Post on 06-Feb-2016
Connect. Communicate. Collaborate
The MetaData Service: Distributing trust in AAI confederations
Manuela Stanica, DFN
Outline
• What is the MetaData Service (MDS)?
• Role of a MetaData Service in AAI confederations
• Use of the MDS in eduGAIN
• The MDS URLs
• Publishing and retrieving metadata
• Trust and security considerations
• Conclusions
What is the MetaData Service (MDS)?
• eduGAIN component developed in GN2-JRA5
• eduGAIN: the GÉANT2 AAI
• Support dynamic establishment of trust relations between members of AAI confederation
• Information model conforms to the SAML v2.0 Metadata Specification
• SAML: Security Assertions Markup Language (OASIS)
AAI confederation hierarchy
• AAI confederation interconnecting AAI federations
• AAI federation: participant institutions and their users
– access to external resources & services
– unaware of participants in other federations
– require a procedure for trust establishment between them
AAI confederation hierarchy (2)
Role of metadata
• Connecting to entities in other federated AAIs – required information:
– where (in which federation)?
– how to reach it?
– what is supported (protocols and functionalities)?
• metadata – distribution to all confederation members
– static (pre-configured upon software installation)
– dynamic (on request)
Role of a MetaData Service in AAI confederations
• AAI confederations
– non-static environments!
– frequent updates
means for dynamic collection & distribution of metadata:
MetaData Service (MDS)
Basic principles
• Centralised storage of metadata for eduGAIN components
• Dynamic retrieval & update
– metadata exchange interface: eduGAINMeta
– based on the REST architecture model
• Distributed publishing & querying
– among local federations – no central admin
– multiple metadata publishers and consumers
eduGAIN components
Bridging Elements
• MDS used by Bridging Elements (BEs):
– gateways eduGAIN – local federations
– communication with peers (BEs) in other federations
– query MDS for metadata about Home BE
– MDS response: SAML 2.0 Metadata doc
– consumers/publishers of metadata
URL structure
• Syntax of REST URL mapping:
MDS base URL[/federation ID][/entity ID][?query string]
• Combinations of:
– MDS base URL: https://mds.geant2.net/
– federation ID: dfn, feide, ...
– entity ID: be1
– query string – Home Locator(s): homeDomain=uio.no
Home Locators
• eduGAIN-specific attribute-value pairs
• For: locating a remote BE (Home BE)
• From:
– hints provided by the user
– contents of certificate extensions
• Types:
– Home domain (homeDomain=switch.ch)
– URN (urn=urn:geant:edugain:component:be:switch:be1)
Publishing / updating
• Who: metadata publishers
– Federation Peering Point (FPP)
– authorized Bridging Elements (BEs)
• What: SAML 2.0 Metadata documents
– EntityDescriptor root (one BE)
– EntitiesDescriptor root (several BEs)
• How: HTTP POST/PUT
Publishing / updating (2)
• For the whole federation:
– only by the FPP
– EntitiesDescriptor
– URL syntax: <MDS base URL/federation ID>
http://mds.ladok.umu.se/feide
• For single entities:
– by the FPP / authorized BEs
– EntityDescriptor
– URL syntax: <MDS base URL/federation ID/entity ID>
http://mds.ladok.umu.se/switch/be1
Retrieving metadata
• BE queries the MDS via HTTP GET
• Metadata lookup
– entity/federation name is known
– <MDS base URL[/federation ID][/entity ID]>
http://mds.ladok.umu.se
http://mds.ladok.umu.se/switch
http://mds.ladok.umu.se/switch/entity1
• Metadata search
– entity name unknown, home locators known
– <MDS base URL[/federation ID]?query string>
http://mds.ladok.umu.se/?homeDomain=switch.ch
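The REST mapping `MDS base URL[/federation ID][/entity ID][?query string]` and the lookup-versus-search distinction from the slides above, as an added example that is not eduGAIN code: a URL builder, its inverse parser, and a resolver over a constructed in-memory registry. `MdsRequest`, `REGISTRY`, `component_urn` and `resolve` are names invented for this example; the base URLs and the `homeDomain` locator are taken from the slides, and the URN pattern is generalised from the single URN shown on the Home Locators slide (an assumption).

```python
"""Added example: the MDS REST URL mapping from the slides,
MDS base URL[/federation ID][/entity ID][?query string],
as a builder, a parser and a resolver over a constructed registry.
Not code from the eduGAIN project."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

MDS_BASE = "https://mds.geant2.net/"  # base URL as given on the slides


@dataclass
class MdsRequest:
    federation: Optional[str] = None           # e.g. "dfn", "feide"
    entity: Optional[str] = None               # e.g. "be1"
    home_locators: Dict[str, str] = field(default_factory=dict)  # e.g. {"homeDomain": "uio.no"}


def build_url(req: MdsRequest, base: str = MDS_BASE) -> str:
    """Compose the REST URL. An entity ID is only meaningful inside a federation."""
    if req.entity and not req.federation:
        raise ValueError("entity ID requires a federation ID")
    segments = [s for s in (req.federation, req.entity) if s]
    url = base.rstrip("/") + "".join("/" + quote(s, safe="") for s in segments)
    if not segments:
        url += "/"                             # keeps the form http://host/?homeDomain=...
    if req.home_locators:
        url += "?" + urlencode(req.home_locators)
    return url


def parse_url(url: str, base: str = MDS_BASE) -> MdsRequest:
    """Inverse mapping: split an MDS URL into federation, entity and home locators.
    Rejects URLs for another host and paths deeper than federation/entity."""
    parts, base_parts = urlsplit(url), urlsplit(base)
    if (parts.scheme, parts.netloc) != (base_parts.scheme, base_parts.netloc):
        raise ValueError("URL does not belong to this MDS")
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if len(segments) > 2:
        raise ValueError("only federation ID and entity ID may follow the base URL")
    locators = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return MdsRequest(
        federation=segments[0] if segments else None,
        entity=segments[1] if len(segments) > 1 else None,
        home_locators=locators,
    )


# Constructed registry standing in for the metadata store:
# (federation ID, entity ID) -> home domains served by that Bridging Element.
REGISTRY: Dict[Tuple[str, str], List[str]] = {
    ("switch", "be1"): ["switch.ch", "ethz.ch"],
    ("feide", "be1"): ["uio.no"],
    ("dfn", "be1"): ["dfn.de"],
}


def component_urn(federation: str, entity: str) -> str:
    """URN home locator, following the pattern shown on the slides
    (urn:geant:edugain:component:be:switch:be1); generalising it is an assumption."""
    return f"urn:geant:edugain:component:be:{federation}:{entity}"


def resolve(req: MdsRequest) -> List[Tuple[str, str]]:
    """Lookup when federation/entity are named in the path, search by home
    locator (homeDomain or urn) otherwise; both may be combined."""
    hits = [key for key in REGISTRY
            if req.federation in (None, key[0]) and req.entity in (None, key[1])]
    if "homeDomain" in req.home_locators:
        hits = [k for k in hits if req.home_locators["homeDomain"] in REGISTRY[k]]
    if "urn" in req.home_locators:
        hits = [k for k in hits if component_urn(*k) == req.home_locators["urn"]]
    return sorted(hits)
```

`parse_url` deliberately refuses a third path segment and a foreign host, so a consumer that builds its own MDS URLs cannot be steered to another service by a crafted locator value; the registry stands in for the SAML 2.0 metadata store the real MDS queries.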
Trust establishment
• Elements of trust establishment in eduGAIN:
– MDS
– eduGAIN PKI
– Component identifiers (CIDs)
• MDS trust tightly bound with eduGAIN PKI
minimal trust in the service itself
• Transitive trust
Security checks
• MDS validations:
– publisher's X.509 certificate
– publishing rights
• Publishers' signatures forwarded with the metadata
– validation by consumers
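The publish-side checks the slides attribute to the MDS (publisher's X.509 certificate, publishing rights, and the EntitiesDescriptor/EntityDescriptor root expected at the federation and entity URL levels from the Publishing / updating slides), as an added example that is not eduGAIN code. The `PUBLISHERS` table, the certificate subjects, the `validate_publish` function and the sample metadata documents are constructed for this example; the mapping from the path entity ID to the SAML `entityID` follows the component URN on the Home Locators slide and is an assumption. The signature element is only checked to be present so that it can be forwarded to consumers; the cryptographic XML-DSig verification consumers perform is not shown here.

```python
"""Added example: MDS-side validation of a publish request (HTTP POST/PUT),
modelled on the slides. Publisher table, certificate subjects and metadata
documents are constructed; this is not eduGAIN code. XML-DSig verification
itself is out of scope here."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

MD = "urn:oasis:names:tc:SAML:2.0:metadata"   # SAML 2.0 metadata namespace
DS = "http://www.w3.org/2000/09/xmldsig#"      # XML Signature namespace

# Constructed publisher table: client-certificate subject -> (federation, role, own entity).
# FPP = Federation Peering Point, BE = Bridging Element (as on the slides).
PUBLISHERS: Dict[str, Tuple[str, str, Optional[str]]] = {
    "CN=fpp.switch.ch": ("switch", "FPP", None),
    "CN=be1.switch.ch": ("switch", "BE", "be1"),
    "CN=be1.feide.no": ("feide", "BE", "be1"),
}


class PublishError(Exception):
    """Publish request rejected by the MDS."""


def expected_entity_id(federation: str, entity: str) -> str:
    """Assumed mapping from the URL path to the SAML entityID, following the
    component URN shown on the slides (urn:geant:edugain:component:be:switch:be1)."""
    return f"urn:geant:edugain:component:be:{federation}:{entity}"


def validate_publish(cert_subject: str, federation: str, entity: Optional[str],
                     body: bytes) -> List[str]:
    """Validate a POST/PUT to /<federation>[/<entity>] and return the accepted entityIDs.

    cert_subject is the subject of the publisher's X.509 client certificate, assumed
    already validated against the eduGAIN PKI by the TLS layer."""
    if cert_subject not in PUBLISHERS:
        raise PublishError("unknown publisher certificate")
    pub_fed, role, own_entity = PUBLISHERS[cert_subject]
    if pub_fed != federation:
        raise PublishError("publisher is not a member of this federation")

    # Production code should parse untrusted XML with defusedxml or equivalent.
    root = ET.fromstring(body)
    if root.find(f"{{{DS}}}Signature") is None:
        raise PublishError("metadata must carry the publisher's signature for consumers")

    if entity is None:                        # whole federation: /<federation>
        if role != "FPP":
            raise PublishError("only the FPP may publish a whole federation")
        if root.tag != f"{{{MD}}}EntitiesDescriptor":
            raise PublishError("whole-federation publish requires an EntitiesDescriptor root")
        ids = [e.get("entityID", "") for e in root.findall(f"{{{MD}}}EntityDescriptor")]
        prefix = expected_entity_id(federation, "")
        if not ids or any(not i.startswith(prefix) for i in ids):
            raise PublishError("every entity must belong to the publishing federation")
        return ids

    # single entity: /<federation>/<entity>
    if role == "BE" and own_entity != entity:
        raise PublishError("a BE may publish only its own metadata")
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise PublishError("single-entity publish requires an EntityDescriptor root")
    if root.get("entityID") != expected_entity_id(federation, entity):
        raise PublishError("entityID does not match the URL")
    return [root.get("entityID")]


def rejected(*args) -> bool:
    """True if the MDS refuses the publish request."""
    try:
        validate_publish(*args)
        return False
    except PublishError:
        return True


# Constructed sample documents; the signature elements are structural placeholders.
def signature_placeholder() -> str:
    return (f'<ds:Signature xmlns:ds="{DS}"><ds:SignatureValue>'
            f'c29tZS1zaWc=</ds:SignatureValue></ds:Signature>')


def sample_entity(entity_id: str, signed: bool = True) -> bytes:
    sig = signature_placeholder() if signed else ""
    return (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="{entity_id}">{sig}'
            f'<md:IDPSSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>').encode()


def sample_federation(federation: str, entity_ids: List[str]) -> bytes:
    inner = "".join(sample_entity(e, signed=False).decode() for e in entity_ids)
    return (f'<md:EntitiesDescriptor xmlns:md="{MD}" Name="{federation}">'
            f'{signature_placeholder()}{inner}</md:EntitiesDescriptor>').encode()
```

The ordering matters for the trust model on the slides: the certificate and federation membership are checked before the body is parsed, the root element is matched to the URL level, and a BE is confined to its own entity while only the FPP may replace a whole federation. Because the stored document keeps the publisher's signature, consumers can verify it themselves and need only minimal trust in the service.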
Conclusions
• MDS: dynamic metadata distribution in AAI confederations
• Centralised storage, distributed trust
• Employs standard SAML 2.0 Metadata
• Possible use in any SAML-based infrastructure
• Deployment together with eduGAIN-like PKI
Thank you for your attention!
Questions?