2017 Workshop Main Deck
Leveraging Federation For Your Service
Chris Phillips | CAF Architect | CANARIE
101
Topic Map
Architecture
• Requirements Gathering • Implementation Techniques • Technology Choices
Data Management
• Attributes • Authorization
User Experience
• Session Initiation • Discovery
Application-Centric IdM
• Services activated, but little interaction between them
• Applications have distinct user ID/password pairs of their own
Centralizing Campus Directory & Sign-On
• Services are easier to turn on
• Users are using the same password
• Campus SSO users sign in ‘once’
• Applications cannot see the user’s password
Federated SSO
• Faster service turn-up time – config and go
• Minimized attack/risk surface inherent in design
• Services outside your domain more easily enabled
Where are you in the Service Maturity Model?
[Diagram: the three maturity stages drawn for myinstitution.ca: a single service with SSO; a Portfolio of services behind SSO; and the institution joined to a Federation of Services and Partners]
Understanding Service Sign-On
Actors: Users, the Institution’s Identity Provider (aka IdP), Service Providers (aka SPs) and their Services
[Diagram: cartoon of one federated sign-on; service names are placeholder text]
1. User to service: “I want to use this service!”
2. Service, via the Discovery Service: “Sure! Choose where to sign in from first”
3. User to IdP: “Hi. I came from over there.”
4. IdP, consulting its Trusted Entities (aka metadata): “Hello! Checking to see if I trust where you came from … Yes, service is in there. Validate your password and I’ll sign that you are A-OK & include some info about you”
5. IdP login form: Userid / Password
6. User to service: “Hi. Sign in was ok, they gave me this to show you”
7. Service, consulting its Trusted Entities (aka metadata): “Hello! Have your assertion for me to validate? … Yes, I trust that IdP, and see your attributes for this service, go on in!”
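The trust checks behind step 7 of the cartoon above, written out as an added example (not code from the CAF deck or from any Shibboleth component). A real SAML assertion carries an XML Signature that the SP verifies with the IdP's key taken from federation metadata; to stay standard-library only, this model signs a dict of assertion fields with HMAC-SHA256 under a key that a constructed metadata table associates with the IdP. The decisions are the ones an SP must make regardless of the signature mechanism: known issuer, valid signature, right audience, open validity window, and no replay of an assertion ID. Entity IDs, key and timestamps are assumptions.

```python
"""SP-side assertion validation, modelled on the sign-on cartoon (added example)."""
import hashlib
import hmac
import json
import secrets

# Assumed entity IDs and a constructed metadata table (entityID -> verification key).
IDP_ENTITY_ID = "https://idp.myinstitution.ca/idp/shibboleth"
SP_ENTITY_ID = "https://service.example.ca/shibboleth"
METADATA = {IDP_ENTITY_ID: b"constructed-shared-key-for-the-demo"}


def _signed_bytes(assertion):
    # Canonical serialisation of every field except the signature itself.
    body = {k: v for k, v in assertion.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, key, audience, attributes, now, lifetime=300):
    """IdP side: 'I'll sign that you are A-OK & include some info about you'."""
    assertion = {
        "id": "_" + secrets.token_hex(16),   # unique per assertion, used for replay detection
        "issuer": issuer,
        "audience": audience,                # the one SP this assertion is meant for
        "not_before": now,
        "not_on_or_after": now + lifetime,
        "attributes": attributes,
    }
    assertion["signature"] = hmac.new(key, _signed_bytes(assertion), hashlib.sha256).hexdigest()
    return assertion


class ServiceProvider:
    """SP side: 'Checking to see if I trust where you came from'."""

    def __init__(self, entity_id, metadata, clock_skew=60):
        self.entity_id = entity_id
        self.metadata = metadata      # trusted entities (aka metadata)
        self.clock_skew = clock_skew  # tolerance for IdP/SP clock drift, in seconds
        self.seen_ids = {}            # assertion id -> expiry, for replay checks

    def validate(self, assertion, now):
        """Return (accepted, reason); every rejection names the check that failed."""
        key = self.metadata.get(assertion.get("issuer"))
        if key is None:
            return False, "issuer not in metadata"
        expected = hmac.new(key, _signed_bytes(assertion), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("signature", "")):
            return False, "signature invalid"
        if assertion["audience"] != self.entity_id:
            return False, "audience is another service"
        if now + self.clock_skew < assertion["not_before"]:
            return False, "not yet valid"
        if now - self.clock_skew >= assertion["not_on_or_after"]:
            return False, "expired"
        # Forget IDs that can no longer be replayed, then refuse anything seen before.
        self.seen_ids = {i: t for i, t in self.seen_ids.items() if t > now - self.clock_skew}
        if assertion["id"] in self.seen_ids:
            return False, "assertion replayed"
        self.seen_ids[assertion["id"]] = assertion["not_on_or_after"]
        return True, "ok"


def demo(now=1_700_000_000):
    """One good sign-on followed by the common failure modes; returns each reason."""
    sp = ServiceProvider(SP_ENTITY_ID, METADATA)
    attrs = {"eppn": "babs@myinstitution.ca"}
    good = issue_assertion(IDP_ENTITY_ID, METADATA[IDP_ENTITY_ID], SP_ENTITY_ID, attrs, now)
    results = {"first use": sp.validate(good, now)[1],
               "replay": sp.validate(good, now)[1]}
    tampered = dict(good, attributes={"eppn": "admin@myinstitution.ca"})  # signature no longer matches
    results["tampered"] = sp.validate(tampered, now)[1]
    other_sp = issue_assertion(IDP_ENTITY_ID, METADATA[IDP_ENTITY_ID],
                               "https://other.example.ca/shibboleth", attrs, now)
    results["wrong audience"] = sp.validate(other_sp, now)[1]
    rogue = issue_assertion("https://idp.rogue.example", b"rogue-key", SP_ENTITY_ID, attrs, now)
    results["unknown idp"] = sp.validate(rogue, now)[1]
    stale = issue_assertion(IDP_ENTITY_ID, METADATA[IDP_ENTITY_ID], SP_ENTITY_ID, attrs, now - 3600)
    results["expired"] = sp.validate(stale, now)[1]
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:15s} -> {reason}")
```

The order matters: the issuer lookup and signature check come before anything the assertion says about itself is believed, and the replay cache is keyed on the assertion ID only after the signature has proven that ID was chosen by the IdP.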
Architecture
> Describing the service
• Who is the audience?
• What is their lifecycle?
> What are the minimal identity elements required?
• Sufficient to have a unique identifier, first and last name, email, and maybe affiliation?
> How are permissions to be managed?
> Are there special security or other considerations?
> Building new or integrating existing tool/platform?
> Sustaining the solution
• What is the sustainment plan after go-live?
• What’s your transition plan from now to the new way?
Gathering Requirements
The Generalized Model
[Diagram: HTTP/S → Code Container (with SSO Agent/Library) → DB Storage]
N-Tier Approach
Benefits
• Abstracts & delegates functional roles & responsibilities
• Loosely couples components
• Mix and match
• Programming ‘contracts’ (api/libs/*.so/*.dll) are lightweight
• Scales horizontally or vertically as needed
• Favours parallelized work/implementation
• Neutral to data and data archetypes
• Layered security model
Drawbacks
• Not everyone subscribes to N-tier & co-locates components
• May not be prescriptive enough for:
  • Data flows
  • Data archetypes & referential integrity therein
• Rigidity & discipline on security model required at ALL layers
Usual Implementation
[Diagram: Apache/IIS with mod_shib → App Container (tomcat, php, asp, vendor app) → Database]
N-Tier Approach
Benefits
• Classic and widely used model
• Scales up any way you deploy
• Can be ‘imaged’ and reduce config
• All extra federation effort taken care of
Loose coupling
• Application expects ‘the truth’ from container & server
• Information passed in via a variety of methods:
  • Pass through & application unpacks info
  • Handoff of environment attributes per session
  • Key value passed in & custom ‘resolver’ step
• Delegation of roles & responsibilities upward keeps apps less complex
Service Deployment Patterns
> Services added individually
> Services differ in desired or required attributes
> Operationally
• Service spins up, reaches out to request attributes on a per-service basis
• Applies healthy practice of least release, but becomes challenging as services proliferate
Standard Service Deployment
[Diagram: CAF ↔ Service ↔ IdPs]
> One service revealed to federation
> Sign-on ‘repackaged’ to other services
> Attribute release is simplified outwardly at the expense of internal complexity
> Implies attribute release is sufficient and equal for all services ‘behind’ the proxy
Proxied Service Deployment
[Diagram: CAF ↔ Proxy Service ↔ Downstream Service ×3; IdPs]
Specialized Discovery
> Identify which techniques fit your project and work sustainably
> Adopt the standard Research & Scholarship Entity Category attribute bundle for easier attribute release
> Share common components
> Avoid rebuilding wheels -- leverage the loose coupling and delegation model to your benefit
Architecture Recommendations
Data Management
Attributes are Like Buckets
• Can carry practically anything
• Want to use certain ones for certain purposes
• Avoid cross-purpose contamination
• Build enough for that which we need
http://www.flickr.com/photos/linneberg/4481309196/sizes/l/in/photostream/
Common Attribute Flow & Span of Dictionary
[Diagram: Directory → IdP → Service Provider Web Container → Service Provider Application → Application Database; the eduPerson dictionary spans the directory and the IdP]
1. Attributes mapped from directory to IdP dictionary
2. Attributes mapped to over-the-wire format:
<saml2:Attribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">Babs Jensen<....
3. Attributes unmarshaled from over-the-wire format to environment variables:
HTTP_displayName="Babs Jensen"
4. App ingests header, internal logic maps attributes to app dictionary
5. App persists data internally
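Steps 2 to 4 of the flow above, and the loose-coupling hand-off described under Usual Implementation, as an added example (not code from the CAF deck or from the Shibboleth SP). The over-the-wire attribute statement is parsed and mapped through the SP's own dictionary (OID to local name, the job a Shibboleth attribute-map does), unmarshaled into environment-style variables, and then ingested by the application. The attribute statement is constructed from the deck's displayName example plus a few eduPerson attributes; the session marker and entity IDs are assumptions. One caveat the deck's "application expects the truth from the container" point deserves: the application must only trust attributes that actually came through the SP, which is why `ingest` refuses a request with no SP session.

```python
"""Attribute unmarshalling and ingestion on the SP side (added example)."""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Step 2: the SP's dictionary. Anything not listed here is dropped on arrival.
ATTRIBUTE_MAP = {
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn",         # eduPersonPrincipalName
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "affiliation",  # eduPersonAffiliation
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}

# Constructed attribute statement: what the wire carries after step 2.
# The last attribute is deliberately not in the dictionary.
SAMPLE_STATEMENT = """<saml2:AttributeStatement
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>Babs Jensen</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>bjensen@myinstitution.ca</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>member</saml2:AttributeValue>
    <saml2:AttributeValue>staff</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute FriendlyName="userPassword" Name="urn:oid:2.5.4.35"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml2:AttributeValue>should-never-be-released</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def unmarshal(statement_xml, attribute_map=ATTRIBUTE_MAP):
    """Wire format -> {local name: [values]} via the SP dictionary."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.findall("saml2:Attribute", NS):
        local = attribute_map.get(attr.get("Name"))
        if local is None:
            continue  # not in our dictionary: dropped, whatever the IdP sent
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attrs.setdefault(local, []).extend(v for v in values if v)
    return attrs


def to_environment(attrs):
    """Step 3: one variable per attribute; multiple values are ';'-joined and a
    literal ';' inside a value is escaped as '\\;' (the Shibboleth SP convention)."""
    env = {name: ";".join(v.replace(";", "\\;") for v in values) for name, values in attrs.items()}
    env["Shib-Session-ID"] = "_constructed-session-id"  # set by the SP for requests it handled
    return env


def split_values(raw):
    """Inverse of the join above, honouring the '\\;' escape."""
    values, current, i = [], [], 0
    while i < len(raw):
        if raw.startswith("\\;", i):
            current.append(";")
            i += 2
        elif raw[i] == ";":
            values.append("".join(current))
            current = []
            i += 1
        else:
            current.append(raw[i])
            i += 1
    values.append("".join(current))
    return values


def ingest(environ):
    """Step 4: map the environment onto the application's own dictionary.
    Only values that arrived through the SP are trusted: Shib-Session-ID is
    set by mod_shib, not by the client. If your container only sees HTTP
    headers (the HTTP_displayName form), the front end must strip
    client-supplied copies of those headers first, or anyone can forge them."""
    if not environ.get("Shib-Session-ID"):
        raise PermissionError("no SP session: attributes are not trustworthy")
    if not environ.get("eppn"):
        raise PermissionError("no unique identifier released for this service")
    roles = split_values(environ["affiliation"]) if environ.get("affiliation") else []
    return {"username": environ["eppn"],
            "full_name": environ.get("displayName", ""),
            "roles": sorted(roles)}


if __name__ == "__main__":
    env = to_environment(unmarshal(SAMPLE_STATEMENT))
    print(env)
    print(ingest(env))
```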
Data Dictionary Span of Control
> eduPerson Attributes
• 2.2.1. eduPersonAffiliation
• 2.2.2. eduPersonEntitlement
• 2.2.3. eduPersonNickname
• 2.2.4. eduPersonOrgDN
• 2.2.5. eduPersonOrgUnitDN
• 2.2.6. eduPersonPrimaryAffiliation
• 2.2.7. eduPersonPrimaryOrgUnitDN
• 2.2.8. eduPersonPrincipalName
• 2.2.9. eduPersonPrincipalNamePrior
• 2.2.10. eduPersonScopedAffiliation
• 2.2.11. eduPersonTargetedID
• 2.2.12. eduPersonAssurance
• 2.2.13. eduPersonUniqueId
Dictionary of Attributes
http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201310.html
> Common Person Attributes
> 3.1.audio
> 3.2.cn (commonName)
> 3.3.description
> 3.4.displayName
> 3.5.facsimileTelephoneNumber
> 3.6.givenName
> 3.7.homePhone
> 3.8.homePostalAddress
> 3.9.initials
> 3.10.jpegPhoto
> 3.11.localityName
> 3.12.labeledURI
> 3.13.mail
> 3.14.manager
> 3.15.mobile
> 3.16.o(organizationName)
> 3.17.ou (organizationalUnitName)
> 3.18.pager
> 3.19.postalAddress
> 3.20.postalCode
> 3.21.postOfficeBox
> 3.22.preferredLanguage
> 3.23.seeAlso
> 3.24.sn (surname)
> 3.25.st (stateOrProvinceName)
> 3.26.street
> 3.27.telephoneNumber
> 3.28.title
> 3.29.uid
> 3.30.uniqueIdentifier
> 3.31.userCertificate
> 3.32.userPassword
> 3.33.userSMIMECertificate
> 3.34.x500uniqueIdentifier
Dictionary of Attributes – Filtered by Most Used
http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html
> Most Common unique identifier
1. 2.2.8. eduPersonPrincipalName
2. 3.13. mail
3. 2.2.11. eduPersonTargetedID
4. 2.2.13. eduPersonUniqueId
Attributes – Filtered & Ordered by Most Commonly Required/Desired
http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html
> Most Common Access Control
1. 2.2.1. eduPersonAffiliation
2. 2.2.2. eduPersonEntitlement
3. 2.2.6. eduPersonPrimaryAffiliation
4. 2.2.10. eduPersonScopedAffiliation
> Most Common User Info
1. 3.13. mail
2. 3.2. cn (commonName)
3. 3.24. sn (surname)
4. 3.4. displayName
5. 3.6. givenName
6. 3.16. o (organizationName)
> Classic service-by-service release style
• Create policy for each service you want to trust
  – 1:N entities
  – Fine grained, one time, but higher effort
Attribute Release in Practice
[Diagram: Metadata Aggregate with Identity Provider Entities (MyIdP) and Service Provider Entities (SP, SP, SP); MyIdP carries one rule per SP, each reading “Permit ePPN, email, cn, affiliation”]
Scaling Attribute Release with Entity Categories
[Diagram: same Metadata Aggregate; each SP “Has Entity Category: ‘Supports R&S’” and MyIdP carries one rule for the category: “Permit ePPN, email, cn, affiliation”]
> Leverage entity categories style
• Create policy for each category you want to trust
  ─ 1 category = many entities
  ─ Worldwide usage so far:
    • April 2016: 87 SPs, 103 IdPs
    • April 2017: 150 SPs, 239 IdPs (+42% and +56% annual growth)
  ─ Policy is to the category criteria, NOT the entity identifier
  ─ Equally thorough, less effort to maintain
  ─ NO effort to enable new services who receive the category; they just start working
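The two release styles above, modelled as the decision an IdP's attribute filter makes, as an added example (not code from the CAF deck or from any IdP product). A real IdP expresses this in configuration (a Shibboleth IdP uses one AttributeFilterPolicy per requester, or one keyed on an entity category); the model below evaluates the same kind of rules so the effect of a new SP joining the federation can be seen directly. Entity IDs are assumptions, and the R&S bundle is listed as I recall the REFEDS definition, so check the current specification before relying on it.

```python
"""Per-entity versus entity-category attribute release (added example)."""
from dataclasses import dataclass
from typing import Callable, FrozenSet

R_AND_S = "http://refeds.org/category/research-and-scholarship"
# Assumed bundle; verify against the current REFEDS R&S specification.
R_AND_S_BUNDLE = frozenset({"eduPersonPrincipalName", "mail", "displayName",
                            "givenName", "sn", "eduPersonScopedAffiliation"})
# What the deck's per-service rules permit: ePPN, email, cn, affiliation.
PER_SERVICE_BUNDLE = frozenset({"eduPersonPrincipalName", "mail", "cn", "eduPersonAffiliation"})


@dataclass(frozen=True)
class Entity:
    """An SP as described in the federation's metadata aggregate. Categories are
    asserted by the federation registrar in metadata, never by the SP at request
    time, so an IdP must read them from metadata it has validated."""
    entity_id: str
    categories: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Entity], bool]
    release: FrozenSet[str]


def requester(entity_id, release):
    """Classic style: one rule per entity identifier."""
    return Rule(f"requester:{entity_id}", lambda sp: sp.entity_id == entity_id, release)


def entity_category(category, release):
    """Category style: one rule matches every entity carrying the category."""
    return Rule(f"category:{category}", lambda sp: category in sp.categories, release)


def release_for(sp, policy):
    """Union of what the matching rules permit; nothing matches, nothing leaves."""
    released = set()
    for rule in policy:
        if rule.matches(sp):
            released |= rule.release
    return released


# Constructed federation: three SPs known when the policy was written, one
# registered later and tagged R&S by the registrar, and one registered later
# without any category.
KNOWN = [Entity("https://sp1.example.ca/shibboleth", frozenset({R_AND_S})),
         Entity("https://sp2.example.ca/shibboleth", frozenset({R_AND_S})),
         Entity("https://sp3.example.ca/shibboleth")]
NEWCOMER = Entity("https://sp4.example.org/shibboleth", frozenset({R_AND_S}))
UNTAGGED_NEWCOMER = Entity("https://sp5.example.org/shibboleth")

CLASSIC_POLICY = [requester(sp.entity_id, PER_SERVICE_BUNDLE) for sp in KNOWN]
CATEGORY_POLICY = [entity_category(R_AND_S, R_AND_S_BUNDLE),
                   # sp3 carries no category, so it still needs its own rule
                   requester(KNOWN[2].entity_id, PER_SERVICE_BUNDLE)]


def compare(sp):
    """What each policy releases to the given SP."""
    return {"classic": release_for(sp, CLASSIC_POLICY),
            "category": release_for(sp, CATEGORY_POLICY)}


if __name__ == "__main__":
    for sp in KNOWN + [NEWCOMER, UNTAGGED_NEWCOMER]:
        print(sp.entity_id, compare(sp))
```

Under the classic policy the newcomer gets nothing until someone edits the IdP; under the category policy it receives the bundle the moment the registrar tags it, while an untagged newcomer still gets nothing. The safety of the second style rests entirely on the IdP reading categories from signed, validated federation metadata rather than from anything the SP sends.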
> Qualities to seek: Globally unique, scoped, non-reassigned
> Common pitfalls
• “Email as a primary key”
  – Highly problematic
  • It’s not scoped (i.e. an IdP on domain Y.ca can express email from domain Z.ca)
  • It’s re-assignable/re-used
• “Active Directory GUID is good enough”
  – Not a bad choice BUT very risky!
  • Did you know that if/when you have to do an Active Directory recovery every GUID is recreated?
• “eduPersonPrincipalName (ePPN) is equivalent to email”
  – The @ separator between the left-hand side (id) and the right-hand side (domain scope) looks like an email but that’s the limit of the similarity
> Recommendations
• Use R&S approaches for a ubiquitous identifier (ePPN or eduPersonTargetedID)
• Review the SAML NameID Persistent ID format
• Don’t use email address as it has many risk vectors
  – Sometimes unavoidable with off-the-shelf solutions – plan ahead for mitigation
Choosing a Unique Identifier
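The identifier checks an SP should make in light of the pitfalls above, as an added example (not code from the CAF deck or from the Shibboleth SP). A scoped identifier such as eduPersonPrincipalName is only trustworthy when its scope is one the asserting IdP is registered for in federation metadata, which is the check a Shibboleth SP applies from the IdP's shibmd:Scope elements; mail carries no such binding, which is the "not scoped" pitfall in concrete form. The block also shows a pairwise, opaque identifier of the kind eduPersonTargetedID provides, built as a salted hash over the SP entity ID and the local identifier; that is illustrative of the approach, not a byte-exact reimplementation of any IdP's algorithm. Scopes, entity IDs and the salt are constructed.

```python
"""Scope-checked and pairwise identifiers for an SP (added example)."""
import base64
import hashlib

# Constructed metadata: which scopes each IdP is registered to assert.
IDP_SCOPES = {
    "https://idp.y.ca/idp/shibboleth": frozenset({"y.ca"}),
    "https://idp.z.ca/idp/shibboleth": frozenset({"z.ca", "students.z.ca"}),
}


def check_scoped(value, idp_entity_id, scopes=IDP_SCOPES):
    """Accept 'local@scope' only when the asserting IdP owns 'scope'."""
    if value.count("@") != 1:
        return False, "malformed: exactly one '@' expected"
    local, scope = value.split("@")
    if not local:
        return False, "malformed: empty local part"
    allowed = scopes.get(idp_entity_id)
    if allowed is None:
        return False, "asserting IdP not in metadata"
    if scope.lower() not in allowed:
        return False, f"scope '{scope}' is not registered to this IdP"
    return True, "ok"


def choose_identifier(attrs, idp_entity_id, scopes=IDP_SCOPES):
    """Pick the key to persist, in the deck's recommended order: targeted ID
    (opaque, non-reassigned), then scope-checked ePPN, and never mail."""
    if attrs.get("eduPersonTargetedID"):
        return "eduPersonTargetedID", attrs["eduPersonTargetedID"]
    eppn = attrs.get("eduPersonPrincipalName")
    if eppn:
        ok, reason = check_scoped(eppn, idp_entity_id, scopes)
        if ok:
            return "eduPersonPrincipalName", eppn
        raise ValueError(f"rejecting ePPN {eppn!r}: {reason}")
    if attrs.get("mail"):
        raise ValueError("mail is not scoped and is re-assignable; refuse it as a primary key")
    raise ValueError("no usable identifier released")


def pairwise_id(sp_entity_id, local_id, salt):
    """Stable for one user at one SP, unlinkable across SPs, not reversible.
    The salt is an IdP secret; losing or rotating it changes every value."""
    digest = hashlib.sha256(f"{sp_entity_id}!{local_id}!".encode() + salt).digest()
    return base64.b64encode(digest).decode()


if __name__ == "__main__":
    idp_y = "https://idp.y.ca/idp/shibboleth"
    print(check_scoped("bjensen@y.ca", idp_y))
    print(check_scoped("bjensen@z.ca", idp_y))   # Y.ca's IdP may not speak for z.ca
    print(choose_identifier({"eduPersonPrincipalName": "bjensen@y.ca"}, idp_y))
    salt = b"constructed-idp-secret-salt"
    print(pairwise_id("https://sp1.example.ca/shibboleth", "bjensen", salt))
    print(pairwise_id("https://sp2.example.ca/shibboleth", "bjensen", salt))
```

The GUID pitfall from the slide shows up in `pairwise_id` as well: the value is only as stable as the inputs behind it, so an identifier derived from a local ID or salt that a directory recovery regenerates will silently become a new person at every SP.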
User Experience
Next Steps
> Leverage our tools
• CAF Build Tool
  – Rapid prototyping environment based on Vagrant
  – Installs in 20 minutes
  – 100% self-contained, local, fully functional federation
  – Allows for full isolated reference test capability
  – https://bit.ly/cafbuildtool
• CAF Test Federation – Shared Test Infrastructure
  • Discovery Service
  • Test validator service
  – [email protected] to join
> Arrange for a one-on-one assessment with CAF
Next Steps
Questions?
> CAF Documentation
• Canadian Access Federation Default Person Schema (short)
  – https://tts.canarie.ca/otrs/public.pl?Action=PublicFAQZoom;ItemID=18
> Community Documentation
• eduPerson:
  – FAQ: https://spaces.internet2.edu/display/macedir/eduPerson+FAQ
  – Home: http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/eduperson-eduorg-documentation/
  – ObjectClass specification: http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html
> AARC work by GÉANT:
• https://aarc-project.eu/workpackages/training-and-outreach/
• https://aarc-project.eu/workpackages/training-and-outreach/training-modules/training-for-service-provider-operators/
• https://aarc-project.eu/wp-content/uploads/2016/01/AARC_SP_Training_v2-4.pdf
References & Recommended Reading