CAF Workshop BCNet2014
www.canarie.ca
CAF Workshop on Federation Tools
IDP Installer and Federation Management Tools
Chris Phillips | April 2014 | CANARIE | Vancouver
Agenda
8:00-8:30 – Coffee & Registration
8:30-8:45 – Introductions and Workshop Overview
8:45-10:15 – Using the IdP Installer, Sample Installation, Walkthrough
10:15-10:30 – Break
10:30-11:15 – CAF Tools walkthrough
11:15-12:15 – Federation Management Tools
12:15-12:30 – Q&A, Closing remarks
In theory, there is no difference between theory and practice.
But, in practice, there is.
Introductions
Outcomes for today
• Improved understanding of the IdP Installer
• Highlight key deployment considerations
• Know where to go for CAF resources
• Socialize Federation management tools direction
https://www.flickr.com/photos/reway2007/3137608759 reway2007
Setting Today’s Context
Roaming wireless
• International wireless roaming
• Ability to automatically sign on using your home credential
• Reduces barriers to mobile users
• Worldwide and expanding coverage:
  • Canada: 78 sites
  • 60 countries worldwide
Federated identity
• Federated Single Sign On for services
  • Web and non web sign on
  • Authentication
  • Authorization
  • Attribute release
  • Across different security domains
Interfederation
• eduGAIN as primary, exploring other direct relationships
• Bridge to international community
• Enables CAF participants to:
  • Accept identities inbound from outside Canada to Canadian services
  • Use Canadian identities in services outside Canada
• 3.4M logins March 2014
• 2x traffic growth in 1yr
• 78 sites
• 33 Service Providers
• 25 Identity Providers
[Chart: Successful Logins, International vs Canada, monthly bars from 500,000 to 2,000,000]
[Chart: Total CAF enabled users – SAML & eduroam; data labels 937,000, 986,765, 1,011,793, 1,020,387]
• Int’l NREN CEO Forum placed eduGAIN as a key effort
• CAF was early adopter – joined last year when there were 8, and eduGAIN now has 20 countries
CAF Ecosystem
[Diagram of the CAF ecosystem; labels: Identity Providers; Service Providers; Universities, Colleges, Research inst., Cloud providers; Specialized R&E Apps, Libraries, Commercial SP, Research teams; Regional Community; Community Group; Gateway; Partners: BCNET, Provincial governments, Organizing bodies; Applicants, Parents, Temporary staff; Professor, Student, Researcher; Researcher, App Developer; IDM Expert, Group Admin]
CAF Roadmap
[Roadmap diagram: items plotted by VALUE against a timeline of Today / FY 2015 / FY16]
• IDP Installer
• Federation Infrastructure & Governance
• Knowledge Base + more tools!
• Federation Community Manager
• CAF Marketplace
• Operating Policies
• Training & Technical Support
• Marketing Material
IDP Installer
IdP Installer
• What is it?
  – VM image + html configuration forms
• What does it do?
  – Auto installs and configures IdP server components
  – Easier connection to CAF servers
  – Supports eduroam and Shibboleth
• Benefits
  – Fewer steps
  – Hides technical complexity from user
[Stack diagram: Identity Appliance: Shibboleth IdentityProvider, freeRADIUS, Apache Tomcat, Java, Operating System (CentOS)]
IdP Installer Consolidating & Reducing Effort
Installation Overview
Download installer → Plan & Prepare installation → Do Installation → Post installation tailoring → Local acceptance testing → Contact CANARIE to complete registration
1. Download Installer
   1. From http://bit.ly/caftools
2. Plan & Prepare your installation
   1. Review System Requirements to prepare your environment.
   2. Prepare your network
   3. Prepare your environment (settings for Directory, Certificates, etc.)
   4. Review and choose a preferred deployment approach
   5. Review your federation specific post install steps
3. Do the installation
   1. Create a configuration from your federation's configuration builder
   2. Save the configuration as 'config' in this directory on your server
   3. Run the script ./deploy_idp.sh
   4. Answer any inline questions (use self signed cert? password creation for keystores)
4. Perform Post installation Tailoring
   1. Based on items previously identified, finalize the installation
   2. Identify steps that need to be repeated in production
5. Locally Test Installation
6. Repeat installation steps for production installation as needed
[1] From installer document in distribution: https://collaboration.canarie.ca/elgg/groups/profile/847/idp-installer
Planning: Deployment Model – Test & Prod
Planning: SSID strategy – augment or replace?
Recommendation: Consider consolidating to eduroam
• Why:
  – Less to configure for end users: set up once, use everywhere → why run one that only works for you?
  – Less to manage as wifi infrastructure operator → reduces helpdesk support
  – eduroam can be VLAN’d based on authentication
    • Local users VLAN’d to ‘local IP space’ and remote users to a remote VLAN [1][2]
  – Configuration Assistant Tool (CAT) performs configuration
  – To resolve ‘how do I get on?’ for users, offer an eduroam_help SSID
    – Behaves as a captive portal and is only able to reach eduroam configuration information (cat.eduroam.org) and your specific information
  – Working with UFV through IdP Installer with the
  – Some Canadian sites already using just eduroam as the singular SSID
[1] https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus
[2] http://medit.med.ubc.ca/initiatives/eduroam-by-ubc/
Planning: Certificates
FedSSO / SAML2
• 2 certificates
  § End user facing (port 443) for SSO userid/password
    • Commercially rooted certificate to avoid browser pain
  § IdP/SP certificate for metadata
    • Self signed, 2048 bit SHA2
    • Autogenerated on install
    • Usually long lived (10yrs)
  § Possession & comparison of the certs present in metadata is the crux of trust
Recommendation: Use your usual commercial cert for the end user facing port 443; let the tools do what they should for the long lived self signed cert.
Eduroam / 802.1x
• 2 TLS pieces: CA + server cert.
  § Laptops and mobile devices are asked to trust both the CA and the server certificate
  § If CA = commercial root, slightly less pain on MSFT clients (avoids the ‘trust this root?’ popup)
  § eduroam CAT installer critical to help streamline installation & trust regardless of cert type.
Recommendation: Simply put: YMMV & up to you to tailor the experience. Quick video example: eduroam CAT w/ commercial cert & w/ non commercial certificate.
IDP Installer automatically uses self-signed everything & is a base for build outs.
Certificates & Heartbleed
• Heartbleed risk present on hosts susceptible through the OpenSSL handshake
  – FedSSO/SAML
    • Metadata signing was not at risk since that key is never used in the handshake & the OpenSSL version was safe.
    • A handful of SAML entities did have to do key roll over (regenerate and replace keys)
    • Risk was possible exposure of the private key, and therefore emulation or decryption of traffic could have been done – extremely remote and requiring an extraordinary attack, but the risk was present nonetheless → must regenerate the private key and metadata cert and do roll over.
  – Eduroam
    • Eduroam trust is built on shared secrets, therefore not susceptible in server to server trusts.
    • HOWEVER, the RADIUS server certificate suffered the same style of attack vector, but between the RADIUS server and clients (mobile devices) – key compromise and therefore decryption of traffic if such was done – risk extremely remote but present. The few sites patched and made the necessary changes.
• Global eduroam had a validator within hours of the announcement and scanned many sites, including Canadian ones, very early on.
• Within 72hrs all Heartbleed risk was eliminated from the affected few sites in FedSSO and eduroam in Canada.
  – Would self signed or commercial have made a difference? No. Risk was the same regardless of root. A private key is a private key and both would need to have been regenerated.
  – Many thanks to admins who were very responsive to the issue!
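As an added example (not from the slides, the IdP Installer or CANARIE), a check for the two points above: that possession and comparison of the certificates published in metadata is the crux of SAML trust, and that a Heartbleed-style key roll over means the federation briefly publishes old and new signing certs side by side. It parses an IdP's SAML metadata, lists the fingerprint of every published signing certificate, and confirms the certificate the IdP actually serves is one of them. The metadata, the entityID and the certificate bytes are constructed placeholders, not real X.509 data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}  # SAML metadata + XML-DSig

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and decode the base64 body to DER bytes."""
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, colon-separated as openssl prints it."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def signing_fingerprints(metadata_xml: str) -> list:
    """Fingerprints of every signing cert published for the IdP. A KeyDescriptor
    without a 'use' attribute serves signing and encryption, so it counts too."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Real metadata wraps the base64 across lines; drop all whitespace first.
            fps.append(fingerprint(base64.b64decode("".join((cert.text or "").split()))))
    return fps

def metadata_trusts_cert(metadata_xml: str, local_pem: str) -> bool:
    """True if the cert the IdP actually serves is one the federation publishes."""
    return fingerprint(pem_to_der(local_pem)) in signing_fingerprints(metadata_xml)

# Constructed sample data: these byte strings stand in for DER certificates and are
# not real X.509 structures; the checks above only hash and compare them.
OLD_DER = b"constructed-pre-heartbleed-cert-bytes"
NEW_DER = b"constructed-regenerated-cert-bytes"
def b64_text(der: bytes) -> str:
    return base64.b64encode(der).decode()
# Mid-rollover metadata: the old and the regenerated signing cert are both published.
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.ca/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64_text(OLD_DER)}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64_text(NEW_DER)}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
LOCAL_PEM = f"-----BEGIN CERTIFICATE-----\n{b64_text(NEW_DER)}\n-----END CERTIFICATE-----\n"
```

A roll over is in progress whenever `signing_fingerprints` returns more than one entry; once the old cert is withdrawn from metadata, only the regenerated one remains.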
IdP Installer Test Shib walkthrough
Break
CAF Tools Walkthrough
• Eduroam weathermap – http://weathermap.canarie.ca/caf/eduroam
• Eduroam CAT – https://cat.eduroam.org/
• eduGAIN – https://www.edugain.org/
• FedSSO Discovery Guidance – https://discovery.refeds.org
• CAF FAQ system – http://tts.canarie.ca/otrs/public.pl
• Collaboration.canarie.ca – http://collaboration.canarie.ca
• CAF Guest IdP & 'external identities' (aka social2SAML) – http://id.canarie.ca
  – External identity demo with SAML sharepoint sign on
All available at: http://bit.ly/caftools
CAF Guidance on Attribute Release
• Current CAF policy → mandatory release of eduPersonTargetedID
• Example of the importance of attribute release
• What the community at large is doing
  – In Canada → examining various profiles for attribute ‘bundles’
    • Collaboration profile
    • Canadian Researcher profile
    • Canadian Student profile
    • K-12 specific attributes
  – Internationally – entity categories in metadata, rules in IdPs for release – K-12 conversations in US.
• SAML metadata representation
Federation Management Tools
Federation Community Manager
Features
• UI-based provisioning of privacy and security policies (e.g. ARPs)
• Self-serve user interface for Partner, IDP and SP admins
• Consolidated view of all community groups, IDPs and SPs in CAF
• Auto-generates metadata
Benefits
• Reduces development time → faster implementation
• Reduces errors and facilitates debugging
Status
• Seeking pilot participants
Collaboration via CAF & Community Groups
[Diagram: CAF Identity Providers – Regional Community – Community Group (CG) – Shared Services – CAF Service Providers]
• Services available to IDPs within the community group
• Define operating policies (e.g. attribute release) specific to the CG
• Gives IDPs access to national and international CAF SPs
Community Group Responsibilities
[Diagram of responsibilities split across Institutions, CAF Partners and CAF; labels: Privacy Help Desk, Community Groups Admin, Hosted IDP Operations, Local Outreach, Central Operations, Technical Support, Technical Community, Trust Assertion, Governance, National Outreach, Tool Development, Operations, International Representation, CAF Participant Agreements, Implementation Guidance, Community Agreements]
Closing Remarks / Q&A