Connect. Communicate. Collaborate

eduGAIN in Real Life!

Ajay Daryanani, RedIRIS

TERENA Networking Conference Brugge, 20th May 2008

Connect. Communicate. CollaborateOutline

• Introducing eduGAIN• eduGAIN in real life• eduGAIN FAQ• Future plans

Connect. Communicate. CollaborateOutline

• Introducing eduGAINIntroducing eduGAIN• eduGAIN in real life• eduGAIN FAQ• Future plans

Connect. Communicate. CollaborateIntroduction: Concepts

• eduGAIN federates federations

• Federation software and policy remain untouched

• Providing trust among partners

• Using standards

Connect. Communicate. Collaborate

INTRODUCTION: ARCHITECTUREIntroduction: Architecture Connect. Communicate. Collaborate

Connect. Communicate. Collaborate

Bridging Elements

• Adapt eduGAIN messages to local protocols

• Query the MDS for other BEs in the infrastructure

• Several BEs available

Connect. Communicate. Collaborate

Federation Peering Point

• Publishes SAML 2.0 metadata to the MDS

• Metadata describes federation interfaces in eduGAIN, such as IdPs, SPs, AAs..

Connect. Communicate. Collaborate

Metadata Service

• Allows storage and retrieving of federation information

• Different search options

• Metadata must be signed by the FPP

Connect. Communicate. Collaborate

INTRODUCTION: ARCHITECTUREIntroduction: To BE or not to BE Connect. Communicate. Collaborate

MDS

SPBE

IdPBE

IdPBEIdP

BE

SPBE

SPBE

SPBE

FPP

BE

SPSP

SPSP

SP

IdP

IdP

IdP

IdPBE

FPP

Connect. Communicate. CollaborateOutline

• Introducing eduGAIN• eduGAIN in real lifeeduGAIN in real life• eduGAIN FAQ• Future plans

Connect. Communicate. CollaborateeduGAIN in real life

• Two approaches– Components

• URN Registry• eduGAIN PKI• MDS-based WFAYF• eduGAINFilter

– Applications / Projects• autoBAHN• Web applications• perfSONAR, DAMe

Connect. Communicate. CollaborateComponents: URN Registry

• Each eduGAIN component MUST have a unique URN• Registry can be delegated• Registry software available • Can produce XML output• Format:

urn:geant:edugain:component:be:rediris:rediris.es

• URL: http://registry.edugain.org

Connect. Communicate. CollaborateComponents: eduGAIN PKI

• Each eduGAIN component MUST have a X.509 certificate– Which includes the previously registered URN

• Different RAs can be delegated from eduGAINSCA• PKI software available• URL: http://sca.edugain.org

• eduGAIN supports multiple roots of trust– Certs MUST include a proper URN– CA MUST comply to eduGAIN PMA policy

Connect. Communicate. Collaborate

Components: MDS-based WAYF (1)

• WAYF = Where Are You From• Queries the MDS for available federations and IdPs

Connect. Communicate. Collaborate

Components: MDS-based WAYF

(2)

• Highlight available federations

• Federation info available through javascript events

• Servlet can be queried by other interfaces

RedIRIS federation

-Organization info

- IdPs

- …

Connect. Communicate. Collaborate

Components: eduGAINFilter

• Implementation of the javax.servlet.Filter interface• eduGAINizes any application inside a servlet container…• … without any federation software!• Operates as an eduGAIN Remote Bridging Element• Beta version available at GÉANT2 SVN

Connect. Communicate. CollaborateApplications: autoBAHN (1)

• AutoBAHN is a research activity for engineering, automating and streamlining the inter-domain setup of guaranteed capacity (Gbit/s) end-to-end-paths

• A chained-solution is adopted:– A user is authenticated and his/her BoD request is

authorized successively in each domain on the path where bandwidth should be scheduled.

– The scheduled resource are enabled in each domain by the Domain Manager (DM) only after AA

Extract from a presentation by Victor Reijs (HEAnet)http://tnc2007.terena.org/meetings/aai-slides/autoBAHN_AAI_TNC2007-vr-03.ppt

Connect. Communicate. Collaborate

Applications: AutoBAHN (2)

• User authN is performed through eduGAINFilter

• DM fetches user data and includes it in the WS message using SAML Parser

• Each IDM may use the data to perform authorization locally

Connect. Communicate. CollaborateApplications: WebSSO

• Tested eduGAINized applications– Wikis

• JRA5 wiki: http://wiki.rediris.es/jra5• DemoWiki: http://demowiki.feide.no

– Flyspray: http://flyspray.edugain.org– OTRS: http://edugain-rnd.srce.hr/otrs/customer.pl

• All apps listed here can be connected:– http://rnd.feide.no/view/federatedsoftware– https://wiki.internet2.edu/confluence/display/seas/Home

• Lessons learned– We need attribute conversion– We need to agree on access policies– It works :-)

Connect. Communicate. CollaborateOutline

• Introducing eduGAIN• eduGAIN in real life• eduGAIN FAQeduGAIN FAQ• Future plans

Connect. Communicate. CollaborateThe common reaction

Connect. Communicate. CollaborateeduGAIN FAQs

• Question: What the $%&/ is eduGAIN about?– Answer: Watch the presentation from the beginning

• Q: Does this freak stuff really work?– A: YES

• Q: What do I need to become part of the infrastructure?– A: The recipe is: Choose your SW, add a pinch of URN and mix it

with certificates; cook your metadata on slow fire, take it from the fire and place it in a MDS. It can be seasoned with your own CA.

• Q: My problem can’t be solved with the current eduGAIN profiles– A: Contact us!

Connect. Communicate. CollaborateOutline

• Introducing eduGAIN• eduGAIN in real life• eduGAIN FAQ• Future plansFuture plans

Connect. Communicate. CollaborateFuture plans

• Complete the implementation, make it stable• Add SAML 2.0 support• Shib 2.0 testing• Dynamic metadata discovery• Explore new profiles and use cases• Transition to service

Connect. Communicate. CollaborateThanks to…

Connect. Communicate. CollaborateFor More Information

• http://www.edugain.org• http://www.geant2.net• For latest news and factsheets http://www.geant2.net/media

• For research activities http://www.geant2.net/research