SURFfederatie - eduGAIN
Transcript of SURFfederatie - eduGAIN
SURFfederatie - eduGAIN: Opt-in Metadata Management for a Hub & Spoke Federation
SURFnet - We make innovation work
Content
- History of SURFfederatie
- Federation models
- Functional view
- Consequences of hub & spoke
- eduGAIN
- Future changes
Once upon a time… (timeline)
- 1996: Student Chipcard: authentication
- 2001: A-Select: intra-organisational web-SSO
- 2004: DigiD: government eID based on A-Select
- 2006: Federative AAI, A-Select (open source)
- 2007: FIdM service (gateway) in production
- 2008: Elsevier, EBSCO, Google Apps
Federation models (communication/login, not metadata)
- 1-1
  - Business (US): SAML 1.x
  - de facto
- NxN
  - Shared trust, point-to-point
  - Education (US/Europe)
- 2xN
  - Central gateway (CFC)
  - Protocol translation
  - SURFfederatie
(Diagram legend: CFC, IDP, SP; IDP-SP pairs connected through the CFC.)
Functional view (since August 2008)
(Diagram: Identity Providers (credentials) and Service Providers (applications) connect to the Central Federation Components, the SURFfederatie CORE, over A-Select Cross, Shibboleth, SAML 2.0 and WS-Fed / ADFS.)
Metadata & proxying
(Diagram: IDP1, IDP2, IDP3 and SP1, SP2, SP3 each connect only to the hub, which runs the WAYF. The hub proxies every entity under its own identifier: each IDP as B-n, each SP as A-n; the set after an SP lists the IDPs it may use.)
Proxy table:
- IDP1 = B-1
- IDP2 = B-2
- IDP3 = B-3
- SP1 = A-1 {IDP1, IDP2}
- SP2 = A-2 {IDP2, IDP3}
- SP3 = A-3 {all}
WAYF/WAYF-less operation
(Diagram: the same IDP1-3 / SP1-3 topology, with the WAYF at the hub.)
Hub & spoke pros/cons
Pros
- 1 connection for IDP/SP
- Minimal overhead for IDPs
- Centralized (technical) management
- Specialist knowledge @ SN
  - Less needed for IDP/SP
- Scales well at national level
- Extra features easier to do
  - Web services
  - Group support
Cons
- Procedures
  - Release consent per SP
  - Key/cert/metadata changes
- Lack of knowledge @ IDP
  - Double-edged sword…
- Scalability at European level
- Can only support the common denominator
Importing eduGAIN SPs
(Diagram: the hub imports SP metadata from eduGAIN (SPx=ddd, SPy=eee, SPz=fff) and takes SPz into its own proxy table as A-z.)
Proxy table:
- IDP1 = B-1
- IDP2 = B-2
- IDP3 = B-3
- SP1 = A-1 {IDP1, IDP2}
- SP2 = A-2 {IDP2, IDP3}
- SP3 = A-3 {all}
- SPz = A-z {IDP2, IDP3}
Exporting IDPs
(Diagram: proxy table as on "Importing eduGAIN SPs"; the hub exports IDP3 to eduGAIN under its proxy identity B-3.)
Exporting SPs to eduGAIN
(Diagram: proxy table as on "Importing eduGAIN SPs"; SP3 is exported to eduGAIN under its own identity (SP3 = SP3, not a proxy identity). eduGAIN also contains IDPz.)
SP auth list (optional)
(Diagram: proxy table as on "Importing eduGAIN SPs"; eduGAIN contains SPx, SPy, SPz and IDPx, IDPy, IDPz; SP3 is exported as SP3.)
Per SP auth list:
- SP3: IDP1, IDP2, IDPz
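The proxy table and the per-SP auth list described on the "Metadata & proxying" and "SP auth list" slides, as an added Python illustration that is not SURFfederatie code. The entity names (IDP1..IDP3, SP1..SP3, SPz, IDPx, IDPz, A-n, B-n) are the slides' own; the `Hub` class, its method names, the `approved` flag on eduGAIN IDPs, the choice to keep imported eduGAIN IDPs under their own identifier, and the rule that `{all}` expands to the federation's IDPs plus approved eduGAIN IDPs (taken from the backup slide on SP-specific metadata) are assumptions. It shows what centralising the check buys: the hub decides, per SP, which IDPs may authenticate, and once an SP maintains its own auth list a federation IDP that is not on it is refused even though the IDP is a member.

```python
"""Toy model of a hub & spoke federation's proxy table and per-SP auth lists.

Added illustration, not SURFfederatie code. Entity names come from the slides;
the data model, method names and the 'approved' flag are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

ALL = "all"  # the slides' "{all}": every federation IDP plus approved eduGAIN IDPs (assumption)


@dataclass(frozen=True)
class Idp:
    entity_id: str
    proxy_id: str            # B-n: the identity the hub presents to SPs
    source: str = "local"    # "local" federation member or "edugain"
    approved: bool = True    # eduGAIN IDPs only: on the hub's 'approved' list (assumption)


@dataclass(frozen=True)
class Sp:
    entity_id: str
    proxy_id: str                        # A-n: the identity the hub presents to IDPs
    allowed: frozenset[str] | str = ALL  # per-SP auth list, or ALL
    source: str = "local"


class Hub:
    """The central federation component: proxies entities and enforces per-SP policy."""

    def __init__(self) -> None:
        self.idps: dict[str, Idp] = {}
        self.sps: dict[str, Sp] = {}

    def add_idp(self, idp: Idp) -> None:
        self.idps[idp.entity_id] = idp

    def add_sp(self, sp: Sp) -> None:
        self.sps[sp.entity_id] = sp

    def set_auth_list(self, sp_id: str, idp_ids) -> None:
        """Give an SP its own (optional) auth list; replaces ALL or a previous list."""
        sp = self.sps[sp_id]
        self.sps[sp_id] = Sp(sp.entity_id, sp.proxy_id, frozenset(idp_ids), sp.source)

    def authorised_idps(self, sp_id: str) -> list[str]:
        """IDPs the hub lets authenticate users for this SP.

        This is both what the WAYF offers the user and what SP-specific
        metadata generated for the SP would contain.
        """
        sp = self.sps[sp_id]
        if sp.allowed == ALL:
            return sorted(i.entity_id for i in self.idps.values()
                          if i.source == "local" or i.approved)
        return sorted(i for i in sp.allowed if i in self.idps)

    def authorise(self, sp_id: str, idp_id: str) -> bool:
        """Hub-side check on a response from idp_id destined for sp_id.

        Unknown SPs and unknown IDPs are refused; so is a known IDP that is
        not on the SP's list, even when it is a federation member.
        """
        return sp_id in self.sps and idp_id in self.authorised_idps(sp_id)

    def seen_by_sps(self, idp_id: str) -> str:
        """Identifier an SP sees for this IDP (B-n)."""
        return self.idps[idp_id].proxy_id

    def seen_by_idps(self, sp_id: str) -> str:
        """Identifier an IDP sees for this SP (A-n)."""
        return self.sps[sp_id].proxy_id


def build_hub_from_slides() -> Hub:
    """Populate a Hub with the entities and proxy table shown on the slides."""
    hub = Hub()
    for n in (1, 2, 3):
        hub.add_idp(Idp(f"IDP{n}", f"B-{n}"))
    hub.add_sp(Sp("SP1", "A-1", frozenset({"IDP1", "IDP2"})))
    hub.add_sp(Sp("SP2", "A-2", frozenset({"IDP2", "IDP3"})))
    hub.add_sp(Sp("SP3", "A-3", ALL))
    # Importing eduGAIN SPs: SPz is taken into the proxy table as A-z
    hub.add_sp(Sp("SPz", "A-z", frozenset({"IDP2", "IDP3"}), source="edugain"))
    # eduGAIN IDPs keep their own identifier here (assumption); IDPz is
    # 'approved', IDPx is not (constructed to show the difference)
    hub.add_idp(Idp("IDPz", "IDPz", source="edugain", approved=True))
    hub.add_idp(Idp("IDPx", "IDPx", source="edugain", approved=False))
    return hub


if __name__ == "__main__":
    hub = build_hub_from_slides()
    print("SP3 with {all}:", hub.authorised_idps("SP3"))
    hub.set_auth_list("SP3", {"IDP1", "IDP2", "IDPz"})  # the slide's per-SP auth list
    print("SP3 with own list:", hub.authorised_idps("SP3"))
    print("IDP3 -> SP3 allowed?", hub.authorise("SP3", "IDP3"))
```

The same `authorised_idps` result serves three purposes the slides mention separately: the WAYF list shown to the user, the content of SP-specific metadata, and the hub-side decision on an incoming response. Keeping them one function is what makes the "centralized management" pro real: there is a single place where an IDP can be added to or removed from an SP.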
Future plans
- Integrate with SURFconext
  - Procedural/organisational
  - Technical (level of integration TBD)
- Change of consent model
  - Opt-in / Opt-out
  - Addition of user consent
- Web service support
  - Needed for (scientific) workflows
- Rich client / beyond web SSO / mobile support
- Rethink procedures/management
Remco Poortinga – van [email protected]@surfnet.nl
www.surfnet.nl
Presentation released under Creative Commons: http://creativecommons.org/licenses/by/3.0/
Backup slides
(C) 2011 SURFnet B.V.
URLs
An SP that wants to participate must do SAML (because for that we are not a proxy, as we normally are).
https://wayf.surfnet.nl/federate/surfnet/edugain
2 IDPs: SN & TERENA; 1 SP: TERENA
(The MDS also shows: TERENA IDP via the gateway with URL encoding instead of SAML scoping (like the WAYF) -> not everyone implements that, so for interoperability we do it this way.)
It is also possible to generate SP-specific metadata (per SP from our federation) for SPs that do not want to maintain an auth list themselves. It contains SF IDPs + 'approved' eduGAIN IDPs.
Metadata
https://aai-viewer.switch.ch/interfederation-test/test/
We are currently not saml2int compliant (we treat attributes as 'format unspecified'; according to the spec it must be 'uri').
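The saml2int point on this slide, as an added Python check that is not the hub's code: it scans the `<saml:Attribute>` elements of an assertion for a NameFormat other than the 'uri' format saml2int requires, and shows the corrected form. The assertion is constructed for this example; the two attrname-format URIs are the SAML 2.0 ones, and an absent NameFormat counts as 'unspecified', as SAML 2.0 core defines. Rewriting belongs where the assertion is generated, before signing; patching a signed assertion afterwards invalidates its signature.

```python
"""saml2int check for the NameFormat of SAML 2.0 attributes.

Added illustration, not the hub's code. The sample assertion is constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAMEFORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
ATTRIBUTE_TAG = f"{{{SAML_NS}}}Attribute"

ET.register_namespace("saml", SAML_NS)  # keep the saml: prefix when serialising


def check_attribute_nameformats(assertion_xml: str) -> list[str]:
    """One finding per <saml:Attribute> whose NameFormat is not the 'uri' format.

    SAML 2.0 core treats an absent NameFormat as 'unspecified', so an attribute
    without the XML attribute is reported too.
    """
    root = ET.fromstring(assertion_xml)
    findings = []
    for attr in root.iter(ATTRIBUTE_TAG):
        name = attr.get("Name", "<unnamed>")
        fmt = attr.get("NameFormat", NAMEFORMAT_UNSPECIFIED)
        if fmt != NAMEFORMAT_URI:
            findings.append(f"{name}: NameFormat {fmt!r}, saml2int requires {NAMEFORMAT_URI!r}")
    return findings


def rewrite_nameformats(assertion_xml: str) -> str:
    """Return the assertion with every attribute NameFormat set to the 'uri' format.

    Meant for the point where the hub builds an assertion, before it is signed:
    changing a signed assertion afterwards invalidates the signature.
    """
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(ATTRIBUTE_TAG):
        attr.set("NameFormat", NAMEFORMAT_URI)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: one compliant attribute, one 'unspecified', one without NameFormat.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2011-01-01T00:00:00Z">
  <saml:Issuer>https://hub.example.org/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>jan@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:mail"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>jan@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:displayName">
      <saml:AttributeValue>Jan Jansen</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

if __name__ == "__main__":
    for finding in check_attribute_nameformats(SAMPLE_ASSERTION):
        print("non-compliant:", finding)
    print(check_attribute_nameformats(rewrite_nameformats(SAMPLE_ASSERTION)))  # []
```

Run against the constructed assertion the check reports the `mail` attribute (explicitly 'unspecified') and the `displayName` attribute (no NameFormat at all), and reports nothing once the assertion has been rewritten. The same check run over an IDP's real assertions, or over the attribute declarations in its metadata, is a cheap way to catch the interop problem the slide describes before an SP that enforces saml2int rejects the attributes.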