SURFfederatie - eduGAIN

SURFfederatie - eduGAIN Opt-in Metadata Management for a Hub & Spoke Federation


Transcript of SURFfederatie - eduGAIN

Page 1

SURFfederatie - eduGAIN
Opt-in Metadata Management for a Hub & Spoke Federation

Page 2

SURFnet - We make innovation work

Content
- History of SURFfederatie
- Federation models
- Functional view
- Consequences of hub & spoke
- eduGAIN
- Future changes

Page 3

Once upon a time…

[Timeline, in the order read from the slide]
- 1996: Student Chipcard: authentication
- 2001: A-Select: intra-organisational web-SSO
- 2004: DigiD: government eID based on A-Select
- 2006: Federative AAI, A-Select (open source)
- 2007: FIdM service (gateway) in production
- 2008: Elsevier, EBSCO, Google Apps

Page 4

Federation models (communication/login, not metadata)

- 1-1: business / US; SAML 1.x; de facto
- NxN: shared trust, point-to-point (pt2pt); education / US and Europe
- 2xN: central gateway (CFC); protocol translation; SURFfederatie

[Diagram: IDP/SP pairs for each model; in the 2xN model every IDP and SP connects through the CFC. Legend: CFC, IDP, SP]

Page 5

Functional view (since August 2008)

[Diagram: Identity Providers (A-Select Cross, Shibboleth, SAML 2.0, WS-Fed/ADFS) and Service Providers (A-Select Cross, SAML 2.0, WS-Fed/ADFS) connect to the Central Federation Components (SURFfederatie CORE); credentials on the IdP side, applications on the SP side]

Page 6

Metadata & proxying

[Diagram: IDP1-IDP3 and SP1-SP3 connected through the WAYF, with the hub-side entities A-1..A-3 and B-1..B-3]

- IDP1 = B-1
- IDP2 = B-2
- IDP3 = B-3
- SP1 = A-1 {IDP1, IDP2}
- SP2 = A-2 {IDP2, IDP3}
- SP3 = A-3 {all}

Page 7

WAYF/WAYF-less operation

[Diagram: IDP1-IDP3 and SP1-SP3 with and without the WAYF in the path]

Page 8

Hub & spoke pros/cons

Pros
- 1 connection for IDP/SP
- Minimal overhead for IDPs
- Centralized (technical) management
- Specialist knowledge @ SN; less needed for IDP/SP
- Scales well at national level
- Extra features easier to do: web services, group support

Cons
- Procedures: release consent per SP; key/cert/metadata changes
- Lack of knowledge @ IDP: double-edged sword…
- Scalability at European level
- Can only support the common denominator

Page 9

Importing eduGAIN SPs

[Diagram: as on page 6, with eduGAIN SPs (SPx = ddd, SPy = eee, SPz = fff) imported through the hub; SPz is proxied as A-z]

- IDP1 = B-1
- IDP2 = B-2
- IDP3 = B-3
- SP1 = A-1 {IDP1, IDP2}
- SP2 = A-2 {IDP2, IDP3}
- SP3 = A-3 {all}
- SPz = A-z {IDP2, IDP3}

Page 10

Exporting IDPs

[Diagram: as on page 9; IDP3 = B-3 additionally appears on the eduGAIN side]

Page 11

Exporting SPs to eduGAIN

[Diagram: as on page 10; SP3 is exported to eduGAIN as SP3 (SP3 = SP3), and an eduGAIN IdP IDPz appears]

Page 12

SP auth list (optional)

[Diagram: as on page 11, with the eduGAIN IdPs IDPx, IDPy, IDPz visible to the hub]

Per SP auth list
- SP3: IDP1, IDP2, IDPz

Page 13

SP auth list (optional) (same content as page 12)

Page 14

Future plans
- Integrate with SURFconext
  - Procedural/organisational
  - Technical (level of integration TBD)
- Change of consent model
  - Opt-in / opt-out
  - Addition of user consent
- Web service support
  - Needed for (scientific) workflows
- Rich client / beyond web SSO / mobile support
- Rethink procedures/management

Page 15

Remco Poortinga – van [email protected]@surfnet.nl

www.surfnet.nl

Presentation released under Creative Commons: http://creativecommons.org/licenses/by/3.0/

Page 16

Page 17

Backup slides

Page 18

(C) 2011 SURFnet B.V.

URLs
An SP that wants to participate must speak SAML (because for this we are not acting as a proxy the way we normally do). https://wayf.surfnet.nl/federate/surfnet/edugain
2 IdPs: SN & TERENA; 1 SP: TERENA

(The MDS also shows: TERENA IdP via the gateway with URL encoding instead of SAML scoping (as the WAYF does) -> not everyone implements that, so for interoperability we do it this way.)

It is also possible to generate SP-specific metadata (per SP from our federation) for SPs that do not want to maintain an auth list themselves. It contains the SF IdPs + 'approved' eduGAIN IdPs.
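The per-SP auth list of page 12 and the SP-specific metadata generation described above amount to one rule: an SP either maintains its own list of accepted IdPs, or the hub builds one for it from all federation IdPs plus only the eduGAIN IdPs the hub has approved (eduGAIN stays opt-in). The following Python model is an added example and not SURFnet's code; entity names (IDP1, SPz, A-1, B-1) follow the slides, while the data classes, the approved-eduGAIN set, the "B-z"/"B-y" hub-side names for eduGAIN IdPs and the metadata dict layout are assumptions.

```python
"""Per-SP IdP authorization list for a hub & spoke federation.

Added example (not SURFnet's code). It models the slides' scheme: the
hub proxies every IdP and SP, each SP may carry an optional 'auth list'
of the IdPs it accepts, and imported eduGAIN IdPs are opt-in. Entity
names (IDP1, SPz, A-1, B-1 ...) follow the slides; the data model, the
'approved eduGAIN IdP' set and the metadata dict shape are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

LOCAL, EDUGAIN = "local", "edugain"


@dataclass(frozen=True)
class Idp:
    name: str
    proxy_entity: str   # entity the hub shows to SPs (B-1 ... on the slides)
    origin: str         # LOCAL (SURFfederatie member) or EDUGAIN (imported)


@dataclass(frozen=True)
class Sp:
    name: str
    proxy_entity: str   # entity the hub shows to IdPs (A-1 ... on the slides)
    # IdPs this SP accepts; None means the SP keeps no list of its own
    auth_list: Optional[FrozenSet[str]] = None


# Constructed registry mirroring slides 9-12. "B-z"/"B-y" for the eduGAIN
# IdPs are assumed placeholders; the slides do not name their hub-side entities.
IDPS: Dict[str, Idp] = {
    "IDP1": Idp("IDP1", "B-1", LOCAL),
    "IDP2": Idp("IDP2", "B-2", LOCAL),
    "IDP3": Idp("IDP3", "B-3", LOCAL),
    "IDPz": Idp("IDPz", "B-z", EDUGAIN),
    "IDPy": Idp("IDPy", "B-y", EDUGAIN),
}
SPS: Dict[str, Sp] = {
    "SP1": Sp("SP1", "A-1", frozenset({"IDP1", "IDP2"})),
    "SP2": Sp("SP2", "A-2", frozenset({"IDP2", "IDP3"})),
    "SP3": Sp("SP3", "A-3", frozenset({"IDP1", "IDP2", "IDPz"})),  # slide 12
    "SP4": Sp("SP4", "A-4", None),                    # constructed: no own list
    "SPz": Sp("SPz", "A-z", frozenset({"IDP2", "IDP3"})),          # eduGAIN SP
}
# eduGAIN IdPs the hub has approved for SPs without their own list (assumption).
APPROVED_EDUGAIN_IDPS: FrozenSet[str] = frozenset({"IDPz"})


def idps_for_sp(sp: Sp, idps: Dict[str, Idp] = IDPS,
                approved_edugain: FrozenSet[str] = APPROVED_EDUGAIN_IDPS) -> List[str]:
    """IdP names that go into this SP's SP-specific metadata.

    With an auth list: exactly that list, after checking that every entry
    is a known IdP (a typo would otherwise silently drop an IdP).
    Without one: all local IdPs plus only the hub-approved eduGAIN IdPs,
    so eduGAIN remains opt-in ('SF IdPs + approved eduGAIN IdPs').
    """
    if sp.auth_list is not None:
        unknown = sp.auth_list - set(idps)
        if unknown:
            raise ValueError(f"{sp.name}: unknown IdPs in auth list: {sorted(unknown)}")
        return sorted(sp.auth_list)
    return sorted(name for name, idp in idps.items()
                  if idp.origin == LOCAL or name in approved_edugain)


def wayf_needed(sp: Sp, idps: Dict[str, Idp] = IDPS,
                approved_edugain: FrozenSet[str] = APPROVED_EDUGAIN_IDPS) -> bool:
    """WAYF-less operation (slide 7): a single eligible IdP needs no IdP choice."""
    return len(idps_for_sp(sp, idps, approved_edugain)) > 1


def sp_specific_metadata(sp: Sp, idps: Dict[str, Idp] = IDPS,
                         approved_edugain: FrozenSet[str] = APPROVED_EDUGAIN_IDPS) -> dict:
    """Minimal per-SP view: the SP's hub-side entity and its IdPs' proxy entities."""
    return {
        "sp_entity": sp.proxy_entity,
        "idp_entities": [idps[n].proxy_entity
                         for n in idps_for_sp(sp, idps, approved_edugain)],
    }


if __name__ == "__main__":
    for sp in SPS.values():
        print(sp.name, idps_for_sp(sp), "WAYF" if wayf_needed(sp) else "WAYF-less")
```

The unknown-IdP check matters because an auth list is an allow-list: a misspelled entry that is silently ignored changes which IdPs can log users in to that SP without anyone noticing, so the generator refuses rather than guesses.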

Page 19

Metadata
https://aai-viewer.switch.ch/interfederation-test/test/
We are currently not saml2int compliant (we treat attributes as 'format unspecified'; according to the spec it must be 'uri').
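The saml2int deployment profile requires attributes to carry the NameFormat urn:oasis:names:tc:SAML:2.0:attrname-format:uri, and the SAML core specification treats a missing NameFormat as 'unspecified'. The check below, an added example that is not SURFnet's code, lists the attributes in an assertion that would fail that requirement; the assertion is constructed sample input, and the attribute names and values in it are examples.

```python
"""saml2int attribute NameFormat check (added example, not SURFnet's code).

Page 19 notes the deployment was not saml2int compliant because attributes
were sent with NameFormat 'unspecified' where the profile requires 'uri'.
non_uri_attributes() lists the attributes of an assertion that would fail
that check. SAMPLE_ASSERTION is constructed sample input.
"""
import xml.etree.ElementTree as ET
from typing import List

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# SAML core: an absent NameFormat attribute means 'unspecified'.
FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_constructed">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                    NameFormat="{FORMAT_UNSPECIFIED}">
      <saml:AttributeValue>student@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="{FORMAT_URI}">
      <saml:AttributeValue>student@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="displayName">
      <saml:AttributeValue>Example Student</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def non_uri_attributes(assertion_xml: str) -> List[str]:
    """Names of attributes whose effective NameFormat is not the 'uri' format.

    Only NameFormat is inspected; signature and condition validation are out
    of scope here. For XML received from a peer, parse with a hardened parser
    (e.g. defusedxml) instead of calling ElementTree on it directly.
    """
    root = ET.fromstring(assertion_xml)
    offending = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        # A missing NameFormat counts as 'unspecified', so it fails too.
        name_format = attr.get("NameFormat", FORMAT_UNSPECIFIED)
        if name_format != FORMAT_URI:
            offending.append(attr.get("Name", "<unnamed>"))
    return offending


if __name__ == "__main__":
    for name in non_uri_attributes(SAMPLE_ASSERTION):
        print("not saml2int compliant:", name)
```

Run against an IdP's test assertion (or the attribute definitions in its metadata), an empty result means every attribute is released in the uri format; the third sample attribute shows the easily missed case where NameFormat is simply absent.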