The eduGAIN Way
Transcript of The eduGAIN Way
![Page 1: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/1.jpg)
Connect. Communicate. Collaborate
The eduGAIN Way
Diego R. Lopez - RedIRIS
![Page 2: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/2.jpg)
As Federations Grow
• The risk of dying of success
– Do we really need to go on selling the federated idea?
• Different communities, different needs
– Not even talking about international collaboration
– Different (but mostly alike) solutions
– Grids and libraries as current examples
– And many to come: Governments, professional associations, commercial operators,…
• Don’t hold your breath waiting for the Real And Only Global Federation
![Page 3: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/3.jpg)
Confederations Federate Federations
• Same federating principles applied to federations themselves
– Own policies and technologies are locally applied
• Independent management
– Identity and authentication-authorization must be properly handled by the participating federations
• Commonly agreed policy
– Linking individual federation policies
– Coarser than them
• Trust fabric entangling participants
– Without affecting each federation’s fabric
– E2E trust must be dynamically built
![Page 4: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/4.jpg)
Applying Confederation Concepts in eduGAIN
• An eduGAIN confederation is a loosely-coupled set of cooperating federations
– That handle identity management, authentication and authorization using their own policies
• Trust between any two participants in different federations is dynamically established
– Members of a participant federation do not know in advance about members in the other federations
• Syntax and semantics are adapted to a common language
– Through an abstract service definition
![Page 5: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/5.jpg)
The eduGAIN Model
[Diagram: Id Repository(ies) on the home side and Resource(s) on the remote side. Each side's Federation Peering Point (H-FPP, R-FPP) publishes metadata to the MDS (metadata service); each side's Bridging Element (H-BE, R-BE) queries the MDS for metadata; the AA interaction runs between the Id Repository, the two BEs and the Resource.]
![Page 6: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/6.jpg)
An Adaptable Model: from centralized structures...
[Diagram: the MDS in the centre; each federation is represented by a single FPP/BE pair that fronts all of that federation's SPs and IdPs.]
![Page 7: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/7.jpg)
An Adaptable Model: ...to fully E2E ones...
[Diagram: the MDS in the centre; every SP and every IdP runs its own BE and interacts with the others directly.]
![Page 8: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/8.jpg)
An Adaptable Model: ...including any mix of them
[Diagram: the MDS in the centre; some SPs and IdPs run their own BE while others sit behind a federation-level FPP/BE pair.]
![Page 9: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/9.jpg)
A General Model for eduGAIN Interactions
[Diagram: a Requester (fronting a Resource, component ID urn:geant2:...:requester) and a Responder (fronting an Id Repository, component ID urn:geant2:...:responder); both talk to the MDS and to each other over TLS channels.]
Metadata query to the MDS: https://mds.geant.net/?cid=someURN
Metadata returned: <EntityDescriptor ... entityID="urn:geant2:..:responder"> ... <SingleSignOnService ... Location="https://responder.dom/" /> ...
Request: <samlp:Request ... RequestID="e70c3e9e6…" IssueInstant="2006-06…"> ... </samlp:Request>
Response: <samlp:Response ... ResponseID="092e50a08…" InResponseTo="e70c3e9e…"> ... </samlp:Response>
![Page 10: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/10.jpg)
A Layered Model for Implementation
[Diagram, layers from top to bottom:]
Component logic
eduGAIN Profile Access
eduGAINBase + eduGAINVal + eduGAINMeta
SAML toolkit (OpenSAML)
SOAP/TLS/XMLSig libraries
![Page 11: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/11.jpg)
The eduGAIN APIs: Trust Evaluation
[Diagram: the eduGAINVal API, backed by its Configuration, a Key Store and a Trust Store, answers three kinds of call:]
– Is this trust material (cert/signature) valid? Does it correspond to component X? → Valid/not valid; corresponds to component X
– Sign this piece of XML → Signature
– Which trust material to use for connecting? → Trust material
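The interaction model of the earlier slide (component ID lookup in the MDS, a SAML 1.1 request answered by a response whose InResponseTo carries the RequestID) and the trust-evaluation questions above fit in one small model. The following Python is an added example, not eduGAIN's own code or API: the MDS is an in-memory dictionary, the component IDs, endpoint and certificate bytes are constructed, and XMLSig verification itself is assumed to happen in the layer below (the requester is handed the certificate the signature verified under, and only decides whether that certificate is bound to the component it queried).

```python
# Added example, not eduGAIN's own code. It models one requester/responder
# exchange of the general interaction model (MDS lookup by component ID,
# SAML 1.1 request/response correlated through RequestID/InResponseTo) and the
# two questions the eduGAINVal API answers about the responder's trust material:
# is it valid, and does it correspond to the component we asked?
# Component IDs, endpoint, certificate bytes and the MDS content are constructed.
import hashlib
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"      # EntityDescriptor schema
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"   # SAML 1.1 protocol messages
ET.register_namespace("md", MD_NS)
ET.register_namespace("samlp", SAMLP_NS)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_SKEW = timedelta(minutes=5)

REQUESTER_ID = "urn:geant2:example:requester"        # hypothetical component IDs
RESPONDER_ID = "urn:geant2:example:responder"
RESPONDER_CERT = b"-----BEGIN CERTIFICATE-----\nconstructed responder cert\n-----END CERTIFICATE-----\n"

# Stand-in for the MDS: the EntityDescriptor that GET https://mds.geant.net/?cid=<cid> would return.
MDS = {RESPONDER_ID: (
    f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{RESPONDER_ID}">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">'
    '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"'
    ' Location="https://responder.example/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>')}


def fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()


# Trust store: key material bound to each component ID. A signature that verifies
# under a key not bound to the claimed component is "valid" but does not
# "correspond to component X"; that is the check an impersonating member fails.
TRUST_STORE = {RESPONDER_ID: fingerprint(RESPONDER_CERT)}


def now_utc() -> datetime:
    return datetime.now(timezone.utc)


def resolve_endpoint(cid: str) -> str:
    """MDS lookup: the metadata must describe the cid asked for and offer a TLS endpoint."""
    descriptor = ET.fromstring(MDS[cid])
    if descriptor.get("entityID") != cid:
        raise ValueError("metadata entityID does not match the requested cid")
    sso = descriptor.find(f".//{{{MD_NS}}}SingleSignOnService")
    if sso is None or not sso.get("Location", "").startswith("https://"):
        raise ValueError("no TLS-protected SingleSignOnService endpoint in metadata")
    return sso.get("Location")


class Requester:
    def __init__(self, component_id: str):
        self.component_id = component_id
        self.pending: Dict[str, str] = {}   # RequestID -> component ID the request went to

    def build_request(self, responder_cid: str) -> Tuple[str, str]:
        """Return (endpoint, SAML 1.1 Request) for the responder found through the MDS."""
        endpoint = resolve_endpoint(responder_cid)
        request_id = "_" + secrets.token_hex(16)   # unpredictable: a response cannot be forged ahead of time
        req = ET.Element(f"{{{SAMLP_NS}}}Request", {
            "MajorVersion": "1", "MinorVersion": "1",
            "RequestID": request_id, "IssueInstant": now_utc().strftime(TIME_FMT)})
        self.pending[request_id] = responder_cid
        return endpoint, ET.tostring(req, encoding="unicode")

    def check_response(self, response_xml: str, signer_cert: bytes,
                       now: Optional[datetime] = None) -> Tuple[bool, str]:
        """signer_cert is the certificate the XMLSig layer already verified the signature
        against; this layer decides whether that key belongs to the component we asked."""
        resp = ET.fromstring(response_xml)
        if resp.tag != f"{{{SAMLP_NS}}}Response":
            return False, "not a SAML 1.x Response"
        in_response_to = resp.get("InResponseTo")
        responder_cid = self.pending.get(in_response_to)
        if responder_cid is None:
            return False, "InResponseTo does not match an outstanding request"
        if TRUST_STORE.get(responder_cid) != fingerprint(signer_cert):
            return False, f"signing certificate is not bound to {responder_cid}"
        issued_raw = resp.get("IssueInstant")
        if not issued_raw:
            return False, "missing IssueInstant"
        issued = datetime.strptime(issued_raw, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs((now or now_utc()) - issued) > MAX_SKEW:
            return False, "IssueInstant outside the allowed clock skew"
        del self.pending[in_response_to]   # one response per request: a replay fails above
        return True, "ok"


def responder_answer(request_xml: str) -> Tuple[str, bytes]:
    """Responder side: echo the RequestID in InResponseTo and return the signing certificate."""
    req = ET.fromstring(request_xml)
    resp = ET.Element(f"{{{SAMLP_NS}}}Response", {
        "MajorVersion": "1", "MinorVersion": "1", "ResponseID": "_" + secrets.token_hex(16),
        "InResponseTo": req.get("RequestID"), "IssueInstant": now_utc().strftime(TIME_FMT)})
    return ET.tostring(resp, encoding="unicode"), RESPONDER_CERT
```

The trust store carries the second of the two questions: a signature from any legitimate member verifies, but only the certificate bound in the trust store to the component ID that was queried may answer that request. The RequestID is unpredictable and consumed on first successful check, so a captured response cannot be replayed, and the IssueInstant window bounds how long a response stays usable.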
![Page 12: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/12.jpg)
The eduGAIN APIs: Metadata Access
[Diagram: the eduGAINMeta API, backed by its Configuration and using eduGAINVal, answers three kinds of call:]
– Publish these metadata (component metadata) through the MDS server → Publishing result
– Give me metadata about this part of eduGAIN → Metadata
– Which component(s) can be queried to retrieve data about someone with these Home Locators?
![Page 13: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/13.jpg)
The eduGAIN APIs: Abstract Service
[Diagram: the eduGAINBase API, backed by its Configuration and using eduGAINMeta and eduGAINVal, answers three kinds of call:]
– Create/manipulate an abstract service object → Abstract service object or protocol element
– Send ASO: (AuthN/Attr/AuthR) request (Vanilla profile) → Corresponding ASO response
– Transform these abstract service objects to/from wire protocol → Abstract service object
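What "transform to/from wire protocol" amounts to for one abstract service object, as an added example that is not the eduGAIN toolkit's code: an attribute request in profile-independent form, serialised to a SAML 1.1 AttributeQuery (the wire form of the SAML 1.1 base the profiles use) and parsed back, with malformed or wrong-version messages rejected at the boundary. The dataclass fields, the sample identifiers and the attribute names are constructed for the example.

```python
# Added example, not the eduGAIN toolkit's code: a minimal attribute-request
# abstract service object (ASO) and the two transforms the slide names,
# ASO -> wire protocol and wire protocol -> ASO, with SAML 1.1 AttributeQuery
# as the wire form. Identifiers, sample values and attribute names are constructed.
from dataclasses import dataclass, field
from typing import List
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"   # Shibboleth 1.x attribute namespace
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


@dataclass
class AttributeRequest:
    """Profile-independent view of 'get these attributes about this subject for this resource'."""
    request_id: str
    issue_instant: str
    subject: str                 # NameIdentifier value, e.g. a handle issued by the home side
    name_qualifier: str          # who issued the NameIdentifier
    resource: str                # the resource the attributes are requested for
    attributes: List[str] = field(default_factory=list)


# Constructed sample input.
SAMPLE = AttributeRequest(
    request_id="_c0ffee", issue_instant="2006-06-01T12:00:00Z",
    subject="handle-42", name_qualifier="urn:geant2:example:home",
    resource="https://resource.example/",
    attributes=["urn:mace:dir:attribute-def:eduPersonAffiliation"])


def to_wire(aso: AttributeRequest) -> str:
    """ASO -> SAML 1.1 Request carrying an AttributeQuery."""
    req = ET.Element(f"{{{SAMLP}}}Request", {
        "MajorVersion": "1", "MinorVersion": "1",
        "RequestID": aso.request_id, "IssueInstant": aso.issue_instant})
    query = ET.SubElement(req, f"{{{SAMLP}}}AttributeQuery", {"Resource": aso.resource})
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameIdentifier", {"NameQualifier": aso.name_qualifier})
    name_id.text = aso.subject
    for name in aso.attributes:
        ET.SubElement(query, f"{{{SAML}}}AttributeDesignator",
                      {"AttributeName": name, "AttributeNamespace": ATTR_NS})
    return ET.tostring(req, encoding="unicode")


def from_wire(xml: str) -> AttributeRequest:
    """SAML 1.1 Request -> ASO; anything that is not a well-formed 1.1 AttributeQuery is refused."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}Request" or (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        raise ValueError("not a SAML 1.1 Request")
    if not root.get("RequestID") or not root.get("IssueInstant"):
        raise ValueError("Request lacks RequestID or IssueInstant")
    query = root.find(f"{{{SAMLP}}}AttributeQuery")
    if query is None:
        raise ValueError("Request carries no AttributeQuery")
    name_id = query.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("AttributeQuery has no subject")
    attributes = []
    for designator in query.findall(f"{{{SAML}}}AttributeDesignator"):
        if designator.get("AttributeNamespace") != ATTR_NS:   # only the agreed namespace is mapped
            raise ValueError(f"unknown attribute namespace {designator.get('AttributeNamespace')!r}")
        attributes.append(designator.get("AttributeName"))
    return AttributeRequest(
        request_id=root.get("RequestID"), issue_instant=root.get("IssueInstant"),
        subject=name_id.text.strip(), name_qualifier=name_id.get("NameQualifier", ""),
        resource=query.get("Resource", ""), attributes=attributes)


def round_trips(aso: AttributeRequest) -> bool:
    """True when serialising and parsing back yields the same ASO."""
    return from_wire(to_wire(aso)) == aso
```

Component logic above this layer only ever sees `AttributeRequest`; swapping the wire form for a SAML 2.0 AttributeQuery during the transition period the profiles slide mentions would change `to_wire` and `from_wire` only.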
![Page 14: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/14.jpg)
The eduGAIN APIs: Profile Access
[Diagram: the eduGAINProfile API, backed by its Configuration and built on eduGAINBase, eduGAINMeta and eduGAINVal, answers four kinds of call:]
– Is this AuthN/Attr material valid? → Valid/not valid
– Provide data from the requester → Data
– Create/modify a security token → Token
– Is this request authorized? → Authorization response
![Page 15: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/15.jpg)
eduGAIN Profiles
• Oriented to
– Enable direct federation interaction
– Enable services in a confederated environment
• Four profiles discussed so far
– WebSSO (Shibboleth browser/POST)
– AC (automated client: no human interaction)
– UbC (user behind non-Web client: use of SASL-CA)
– WE (WebSSO enhanced client: delegation)
• Others envisaged
– Extended Web SSO (allowing the sending of POST data)
– eduGAIN usage from roaming clients (DAMe)
• Based on SAML 1.1
– Mapping to SAML 2.0 profiles along the transition period
![Page 16: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/16.jpg)
The WebSSO Profile
![Page 17: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/17.jpg)
The AC Profile
![Page 18: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/18.jpg)
The UbC Profile
![Page 19: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/19.jpg)
The WE Profile
![Page 20: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/20.jpg)
The Paved Way
• The first eduGAIN enabled resource is already available
– http://www.rediris.es/jra5wiki/
– As a result of the implementation of the WebSSO profile
• Prototypes for
– The MDS
– The component ID registry
– The PKI components
• eduGAIN base APIs available at the GN2 SVN server
• Cookbook and reference material
![Page 21: The eduGAIN Way](https://reader031.fdocuments.us/reader031/viewer/2022011718/5681675b550346895ddc20e8/html5/thumbnails/21.jpg)
The Road Ahead
• Implementing the rest of the initial profiles
– Direct collaboration with initial user activities
– And initial liaisons with some others
• Migration to SAML2
– Plans to align as much as possible with Shibboleth 2
• Building stable support services
– Many component IDs foreseen
– Web-based and extensible PKI services
• Keeping coolness
– CardSpace
– OpenID
• And policy!