The MetaData Service Distributing trust in AAI confederations
description
Transcript of The MetaData Service Distributing trust in AAI confederations
Connect. Communicate. Collaborate
The MetaData ServiceDistributing trust in AAI confederations
Manuela Stanica, DFN
Connect. Communicate. Collaborate
DF
Outline
• What is the MetaData Service (MDS)?
• Role of a MetaData Service in AAI confederations
• Use of the MDS in eduGAIN
• The MDS URLs
• Publishing and retrieving metadata
• Trust and security considerations
• Conclusions
Connect. Communicate. Collaborate
DF
What is the MetaData Service (MDS)?
• eduGAIN component developed in GN2-JRA5
• eduGAIN: the GÉANT2 AAI
• Support dynamic establishment of trust relations between members of AAI confederation
• Information model conform to SAML v 2.0 Metadata Specification
• SAML: Security Assertions Markup Language (OASIS)
Connect. Communicate. Collaborate
DF
Outline
• What is the MetaData Service (MDS)?
• Role of a MetaData Service in AAI confederations
• Use of the MDS in eduGAIN
• The MDS URLs
• Publishing and retrieving metadata
• Trust and security considerations
• Conclusions
Connect. Communicate. Collaborate
DF
AAI confederation hierarchy
• AAI confederation interconnecting AAI federations
• AAI federation participant institutions users
– access to external resources & services
– unaware of participants in other federations
– require procedure of trust establishment between them
Connect. Communicate. Collaborate
DF
AAI confederation hierarchy (2)
Connect. Communicate. Collaborate
DF
Role of metadata
• Connecting to entities in other federated AAIs – required information:– where (in which federation)?– how to reach ?– what is supported (protocols and functionalities)?
metadata– distribution to all confederation members
• static (pre-configured upon software installation)• dynamic (on request)
Connect. Communicate. Collaborate
DF
Role of a MetaData Servicein AAI confederations
• AAI confederations
– non-static environments!
– frequent updates
means for dynamic collection & distribution of metadata:
MetaData Service (MDS)
Connect. Communicate. Collaborate
DF
Outline
• What is the MetaData Service (MDS)?
• Role of a MetaData Service in AAI confederations
• Use of the MDS in eduGAIN
• The MDS URLs
• Publishing and retrieving metadata
• Trust and security considerations
• Conclusions
Connect. Communicate. Collaborate
DF
Basic principles
• Centralised storage of metadata for eduGAIN components
• Dynamic retrieval & update– metadata exchange interface: eduGAINMeta– based on REST architecture model
• Distributed publishing & querying– among local federations – no central admin– multiple metadata publishers and consumers
Connect. Communicate. Collaborate
DF
eduGAIN components
Connect. Communicate. Collaborate
DF
Bridging Elements
• MDS used by Bridging Elements (BEs):
– gateways eduGAIN – local federations
– communication with peers (BEs) in other federations
– query MDS for metadata about Home BE
– MDS response: SAML 2.0 Metadata doc
– consumers/publishers of metadata
Connect. Communicate. Collaborate
DF
Outline
• What is the MetaData Service (MDS)?
• Role of a MetaData Service in AAI confederations
• Use of the MDS in eduGAIN
• The MDS URLs
• Publishing and retrieving metadata
• Trust and security considerations
• Conclusions
Connect. Communicate. Collaborate
DF
URL structure
• Syntax of REST URL mapping:
MDS base URL[/federation ID][/entity ID][?query string]
• Combinations of:
– MDS base URL: https://mds.geant2.net/ – federation ID: dfn, feide,...– entity ID: be1 – query string – Home Locator(s): homeDomain=uio.no
Connect. Communicate. Collaborate
DF
Home Locators
• eduGAIN specific atribute-value pairs
• For: locating a remote BE (Home BE)
• From: – hints provided by user
– contents of certificate extensions
• Types: – Home domain (homeDomain=switch.ch)– URN (urn=urn:geant:edugain:component:be:switch:be1)
Connect. Communicate. Collaborate
DF
Outline
• What is the MetaData Service (MDS)?
• Role of a MetaData Service in AAI confederations
• Use of the MDS in eduGAIN
• The MDS URLs
• Publishing and retrieving metadata
• Trust and security considerations
• Conclusions
Connect. Communicate. Collaborate
DF
Publishing/ updating
• Who: metadata publishers– Federation Peering Point (FPP)– authorized Bridging Elements (BEs)
• What: SAML 2.0 Metadata documents– EntityDescriptor root ( one BE)– EntitiesDescriptor root ( several BEs)
• How: HTTP POST/PUT
Connect. Communicate. Collaborate
DF
Publishing/ updating (2)
• For whole federation:– only by FPP– EntitiesDescriptor– URL syntax: <MDS base URL/federation ID>
http://mds.ladok.umu.se/feide
• For single entities:– by FPP / authorized BEs– EntityDescriptor– URL syntax: <MDS base URL/federation ID/entity ID>
http://mds.ladok.umu.se/switch/be1
Connect. Communicate. Collaborate
DF
Retrieving metadata
• BE queries MDS via HTTP GET
• Metadata lookup– entity/federation name is known– <MDS base URL[/federation ID][/entity ID]>
http://mds.ladok.umu.se
http://mds.ladok.umu.se/switch
http://mds.ladok.umu.se/switch/entity1
• Metadata search
– entity name unknown, home locators
– <MDS base URL[/federation ID]?query string> http://mds.ladok.umu.se/?homeDomain=switch.ch
Connect. Communicate. Collaborate
DF
Outline
• What is the MetaData Service (MDS)?
• Role of a MetaData Service in AAI confederations
• Use of the MDS in eduGAIN
• The MDS URLs
• Publishing and retrieving metadata
• Trust and security considerations
• Conclusions
Connect. Communicate. Collaborate
DF
Trust establishment
• Elements of trust establishment in eduGAIN:– MDS– eduGAIN PKI– Component identifiers (CIDs)
• MDS trust tightly bound with eduGAIN PKI
minimal trust in the service itself
• Transitive trust
Connect. Communicate. Collaborate
DF
Security checks
• MDS validations:– publisher‘s X.509 certificate– publishing rights
• Publishers‘ signatures fwd with metadata
validation by consumers
Connect. Communicate. Collaborate
DF
Outline
• What is the MetaData Service (MDS)?
• Role of a MetaData Service in AAI confederations
• Use of the MDS in eduGAIN
• The MDS URLs
• Publishing and retrieving metadata
• Trust and security considerations
• Conclusions
Connect. Communicate. Collaborate
DF
Conclusions
• MDS: dynamic metadata distribution in AAI confederations
• Centralised storage, distributed trust
• Employes standard SAML 2.0 Metadata
• Possible use in any SAML-based infrastructure
• Deployment together with eduGAIN-like PKI
Connect. Communicate. Collaborate
DF
Thank you for your attention!
Questions?