
SURFfederatie - eduGAIN Opt-in Metadata Management for a Hub & Spoke Federation.


1 SURFfederatie - eduGAIN Opt-in Metadata Management for a Hub & Spoke Federation

2 Content
- History of SURFfederatie
- Federation models
- Functional view
- Consequences of hub & spoke
- eduGAIN
- Future changes
SURFnet - We make innovation work

3 Once upon a time…
(Timeline figure with the years 1996, 2001, 2004, 2006, 2007 and 2008 and the following milestones:)
- Student Chipcard: authentication
- A-Select: intra-organisational web-SSO
- DigiD: government eID based on A-Select
- Federative AAI, A-Select (open source)
- FIdM service (gateway) in production
- Elsevier, EBSCO, Google Apps

4 Federation models (communication/login, not metadata)
- 1-1: business, US; SAML 1.x; de-facto
- NxN: shared trust, point-to-point; education, US/Europe
- 2xN: central gateway (CFC) with protocol translation; SURFfederatie = CFC, IDP, SP
(Diagram: IDP/SP pairs connected directly in the first two models; in the third, every IDP and SP connects only to the CFC.)

5 Functional view (since August 2008)
(Diagram: Identity Providers, holding the credentials, and Service Providers, offering the applications, each connect to the SURFfederatie core, the Central Federation Components, over the protocol of their choice: A-Select Cross, Shibboleth, SAML 2.0 or WS-Fed / ADFS.)

6 Metadata & proxying
(Diagram: IDP 1, IDP 2 and IDP 3 on one side of the hub, SP1, SP2 and SP3 on the other, with the WAYF in between. Towards the SPs each IDP is represented by a hub proxy entity: IDP1=B-1, IDP2=B-2, IDP3=B-3. Towards the IDPs each SP is represented by a hub proxy entity, annotated with the IDPs allowed to use it: SP1=A-1 {IDP1, IDP2}, SP2=A-2 {IDP2, IDP3}, SP3=A-3 {all}.)

7 WAYF/WAYF-less operation
(Diagram: the same IDP 1-3 and SP1-3 behind the hub, with the WAYF between them.)

8 hub & spoke pros/cons
Pros
- 1 connection for IDP/SP
- Minimal overhead for IDPs
- Centralized (technical) management
- Specialist knowledge @ SN
  - Less needed for IDP/SP
- Scales well at national level
- Extra features easier to do
  - Web services
  - Group support
Cons
- Procedures
  - release consent per SP
  - Key/cert/metadata changes
- Lack of knowledge @ IDP
  - Double-edged sword…
- Scalability European level
- Can only support common denominator

9 Importing eduGAIN SPs
(Diagram: as on slide 6, plus an eduGAIN side holding SPx=ddd, SPy=eee, SPz=fff. SPz is imported into the hub as a further proxied SP, SPz=A-z {IDP2, IDP3}, visible only to the two IDPs listed for it. The existing mappings are unchanged: IDP1=B-1, IDP2=B-2, IDP3=B-3; SP1=A-1 {IDP1, IDP2}, SP2=A-2 {IDP2, IDP3}, SP3=A-3 {all}.)

10 Exporting IDPs
(Diagram: as on slide 9; in addition IDP3=B-3 now appears on the eduGAIN side next to SPx=ddd, SPy=eee, SPz=fff, i.e. the hub publishes its proxy entity B-3 for IDP3 to eduGAIN.)

11 Exporting SPs to eduGAIN
(Diagram: as on slide 10; in addition SP3=SP3 appears on the eduGAIN side, i.e. SP3 is exported under its own identity rather than behind a hub proxy, and an eduGAIN IDP z is shown.)

12 SP auth list (optional)
(Diagram: as on slide 11, with the eduGAIN IDPs IDPx, IDPy and IDPz listed on the eduGAIN side, plus a per-SP auth list box: "Per SP auth list SP3: - IDP1 - IDP2 - IDPz".)

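The proxying and opt-in rules drawn on slides 6 and 9 to 12 can be made concrete in a small model of the hub. The following is an added example, not SURFnet code: the A-n/B-n naming mirrors the diagrams, but the `Hub` class, its method names and the sample data in `example_hub()` are assumptions constructed to reproduce the slide figures.

```python
# Toy model of hub & spoke metadata proxying with eduGAIN opt-in, following
# the SURFfederatie slides. Added example, not SURFnet code: A-n is the
# hub-side proxy entity for an SP, B-n the one for an IdP, as in the diagrams;
# the class layout, function names and sample data are assumptions.
from dataclasses import dataclass, field

ALL = "all"   # the "{all}" marker in the diagrams: every hub IdP may use this SP


def _suffix(name, prefix):
    """'SP1' -> '1', 'IDPz' -> 'z': the part reused in the proxy entity name."""
    if not name.startswith(prefix):
        raise ValueError(f"{name!r} does not start with {prefix!r}")
    return name[len(prefix):]


@dataclass
class Hub:
    """The central federation component; IdPs and SPs only ever see the hub."""
    idps: set = field(default_factory=set)            # internal IdPs
    sps: dict = field(default_factory=dict)           # internal SP -> allowed IdPs, or ALL
    edugain_idps: set = field(default_factory=set)    # IdPs learned from eduGAIN metadata
    imported_sps: dict = field(default_factory=dict)  # eduGAIN SP -> internal IdPs that opted in
    exported_idps: set = field(default_factory=set)   # internal IdPs published to eduGAIN
    exported_sps: set = field(default_factory=set)    # internal SPs published to eduGAIN
    auth_lists: dict = field(default_factory=dict)    # optional per-SP explicit IdP allow-list

    @staticmethod
    def proxy_for_sp(sp):
        """Hub-side entity an IdP sees instead of the SP (SP1 -> A-1, SPz -> A-z)."""
        return "A-" + _suffix(sp, "SP")

    @staticmethod
    def proxy_for_idp(idp):
        """Hub-side entity an SP sees instead of the IdP (IDP1 -> B-1)."""
        return "B-" + _suffix(idp, "IDP")

    def idps_for_sp(self, sp):
        """IdP names the WAYF offers to an SP, after opt-in and auth-list filtering."""
        if sp in self.sps:
            rule = self.sps[sp]
            candidates = set(self.idps) if rule == ALL else set(rule)
            if sp in self.exported_sps:            # exported SPs also reach eduGAIN IdPs
                candidates |= self.edugain_idps
        elif sp in self.imported_sps:
            candidates = set(self.imported_sps[sp])  # only IdPs that opted in to this eduGAIN SP
        else:
            raise KeyError(f"unknown SP {sp!r}")
        if sp in self.auth_lists:                  # a per-SP auth list narrows the default set
            candidates &= set(self.auth_lists[sp])
        return candidates

    def sp_metadata(self, sp):
        """Entities an SP must trust: a B-n proxy per internal IdP; eduGAIN IdPs
        under their own name, because the hub does not proxy that leg."""
        return {self.proxy_for_idp(i) if i in self.idps else i
                for i in self.idps_for_sp(sp)}

    def idp_metadata(self, idp):
        """Entities an IdP must trust: one A-n proxy per SP it may serve,
        internal or imported; the IdP never sees the SP's own entityID."""
        served = {sp for sp in list(self.sps) + list(self.imported_sps)
                  if idp in self.idps_for_sp(sp)}
        return {self.proxy_for_sp(sp) for sp in served}

    def edugain_export(self):
        """What the hub publishes to eduGAIN: exported IdPs behind their B-n
        proxy, exported SPs as themselves (they must speak SAML directly)."""
        return ({self.proxy_for_idp(i) for i in self.exported_idps}
                | set(self.exported_sps))


def example_hub():
    """Constructed sample data reproducing the slide diagrams."""
    return Hub(
        idps={"IDP1", "IDP2", "IDP3"},
        sps={"SP1": {"IDP1", "IDP2"}, "SP2": {"IDP2", "IDP3"}, "SP3": ALL},
        edugain_idps={"IDPx", "IDPy", "IDPz"},
        imported_sps={"SPz": {"IDP2", "IDP3"}},
        exported_idps={"IDP3"},
        exported_sps={"SP3"},
        auth_lists={"SP3": {"IDP1", "IDP2", "IDPz"}},
    )


if __name__ == "__main__":
    hub = example_hub()
    for sp in ("SP1", "SP3", "SPz"):
        print(sp, "WAYF:", sorted(hub.idps_for_sp(sp)),
              "trusts:", sorted(hub.sp_metadata(sp)))
    for idp in ("IDP1", "IDP2", "IDP3"):
        print(idp, "trusts:", sorted(hub.idp_metadata(idp)))
    print("published to eduGAIN:", sorted(hub.edugain_export()))
```

Running it shows the two points the diagrams make. First, every SP only ever holds the hub's B-n entities in its metadata, so an IdP key or certificate change is absorbed at the hub and never reaches the SPs (the "1 connection for IDP/SP" pro on slide 8); the price is that the hub's own metadata changes must be pushed to everyone. Second, opt-in is enforced purely by what the hub hands out: SPz is listed only in the metadata of IDP2 and IDP3, and SP3's auth list cuts its WAYF choices from all three internal IdPs plus all eduGAIN IdPs down to IDP1, IDP2 and IDPz.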

14 Future plans
- Integrate with SURFconext
  - Procedural/organisational
  - Technical (level of integration TBD)
- Change of consent model
  - Opt-in -> Opt-out
  - Addition of User Consent
- Web Service support
  - Needed for (scientific) workflows
- Rich client/beyond web SSO/mobile support
- Rethink procedures/management

15 Remco Poortinga – van Wijnen
remco.poortinga@surfnet.nl
federatie-beheer@surfnet.nl
www.surfnet.nl
Presentation released under Creative Commons http://creativecommons.org/licenses/by/3.0/


17 Backup slides

18 URLs
(C) 2011 SURFnet B.V.
An SP that wants to participate must do SAML (because for this we are not a proxy, as we normally are).
https://wayf.surfnet.nl/federate/surfnet/edugain
2 IDPs: SN & TERENA; 1 SP: TERENA. (The MDS also shows the TERENA IDP via the gateway, with URL encoding instead of SAML scoping (as the WAYF does) -> not everyone implements that, so for interoperability reasons we do it this way.)
It is also possible to generate SP-specific metadata (per SP from our federation) for SPs that do not want to maintain an auth list themselves. It contains the SF IDPs + the 'approved' eduGAIN IDPs.

19 Metadata
https://aai-viewer.switch.ch/interfederation-test/test/
We are currently not saml2int compliant (we treat attributes as 'format unspecified'; according to the spec it must be 'uri').

