SURFfederatie & SURFconext
Federated identity system for scientific collaborations
9-10 June 2011, CERN
Remco Poortinga – van Wijnen*, SURFnet
*with input from a lot of others
SURFnet. We make innovation work

Overview
- SURFfederatie
  - In 3 slides
- SURFconext
  - Background
  - Features
  - Architecture
  - Services
  - TBD/Future development
Federation Models
- Business: SAML 1.x
  - de-facto
  - NxN ('distributed')
  - Shared trust, point-to-point
- Education (US/Europe): Shibboleth
  - 2xN ('hub-and-spoke')
  - Central gateway (CFC)
  - Protocol translation
  - Attribute filtering & enrichment
  - Easier configuration for IdPs
[Diagram: IdP/SP pairs connected point-to-point (NxN) versus IdPs and SPs connected through the CFC (hub-and-spoke)]
SURFfederatie Functional View
[Diagram: Identity Providers (A-Select Cross, Shibboleth, SAML 2.0, WS-Fed / ADFS) and Service Providers (SAML 2.0, WS-Fed / ADFS) connected through the Central Federation Components (SURFfederatie CORE); Applications; Credentials]
Some numbers
- IdPs (79)
  - 36 SAML
  - 30* WS-Federation (ADFS)
    - (* 8 proxied)
  - 13 A-Select
- SPs (55+)
  - Google apps, foodle, CLARIN (7), several publishers, libraries, webshops, SURFconext, …
- ≈ 700k users
- (Technically) connected to eduGAIN
SURFconext: some background
- Goal of SURFnet is to enable collaboration
  - Across (institutional) borders
- Used to be done by the SURFgroepen service
  - Sharepoint
  - User defined groups/spaces
- But:
  - Monolithic
  - No domestication (then)
  - Single (specific) service, no choice
  - No way to extend groups to other services
    - (exception: AdobeConnect)
SURFconext
- Allow users from different institutions to work together using their own preferred combination of tools
  - Using groups across services
  - Using SURFfederatie (trust, identities, attributes)
SURFconext platform features
- IdP and SP (SAML 2.0) proxy
- Group Relation Provider(s)
- IdP and SP and OAuth registry
- OpenSocial 'Gadgets' for GUI handling
- OpenSocial 'Social Data' API
- VO Registry, VO IdP
- Uses OSS components where possible
  - Apache Shindig – OpenSocial Container
  - Apache Rave (incubator) – OpenSocial Portal
  - Corto – IdP/SP proxy
  - Janus – (SP/IdP Metadata) registry
- Is Open Source itself
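The hub-and-spoke gateway's "attribute filtering & enrichment" (Federation Models slide) and the SURFconext IdP/SP proxy with its Group Relation Provider (this slide), as an added example that is not code from the original deck, from Corto or from SURFconext: a minimal hub that enriches the home IdP's attributes with group memberships and then applies a per-SP attribute release policy, deny by default. The SP entity IDs, the release policy, the group data and the group URN format are constructed for the example.

```python
# Standard attribute names from the urn:mace:dir:attribute-def namespace.
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
MAIL = "urn:mace:dir:attribute-def:mail"
DISPLAY_NAME = "urn:mace:dir:attribute-def:displayName"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
IS_MEMBER_OF = "urn:mace:dir:attribute-def:isMemberOf"

# Constructed attribute release policy (the hub's per-SP view of the registry).
# An SP that is not registered gets nothing; a registered SP gets only what is listed.
RELEASE_POLICY = {
    "https://wiki.example.org/sp": {EPPN, DISPLAY_NAME, IS_MEMBER_OF},
    "https://webshop.example.org/sp": {EPPN},
}

# Constructed Group Relation Provider data, keyed by eduPersonPrincipalName.
# The group URNs are made up for this example.
GROUPS = {
    "alice@uni-a.example": [
        "urn:collab:group:surfteams:project-x",
        "urn:collab:group:surfteams:project-y",
    ],
}


class UnknownServiceProvider(ValueError):
    """SP not in the registry: the hub must not forward any assertion to it."""


def proxy_attributes(sp_entity_id, idp_attributes, policy=RELEASE_POLICY, groups=GROUPS):
    """Return the attributes the hub forwards to sp_entity_id.

    idp_attributes: multi-valued attributes as asserted by the user's home IdP,
    e.g. {EPPN: ["alice@uni-a.example"], MAIL: [...]}. The input is not mutated.
    Enrichment runs first (isMemberOf from the group provider), filtering second,
    so groups only reach an SP whose policy explicitly allows isMemberOf.
    """
    if sp_entity_id not in policy:
        raise UnknownServiceProvider(sp_entity_id)
    enriched = {name: list(values) for name, values in idp_attributes.items()}
    for principal in idp_attributes.get(EPPN, []):
        memberships = groups.get(principal, [])
        if memberships:
            enriched.setdefault(IS_MEMBER_OF, []).extend(memberships)
    allowed = policy[sp_entity_id]
    return {name: values for name, values in enriched.items() if name in allowed}
```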
SURFconext architecture
[Architecture diagram]
SURFconext services
- Confluence
- Alfresco
- Liferay
- WebEx
- BigBlueButton
- Sympa
- Lobber
- …
What’s missing/TBD?
- Group Management across boundaries
  - NREN and/or VO-platform boundary
  - On the agenda of GN3-JRA3-T2
- Production ready VO support
  - Group Management in the context of a VO
  - virtualIDP for services supporting only a single IdP endpoint (Google apps etc.)
- Roles and Rights
  - Roles in group management ≠ roles in services
- Service usage (licenses for guest users)
Questions?
Backup slides
OpenSocial - overview
[Diagram: Apps, Virtual Organization, Consumers, 'Social Network' (SURFteams)]
SURFconext & eduGAIN
[Diagram: SURFconext/Corto (VOs, Groups, Service, IdP, SP, Guest IdP) connected to eduGAIN and to SURFfederatie (IdPs and SPs); Service]