SURFfederatie: implementing a multi-protocol federation
Hans Zandbelt & Joost van Dijk, SURFnet. June 9, 2009


SURFnet. We make innovation work
Slide 1: Overview
- Identity Federation Models
- SURFfederatie gateway
- Implementation/Deployment
- Features/Experiences
- SURFnet Service Provider
- Conclusion

Slide 2: Federation Models
- Business: SAML 1.x, de facto; NxN; shared trust, point-to-point
- Education (US/Europe): Shibboleth
- 2xN
- Central gateway (CFC)
- Protocol translation
- SURFfederatie: SURFnet = CFC, IdP, SP
(Diagram: IdP/SP pairs, each connected through the central CFC.)

Slide 3: Functional View
(Diagram.) The Identity Providers, holding the credentials, connect to the SURFfederatie core (the Central Federation Components) over A-Select Cross, Shibboleth, SAML 2.0 or WS-Federation/ADFS; the core connects to the Service Providers' applications over the same set of protocols.

Slide 4: Authentication Redirect Flow
(Sequence diagram with the user's browser, the SP's web service, the SFS (SURFfederatie server) and the IdP with its authentication backend.)
1. The browser requests the web service at the SP.
2. The SP sends an authentication request (SSO 1 request) via the browser to the SFS.
3. The SFS issues its own authentication request (SSO 2 request) via the browser to the IdP.
4. The IdP authenticates the user against its backend (LDAP/RADIUS/...) and obtains the access decision and attributes.
5. The IdP returns the SSO 2 response to the SFS.
6. The SFS translates it into the SSO 1 response for the SP.
7. The SP returns the authentication response to the browser.
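The flow above, as an added example in Python (not phpFederate or PingFederate code, and Python rather than the deck's PHP). It shows what the SFS has to get right at steps 3 and 6: keep a single-use record of every SSO 2 request it issued, accept an IdP response only if it answers such a record and is signed by the IdP that was asked, and then re-issue the result under its own signature for the SP. Entity IDs, keys and the user database are constructed; an HMAC-SHA256 over canonical JSON stands in for the XML signature each party would apply.

```python
"""Hub-and-spoke authentication flow through the gateway (SFS).
Added example, not phpFederate/PingFederate code. Messages are dicts; an
HMAC-SHA256 over their canonical JSON stands in for XML signatures."""
import hashlib
import hmac
import json
import secrets

GATEWAY = "gateway.example"   # the SFS: the only SP an IdP sees, the only IdP an SP sees
# Constructed signing keys, one per party (certificates in a real deployment).
KEYS = {"sp.example.org": b"sp-key", GATEWAY: b"gateway-key", "idp.example.edu": b"idp-key"}

def _canonical(msg):
    return json.dumps({k: v for k, v in msg.items() if k != "sig"},
                      sort_keys=True, separators=(",", ":")).encode()

def sign(issuer, msg):
    msg = dict(msg, issuer=issuer)
    msg["sig"] = hmac.new(KEYS[issuer], _canonical(msg), hashlib.sha256).hexdigest()
    return msg

def verify(msg, expected_issuer):
    # True only if msg names expected_issuer and carries that party's valid signature.
    if expected_issuer not in KEYS or msg.get("issuer") != expected_issuer:
        return False
    mac = hmac.new(KEYS[expected_issuer], _canonical(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, msg.get("sig", ""))

class ServiceProvider:
    def __init__(self, entity_id):
        self.entity_id, self.outstanding = entity_id, set()

    def sso1_request(self):          # steps 1-2: browser hits the SP, SP starts SSO 1
        rid = secrets.token_hex(16)
        self.outstanding.add(rid)
        return sign(self.entity_id, {"id": rid})

    def accept(self, resp):          # step 7: only the gateway's answer to our own request counts
        if not verify(resp, GATEWAY) or resp.get("destination") != self.entity_id:
            raise ValueError("not signed by the gateway or not addressed to this SP")
        if resp.get("in_response_to") not in self.outstanding:
            raise ValueError("no outstanding request for this response")
        self.outstanding.discard(resp["in_response_to"])
        return resp["attributes"]

class IdentityProvider:
    def __init__(self, entity_id, backend):
        self.entity_id, self.backend = entity_id, backend   # backend stands in for LDAP/RADIUS

    def sso2_response(self, req, username, password):       # steps 4-5
        if not verify(req, GATEWAY):
            raise ValueError("SSO 2 request not from the gateway")
        account = self.backend.get(username)
        if account is None or not hmac.compare_digest(account["password"], password):
            raise PermissionError("authentication failed")
        return sign(self.entity_id, {"in_response_to": req["id"], "subject": username,
                                     "attributes": account["attributes"]})

class Gateway:
    def __init__(self):
        # Pending SSO 2 requests, single use. With several nodes behind round-robin DNS
        # this must be shared state: the IdP's response may arrive at another node.
        self.pending = {}

    def sso1_request(self, req, idp_entity_id):   # step 3: issue the gateway's own request
        if not verify(req, req.get("issuer")):
            raise ValueError("SSO 1 request not signed by a known SP")
        sso2_id = secrets.token_hex(16)
        self.pending[sso2_id] = {"sp": req["issuer"], "sso1_id": req["id"], "idp": idp_entity_id}
        return sign(GATEWAY, {"id": sso2_id, "destination": idp_entity_id})

    def sso2_response(self, resp):                # step 6: correlate, translate, re-sign
        state = self.pending.pop(resp.get("in_response_to"), None)
        if state is None:
            raise ValueError("unsolicited or replayed IdP response")
        if not verify(resp, state["idp"]):
            raise ValueError("response not signed by the IdP that was asked")
        # Subject and attributes pass through as issued; the SP validates only the
        # gateway's signature, which is what makes the operator the trusted third party.
        return sign(GATEWAY, {"in_response_to": state["sso1_id"], "destination": state["sp"],
                              "subject": resp["subject"], "attributes": resp["attributes"]})

def run_flow(password="correct horse battery"):
    # One login; returns the gateway, the IdP's response and what the SP accepted.
    sp, gw = ServiceProvider("sp.example.org"), Gateway()
    idp = IdentityProvider("idp.example.edu", {"alice": {          # constructed backend
        "password": "correct horse battery",
        "attributes": {"mail": "alice@example.edu", "eduPersonAffiliation": "student"}}})
    req2 = gw.sso1_request(sp.sso1_request(), idp.entity_id)
    resp2 = idp.sso2_response(req2, "alice", password)
    return gw, resp2, sp.accept(gw.sso2_response(resp2))

def replay_is_rejected():
    # Delivering the same IdP response twice fails: its pending entry is already consumed.
    gw, resp2, _ = run_flow()
    try:
        gw.sso2_response(resp2)
    except ValueError:
        return True
    return False
```

The `pending` dictionary is the state that slide 6's memcached shares between nodes: with round-robin DNS the IdP's response can land on a different node than the one that created the request. Popping the entry makes the correlation single-use, so a replayed or unsolicited IdP response is refused before any attribute reaches the SP.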

Slide 5: Deployment View
(Diagram.) Three servers (server1, server2, server3), each running phpFederate and PingFederate, with PingFederate management and failover between them. The hostnames wayf.surfnet.nl and sfs.surfnet.nl are served by round-robin DNS.

Slide 6: Server Node
- apache2 with mod_fcgid and php5_cgi, running phpFederate
- memcached (state sharing between nodes)
- mysql (logging)
- sendmail (error reporting)
- heartbeat2 (failover)
- PingFederate

Slide 7: Connections
- Federation protocols
  - IdP side: SAML 2.0 (5), ADFS (15), A-Select (10)
  - SP side: SAML 2.0 (5), Shibboleth 1.3 (5), A-Select (3)
- Federation products: Microsoft ADFS, Shibboleth (1/2), A-Select, Novell Access Manager, simpleSAMLphp, Oracle IdM, PingFederate

Slide 8: Implementation
- PHP: implementation programming language; metadata/configuration store; configuration and processing language; provisioning tool
- Provisions connections to PingFederate
- Federates connections transparently across protocols (unlike simpleSAMLphp); caveat: identifiers
- IdPs "see" one SP (the gateway); SPs "see" one IdP (the gateway) or all IdPs
- IdP ARPs (attribute release policies): configured filters enforced by the SURFfederatie gateway
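An added example (Python, not the gateway's PHP) of the two gateway-side points on this slide, the identifier caveat and the ARP filter. Because each IdP sees only the gateway as its SP, a persistent or targeted identifier the IdP issues is computed for the gateway's entity ID; forwarded unchanged it would be identical at every SP and let SPs correlate users. The gateway therefore derives a per-SP pseudonym with a keyed hash, and releases attributes per (IdP, SP) pair with default deny. The entity IDs, the secret and the ARP table are constructed.

```python
"""Per-SP identifiers and attribute release at the gateway.
Added example, not phpFederate code; entity IDs, secret and ARP are constructed."""
import hashlib
import hmac

PAIRWISE_SECRET = b"constructed-gateway-pairwise-secret"   # per-deployment, never shared

# The IdP's attribute release policy as configured at the gateway, keyed (IdP, SP).
ARP = {
    ("idp.example.edu", "mail.example.org"): {"mail", "displayName"},
    ("idp.example.edu", "stats.example.org"): {"eduPersonAffiliation"},
}

def pairwise_id(idp, sp, idp_nameid):
    """Stable for one (IdP, user, SP) triple, different per SP, not reversible."""
    # Length-prefix each field instead of joining with a separator so that no
    # combination of entity IDs and name IDs can produce the same input bytes.
    data = b"".join(len(s).to_bytes(2, "big") + s.encode() for s in (idp, sp, idp_nameid))
    return hmac.new(PAIRWISE_SECRET, data, hashlib.sha256).hexdigest()[:32]

def release(idp, sp, idp_nameid, idp_attributes):
    """What the gateway forwards to sp for a user asserted by idp."""
    allowed = ARP.get((idp, sp), set())     # default deny: no ARP entry, no attributes
    return {
        "subject": pairwise_id(idp, sp, idp_nameid),
        "attributes": {k: v for k, v in idp_attributes.items() if k in allowed},
    }

def demo():
    # Constructed: what the IdP sent the gateway for one user. The name ID is the
    # IdP's targeted identifier, scoped to the gateway, so it must not be forwarded.
    nameid = "gw-scoped-targetedid-9f3a"
    attrs = {"mail": "alice@example.edu", "displayName": "Alice",
             "eduPersonAffiliation": "student", "uid": "alice"}
    return {
        "mail": release("idp.example.edu", "mail.example.org", nameid, attrs),
        "stats": release("idp.example.edu", "stats.example.org", nameid, attrs),
        "unknown": release("idp.example.edu", "unknown.example.org", nameid, attrs),
    }
```

Two SPs get different subjects for the same user, the same SP gets the same subject on every login, an SP without an ARP entry gets no attributes at all, and the IdP's own `uid` never leaves the gateway because no ARP entry lists it.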

Slide 9: Features
- Pure stateless switch vs. stateful processing gateway
- Transparent vs. single point of entry
- Detailed and accurate logging/statistics
- ARP and ACLs implemented in PHP
- To be done: attribute processing/enrichment
- SP-"personalized" IdP discovery and authorisation
- Limited SP access for IdPs
- eduGAIN, OpenID, InfoCard
- Optional: management APIs for members (IaaS) covering metadata/configuration, ARP and IdP/SP authorisation

Slide 10: Experiences
- Multi-protocol support speeds up institutional deployment: it fits the institution's own ICT environment (Microsoft rather than Java)
- Identity-as-a-Service: service-provider issues (metadata updates, attribute release policies) are handled by the federation on behalf of the IdPs
- SAML 2.0 implementations are hard (specs, products, knowledge), so SP take-up is slow
- Scalability is OK, up to national level
- The trust model of a centralized federation is functionally equivalent to that of a distributed federation: in both the federation operator is the trusted third party, signing the responses in the gateway model and signing the metadata in the distributed model

Slide 11: Future Developments
- Web services (the gateway as a WS-Trust STS)
- Cross-layer identity (unified SSO)
- Identity-as-a-Service extensions
- User-centric privacy extensions: user consent
- Geneva
- SURFnet services: OpenID
- Confederations: Kennisnet, eduGAIN

Slide 12: SURFnet Service Provider
- SURFnet plays three roles in the SURFfederatie:
  - federation operator, running the gateway
  - IdP, for SURFnet employees
  - SP, for services offered by SURFnet to federation members
- Services are connected via a proxy
- The proxy runs phpFederate

Slide 13: SURFnet Service Provider
(Diagram: the SURFnet Service Provider proxy acts as an SP towards the SURFfederatie gateway and as an IdP towards the services SURFmedia, SURFmailfilter and SURFdomeinen.)

Slide 14: Proxy benefits
- Protocol translation: hook up any service using A-Select, Shibboleth, SAML or WS-Federation
- Centralize features needed by all services:
  - access control
  - attribute enrichment
  - guest access to selected services
  - migrating user data when users switch identity

Slide 15: Guest access
(Diagram: next to its SURFfederatie IdP connection, the SURFnet Service Provider proxy has a guest IdP; both reach SURFmedia, SURFmailfilter and SURFdomeinen through the proxy.)

Slide 16: Attribute enrichment
(Diagram: the proxy combines the attributes received from the SURFfederatie IdP with attributes from a local attribute database before passing them on to SURFmedia, SURFmailfilter and SURFdomeinen.)
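An added example (Python, not the proxy's phpFederate code) that puts together the proxy features of slides 14 to 16: a per-service ACL that limits guest identities to selected services, a per-source trust policy so that a guest IdP cannot assert an institutional affiliation, enrichment from a local attribute database that fills in what the IdP does not assert without overriding what it does, and the identity migration that keeps a user's local uid when they switch from a guest to an institutional login. The service names are from the slides; the ACL, trust policy, attribute database and identities are constructed.

```python
"""SURFnet Service Provider proxy: ACL, guest access, enrichment, identity migration.
Added example, not the proxy's phpFederate code; all tables below are constructed."""

# Which identity sources may reach which service (guest access to selected services only).
SERVICE_ACL = {
    "SURFmedia": {"federation", "guest"},
    "SURFmailfilter": {"federation"},
    "SURFdomeinen": {"federation"},
}

# Attributes each source is trusted to assert. A guest IdP may say who you are,
# but not which institution you belong to.
TRUSTED_ATTRIBUTES = {
    "federation": {"mail", "displayName", "eduPersonAffiliation", "schacHomeOrganization"},
    "guest": {"mail", "displayName"},
}

# Local attribute database keyed on the proxy's own stable user id. The stale 'mail'
# entry shows that the local database must not override what the IdP asserts.
ATTRIBUTE_DB = {
    "u-1001": {"role": "media-editor", "mail": "stale@example.org"},
}

class ServiceProxy:
    def __init__(self):
        self.identity_map = {}   # (source, issuer, subject) -> stable local uid
        self.next_uid = 1001

    def local_uid(self, source, issuer, subject):
        key = (source, issuer, subject)
        if key not in self.identity_map:
            self.identity_map[key] = f"u-{self.next_uid}"
            self.next_uid += 1
        return self.identity_map[key]

    def migrate_identity(self, old_key, new_key):
        """User switches identity (e.g. guest account to institutional login): the new
        federated identity inherits the old local uid, so services keep the user's data."""
        self.identity_map[new_key] = self.identity_map.pop(old_key)

    def login(self, service, source, issuer, subject, asserted):
        if source not in SERVICE_ACL.get(service, set()):
            raise PermissionError(f"{source} identities may not access {service}")
        uid = self.local_uid(source, issuer, subject)
        trusted = {k: v for k, v in asserted.items() if k in TRUSTED_ATTRIBUTES[source]}
        # Enrichment: the local database supplies what the IdP did not (or may not)
        # assert; trusted IdP attributes take precedence over local values.
        return {"uid": uid, "attributes": {**ATTRIBUTE_DB.get(uid, {}), **trusted}}

def demo():
    proxy = ServiceProxy()
    guest = ("guest", "openid.example.net", "alice.blog")           # constructed identities
    inst = ("federation", "idp.example.edu", "pairwise-7c1e")
    # Guest login to SURFmedia: allowed, but the claimed affiliation is not trusted.
    first = proxy.login("SURFmedia", *guest,
                        {"mail": "alice@example.net", "eduPersonAffiliation": "staff"})
    try:
        proxy.login("SURFmailfilter", *guest, {"mail": "alice@example.net"})
        guest_denied = False
    except PermissionError:
        guest_denied = True
    # The user later gets an institutional account; their SURFmedia data must follow.
    proxy.migrate_identity(guest, inst)
    second = proxy.login("SURFmailfilter", *inst,
                         {"mail": "alice@example.edu", "eduPersonAffiliation": "staff"})
    return {"first": first, "guest_denied": guest_denied, "second": second}
```

In `demo()` the guest login keeps its local role from the database but loses the self-asserted affiliation, the guest is refused at SURFmailfilter, and after migration the institutional login lands on the same `u-1001` with the IdP's mail replacing the stale local value.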

Slide 17: Current developments
- OpenID gateway:
  - SURFnet SP as OpenID RP (guest access)
  - SURFfederatie as OpenID Provider (requires user consent)
- Federated groups: join people from multiple IdPs into groups; centrally managed; across multiple services
- Federated directory
- Step-up authentication (introduce a second factor):
  - OTP per SMS
  - Mobile PKI (authentication using a private key on the SIM)

Slide 18: OpenID protocol handler
(Diagram: the SURFnet Service Provider proxy adds an OpenID RP next to its SURFfederatie IdP connection, so users of an external OpenID Provider can reach SURFmedia, SURFmailfilter and SURFdomeinen.)

Slide 19: Mobile PKI
(Diagram only.)

Slide 20: Conclusions
- Rapid deployment: users
- From gateway towards Identity-as-a-Service
- Outlook: from content used once a month towards hosted web applications used every day