Presentation is loading. Please wait.

Presentation is loading. Please wait.

Neil Witheridge’s slides

Published byAmberlynn Stokes Modified over 5 years ago

Similar presentations

Presentation on theme: "Neil Witheridge’s slides"— Presentation transcript:

1 Neil Witheridge’s slides
TNC2014 Service Delivery NREN style: Using OpenConext to build service delivery platforms Neil Witheridge’s slides Intro to Neil Witheridge SAML Federation Experience AARNet authentication and authorisation services technical manager eduroam administrative experience (global (GeGC), regional (APAN eduroam federation), national (eduroam AU), institutional (AARNet)) Also participating in Global Federated Infrastructure Delivery, Management and Services Also partnership with AAF 21 May 2014 TNC 2104

2 Topics OpenConext Components & Architecture
AARNet Service Requirements AARNet: eduroam Admin, Cloud Services Deployment Model Use with eduroam Admin Tools Use with Cloud Services Deployment experience Service access requirements: Federated authentication (supporting all customers, whether AAF member or not, SAML-IdP-enabled or not). OpenConext is a SAML proxy, hence is a gateway for AAF member IdPs, non-AAF member IdPs, and using a VHO, non SAML-IdP-enabled users group-aware i.e. using an authenticated user’s group information for group-based functionality and authorisation decision making. OpenConext is able to retrieve an authenticated user’s group information by virtue of its “group proxy” architecture. OpenConext also provides a Grouper-based group management tool. 21 May 2014 TNC 2104

3 OpenConext Components
Architecture SAML Proxy (Engine, config via ServiceRegistry) Group Proxy (API, config via Manage) Group Management (Teams), Group Provider (Grouper-based) Components Engine & Profile ServiceRegistry Mujina IdP and SP API Manage API Playground Teams Grouper OpenConext components: ServiceRegistry (configuration of Engine) Manage (configuration of API) Teams & Grouper API Playground (GUI & utility code on API) Profile (User info and basic user management, GUI on Engine) Behind the scenes: Engine (SAML Proxy) API (Group Proxy) Also not visible from UI: API also provides a “Mock Group Provider”

4 OpenConext Architecture
The OpenConext architecture diagram depicts its two main components, - SAML Proxy (Engine), and - Group Proxy (API) Engine (SAML Proxy) makes use of SAML metadata which is managed by ServiceRegistry (dotted box on right) Group Proxy is managed primarily using the Manage component (dotted box on left) (e.g. configures other Group Providers to be used). Teams (top left) is a GUI front end to Grouper, the built-in Group Provider API implements VOOT protocol (which in turn relies on Open Social API) VOOT supports retrieval of person, a person’s group membership and membership of group (persons in the group). Source:

5 OpenConext Architecture
Cont’d Another view, deployment Illustrates how it can be integrated with an existing national SAML Federation. Both National SAML Federation IdPs + non-National Federation SAML2 IdPs (including a private virtual IdP) can access “conexted” services. Conexted SPs can access group information via OpenConext Group Proxy from internal and external Group Providers (Currently must provide a Grouper or VOOT interface)

6 OpenConext Deployment @ AARNet
Flexible Customer Access Conext SP in AAF Access by AAF IdPs (controlled by AARNet via OpenConext) Inclusion of AARNet Services only SAML IdPs E.g. Schools & TAFEs who only want AARNet Services AARNet Virtual Home Organisation For those institutions without a SAML IdP Flexible Service Delivery Platform Usage Metrics Monitoring Support Access to eduGAIN-enabled Services eduGAIN compatible metadata AARNet Specific requirements: Currently AARNet is delivering or planning to deliver the following services which benefit from OpenConext proxy architecture: (federated access, group-based authorization) eduroam Admin Services (and seeking to contribute to global eduroam admin evolution – see separate paper) (trial SSO access) Cloud services (e.g. box.net and Zoom) OpenConext provides: Flexible access by full range of AARNet customers (SAML-IdP AAF participants & non-AAF participants, non-SAML-IdP customers (via AARNet Virtual Home Organisation)) Flexible service delivery platform (access control, instrumentation for metrics and monitoring, enhanced end-user support services) eduGAIN conformant metadata (in future, if required, global access to service features is feasible)

7 AARNet Services Requirements
AARNet above-the-net services strategy not operators of Australian SAML Federation (see AAF) OpenConext Features sought Group-based access eduroam Administration Services Services behind single “shopfront” (i.e. SAML Proxy) Branding Instrumentation for Monitoring, Metrics, Support Deployment Flexibility National SAML Federation participants SAML capable, not AAF Not SAML capable Two service suites: Eduroam Administration (global ancillary services) Cloud Services access by customers (e.g. Box, Zoom) AARNet is developing an ‘above-the-net’ services strategy for delivery of network-centric services. AARNet participates in the Global NREN CEO Forum What OpenConext provides (by virtue of proxy architecture) Group based access SAML Proxy (integration with AAF, access to AARNet customers not in AAF) unified look & feel across services by presenting them behind a single “AARNet Shopfront”. OpenConext enables AARNet to delivering access flexibly to all customers, and provide instrumentation for monitoring , metrics and support) Examples of potential context’d services: - Global Real-Time Communications: SIP-based telephony and video conferencing, - brokered services (e.g. Net+ and other 3rd-party cloud services), and - existing AARNet services such as the FileSender-based “CloudStor” service. 21 May 2014 TNC 2104

8 eduroam Administration
Deployment Automation (DjNRO) Operability Testing and Auditing Monitoring (monitor.eduroam.org) Metrics Aggregate (F-Ticks) Detailed institutional Support eduroam Configuration Assistant Tool (CAT) Access via eduGAIN Triggered authentications and log visibility New New AARNet is also the national roaming operator (NRO) of eduroam AU. Currently working on a pilot deployment of eduroam administrative services, accessed via the OpenConext SAML+Group proxy Goal of these services is optimal automation of OA&M of the APAN eduroam federation, eduroam AU national federation, and AARNet’s institutional eduroam deployment. Tools will be provided for automating eduroam deployment, operability testing and monitoring, and usage metrics. Strategy for tools adoption is to use those that are delivered and endorsed globally, and which contribute to and make use of the global eduroam database . E.g. DjNRO (eduroam administration tool) monitor.eduroam.org Aggregate metrics (Federation Ticker System (F-Ticks)) eduroam Configuration Assistant Tool (CAT) AARNet will also work with global colleagues on delivery of administrative tools for Detailed institutional metrics Institutional End-User Support tools (triggered authentication and access to logs for diagnostic purposes) eduroam operability testing and auditing New 21 May 2014 TNC 2104

9 eduroam Services Currently Available
DjNRO monitor.eduroam.org F-Ticks eduroam CAT Currently available services intended to be used by AARNet DjNRO (eduroam Admin and contribution to global database) monitor.eduroam.org (global monitoring) F-Ticks (aggregate metrics) CAT (device configuration script generation) 21 May 2014 TNC 2104

10 New eduroam Admin Services
Operability Testing & Auditing, Detailed Institutional Metrics, Institutional Support Tools Requirement for group-based access Institutional Support Tools Detailed Institutional Metrics Currently seeking to deliver (collaboratively globally) automated solutions for: Detailed institutional metrics Institutional end-user support diagnostic tools (triggered authentications, log access) 21 May 2014 TNC 2104

11 Context’d eduroam Admin Services
The architecture to be adopted for delivery of AARNet eduroam administrative services. Mix of services hosted by AARNet, and those hosted globally. Flexible access by AARNet customers: AAF members Non-AAF members with SAML IdPs Not SAML IdP enabled customers (access via AARNet VHO). 21 May 2014 TNC 2104

12 User Management AAF IdPs, AARNet Services only SAML IdPs
OpenConext: Group Management AARNet VHO (SWITCH VHO-based) Current plan is for Interfaces to be provided for customer self-administration of identities in AARNet VHO and AARNet and Customer-self-administration of Groups for Group-based access. 21 May 2014 TNC 2104

13 eduroam Administration
Global eduroam services can be accessed via eduGAIN OpenConext provides eduGAIN compatible metadata out-of-the-box. 21 May 2014 TNC 2104

14 Cloud Services & Global Services
box.net Zoom Global Services Global NREN CEO Forum Initiatives Network Architecture eduGAIN for Global Federated Access (GFIM) GFIDMS (Global Federation Infrastructure Delivery, Management and Services) Real Time Communications SIP-based communications Global Services Delivery AARNet will also trial SSO access to Cloud Services (Currently box.net and Zoom trialed and planning to be provided by AARNet). Global Services from Global NREN CEO Forum Initiatives Relevant related activies are: Global Federated Infrastructure Real-Time Communications (SIP-based) Services arising from Global Services Delivery initiative. 21 May 2014 TNC 2104

15 Cloud Service: Box Example of OpenConext access to box.net delivered by AARNet. 21 May 2014 TNC 2104

16 OpenConext Deployment Experience
Note, using Version 62 from OpenConext VM Configuration & Upgrade Certificate Management & Roll-over Integration with AAF Attribute requirements & primary identifier Importing metadata from AAF aggregate list General Localisation, GUI Customisation SP Development & Group-based authZ Java, PHP, Python libraries Deployment is relatively straight forward Providing feedback to SURFnet re areas that AARNet sees as important Certificate management Localisation Integration with existing National SAML Federation Power of proxy architecture is evident Also development of service interfaces in various popular languages (Java, PHP, Python). 21 May 2014 TNC 2104

Download ppt "Neil Witheridge’s slides"

Similar presentations

Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.

Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.
AARNet Copyright 2013 Network Operations OpenConext Workshop Down-Under Enabling Federated Team Management, Group-Aware SPs, and SP Shop-Fronts Neil Witheridge,

AARNet Copyright 2013 Network Operations OpenConext Workshop Down-Under Enabling Federated Team Management, Group-Aware SPs, and SP Shop-Fronts Neil Witheridge,
Widely Distributed Access Management Tom Barton University of Chicago.

Widely Distributed Access Management Tom Barton University of Chicago.
AARNet Copyright 2011 Network Operations OpenConext Workshop Down-Under Enabling Federated Team Management, Group-Aware SPs, and SP Shop-Fronts Neil Witheridge,

AARNet Copyright 2011 Network Operations OpenConext Workshop Down-Under Enabling Federated Team Management, Group-Aware SPs, and SP Shop-Fronts Neil Witheridge,
AAF Middleware update February16 2012 Presented by Terry Smith Technical Manager and Heath Marks Manager.

AAF Middleware update February Presented by Terry Smith Technical Manager and Heath Marks Manager.
123456789101112…. PrePlanPrepareMigratePost Pre- Deployment PlanPrepareMigrate Post- Deployment First Mailbox.

…. PrePlanPrepareMigratePost Pre- Deployment PlanPrepareMigrate Post- Deployment First Mailbox.
Neil Witheridge APAN29 Sydney February 2010 ARCS Authorisation Services Neil Witheridge Manager, ARCS Authorisation Services APAN29, Sydney, February 2010.

Neil Witheridge APAN29 Sydney February 2010 ARCS Authorisation Services Neil Witheridge Manager, ARCS Authorisation Services APAN29, Sydney, February 2010.
Real Life Solution, Real Life Problems: A-Select, An Open Source Federated Identity Management Solution An Identity 1.0 story Maarten Koopmans SURFnet,

Real Life Solution, Real Life Problems: A-Select, An Open Source Federated Identity Management Solution An Identity 1.0 story Maarten Koopmans SURFnet,
NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.

NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.
Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.

Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.
Workforce Scheduling Release 5.0 for Windows Implementation Overview OWS Development Team.

Workforce Scheduling Release 5.0 for Windows Implementation Overview OWS Development Team.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Connect communicate collaborate Trust & Identity EC meets GÉANT 19 June 2014 Brussels Valter Nordh, NORDUnet Federation as a Service Task Leader Trust.

Connect communicate collaborate Trust & Identity EC meets GÉANT 19 June 2014 Brussels Valter Nordh, NORDUnet Federation as a Service Task Leader Trust.
Www.eudat.eu b2access.eudat.eu B2ACCESS The simple and secure authorisation and authentication platform of EUDAT This work is licensed under the Creative.

b2access.eudat.eu B2ACCESS The simple and secure authorisation and authentication platform of EUDAT This work is licensed under the Creative.
Networks ∙ Services ∙ People www.geant.org Marina Adomeit FIM4R meeting Virtual Organisation Platform as a Service VOPaaS Nov 30, 2015, Austria Task Leader,

Networks ∙ Services ∙ People Marina Adomeit FIM4R meeting Virtual Organisation Platform as a Service VOPaaS Nov 30, 2015, Austria Task Leader,
Federated Identity Fundamentals Ann Harding, SWITCH Cambridge July 2014.

Federated Identity Fundamentals Ann Harding, SWITCH Cambridge July 2014.
Facing the challenge of relevance Erwin Bleumink 4 June 2013 TNC13.

Facing the challenge of relevance Erwin Bleumink 4 June 2013 TNC13.
Networks ∙ Services ∙ People www.geant.org Mandeep Saini TNC15, Porto, Portugal Virtual organisation Authorisation Management Practices in Research and.

Networks ∙ Services ∙ People Mandeep Saini TNC15, Porto, Portugal Virtual organisation Authorisation Management Practices in Research and.
INTRODUCTION TO IDENTITY FEDERATIONS Heather Flanagan, NSRC.

INTRODUCTION TO IDENTITY FEDERATIONS Heather Flanagan, NSRC.

Similar presentations

Ads by Google