Presentation is loading. Please wait.

Presentation is loading. Please wait.

Connect. Communicate. Collaborate The MetaData Service Distributing trust in AAI confederations Manuela Stanica, DFN.

Published byDina Armstrong Modified over 8 years ago

Similar presentations

Presentation on theme: "Connect. Communicate. Collaborate The MetaData Service Distributing trust in AAI confederations Manuela Stanica, DFN."— Presentation transcript:

1 Connect. Communicate. Collaborate The MetaData Service Distributing trust in AAI confederations Manuela Stanica, DFN

2 Connect. Communicate. Collaborate DF Outline What is the MetaData Service (MDS)? Role of a MetaData Service in AAI confederations Use of the MDS in eduGAIN The MDS URLs Publishing and retrieving metadata Trust and security considerations Conclusions

3 Connect. Communicate. Collaborate DF What is the MetaData Service (MDS)? eduGAIN component developed in GN2-JRA5 eduGAIN: the GÉANT2 AAI Support dynamic establishment of trust relations between members of AAI confederation Information model conform to SAML v 2.0 Metadata Specification SAML: Security Assertions Markup Language (OASIS)

4 Connect. Communicate. Collaborate DF Outline What is the MetaData Service (MDS)? Role of a MetaData Service in AAI confederations Use of the MDS in eduGAIN The MDS URLs Publishing and retrieving metadata Trust and security considerations Conclusions

5 Connect. Communicate. Collaborate DF AAI confederation hierarchy AAI confederation  interconnecting AAI federations AAI federation  participant institutions  users –access to external resources & services –unaware of participants in other federations –require procedure of trust establishment between them

6 Connect. Communicate. Collaborate DF AAI confederation hierarchy (2)

7 Connect. Communicate. Collaborate DF Role of metadata Connecting to entities in other federated AAIs – required information: –where (in which federation)? –how to reach ? –what is supported (protocols and functionalities)?  metadata –distribution to all confederation members static (pre-configured upon software installation) dynamic (on request)

8 Connect. Communicate. Collaborate DF Role of a MetaData Service in AAI confederations AAI confederations –non-static environments! –frequent updates  means for dynamic collection & distribution of metadata: MetaData Service (MDS)

9 Connect. Communicate. Collaborate DF Outline What is the MetaData Service (MDS)? Role of a MetaData Service in AAI confederations Use of the MDS in eduGAIN The MDS URLs Publishing and retrieving metadata Trust and security considerations Conclusions

10 Connect. Communicate. Collaborate DF Basic principles Centralised storage of metadata for eduGAIN components Dynamic retrieval & update –metadata exchange interface: eduGAINMeta –based on REST architecture model Distributed publishing & querying –among local federations – no central admin –multiple metadata publishers and consumers

11 Connect. Communicate. Collaborate DF eduGAIN components

12 Connect. Communicate. Collaborate DF Bridging Elements MDS used by Bridging Elements (BEs): –gateways eduGAIN – local federations –communication with peers (BEs) in other federations –query MDS for metadata about Home BE –MDS response: SAML 2.0 Metadata doc –consumers/publishers of metadata

13 Connect. Communicate. Collaborate DF Outline What is the MetaData Service (MDS)? Role of a MetaData Service in AAI confederations Use of the MDS in eduGAIN The MDS URLs Publishing and retrieving metadata Trust and security considerations Conclusions

14 Connect. Communicate. Collaborate DF URL structure Syntax of REST URL mapping: MDS base URL[/federation ID][/entity ID][?query string] Combinations of: –MDS base URL : https://mds.geant2.net/ –federation ID : dfn, feide,... –entity ID : be1 –query string – Home Locator(s) : homeDomain=uio.no

15 Connect. Communicate. Collaborate DF Home Locators eduGAIN specific atribute-value pairs For: locating a remote BE (Home BE) From: –hints provided by user –contents of certificate extensions Types: –Home domain (homeDomain=switch.ch) –URN (urn=urn:geant:edugain:component:be:switch:be1)

16 Connect. Communicate. Collaborate DF Outline What is the MetaData Service (MDS)? Role of a MetaData Service in AAI confederations Use of the MDS in eduGAIN The MDS URLs Publishing and retrieving metadata Trust and security considerations Conclusions

17 Connect. Communicate. Collaborate DF Publishing/ updating Who: metadata publishers –Federation Peering Point (FPP) –authorized Bridging Elements (BEs) What: SAML 2.0 Metadata documents –EntityDescriptor root (  one BE) –EntitiesDescriptor root (  several BEs) How: HTTP POST/PUT

18 Connect. Communicate. Collaborate DF Publishing/ updating (2) For whole federation: –only by FPP –EntitiesDescriptor –URL syntax: http://mds.ladok.umu.se/feide For single entities: –by FPP / authorized BEs –EntityDescriptor –URL syntax: http://mds.ladok.umu.se/switch/be1

19 Connect. Communicate. Collaborate DF Retrieving metadata BE queries MDS via HTTP GET Metadata lookup –entity/federation name is known – http://mds.ladok.umu.se http://mds.ladok.umu.se/switch http://mds.ladok.umu.se/switch/entity1 Metadata search – entity name unknown, home locators – http://mds.ladok.umu.se/?homeDomain=switch.ch

20 Connect. Communicate. Collaborate DF Outline What is the MetaData Service (MDS)? Role of a MetaData Service in AAI confederations Use of the MDS in eduGAIN The MDS URLs Publishing and retrieving metadata Trust and security considerations Conclusions

21 Connect. Communicate. Collaborate DF Trust establishment Elements of trust establishment in eduGAIN: –MDS –eduGAIN PKI –Component identifiers (CIDs) MDS trust tightly bound with eduGAIN PKI  minimal trust in the service itself Transitive trust

22 Connect. Communicate. Collaborate DF Security checks MDS validations: –publisher‘s X.509 certificate –publishing rights Publishers‘ signatures fwd with metadata  validation by consumers

23 Connect. Communicate. Collaborate DF Outline What is the MetaData Service (MDS)? Role of a MetaData Service in AAI confederations Use of the MDS in eduGAIN The MDS URLs Publishing and retrieving metadata Trust and security considerations Conclusions

24 Connect. Communicate. Collaborate DF Conclusions MDS: dynamic metadata distribution in AAI confederations Centralised storage, distributed trust Employes standard SAML 2.0 Metadata Possible use in any SAML-based infrastructure Deployment together with eduGAIN-like PKI

25 Connect. Communicate. Collaborate DF Thank you for your attention! Questions?

Download ppt "Connect. Communicate. Collaborate The MetaData Service Distributing trust in AAI confederations Manuela Stanica, DFN."

Similar presentations

Research Issues in Web Services CS 4244 Lecture Zaki Malik Department of Computer Science Virginia Tech

Research Issues in Web Services CS 4244 Lecture Zaki Malik Department of Computer Science Virginia Tech
CLARIN AAI, Web Services Security Requirements

CLARIN AAI, Web Services Security Requirements
Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.

Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS.

Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Middleware for P2P architecture Jikai Yin, Shuai Zhang, Ziwen Zhang.

Middleware for P2P architecture Jikai Yin, Shuai Zhang, Ziwen Zhang.
Web services security I

Web services security I
Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.

Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.
Connect. Communicate. Collaborate Federation peering à la European The eduGAIN way Diego R. Lopez - RedIRIS.

Connect. Communicate. Collaborate Federation peering à la European The eduGAIN way Diego R. Lopez - RedIRIS.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
To identity federation and beyond! Josh Howlett JANET(UK) HEAnet 2008.

To identity federation and beyond! Josh Howlett JANET(UK) HEAnet 2008.
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.
EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.

EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!

1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!
POAD Distributed System Case Study: A Medical Informatics System Instructor: Dr. Hany H. Ammar Dept. of Computer Science and Electrical Engineering, WVU.

POAD Distributed System Case Study: A Medical Informatics System Instructor: Dr. Hany H. Ammar Dept. of Computer Science and Electrical Engineering, WVU.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
Connect. Communicate. Collaborate First steps in federation peering: eduGAIN and eduroam Diego R. Lopez - RedIRIS.

Connect. Communicate. Collaborate First steps in federation peering: eduGAIN and eduroam Diego R. Lopez - RedIRIS.

Similar presentations

Ads by Google