June 9, 2009 SURFfederatie: implementing a multi-protocol federation. Hans Zandbelt & Joost van Dijk, SURFnet.

Presentation transcript:

1 June 9, 2009 SURFfederatie: implementing a multi-protocol federation. Hans Zandbelt & Joost van Dijk, SURFnet

2 Overview
SURFnet. We make innovation work
- Identity Federation Models
- SURFfederatie gateway
- Implementation/Deployment
- Features/Experiences
- SURFnet Service Provider
- Conclusion

3 Federation Models
- 1-1
  - Business: SAML 1.x
  - de-facto
- NxN
  - Shared trust, point-to-point
  - Education: US/Europe
  - Shibboleth
- 2xN
  - Central gateway (CFC)
  - Protocol translation
  - SURFfederation: SURFnet = CFC, IDP, SP
[Diagram: each IDP/SP pair connected through the central CFC rather than to each other]

4 Functional View
[Diagram: Identity Providers (credentials) on one side and Service Providers (applications) on the other, joined through the SURFfederatie core of Central Federation Components; protocols spoken on each side: A-Select Cross, Shibboleth, SAML 2.0, WS-Fed / ADFS]

5 Authentication Redirect Flow
[Sequence diagram with the browser, the SP (web service), SFS (the SURFfederatie gateway), the IDP and its authentication backend (LDAP/Radius/..). Messages in order: request, auth request, SSO 1 request, SSO 2 request, backend lookup returning access & attributes, SSO 2 response, SSO 1 response, auth response. SSO 1 is the protocol on the SP side and SSO 2 the protocol on the IDP side; SFS translates between the two.]

6 Deployment View
[Diagram: server1, server2 and server3 running phpFederate, PingFederate and PingFederate management (PingFed/Mgmt) with failover; wayf.surfnet.nl and sfs.surfnet.nl served via round-robin DNS]

7 Server Node
- apache2, mod_fcgid, php5_cgi
- phpFederate
- memcached (state sharing)
- mysql (logging)
- sendmail (error reporting)
- heartbeat2 (failover)
- pingFederate

8 Connections
- Federation Protocols
  - IDP: SAML 2.0 (5), ADFS (15), A-Select (10)
  - SP: SAML 2.0 (5), Shibboleth 1.3 (5), A-Select (3)
- Federation Products
  - Microsoft ADFS, Shibboleth (1/2), A-Select, Novell Access Manager, simpleSAMLphp, Oracle IdM, PingFederate

9 Implementation
- PHP:
  - implementation programming language
  - metadata/configuration store
  - configuration and processing language
  - provisioning tool
- Provision connections to PingFederate
- Federated connections are transparent across protocols (unlike simpleSAMLphp); caveat: identifiers
- IDPs "see" 1 SP; SPs "see" 1 or all IDPs
- IDP ARPs (attribute release policies): a configured filter applied by the SURFfederatie gateway

10 Features
- Pure stateless switch vs. stateful processing gateway
- Transparent vs. single-point-of-entry
- Detailed and accurate logging/statistics
- ARP and ACLs implemented in PHP
- TBD: attribute processing/enrichment…
- SP "personalized" IDP discovery and authorisation
- Limited SP access for IDPs
- EduGAIN, OpenID, InfoCard
- Optional: management APIs for members (IaaS)
  - Metadata/configuration
  - ARP, IDP/SP authorisation
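The redirect flow (slide 5), the ARP/ACL filtering and the identifier caveat (slide 9) and the stateful-gateway feature (slide 10) fit together in one piece of gateway logic. The following is an added illustration written for this transcript in Python; it is not phpFederate or PingFederate code, and every entity ID, claim URI, policy entry and the pairwise key are made up for the example. Relay state lives in a dict where the deployment uses memcached; the SP side speaks SAML 2.0 and the IDP side WS-Fed/ADFS, two of the protocols the deck lists. Deriving a per-SP pairwise identifier is one way of handling the identifier caveat; the slides do not say which scheme SURFfederatie used.

```python
"""Added example (not phpFederate/PingFederate code): a model of the stateful
gateway from slides 5, 9 and 10. Relay state is kept per request while a SAML
2.0 SP request is turned into a WS-Fed (ADFS) request and back; the gateway
enforces the SP->IDP ACL and the IDP's ARP, translates claim names, and
derives a per-SP pairwise identifier because every IDP sees only one SP.
Entity IDs, claim URIs, policies and the key are constructed."""
import hashlib
import hmac
import secrets
import time

SP = "https://sp.example.org"            # constructed SAML 2.0 SP
IDP = "https://adfs.uni.example"         # constructed WS-Fed / ADFS IDP
GATEWAY_ID = "urn:gateway"               # how the gateway names itself to IDPs
UPN = "http://schemas.xmlsoap.org/claims/upn"
AFFILIATION = "http://schemas.xmlsoap.org/claims/affiliation"
MAIL = "http://schemas.xmlsoap.org/claims/mail"

SP_IDP_ACL = {SP: {IDP}}                        # which IDPs each SP may use
IDP_ARP = {IDP: {SP: {"upn", "affiliation"}}}   # what the IDP releases per SP; mail withheld
CLAIM_TO_SAML = {UPN: "upn", AFFILIATION: "affiliation", MAIL: "mail"}
PAIRWISE_KEY = b"gateway-secret-for-example-only"   # assumption: secret held by the gateway only
STATE_TTL = 300                                     # seconds a relay state stays valid


def pairwise_id(idp, sp, idp_subject):
    """Per-SP identifier derived from the IDP's subject: two SPs behind the
    gateway cannot correlate a user by NameID (constructed scheme)."""
    msg = f"{idp}|{sp}|{idp_subject}".encode()
    return hmac.new(PAIRWISE_KEY, msg, hashlib.sha256).hexdigest()


class Gateway:
    def __init__(self, clock=time.time):
        self.state = {}       # relay-state store; memcached in the real deployment
        self.clock = clock

    def handle_sp_request(self, sp, idp):
        """SP -> gateway (SSO protocol 1: SAML 2.0 AuthnRequest naming `idp`).
        Returns the WS-Fed sign-in request sent on to the IDP (SSO protocol 2)."""
        if idp not in SP_IDP_ACL.get(sp, set()):
            raise PermissionError(f"{sp} may not use {idp}")
        rid = secrets.token_urlsafe(16)
        self.state[rid] = {"sp": sp, "idp": idp, "issued": self.clock()}
        # wtrealm is the gateway itself: the IDP sees one SP. wctx carries our state key.
        return {"wa": "wsignin1.0", "wtrealm": GATEWAY_ID, "wctx": rid}

    def handle_idp_response(self, wctx, issuer, claims):
        """IDP -> gateway (SSO protocol 2 response; `claims` maps claim URI -> value).
        Returns the SAML-style response for the SP that started the flow."""
        st = self.state.pop(wctx, None)          # one-shot: a replayed wctx finds nothing
        if st is None:
            raise ValueError("unknown or already used relay state")
        if self.clock() - st["issued"] > STATE_TTL:
            raise ValueError("relay state expired")
        if issuer != st["idp"]:
            raise ValueError("response issuer does not match the requested IDP")
        if UPN not in claims:
            raise ValueError("IDP response carries no identifier claim")
        released = IDP_ARP.get(issuer, {}).get(st["sp"], set())
        attrs = {}
        for uri, value in claims.items():
            name = CLAIM_TO_SAML.get(uri)
            if name in released:                 # ARP: drop what is not released to this SP
                attrs[name] = value
        return {"destination": st["sp"], "issuer": GATEWAY_ID,
                "nameid": pairwise_id(issuer, st["sp"], claims[UPN]),
                "attributes": attrs}


def _rejects(exc, fn, *args):
    """True when fn(*args) raises exc (used below to show the failure modes)."""
    try:
        fn(*args)
        return False
    except exc:
        return True


def demo():
    """One good round trip plus replay, ACL and expiry failures; returns what happened."""
    now = [1000.0]                               # controllable clock for the expiry case
    gw = Gateway(clock=lambda: now[0])
    claims = {UPN: "alice@uni.example", AFFILIATION: "staff", MAIL: "alice@uni.example"}
    out = {}
    req = gw.handle_sp_request(SP, IDP)
    resp = gw.handle_idp_response(req["wctx"], IDP, claims)
    out["attributes"] = resp["attributes"]
    out["nameid_is_pairwise"] = resp["nameid"] == pairwise_id(IDP, SP, claims[UPN])
    out["replay_rejected"] = _rejects(ValueError, gw.handle_idp_response, req["wctx"], IDP, claims)
    out["acl_enforced"] = _rejects(PermissionError, gw.handle_sp_request, SP, "https://other-idp.example")
    req2 = gw.handle_sp_request(SP, IDP)         # the IDP answers after the state has expired
    now[0] += STATE_TTL + 1
    out["expiry_enforced"] = _rejects(ValueError, gw.handle_idp_response, req2["wctx"], IDP, claims)
    return out
```

Running demo() shows the mail claim dropped by the ARP, the NameID handed to the SP being the HMAC-derived per-SP value rather than the UPN, and the replayed, unauthorised and late responses all rejected. Popping the relay state before any other check is what makes a wctx single-use; a gateway that only reads it would accept a replayed IDP response.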

11 Experiences
- Multi-protocol abilities speed up institutional deployment: the gateway fits into their home ICT environment (Microsoft rather than Java)
- Identity-as-a-Service: service provider issues (metadata updates, attribute release policies) are handled for IDPs
- SAML 2.0 implementations are hard (specs/products/knowledge) -> slow SP take-up
- Scalability is ok: up to national level
- Trust model of the centralized federation is functionally equivalent to that of distributed federations: in both the federation operator is the TTP (signed responses vs. signed metadata)
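To make the last point concrete (signed responses in the gateway model versus signed metadata in the distributed model), here is an added example, not SURFnet's code, that walks both trust chains with a toy RSA signature over SHA-256 built from fixed small primes so that it runs on the standard library alone. The toy scheme stands in for XML-DSig and is not fit for real use; the entity IDs and keys are constructed.

```python
"""Added example, not SURFnet's code: the two trust chains from the slide
above. NxN: the SP verifies operator-signed metadata, takes the IDP key from
it and verifies the IDP's signature on the assertion. 2xN: the gateway
verifies the IDP and re-issues the assertion under its own signature; the SP
holds only the gateway key. Signatures are textbook RSA over SHA-256 with
fixed small primes (toy, never for real use). Entity IDs are constructed."""
import hashlib
import json

E = 65537


def toy_keypair(p, q):
    """(public, private) from two fixed primes. Toy size, no padding."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def canon(doc):
    """Canonical byte form of a document, the job XML c14n does for SAML."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def _digest(doc, n):
    return int.from_bytes(hashlib.sha256(canon(doc)).digest(), "big") % n


def sign(priv, doc):
    n, d = priv
    return pow(_digest(doc, n), d, n)


def verify(pub, doc, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(doc, n)


# --- NxN: SP trusts operator-signed metadata and verifies the IDP directly ---
def mesh_sp_accepts(operator_pub, metadata, md_sig, assertion, a_sig):
    if not verify(operator_pub, metadata, md_sig):
        return False                        # metadata was not signed by the operator
    entry = metadata["entities"].get(assertion["issuer"])
    if entry is None:
        return False                        # issuer is not a federation member
    return verify(tuple(entry["key"]), assertion, a_sig)


# --- 2xN: gateway verifies the IDP, SP verifies only the gateway ------------
def gateway_relay(gw_priv, idp_keys, assertion, a_sig):
    """(relayed assertion, signature), or None when the IDP response is rejected."""
    idp_pub = idp_keys.get(assertion["issuer"])
    if idp_pub is None or not verify(idp_pub, assertion, a_sig):
        return None
    relayed = dict(assertion, issuer="urn:gateway", via=assertion["issuer"])
    return relayed, sign(gw_priv, relayed)


def hub_sp_accepts(gw_pub, relayed, r_sig):
    return relayed.get("issuer") == "urn:gateway" and verify(gw_pub, relayed, r_sig)


def demo():
    op_pub, op_priv = toy_keypair(1000000007, 998244353)     # federation operator / gateway
    idp_pub, idp_priv = toy_keypair(1000000009, 999999937)   # legitimate IDP
    bad_pub, bad_priv = toy_keypair(2147483647, 4294967291)  # attacker
    idp_id = "https://idp.uni.example"
    assertion = {"issuer": idp_id, "subject": "alice", "audience": "https://sp.example.org"}
    good_sig, bad_sig = sign(idp_priv, assertion), sign(bad_priv, assertion)

    metadata = {"entities": {idp_id: {"key": list(idp_pub)}}}
    md_sig = sign(op_priv, metadata)
    # attacker swaps in their own key but cannot re-sign the metadata
    forged_md = {"entities": {idp_id: {"key": list(bad_pub)}}}

    out = {
        "mesh_ok": mesh_sp_accepts(op_pub, metadata, md_sig, assertion, good_sig),
        "mesh_rejects_forged_assertion": not mesh_sp_accepts(op_pub, metadata, md_sig, assertion, bad_sig),
        "mesh_rejects_forged_metadata": not mesh_sp_accepts(op_pub, forged_md, md_sig, assertion, bad_sig),
    }
    idp_keys = {idp_id: idp_pub}                 # the gateway's own configuration
    relayed = gateway_relay(op_priv, idp_keys, assertion, good_sig)
    out["hub_ok"] = relayed is not None and hub_sp_accepts(op_pub, *relayed)
    out["hub_rejects_forged_assertion"] = gateway_relay(op_priv, idp_keys, assertion, bad_sig) is None
    # an SP behind the gateway does not accept IDP-signed assertions directly
    out["hub_sp_ignores_direct_idp"] = not hub_sp_accepts(op_pub, assertion, good_sig)
    return out
```

In both flows the SP holds exactly one key and it belongs to the federation operator: the key that signed the metadata, or the key that signs the relayed response. A swapped IDP key in the metadata, or an assertion signed by the wrong IDP key, is rejected in both models; what differs is where the IDP signature is checked (SP versus gateway) and therefore who must be trusted to check it correctly.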

12 Future Developments
- Web services (gateway as WS-Trust STS!)
- Cross-layer identity (unified SSO)
- Identity-as-a-Service extensions
- User-centric privacy extensions: user consent
- Geneva
- SURFnet services: OpenID
- Confederations: Kennisnet, EduGAIN

13 SURFnet Service Provider
- SURFnet plays three roles in the SURFfederatie:
  - Federation operator, gateway
  - IDP, for SURFnet employees
  - SP, for services offered by SURFnet to federation members
- Services are connected via a proxy
- Proxy is running phpFederate

14 SURFnet Service Provider
[Diagram: SURFfederatie gateway (IDP) -> SURFnet Service Provider proxy (SP towards the gateway, IDP towards the services) -> SURFmedia, SURFmailfilter, SURFdomeinen]

15 Proxy benefits
- Protocol translation:
  - Hook up any service using A-Select/Shibboleth/SAML/WS-Federation
- Centralize features needed for all services:
  - Access Control
  - Attribute enrichment
  - Guest access to selected services
  - Migrating user data when users switch identity

16 Guest access
[Diagram: a Guest IDP alongside the SURFfederatie IDP, both feeding the SURFnet Service Provider proxy in front of SURFmedia, SURFmailfilter and SURFdomeinen]

17 Attribute enrichment
[Diagram: the SURFnet Service Provider proxy adds attributes from an attribute database to those received from the SURFfederatie IDP before passing them on to SURFmedia, SURFmailfilter and SURFdomeinen]
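As an added example (not the SURFnet proxy's code) of the centralised features shown in the last three slides, the following Python sketches access control, attribute enrichment from a local attribute database, guest access to selected services, and migrating a user's data when they switch identity. The issuers, service policy and records are constructed, and the entity ID used for the SURFfederatie IDP is an assumption. The point a practitioner should take from it is that the enrichment store is keyed by (issuer, subject): a guest IDP that asserts the subject "alice" must not inherit the attributes stored for the federation user "alice".

```python
"""Added example; not the code of the SURFnet proxy. Access control, attribute
enrichment, guest access and user-data migration in one place, keyed by
(issuer, subject) so guest and federated identities never collide.
Issuers, service names, policy and records are constructed."""

FEDERATION_IDP = "https://sfs.surfnet.nl"    # SURFfederatie as IDP (assumed entity ID)
GUEST_IDP = "https://guest-idp.example"      # hypothetical guest IDP

# Which issuers each service admits (constructed policy)
SERVICE_POLICY = {
    "SURFmedia": {FEDERATION_IDP, GUEST_IDP},   # guests allowed here only
    "SURFmailfilter": {FEDERATION_IDP},
    "SURFdomeinen": {FEDERATION_IDP},
}


class ServiceProxy:
    def __init__(self, attribute_db=None):
        # (issuer, subject) -> locally managed attributes
        self.attribute_db = dict(attribute_db or {})

    def authorize(self, issuer, service):
        """Access control for all services, decided once in the proxy."""
        return issuer in SERVICE_POLICY.get(service, set())

    def enrich(self, issuer, subject, federated_attrs):
        """Merge local attributes into the federated ones. Federated values win
        on conflict: the IDP, not the local database, is authoritative for them."""
        merged = dict(self.attribute_db.get((issuer, subject), {}))
        merged.update(federated_attrs)
        return merged

    def login(self, issuer, subject, federated_attrs, service):
        """What the proxy hands to a service after a successful federated login."""
        if not self.authorize(issuer, service):
            raise PermissionError(f"{issuer} users may not access {service}")
        return {"subject": subject, "issuer": issuer,
                "attributes": self.enrich(issuer, subject, federated_attrs)}

    def migrate(self, old_identity, new_identity):
        """Move a user's local data when they switch identity (e.g. guest ->
        institutional). Refuses to overwrite data already held for the new one."""
        if new_identity in self.attribute_db or old_identity not in self.attribute_db:
            return False
        self.attribute_db[new_identity] = self.attribute_db.pop(old_identity)
        return True


def demo():
    """Constructed scenario; returns what each step produced."""
    proxy = ServiceProxy({(FEDERATION_IDP, "alice"): {"role": "admin", "quota_gb": 50}})
    fed_attrs = {"mail": "alice@uni.example", "affiliation": "staff"}
    out = {}
    out["federated"] = proxy.login(FEDERATION_IDP, "alice", fed_attrs, "SURFmailfilter")["attributes"]
    # same subject string from the guest IDP: no enrichment leaks across issuers
    out["guest"] = proxy.login(GUEST_IDP, "alice", {"mail": "alice@mail.example"}, "SURFmedia")["attributes"]
    try:
        proxy.login(GUEST_IDP, "alice", {}, "SURFmailfilter")
        out["guest_blocked"] = False
    except PermissionError:
        out["guest_blocked"] = True
    # bob used the guest IDP first, then received an institutional account
    proxy.attribute_db[(GUEST_IDP, "bob")] = {"playlists": 3}
    out["migrated"] = proxy.migrate((GUEST_IDP, "bob"), (FEDERATION_IDP, "bob"))
    out["bob"] = proxy.enrich(FEDERATION_IDP, "bob", {"affiliation": "student"})
    # migration never clobbers an existing record
    out["no_clobber"] = not proxy.migrate((FEDERATION_IDP, "bob"), (FEDERATION_IDP, "alice"))
    return out
```

The merge order in enrich() is deliberate: a locally stored "affiliation" can never override the value the IDP asserted, so the attribute database can add data but not impersonate the IDP.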

18 Current developments
- OpenID Gateway:
  - SURFnet SP as OpenID RP (guest access)
  - SURFfederatie as OpenID Provider (requires user consent)
- Federated Groups
  - Join people from multiple IDPs into groups
  - Centrally managed
  - Across multiple services
  - Federated directory
- Step-up authentication (introduce second factor)
  - OTP per SMS
  - Mobile PKI (authN using private key on SIM)

19 OpenID protocol handler
[Diagram: an OpenID Provider feeding the SURFnet Service Provider proxy acting as OpenID RP, alongside the SURFfederatie IDP, in front of SURFmedia, SURFmailfilter and SURFdomeinen]

20 Mobile PKI

21 Conclusions
- Rapid deployment: 500,000 users
- From gateway towards Identity-as-a-Service
- Outlook: from use-once-a-month content towards every-day use of hosted web applications

