Europe Latin America Collaborative e-Infrastructure for Research Activities · TICAL2014 · Brook Schofield, TERENA

Post on 18-Aug-2020


Europe Latin America Collaborative e-Infrastructure for Research Activities · TICAL2014

Brook Schofield, TERENA ● TICAL 2014 ● 29th May 2014

About me…

• Brook Schofield
• mailto:schofield@terena.org
• skype://brookschofield
• tel:+31651553991
• http://terena.org/~schofield
• linkedin.com/in/brookschofield

I work at TERENA. eduGAIN Task Leader in the GN3plus Project. eduroam Global Governance Secretary. ELCIRA Project participant.

The Situation on Campus: Lots of Applications

• More applications for students and researchers
• Applications require authentication and authorization

Lots of Applications → Lots of Passwords

• One password for each application does not scale
• Tons of passwords to manage for users and service operators
• Varying degree of password security
• Increased helpdesk/user work due to password resets
• Collaborative usage of applications is difficult

The Solution: Identity Management

• Create an (identity) federation:
  – Multiple organisations/services agree on common technical and legal standards
  – Deploy Identity and Service Providers
  – Mutually trust each other's assertions
  – Collaborate, e.g. common e-learning
• One login name and password for users
• Password entered only at home login page
• Many countries have national academic identity federations today!
• First Academic Identity Federations started in mid-2000s

Authentication services you already use…

Hub & Spoke Federation with Central Login

~5% of all Federations
• FEIDE
• AAI@EduHr

Also used by
• Facebook
• Twitter
• Google+

Requires "trust" in the Operator

[Diagram: Hub & Spoke federation with a central login hub. Legend: Organisation, User Directory (DB), Service Provider (SP), Hub with Central Login, Identity Provider (IdP); arrows show the SAML Assertion Flow and the Connection to User Directory.]

Hub & Spoke Federation with Distributed Login

~15% of Federations
• SURFconext
• WAYF (Denmark)
• SIR
• TAAT
• Confia

Operator can see the "content" of Auth messages

[Diagram: Hub & Spoke federation with distributed login. Legend: Organisation, User Directory (DB), Service Provider (SP), Identity Provider (IdP), Hub, Central Discovery Service (DS); arrows show the SAML Assertion Flow and the Connection to User Directory.]

Full Mesh Federation

~80% of Federations
• COFRe
• CAFe
• InCommon
• UKAMF
• SWAMID
• HAKA
• AAF
• SWITCHaai
• ...

[Diagram: Full Mesh federation. Legend: Organisation, User Directory (DB), Service Provider (SP), Identity Provider (IdP), Central Discovery Service (DS), (Local) Discovery Service (DS); arrows show the SAML Assertion Flow and the Connection to User Directory.]

Identity Federations World Wide

31 Production Federations
17 Pilot Federations
Last update May 2014

Identity Federations Are Traditionally National

All Federations:
• Support SAML2
• education & research
• Use same/similar user attributes

eduroam – roam across borders

[World map of eduroam deployments; the only recoverable labels are "12" and the legend entry "eduroam Pilot :-("]

eduroam in Latin America

• 8 production deployments
  – Argentina, Brazil, Chile, Colombia, Costa Rica, Ecuador, Mexico, Peru
• 4 pilot deployments
  – El Salvador, Nicaragua, Uruguay, Venezuela
• > 9 Missing
  – Bolivia, Guatemala, Honduras, Panama, Paraguay, Guyana
  – Caribbean – Belize, French Guiana, Suriname

[Map legend: eduroam Pilot :-(]

Global Authentication INfrastructure

Who, What, Where, When, Why and How of eduGAIN

Provide legal and technical frameworks to make Identity Federations interoperate == interfederate

Who is Behind eduGAIN?

Key Personnel
• Operational Team (Tomasz Wolniewicz, UMK, PL)
• Policy & Code of Conduct (Mikael Linden, CSC, FI)
• Emerging Federations (Brook Schofield/Nadia Sluer, TERENA, NL)
• FaaS (Marina Vermezovic, AMRES, RS/Valter Nordh, SWAMID, SE)
• Engaging User Communities (Lukas Hämmerle/Ann Harding, SWITCH, CH)

…and How Is it Governed?

Governing Structure
• eduGAIN Steering Group (eSG)
  Each member federation has one representative. Votes on which new federations are accepted or policy changes.
• eduGAIN Executive Committee (eEC)
  Approves changes to the constitution and has veto right. Nominated by GEANT Executive Committee.

Interfederation with eduGAIN

• Global Authentication INfrastructure for education
• An interfederation service primarily for Research & Education
• Connects existing SAML-based academic identity federations
• Developed and funded by European GÉANT projects (www.geant.net) but open also to non-European federations
• Web site: www.eduGAIN.org

What Is it? …and How Does it Work?

• MDS fetches, aggregates and republishes metadata
• eduGAIN provides policy framework and standards to build trust

[Diagram of the eduGAIN policy and profile documents: Code of Conduct, Attribute Profile, Metadata Profile, Web SSO Profile, eduGAIN Constitution, eduGAIN Declaration]
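To make "MDS fetches, aggregates and republishes metadata" concrete, here is an added Python example written for this page; it is not eduGAIN's MDS code nor any federation tool's code. It merges several per-federation SAML 2.0 metadata feeds (md:EntitiesDescriptor documents) into one aggregate, rejects a feed whose validUntil has passed (serving stale metadata would keep advertising entities and keys a federation has already withdrawn), keeps the first registration when the same entityID appears in two feeds (the "join one, be connected to many" case), counts IdP and SP roles, and republishes the result with its own validUntil. The federation names, entityIDs and the reference time are constructed for the demo; signing and signature verification of the feeds, which the tools slide below notes is outside those tools' scope, is deliberately left out here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
ET.register_namespace("md", MD)

# Fixed reference time for the demo (the date of the talk) so results are reproducible.
NOW = datetime(2014, 5, 29, tzinfo=timezone.utc)


def feed(name, valid_until, entities):
    """Build a constructed md:EntitiesDescriptor feed; entities are (entityID, role tag) pairs."""
    body = "".join(
        f'<md:EntityDescriptor entityID="{eid}"><md:{role}/></md:EntityDescriptor>'
        for eid, role in entities
    )
    return (f'<md:EntitiesDescriptor xmlns:md="{MD}" Name="{name}" '
            f'validUntil="{valid_until}">{body}</md:EntitiesDescriptor>')


# Constructed sample feeds standing in for member federations' exports (hypothetical names).
SAMPLE_FEEDS = [
    feed("urn:example:federation-a", "2099-01-01T00:00:00Z", [
        ("https://idp.uni-a.example/idp", "IDPSSODescriptor"),
        ("https://sp.publisher.example/shibboleth", "SPSSODescriptor"),
    ]),
    # The same publisher SP is also registered in a second federation.
    feed("urn:example:federation-b", "2014-06-30T00:00:00Z", [
        ("https://idp.uni-b.example/idp", "IDPSSODescriptor"),
        ("https://sp.publisher.example/shibboleth", "SPSSODescriptor"),
    ]),
    # A stale feed: validUntil lies before NOW, so the aggregator must refuse it.
    feed("urn:example:federation-stale", "2014-01-01T00:00:00Z", [
        ("https://idp.uni-c.example/idp", "IDPSSODescriptor"),
    ]),
]


def load_feed(xml_text, now):
    """Parse one feed and enforce the checks an aggregator makes before using it."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        raise ValueError("root element is not md:EntitiesDescriptor")
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError(f"{root.get('Name')}: missing validUntil")
    if datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        raise ValueError(f"{root.get('Name')}: feed expired at {valid_until}")
    return root


def aggregate(feeds, now=NOW, lifetime=timedelta(days=7)):
    """Merge feeds into one EntitiesDescriptor; the first registration of an entityID wins."""
    merged = ET.Element(f"{{{MD}}}EntitiesDescriptor", {"Name": "urn:example:aggregate"})
    merged.set("validUntil", (now + lifetime).strftime("%Y-%m-%dT%H:%M:%SZ"))
    registered_by = {}  # entityID -> feed that first registered it
    stats = {"entities": 0, "idps": 0, "sps": 0, "duplicates": 0, "rejected": []}
    for xml_text in feeds:
        try:
            root = load_feed(xml_text, now)
        except (ET.ParseError, ValueError) as exc:
            stats["rejected"].append(str(exc))
            continue
        for entity in root.findall("md:EntityDescriptor", NS):
            entity_id = entity.get("entityID")
            if not entity_id:
                continue  # an EntityDescriptor without an entityID cannot be routed to
            if entity_id in registered_by:
                stats["duplicates"] += 1
                continue
            registered_by[entity_id] = root.get("Name")
            merged.append(entity)
            stats["entities"] += 1
            stats["idps"] += int(entity.find("md:IDPSSODescriptor", NS) is not None)
            stats["sps"] += int(entity.find("md:SPSSODescriptor", NS) is not None)
    return ET.tostring(merged, encoding="unicode"), stats, registered_by


def run_demo():
    """Aggregate the constructed feeds and return the statistics plus the republished XML."""
    xml_out, stats, registered_by = aggregate(SAMPLE_FEEDS)
    stats["registered_by"] = registered_by
    stats["xml"] = xml_out
    return stats


if __name__ == "__main__":
    result = run_demo()
    print({k: v for k, v in result.items() if k != "xml"})
    print(result["xml"])
```

With the three constructed feeds the aggregate holds three entities (two IdPs, one SP), reports one duplicate registration and one rejected feed, and carries a validUntil seven days after the reference time; a production MDS would additionally verify each feed's XML signature before any of this, and sign the republished aggregate.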

More "Realistic" Architecture

"Phonebook" Tools

Comparison table of federation registry tools (columns: SWITCH RR, Fed Reg AAF, JAGGER-RR, pyFF, JANUS-SSP, In-House).

Which Federation?
  SWITCH RR: SWITCHaai, Haka, NIIF, Edugate
  Fed Reg AAF: AAF, Tuakiri (NZ), CAFe
  JAGGER-RR: Edugate, RCTSaai, IDEM, CAF, iAMRES, "FaaS"
  pyFF: SWAMID, ACOnet
  JANUS-SSP: WAYF, SURFconext
  In-House: Belnet, RENATER, AAI@EduHR

Customisation (values as listed on the slide): Lots, Limited, Community, Community, Lots

Language
  SWITCH RR: PHP
  Fed Reg AAF: Java (v1), Groovy (v2), Scala
  JAGGER-RR: PHP
  pyFF: Python
  JANUS-SSP: PHP
  In-House: XSLT, Perl, PHP

Missing Features (cells as listed on the slide):
  – Dependent on version of software.
  – "opt-in/out", MDUI, MD Aggregation
  – UI, UX, Signing, Realtime Aggregation
  – Self-Service, *"opt-in/out", MD Aggregation
  – Self-Service, "opt-in/out", MDUI, MD Aggregate

* Process available but requires documentation.
NB:- Signing of metadata outside the scope of these tools – solutions exist.

eduGAIN: Legal Trust and Profiles

• eduGAIN Declaration (3 pages)
  – Signed by each Member Federation
  – Contains 13 rules that federations promise to obey
• eduGAIN Constitution (10 pages)
• Profiles for SAML, Metadata, Attributes, ...
• GEANT Data Protection Code of Conduct
  – Declaration of Service Providers to "behave well" with user data
  – Applicable in EU/EEA or similar

http://edugain.org/policy

GÉANT Code of Conduct

[Map legend]
25 EEA Data Protection
5 EEA Compatible DP
1 Safe Harbor (USA)
17 Federation outside GÉANT CoC (5 in or joining)

GÉANT Data Protection Code of Conduct

• Only Argentina in Latin America is covered
• Significant piece of work with huge impact
  – Potentially covers a large portion of the community
• 30 of the 47 Federations (31 of 48 countries)
• Adoption + use still required.
  – Technology works with Shibboleth IdP.
  – In Development for simpleSAMLphp + Federation Metadata Registry Tools.
• Scalable solution for the other 17/18 Federations/Countries?
  – Export out of Europe is the problem to be solved!

History of eduGAIN

• 2006 – Research project within GN2
  – Trialled various architectures, technologies + protocols
• 2009 – Promoted to a service in GN3
  – Path forward was Mesh & SAML2
• 2011 – Launched to the federation community
• 2013 – Renewed as a service in GN3+
• 2014 – All production federations have joined

eduGAIN & Federations

[Series of map slides; legend counts per date]
• 1 April 2013: 18 eduGAIN Members, 2 Joining eduGAIN, 9 Candidate Federations
• 1 April 2014: 24 eduGAIN Members, 6 Joining eduGAIN, 1 Candidate Federation
• 15 April 2014: 24 eduGAIN Members, 7 Joining eduGAIN, 0 Candidate Federations, 17 Other Federations

eduGAIN: Some Statistics

– April 2011: Official start of eduGAIN
– Nov 2013: 21 Federations are members (50%)
– Apr 2014: 24 Federations are members (51%)
– Entities: 253 IdPs, 117 SPs (369 in total)
  One IdP can represent dozens of organisations and services depending on federation architecture => actual numbers are higher
– Whole (academic) SAML landscape: 47 Federations, 2539 IdPs, 5280 SPs
  Not all of them need to be interfederated, e.g. many internal SPs

Numbers from May 2014

Identity Federations and Latin America

• eduGAIN Participant
  – Brazil (CAFe)
  – Chile (COFRe)
• eduGAIN Candidate
  – Colombia (COLFIRE)
• Emerging Federations
  – Argentina, Costa Rica, Ecuador, El Salvador, Mexico, Peru

[Map legend: eduGAIN Member, Joining eduGAIN, Candidate Federation, Pilot Federation, MoU Signed with ELCIRA]

Why do eduGAIN?

Interfederation Use Cases

Researchers
Often work together in international research projects, which operate many web-based services that need authentication. Services are in different countries/federations. Thanks to Interfederation researchers can use their institution's account.

Lecturers
Can start e-learning collaborations across country borders. Create (costly) e-learning content collaboratively or easier "sell" it to other universities abroad.

Content Publishers
Companies like Elsevier/Thomson Reuters/etc. already joined multiple identity federations. Cumbersome for them and for federation operators. Thanks to Interfederation: Join one, be connected to many!


Lots of Federations

Which federation do I join first?

• Large federations are more interesting for commercial suppliers
• How to focus on customers – not size?
• …why not focus on customers AND size!
• eduGAIN is NOT a federation…
• …but if it was it would be the 6th largest

http://memegenerator.net/instance/50198870

How do I eduGAIN?

Federation Development

Campus: Username/Password Store for AuthN
IdP: Expose Campus IdM via SAML/RADIUS
Federation: Aggregates IdPs & SPs; Builds Trust
eduGAIN: Aggregates Federations

Federation Development Criteria

Pilot: Name, Webpage, Metadata Feed
Production: Policy for IdPs & SPs
Candidate: Metadata Registration Practice Statement
eduGAIN: Declaration Signed, Metadata Feed Validated

* INCA (Peru)

• INCA run by RAAP
  – Identidad Nacional para el Conocimiento y autenticación (INCA)
  – Identity for National Knowledge and Authentication (INKA)
• Started operation in late-2013 (revised: mid-2014)
• Joined eduGAIN in late-2013 (revised: early-2015 ;-))
• *This is NOT their logo!!

* MATE (Argentina)

• MATE run by INNOVA|RED
  – Marco para el Acceso a la Tecnología y la Educación (MATE)
  – Model for Access to Technology and Education (MATE)
• Started operation in late 2013 (revised: 2014)
• Joined eduGAIN in early-2014 (revised: late-2014 ;-))
• *This is NOT their logo (nor their name)!!

Federation Development

[Three builds of the same slide]
Technology                     Policy
Technology == Pilot            Policy == Production
Technology => Campus           Policy => NREN

Technology == Pilot

• Federation Core Services
  – "Routing"
  – Discovery
• Federation "Entities" (IdPs/SPs)
  – Shibboleth
  – simpleSAMLphp
  – PySAML
  – ADFS

Technology == Pilot

• NREN as Federation Operator
  – "Routing"
  – Discovery
• Campus, Content Providers, Research Infrastructures
  – Shibboleth
  – simpleSAMLphp
  – PySAML
  – ADFS

Federation Architectures

"Routing" & Discovery

• Full Mesh
• Hub&Spoke with…
  – Centralised Login
  – Distributed Login
• Can be a combination

"Routing" Tools

(This slide repeats the "Phonebook" Tools comparison table shown earlier: SWITCH RR, Fed Reg AAF, JAGGER-RR, pyFF, JANUS-SSP, In-House.)

• simpleSAMLphp
  – PHP
  – Multi-lingual support
• Shibboleth
  – IdP is Java, SP is C/mod_shib
  – Runs within Apache Tomcat
• PySAML2
  – Python
• Many plug-ins or modules available for common tools.
• Benefits are greater than using LDAP.

More than one choice is good…

NRENs' Role

</pilot>!                       Policy == Production

Policy

• Don't write your own…
  – "That's not what we MEANT to do…"
  – You'll make mistakes – even eduGAIN made mistakes
• GÉANT "Policy Template" useful for Federations
  – Policy is in English – but this isn't a problem
  – Analysed 15 policy documents
  – Found the "best of" and provided example text
• See EuroCAMP November 2012 for more…

Identity Federation Policy document suite

Identity Federation Policy document
• Identity Federation Policy (main)
• Appendices
  – Technology Profile eduroam
  – Technology Profile Web single sign-on
  – Level of Assurance Profiles
  – Data Protection Profile
  – Federation Operational Practices
  – Appendix Governance
  – Appendix Fees

Metadata Registration Practice Statement

• This is a requirement for eduGAIN
• All statements published on eduGAIN website
  – http://eduGAIN.org/technical/status.php
• Inconsistent format between federations
• REFEDS FOP to the rescue

Federation Operator Practice document suite

Federation Operator Practice Statement document
• Federation Operator Practice
• Appendices
  – Metadata Registration Practice Statement
  – Key Management Practice Statement
  – Monitoring Practice Statement
  – Assurance Practice Statement
  – Appendix x, Appendix y

What to NOT focus on?

• Waiting until …
  – NRENx has their federation in "production".
  – NRENy is a member of eduGAIN.
  – A "killer app" is found.
• "Other" or Future Federation Technologies
  – OpenID Connect + OAuth are being explored.
  – Hub&Spoke gateways already exist.
• Connecting to "other" federations
  – Let eduGAIN do that for you.
  – Bilateral peerings only solve THEIR problem.

What to focus on?

• Federating your campus systems
  – Talk to your researchers, staff & students
• Investigate key services
  – Intranet and Website
  – Webmail
    • Google Apps for Education, Microsoft 365
  – e-Learning – Moodle, Desire2Learn
  – Talk to your librarian about Journal Access
  – Find your own "killer app".

Next steps…

• Deploy eduroam → Use it at TICAL2015
• Pick a campus federation architecture:
  – Hub&Spoke or Mesh
• Deploy an IdP
  – PySAML2, simpleSAMLphp, Shibboleth
• Connect with your NREN's pilot Federation
• Connect with the community
  – Country, Latin America and Globally
• Federate your services

A family of services

Join eduGAIN and solve problems…

Solving problems is a partnership.

</end>

Brook Schofield
schofield@terena.org
