REFEDS Update on Canadian Access Federation
Chris Phillips | Nov 11, 2013 | Internet2 idweek2013 | San Francisco
www.canarie.ca
May 20, 2015
About CANARIE
Map date: 29 May 2012
• Operates Canada's ultra-high-bandwidth research network
• Connects one million users at 1,100 institutions, "big science" facilities like TRIUMF, NEPTUNE, CLS, SNOLAB, and to Compute Canada HPC consortia
• 19,000 km of fibre with a 40 Gbps backbone
• Funds programs that enable greater access to research data, tools and peers and to stimulate the ICT sector
• Operator of the Canadian Access Federation
• SAML federation based on Shibboleth
• Canadian eduroam 802.1x wireless roaming operator
• eduGAIN participant
• Primary investment from Government of Canada - $480 M since 1993
Additional Programs
• DAIR - Digital Accelerator for Innovation and Research: An on-demand, advanced R&D cloud environment that supports Canada's tech innovators. OpenStack based, with 2 regions (Alberta, Quebec).
• RPI - Research Platform Infrastructure: An investment in middleware by CANARIE that leverages existing platforms and is the evolution of the NEP program. Reduces duplication, increases re-use and collaboration between programs. http://science.canarie.ca/
• NEP - Network Enabled Platforms: Similar in nature to the GEANT open call. Research initiatives showing innovative uses of the network. Has evolved to be even more collaborative and generates new interfaces/RPI services to be reused between projects.
This is what it feels like trying to collaborate....
Image: Phil Roeder - Flickr
This is how we want it to feel.
How?
Facilitate collaboration at the largest scale possible.
Easiest but trusted!
Seamlessly!
Roaming wireless
• International wireless roaming
• Ability to automatically sign on using your home credential
• Reduces barriers to mobile users
• Worldwide and expanding coverage: Canada: 64 sites • 65 countries worldwide (a second copy of this slide lists Canada: 48 sites • 60 countries worldwide)
Federated identity
• Federated Single Sign On for services
• Web and non-web sign on • Authentication • Authorization • Attribute release • Across different security domains
• ~3M logins Sept 2013 • 2.5x traffic growth in 1 yr
• 48 sites, ~50% of universities in Canada • 40% growth in sites in 1 yr
• 24 Service Providers – 160% increase in 1 yr
• 21 Identity Providers
[Chart: Successful Logins, International vs Canada]
[Chart: Total CAF enabled users – SAML & eduroam: 937,000; 986,765; 1,011,793; 1,020,387]
Interfederation
• eduGAIN as primary, exploring other direct relationships
• Bridge to international community
• Enables CAF participants to:
  • Accept identities inbound from outside Canada to Canadian services
  • Use Canadian identities in services outside Canada
• Int'l NREN CEO Forum placed eduGAIN as a key effort
• CAF was an early adopter - joined last year when there were 8, and eduGAIN now has 20 countries
A Glimpse at eduroam traffic
[Chart: eduroam Successful Logins - up to Oct 30, 2013, International vs Canada, with a secondary axis for % No Reply from Server]
Closing the gap
• eduroam evidence of success → Why not the same for FSSO?
• Talked to new & old participants, other federations
• Analyzed over a year's worth of data
http://www.flickr.com/photos/asparagus_hunter/483841638/ asparagus hunter
Why?
• Evolved approach to better match campus IT reality
• Reduced cost/effort to be a CAF participant
• Simplifies CAF installation experience
• Easier day to day operations
http://www.flickr.com/photos/madison_guy/3386919046/sizes/o/in/photostream/ Madison Guy
Regular Approach: Choose RADIUS server → Install & Configure → Test & Connect
Identity Appliance: Supported Server installed → Pre-configured → Tested & Connected
Regular Approach: Choose platform → Install & Configure → Test & Connect
Identity Appliance: Supported platform installed → Pre-Configured → Tested & Connected
A Bit Deeper
• Reviewed many styles, but no one was really doing both eduroam AND Federated SSO with SAML
• Inspired by many DevOps-style approaches, adopted an installer-based model (SWAMID approach; others influential too)
• eduroam in alpha now, Fed SSO going through test cycles
• Sites will be connected to both eduroam & eduGAIN
Inter-federation
• In use and business as usual
• eduroam Configuration Assistant Tool (CAT) driving current IdPs
• Appliance approach will see sites joining eduGAIN when they join CAF.
eduroam CAT service (accessed via eduGAIN)
• Builds & hosts profile installers for all platforms and devices (MSFT, Apple, Linux)
• Profile = specific configuration on your device to connect to the network
Signing on to Manage Your eduroam Site
• Access is only for site admins
• Requires Federated Single Sign On + a one-time invitation link
• Can create multiple admins
• Can create multiple 'profiles' for testing prior to release.
• Production profiles can be downloaded via CAT
Once Signed in
Snapshot of eduroam CAT
• # of federations with at least 1 production IdP: 30
• Total IdPs registered: 391
• IdPs which enabled public download interface: 264
• End user downloads of installers so far: 162,289
Sub-national Topic
• Different groups across Canada expressed interest in 'CAF+ . . .'
• Needs were diverse yet common: additional schema, workflow for special sets of entities only, allow entities to be members of multiple sets, notify about joining a set.
• View is that it can be done centrally through CAF, but tools & processes need improvements
Unified Collaboration & Interconnection
[Diagram: CAF at the centre, interconnecting Local Federations (IdPs and SPs), Special Interest Trust Groups (IdPs and SPs) and a Higher Assurance group]
• Efficient, least effort for SP/IdP
• Local fed incubates federation-aware apps
• SITG can leverage common infrastructure, and overlay special attribute sets & specific policies
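The interfederation idea earlier in the deck (accepting IdPs registered by another federation via eduGAIN) and the "sets of entities" idea here (trust groups and assurance overlays on top of the common CAF infrastructure) can both be expressed in the SAML metadata aggregate a federation publishes. The block below is an added example, not CANARIE's or the CAF's code; it assumes the registering federation is recorded with the mdrpi:RegistrationInfo extension and overlay membership with mdattr:EntityAttributes (both real SAML metadata extensions), while every entityID, registrationAuthority URI and set name is a constructed placeholder.

```python
# Added example, not CANARIE's or the CAF's code. Assumes entities carry mdrpi:RegistrationInfo
# (registering federation) and mdattr:EntityAttributes (overlay sets); all names are placeholders.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed aggregate: two CAF-registered IdPs (one also in the higher-assurance overlay),
# one IdP registered by a foreign federation, and one IdP with no registration info at all.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <md:EntityDescriptor entityID="https://idp.campus-a.example/idp"><md:Extensions>
  <mdrpi:RegistrationInfo registrationAuthority="https://caf.example/"/>
  <mdattr:EntityAttributes><saml:Attribute Name="https://caf.example/sets">
   <saml:AttributeValue>sitg-research</saml:AttributeValue><saml:AttributeValue>higher-assurance</saml:AttributeValue>
  </saml:Attribute></mdattr:EntityAttributes></md:Extensions><md:IDPSSODescriptor/></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.campus-b.example/idp"><md:Extensions>
  <mdrpi:RegistrationInfo registrationAuthority="https://caf.example/"/>
  <mdattr:EntityAttributes><saml:Attribute Name="https://caf.example/sets">
   <saml:AttributeValue>sitg-research</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  <md:IDPSSODescriptor/></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.abroad.example/idp"><md:Extensions>
  <mdrpi:RegistrationInfo registrationAuthority="https://other-fed.example/"/></md:Extensions>
  <md:IDPSSODescriptor/></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.unregistered.example/idp"><md:IDPSSODescriptor/></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def load_entities(xml_text):
    """Map entityID -> role, registering federation and overlay-set membership."""
    root = ET.fromstring(xml_text)
    out = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        vals = ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute/saml:AttributeValue", NS)
        out[ed.get("entityID")] = {
            "role": "IdP" if ed.find("md:IDPSSODescriptor", NS) is not None else "SP",
            "registrar": reg.get("registrationAuthority") if reg is not None else None,
            "sets": {v.text.strip() for v in vals if v.text}}
    return out

def select_idps(entities, registrar=None, required_set=None):
    """IdPs a service may accept. Unregistered entities are never returned: an entity with no
    registrationAuthority has no federation vouching for it, even inside a signed aggregate."""
    return sorted(eid for eid, e in entities.items() if e["role"] == "IdP" and e["registrar"]
                  and (registrar is None or e["registrar"] == registrar)
                  and (required_set is None or required_set in e["sets"]))
```

A Canadian SP that only wants home-federation IdPs passes `registrar="https://caf.example/"`; a SITG or higher-assurance service adds `required_set`, and an eduGAIN-facing service passes neither and still gets only entities some federation has registered.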
Improving Tools
• Federation Operations needed to rise to the challenge
• Federation Registry tools space has very rich offerings (AAF: Federation Manager, HEANET: Resource Registry, REEP to name a few)
• Tough to choose because of the great work out there
• Gravitated to HEANET RR
http://www.flickr.com/photos/chazferret/2075442918/
Skating to where the puck will be
• Our usual 'customers' are changing, we need to as well.
• Centralized services with delegation functionality avoid duplication of effort in the community and save time and effort for sites
http://www.flickr.com/photos/mag3737/1997114236/ mag3737
Seed Topics for the ACAMP
• Effective attribute release from IdPs
• Centralized authorization and user preferences being sought – should we run an instance of Grouper or COmanage?
• Non-web SAML for RESTful web services, looking for some interesting approaches
• Interested in any mobile plays for Fed. SSO on smartphones.
http://www.flickr.com/photos/the_yes_man/4648999621/sizes/l/in/photostream/
Additional Material
Digital Accelerator for Innovation and Research (DAIR)
An on-demand, advanced R&D environment that supports Canada's tech innovators and entrepreneurs in designing, prototyping, validating and demonstrating their new technology apps, products and services.
www.canarie.ca/en/dair
[Diagram legend: Optical Regional Advanced Networks (ORANs); Cloud Computing and Storage; INTERNET]