SURFfederatie & SURFconext Federated identity system for scientific collaborations 9-10 June 2011 CERN Remco Poortinga – van Wijnen*, SURFnet [email protected].

SURFfederatie & SURFconext Federated identity system for scientific collaborations9-10 June 2011 CERNRemco Poortinga – van Wijnen*, [email protected]

*with input from a lot of others

SURFnet. We make innovation work2

Overview

- SURFfederatie- In 3 slides

- SURFconext- Background- Features- Architecture- Services- TBD/Future development

SURFnet. We make innovation work3

Federation Models

- 1-1

- Business: SAML 1.x

- de-facto

- NxN (‘distributed’)

- Shared trust, pt2pt

- Education VS/Europe

- Shibboleth

- 2xN (‘hub-and-spoke’)

- Central gateway (CFC)

- Protocol translation

- Attribute filtering &

enrichment

- Easier configuration for IdPs

IDP SP

IDP SP

IDP SP

IDP SP

IDP SP

IDP SP

IDP SPCFC

SURFnet. We make innovation work4

SURFfederatieFunctional View

CentralFederation

Components

CentralFederation

Components

A-Select CrossA-Select Cross

A-Select CrossA-Select Cross

ShibbolethShibboleth

SAML 2.0SAML 2.0

WS-Fed / ADFSWS-Fed / ADFS

SAML 2.0SAML 2.0

WS-Fed / ADFSWS-Fed / ADFS

Identity Providers Service ProvidersSURFfederatie CORE

ApplicationsCredentials

Some numbers

- IdPs (79)- 36 SAML 2.0- 22 (30*) WS-Federation (ADFS)

- (* 8 proxied)- 13 A-Select

- SPs (55+)- Google apps, foodle, live@edu, CLARIN (7),

several publishers, libraries, webshops, SURFconext, …

- ≈ 700k users

- (Technically) connected to eduGAIN

SURFnet. We make innovation work5

SURFconextsome background

- Goal of SURFnet is to enable collaboration- Across (institutional) borders

- Used to be done by SURFgroepen service- Sharepoint- User defined groups/spaces

- But:- Monolithic- No domestication (then)- Single (specific) service no choice- No way to extend groups to other services

- (exception: AdobeConnect)

SURFnet. We make innovation work6

SURFconext

- Allow users from different institutions to work together using their own preferred combination of tools- Using groups across services- Using SURFfederatie (trust, identities, attributes)

SURFnet. We make innovation work7

SURFconextplatform features

- IdP and SP (SAML 2.0) proxy- Group Relation Provider(s)- IdP and SP and oAuth registry- OpenSocial ‘Gadgets’ for GUI handling- OpenSocial ‘Social Data’ API- VO Registry VO IdP

- Uses OSS components where possible- Apache Shindig – OpenSocial Container- Apache Rave (incubator) – OpenSocial Portal- Corto – Idp/SP proxy- Janus – (SP/IdP Metadata) registry

- Is Open Source itself – http://www.openconext.org

SURFnet. We make innovation work8

SURFconext architecture

SURFnet. We make innovation work9

SURFconextservices

- Confluence- Alfresco- Liferay- WebEx- BigBlueButton- Sympa- Lobber- …

https://wiki.surfnetlabs.nl/display/domestication/Overview

SURFnet. We make innovation work10

What’s missing/TBD?

- Group Management across boundaries- NREN and/or VO-platform boundary

- On the agenda of GN3-JRA3-T2

- Production ready VO support- Group Management in context of a VO- virtualIDP for services supporting only single IdP

endpoint (Google apps etc)

- Roles and Rights- Roles group management ≠ roles services

- Service usage (licenses for guest users)

SURFnet - We make innovation work11

Questions?

- http://www.surffederatie.nl- http://www.surfconext.nl- http://www.openconext.org

[email protected]

SURFnet. We make innovation work12

Backup slides

SURFnet. We make innovation work13

OpenSocial - overviewOpenSocial - overview

App’s Virtual Organization ConsumersApp’s Virtual Organization Consumers ‘ ‘Social Network’Social Network’

https://portal.surfconext.nl → http://wiki.apache.org/incubator/RaveProposalhttps://os.surfconext.nl → http://shindig.apache.org/https://engine.surfconext.nl → http://code.google.com/p/corto/https://serviceregistry.surfconext.nl → http://code.google.com/p/janus-ssp/(SURFteams) https://www.surfteams.nl → http://www.internet2.edu/grouper/

SURFconext & eduGAIN

SURFnet - We make innovation work17

SURFconext/Corto

SURFconext/Corto

VOsVOs

GroupsGroups

ServiceService

IDP

SP

GuestIDP

GuestIDP

eduGAINeduGAIN

SURF-federatie

SURF-federatie

IDP

IDP

SP

SP

IDPIDPIDPIDP

IDPIDP

IDP

SP

IDP

SP

ServiceServiceServiceService

18

19

20