SURFfederatie & SURFconext Federated identity system for scientific collaborations 9-10 June 2011 CERN Remco Poortinga – van Wijnen*, SURFnet [email protected] *with input from a lot of others
Jan 04, 2016
SURFnet. We make innovation work
Overview

- SURFfederatie
  - In 3 slides
- SURFconext
  - Background
  - Features
  - Architecture
  - Services
  - TBD/Future development
Federation Models

- 1-1
  - Business: SAML 1.x
  - de facto
- NxN (‘distributed’)
  - Shared trust, point-to-point
  - Education, US/Europe
  - Shibboleth
- 2xN (‘hub-and-spoke’)
  - Central gateway (CFC)
  - Protocol translation
  - Attribute filtering & enrichment
  - Easier configuration for IdPs
(Diagram: IdP-to-SP connections for each of the three models; in the hub-and-spoke model every IdP and SP connects through the central CFC.)
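As an added illustration of what the central gateway does in the hub-and-spoke model (this is not code from the slides, nor from SURFfederatie or SURFconext), the Python snippet below takes a constructed SAML attribute statement from an IdP, releases only the attributes a hypothetical per-SP policy allows, and enriches the result with group membership from a hypothetical group provider, the role a Group Relation Provider plays in SURFconext. Entity IDs, policy, group identifiers and the sample assertion are all constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attribute statement an IdP might send to the hub.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:mace:dir:attribute-def:uid">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:mail">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:dir:attribute-def:telephoneNumber">
      <saml:AttributeValue>+31000000000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical per-SP release policy: only listed attributes leave the hub.
RELEASE_POLICY = {
    "https://sp.example.org/wiki": {
        "urn:mace:dir:attribute-def:uid",
        "urn:mace:dir:attribute-def:mail",
        "urn:mace:dir:attribute-def:eduPersonAffiliation",
    },
}

# Hypothetical group provider: user id -> group identifiers.
GROUPS = {"jdoe": ["urn:collab:group:example:project-x"]}


def parse_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def hub_transform(attrs, sp_entity_id):
    """Filter attributes per the SP's policy, then enrich with group membership."""
    policy = RELEASE_POLICY.get(sp_entity_id)
    if policy is None:  # SP not registered at the hub: release nothing
        return {}
    out = {name: list(values) for name, values in attrs.items() if name in policy}
    uid = attrs.get("urn:mace:dir:attribute-def:uid", [None])[0]
    if GROUPS.get(uid):  # enrichment: groups come from the hub, not the IdP
        out["urn:mace:dir:attribute-def:isMemberOf"] = list(GROUPS[uid])
    return out
```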
SURFfederatie - functional view

(Diagram: Identity Providers (credentials) on one side and Service Providers (applications) on the other, each connected to the Central Federation Components of the SURFfederatie core through one of the supported protocols: A-Select Cross, Shibboleth, SAML 2.0 or WS-Fed/ADFS.)
Some numbers

- IdPs (79)
  - 36 SAML 2.0
  - 22 (30*) WS-Federation (ADFS) (* 8 proxied)
  - 13 A-Select
- SPs (55+)
  - Google apps, foodle, live@edu, CLARIN (7), several publishers, libraries, webshops, SURFconext, …
- ≈ 700k users
- (Technically) connected to eduGAIN
SURFconext - some background

- Goal of SURFnet is to enable collaboration
  - Across (institutional) borders
- Used to be done by the SURFgroepen service
  - Sharepoint
  - User-defined groups/spaces
- But:
  - Monolithic
  - No domestication (then)
  - Single (specific) service, no choice
  - No way to extend groups to other services (exception: AdobeConnect)
SURFconext

- Allow users from different institutions to work together using their own preferred combination of tools
  - Using groups across services
  - Using SURFfederatie (trust, identities, attributes)
SURFconext - platform features

- IdP and SP (SAML 2.0) proxy
- Group Relation Provider(s)
- IdP, SP and OAuth registry
- OpenSocial ‘Gadgets’ for GUI handling
- OpenSocial ‘Social Data’ API
- VO Registry / VO IdP
- Uses OSS components where possible
  - Apache Shindig – OpenSocial container
  - Apache Rave (incubator) – OpenSocial portal
  - Corto – IdP/SP proxy
  - Janus – (SP/IdP metadata) registry
- Is open source itself – http://www.openconext.org
SURFconext architecture
SURFconext - services

- Confluence
- Alfresco
- Liferay
- WebEx
- BigBlueButton
- Sympa
- Lobber
- …

https://wiki.surfnetlabs.nl/display/domestication/Overview
What’s missing/TBD?

- Group management across boundaries
  - NREN and/or VO-platform boundary
  - On the agenda of GN3-JRA3-T2
- Production-ready VO support
  - Group management in the context of a VO
  - virtualIDP for services supporting only a single IdP endpoint (Google apps etc.)
- Roles and rights
  - Roles in group management ≠ roles in services
- Service usage (licenses for guest users)
Questions?

- http://www.surffederatie.nl
- http://www.surfconext.nl
- http://www.openconext.org
Backup slides
OpenSocial - overview

(Diagram: apps, the virtual organization, consumers and the ‘Social Network’ in the OpenSocial model.)

SURFconext components and the open-source projects behind them:

- https://portal.surfconext.nl → Apache Rave (http://wiki.apache.org/incubator/RaveProposal)
- https://os.surfconext.nl → Apache Shindig (http://shindig.apache.org/)
- https://engine.surfconext.nl → Corto (http://code.google.com/p/corto/)
- https://serviceregistry.surfconext.nl → Janus (http://code.google.com/p/janus-ssp/)
- (SURFteams) https://www.surfteams.nl → Internet2 Grouper (http://www.internet2.edu/grouper/)
SURFconext & eduGAIN

(Diagram: SURFconext/Corto in the centre, connected to VOs, groups and services; on one side the SURFfederatie IdPs and SPs and a guest IdP, on the other eduGAIN with its own IdPs and SPs.)