SURFfederatie - edugain. Opt-in Metadata Management for a Hub & Spoke Federation

Transcription

1 SURFfederatie - edugain Opt-in Metadata Management for a Hub & Spoke Federation

2 Content - History of SURFfederatie - Federation models - Functional view - Consequences of hub & spoke - edugain - Future changes 1

3 Once upon a time

4 Federation models (communication/ login, not metadata) Business VS: SAML 1.x IDP SP - de-facto - NxN - Shared trust, pt2pt IDP IDP SP SP - Education VS/Europa IDP SP - 2xN - Central gateway (CFC) IDP SP - protocol translation - SURFfederatie IDP IDP CFC SP SP = CFC, IDP, SP 3

5 Functional view (Since August 2008) Identity Providers SURFfederatie CORE Service Providers A-Select Cross Credentials A-Select Cross Central Federation Components Shibboleth Applications SAML 2.0 SAML 2.0 WS-Fed / ADFS WS-Fed / ADFS 4

6 Metadata & proxying IDP1 SP1 A-1 B-1 IDP2 A-2 A-3 B-2 B-3 SP2 IDP3 SP3 SP1=A-1 {IDP1, IDP2} SP2=A-2 SP3=A-3 {all} IDP1=B-1 IDP2=B-2 IDP3=B-3 5

7 /-less operation IDP1 SP1 IDP2 IDP3 SP2 SP3 6

8 hub & spoke pros/cons Pros Cons - 1 connection for IDP/SP - Minimal overhead for IDPs - Centralized (technical) management - Specialist SN - Less needed for IDP/SP - Scales well at national level - Extra features easier to do - Web services - Group support - Procedures - release consent per SP - Key/cert/metadata changes - Lack of IDP - Double-edged sword - Scalability European level - Can only support common denominator 7

9 Importing edugain SPs SPz edugain IDP1 SP1 SPx=ddd IDP2 A-1 A-2 A-3 A-z B-1 B-2 B-3 SP2 SPy=eee SPz=fff IDP3 SP3 SP1=A-1 {IDP1, IDP2} IDP1=B-1 SP2=A-2 IDP2=B-2 SP3=A-3 {all} IDP3=B-3 SPz=A-z 8

10 Exporting IDPs edugain IDP1 SP1 SPx=ddd IDP2 A-1 A-2 A-3 A-z B-1 B-2 B-3 SP2 SPy=eee SPz=fff IDP3=B-3 IDP3 SP3 SP1=A-1 {IDP1, IDP2} IDP1=B-1 SP2=A-2 IDP2=B-2 SP3=A-3 {all} IDP3=B-3 SPz=A-z 9

11 Exporting SPs to edugain edugain IDP1 SP1 SPx=ddd IDP2 A-1 A-2 A-3 A-z B-1 B-2 B-3 SP2 SPy=eee SPz=fff SP3=SP3 IDP3 SP3 SP1=A-1 {IDP1, IDP2} IDP1=B-1 SP2=A-2 IDP2=B-2 SP3=A-3 {all} IDP3=B-3 IDPz SPz=A-z 10

12 SP auth list (optional) edugain IDP1 SP1 IDP2 IDP3 A-1 A-2 A-3 A-z B-1 B-2 B-3 SP2 SP3 SPx=ddd SPy=eee SPz=fff SP3=SP3 IDPx IDPy IDPz SP1=A-1 {IDP1, IDP2} SP2=A-2 SP3=A-3 {all} IDP1=B-1 IDP2=B-2 IDP3=B-3 Per SP auth list SP3: - IDP1 - IDP2 - IDPz IDPz SPz=A-z 11

13 SP auth list (optional) edugain IDP1 SP1 IDP2 IDP3 A-1 A-2 A-3 A-z B-1 B-2 B-3 SP2 SP3 SPx=ddd SPy=eee SPz=fff SP3=SP3 IDPx IDPy IDPz SP1=A-1 {IDP1, IDP2} SP2=A-2 SP3=A-3 {all} IDP1=B-1 IDP2=B-2 IDP3=B-3 Per SP auth list SP3: - IDP1 - IDP2 - IDPz IDPz SPz=A-z 12

14 Future plans - Integrate with SURFconext - Procedural/organisational - Technical (level of integration TBD) - Change of consent model - Opt-in à Opt-out - Addition of User Consent - Web Service support - Needed for (scientific) workflows - Rich client/beyond web SSO/mobile support - Rethink procedures/management 13

15 Remco Poortinga van Wijnen Presentation released under Creative Commons 14

16 15

17 Backup slides 16

18 URLs SP die wil meedoen moet SAML doen (want daarvoor zijn we geen proxy zoals normaal) 2 IDPS: SN & TERENA 1 SP: TERENA (MDS laat ook zien: TERENA IDP via gateway met URL encoded ipv SAML scoped (zoals ) -> niet iedereen implementeert dat, dus vanwege interop. Doen we het zo. Ook mogelijk om SP specifiek metadata te genereren (per SP uit onze fed) die niet zelf auth lijst willen bijhouden. Bevat SF IDPs + approved edugain IDPs 17 (C) 2011 SURFnet B.V.

19 Metadata Wij nu niet saml2int compliant. (behandelen attribs als format unspecified, moet uri zijn volgens spec) 18 (C) 2011 SURFnet B.V.