RedIRIS Identity Service

Size: px

Start display at page:

Download "RedIRIS Identity Service"

Ariel Sullivan
8 years ago
Views:

1 RedIRIS Identity Service latest news and developments Jaime Pérez Middleware Engineer FAM11 London, November 09 th 2011

2 Intro & numbers The research & education federation in Spain Hub & Spoke Supports multiple protocols SAML OpenID PAPI OAuth edugain STORK IdPs, 189 SPs More than 1M potential users

3 Growth Usage heavily raised last months due to services in the cloud: Google Apps

4 Problems The service became critical for our community If it stops working, users won t be able to work, read their So we need: A new, more scalable and reliable infrastructure A monitoring/diagnostics tool

5 Action #1 Monitor the infrastructure Based on nagios and JMeter software It consists of a nagios plugin and a JMeter test plan to run automated checks The key is to simulate the behavior of the user and his browser Must be completely independent of the underlying technology Remember. SIR federation is multi-protocol Users know nothing about technology, just make use of it!

6 Action #1 Monitor the infrastructure We deployed a brand new platform which gathered international recognition: TERENA TF-EMC 2 TERENA Networking Conference 11slew (Prague) A set of Open Source tools Many countries asked for the software to deploy the same platform: Denmark Portugal Greece Italy Australia

7 Action #1 Monitor the infrastructure Currently integrated within our Monitoring Service Users can manage the system and see the stats online:

8 Action #1 Monitor the infrastructure

9 Action #1 Monitor the infrastructure

10 Action #1 Monitor the infrastructure

11 Action #1 Monitor the infrastructure

12 Action #1 Monitor the infrastructure Monthly reports are sent by Administrators can manage and schedule downtimes Next steps: Find some solution suitable for IdPs making heavy use of JavaScript Start monitoring Service Providers

13 Action #2 New infrastructure We wanted something more scalable and reliable Moving from Perl to PHP based infrastructure Our central hub is based on our own protocol, PAPI: Simpler to manage Simpler to deploy Lightweight A completely new Discovery Service (WAYF), with support for mobile users A new module to ask for consent

14 Action #2 New infrastructure The new WAYF: process indications

15 Action #2 New infrastructure The new WAYF: multi-language

16 Action #2 New infrastructure The new WAYF: Service Provider identification

17 Action #2 New infrastructure The new WAYF: search by name, acronym

18 Action #2 New infrastructure The new WAYF: search by region

19 Action #2 New infrastructure The new WAYF: accessible/mobile versions

20 Action #2 New infrastructure The new WAYF: accessible/mobile versions

21 Action #2 New infrastructure The consent module: follow the process

22 Action #2 New infrastructure The consent module: multi-language

23 Action #2 New infrastructure The consent module: IdP & SP recognition

24 Action #2 New infrastructure The consent module: comprehensive attributes

25 Action #3 Collect better stats We are already collecting stats, but need something more flexible As we are migrating our infrastructure, we are also rationalizing how we collect statistics: Group by SPs Group by IdPs Relate both We have a web interface ready for us and the service administrators in our institutions Will include all SPs as soon as we finish the migration

26 Action #3 Collect better stats Web interface: group by SP

27 Action #3 Collect better stats Web interface: group by IdP

28 Action #3 Collect better stats Web interface: daily usage per IdP

29 Action #3 Collect better stats Web interface: daily accesses per IdP to an SP

30 Inter-federation STORK Aims to create an European eid interoperability platform It will enable secure access to online services between Member States It will be tested through 5 pilots: Pilot 3: student s mobility Online access to university services, using national eids for eidentification and esignature

31 Inter-federation STORK Extends SAML2 to request extra information, as: QAA level Requested attributes <stork:requestedattribute Name= NameFormat= urn:oasis:names:tc:saml:2.0:attrname-format:uri isrequired= true!!<saml:attributevalue>16</saml:attributevalue>! </ stork:requestedattribute>! New gateway in SIR, based on the STORK core library SIR performs on demand attribute mapping from STORK definitions to HE standards

32 Inter-federation

33 Inter-federation STORK 15 universities connected, 9 active Main use cases: Pre-enrollment of Erasmus students Authentication of Spanish citizens with a higher LoA Initial contacts established for STORK2 support Collaboration between edugain (GN3 Project) and STORK

34 Inter-federation edugain GÉANT academic inter-federation service Based on SAML2, federates federations Went into production in April 2011 Current uptake: SIR is an early adopter, but currently allowing only the RedIRIS Identity Provider Internal opt-in process for SIR IdPs is under validation: Entities must join SIR prior to joining edugain Becoming an edugain entity may require signing an additional inter-federation policy

35 Questions? Thanks for listening!

Licia Florio Project Development Officer licia@terena.org www.terena.org Identity Federations in Europe

APAN Conference Honolulu, Hawaii 24 January 2008 Licia Florio Project Development Officer licia@terena.org www.terena.org Identity Federations in Europe Outline Networking Organisations in Europe Requirements