SURFfederatie - edugain Opt-in Metadata Management for a Hub & Spoke Federation
Content
- History of SURFfederatie
- Federation models
- Functional view
- Consequences of hub & spoke
- edugain
- Future changes

Once upon a time
(Timeline slide: 1996, 2001, 2004, 2006, 2007, 2008)
Federation models (communication/login, not metadata)
- 1-1: business sector, US; SAML 1.x, de facto; IDP connected directly to SP
- NxN: shared trust, point-to-point; education sector, US/Europe; every IDP connected to every SP
- 2xN: central gateway (CFC) with protocol translation; SURFfederatie; IDPs - CFC - SPs
(Diagram legend: CFC, IDP, SP)
Functional view (since August 2008)
(Diagram: Identity Providers - SURFfederatie core - Service Providers. The Central Federation Components are A-Select Cross, Credentials, A-Select Cross and Shibboleth; on the SP side sit the Applications. Protocols on both sides: SAML 2.0 and WS-Fed / ADFS.)
Metadata & proxying
(Diagram: each SP is represented at the hub by an entity A-n and each IDP by an entity B-n; the set in braces is the IDPs offered to that SP.)
- SP1 = A-1 {IDP1, IDP2}
- SP2 = A-2
- SP3 = A-3 {all}
- IDP1 = B-1
- IDP2 = B-2
- IDP3 = B-3

/-less operation
(Diagram: IDP1, IDP2, IDP3 and SP1, SP2, SP3.)
hub & spoke pros/cons
Pros:
- 1 connection per IDP/SP
- Minimal overhead for IDPs
- Centralized (technical) management
- Specialist knowledge @ SN; less needed at IDP/SP
- Scales well at national level
- Extra features easier to do: web services, group support
Cons:
- Procedures: release consent per SP; key/cert/metadata changes
- Lack of knowledge @ IDP (double-edged sword)
- Scalability at European level
- Can only support the common denominator
Importing edugain SPs
(Diagram: edugain SPs SPx=ddd, SPy=eee, SPz=fff next to the home federation.)
- SP1 = A-1 {IDP1, IDP2}
- SP2 = A-2
- SP3 = A-3 {all}
- SPz = A-z (imported edugain SP, represented at the hub like a local SP)
- IDP1 = B-1
- IDP2 = B-2
- IDP3 = B-3
Exporting IDPs
(Diagram: edugain SPs SPx=ddd, SPy=eee, SPz=fff; IDP3=B-3 exported to edugain.)
- SP1 = A-1 {IDP1, IDP2}
- SP2 = A-2
- SP3 = A-3 {all}
- SPz = A-z
- IDP1 = B-1
- IDP2 = B-2
- IDP3 = B-3 (exported to edugain)
Exporting SPs to edugain
(Diagram: edugain SPs SPx=ddd, SPy=eee, SPz=fff and edugain IDPz; SP3=SP3 exported to edugain.)
- SP1 = A-1 {IDP1, IDP2}
- SP2 = A-2
- SP3 = A-3 {all}
- SP3 = SP3 (exported to edugain under its own identity)
- SPz = A-z
- IDP1 = B-1
- IDP2 = B-2
- IDP3 = B-3
SP auth list (optional)
(Diagram: edugain SPs SPx=ddd, SPy=eee, SPz=fff and edugain IDPs IDPx, IDPy, IDPz; SP3=SP3 exported to edugain.)
- SP1 = A-1 {IDP1, IDP2}
- SP2 = A-2
- SP3 = A-3 {all}
- SPz = A-z
- IDP1 = B-1
- IDP2 = B-2
- IDP3 = B-3
Per-SP auth list for SP3:
- IDP1
- IDP2
- IDPz
Future plans
- Integrate with SURFconext
  - Procedural/organisational
  - Technical (level of integration TBD)
- Change of consent model
  - Opt-in → Opt-out
  - Addition of user consent
- Web service support
  - Needed for (scientific) workflows
- Rich client / beyond web SSO / mobile support
- Rethink procedures/management
Remco Poortinga van Wijnen
remco.poortinga@surfnet.nl
federatie-beheer@surfnet.nl
www.surfnet.nl
Presentation released under Creative Commons http://creativecommons.org/licenses/by/3.0/
Backup slides 16
URLs
An SP that wants to participate must do SAML (because for this we are not acting as a proxy, as we normally do).
https://wayf.surfnet.nl/federate/surfnet/edugain
2 IDPs: SN & TERENA; 1 SP: TERENA. (The MDS also shows the TERENA IDP via the gateway with URL-encoded instead of SAML scoped (such as ) -> not everyone implements that, so for interop reasons we do it this way.)
It is also possible to generate SP-specific metadata (per SP from our federation) for SPs that do not want to maintain their own auth list. It contains the SF IDPs + the approved edugain IDPs.
(C) 2011 SURFnet B.V.
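The per-SP metadata generation described here and on the "Metadata & proxying" and "SP auth list" slides, as an added example in Python (not SURFfederatie code): the hub offers an SP only the home-federation IDPs plus the edugain IDPs that were explicitly approved (opt-in), narrowed further by the SP's optional auth list, and emits minimal SAML 2.0 metadata for exactly that set. Entity names, entityIDs, the "constructed" namespace and the auth-list contents are constructed from the slide labels and are assumptions.

```python
# Added example (not SURFfederatie code): opt-in, per-SP metadata generation at the hub.
# All entity names, entityIDs and auth-list contents are constructed from the slide labels.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

LOCAL_IDPS = {"IDP1", "IDP2", "IDP3"}            # SF IDPs (home federation)
EDUGAIN_IDPS = {"IDPx", "IDPy", "IDPz"}          # everything edugain publishes
APPROVED_EDUGAIN_IDPS = {"IDPz"}                 # opt-in: only IDPz has been approved
# Optional per-SP auth list; None means the SP gets every IDP the hub offers ({all}).
SP_AUTH_LIST = {
    "SP1": {"IDP1", "IDP2"},
    "SP2": None,                                  # constructed: no list, gets {all}
    "SP3": {"IDP1", "IDP2", "IDPz"},             # list from the "SP auth list" slide
}

def idps_for_sp(sp):
    """IDPs that appear in the metadata the hub generates for `sp`."""
    if sp not in SP_AUTH_LIST:
        return set()                              # unregistered SP: offer nothing
    offered = LOCAL_IDPS | APPROVED_EDUGAIN_IDPS  # un-approved edugain IDPs never appear
    allowed = SP_AUTH_LIST[sp]
    if allowed is None:
        return set(offered)
    return offered & allowed                      # an auth list can only narrow the set

def hub_allows(sp, idp):
    """The same decision, applied to a login request sp -> idp passing through the hub."""
    return idp in idps_for_sp(sp)

def sp_metadata(sp):
    """Minimal SAML 2.0 EntitiesDescriptor holding exactly the IDPs `sp` may use."""
    root = ET.Element(f"{{{MD_NS}}}EntitiesDescriptor", Name=f"urn:constructed:sf:{sp}")
    for idp in sorted(idps_for_sp(sp)):
        ed = ET.SubElement(root, f"{{{MD_NS}}}EntityDescriptor",
                           entityID=f"https://{idp.lower()}.example.org/idp")
        ET.SubElement(ed, f"{{{MD_NS}}}IDPSSODescriptor",
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    return ET.tostring(root, encoding="unicode")

def entity_ids(metadata_xml):
    """entityIDs contained in a generated EntitiesDescriptor (used to check the output)."""
    root = ET.fromstring(metadata_xml)
    return {e.get("entityID") for e in root.findall(f"{{{MD_NS}}}EntityDescriptor")}

if __name__ == "__main__":
    print(sp_metadata("SP3"))
```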
Metadata
https://aai-viewer.switch.ch/interfederation-test/test/
We are currently not saml2int compliant (we treat attributes as format unspecified; according to the spec it must be URI).