Scalability of trust and metadata exchange across federations

Presentation transcript:

Scalability of trust and metadata exchange across federations. Bob Hulsebosch, Mortaza Bargh, Hans Zandbelt (SURFnet). TNC2011, Prague.

Outline: Introduction (problem statement); Current solution; Proposed solution; Conclusions & recommendations. Subtitle: Addressing scalability of metadata exchange.

Introduction: cross-federative identity management. Diagram: Federation A and Federation B, each containing entities (IdPs and SPs) and a user. IdP: Identity Provider; SP: Service Provider.

Introduction: problem description. Scalability here means (mainly) the number of trust relationships and the metadata exchange process. A trust relationship requires the same collaboration framework and authentic metadata. Diagram: SAML data exchange between an SP and an IdP requires inter-entity trust; inter-entity trust partly requires metadata exchange (a signed XML metadata file); metadata exchange requires trust in the metadata, which is established through the federation(s) and in turn requires ?? (left open on the slide).

Introduction: example. Assume 20 federations, 150 IdPs per federation and 2000 SPs per federation. How many trust relationships are needed? 5,700,000 relationships (established by the entity or by the federation).

Current solution: centralized metadata aggregation (so-called "simple metadata aggregation"). Starting point: a central metadata aggregator pulls the metadata into one central metadata document, which makes metadata discovery easy. Examples: the eduGAIN prototype and the Kalmar confederation.

Federation model. Diagram: within federation A, the SP and IdP obtain trusted metadata from the federation's central metadata, which is produced by the MA. MA: metadata aggregator.

Current solution. Diagram: a central MA forms the core trust fabric; below it, each of federations A to F has its own MA, which aggregates the metadata of that federation's SPs and IdPs.

Proposed solution. Diagram: a meta-MA forms the core trust fabric; the MAs of federations A to F exchange metadata directly among themselves, each still aggregating its own federation's SPs and IdPs.

Proposed solution (flow diagram with steps 1, 2, 3, 4, 4', 5, 5' and 6, involving a WAYF). The meta-MA holds the public key and URL of MA-A, MA-B, and so on; each MA holds the public key and URL of the meta-MA. The MD describing MA-A (its public key and URL) is signed by the meta-MA. Within federation A the MD of the IdP is signed by MA-A; within federation B the MD of the IdP is signed by MA-B. The SP in one federation obtains the IdP's metadata from the other federation via its MA and the meta-MA-signed MA descriptors.
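The check an SP would run under this scheme (and that the Reflection slide calls the core versus local trust fabric), written here as an added example that is not part of the slides: the SP holds only the meta-MA's public key, verifies that the MA descriptor (name, URL, public key) carries the meta-MA's signature, then verifies the IdP metadata against the key carried in that descriptor. Ed25519 stands in for the XML signature the real scheme would use; the authority names, URLs, descriptor layout and entityID are constructed.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

type Signed struct{ Doc, Sig []byte } // a metadata document plus its issuer's signature
// Authority is a signing party: a federation MA or the meta-MA (constructed model).
type Authority struct {
	Name, URL string
	Pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
}

func NewAuthority(name, url string) *Authority {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authority{Name: name, URL: url, Pub: pub, priv: priv}
}
// Sign: an MA signs its entities' metadata; the meta-MA signs MA descriptors.
func (a *Authority) Sign(doc []byte) Signed { return Signed{doc, ed25519.Sign(a.priv, doc)} }
// Descriptor is the "pub key and URL of MA-A" record: name|url| then the raw key,
// so the key is always the trailing ed25519.PublicKeySize bytes (constructed layout).
func Descriptor(ma *Authority) []byte { return append([]byte(ma.Name+"|"+ma.URL+"|"), ma.Pub...) }

// VerifyChain is the SP's check: it trusts only the meta-MA key (core trust fabric) and accepts
// entity metadata only if the MA descriptor is meta-MA-signed and the metadata is signed by that MA's key.
func VerifyChain(metaMAPub ed25519.PublicKey, maDesc, entityMD Signed) error {
	if !ed25519.Verify(metaMAPub, maDesc.Doc, maDesc.Sig) {
		return errors.New("MA descriptor is not signed by the meta-MA")
	}
	if len(maDesc.Doc) < ed25519.PublicKeySize {
		return errors.New("malformed MA descriptor")
	}
	maPub := ed25519.PublicKey(maDesc.Doc[len(maDesc.Doc)-ed25519.PublicKeySize:])
	if !ed25519.Verify(maPub, entityMD.Doc, entityMD.Sig) {
		return errors.New("entity metadata is not signed by the endorsed MA")
	}
	return nil
}

func main() { // names and URLs are constructed placeholders
	metaMA, maA := NewAuthority("meta-MA", "https://meta-ma.example/md"), NewAuthority("MA-A", "https://ma-a.example/md")
	idpMD := maA.Sign([]byte(`<EntityDescriptor entityID="https://idp.fed-a.example"/>`))
	fmt.Println("valid chain:", VerifyChain(metaMA.Pub, metaMA.Sign(Descriptor(maA)), idpMD))
}
```

Because the SP pins only the meta-MA key, adding a new federation costs one meta-MA-signed descriptor rather than a new pairwise relationship per entity; a descriptor signed by anyone else, or metadata signed by an MA other than the one in the descriptor, is rejected.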

Reflection. Diagram (the chain of slide 4, extended): SAML data exchange between an SP and an IdP requires inter-entity trust; inter-entity trust partly requires metadata exchange via the MA; metadata exchange requires trust in the metadata, established through the federations (the local trust fabric, ≈5,700,000 relationships); trust in the metadata requires meta-metadata (e.g., public keys) from the MA, which in turn requires trust in that meta-metadata (e.g., in the public keys) (the core trust fabric, ≈20 relationships).

Reflection. Number of trust relationships: with a central entity (the meta-MA), ≈20 relationships. Metadata distribution process: between MAs, with no need for a central entity.

Conclusions/recommendations. Use local MAs for metadata exchange: more scalable. Use a meta-MA for trust establishment between MAs: lightweight, no single point of failure, fewer trust relations to manage. Implement and test the proposed architecture to gain insight into interoperability, protocols, scalability, and so on. Design a number of core services, e.g., a WAYF service, a self-registration service, a cross-federation group management service, and a join/departure notification service. Trustful metadata distribution for Virtual Collaborations: run a testbed to gain insight and experience regarding interoperability issues, required new functionality, scalability and performance indicators, strategies for metadata aggregation that optimize the costs of metadata update and metadata usage, etc. The testbed can be realized in a national setting (e.g., between SURFnet and Kennisnet) or an international setting (e.g., within eduGAIN).

Questions? Addressing scalability of metadata exchange.