UK fed 2.0: Redesigning your federation for the next 10 years


UK fed 2.0: Redesigning your federation for the next 10 years 16/09/2018 Dr Rhys Smith

UK federation 1.0 – 2004-present 16/09/2018 UK federation 2.0

Where we are today: quick history of UK fed
- Development federation in 2004
- Production federation since 2006
- A Jisc service, most operations out-sourced to EDINA (Edinburgh University)
- Free for our core R&E customers, chargeable for others

Boring stats (as of 9th June 2016)
- 1049 members: HE / FE / schools / health / local gov / commercial
- 1928 entities: 748 IdPs, 1182 SPs
- 50-50 in-sourced vs out-sourced deployment model
- eduGAIN imported entities make up 48% of the UK federation

UK federation services to members
- Entity management – email
- Free tech support – email
- Central Discovery Service
- WAYFless URL Generator (Wugen)
- Test IdP / SP
- Mailing lists
- Usage stats via Raptor

Federation management
- Manual management of SAML MD by service desk staff
- SVN backend, edited in Eclipse
- Shib MDA checking all SAML MD
- Shib MDA creating aggregates
- Manual signing via private key (held on a secure smartcard)

So why are we changing?
- Existing systems have served us nicely for 10 years
- But the world is changing around us

Drivers for change

Our sector is changing
- UK HE & FE pretty well covered, but…
- Funding models changing
- Increased adoption of managed services
- Lower barriers to adoption, respond to trend for out-sourcing
- Partially in R&E, but especially for other sectors

Connecting across sectors
- R&E sector pretty well served
- But other sectors/communities not so much
- Impedes our sector's collaboration opportunities
- Direct costs through workarounds, indirect through lost opportunity
- R&E sector increasing diversity of provision, sector boundaries blurring, growth of PPP, drive to cloud/hybrid… are just going to make this worse!

Other public sector
- Just started a pilot with UK public libraries
- Connect UK federation registered SAML IdPs to Library Management Systems (LMS)
- All library patrons would be able to authenticate to e-resources bought by the library using their library card credentials
- 51% of the UK population (64.1M) have a library card
- Pilot is until March 2017, 31 libraries involved
- Working with Cabinet Office, exploring connections between citizen space SAML (gov.uk Verify) and UK fed

And beyond…
- Legal sector
- Pharmaceuticals
- Engineering
- Etc.

Also some technical drivers
- SAML Metadata doesn't scale: aggregates getting stupidly big
- Three infrastructures that do the same thing: UKf, eduroam, Assent
- Limitations in flexibility for indication of policy compliance: ECs (entity categories), etc., all good in theory, but in practice ends up with the LCD (lowest common denominator)

Our response: UK fed 2.0

Aims and objectives
- Streamline and automate processes where possible
- Save staff effort
- Provide self-service to customers
- Increase flexibility for Jisc
- Integrate with our managed services agenda
- Keep or increase existing levels of service and security

Developing a managed services capability
- Ultimate goal – a single product that:
  - Connects to home LDAP via OpenVPN tunnel
  - Has a web UI for managing
  - And is capable of acting as: SAML IdP (Shib IdP v3 based); FreeRADIUS eduroam IdP; FreeRADIUS Jisc Assent/Moonshot IdP; URL rewriting web proxy
- Initially SAML, other features to be added next

Automating federation management
- New APIs for managing metadata: Member management API; Entity management API; Approvals API
- Built on top of Shibboleth MDA (all open sourced)
- Level 3 RESTful API

Using the API
- The modified Shib MDA behind it manages API keys per organisation
- UI built into the Jisc community site uses the API: custom stuff, plus modified saml-metadata-editor from PEER
- Can give 3rd parties direct access for bigger out-sourced providers
- Also can be used by our managed services: spin up a managed IdP for a customer, and it registers itself onto the federation(s) automatically

Behind the API: Git repositories
- Member repository: XML file representing all members & related information
- Entity repository: raw SAML MD files per entity
- Three branches: Master; Immediate (for emergency changes); Deferred (for scheduled changes)
- Tags for every aggregation & publication event

Moving to a more online-signing model
- Putting existing private keys onto an HSM
- Scheduled (once daily) publishing of MD
- Customer can (in the UI) request an emergency change, and trigger immediate signing and publishing – for their change only

Deploying the infrastructure
- Building initially on Azure
- Manually built HSM and signing components in a secure Jisc data centre

The more things change, the more they remain the same

Superb service desk support
- UI for self-management is only an option!
- Configuring SAML MD can be tricky; many customers will still want help, especially with trickier operations such as certificate rollover
- Can still interact with the helpdesk, who can make changes on behalf of a customer

VCS behind the scenes
- Much more flexible than a DBMS backend, e.g. can test new things by editing XML by hand; the UI doesn't have to know about them
- Smaller chance of breaking MD: not converting XML to tuples in a DB and back again
- Full history of all changes, rollback, auditing, etc.

Excellent tooling: the Shibboleth MDA
- Although somewhat daunting to people unfamiliar with Spring
- Very flexible, reliable, and capable piece of software

UK fed 2.1 – the future

Automating federation infrastructure
- 6/9 months' time (when we have a VM platform)
- Spin up your own federation with one click: Repo, API, Aggregator, MD Dist / CDS / Test IdP & SP / WUGEN / Backend management
- Allows us to set up test instances of our own federation
- Create new federations for new sectors in the UK
- FaaS for existing federations?

Infrastructure evolution
- Aggregate sizes: MDQ will be deployed Q3/Q4 2016, customers suggested to switch; our managed services will use it from day 1; possibly a new signing key
- Infrastructure duplicity (ongoing): move towards Trust Router as core technology to underpin all three services; this also greatly increases flexibility of community-specific policy requirements operating on a single, flexible infrastructure
- MDQ & TR (2018?): Moonshot validation of MDQ metadata, instead of simple keying; distributed model instead of centralised; use TR Community ideas
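To make the per-entity layout of the entity repository ("raw SAML MD files per entity", above) and the planned MDQ lookups concrete, here is an added example in Python; it is not Jisc or UK federation code. The two-entity aggregate is constructed, and https://mdq.example.org is an assumed placeholder endpoint, not a real federation service.

```python
"""Per-entity SAML metadata files and MDQ lookups. Added example, not Jisc or
UK federation code; the aggregate is constructed and the MDQ base URL assumed."""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)
MDQ_BASE = "https://mdq.example.org"  # assumption, not a real federation endpoint

# Constructed two-entity aggregate (unsigned, no certificates) for the demo.
AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:federation" validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def split_aggregate(xml_text):
    """Return {entityID: serialised EntityDescriptor}: one document per entity,
    the shape of a 'raw SAML MD files per entity' repository."""
    root = ET.fromstring(xml_text)
    return {ed.get("entityID"): ET.tostring(ed, encoding="utf-8")
            for ed in root.findall(f"{{{MD_NS}}}EntityDescriptor")}

def entity_roles(entity_xml):
    """Report which SAML roles a per-entity document carries (IdP, SP or both)."""
    ed = ET.fromstring(entity_xml)
    roles = [r for r, tag in (("IdP", "IDPSSODescriptor"), ("SP", "SPSSODescriptor"))
             if ed.find(f"{{{MD_NS}}}{tag}") is not None]
    return "+".join(roles) or "none"

def mdq_identifier(entity_id):
    """MDQ '{sha1}' transformed identifier: lowercase hex SHA-1 of the UTF-8 entityID."""
    return "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()

def mdq_url(entity_id, base=MDQ_BASE):
    """Per-entity MDQ request URL; the braces in the identifier are percent-encoded."""
    return f"{base}/entities/{quote(mdq_identifier(entity_id), safe='')}"
```

An SP that switches from the aggregate to MDQ fetches only the one document it needs, which is what keeps aggregate size out of the consumer's path; the signature on that per-entity response still has to be verified against the federation's signing key.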

New kids on the block
- Our customers will want flexibility, especially for the mobile world
- Will demand OAuth/OIDC, or even plain JWT
- We see these as complementary
- Will probably offer some central protocol translation, e.g. a JWT/SAML or OAuth/SAML gateway, possibly 2017

A shared world

Standardise tooling
- Why are so many of us using different toolsets doing essentially the same thing?
- Concentrate on just a couple of backend tools, e.g. metadata management and aggregation
- Stop developing more! We as a community can't sustainably manage more than that

Share the infrastructure
- Why do we all need to run separate infra doing essentially the same thing?
- Federation operators (generally) do not provide value by the toolsets they use, but by the relationships they have with their existing sector
- A move towards managed federation services (for both large and small federations) would: reduce costs and effort for all; help with (some) interop issues

Share the support
- Why do some of us run separate support infrastructure doing essentially the same thing?
- A move towards shared support desks would give interesting opportunities: 24x7, follow-the-sun support? World class expertise; smaller federations could offer better support

Share the support (continued)
- Challenges: language; software range; funding; etc.
- Should someone like GÉANT lead on organising?

Come find me afterwards and tell me why I'm wrong (or right!)

Rhys Smith, Chief Technical Architect, Trust & Identity – rhys.smith@jisc.ac.uk