SURFfederatie - eduGAIN Opt-in Metadata Management for a Hub & Spoke Federation

SURFnet - We make innovation work1 Content -History of SURFfederatie -Federation models -Functional view -Consequences of hub & spoke -eduGAIN -Future changes

Once upon a time… SURFnet - We make innovation work2 Student Chipcard: authentication A-Select: intra-organisational web-SSO DigiD: government eID based on A-Select Federative AAI, A-Select (open source) FIdM service (gateway) in production Elsevier, EBSCO, Google Apps

Federation models (communication/login, not metadata) SURFnet - We make innovation work Business VS: SAML 1.x -de-facto -NxN -Shared trust, pt2pt -Education VS/Europa -2xN -Central gateway (CFC) -protocol translation -SURFfederatie = CFC, IDP, SP IDPSP IDPSP IDPSP IDPSP IDPSP IDPSP IDPSP CFC

Functional view (Since August 2008) SURFnet - We make innovation work4 Central Federation Components A-Select Cross Shibboleth SAML 2.0 WS-Fed / ADFS SAML 2.0 WS-Fed / ADFS Identity Providers Service Providers SURFfederatie CORE Applications Credential s

Metadata & proxying SURFnet - We make innovation work5 IDP 1 IDP 2 IDP 3 SP1SP1 SP1SP1 SP2SP2 SP2SP2 SP3SP3 SP3SP3 WAYF A-1 A-2 A-3 A-1 A-2 A-3 B-1 B-2 B-3 B-1 B-2 B-3 IDP1=B-1 IDP2=B-2 IDP3=B-3 IDP1=B-1 IDP2=B-2 IDP3=B-3 SP1=A-1 {IDP1, IDP2} SP2=A-2 {IDP2, IDP3} SP3=A-3 {all} SP1=A-1 {IDP1, IDP2} SP2=A-2 {IDP2, IDP3} SP3=A-3 {all}

WAYF/WAYF-less operation SURFnet - We make innovation work6 IDP 1 IDP 2 IDP 3 SP1SP1 SP1SP1 SP2SP2 SP2SP2 SP3SP3 SP3SP3 WAYF

hub & spoke pros/cons Pros -1 connection for IDP/SP -Minimal overhead for IDPs -Centralized (technical) management -Specialist SN -Less needed for IDP/SP -Scales well at national level -Extra features easier to do -Web services -Group support SURFnet - We make innovation work7 Cons -Procedures -release consent per SP -Key/cert/metadata changes -Lack of IDP -Double-edged sword… -Scalability European level -Can only support common denominator

Importing eduGAIN SPs SURFnet - We make innovation work8 IDP 1 IDP 2 IDP 3 SP1SP1 SP1SP1 SP2SP2 SP2SP2 SP3SP3 SP3SP3 WAYF IDP1=B-1 IDP2=B-2 IDP3=B-3 IDP1=B-1 IDP2=B-2 IDP3=B-3 SP1=A-1 {IDP1, IDP2} SP2=A-2 {IDP2, IDP3} SP3=A-3 {all} SPz=A-z {IDP2, IDP3} SP1=A-1 {IDP1, IDP2} SP2=A-2 {IDP2, IDP3} SP3=A-3 {all} SPz=A-z {IDP2, IDP3} SPx=ddd SPy=eee SPz=fff SPx=ddd SPy=eee SPz=fff eduGAIN SPzSPz SPzSPz A-1 A-2 A-3 A-z A-1 A-2 A-3 A-z B-1 B-2 B-3 B-1 B-2 B-3

Exporting IDPs SURFnet - We make innovation work9 IDP 1 IDP 2 IDP 3 SP1SP1 SP1SP1 SP2SP2 SP2SP2 SP3SP3 SP3SP3 WAYF IDP1=B-1 IDP2=B-2 IDP3=B-3 IDP1=B-1 IDP2=B-2 IDP3=B-3 SP1=A-1 {IDP1, IDP2} SP2=A-2 {IDP2, IDP3} SP3=A-3 {all} SPz=A-z {IDP2, IDP3} SP1=A-1 {IDP1, IDP2} SP2=A-2 {IDP2, IDP3} SP3=A-3 {all} SPz=A-z {IDP2, IDP3} SPx=ddd SPy=eee SPz=fff IDP3=B-3 SPx=ddd SPy=eee SPz=fff IDP3=B-3 eduGAIN A-1 A-2 A-3 A-z A-1 A-2 A-3 A-z B-1 B-2 B-3 B-1 B-2 B-3

Exporting SPs to eduGAIN SURFnet - We make innovation work10 IDP 1 IDP 2 IDP 3 SP1SP1 SP1SP1 SP2SP2 SP2SP2 SP3SP3 SP3SP3 WAYF IDP1=B-1 IDP2=B-2 IDP3=B-3 IDP1=B-1 IDP2=B-2 IDP3=B-3 SP1=A-1 {IDP1, IDP2} SP2=A-2 {IDP2, IDP3} SP3=A-3 {all} SPz=A-z {IDP2, IDP3} SP1=A-1 {IDP1, IDP2} SP2=A-2 {IDP2, IDP3} SP3=A-3 {all} SPz=A-z {IDP2, IDP3} SPx=ddd SPy=eee SPz=fff SP3=SP3 SPx=ddd SPy=eee SPz=fff SP3=SP3 eduGAIN A-1 A-2 A-3 A-z A-1 A-2 A-3 A-z B-1 B-2 B-3 B-1 B-2 B-3 IDP z

SP auth list (optional) SURFnet - We make innovation work11 IDP 1 IDP 2 IDP 3 SP1SP1 SP1SP1 SP2SP2 SP2SP2 SP3SP3 SP3SP3 WAYF IDP1=B-1 IDP2=B-2 IDP3=B-3 IDP1=B-1 IDP2=B-2 IDP3=B-3 SP1=A-1 {IDP1, IDP2} SP2=A-2 {IDP2, IDP3} SP3=A-3 {all} SPz=A-z {IDP2, IDP3} SP1=A-1 {IDP1, IDP2} SP2=A-2 {IDP2, IDP3} SP3=A-3 {all} SPz=A-z {IDP2, IDP3} SPx=ddd SPy=eee SPz=fff SP3=SP3 IDPx IDPy IDPz SPx=ddd SPy=eee SPz=fff SP3=SP3 IDPx IDPy IDPz eduGAIN A-1 A-2 A-3 A-z A-1 A-2 A-3 A-z B-1 B-2 B-3 B-1 B-2 B-3 IDP z Per SP auth list SP3: - IDP1 - IDP2 - IDPz Per SP auth list SP3: - IDP1 - IDP2 - IDPz

SP auth list (optional) SURFnet - We make innovation work12 IDP 1 IDP 2 IDP 3 SP1SP1 SP1SP1 SP2SP2 SP2SP2 SP3SP3 SP3SP3 WAYF IDP1=B-1 IDP2=B-2 IDP3=B-3 IDP1=B-1 IDP2=B-2 IDP3=B-3 SP1=A-1 {IDP1, IDP2} SP2=A-2 {IDP2, IDP3} SP3=A-3 {all} SPz=A-z {IDP2, IDP3} SP1=A-1 {IDP1, IDP2} SP2=A-2 {IDP2, IDP3} SP3=A-3 {all} SPz=A-z {IDP2, IDP3} SPx=ddd SPy=eee SPz=fff SP3=SP3 IDPx IDPy IDPz SPx=ddd SPy=eee SPz=fff SP3=SP3 IDPx IDPy IDPz eduGAIN A-1 A-2 A-3 A-z A-1 A-2 A-3 A-z B-1 B-2 B-3 B-1 B-2 B-3 IDP z Per SP auth list SP3: - IDP1 - IDP2 - IDPz Per SP auth list SP3: - IDP1 - IDP2 - IDPz

Future plans -Integrate with SURFconext -Procedural/organisational -Technical (level of integration TBD) -Change of consent model -Opt-in  Opt-out -Addition of User Consent -Web Service support -Needed for (scientific) workflows -Rich client/beyond web SSO/mobile support -Rethink procedures/management SURFnet - We make innovation work13

SURFnet - We make innovation work14 Remco Poortinga – van Wijnen Presentation released under Creative Commons

SURFnet - We make innovation work15

Backup slides SURFnet - We make innovation work16

(C) 2011 SURFnet B.V.17 URLs SP die wil meedoen moet SAML doen (want daarvoor zijn we geen proxy zoals normaal) ain 2 IDPS: SN & TERENA 1 SP: TERENA (MDS laat ook zien: TERENA IDP via gateway met URL encoded ipv SAML scoped (zoals WAYF) -> niet iedereen implementeert dat, dus vanwege interop. Doen we het zo. Ook mogelijk om SP specifiek metadata te genereren (per SP uit onze fed) die niet zelf auth lijst willen bijhouden. Bevat SF IDPs + ‘approved’ eduGAIN IDPs

(C) 2011 SURFnet B.V.18 Metadata test/test/ Wij nu niet saml2int compliant. (behandelen attribs als ‘format unspecified’, moet ‘uri’ zijn volgens spec)