Diego R. Lopez, RedIRIS JRES2005, Marseille On eduGAIN and the Coming GÉANT Middleware Infrastructure

NRENs & Grids. Barcelona, September 2009 Across the Stack The Network The Application The Middleware Bottom layer of the application  Service location and discovery  {Con-, inter-}federation  Reputation  Logging and diagnostics Top layer of the network  Mobility  Network access  QoS  Measurement

NRENs & Grids. Barcelona, September 2009 eduGAIN in a Nutshell Based on the national identity federations, operated by NRENs  And a community-operated one: EFDA-Fed eduGAIN is a confederation infrastructure  Federates federations SAML 1.1 (and soon SAML 2.0) is the lingua franca Specific software developed  eduGAIN base libraries (Java)  simpleSAMLphp (PHP)  eduGAINFilter (javax.servlet.filter) Direct use of Shibboleth 2.0 possible (with a few restrictions)

NRENs & Grids. Barcelona, September 2009 eduGAIN Elements The Metadata Service – MDS  Updated by authorised components  Tagged according to user communities  Queried by user interfaces or autonomous services PKI and registry  Multi-rooted  Includes component identifiers AM/CC (Attribute Mapping / Credential Conversion)  Adapt syntax and semantics Bridging Elements - BE  Adapt protocols  Not required if eduGAIN profiles are natively supported  Hybrid model of integration

NRENs & Grids. Barcelona, September 2009 Fully Bridged eduGAIN

NRENs & Grids. Barcelona, September 2009 P2P eduGAIN

NRENs & Grids. Barcelona, September 2009 Hybrid eduGAIN

NRENs & Grids. Barcelona, September 2009 eduGAIN Profiles WebSSO  Shib 1.3 for SAML 1.1  SAML2 (except artifact-based) for SAML 2.0  Going into production service in GÉANT3 AC  Certificates plus optional attribute access UbC  Convey user credentials introduced at the client WE  Constrained delegation DAMe

NRENs & Grids. Barcelona, September 2009 The WebSSO Profile

NRENs & Grids. Barcelona, September 2009 The AC Profile

NRENs & Grids. Barcelona, September 2009 The UbC Profile

NRENs & Grids. Barcelona, September 2009 The WE Profile

NRENs & Grids. Barcelona, September 2009 Core Services in GN[\d] GN2 saw the first attempt to offer these core services as part of a multi-domain network infrastructure  Not perfect, but many lessons learned  Actual services and working examples  Taking advantage of previous collaborative initiatives GN3 is continuing this trail  Enhancing those already deployed or piloted  Addressing more core services  Providing dynamic integration and invocation  Considering SLAs as part of the process  Better development and deployment cycles A service integration model: the multi-domain ESB

NRENs & Grids. Barcelona, September 2009 A framework to define, discover, access, and combine network services  From the infrastructure up to application elements  Federated, multi-domain ESB  Able to integrate any service within the GÉANT infrastructure  Flexible negotiation of service provision capabilities Addressed to  NREN staff  e-Science service providers  and users!! Collaborative architecture  Open to collaboration beyond the academic community  Prosumer-oriented Plug-and-play plus Plug-and-be-played The GEMBus Promise

NRENs & Grids. Barcelona, September 2009 α-interfaces  Directly usable by applications β-interfaces  Govern systems and resources γ-interfaces  Abstract access to resources δ-interfaces  Actual control over the resources Source: MANA Position Paper, 2009 Service Interfaces

NRENs & Grids. Barcelona, September 2009 GEMBus will provide a set of α-interfaces  Plus the corresponding orchestration systems Specify how β-interfaces have to be published and registered  From individual GÉANT (and external) services γ-interfaces for core services  Those required for direct integration support  Usable by individual services Source: MANA Position Paper, 2009 What Service Interfaces

NRENs & Grids. Barcelona, September 2009 A Couple of Archetypal Use Cases An institution willing to distribute an arts performance subject to IPR to a variable number of sites needs to:  Create a multicast group  Generate keys for controlling access to the group  Distribute keys to participant sites according to their attributes and the institution authorization policy  Monitor the usage and performance of the distribution at several points of the network A research team defining a workflow to gather and publish a data flow originated by a singular instrument through a federated repository needs to:  Make informed real-time decisions on the route to be used for storing the data  Enforce certain properties in the selected links  Provide the data processors with appropriate credentials to access data stores  Obtain general, location-independent pointers, to the final data

NRENs & Grids. Barcelona, September 2009 Building by Composition Service Components  AutoBAHN DM  perfSONAR MA  eduGAIN AuthN  Composite Services  e-science workflow  A&H performance  eduGAINized repositories  … Service Frameworks  Other NRENs  Governmental  Commercial  … AutoBAHN eduG AIN Grid GÉBusCLARINAPANI2ESNetIPSphereOGSATelcosCanarie Interface descriptions Compositional procedures and orchestration Standard interfaces and support for policy agreements