1
Federation peering à la European: The eduGAIN way
Diego R. Lopez - RedIRIS
2
As Federations Grow: The risk of dying of success
Do we really need to go on selling the federated idea?
  Different communities, different needs
  Not even talking about international collaboration
Different (but mostly alike) solutions
  Grids and libraries as current examples
  And many to come: Governments, professional associations, commercial operators,…
Don’t hold your breath waiting for the Real And Only Global Federation
3
Confederations: Federate Federations
Same federating principles applied to federations themselves
  Own policies and technologies are locally applied
  Independent management
  Identity and authentication-authorization must be properly handled by the participating federations
Commonly agreed policy
  Linking individual federation policies
  Coarser than them
Trust fabric entangling participants
  Without affecting each federation’s fabric
  E2E trust must be dynamically built
4
First Steps
Simplifying user collaboration across whatever border is an excellent selling argument
  Making the whole promise of the VO idea
  eduroam’s fast worldwide success is a clear example
Lingua franca
  Syntax: SAML profiles
    Converging to 2.0
  Semantics: eduPerson, SCHAC
Trust fabric
  Public key technologies (if not infrastructures)
  Component identifiers and registries
  Metadata repositories
5
Policy and Legal Matters
The PMA model has proven extremely useful
  Consensual set of guidelines
  Peer-reviewed accreditation
Legal matters: Hic sunt leones
  For techies like us
  Privacy
  Liability
  More or less manageable in the case of (national) federations
6
The AAI Goal in GÉANT2
To build an interoperable authentication and authorisation infrastructure that will be used all over Europe, enabling seamless sharing of e-science resources
We started from
  Scattered AAI implementations in the EU and abroad
    And growing
  The basic idea of federating them, preserving hard-won achievements
7
Applying Confederation Concepts
An eduGAIN confederation is a loosely-coupled set of cooperating identity federations
  That handle identity management, authentication and authorization using their own policies
Trust between any two participants in different federations is dynamically established
  Members of a participant federation do not know in advance about members in the other federations
Syntax and semantics are adapted to a common language
  Through an abstract service definition
8
The eduGAIN Components
Bridging Elements (BE)
  Interconnection points
  Federation-wide (LFA) or distributed (LA)
Federation Peering Point (FPP)
  Able to announce BE metadata
The Metadata Service (MDS)
  Publishing interface (to FPPs)
  Querying interface (to BEs)
9
Connect. Communicate. Collaborate
The eduGAIN Model
[Diagram: components MDS, R-FPP, H-FPP, R-BE, H-BE, Resource(s) and Id Repository(ies); labelled exchanges are Metadata Publish (from the FPPs to the MDS), Metadata Query (from the BEs to the MDS) and AA Interaction between the BEs and the components they front]
10
An Adaptable Model: From centralized structures...
[Diagram: a single MDS, two FPPs and two BEs, with many IdPs and SPs grouped behind each BE]
11
An Adaptable Model: ...to fully E2E ones...
[Diagram: a single MDS and a dedicated BE attached to every individual IdP and SP]
12
An Adaptable Model: ...including any mix of them
[Diagram: a single MDS with FPPs, shared BEs and per-component BEs (IdP BE, SP BE) combined in one picture]
13
The (X.509) Trust Fabric
Validation procedures include
  Normal certificate validation
    Trust path evaluation, signatures, revocation,…
  Peer identification
    Certificates hold the component identifier
    It must match the appropriate metadata
Applicable to TLS connections between components
  Two-way validation is mandatory
Verification of signed XML assertions
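The peer identification step above, written out as an added example (not eduGAIN's own code): after normal X.509 path validation, the component identifier carried in the peer certificate has to equal the entityID of the metadata held for that component, and every endpoint in that metadata must be a TLS one. The metadata sample is constructed; the URN layout and the assumption that the identifier travels as a URI subjectAltName are mine, not taken from the slides.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample EntityDescriptor, as the MDS would return it for one BE.
# The URN layout below is an assumption, not eduGAIN's actual registry scheme.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:geant2:examplefed:be:responder">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://be.examplefed.example/edugain/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_entity(xml_text):
    """Return (entityID, [endpoint Locations]) from a SAML 2.0 EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != MD_NS + "EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    locations = [el.get("Location") for el in root.iter() if el.get("Location")]
    return root.get("entityID"), locations


def peer_is_authentic(cert_identifiers, expected_entity_id, xml_text):
    """Peer identification, run only after normal certificate validation
    (trust path, signatures, revocation) has already succeeded.

    cert_identifiers: URI subjectAltNames read from the validated peer cert;
    that this is where the component identifier lives is an assumption.
    Every check is fail-closed: any mismatch rejects the peer."""
    entity_id, locations = parse_entity(xml_text)
    # 1. The metadata we hold must describe the component we meant to reach.
    if entity_id != expected_entity_id:
        return False
    # 2. The certificate must assert exactly that component identifier.
    if entity_id not in cert_identifiers:
        return False
    # 3. Every endpoint must be reachable over TLS only (two-way validated).
    return all(urlsplit(loc).scheme == "https" for loc in locations)
```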
14
Component Identifiers
eduGAIN operations strongly depend on having unique, structured and well-defined component identifiers
  Based on URNs delegated by the eduGAIN registry to the participating federation
  Identifiers establish the kind of component they apply to by means of normalized prefixes
  Identifiers follow the hierarchy of the trust establishing process
15
A General Model for eduGAIN Interactions
[Diagram: a Requester (urn:geant2:...:requester) in front of a Resource and a Responder (urn:geant2:...:responder) in front of an Id Repository, both talking to the MDS and to each other over TLS channel(s); the labelled messages are:]
  Metadata lookup at the MDS: ?cid=someURN
  MDS answer: <EntityDescriptor . . . entityID="urn:geant2:..:responder"> . . . <SingleSignOnService . . . Location=" />
  <samlp:Request . . . RequestID="e70c3e9e6…" IssueInstant=" …"> . . . </samlp:Request>
  <samlp:Response . . . ResponseID="092e50a08…" InResponseTo="e70c3e9e…"> . . . </samlp:Response>
16
Operation Mapping
Maps the abstract service definition into actual protocols
  Current version is based on SAML 1.1
    Profiling the standard to fit abstract parameters
  A SAML 2.0 implementation will be available along the lifetime of the project
    The abstract service specification protects components and applications from these changes
Authentication assertions and attribute exchange mechanisms are designed to be Shibboleth 1.3 compatible
  And Shibboleth 2 in the future
17
Metadata Service
Based on REST interfaces transporting SAML 2.0 metadata
  Usable by non-eduGAIN components
Metadata are published through POST operations
Metadata are retrieved through GET operations
URLs are built as MDSBaseURL/FederationID/entityID?queryString
  Using component names
The query string transports data intended to locate the appropriate home BE (Home Locators)
  Hints provided by the user
  Contents of certificate extensions (SubjectInformationAccess)
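An added example (not eduGAIN's code) tying the Component Identifiers slide to the MDS URL scheme: it checks that an identifier sits under the delegated URN space with a normalised kind prefix, derives the FederationID from it, and builds the MDSBaseURL/FederationID/entityID?queryString form with the entityID percent-encoded so a crafted identifier cannot rewrite the path. The URN grammar, the kind prefixes and the base URL are assumptions.

```python
from urllib.parse import quote, urlencode

# Assumed URN layout: urn:geant2:<FederationID>:<component kind>:<name>.
# The slides only say identifiers are URNs delegated per federation with
# normalised kind prefixes; this exact grammar is an assumption.
URN_ROOT = "urn:geant2"
COMPONENT_KINDS = {"be", "fpp", "mds"}   # assumed normalised prefixes


def parse_component_id(cid):
    """Split an eduGAIN-style component identifier into
    (FederationID, kind, name), rejecting anything outside the
    delegated URN space or with an unknown kind prefix."""
    parts = cid.split(":")
    if len(parts) != 5 or ":".join(parts[:2]) != URN_ROOT:
        raise ValueError("identifier not under %s: %r" % (URN_ROOT, cid))
    _, _, federation, kind, name = parts
    if kind not in COMPONENT_KINDS or not federation or not name:
        raise ValueError("malformed component identifier: %r" % cid)
    return federation, kind, name


def mds_url(base_url, cid, home_locators=None):
    """Build MDSBaseURL/FederationID/entityID?queryString (POST publishes,
    GET retrieves). Path segments are percent-encoded with no safe
    characters, so ':' or '/' inside a URN stay inside their segment;
    home locator hints (user hint, SubjectInformationAccess contents)
    go in the query string as key=value pairs."""
    federation, _, _ = parse_component_id(cid)
    url = "%s/%s/%s" % (base_url.rstrip("/"),
                        quote(federation, safe=""), quote(cid, safe=""))
    if home_locators:
        url += "?" + urlencode(sorted(home_locators.items()))
    return url
```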
18
A Layered Model for Implementation
[Diagram: implementation layers, top to bottom]
  Component logic
  eduGAINBase Profile Access
  eduGAINBase + eduGAINVal + eduGAINMeta
  SAML toolkit (OpenSAML)
  SOAP/TLS/XMLSig libraries
19
eduGAIN Profiles
Oriented to
  Enable direct federation interaction
  Enable services in a confederated environment
Four profiles discussed so far
  WebSSO (Shibboleth browser/POST)
  AC (automated client: no human interaction)
  UbC (user behind non-Web client: use of SASL-CA)
  WE (WebSSO enhanced client: delegation)
Others envisaged
  Extended Web SSO (allowing the sending of POST data)
  eduGAIN usage from roaming clients (DAMe)
Based on SAML 1.1
  Mapping to SAML 2.0 profiles along the transition period
20
The AC Profile
21
The UbC Profile
22
The WE Profile
23
The WebSSO Profile
24
The European Way
(Too) many governments, languages, national priorities/laws/prides/…
  A little of weakness, a little of strength
The will for convergence
  Without imposing dramatic inner changes
  Adopt whatever is worth from overseas
    With a scent of style and history
(Humble) model for the rest of the world
  We are a little world in itself