Slide 1: UK fed 2.0: Redesigning your federation for the next 10 years
16/09/2018 Dr Rhys Smith
Slide 2: UK federation 1.0 (2004 to present)
16/09/2018 UK federation 2.0
Slide 3: Where we are today
- Quick history of UK fed
- Development federation in 2004
- Production federation since 2006
- A Jisc service, most operations out-sourced to EDINA (Edinburgh University)
- Free for our core R&E customers, chargeable for others
Slide 4: Boring stats (as of 9th June 2016)
- 1049 members: HE / FE / schools / health / local gov / commercial
- 1928 entities: 748 IdPs, 1182 SPs
- 50-50 in-sourced vs out-sourced deployment model
- eduGAIN imported entities make up 48% of the UK federation
Slide 5: UK federation services to members
- Entity management
- Free tech support
- Central Discovery Service
- WAYFless URL Generator (Wugen)
- Test IdP / SP
- Mailing lists
- Usage stats via Raptor
Slide 6: Federation Management
- Manual management of SAML MD by service desk staff
- SVN backend, edit in Eclipse
- Shib MDA checking all SAML MD
- Shib MDA creating aggregates
- Manual signing via private key (held on secure smartcard)
Slide 7: So why are we changing?
- Existing systems have served us nicely for 10 years
- But the world is changing around us
Slide 8: Drivers for change
Slide 9: Our sector is changing
- UK HE & FE pretty well covered, but…
- Funding models changing
  - Funding changing
  - Increased adoption of managed services
- Lower barriers to adoption, respond to trend for out-sourcing
  - Partially in R&E, but especially for other sectors
Slide 10: Connecting across sectors
- R&E sector pretty well served
- But other sectors/communities not so much
  - Impedes our sector's collaboration opportunities
  - Direct costs through workarounds, indirect through lost opportunity
- R&E sector increasing diversity of provision, sector boundaries blurring, growth of PPP, drive to cloud/hybrid …are just going to make this worse!
Slide 11: Other public sector
- Just started a pilot with UK public libraries
  - Connect UK federation registered SAML IdPs to Library Management Systems (LMS)
  - All library patrons would be able to authenticate to e-resources bought by the library using their library card credentials.
  - 51% of the UK population (64.1M) have a library card
  - Pilot is until March 2017, 31 libraries involved
- Working with Cabinet Office, exploring connections between citizen space SAML (gov.uk Verify) and UK fed
Slide 12: And beyond…
- Legal sector
- Pharmaceuticals
- Engineering
- Etc.
Slide 13: Also some technical drivers
- SAML Metadata doesn't scale: aggregates getting stupidly big
- Three infrastructures that do the same thing: UKf, eduroam, Assent
- Limitations in flexibility for indication of policy compliance: ECs, etc., all good in theory, but in practice ends up with LCD
Slide 14: Our Response: UK fed 2.0
Slide 15: Aims and Objectives
- Streamline and automate processes where possible
  - Save staff effort
  - Provide self-service to customers
- Increase flexibility for Jisc
- Integrate with our managed services agenda
- Keep or increase existing levels of service and security
Slide 16: Developing a managed services capability
- Ultimate goal: a single product that:
  - Connects to home LDAP via OpenVPN tunnel
  - Web UI for managing
  - And is capable of acting as: SAML IdP (Shib IdP v3 based); FreeRADIUS eduroam IdP; FreeRADIUS Jisc Assent/Moonshot IdP; URL rewriting web proxy
- Initially SAML, other features to be added next
Slide 17: Automating Federation Management
- New APIs for managing metadata: Member management API; Entity management API; Approvals API
- Built on top of Shibboleth MDA (all open sourced)
- Level 3 RESTful API
Slide 18: Using the API
- The modified Shib MDA behind it manages API keys per organisation
- UI built into Jisc community site uses the API: custom stuff, plus modified saml-metadata-editor from PEER
- Can give 3rd party direct access for bigger out-sourced providers
- Also can be used by our managed services: spin up managed IdP for customer, it registers itself onto the federation(s) automatically
Slide 19: Behind the API
- Git repositories
- Member repository: XML file representing all members & related information
- Entity repository: raw SAML MD files per entity
  - Three branches: Master; Immediate (for emergency changes); Deferred (for scheduled changes)
  - Tags for every aggregation & publication event.
Slide 20: Moving to a more online-signing model
- Putting existing private keys onto HSM
- Scheduled (once daily) publishing of MD
- Customer can (in UI) request emergency change, and trigger immediate signing and publishing, for their change only
Slide 21: Deploying the infrastructure
- Building initially on Azure
- Manually built HSM and signing components in a secure Jisc data centre
Slide 22: The more things change, the more they remain the same
Slide 23: Superb service desk support
- UI for self-management is only an option!
- Configuring SAML MD can be tricky, many customers will still want help. Especially with trickier operations, such as certificate rollover.
- Can still interact with the helpdesk, who can make changes on behalf of a customer
Slide 24: VCS all the way
- VCS behind the scene
- Much more flexible than a DBMS backend
  - E.g. can test new things by editing XML by hand, UI doesn't have to know about them.
- Smaller chance of breaking MD: not converting XML to tuple in DB and back again.
- Full history of all changes, rollback, auditing, etc.
Slide 25: Excellent tooling: the Shibboleth MDA
- Although somewhat daunting to people unfamiliar with Spring
- Very flexible, reliable, and capable piece of software
Slide 26: UK fed 2.1: the future
Slide 27: Automating Federation Infrastructure
- 6/9 months time (when we have a VM platform)
- Spin up your own federation with one click: Repo, API, Aggregator, MD Dist / CDS / Test IdP SP / WUGEN / Backend management
  - Allows us to set up test instances of our own federation
  - Create new federations for new sectors in UK
  - FaaS for existing federations?
Slide 28: Infrastructure Evolution
- Aggregate sizes: MDQ will be deployed Q3/Q4 2016, customers suggested to switch. Our managed services will use it from day 1. Possibly new signing key.
- Infrastructure duplicity (ongoing): move towards Trust Router as core technology to underpin all three services. This also greatly increases flexibility of community-specific policy requirements operating on a single, flexible infrastructure.
- MDQ & TR (2018?): Moonshot validation of MDQ metadata, instead of simple keying; distributed model instead of centralised; use TR Community ideas
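As an added example (not from the talk, nor the UK federation's or Shibboleth's own code), the consumer side of the move from big aggregates (slide 13) to per-entity MDQ lookups (slide 28): building the request URL in both identifier forms the MDQ protocol allows, and the sanity checks a relying party should run on the returned entity descriptor before trusting it. The MDQ base URL, entityID and metadata document are constructed placeholders; the signature is only checked for presence, since verifying it needs an XML-DSig library and the federation's published signing certificate.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import quote

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"


def mdq_url(base, entity_id, hashed=False):
    # MDQ identifier is either the entityID itself or "{sha1}<hex>" of its
    # UTF-8 bytes; either way it is percent-encoded into the /entities/ path.
    ident = entity_id
    if hashed:
        ident = "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return base.rstrip("/") + "/entities/" + quote(ident, safe="")


def parse_utc(stamp):
    # SAML metadata timestamps are UTC with a trailing Z.
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_entity_metadata(xml_text, expected_entity_id, now_utc):
    # Returns a list of problems; an empty list means the checks passed.
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    if root.get("entityID") != expected_entity_id:
        problems.append("entityID does not match the one requested")
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("no validUntil: a stale copy could be served forever")
    elif parse_utc(valid_until) <= parse_utc(now_utc):
        problems.append("metadata expired at " + valid_until)
    if root.find(DS + "Signature") is None:
        problems.append("no ds:Signature on the entity descriptor")
    if root.find(".//" + MD + "KeyDescriptor") is None:
        problems.append("no KeyDescriptor, so the peer cannot be keyed")
    return problems


# Constructed sample, not real federation metadata: a minimal IdP descriptor
# with a placeholder signature and certificate, valid until 16 June 2016.
SAMPLE_ENTITY_ID = "https://idp.example.ac.uk/idp/shibboleth"
SAMPLE_MD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2016-06-16T12:00:00Z"
  entityID="https://idp.example.ac.uk/idp/shibboleth">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `check_entity_metadata(SAMPLE_MD, SAMPLE_ENTITY_ID, "2016-06-10T00:00:00Z")` for a clean result, and with a date after 16 June 2016 to see the expiry check fire.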
Slide 29: New Kids on the Block
- And our customers will want flexibility, especially for the mobile world
- Will demand OAuth/OIC, or even plain JWT
- We see these as complementary
- Will probably offer some central protocol translation, e.g. JWT/SAML or OAuth/SAML gateway, possibly 2017.
Slide 30: A shared world
Slide 31: Standardise tooling
- Why are so many of us using different toolsets doing essentially the same thing?
- Concentrate on just a couple of backend tools, e.g. metadata management and aggregation
- Stop developing more! We as a community can't sustainably manage more than that
Slide 32: Share the infrastructure
- Why do we all need to run separate infra doing essentially the same thing?
- Federation operators (generally) do not provide value by the toolsets they use, but by the relationships they have with their existing sector
- A move towards managed federation services (for both large and small federations) would:
  - Reduce costs and effort for all
  - Help with (some) interop issues
Slide 33: Share the support
- Why do some of us run separate support infrastructure doing essentially the same thing?
- A move towards shared support desks would give interesting opportunities:
  - 24x7, follow-the-sun support?
  - World class expertise
  - Smaller federations could offer better support
Slide 34: Share the support (continued)
- Challenges: language; software range; funding; etc.
- Should someone like GÉANT lead on organising?
Slide 35: Come find me afterwards and tell me why I'm wrong (or right!)
Slide 36: Rhys Smith, Chief Technical Architect, Trust & Identity