1
Federations: Introduction
Justin Knight, Jisc (Justin.knight@jisc.ac.uk)
UbuntuNet Connect 2018
2
Recap: yesterday
  Identities and good identity management
  Registries
  Status and outlook: where you are
3
This session
  Introduction to federation types: identity and roaming
  Key similarities
  Key differences
  Key benefits
  Value proposition
  Local to global
  Late mover advantage (tomorrow's session)
4
Acknowledgements: Guy, Scott and Chris
5
Two federation types
  Identity: SSO to web-based resources (non-web also exists, but is not our focus)
  Roaming
6
Key similarities
  Foundation of federated identity: trust
  Trust is good; it is built into policy to:
    Provide a basis for a mutual understanding of responsibilities
    Make the boundaries of the trust relationship clear to all parties
    Reduce the risk that the relationship will break down as the result of inadvertent or malicious actions by a minority
7
Key similarities
  Three common components:
    Identity Provider (IdP)
    Service Provider (SP)
    Operator of central infrastructure: Federation Operator (identity) or National Roaming Operator (NRO) (eduroam)
  An organisation can be both an IdP and an SP
  Common in terminology, not in technology (we'll come on to this)
8
Key similarities
  Good identity management at the institution is critical
  Starting point for institutions
  Setting up a user's identity poorly can lead to lack of access to services/WiFi
  Poor user experience = poor usage, uptake and reputation
9
Key similarities
  Easy access to services
  The goal of both is to make the user experience of service access easier
  Single credential for accessing multiple resources (identity federation)
  Single credential for accessing wireless networks in multiple locations (eduroam)
10
Key similarities
  The role of the operator is to facilitate the trust relationship between IdPs and SPs:
    Infrastructure
    Policy
11
Key differences
  Purpose
  Operators
  Underlying technologies/infrastructure
12
Purpose: identity federation
Video courtesy of Jisc (and quite old now!)
13
Purpose: eduroam
Video courtesy of AARNet
14
Purpose summary
  Identity federation: single credential for accessing multiple web-based resources
  Global wireless roaming access service: single credential for accessing wireless networks in multiple locations
15
Key differences: operators
16
eduroam NROs
  Coordinate eduroam within their country or territory
  Own the trademark for eduroam® in their service area
  Define national policy
  Responsible for ensuring compliance with global policy
  Operate a RADIUS proxy
  Generally one RO per country (NRO), but there are exceptions to this
17
eduroam: an important note
  It is "eduroam", not "Eduroam" or "EduRoam" (or the other student favourites, EuroDam and EduRam)
  Why does the case matter?
    Wireless network names (SSIDs) are case sensitive: we want users to connect automatically, so we all need to call our networks the same thing
    Helps with trademark enforcement
18
Identity federation operators
  Choose a deployment method: SAML or OIDC; mesh or hub & spoke; edu-ID (user centric)
  Set policy for IdPs and SPs to participate in their federation, and support them
  Aggregate, sign and publish the metadata of entities, facilitating the trust relationship between them
  Opt into or out of entity categories such as R&S, GÉANT CoCo and Sirtfi
  Can apply to join eduGAIN, the global inter-federation service (more on this later)
19
Key differences: underlying technology / infrastructure
20
Identity federation underlying technology/infrastructure
  Several options available:
    SAML (popular with R&E): Shibboleth (IdP, SP), SimpleSAMLphp
    OIDC (popular with commercial operators): Shibboleth (IdP)
21
eduroam underlying technology/infrastructure
  eduroam is a global wireless roaming network, based on:
    WPA2 & 802.1X (network access control)
    RADIUS (infrastructure to transport credentials)
    Trust fabric (RADIUS hierarchy and policy)
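To show how the "trust fabric" of a RADIUS hierarchy actually moves an authentication request from a visited campus to the user's home institution, here is an added Python model. It is not from the presentation and it is not eduroam's own proxy software; every server, NRO and top-level proxy name in it is fictional, and the country-code-to-NRO table stands in for the real top-level routing configuration. It demonstrates the points the slides make about the NRO's RADIUS proxy and the top-level proxies: routing uses only the realm of the outer (anonymous) identity, domestic realms go straight to the home server, foreign realms go up to a top-level proxy and back down through the home NRO, and a request with no realm or an unregistered realm is rejected at the hop that can tell.

```python
# Constructed eduroam-style RADIUS hierarchy. Realm, NRO and proxy names are fictional.
HOME_SERVERS = {                     # realm -> the institution's home RADIUS server
    "uni-a.ac.za": "radius.uni-a.ac.za",
    "uni-b.ac.ke": "radius.uni-b.ac.ke",
    "example.ac.uk": "radius.example.ac.uk",
}
NRO_OF_TLD = {"za": "nro-za", "ke": "nro-ke", "uk": "nro-uk"}   # country code -> national proxy
TLR_OF_NRO = {"nro-za": "tlr-africa", "nro-ke": "tlr-africa",   # NRO -> its top-level proxy
              "nro-uk": "tlr-europe"}


def split_outer_identity(outer_identity):
    """Split the outer (anonymous) identity into (user, realm).

    Only the realm is needed for routing; the real username and password travel
    inside the EAP tunnel and are never visible to the proxies. Returns None when
    there is no usable realm, because such a request cannot be routed and should
    be rejected at the visited institution rather than proxied onwards.
    """
    if "@" not in outer_identity:
        return None
    user, realm = outer_identity.rsplit("@", 1)
    realm = realm.strip().lower()            # realms are case-insensitive; normalise once
    if not realm or "." not in realm:
        return None
    return user, realm


def route(outer_identity, visited_nro):
    """Return the ordered list of RADIUS hops from the visited country's NRO to the
    user's home server. When the request cannot be delivered, the last element
    names the hop that rejects it and why."""
    parsed = split_outer_identity(outer_identity)
    if parsed is None:
        return ["visited institution: Access-Reject (no realm to route on)"]
    _, realm = parsed
    tld = realm.rsplit(".", 1)[-1]
    hops = [visited_nro]
    if NRO_OF_TLD.get(tld) != visited_nro:
        # Not a domestic realm: the NRO escalates to its region's top-level proxy.
        tlr = TLR_OF_NRO[visited_nro]
        hops.append(tlr)
        home_nro = NRO_OF_TLD.get(tld)
        if home_nro is None:
            return hops + [f"{tlr}: Access-Reject (no NRO responsible for realm {realm})"]
        if TLR_OF_NRO[home_nro] != tlr:
            hops.append(TLR_OF_NRO[home_nro])  # hand over to the peer top-level proxy
        hops.append(home_nro)
    home = HOME_SERVERS.get(realm)
    if home is None:
        # The home NRO knows every realm registered in its country; this one is not.
        return hops + [f"{hops[-1]}: Access-Reject (realm {realm} not registered)"]
    return hops + [home]


if __name__ == "__main__":
    for identity in ("anonymous@uni-b.ac.ke", "anonymous@example.ac.uk",
                     "anonymous@uni-a.ac.za", "anonymous@foo.example", "alice"):
        print(f"{identity:28s} -> {' -> '.join(route(identity, 'nro-za'))}")
```

Run it as a script to see each path printed; the design choice worth noticing is that nothing in `route` ever looks at the user part of the identity, which is exactly why an eduroam user can present `anonymous@realm` as the outer identity and still be routed correctly.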
22
Key benefits (Identity federation)
24
Value proposition (identity federation)
25
Key benefits (eduroam)
26
Value proposition (eduroam)
  Modest implementation & maintenance costs
  Making it easier to get access to the Internet promotes co-operation and collaborative research
  It also makes students less dependent on geography
  Users expect access to the Internet to just work
27
Value proposition (eduroam IdP)
  Allows your staff and students to gain access to the Internet for free all over the world
  Improves their productivity; makes them happy
  Gives you the peace of mind that it's probably more secure than a public hot-spot
  Relatively straightforward and low risk
  If it doesn't work, only your staff and students know
28
Value proposition (eduroam SP)
  Makes it easier for visitors to use your network:
    good for your reputation; good for their productivity
    makes your campus more attractive for academic events
  In most cases, leverages your existing wireless infrastructure
  Cost savings by reducing:
    the amount of support your help desk does for visitors
    the number of temporary visitor accounts you create
  One South African university saw a 25% decrease in the first year
29
Value proposition summary
  Collaboration opportunities
  Reputation and branding
  Security (network and identity)
  Cost and time
30
Discovery services in identity federations: example
31
Discovery example (cont.)
32
Discovery example
  The example was through the UK Federation, which uses the Shibboleth Central Discovery Service (CDS)
  That software is EOL (end of life, 2016) in the Shibboleth project for support
  There are other discovery services available:
    SWITCHwayf (WAYF: Where Are You From)
    CESNET service
    RA21 work
  Worth investing time in what is most suitable for you
33
Local to global
  Both identity and roaming federations are deployed at national level
  Global architectures exist for both
34
Local to global
  National identity federations inter-federate via a global authentication infrastructure, opening global services to users whose institutions are registered in national identity federations
  user > institutional identity > identity federation (> national services) > eduGAIN > global services
35
eduGAIN provides the policy framework and standard to build trust between its members.
The MDS (Metadata Distribution Service) fetches, aggregates and republishes metadata – like collating a global phonebook of white/yellow pages from federations.
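The following Python is an added example, not from the presentation and not eduGAIN's own MDS software. It sketches what an inter-federation aggregator does with the feeds it fetches from federation operators (the "aggregate, sign and publish the metadata of entities" step on the operator side, seen from the consuming side): an aggregate whose validUntil has passed is refused outright, one copy of each entityID is kept with a record of which federation registered it, and entity categories such as R&S and the Sirtfi assurance tag are read out of the merged result so a service can decide which IdPs to trust for what. Federation names, entityIDs and dates are constructed; the namespace URIs and the R&S and Sirtfi values are the real ones; verifying the operator's XML-DSig signature on each feed is assumed to have happened before this code runs and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 2.0 metadata namespaces and the entity-attribute names/values used by
# R&S and Sirtfi (these URIs are real; everything else here is constructed).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ASSURANCE = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
RS = "http://refeds.org/category/research-and-scholarship"
SIRTFI = "https://refeds.org/sirtfi"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed "current time"

def entity_xml(entity_id, role, categories=(), assurance=()):
    """Build one constructed EntityDescriptor carrying entity-attribute tags."""
    attrs = ""
    for name, values in ((ENTITY_CATEGORY, categories), (ASSURANCE, assurance)):
        if values:
            vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
            attrs += f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>'
    ext = (f"<md:Extensions><mdattr:EntityAttributes>{attrs}"
           "</mdattr:EntityAttributes></md:Extensions>") if attrs else ""
    return (f'<md:EntityDescriptor entityID="{entity_id}">{ext}'
            f'<md:{role} protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
            "</md:EntityDescriptor>")

def feed_xml(name, valid_until, entities):
    """Wrap entities in an EntitiesDescriptor, as a federation operator publishes it."""
    return (f'<md:EntitiesDescriptor xmlns:md="{NS["md"]}" xmlns:mdattr="{NS["mdattr"]}" '
            f'xmlns:saml="{NS["saml"]}" Name="{name}" validUntil="{valid_until}">'
            + "".join(entities) + "</md:EntitiesDescriptor>")

# Constructed aggregates from three fictional national federations.
FEEDS = [
    feed_xml("https://fed-a.example", "2030-01-01T00:00:00Z", [
        entity_xml("https://idp.uni-a.example/idp", "IDPSSODescriptor", [RS], [SIRTFI]),
        entity_xml("https://sp.library.example/sp", "SPSSODescriptor", [RS]),
    ]),
    feed_xml("https://fed-b.example", "2030-01-01T00:00:00Z", [
        entity_xml("https://idp.uni-b.example/idp", "IDPSSODescriptor", [], [SIRTFI]),
        # The same entityID is registered in fed-a too: the aggregator keeps one copy.
        entity_xml("https://idp.uni-a.example/idp", "IDPSSODescriptor"),
    ]),
    # A stale aggregate: a consumer must refuse everything inside it.
    feed_xml("https://fed-c.example", "2018-11-01T00:00:00Z", [
        entity_xml("https://idp.uni-c.example/idp", "IDPSSODescriptor", [RS], [SIRTFI]),
    ]),
]

def parse_feed(xml_text, now):
    """Return (federation name, EntityDescriptor elements), or raise ValueError if
    validUntil has passed. Checking the operator's XML-DSig signature is assumed
    to have happened before this point; it is not implemented here."""
    root = ET.fromstring(xml_text)
    valid_until = datetime.strptime(root.get("validUntil"),
                                    "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if valid_until <= now:
        raise ValueError(f"{root.get('Name')} expired at {valid_until.isoformat()}")
    return root.get("Name"), root.findall("md:EntityDescriptor", NS)

def entity_attributes(el):
    """Collect EntityAttributes as {attribute name: set of values}."""
    out = {}
    for attr in el.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = (v.text for v in attr.findall("saml:AttributeValue", NS))
        out.setdefault(attr.get("Name"), set()).update(values)
    return out

def aggregate(feeds, now):
    """Merge feeds the way an inter-federation metadata service does: skip expired
    feeds, let the first registration of an entityID win, and record the registrar."""
    entities, rejected = {}, []
    for xml_text in feeds:
        try:
            fed, descriptors = parse_feed(xml_text, now)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        for el in descriptors:
            eid = el.get("entityID")
            if eid not in entities:
                entities[eid] = {
                    "registered_by": fed,
                    "is_idp": el.find("md:IDPSSODescriptor", NS) is not None,
                    "attributes": entity_attributes(el),
                }
    return entities, rejected

def idps_asserting(entities, name, value):
    """IdPs whose entity attributes carry the given value (e.g. Sirtfi), sorted."""
    return sorted(eid for eid, e in entities.items()
                  if e["is_idp"] and value in e["attributes"].get(name, set()))

if __name__ == "__main__":
    ents, rejected = aggregate(FEEDS, NOW)
    print("rejected feeds:", rejected)
    print("IdPs asserting Sirtfi:", idps_asserting(ents, ASSURANCE, SIRTFI))
    print("IdPs in R&S:", idps_asserting(ents, ENTITY_CATEGORY, RS))
```

Two details carry the security point. The validUntil check is what stops a consumer from trusting a feed an attacker has replayed after the operator has removed or re-keyed an entity, and "first registration wins" is why an inter-federation service must know which federation registered each entityID rather than silently letting a later feed overwrite an earlier one.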
36
https://technical.edugain.org/documents
37
Identity federations, November 2018
38
November 2018
39
Local to global
  The Global eduroam Governance Committee (GeGC) is responsible for the overall technical standards for eduroam
  Also indirectly for the top-level RADIUS proxies
  Has a chair
  Representatives from the African region: Mohamed Aliouat (ARN, Algeria); Kennedy Aseda (KENET, Kenya); Samuel Ouya (snRER, Senegal)
  Have I missed you?
40
November 2018
41
Late mover advantage
  Maps show level of deployment in Africa
  Advantages of drawing on the experience of others
  Session tomorrow on resources, tools and help
42
Thank you! Questions?