Trust Router Workshop, 15th October 2014
Introduction to the Day: Moonshot Workshop
Agenda
10:00 – 10:10  Intro to the morning
10:00 – 12:30  Trust Router & Peering (11:00 break)
12:30 – 13:30  Lunch
13:30 – 13:40  Summary
13:40 – 15:45  Set up a Trust Router! (15:00 break)
15:45 – 16:00  Summary
Moonshot & Communities: a quick reminder. What are communities?
Communities and Policy
Authentication Policy Community (Community of Registration): organisation validation to the APC's defined standards.
Community A, Community B, Community C: policy coming from community requirements. Could include: registration LoA, AuthN LoA, operational practices, user behaviour, attribute release (RADIUS & SAML), etc.
Moonshot & Communities: communities will consist of a subset of the entities connected to a particular APC.
Whole Trust Network
Community A
Community B
Community C
Trust Router
Trust Router: single-hop lookup
RP: Hey TR, do you know bob.com?
TR: Yeah, he's over there! P.S. I've done some DH magic.
RP: kthxbye
RP: Hi IdP, I've got someone claiming to be one of your users.
Trust Router: lookup via default peers
RP: Hey TR1, do you know bob.com?
TR1: Hmm, I don't. TR2 is my default peer, I'll ask it…
TR1: Hey TR2, do you know bob.com?
TR2: Hmm, I don't. TR3 is my default peer, I'll ask it…
TR2: Hey TR3, do you know bob.com?
TR3: He's over there. P.S. DH magic.
TR1: Yeah, he's over there! P.S. I've done some DH magic.
RP: Hi IdP, I've got someone claiming to be one of your users.
Routing between Trust Routers
Eventually there will be routing tables across the whole network. For now, default peers can be configured, and a TR that does not know a realm forwards the query to its default peer.
Trust Router Peering: peering policy, APCs
Current Trust Network
@dev.ja.net
tr1.moonshot.ja.net
ms-tr.cf.ac.uk
ms-rp-ssh.cf.ac.uk
By End of Today
@dev.ja.net
tr1.moonshot.ja.net
ms-tr.cf.ac.uk
ms-rp-ssh.cf.ac.uk
Your TR and Your Test RP (one pair per attendee, each peered into the network)
Setting up a Trust Router is easy! In the world of Moonshot, a Trust Router is just a resource provider. The resource it's providing is trust. Like any RP, the TR needs to query an Identity Provider to authenticate users…
TR's own IdP
The IdP used by a TR is just an ordinary Moonshot IdP, with the identity realm 'apc.moonshot.ja.net'. This is the IdP representing the Authentication Policy Community. It keeps a list of credentials used by IdPs and RPs: the XML files that you've used to add your own IdPs and RPs to Janet's TR. For this workshop this step will be skipped, as you've probably set up at least one IdP by now.
Process
1. Register your RP and TR in the portal as new RPs. If you don't have access to the portal, ask for assistance.
2. Configure and deploy your TR. See the next slide and the readme files.
3. Test!
4. Configure and deploy your RP.
5. Test!
6. Bonus: reconfigure your IdP to talk to your TR.
Deploying a Trust Router
RHEL/CentOS:
  TR: https://wiki.moonshot.ja.net/x/hIQy
  RP: https://wiki.moonshot.ja.net/x/vAEp
Debian:
  TR: https://wiki.moonshot.ja.net/x/goQy
  RP: https://wiki.moonshot.ja.net/x/ugEp
Sample configurations and key material are available at https://portal.moonshot.ja.net/keys/ (U: octoberws, P: homemade-push-whistle).
peering.cfg:
  {
    "default_servers": [
      "tr1.moonshot.ja.net"
    ]
  }
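The two lookup slides and the peering.cfg above describe the same mechanism: a TR answers from what it knows, and otherwise forwards to its default peer. The following is an added illustration written for this page, not the Trust Router's own code. It models that forwarding with constructed peering.cfg fragments and constructed realm tables (tr1, tr2, tr3, bob.com, alice.example and the idp.* hosts are all made up), and adds the one thing the slide does not show: a visited list and hop limit so that two peers that default to each other cannot forward a query forever.

```python
import json

# Added illustration for this page: a toy model of the realm lookup shown on
# the "Hey TR1, do you know bob.com?" slides. It is NOT the Trust Router's
# code; the topology, realm tables and host names below are constructed.

# Each trust router's peering.cfg, in the shape shown on the slide above.
# Constructed: tr1 defaults to tr2, tr2 defaults to tr3, tr3 has no default.
PEERING_CFGS = {
    "tr1": json.loads('{"default_servers": ["tr2"]}'),
    "tr2": json.loads('{"default_servers": ["tr3"]}'),
    "tr3": json.loads('{"default_servers": []}'),
}

# Constructed: which IdP realms each trust router knows about directly,
# and the IdP host it would point the RP at.
KNOWN_REALMS = {
    "tr1": {"alice.example": "idp.alice.example"},
    "tr2": {},
    "tr3": {"bob.com": "idp.bob.com"},
}

MAX_HOPS = 8  # stop runaway forwarding if default peers form a loop


def lookup(tr, realm, peering=PEERING_CFGS, known=KNOWN_REALMS, visited=None):
    """Ask trust router `tr` where `realm` lives.

    Returns (idp_host, path): the host to contact and the list of trust
    routers consulted in order. idp_host is None if nobody knows the realm
    or forwarding was cut off by the loop/hop guard.
    """
    visited = [] if visited is None else visited
    # Refuse to revisit a router (peer loop) or to forward without bound.
    if tr in visited or len(visited) >= MAX_HOPS:
        return None, visited
    path = visited + [tr]

    # Local answer: "Yeah, he's over there!"
    if realm in known.get(tr, {}):
        return known[tr][realm], path

    # Otherwise: "Hmm, I don't. <peer> is my default peer, I'll ask it..."
    for peer in peering.get(tr, {}).get("default_servers", []):
        host, peer_path = lookup(peer, realm, peering, known, path)
        if host is not None:
            return host, peer_path
    return None, path


if __name__ == "__main__":
    host, path = lookup("tr1", "bob.com")
    print(f"bob.com -> {host} via {' -> '.join(path)}")
```

Running it as a script prints the three-hop path tr1 -> tr2 -> tr3 for bob.com. The loop guard is the point to take from it: with only default peers configured, a misconfigured pair of TRs pointing at each other would otherwise bounce an unknown realm back and forth, so a real deployment needs some bound on forwarding even before full routing tables exist.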
Trusts.cfg
communities: the APC, followed by all CoIs; each has a list of idp_realms and rp_realms.
idp_realms: details of each idp_realm (hostname, apc, shared config).
rp_realms: details of each rp_realm (domain & realm constraints, filters, gss names).
gss_names: the gss name for your trust router.
Domain constraints: which acceptor hostnames are legal (these hosts can claim to be in that realm); they constrain the gss acceptor hostname.
Realm constraints: constrain the gss acceptor realm names.
Filters: RP permitted filters; in future, more filters and constraints.
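To make the two kinds of constraint concrete, here is an added example written for this page of how an rp_realm entry's domain and realm constraints would be evaluated against the hostname and realm an acceptor claims. It is not the Trust Router's code, and the JSON key names (rp_realms, realm, gss_names, domain_constraints, realm_constraints) are assumptions modelled on the slide's description of Trusts.cfg rather than the real configuration schema; the realm example.ac.uk and its hosts are constructed.

```python
import fnmatch
import json

# Added illustration for this page: checking a GSS acceptor's claimed hostname
# and realm against the domain and realm constraints an rp_realm carries.
# The key names below are assumptions modelled on the slide's description of
# Trusts.cfg; they are NOT the Trust Router's real configuration schema.
SAMPLE_TRUSTS_CFG = json.loads("""
{
  "rp_realms": [
    {
      "realm": "example.ac.uk",
      "gss_names": ["trustrouter@example.ac.uk"],
      "domain_constraints": ["*.example.ac.uk"],
      "realm_constraints": ["example.ac.uk", "*.example.ac.uk"]
    }
  ]
}
""")


def find_rp_realm(cfg, realm):
    """Return the rp_realm entry for `realm`, or None if it is not configured."""
    for entry in cfg.get("rp_realms", []):
        if entry.get("realm") == realm:
            return entry
    return None


def acceptor_permitted(cfg, rp_realm, acceptor_host, acceptor_realm):
    """Decide whether an acceptor may claim `acceptor_host` in `acceptor_realm`.

    Domain constraints bound the acceptor hostname; realm constraints bound
    the acceptor realm. Patterns use shell-style wildcards, matched
    case-insensitively. An unknown rp_realm, an empty constraint list or a
    constraint that does not match is a rejection; the reason is returned
    so the decision can be logged.
    """
    entry = find_rp_realm(cfg, rp_realm)
    if entry is None:
        return False, f"rp_realm {rp_realm!r} is not configured"

    host = acceptor_host.lower()
    realm = acceptor_realm.lower()

    if not any(fnmatch.fnmatchcase(host, p.lower())
               for p in entry.get("domain_constraints", [])):
        return False, f"hostname {acceptor_host!r} violates domain constraints"

    if not any(fnmatch.fnmatchcase(realm, p.lower())
               for p in entry.get("realm_constraints", [])):
        return False, f"realm {acceptor_realm!r} violates realm constraints"

    return True, "permitted"


if __name__ == "__main__":
    for host, realm in [("ssh.example.ac.uk", "example.ac.uk"),
                        ("ssh.elsewhere.example", "example.ac.uk")]:
        print(host, realm, acceptor_permitted(SAMPLE_TRUSTS_CFG, "example.ac.uk", host, realm))
```

Two design choices are deliberate. The check fails closed: an rp_realm with no domain or realm constraints configured rejects every acceptor rather than accepting all of them, which is the safer default for a policy file that may be half-written. And the "*" wildcard matches across label boundaries, so "*.example.ac.uk" admits hosts at any depth under that domain; a deployment that wants to pin the exact hostname should list it without a wildcard.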
THANK YOU
Janet, Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire
t: +44 (0) 1235 822200
f: +44 (0) 1235 822399
e: service@ja.net