Croatian Research and Education Identity Federation · 2017. 5. 29. · Miroslav Milinović...
-
Miroslav Milinović
University of Zagreb, University Computing Centre (SRCE)
CESSDA SAW Workshop
Zagreb, March 1-2, 2017
AAI@EduHr
Croatian Research and Education Identity Federation
-
2/25
Contents
• Identity federations
• AAI@EduHr
• eduGAIN
• AAI@EduHr for SPs / developers
-
3/25
e-infrastructure
Network services
Data centers
Computing resources (servers, storage, HPC, grid, …)
Middleware (identity federations, AAA, …)
Data services (digital archives, repositories, …)
Information systems and applications
-
4/25
Identity federation model
[Diagram: IdP and SP linked by a trust relationship]
1. user accesses service (SP)
2. IdP authenticates user; provides attributes
3. SP consumes attributes; allows access
-
5/25
Mesh federation model
[Diagram: SP 1 and SP 2 use a WAYF (backed by the MDS) to choose between IdP A and IdP B; the user logs in directly at the chosen IdP]
-
6/25
Hub-and-spoke federation model
[Diagram: SP 1 and SP 2 talk only to the Hub (WAYF); the Hub forwards the login to IdP A or IdP B]
-
7/25
Virtual Organisations (VOs) / Attribute Authorities (AAs)
[Diagram: the user enters at the SP entry point (AAI component); the IdP's AAI component authenticates against an (LDAP) directory; an AA's AAI component supplies additional attributes from its own data]
-
8/25
AAI@EduHr: Croatian R&E Identity Federation
• Authentication and Authorisation Infrastructure for science and (higher) education in the Republic of Croatia
• in production since March 1, 2006
• hub-and-spoke architecture
• Policy document: Pravilnik o ustroju (Rules of Organisation), ver. 1.3.1 (http://www.aaiedu.hr/docs/[email protected])
• March 1, 2017:
• 229 IdPs
• 603 SPs
• 878,173 e-identities
• connected to:
• global services: eduroam and eduGAIN
• national e-gov service: NIAS (e-Građani)
• Web: http://www.aaiedu.hr (note: most of the documentation is in Croatian only)
-
9/25
AAI@EduHr in numbers (March 1, 2017)
Successful Web SSO authN:
last 30 days: 2,964,140
last 24 hours: 104,587
Successful RADIUS authN:
last 30 days: 14,013,800
last 24 hours: 603,678
[Chart: successful SSO authN per month, 01/15 to 11/16; y-axis 0 to 3,000,000]
-
10/25
More statistics …
http://f-ticks.aaiedu.hr/statistike/
-
11/25
Connections with other services
www.eduroam.org
www.edugain.org
NIAS (e-Građani)
-
12/25
AAI@EduHr: Hub-and-spoke federation
[Diagram: SP 1 and SP 2 talk only to the Hub (WAYF), which forwards the login to IdP A or IdP B; the central services are provided by Srce]
-
13/25
AAI@EduHr architecture
[Diagram: SP entry point with an AAI@EduHr component; central AAI@EduHr services (RADIUS proxy, FWS, MDS, login/SSO, VO/AA); institutional IdP (AOSI-WS & RADIUS server over an LDAP directory) authenticating user [email protected]; external connections to eduGAIN, eduroam, social networks (OpenID, …) and NIAS; protocols in use: HTTPS / SAML, RADIUS, HTTPS / SOAP]
-
14/25
AAI@EduHr: IdM
[Diagram: AAI@EduHr IdP components: LDAP directory, RADIUS, AOSI-WS, AOSI-Web]
-
15/25
What is eduGAIN?
• educational Global Authentication Infrastructure
• basic components:
• eduGAIN Policy Framework (https://technical.edugain.org/documents)
• MDS (Metadata Distribution Service; mds.edugain.org)
-
16/25
eduGAIN
• in production since 2011
• 41 member federations
• www.edugain.org
• technical.edugain.org
-
17/25
AAI@EduHr in eduGAIN
• AAI@EduHr is eduGAIN member
• Srce represents AAI@EduHr in eduGAIN bodies
• AAI@EduHr entities in eduGAIN:
• all IdPs are automatically „in” eduGAIN
• attribute release based on eduGAIN Attribute Profile
• an IdP can opt-out
• all SPs are „out”
• an SP has to opt-in (ask Srce to be included)
• an SP has to fulfill organisational and technical requirements
-
18/25
AAI@EduHr for SPs (Web SSO scenario)
[Diagram: SP entry point with an AA component; central AAI@EduHr services; IdP with AOSI-WS over an LDAP directory; user [email protected] logs in; all exchanges over HTTPS / SAML 2.0]
-
19/25
AAI@EduHr for SPs (Developers)
• supported protocols:
• SAML 2.0
• RADIUS (network access, special cases of non-web-based services)
• supported platforms:
• PHP (simpleSAMLphp)
• Java (Spring Security SAML, …)
• .NET (OIOSAML.NET)
• Python / Django
• Shibboleth compatible tools/platforms
• any platform compatible with SAML 2.0
• testing environment: AAI@EduHr Lab
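Whatever platform is used, the SP's SAML 2.0 stack has to validate the response returned by the central login/SSO service before the application sees any attributes. The following Python function is an added example, not code from the presentation, from AAI@EduHr or from any of the libraries listed above: it applies the checks an SP needs beyond the XML signature (Success status, Destination and Recipient equal to the SP's ACS URL, InResponseTo matching an outstanding AuthnRequest, validity window with clock skew, Audience equal to the SP's entityID, Issuer equal to the hub) to a constructed, unsigned sample response. All entity IDs, URLs and timestamps are assumptions, and signature verification with the certificate from federation metadata is assumed to have been done by the SAML library beforehand.

```python
# Added example, not code from the presentation or from AAI@EduHr: the
# post-signature checks an SP applies to a SAML 2.0 Response. A production SP
# lets its SAML library (simpleSAMLphp, Shibboleth SP, ...) verify the XML
# signature with the IdP certificate from federation metadata first; that step
# is assumed to have passed and is not repeated here. IDs/URLs are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CLOCK_SKEW = timedelta(seconds=60)  # tolerated IdP/SP clock drift

HUB_ENTITY_ID = "https://hub.example-federation.hr/idp"  # constructed: the hub issues assertions
SP_ENTITY_ID = "https://sp.example.hr/saml/metadata"      # constructed: our own entityID
ACS_URL = "https://sp.example.hr/saml/acs"                # constructed: our AssertionConsumerService

# Constructed sample response (unsigned; see note above).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2017-03-01T10:00:00Z" Destination="https://sp.example.hr/saml/acs" InResponseTo="_req42">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-03-01T10:00:00Z">
    <saml:Issuer>https://hub.example-federation.hr/idp</saml:Issuer>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" NotOnOrAfter="2017-03-01T10:05:00Z"
            Recipient="https://sp.example.hr/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-03-01T09:59:00Z" NotOnOrAfter="2017-03-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.hr/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
        <saml:AttributeValue>student@example-univ.hr</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def saml_time(value):
    """Parse the 'YYYY-MM-DDThh:mm:ssZ' xs:dateTime form used in SAML."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expired(not_on_or_after, now):
    # A missing NotOnOrAfter is treated as expired: bearer confirmations must carry one.
    return not_on_or_after is None or now - CLOCK_SKEW >= saml_time(not_on_or_after)


def validate_response(xml_text, expected_issuer, sp_entity_id, acs_url, outstanding_ids, now):
    """Return (problems, attributes); attributes are filled only when problems is empty."""
    problems, attributes = [], {}
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") not in (None, acs_url):
        problems.append("Destination is not our ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion, got %d" % len(assertions)], {}
    a = assertions[0]
    # In a hub-and-spoke federation the hub, not the user's home IdP, issues
    # (and signs) the assertion, so the Issuer must be the hub's entityID.
    if a.findtext("saml:Issuer", default="", namespaces=NS) != expected_issuer:
        problems.append("unexpected assertion Issuer")
    # Bearer confirmation: the assertion must answer a request we sent (an
    # unknown InResponseTo means replay or an unsolicited response), be
    # addressed to our ACS, and still be fresh.
    bearer = [sc.find("saml:SubjectConfirmationData", NS)
              for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS)
              if sc.get("Method") == BEARER]
    if not bearer or bearer[0] is None:
        problems.append("no bearer SubjectConfirmation")
    else:
        scd = bearer[0]
        if scd.get("Recipient") != acs_url:
            problems.append("bearer Recipient is not our ACS URL")
        if scd.get("InResponseTo") not in outstanding_ids:
            problems.append("InResponseTo does not match an outstanding AuthnRequest")
        if expired(scd.get("NotOnOrAfter"), now):
            problems.append("bearer confirmation expired")
    # Validity window and audience: a genuine, signed assertion issued for a
    # different SP must still be rejected.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb = cond.get("NotBefore")
        if nb is not None and now + CLOCK_SKEW < saml_time(nb):
            problems.append("assertion not yet valid")
        if expired(cond.get("NotOnOrAfter"), now):
            problems.append("assertion expired")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("Audience does not include our entityID")
    if not problems:
        for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
            key = attr.get("FriendlyName") or attr.get("Name")
            attributes[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return problems, attributes


if __name__ == "__main__":
    now = saml_time("2017-03-01T10:01:00Z")  # constructed "current time" inside the window
    print(validate_response(SAMPLE_RESPONSE, HUB_ENTITY_ID, SP_ENTITY_ID, ACS_URL, {"_req42"}, now))
    print(validate_response(SAMPLE_RESPONSE, HUB_ENTITY_ID, SP_ENTITY_ID, ACS_URL, set(), now))
```

Running the block prints the result for the valid case and for a replayed response (no outstanding request ID). In the hub-and-spoke model the Issuer check compares against the hub's entityID, not the user's home institution; the institution is visible in the attributes (here the scope of eduPersonScopedAffiliation), not in the Issuer.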
-
20/25
SP set-up in AAI@EduHr
• study:
• AAI@EduHr Policy(http://www.aaiedu.hr/docs/[email protected])
• documentation for SPs
• (http://www.aaiedu.hr/za-davatelje-usluga)
• register your application via resource registry:
• www.aaiedu.hr/aairr
• indicate special cases: eduGAIN and/or additional login via social networks
• make the necessary adjustments in your application:
• install missing components (e.g. SSP, SAML modules, …)
• use AAI@EduHr LAB for testing
• AAI@EduHr team provides support via e-mail address [email protected]
-
21/25
AAI@EduHr and social networks
http://www.unizg.hr/authdemo/
http://otrs-test.srce.hr/
-
22/25
How to opt-in eduGAIN with your SP?
• let Srce know:
• we provide support / know-how
• we publish your metadata / register your app. in eduGAIN
• adjust your service policy:
• privacy policy / CoCo (see eduGAIN documentation)
• adjust the technical components of your service:
• attribute handling
• discovery service (login screen / WAYF)
• metadata handling
• verify before production
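The three technical items above (attribute handling, discovery service, metadata handling) all start from federation metadata. The following Python script is an added example, not code from the presentation, from AAI@EduHr or from eduGAIN: it parses a constructed SAML metadata aggregate of the kind the eduGAIN MDS publishes, extracts the IdP SSO endpoints a discovery service needs, reads each SP's entity categories and RequestedAttributes, and applies a constructed release policy. The attribute bundle and the rule "full bundle only to SPs asserting the Data Protection Code of Conduct" are illustrative assumptions, as are all entity IDs and URLs; the attribute OIDs, the entity-category attribute name and the CoCo v1 URI are the standard ones. An SP that is absent from trusted metadata gets nothing, which is the point of metadata handling.

```python
# Added example, not code from the presentation, AAI@EduHr or eduGAIN: consume
# a SAML metadata aggregate the way the hub or an SP consumes the eduGAIN MDS
# feed, and decide attribute release per SP from what the metadata says about
# it. Entity IDs, URLs and the release policy are constructed for illustration.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed stand-in for a federation attribute bundle (friendly names);
# not the eduGAIN Attribute Profile itself.
BUNDLE = {"displayName", "mail", "eduPersonScopedAffiliation",
          "eduPersonPrincipalName", "eduPersonTargetedID", "schacHomeOrganization"}
PSEUDONYMOUS = {"eduPersonTargetedID"}  # all a non-CoCo SP gets under this policy

# Constructed aggregate: one IdP, one SP asserting CoCo, one SP without it.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.example-univ.hr/saml2/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example-univ.hr/saml2/idp/SSOService.php"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example-univ.hr/saml2/idp/SSOService.php"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-coco.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="0">
        <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="eduPersonScopedAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"/>
        <md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241"/>
        <md:RequestedAttribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-plain.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="0">
        <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"/>
        <md:RequestedAttribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def parse_metadata(xml_text):
    """Map entityID -> {'sso': [(binding, location)], 'categories': set,
    'requested': [(friendlyName, isRequired)]} for every entity in the aggregate."""
    entities = {}
    root = ET.fromstring(xml_text)
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        info = {"sso": [], "categories": set(), "requested": []}
        for sso in ed.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
            info["sso"].append((sso.get("Binding"), sso.get("Location")))
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ENTITY_CATEGORY:
                info["categories"].update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS))
        for ra in ed.findall("md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute", NS):
            info["requested"].append((ra.get("FriendlyName") or ra.get("Name"), ra.get("isRequired") == "true"))
        entities[ed.get("entityID")] = info
    return entities


def idp_sso_endpoints(entities, entity_id):
    """What a discovery service / login screen needs to send the user to this IdP."""
    return entities[entity_id]["sso"]


def decide_release(entities, sp_entity_id):
    """Attributes (friendly names) released to this SP under the constructed
    policy: the bundle for SPs asserting CoCo, only the pseudonymous identifier
    otherwise, and nothing at all for an SP that is not in trusted metadata."""
    if sp_entity_id not in entities:
        raise LookupError("SP %s not in trusted metadata; release nothing" % sp_entity_id)
    sp = entities[sp_entity_id]
    allowed = BUNDLE if COCO_V1 in sp["categories"] else PSEUDONYMOUS
    return sorted(name for name, _required in sp["requested"] if name in allowed)


if __name__ == "__main__":
    ent = parse_metadata(SAMPLE_METADATA)
    print(idp_sso_endpoints(ent, "https://idp.example-univ.hr/saml2/idp"))
    for sp in ("https://sp-coco.example.org/shibboleth", "https://sp-plain.example.org/shibboleth"):
        print(sp, decide_release(ent, sp))
```

The CoCo SP asks for four attributes but receives three: eduPersonEntitlement is outside the bundle, so asserting the category widens release only up to what the policy allows. Metadata is the trust anchor for all of this, which is why the opt-in step above goes through Srce: the hub only releases to entities whose metadata it has published.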
-
23/25
Discovery service examples
https://foodl.org/
http://monitor.eduroam.org/db_web
-
24/25
Learning opportunity
• we organize a workshop for SPs / application developers on April 4
• check http://www.srce.unizg.hr/dei/radionice
-
Through its open access policy, Srce makes all results of Srce's work available to the wider public, primarily the educational and professional information and content created through Srce's activities.
This work is licensed under the Creative Commons Attribution-NonCommercial 4.0 International licence.
www.srce.unizg.hr · creativecommons.org/licenses/by-nc/4.0/deed.hr · www.srce.unizg.hr/otvoreni-pristup
AAI@EduHr
http://www.aaiedu.hr