Diego R. Lopez, RedIRIS JRES2005, Marseille On eduGAIN and the Coming GÉANT Middleware...

Diego R. Lopez, RedIRIS

JRES2005, Marseille

On eduGAIN and the Coming GÉANT Middleware Infrastructure

NRENs & Grids. Barcelona, September 2009

Across the Stack

The Network

The Application

The Middleware

• Bottom layer of the application Service location and discovery {Con-, inter-}federation Reputation Logging and diagnostics

• Top layer of the network Mobility Network access QoS Measurement


eduGAIN in a Nutshell

• Based on the national identity federations, operated by NRENs And a community-operated one: EFDA-Fed

• eduGAIN is a confederation infrastructure Federates federations

• SAML 1.1 (and soon SAML 2.0) is the lingua franca• Specific software developed

eduGAIN base libraries (Java) simpleSAMLphp (PHP) eduGAINFilter (javax.servlet.filter)

• Direct use of Shibboleth 2.0 possible (with a few restrictions)


eduGAIN Elements

• The Metadata Service – MDS Updated by authorised components Tagged according to user communities Queried by user interfaces or autonomous services

• PKI and registry Multi-rooted Includes component identifiers

• AM/CC (Attribute Mapping / Credential Conversion) Adapt syntax and semantics

• Bridging Elements - BE Adapt protocols Not required if eduGAIN profiles are natively supported Hybrid model of integration


Fully Bridged eduGAIN


P2P eduGAIN


Hybrid eduGAIN


eduGAIN Profiles

• WebSSO Shib 1.3 for SAML 1.1 SAML2 (except artifact-based) for SAML 2.0 Going into production service in GÉANT3

• AC Certificates plus optional attribute access

• UbC Convey user credentials introduced at the client

• WE Constrained delegation

• DAMe


The WebSSO Profile


The AC Profile


The UbC Profile


The WE Profile


Core Services in GN[\d]

• GN2 saw the first attempt to offer these core services as part of a multi-domain network infrastructure Not perfect, but many lessons learned Actual services and working examples Taking advantage of previous collaborative initiatives

• GN3 is continuing this trail Enhancing those already deployed or piloted Addressing more core services Providing dynamic integration and invocation Considering SLAs as part of the process Better development and deployment cycles

• A service integration model: the multi-domain ESB


• A framework to define, discover, access, and combine network services From the infrastructure up to application elements Federated, multi-domain ESB Able to integrate any service within the GÉANT

infrastructure Flexible negotiation of service provision capabilities

• Addressed to NREN staff e-Science service providers and users!!

• Collaborative architecture Open to collaboration beyond the academic community Prosumer-oriented

• Plug-and-play plus Plug-and-be-played

The GEMBus Promise


• α-interfaces Directly usable by

applications

• β-interfaces Govern systems and

resources

• γ-interfaces Abstract access to

resources

• δ-interfaces Actual control over the

resourcesSource: MANA Position Paper, 2009

Service Interfaces


• GEMBus will provide a set of α-interfaces Plus the corresponding

orchestration systems• Specify how β-interfaces

have to be published and registered From individual GÉANT

(and external) services• γ-interfaces for core

services Those required for direct

integration support Usable by individual

servicesSource: MANA Position Paper, 2009

What Service Interfaces


A Couple of Archetypal Use Cases


Building by Composition

Interface descriptions

Compositional procedures and orchestration

Standard interfaces and support for policy agreements

Diego R. Lopez, RedIRIS JRES2005, Marseille On eduGAIN and the Coming GÉANT Middleware...

Documents

Transcript of Diego R. Lopez, RedIRIS JRES2005, Marseille On eduGAIN and the Coming GÉANT Middleware...