Federation peering à la European: The eduGAIN way
Transcript of Federation peering à la European: The eduGAIN way
Connect. Communicate. Collaborate
Federation peering à la European: The eduGAIN way
Diego R. Lopez - RedIRIS
As Federations Grow
• The risk of dying of success
– Do we really need to go on selling the federated idea?
• Different communities, different needs
– Not even talking about international collaboration
– Different (but mostly alike) solutions
– Grids and libraries as current examples
– And many to come: governments, professional associations, commercial operators,…
• Don’t hold your breath waiting for the Real And Only Global Federation
Confederations Federate Federations
• Same federating principles applied to federations themselves
– Own policies and technologies are locally applied
• Independent management
– Identity and authentication-authorization must be properly handled by the participating federations
• Commonly agreed policy
– Linking individual federation policies
– Coarser than them
• Trust fabric entangling participants
– Without affecting each federation’s fabric
– E2E trust must be dynamically built
First Steps
• Simplifying user collaboration across whatever border is an excellent selling argument
– Making good on the whole promise of the VO idea
– eduroam’s fast worldwide success is a clear example
• Lingua franca
– Syntax: SAML profiles
• Converging to 2.0
– Semantics: eduPerson, SCHAC
• Trust fabric
– Public key technologies (if not infrastructures)
– Component identifiers and registries
– Metadata repositories
Policy and Legal Matters
• The PMA model has proven extremely useful
– Consensual set of guidelines
– Peer-reviewed accreditation
• Legal matters: Hic sunt leones
– For techies like us
– Privacy
– Liability
– More or less manageable in the case of (national) federations
The AAI Goal in GÉANT2
• To build an interoperable authentication and authorisation infrastructure that will be used all over Europe, enabling seamless sharing of e-science resources
• We started from
– Scattered AAI implementations in the EU and abroad
• And growing
– The basic idea of federating them, preserving hard-won achievements
Applying Confederation Concepts
• An eduGAIN confederation is a loosely-coupled set of cooperating identity federations
– That handle identity management, authentication and authorization using their own policies
• Trust between any two participants in different federations is dynamically established
– Members of a participant federation do not know in advance about members in the other federations
• Syntax and semantics are adapted to a common language
– Through an abstract service definition
The eduGAIN Components
• Bridging Elements (BE)
– Interconnection points
– Federation-wide (LFA) or distributed (LA)
• Federation Peering Point (FPP)
– Able to announce BE metadata
• The Metadata Service (MDS)
– Publishing interface (to FPPs)
– Querying interface (to BEs)
The eduGAIN Model (diagram labels only: Id Repository(ies) and Resource(s); MDS; H-FPP and R-FPP with Metadata Publish; R-BE with Metadata Query; H-BE; AA Interaction between the components)
An Adaptable Model: from centralized structures... (diagram labels only: MDS; two FPP/BE pairs; the SPs and IdPs behind each BE)
An Adaptable Model: ...to fully E2E ones... (diagram labels only: MDS; every SP and IdP carrying its own BE, labelled SP BE and IdP BE)
An Adaptable Model: ...including any mix of them (diagram labels only: MDS; SP BE and IdP BE entities alongside FPP/BE pairs fronting groups of SPs and IdPs)
The (X.509) Trust Fabric
• Validation procedures include
– Normal certificate validation
• Trust path evaluation, signatures, revocation,…
– Peer identification
• Certificates hold the component identifier
• It must match the appropriate metadata
• Applicable to
– TLS connections between components
• Two-way validation is mandatory
– Verification of signed XML assertions
Component Identifiers
• eduGAIN operations strongly depend on having unique, structured and well-defined component identifiers
• Based on URNs delegated by the eduGAIN registry to the participating federation
• Identifiers establish the kind of component they apply to by means of normalized prefixes
• Identifiers follow the hierarchy of the trust establishing process
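The peer-identification rule of the trust fabric slide (the identifier in the peer's certificate must match the metadata) and the structure of component identifiers, as an added example that is not eduGAIN's own code. The deck only shows identifiers of the form urn:geant2:...:responder, so the segment layout urn:geant2:<federation>:<kind>:<name>, the kind prefixes and the set of delegated federations are assumptions constructed for the example.

```python
# Added example, not eduGAIN code. ASSUMED identifier layout (the page only
# shows "urn:geant2:...:responder"):  urn:geant2:<federation>:<kind>:<name>
# <federation> is the namespace delegated by the eduGAIN registry, <kind> the
# normalized prefix saying what sort of component the identifier names.
from dataclasses import dataclass

KINDS = {"be", "fpp", "mds"}             # Bridging Element, Peering Point, Metadata Service
DELEGATED = {"rediris", "switchaai", "dfn"}  # constructed registry of delegated namespaces


@dataclass(frozen=True)
class ComponentId:
    federation: str
    kind: str
    name: str


def parse_component_id(urn: str) -> ComponentId:
    """Validate structure, registry delegation and kind prefix; ValueError otherwise."""
    parts = urn.split(":")
    if len(parts) < 5 or parts[0].lower() != "urn" or parts[1] != "geant2":
        raise ValueError(f"not an eduGAIN component identifier: {urn}")
    federation, kind, name = parts[2], parts[3], ":".join(parts[4:])
    if federation not in DELEGATED:
        raise ValueError(f"namespace not delegated by the registry: {federation}")
    if kind not in KINDS:
        raise ValueError(f"unknown component kind prefix: {kind}")
    if not name:
        raise ValueError("empty component name")
    return ComponentId(federation, kind, name)


def peer_identified(cert_cid: str, metadata_entity_id: str, expected_kind: str) -> bool:
    """Peer identification step of the trust fabric: the identifier carried in the
    peer's certificate must equal the entityID of the metadata held for that peer,
    and its prefix must say the peer is the kind of component it claims to be.
    Chain, signature and revocation checks are assumed already done by the TLS layer."""
    try:
        from_cert = parse_component_id(cert_cid)
        from_meta = parse_component_id(metadata_entity_id)
    except ValueError:
        return False
    return from_cert == from_meta and from_cert.kind == expected_kind
```

Because each side runs the same check on the other's certificate, calling it on both ends gives the two-way validation the slide requires.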
A General Model for eduGAIN Interactions (diagram labels: Requester, Responder, Id Repository, Resource, MDS; TLS Channel(s) to the MDS and a TLS Channel between the peers, identified as urn:geant2:...:requester and urn:geant2:...:responder)
Metadata query to the MDS: https://mds.geant.net/?cid=someURN
Metadata returned: <EntityDescriptor ... entityID="urn:geant2:..:responder"> ... <SingleSignOnService ... Location="https://responder.dom/" /> ...
Request: <samlp:Request ... RequestID="e70c3e9e6…" IssueInstant="2006-06…"> ... </samlp:Request>
Response: <samlp:Response ... ResponseID="092e50a08…" InResponseTo="e70c3e9e…"> ... </samlp:Response>
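The requester-side checks on the exchange sketched above, as an added example that is not eduGAIN's own code: a Response is accepted only if it arrives from the responder named in the metadata, answers an outstanding RequestID, and that request is still fresh. The messages are constructed stand-ins for the slide's samlp:Request and samlp:Response; the freshness window and the use of the TLS peer identifier as the responder check are assumptions.

```python
# Added example, not eduGAIN code. Constructed samlp messages; the 5-minute
# freshness window and the identifiers are assumptions for the example.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"   # SAML 1.1 protocol namespace
MAX_AGE = timedelta(minutes=5)                   # assumed freshness window


def parse_instant(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class Requester:
    """Tracks outstanding RequestIDs and accepts a Response only if it answers one."""

    def __init__(self, responder_cid: str):
        self.responder_cid = responder_cid   # entityID obtained from the MDS query
        self.outstanding = {}                # RequestID -> IssueInstant

    def send(self, request_xml: str) -> str:
        el = ET.fromstring(request_xml)
        rid = el.get("RequestID")
        self.outstanding[rid] = parse_instant(el.get("IssueInstant"))
        return rid

    def accept(self, response_xml: str, peer_cid: str, now: datetime) -> bool:
        """peer_cid is the component identifier taken from the TLS peer's certificate.
        XML signature verification of the assertions is assumed to happen before this."""
        if peer_cid != self.responder_cid:           # wrong responder on the channel
            return False
        el = ET.fromstring(response_xml)
        if el.tag != f"{{{SAMLP}}}Response":
            return False
        issued = self.outstanding.pop(el.get("InResponseTo"), None)  # one-shot: no replay
        if issued is None:
            return False
        return now - issued <= MAX_AGE


# Constructed sample messages; IDs are made up for the example.
REQUEST = ('<samlp:Request xmlns:samlp="%s" RequestID="req-0001" '
           'IssueInstant="2006-06-01T10:00:00Z"/>' % SAMLP)
RESPONSE = ('<samlp:Response xmlns:samlp="%s" ResponseID="rsp-0001" '
            'InResponseTo="req-0001"/>' % SAMLP)
```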
Operation Mapping
• Maps the abstract service definition into actual protocols
• Current version is based on SAML 1.1
– Profiling the standard to fit abstract parameters
• A SAML 2.0 implementation will be available along the lifetime of the project
– The abstract service specification protects components and applications from these changes
• Authentication assertions and attribute exchange mechanisms are designed to be Shibboleth 1.3 compatible
– And Shibboleth 2 in the future
Metadata Service
• Based on REST interfaces transporting SAML 2.0 metadata
– Usable by non-eduGAIN components
• Metadata are published through POST operations
• Metadata are retrieved through GET operations
• URLs are built as MDSBaseURL/FederationID/entityID?queryString
– Using component names
– The query string transports data intended to locate the appropriate home BE (Home Locators)
• Hints provided by the user
• Contents of certificate extensions (SubjectInformationAccess)
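The MDS URL scheme described above, MDSBaseURL/FederationID/entityID?queryString, built and parsed back, with an in-memory stand-in for the POST (publish) and GET (retrieve) interface; an added example, not eduGAIN's own code. The base URL, the federation name and the Home Locator parameter names are assumptions.

```python
# Added example, not eduGAIN code. MDS_BASE and the locator keys are assumptions.
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

MDS_BASE = "https://mds.example.net/mds"   # assumed MDSBaseURL


def build_mds_url(federation_id: str, entity_id: str,
                  locators: Optional[Dict[str, str]] = None) -> str:
    """entityID is a URN, so it is percent-encoded to stay one path segment."""
    url = f"{MDS_BASE}/{quote(federation_id, safe='')}/{quote(entity_id, safe='')}"
    if locators:
        url += "?" + urlencode(locators)     # Home Locator hints travel in the query string
    return url


def parse_mds_url(url: str) -> Tuple[str, str, Dict[str, str]]:
    """Server side: recover FederationID, entityID and the Home Locators."""
    parts = urlsplit(url)
    base_path = urlsplit(MDS_BASE).path
    if not parts.path.startswith(base_path + "/"):
        raise ValueError("not an MDS URL")
    segs = parts.path[len(base_path) + 1:].split("/")
    if len(segs) != 2 or not all(segs):
        raise ValueError("expected exactly FederationID/entityID")
    locators = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return unquote(segs[0]), unquote(segs[1]), locators


class MetadataService:
    """In-memory stand-in: POST publishes (from FPPs), GET retrieves (from BEs)."""

    def __init__(self):
        self.store = {}   # (FederationID, entityID) -> metadata document

    def handle(self, method: str, url: str, body: Optional[str] = None):
        fed, eid, _locators = parse_mds_url(url)
        if method == "POST":
            self.store[(fed, eid)] = body
            return 201, None
        if method == "GET":
            doc = self.store.get((fed, eid))
            return (200, doc) if doc else (404, None)
        return 405, None
```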
A Layered Model for Implementation (diagram layers)
Component logic
eduGAINBase + eduGAINVal + eduGAINMeta
SAML toolkit (OpenSAML)
SOAP/TLS/XMLSig libraries
eduGAINBase Profile Access
eduGAIN Profiles
• Oriented to
– Enable direct federation interaction
– Enable services in a confederated environment
• Four profiles discussed so far
– WebSSO (Shibboleth browser/POST)
– AC (automated client: no human interaction)
– UbC (user behind non-Web client: use of SASL-CA)
– WE (WebSSO enhanced client: delegation)
• Others envisaged
– Extended Web SSO (allowing the sending of POST data)
– eduGAIN usage from roaming clients (DAMe)
• Based on SAML 1.1
– Mapping to SAML 2.0 profiles along the transition period
The AC Profile (diagram)
The UbC Profile (diagram)
The WE Profile (diagram)
The WebSSO Profile (diagram)
The European Way
• (Too) many governments, languages, national priorities/laws/prides/…
– A little of weakness, a little of strength
• The will for convergence
– Without imposing dramatic inner changes
• Adopt whatever is worth from overseas
– With a scent of style and history
• (Humble) model for the rest of the world
– We are a little world in itself