June 9, 2009. SURFfederatie: implementing a multi-protocol federation. Hans Zandbelt & Joost van Dijk, SURFnet.

Page 1: Title

June 9, 2009

SURFfederatie: implementing a multi-protocol federation

Hans Zandbelt & Joost van Dijk, SURFnet

Page 2: Overview

- Identity Federation Models
- SURFfederatie gateway
- Implementation/Deployment
- Features/Experiences
- SURFnet Service Provider
- Conclusion

SURFnet. We make innovation work

Page 3: Federation Models

- 1-1
  - Business: SAML 1.x
  - de-facto
- NxN
  - Shared trust, pt2pt
  - Education US/Europe
  - Shibboleth
- 2xN
  - Central gateway (CFC)
  - Protocol translation
  - SURFfederation (SURFnet = CFC, IDP, SP)

[Diagram: IDP/SP pairs connected through the central CFC instead of pairwise.]

Page 4: Functional View

[Diagram: Central Federation Components. Identity Providers (Credentials) on one side and Service Providers (Applications) on the other connect to the SURFfederatie CORE through protocol handlers: A-Select Cross, Shibboleth, SAML 2.0 and WS-Fed / ADFS.]

Page 5: Authentication Redirect Flow

[Sequence diagram between the browser, the SP (web service), SFS (the SURFfederatie gateway), the IDP and its authentication backend (LDAP/Radius/..). Labelled messages: browser request; auth request; SSO1 request; SSO2 request; LDAP/Radius/.. lookup; access & attributes; SSO1 response; SSO2 response; auth response.]

Page 6: Deployment View

[Diagram: three nodes (server1, server2, server3), each running phpFederate and PingFederate, reached via round-robin DNS under wayf.surfnet.nl and sfs.surfnet.nl; PingFederate management (PingFed/Mgmt) with failover between the nodes.]

Page 7: Server Node

- apache2
- mod_fcgid
- php5_cgi
- phpFederate
- memcached (state sharing)
- mysql (logging)
- sendmail (error reporting)
- heartbeat2 (failover)
- pingFederate

Page 8: Connections

- Federation Protocols
  - IDP: SAML 2.0 (5), ADFS (15), A-Select (10)
  - SP: SAML 2.0 (5), Shibboleth 1.3 (5), A-Select (3)
- Federation Products
  - Microsoft ADFS, Shibboleth (1/2), A-Select, Novell Access Manager, simpleSAMLphp, Oracle IdM, PingFederate

Page 9: Implementation

- PHP:
  - implementation programming language
  - metadata/configuration store
  - configuration and processing language
  - provisioning tool
- Provision connections to PingFederate
- Federate connections transparently across protocols (!= simpleSAMLphp); caveat: identifiers
  - IDPs "see" 1 SP; SPs "see" 1 or all IDPs
- IDP ARPs: (configured) filter by SURFfederatie gateway

Page 10: Features

- Pure stateless switch vs. stateful processing gateway
- Transparent vs. single-point-of-entry
- Detailed and accurate logging/statistics
- ARP and ACLs implemented in PHP
- TBD: attribute processing/enrichment…
- SP "personalized" IDP discovery and authorisation
- Limited SP access for IDPs
- EduGAIN, OpenID, InfoCard
- Optional: management APIs for members (IaaS)
  - Metadata/configuration
  - ARP, IDP/SP authorisation

Page 11: Experiences

- Multi-protocol abilities speed up institutional deployment: fits in their home ICT environment (!= JAVA, = Microsoft)
- Identity-As-A-Service: service provider issues (metadata updates, attribute release policies) are handled for IDPs
- SAML 2.0 implementations are hard (specs/products/knowledge) -> slow SP take-up
- Scalability is ok: up to national level
- Trust model of centralized federation is functionally equivalent to distributed federations: federation-operator is TTP (signed responses vs. signed metadata)
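As an added example (not code from the slides, phpFederate or PingFederate), the stateful gateway processing that slides 5, 9 and 11 describe: the gateway keeps the outstanding SP request, binds the IDP's response to it, verifies that response, applies the SP's ARP and re-signs the result as the trusted third party. Entity names, keys and the ARP are constructed, and an HMAC stands in for the XML signature a real SAML or WS-Fed message would carry.

```python
import hashlib, hmac, json, secrets, time
# Constructed stand-ins: one HMAC key per party plays the role of that party's
# signing key; the real gateway verifies and produces SAML/WS-Fed XML signatures.
GATEWAY = "sfs.surfnet.nl"
KEYS = {"idp.example.edu": b"constructed-idp-key", GATEWAY: b"constructed-gw-key"}
# Attribute release policy (ARP) enforced at the gateway, per service provider.
ARP = {"sp.example.org": {"uid", "mail"}}  # constructed policy

def sign(issuer, msg):
    """Deterministic MAC over every field except the signature itself."""
    body = json.dumps({k: v for k, v in msg.items() if k != "sig"}, sort_keys=True)
    return hmac.new(KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()

class Gateway:
    """Stateful processing gateway: keeps each outstanding SP request (memcached on the real nodes, a dict here)."""
    def __init__(self):
        self.pending = {}
    def on_sp_request(self, sp_id, sp_request_id, idp_id):
        # SSO1 request in -> SSO2 request out. The IDP only ever sees one SP,
        # the gateway, so the outbound request carries the gateway's own id.
        gw_request_id = secrets.token_hex(8)
        self.pending[gw_request_id] = (sp_id, sp_request_id, time.time())
        return {"issuer": GATEWAY, "id": gw_request_id, "destination": idp_id}

    def on_idp_response(self, resp, max_age=300):
        # SSO2 response in -> SSO1 response out, after the relying-party checks.
        state = self.pending.pop(resp["in_response_to"], None)  # single use
        if state is None:
            raise ValueError("unsolicited or replayed response")
        sp_id, sp_request_id, issued_at = state
        if time.time() - issued_at > max_age:
            raise ValueError("outstanding request expired")
        if resp["audience"] != GATEWAY:
            raise ValueError("assertion not addressed to the gateway")
        if resp["issuer"] not in KEYS or not hmac.compare_digest(
                sign(resp["issuer"], resp), resp["sig"]):
            raise ValueError("IDP unknown or signature does not verify")
        # ARP filter, then re-sign as the trusted third party the SP relies on.
        attrs = {k: v for k, v in resp["attrs"].items() if k in ARP.get(sp_id, ())}
        out = {"issuer": GATEWAY, "in_response_to": sp_request_id,
               "audience": sp_id, "subject": resp["subject"], "attrs": attrs}
        out["sig"] = sign(GATEWAY, out)
        return out

def idp_response(idp_id, gw_request_id, subject, attrs):
    """Constructed IDP answer signed with the IDP's key (stands in for the IDP)."""
    resp = {"issuer": idp_id, "in_response_to": gw_request_id,
            "audience": GATEWAY, "subject": subject, "attrs": attrs}
    resp["sig"] = sign(idp_id, resp)
    return resp
```

The SP never sees the IDP's signature, only the gateway's, which is the "signed responses" half of the TTP trade-off on slide 11; the single-use pending entry is what a pure stateless switch could not offer.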

Page 12: Future Developments

- Web-services (gateway as WS-Trust STS!)
- Cross-layer identity (unified SSO)
- Identity-as-a-Service extensions
- User Centric privacy extensions: user consent
- Geneva
- SURFnet services: OpenID
- Confederations: Kennisnet, EduGAIN

Page 13: SURFnet Service Provider

- SURFnet plays three roles in the SURFfederatie:
  - Federation operator, gateway
  - IDP, for SURFnet employees
  - SP, for services offered by SURFnet to federation members
- Services are connected via a proxy
- Proxy is running phpFederate

Page 14: SURFnet Service Provider

[Diagram: the SURFnet Service Provider proxy sits between the SURFfederatie gateway and the services SURFmedia, SURFmailfilter and SURFdomeinen, with the SP and IDP roles marked on each hop.]

Page 15: Proxy benefits

- Protocol translation:
  - Hook up any service using A-Select/Shibboleth/SAML/WS-Federation
- Centralize features needed for all services:
  - Access Control
  - Attribute enrichment
  - Guest access to selected services
  - Migrating user data when users switch identity

Page 16: Guest access

[Diagram: a Guest IDP connected alongside the SURFfederatie IDPs to the SURFnet Service Provider proxy, which fronts SURFmedia, SURFmailfilter and SURFdomeinen.]

Page 17: Attribute enrichment

[Diagram: the SURFnet Service Provider proxy adds attributes from an attribute database to those received from the SURFfederatie IDPs before passing them on to SURFmedia, SURFmailfilter and SURFdomeinen.]

Page 18: Current developments

- OpenID Gateway:
  - SURFnet SP as OpenID RP (guest access)
  - SURFfederatie as OpenID Provider (requires user consent)
- Federated Groups
  - Join people from multiple IDPs into groups
  - Centrally managed
  - Across multiple services
- Federated directory
- Step-up authentication (introduce second factor)
  - OTP per SMS
  - Mobile PKI (authN using private key on SIM)

Page 19: OpenID protocol handler

[Diagram: the SURFnet Service Provider proxy with an OpenID RP handler, accepting an external OpenID Provider next to the SURFfederatie IDPs, in front of SURFmedia, SURFmailfilter and SURFdomeinen.]

Page 20: Mobile PKI

[Screenshot: "Mobile PKI web page access"]

You are accessing a web service using Mobile PKI

Signing access code: 52745

Page 21: Conclusions

- Rapid deployment: 500.000 users
- From gateway towards Identity-as-a-Service
- Outlook: from use-once-a-month content towards every-day use hosted web applications