Brook Schofield, TERENA TICAL th May Europe'La*n'America' Collabora*ve'e Infrastructure' for'research'ac*vi*es' ' TICAL2014'' '

Transcription

1 Brook Schofield, TERENA TICAL th May 2014 Europe'La*n'America' Collabora*ve'e Infrastructure' for'research'ac*vi*es' ' TICAL2014'' '

2 ' About'me ' Brook%Schofield% skype://brookschofield tel: linkedin.com/in/brookschofield I work at TERENA. edugain Task Leader in the GN3plus Project. eduroam Global Governance Secretary. ELCIRA Project participant.

3 The'Situa*on'on'Campus:' Lots'of'Applica*ons' More%applica1ons%for%students%and%researchers% Applica1ons%require%authen1ca1on%and%authoriza1on%

4 Lots'of'Applica*ons'!'Lots'of'Passwords' One%password%for%each%applica1on%does%not%scale% Tons%of%passwords%to%manage%for%users%and%service%operators% Varying%degree%of%password%security% Increased%helpdesk/user%work%due%to%password%resets% Collabora1ve%usage%of%applica1ons%is%difficult%

5 The'Solu*on:' Iden*ty'Management' Create%an%(iden1ty)%federa1on:% Mul1ple%organisa1ons/services%agree%on%% common%technical%and%legal%standards' Deploy%Iden1ty%and%Service%Providers% Mutually%trust%each%other's%asser1ons% Collaborate,%e.g.%common%eOlearning% One%login%name%and%password%for%users% Password%entered%only%at%home%login%page%% Many%countries%have%na1onal%academic%iden1ty%% federa1ons%today!% First%Academic%Iden1ty%Federa1ons%started%in%midO2000s%

6 Authen*ca*on'services'you' already'use '

7 Hub&Spoke'Federa*on'with' Central'Login' ~5%'of%all%Federa1ons% Organisation FEIDE% Also%used%by% Facebook% DB DB IdP DB TwiWer% Google+% Requires% trust %in%% the%operator% DB User Directory Service Provider Hub with Central Login SAML Assertion Flow Connection to User Directory

8 Hub&Spoke'Federa*on'with' Distributed'Login' ~15%'of%Federa1ons% SURFconext% WAYF%(Denmark)% SIR% Organisation DB IdP TAAT% Confia% Operator%can%see%the%% content %of%auth%% messages% Service Provider User Directory DB IdP Identity Provider DS Hub IdP Central Discovery Service IdP DB IdP DB % SAML Assertion Flow Connection to User Directory

9 ' Full'Mesh'Federa*on' ~80%'of%Federa1ons% COFRe% CAFe% InCommon% UKAMF% SWAMID% HAKA% AAF% Organisation DB DB IdP (Local) Discovery Service IdP DS DS IdP DS DB DS Central Discovery Service DS IdP DB SWITCHaai%...% User Directory Identity Provider Service Provider SAML Assertion Flow Connection to User Directory

10 Iden*ty'Federa*ons' World'Wide' Last update May Production Federations 17 Pilot Federations

11 Iden*ty'Federa*ons'Are' Tradi*onally'Na*onal' All'Federa*ons:' " Support%SAML2% " educa1on%&%research% " Use%same/similar%% user%awributes%

12 eduroam' 'roam'across'borders' eduroam Pilot :-( 12%

13 eduroam'in'la*n'america' %8%produc1on%deployments% Argen1na,%Brazil,%Chile,% Colombia,%Costa%Rica,% Ecuador,%Mexico,%Peru! %4%pilot%deployments% El%Salvador,%Nicaragua,% Uruguay,%Venezuela% %>%9%Missing% Bolivia,%%Guatemala,% Honduras,%Panama,%Paraguay,% Guyana% Caribbean% Belize,%French%Guiana,% Suriname% ' eduroam Pilot :-(

14 Global'Authen*ca*on' INfrastructure'

15 Who,'What,'Where,'When,' Why'and'How'of'eduGAIN' Provide'legal'and'technical'frameworks'to'make'Iden*ty' Federa*ons'interoperate'=='interfederate'

16 ' Who'is'Behind'eduGAIN?' Key'Personnel' Opera1onal%Team%(Tomasz%Wolniewicz,%UMK,%PL)% Policy%&%Code%of%Conduct%(Mikael%Linden,%CSC,%FI)% Emerging%Federa1ons%(Brook%Schofield/Nadia%Sluer,% TERENA,%NL)% FaaS%(Marina%Vermezovic,%AMRES,%RS/Valter%Nordh,% SWAMID,%SE)% Engaging%User%Communi1es%(Lukas%Hämmerle/Ann% Harding,%SWITCH,%CH)% %

17 ' and'how'is'it'governed?' Governing'Structure' edugain'steering'group'(esg)' Each%member%federa1on%has%one%representa1ve.% Votes%on%which%new%federa1ons%are%accepted%or% policy%changes.%% edugain'execu*ve'commi]ee'(eec)' Approves%changes%to%the%cons1tu1on%and%has%veto% right.%nominated%by%geant%execu1ve%commiwee.% %

18 Interfedera*on'with' edugain' Global%Authen1ca1on%INfrastructure%for%educa1on% An%interfedera1on%service%primarily%for%Research%&% Educa1on% Connects%exis1ng%SAMLObased%academic%iden1ty% federa*ons% Developed%and%funded%by%European%GÉANT%projects% ( federa1ons% Web site: %

19 What'Is'it?' and'how'does'it'work?' % edugain Declaration edugain Constitution Web SSO Profile Metadata Profile Attribute Profile Code of Conduct MDS%fetches,%aggregates%and%republishes%metadata%% edugain%provides%policy%framework%and%standards%to%build% trust%

20 More'"Realis*c"' Architecture'

21 ' Phonebook 'Tools Ques*on' SWITCH'RR' Fed'Reg'AAF' JAGGERcRR' pyff' JANUScS' IncHouse' Which% Federa1on?% SWITCHaai,% Haka,%NIIF,% Edugate% AAF,%Tuakiri% (NZ),%CAFe% Edugate,% RCTSaai,% IDEM,%CAF,% iamres,% FaaS % SWAMID,% ACOnet% WAYF,% SURFconext% Belnet,% RENATER,% AAI@EduHR% Customisa1on% Lots% Limited% Community% Community% Lots% Language% PHP% Java%(v1)% Groovy%(v2)% Scala% Missing% Features% Dependent% on%version% of%soqware.% optoin/out,% MDUI,%MD% Aggrega1on% PHP% Python% PHP% XSLT,%Perl,% PHP% UI,%UX,% Signing,% Real1me% Aggrega1on% SelfOService% * optoin/ out,%md% Aggrega1on% SelfOService,% op1n/out,% MDUI,% MD% Aggregate% *Process%available%but%requires%documenta1on.% % NB:O%Signing%of%metadata%outside%the%scope%of%these%tools% %solu1ons%exist.%

22 edugain:' Legal'Trust'and'Profiles' edugain%declara1on%(3%pages)% Signed%by%each%Member%Federa1on% Contains%13%rules%that%federa1ons% promise%to%obey% edugain%cons1tu1on%(10%pages)% Profiles%for%SAML,%Metadata,% AWributes,%...% GEANT%Data%Protec1on%Code%of% Conduct%% Declara1on%of%Service%Providers%to% "behave%well"%with%user%data% Applicable%in%EU/EEA%or%similar%

23 ' h]p://edugain.org/policy'

24 ' GÉANT'Code'of'Conduct' 25 EEA Data Protection 5 EEA Compatible DP 1 Safe Harbor (USA) 17 Federation outside GÉANT CoC (5 in or joining)

25 GÉANT'Data'Protec*on' Code'of'Conduct' Only%Argen1na%in%La1n%America%is%covered% Significant%piece%of%work%with%huge%impact% Poten'ally%covers%a%large%por1on%of%the%community% 30%of%the%47%Federa1ons%(31%of%48%countries)% Adop1on%+%use%s1ll%required.% Technology%works%with%Shibboleth%IdP.% In%Development%for%simpleSAMLphp%+%Federa1on%Metadata%Registry% Tools.% Scalable%solu1on%for%the%other%17/18%Federa1ons/ Countries?% Export%out%of%Europe%is%the%problem%to%be%solved!%

26 History'of'eduGAIN' 2006% %Research%project%within%GN2% Trailed%various%architectures,%technologies%+% protocols% 2009% %Promoted%to%a%service%in%GN3% Path%forward%was%Mesh%&%SAML2% 2011% %Launched%to%the%federa1on%community% 2013% %Renewed%as%a%service%in%GN3+% 2014% %All%produc1on%federa1ons%have%joined%

27 ' edugain'&'federa*ons' 1 April edugain Members 2 Joining edugain 9 Candidate Federation!

28 ' edugain'&'federa*ons' 1 April edugain Members 6 Joining edugain 1 Candidate Federation!

29 ' edugain'&'federa*ons' 15 April edugain Members 7 Joining edugain 0 Candidate Federation

30 ' edugain'&'federa*ons' 15 April edugain Members 7 Joining edugain 0 Candidate Federation

31 ' edugain'&'federa*ons' 15 April edugain Members 7 Joining edugain 0 Candidate Federation! 17 Other Federations

32 edugain:' Some'Sta*s*cs' April'2011:'Official%start%of%eduGAIN' Nov'2013:'21'Federa*ons%are%members%(50%)% Apr'2014:'24'Federa*ons%are%members%(51%)' En**es:'253'IdPs,'117's'(369'in'total)' One%IdP%can%represent%for%dozens%of%organisa1ons%and%services% depending%on%federa1on%architecture%=>%actual%numbers%are%higher' Whole'(academic)'SAML'landscape:' 47'Federa*ons,'2539'IdPs,'5280's' Not%all%of%them%need%to%be%interfederated,%e.g.% many%internal%s% Numbers%from%May%2014%

33 Iden*ty'Federa*ons'' and'la*n'america' edugain%par1cipant% Brazil%(CAFe)% Chile%(COFRe)% edugain%candidate% Colombia%(COLFIRE)% Emerging%Federa1ons% Argen1na,%Costa%Rica,% Ecuador,%El%Salvador,%% Mexico,%Peru% % edugain Member Joining edugain Candidate Federation! Pilot Federation MoU Signed with ELCIRA

34 Why'do'eduGAIN?'

35 ' Interfedera*on'Use'Cases' Researchers' Oqen%work%together%in%interna1onal%research%projects,%which%operate%many% webobased%services%that%need%authen1ca1on.%services%are%in%different% countries/federa1ons.%thanks%to%interfedera1on%researchers%can%use%their% ins1tu1on's%account.% % % Lecturers' Can%start%eOlearning%collabora1ons%across%country%borders.%Create%(costly)%eO learning%content%collabora1vely%or%easier%"sell"%it%to%other%universi1es%abroad.% % % Content'Publishers' Companies%like%Elsevier/Thomson%Reuters/etc.%already%joined%mul1ple%iden1ty% federa1ons.%cumbersome%for%them%and%for%federa1on%operators.%% Thanks%to%Interfedera1on:%Join%one,%be%connected%to%many!%

36 Lots'of'Federa*ons' Slide 36

37 Which'federa*on'do'I'join' first?' Large%federa1ons%are% more%interes1ng%for% commercial%suppliers% How%to%focus%on%customers% %not%size?% why%not%focus%on%customers%and%size!% edugain%is%not%a%federa1on % but%if%it%was%it%would%be%the%6 th %largest%

38 hwp://memegenerator.net/ instance/ %

39 How'do'I'eduGAIN?'

40 Federa*on'Development' Campus% Username/Password%Store%for%AuthN% IdP% Expose%Campus%IdM%via%SAML/RADIUS% Federa1on% Aggregates%IdPs%&%s;%Builds%Trust% edugain% Aggregates%Federa1ons%

41 Federa*on'Development' Criteria' Pilot% Name,%Webpage,%Metadata%Feed% Produc1on% Policy%for%IdPs%&%s% Candidate% Metadata%Registra1on%Prac1ce%Statement% edugain% Declara1on%Signed,%Metadata%Feed%Validated%

42 *'''INCA'(Peru)' INCA%run%by%RAAP% Iden1dad%Nacional%para%el%Conocimiento%y% auten1cación%(inca)%% Iden1ty%for%Na1onal%Knowledge%and%Authen1ca1on% (INKA)%% Started%opera1on%in%lateO2013%midO2014% Joined%eduGAIN%in%lateO2013%earlyO2015%;O)% *This%is%NOT%their%logo!!%

43 *'''MATE'(Argen*na)' MATE%run%by%INNOVA RED% Marco%para%el%Acceso%a%la%Tecnología%y%la% Educación%(MATE)% Model%for%Access%to%Technology%and%Educa1on% (MATE)% Started%opera1on%in%late%2013%2014% Joined%eduGAIN%in%earlyO2014%lateO2014%;O)% % *This%is%NOT%their%logo%(nor%their%name)!!%

44 Federa*on'Development' Technology% % % % % %%% % % % %%%Policy%

45 Federa*on'Development' Technology% ==%Pilot% % % % %%% % % % %%%Policy% % % % %%%==Produc1on%

46 Federa*on'Development' Technology% =>Campus% % % % %%% % % % %%%Policy% % % % %%% % % % %=>NREN%

47 Technology'=='Pilot' Federa1on%Core%Services% Rou1ng % Discovery% Federa1on% En11es %(IdPs/s)% Shibboleth% simplesamlphp% PySAML% ADFS%

48 Technology'=='Pilot' NREN%as%Federa1on%Operator% Rou1ng % Discovery% Campus,%Content%Providers,%Research%Infrastructures% Shibboleth% simplesamlphp% PySAML% ADFS%

49 ' Federa*on'Architectures'

50 Rou*ng '&'Discovery' Full%Mesh% Hub&Spoke%with % Centralised%Login% Distributed%Login% Can%be%a%combina1on%

51 Rou*ng 'Tools Ques*on' SWITCH'RR' Fed'Reg'AAF' JAGGERcRR' pyff' JANUScS' IncHouse' Which% Federa1on?% SWITCHaai,% Haka,%NIIF,% Edugate% AAF,%Tuakiri% (NZ),%CAFe% Edugate,% RCTSaai,% IDEM,%CAF,% iamres,% FaaS % SWAMID,% ACOnet% WAYF,% SURFconext% Belnet,% RENATER,% AAI@EduHR% Customisa1on% Lots% Limited% Community% Community% Lots% Language% PHP% Java%(v1)% Groovy%(v2)% Scala% Missing% Features% Dependent% on%version% of%soqware.% optoin/out,% MDUI,%MD% Aggrega1on% PHP% Python% PHP% XSLT,%Perl,% PHP% UI,%UX,% Signing,% Real1me% Aggrega1on% SelfOService% * optoin/ out,%md% Aggrega1on% SelfOService,% op1n/out,% MDUI,% MD% Aggregate% *Process%available%but%requires%documenta1on.% % NB:O%Signing%of%metadata%outside%the%scope%of%these%tools% %solu1ons%exist.%

52 More'that'one'choice'is' simplesamlphp% PHP% good ' Mul1Olingual%support% Shibboleth% IdP%is%Java,%%is%C/mod_shib% Runs%within%Apache%Tomcat% PySAML2%% Python% Many%plugOins%or%modules%available%for%common%tools.% Benefits%are%greater%than%using%LDAP.%

53 NRENs'Role' </pilot>! % % % % %%% % % % %%%Policy% % % % %%%==Produc1on%

54 Policy' Don t%write%your%own % That s%not%what%we%meant%to%do % You ll%make%mistakes% %even%edugain%made%mistakes% GÉANT% Policy%Template %useful%for%federa1ons% Policy%is%in%English% %but%this%isn t%a%problem% Analysed%15%policy%documents% Found%the% best%of %and%provided%example%text% See%EuroCAMP%November%2012%for%more %

55 Iden*ty'Federa*on'Policy' document'suite' Technology Profile eduroam Technology Profile Web single sign-on Level of Assurance Profiles Identity Federation Policy (main) Data Protection Profile Federation Operational Practices Appendix Governance Appendix Fees Appendices Identity Federation Policy document

56 Metadata'Registra*on' Prac*ce'Statement' This%is%a%requirement%for%eduGAIN% All%statements%published%on%eduGAIN% website% hwp://edugain.org/technical/status.php% Inconsistent%format%between%federa1on% REFEDS%FOP%to%the%rescue%

57 Federa*on'Operator' Prac*ce'document'suite' Metadata Registration Practice Statement Key Management Practice Statement Federation Operator Practice Monitoring Practice Statement Assurance Practice Statement Appendix x Appendix y Appendices Federation Operator Identity Practice Federation Statement Policy document

58 What'to'NOT'focus'on?' Wai1ng%un1l% % NRENx%has%their%federa1on%in% produc1on.% NRENy%is%a%member%of%eduGAIN.% A% killer%app %is%found.% Other %or%future%federa1on%technologies% OpenID%Connect%+%OAuth%are%being%explored.% Hub&Spoke%gateways%already%exist.% Connec1ng%to% other %federa1ons% Let%eduGAIN%do%that%for%you.% Bilateral%peerings%only%solves%THEIR%problem.%

59 ' What'to'focus'on?' Federa1ng%your%campus%systems% Talk%to%your%researchers,%staff%&%students% Inves1gate%key%services% Intranet%and%Website% Webmail% Google%Apps%for%Educa1on,%Microsoq%365% eolearning% %Moodle,%Desire2Learn% Talk%to%your%librarian%about%Journal%Access% Find%your%own% killer%app.%

60 Next'steps ' Deploy%eduroam%!%Use%it%at%TICAL2015% Pick%a%campus%federa1on%architecture:% Hub&Spoke%or%Mesh% Deploy%an%IdP% PySAML2,%simpleSAMLphp,%Shibboleth% Connect%with%your%NRENs%pilot%Federa1on% Connect%with%the%community% Country,%La1n%America%and%Globally% Federate%your%services%

61 A'family'of'services'

62 Join'eduGAIN'and'solve' problems ' ' ' ' ' ' ' ' ' ' Solving'problems'is'a'partnership.'

63 </end>' Brook%Schofield%