Edugate/IE Federation - Glenn Wearen, Edugate Federation Operator, HEAnet


The Edugate federation has been in operation in Ireland for two years. As your nearest neighbouring federation, we have looked on with envy as the gardens of the UK federation matured, but we have been busy growing on our side of the fence too and we will present some of the tools that can be borrowed from our shed and show our finest exhibits that are ready for cross-pollination.

  • 1. Edugate - Glenn Wearen, HEAnet.
  • 2. Introduction: HEAnet - Ireland’s Research and Education Network. Edugate - Ireland’s Federated Access Management system for Higher Education
  • 3. Edugate: • 31+ Higher Education Institutions (IdPs) • All Universities • All Institutes of Technology • No private colleges • 42+ Member Service Providers (SPs) • 12 Publishers • 6 HEAnet shared services • 5 Student Discount • 29+ Non-member Service Providers • 50k logins per day
  • 4. Edugate Model: Distributed (Mesh) federation • Identity Providers: 100% Shibboleth, deployed on-campus. • Service Providers: 80% Shibboleth, 10% SimpleSAMLphp, Others (Tivoli FIM, ADFS, WIF2). Centralised management • Web GUI to manage attribute release policy and bilateral trusts • Statistics collection (Raptor & Cacti) • Monitoring (IdP up/down, clock sync)
  • 5. Edugate Rules: Policy based on UK Federation • addition of ‘Attribute Declarations’ • Service Providers must declare and justify what attributes they require or desire on joining • Identity Provider must publish its release policy • Federation, Specific, Custom & Default • exclusion of ‘Interfederation’ • Rewrite of rules required for eduGAIN and UK MDX
  • 6. Edugate Rules: Policy based on UK Federation • Provide logs in the event of dispute, including raw SAML statements • No auditing of identity data • Minimum uptime per-entity required (9 months out of 12)
  • 7. Edugate Technical Specification: Schema • eduPersonTargetedID • eduPersonPrincipalName • eduPersonEntitlement • givenName, surname • email • organizationName • eduPersonScopedAffiliation**
  • 8. Edugate Technical Specification: Protocol • SAML2 only (SAML2int specifically) • Some publishers only recently adding SAML2 support (but WAYF/DiscoveryService often overlooked) • Absence of AttributeQuery (backchannel) lowers the burden for Edugate operations team and institutional administrators, but excludes advanced use cases
  • 9. Edugate Operations: • Deploy and configure identity provider • Including ‘best practices’ • PersistentID • Customised login page • uApprove consent • Integration guidance and advice for Service Providers (who are new to SAML) • Deploy and configure for HEAnet web hosting customers • Workshops
  • 10. Edugate Tools: Edugate Resource Registry - produces Metadata and Shibboleth Attribute Release Policy. Raptor & Cacti - central federation statistics. Nagios - central federation monitoring.
  • 11. Edugate Resource Registry
  • 12. Resource Registry: Opensource’d on in two more federations. Manage your campus federation.
  • 13. Edugate Statistics & Monitoring: Cacti polls each Shibboleth IdP URL for statistics
  • 14. Specific IdP
  • 15. Aggregate
  • 16. Raptor: Trialed since June 2012. Production deployment December. • What is the most widely used Edugate service? • What service does my institution use most? • Can I stop releasing attributes to service X? • Identifies unexpected patterns.
  • 17. Raptor
  • 18. Nagios: Ping up/down. SSL Certificate check. Shibboleth OK message:
        define command{
            command_name check_https_shibidp
            command_line $USER1$/check_http -S -H $HOSTADDRESS$ -u /idp/profile/Status -e "HTTP/1.1 200" -s "ok"
        }
  • 19. Weathermap
  • 20. Interfederation / MDX: UK MetaData eXchange (in progress). Use-cases • All Ireland Research Projects • Gaelic language projects • UK & Ireland e-tailers (student discount) • Publishers (‘Select your region - UK & Ireland’) • More use-cases? Expression of Interest.
  • 21. Thank you HEAnet Middleware @EdugateIE
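
The monitoring items from slides 4 and 18 (IdP up/down, the Shibboleth "ok" message, clock sync) combined into one Nagios-style evaluation, as an added example that is not part of the original slides or of Edugate's tooling. The function name, the 60-second tolerance, the constructed sample responses and the use of the HTTP Date header as a rough clock-sync signal are assumptions; clock drift matters here because SAML assertions carry validity timestamps.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

OK, WARNING, CRITICAL = 0, 1, 2  # standard Nagios plugin exit codes
MAX_SKEW_SECONDS = 60            # assumed tolerance, not an Edugate figure

# Constructed sample responses, not captured from a real IdP.
SAMPLE_UP = (b"HTTP/1.1 200 OK\r\nDate: Tue, 05 Mar 2013 10:00:00 GMT\r\n"
             b"Content-Type: text/plain\r\n\r\nok\n")
SAMPLE_DOWN = b"HTTP/1.1 503 Service Unavailable\r\n\r\n"
SAMPLE_NOW = datetime(2013, 3, 5, 10, 0, 20, tzinfo=timezone.utc)


def check_idp_status(raw_response, observed_at):
    """Return (exit_code, message) for one raw /idp/profile/Status response."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    # Same expectation as check_http -e "HTTP/1.1 200"
    if not lines[0].startswith("HTTP/1.1 200"):
        return CRITICAL, f"CRITICAL - unexpected status line {lines[0]!r}"
    # Same expectation as check_http -s "ok"
    if b"ok" not in body:
        return CRITICAL, "CRITICAL - status page does not contain 'ok'"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    try:
        server_time = parsedate_to_datetime(headers["date"])
    except (KeyError, TypeError, ValueError):
        return WARNING, "WARNING - IdP up, but Date header missing or unparseable"
    if server_time.tzinfo is None:  # "-0000" zone parses as naive; treat as UTC
        server_time = server_time.replace(tzinfo=timezone.utc)
    skew = abs((server_time - observed_at).total_seconds())
    if skew > MAX_SKEW_SECONDS:
        return WARNING, f"WARNING - IdP up, but clock differs by {skew:.0f}s"
    return OK, f"OK - IdP status ok, clock skew {skew:.0f}s"


if __name__ == "__main__":
    for sample in (SAMPLE_UP, SAMPLE_DOWN):
        print(check_idp_status(sample, SAMPLE_NOW)[1])
```

The Date header has one-second resolution and includes network latency, so this only flags gross drift; it complements NTP monitoring on the IdP host rather than replacing it.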