Inter-federating SURFfederatie - Joost van Dijk

Speaker notes
  • Proxy needed to be able to do protocol translation; advantage: only one connection to set up. It does mean that the IDP sees only one 'SP' and does not set up/enable a connection per SP. So we will have to do that for them.
  • Paul van Dijk Product Manager SURFnet
  • Example case for eduGAIN: Apple won't subscribe to all feds in Europe individually
Transcript

1. Inter-federating SURFfederatie
  • And other developments in the Dutch Identity Federation for Higher Education
  FAM11 – Federated Access Management Conference, 9 November 2011

2. Content
  • SURFfederatie
  • SURFconext
  • Interfederation efforts
  • tiqr
  • Future changes

4. Federation models (communication/login, not metadata)
  • 1-1: business (US), SAML 1.x, de facto
  • NxN: shared trust, point-to-point (pt2pt); education (US/Europe)
  • 2xN: central gateway (CFC), protocol translation
  • SURFfederatie = CFC, IDP, SP
  [Diagram: IDP/SP pairs connected through the CFC]

5. Functional view (since August 2008)
  [Diagram: Identity Providers (credentials) on one side, Service Providers (applications) on the other, joined by the SURFfederatie Central Federation Components (CFC); protocols on both sides: A-Select Cross, Shibboleth/SAML 2.0, WS-Fed/ADFS]

6. IDP Protocols
  [Chart; no data in the transcript]

7. IDP Products
  [Chart; no data in the transcript]

8. Some numbers
  • IdPs (83)
    • 42 SAML 2.0
    • 28* WS-Federation (ADFS) (* 8 proxied)
    • 7 A-Select
  • SPs (55+)
    • Google Apps, foodle, live@edu, CLARIN (7), several publishers, libraries, webshops, SURFconext, …
  • ≈ 700k users
  • ≈ 20k logins/SSO per (working) day
  • (Technically) connected to eduGAIN

9. Metadata & proxying
  [Diagram: IDP 1–3 and SP 1–3 are each connected only to the hub (WAYF). The hub keeps one record per entity: IDP1=B-1, IDP2=B-2, IDP3=B-3; SP1=A-1 {IDP1, IDP2}, SP2=A-2 {IDP2, IDP3}, SP3=A-3 {all}, where the set after an SP record is the IDPs that SP may use]

10. WAYF/WAYF-less operation
  [Diagram: IDP 1–3, SP 1–3 and the hub's WAYF]

11. Why Hub & Spoke? "Federation as a Service"
  • Protocol translation
  • Decouples IDPs from SPs: easier to
    • migrate
    • adapt to specific IDP/SP requirements
  • Minimal overhead for IDPs
    • One single connection to maintain for IDPs/SPs
    • Less expertise required for IDP/SP
  • Extra features easier to do
    • Web services
    • Group support
  • Easy to monitor
  • Easy to do statistics

12. SURFconext – Collaboration Infrastructure

13. SURFfederatie (SAML) + SURFteams (Grouper) + OpenSocial + Collaboration tools

16. SURFfederatie vs SURFconext
  [Diagram: SURFfederatie linking IDP 1–3 and SP 1–3 in federation x; SURFconext behind a proxy with SP 4 and SP 5, also reached from federation y]

17. Traditional Organisations
  • Supporting Services: SURFfederatie, SURFteams, OpenSocial
  [Diagram: Apps.Erasmus, Apps.Groningen, Apps.Leiden]

18. Virtual Organisations: Netherlands BioInformatics Centre (NBIC)
  • Supporting Services: SURFfederatie, SURFteams, OpenSocial
  [Diagram: NBIC Group (N=66) drawn from institutional members (N=6, N=10, N=30) and Guests (N=20) through a Virtual IdP; services: Apps.NBIC.nl, myExperiment, PubMed, grid resources, publishers]

19. eduGAIN
  • Enables Web SSO across federations
  • Opt-in model for IDPs and SPs

20. Inter-federation efforts
  • Kennisnet Federatie
    • 2011 pilot
    • selected services
  • CLARIN
    • SP federation
    • since 2010
  • Kalmar 2
    • 2012?
  • eduGAIN
    • since July 2011

21. Implementing eduGAIN support
  • Policy
    • abandon SP fees!
  • Technical
    • attributes
    • metadata
  • Operational
    • pull metadata from mds.edugain.org
    • publish metadata (for eduGAIN to pull from)
  • None of these required at our SPs/IDPs, except for the opt-in procedure!

22. Importing eduGAIN SPs
  [Diagram: the hub table from slide 9 gains SPz=A-z {IDP2, IDP3}; of the eduGAIN entities SPx=ddd, SPy=eee, SPz=fff, only SP z is imported]

23. Exporting IDPs
  [Diagram: same table; the hub publishes IDP3=B-3 to eduGAIN]

24. Exporting SPs to eduGAIN
  [Diagram: same table; the hub publishes SP3=SP3 to eduGAIN, and an eduGAIN IDP z becomes reachable]

25. SP auth list (optional)
  [Diagram: same table, now with eduGAIN IDPx, IDPy, IDPz; per-SP auth list for SP3: IDP1, IDP2, IDPz]
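Slides 9 and 21–25 describe the hub's metadata table and the eduGAIN steps around it: pull the aggregate, import only opted-in entities, publish only opted-in entities, and optionally restrict each SP to a list of IDPs. The following is an added example, not SURFfederatie code, that models that table in Python. It parses a constructed SAML metadata aggregate standing in for the mds.edugain.org feed, refuses it once validUntil has passed, imports only the entities on an opt-in list, derives the per-SP WAYF list from the SP auth list, and applies that same list as an authorization check on the asserting IDP. The entityIDs, the XML and the label names other than A-1/B-1 from the slides are constructed. One thing a real hub must do and this example does not: verify the XML signature on the aggregate against the eduGAIN signing certificate before trusting any entity in it.

```python
"""Model of a hub-and-spoke federation registry with eduGAIN opt-in.

Added example, not SURFfederatie code. Entity IDs, labels and the metadata
snippet are constructed for illustration. The aggregate's XML signature is
NOT verified here; a real hub must do that before trusting the feed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed stand-in for the aggregate pulled from mds.edugain.org.
EDUGAIN_AGGREGATE = """
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="https://mds.example.net/edugain" validUntil="2011-11-16T12:00:00Z">
  <EntityDescriptor entityID="https://sp-x.example.org/saml"><SPSSODescriptor/></EntityDescriptor>
  <EntityDescriptor entityID="https://sp-y.example.org/saml"><SPSSODescriptor/></EntityDescriptor>
  <EntityDescriptor entityID="https://sp-z.example.org/saml"><SPSSODescriptor/></EntityDescriptor>
  <EntityDescriptor entityID="https://idp-z.example.edu/idp"><IDPSSODescriptor/></EntityDescriptor>
</EntitiesDescriptor>
"""


def _utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def aggregate_is_fresh(xml_text: str, now: str) -> bool:
    """False once validUntil has passed: a stale feed would keep trusting
    entities (and keys) the publisher has since removed."""
    root = ET.fromstring(xml_text)
    return _utc(now) <= _utc(root.get("validUntil"))


def parse_aggregate(xml_text: str, now: str = "2011-11-09T00:00:00Z") -> dict[str, str]:
    """Return {entityID: "sp" | "idp"} from a SAML metadata aggregate."""
    if not aggregate_is_fresh(xml_text, now):
        raise ValueError("aggregate has expired; refusing to load it")
    roles: dict[str, str] = {}
    for ed in ET.fromstring(xml_text).iter(f"{MD}EntityDescriptor"):
        if ed.find(f"{MD}SPSSODescriptor") is not None:
            roles[ed.get("entityID")] = "sp"
        elif ed.find(f"{MD}IDPSSODescriptor") is not None:
            roles[ed.get("entityID")] = "idp"
    return roles


@dataclass
class Hub:
    """The central federation component: one record per connected entity.
    Labels (IDP1, SP1, ...) are the hub's view; values are the entityIDs it
    holds for them (B-1, A-1, ... on the slides)."""
    idps: dict[str, str] = field(default_factory=dict)
    sps: dict[str, str] = field(default_factory=dict)
    # SP label -> labels of the IDPs this SP may use; None means "all".
    auth_list: dict[str, set[str] | None] = field(default_factory=dict)
    exported: set[str] = field(default_factory=set)  # labels opted in to publication

    def import_edugain(self, roles: dict[str, str],
                       opt_in: dict[str, tuple[str, set[str] | None]]) -> None:
        """Load only the aggregate entities the federation has opted in to."""
        for label, (entity_id, allowed) in opt_in.items():
            role = roles.get(entity_id)
            if role is None:
                raise KeyError(f"{entity_id} is not in the aggregate")
            if role == "sp":
                self.sps[label] = entity_id
                self.auth_list[label] = None if allowed is None else set(allowed)
            else:
                self.idps[label] = entity_id

    def wayf_choices(self, sp_label: str) -> list[str]:
        """IDPs the WAYF offers for this SP: its auth list, or every IDP."""
        allowed = self.auth_list[sp_label]
        return sorted(l for l in self.idps if allowed is None or l in allowed)

    def authorize(self, sp_label: str, idp_label: str) -> bool:
        """Enforcement point for an incoming response: the asserting IDP must be
        on the SP's list. Filtering the WAYF alone is not enough, because an
        IDP-initiated or hand-crafted flow never passes through the WAYF."""
        return sp_label in self.sps and idp_label in self.wayf_choices(sp_label)

    def export_feed(self) -> list[str]:
        """entityIDs the hub publishes for eduGAIN to pull: opted-in ones only."""
        records = {**self.sps, **self.idps}
        return sorted(records[label] for label in self.exported)


def build_demo_hub(now: str = "2011-11-09T00:00:00Z") -> Hub:
    """Reproduce the slide sequence: local federation, import, export, SP auth list."""
    hub = Hub(idps={"IDP1": "B-1", "IDP2": "B-2", "IDP3": "B-3"},
              sps={"SP1": "A-1", "SP2": "A-2", "SP3": "A-3"},
              auth_list={"SP1": {"IDP1", "IDP2"}, "SP2": {"IDP2", "IDP3"}, "SP3": None})
    roles = parse_aggregate(EDUGAIN_AGGREGATE, now)
    # Slide 22: import SPz limited to IDP2/IDP3; slide 24: IDPz becomes usable. SPx, SPy stay out.
    hub.import_edugain(roles, {"SPz": ("https://sp-z.example.org/saml", {"IDP2", "IDP3"}),
                               "IDPz": ("https://idp-z.example.edu/idp", None)})
    hub.exported = {"IDP3", "SP3"}                    # slides 23-24: export IDP3 and SP3
    hub.auth_list["SP3"] = {"IDP1", "IDP2", "IDPz"}   # slide 25: optional per-SP auth list
    return hub


if __name__ == "__main__":
    hub = build_demo_hub()
    print("WAYF for SPz:", hub.wayf_choices("SPz"))
    print("WAYF for SP3:", hub.wayf_choices("SP3"))
    print("SP1 may accept IDP3?", hub.authorize("SP1", "IDP3"))
    print("published to eduGAIN:", hub.export_feed())
```

The point of splitting `wayf_choices` from `authorize` is that the WAYF is a convenience, not a control: the proxy has to re-check the asserting IDP against the SP's list when the response comes back, and the same opt-in table drives both what is imported and what is published, so nothing reaches eduGAIN or the local SPs without an explicit entry.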
26. tiqr
  • Secure yet user-friendly way to authenticate to (web)sites using your mobile phone
  • Mobile App behaves as a Challenge/Response token, using open standards
  • "Handsfree": no codes to retype. Uses 2D barcodes (QR) and an Internet connection
  • Open Source, Apps available for both iPhone and Android
  • See: https://tiqr.org/

27. How does it work?
  [Diagram] SURFnet. We make innovation work
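Slide 26 describes tiqr only as a "Challenge/Response token, using open standards". As an added illustration, not tiqr's own code, here is the OATH OCRA algorithm (RFC 6287) in Python, the open standard a phone-as-token scheme of this kind is built on (tiqr does use OCRA, but the slide does not say so, so treat the suite string below as an assumption). The flow modelled: the server generates a random hex challenge and shows it in the QR code together with a session value; the app, which holds the shared secret, computes the response and posts it over its own Internet connection; the server recomputes and compares in constant time. The function names, the `SUITE` string and the key and session values are constructed; the core is checked against the RFC's published test vectors.

```python
"""OCRA (RFC 6287) challenge/response, as used for phone-as-token login.

Added example, not tiqr code. The suite string, keys and session values are
constructed; the algorithm follows RFC 6287 and its test vectors.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

RFC6287_KEY20 = bytes.fromhex("3132333435363738393031323334353637383930")  # RFC 6287 test key


def _hex_bytes(h: str, nbytes: int, pad_left: bool) -> bytes:
    """Hex string to exactly nbytes, zero-padded the way the RFC reference code does
    (challenge: pad on the right; session information: pad on the left)."""
    if len(h) > nbytes * 2:
        raise ValueError("value longer than the field allows")
    h = h.rjust(nbytes * 2, "0") if pad_left else h.ljust(nbytes * 2, "0")
    return bytes.fromhex(h)


def ocra(suite: str, key: bytes, question: str, session: str = "",
         counter: int | None = None) -> str:
    """Compute the OCRA response for one challenge.

    Supported DataInput fields: C (counter), Q[A|N|H]nn (challenge) and
    S[nnn] (session information, default 64 bytes). P and T are not.
    Message = Suite || 0x00 || [C] || Q (128 bytes) || [S].
    """
    _, crypto, data_in = suite.split(":")
    _, hash_name, digits = crypto.split("-")          # e.g. HOTP-SHA1-6
    msg = bytearray(suite.encode("ascii") + b"\x00")
    for part in data_in.split("-"):
        if part == "C":
            if counter is None:
                raise ValueError("suite requires a counter")
            msg += counter.to_bytes(8, "big")
        elif part[0] == "Q":
            fmt, max_len = part[1], int(part[2:])
            if len(question) > max_len:
                raise ValueError("challenge longer than the suite allows")
            if fmt == "N":                             # numeric: decimal -> hex digits
                qhex = format(int(question, 10), "X")
            elif fmt == "H":                           # hex digits as given
                qhex = question.upper()
            else:                                      # "A": ASCII bytes
                qhex = question.encode("ascii").hex()
            msg += _hex_bytes(qhex, 128, pad_left=False)
        elif part[0] == "S":
            slen = int(part[1:]) if len(part) > 1 else 64
            msg += _hex_bytes(session, slen, pad_left=True)
        else:
            raise NotImplementedError(f"DataInput {part} not supported in this example")
    mac = hmac.new(key, bytes(msg), getattr(hashlib, hash_name.lower())).digest()
    offset = mac[-1] & 0x0F                            # HOTP dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** int(digits)).zfill(int(digits))


# Assumed suite for the phone flow: 10 hex-char challenge bound to a 64-byte session value.
SUITE = "OCRA-1:HOTP-SHA1-6:QH10-S064"


def new_challenge() -> str:
    """Server side: fresh random challenge; this is what the QR code carries."""
    return secrets.token_hex(5).upper()               # 10 hex chars


def app_response(secret: bytes, challenge: str, session: str) -> str:
    """Phone side: scan the QR (challenge + session), answer with the shared secret."""
    return ocra(SUITE, secret, challenge, session=session)


def server_verify(secret: bytes, challenge: str, session: str, response: str) -> bool:
    """Server side: recompute and compare in constant time. The session value ties
    the response to the browser session that displayed the QR, so an answer to a
    challenge shown in some other session does not verify here."""
    expected = ocra(SUITE, secret, challenge, session=session)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    secret = secrets.token_bytes(20)
    session = secrets.token_hex(64)                   # 64 bytes, fills S064 exactly
    challenge = new_challenge()
    print(server_verify(secret, challenge, session, app_response(secret, challenge, session)))
```

Two details worth keeping in mind when deploying something like this: the challenge must be single-use on the server side (accept one response per challenge, then discard it), and the session binding in `S` is what stops a response harvested from a QR shown on one page being replayed against a login started elsewhere.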
28. Future plans
  • Integrate with SURFconext
    • Procedural/organisational
    • Technical (level of integration TBD)
  • Change of consent model
    • Opt-in → Opt-out
    • Addition of User Consent
  • Web Service support
    • Needed for (scientific) workflows
  • Rich client/beyond web SSO/mobile support
  • Rethink procedures/management
  • Keys/signing in Hardware Security Module (HSM)

29. Thank you! ?
  • Joost van Dijk
  • joost.vandijk [at] surfnet.nl
  • @joostd
  Presentation released under the Creative Commons "Attribution" license: http://creativecommons.org/licenses/by/3.0/
