Inter-federating SURFfederatie - Joost van Dijk
  • A proxy is needed to do protocol translation; the advantage is that only one connection has to be set up. It does mean that the IdP sees only one 'SP' and does not set up/enable a connection per SP. So we will have to do that for them.
  • Paul van Dijk Product Manager SURFnet
  • example Case for eduGAIN: Apple won’t subscribe to all feds in europe individually

Presentation Transcript

  • Inter-federating SURFfederatie
    • And other developments in the Dutch Identity Federation for Higher Education
    FAM11 – Federated Access Management Conference 9 November 2011
  • Content
    • SURFfederatie
    • SURFconext
    • Interfederation efforts
    • tiqr
    • Future changes
  • Federation models (communication/login, not metadata)
    • 1-1
    • Business US: SAML 1.x
    • de-facto
    • NxN
    • Shared trust , pt2pt
    • Education US/Europe
    • 2xN
    • Central gateway (CFC)
    • protocol translation
    • SURFfederatie = CFC, IDP, SP
    (Diagram: the CFC hub, with each IDP and SP connected to it.)
  • Functional view (since August 2008)
    (Diagram: Identity Providers (credentials) on one side and Service Providers (applications) on the other, connected through the SURFfederatie Central Federation Components (CFC); protocols on both sides: A-Select Cross, Shibboleth, SAML 2.0, WS-Fed / ADFS.)
  • IDP Protocols
  • IDP Products
  • Some numbers
    • IdPs (83)
      • 42 SAML 2.0
      • 28* WS-Federation (ADFS)
        • (* 8 proxied)
      • 7 A-Select
    • SPs (55+)
      • Google apps, foodle, live@edu, CLARIN (7), several publishers, libraries, webshops, SURFconext, …
    • ≈ 700k users
    • ≈ 20k logins/sso per (working) day
    • (Technically) connected to eduGAIN
  • Metadata & proxying
    (Diagram: IDP 1, 2, 3 and SP 1, 2, 3 connected through the hub and its WAYF. Hub-side aliases: IDP1=B-1, IDP2=B-2, IDP3=B-3; SP1=A-1 {IDP1, IDP2}, SP2=A-2 {IDP2, IDP3}, SP3=A-3 {all}.)
  • WAYF/WAYF-less operation
    (Diagram: IDP 1, 2, 3 and SP 1, 2, 3 connected through the hub, with and without the WAYF.)
  • Why Hub & Spoke? “Federation as a Service”
    • Protocol translation
    • Decouples IDPs from SPs: easier to
      • migrate
      • adapt to specific IDP/SP requirements
    • Minimal overhead for IDPs
      • One single connection to maintain for IDPs/SPs
      • Less expertise required for IDP/SP
    • Extra features easier to do
      • Web services
      • Group support
    • Easy to monitor
    • Easy to do statistics
  • SURFconext – Collaboration Infrastructure
    • SURFfederatie SAML
    • SURFteams (grouper)
    • OpenSocial
    • Collaboration tools
    (Diagram: SURFfederatie SAML + SURFteams + OpenSocial + collaboration tools = SURFconext.)
  • SURFfederatie vs SURFconext
    (Diagram comparing the two: SURFfederatie with IDP 1, 2, 3 and SP 1, 2, 3; SURFconext acting as a proxy toward federation x and federation y, with SP 4 and SP 5.)
  • Traditional Organisations
    • Supporting Services
    • SURFfederatie
    • SURFteams
    • OpenSocial
    (Diagram: Apps.Erasmus, Apps.Groningen, Apps.Leiden, each using the supporting services.)
  • Virtual Organisations Netherlands BioInformatics Centre (NBIC)
    • Supporting Services
    • SURFfederatie
    • SURFteams
    • OpenSocial
    (Diagram: NBIC group of N=66 users (N=6, N=10, N=30, guests N=20) behind a Virtual IdP, using Apps.NBIC.nl, My Experiment, PubMed, Grid res., publishers.)
  • eduGAIN
    • Enables Web SSO across federations
    • Opt-in model for IDPs and SPs
  • Inter-federation efforts
    • Kennisnet Federatie
      • 2011 pilot
      • selected services
    • CLARIN
      • SP federation
      • since 2010
    • Kalmar 2
      • 2012?
    • eduGAIN
      • since July 2011
  • Implementing eduGAIN support
    • Policy
      • abandon SP fees!
    • Technical
      • attributes
      • metadata
    • Operational
      • pull metadata from mds.edugain.org
      • publish metadata (for eduGAIN to pull from)
    • None of these required at our SPs/IDPs, except for opt-in procedure!
  • Importing eduGAIN SPs
    (Diagram: as on the metadata slide, plus eduGAIN SP z imported into the hub as SPz=A-z {IDP2, IDP3}; eduGAIN metadata lists SPx=ddd, SPy=eee, SPz=fff.)
  • Exporting IDPs
    (Diagram: as above; IDP3=B-3 is exported to eduGAIN.)
  • Exporting SPs to eduGAIN
    (Diagram: as above; SP3=SP3 is exported to eduGAIN, where IDP z can reach it.)
  • SP auth list (optional)
    (Diagram: as above, with eduGAIN IDPx, IDPy, IDPz; per SP auth list for SP3: IDP1, IDP2, IDPz.)
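To make the metadata, proxying and SP auth list slides concrete, here is an added model of the hub (example code written for this transcript, not SURFnet's software): IdP n is published to SPs under hub alias B-n, SP n is known inside the hub as A-n with its allowed IdP set, and the optional per-SP auth list narrows that set; the hub's single IdP-facing identity (HUB_ENTITY) and the alias B-z for the eduGAIN IdP are assumptions.

```python
"""Hub-and-spoke proxy model of the SURFfederatie slides (added example).

IdP n is published to SPs under a hub alias B-n, SP n is known inside the hub
as A-n together with the IdPs it may use, and an optional per-SP auth list
narrows that set further. Toward the IdPs the hub acts as one single SP
(HUB_ENTITY, an assumed name), so an IdP never sees the individual SPs."""

HUB_ENTITY = "https://hub.example/sp"   # assumed: the hub's one IdP-facing identity
ALL = "all"

# Constructed registry mirroring the slides (IDPz is the eduGAIN IdP; B-z assumed).
IDP_ALIAS = {"IDP1": "B-1", "IDP2": "B-2", "IDP3": "B-3", "IDPz": "B-z"}
SP_SCOPE = {                      # SPn: (hub alias, IdPs allowed by metadata)
    "SP1": ("A-1", {"IDP1", "IDP2"}),
    "SP2": ("A-2", {"IDP2", "IDP3"}),
    "SP3": ("A-3", ALL),
    "SPz": ("A-z", {"IDP2", "IDP3"}),  # SP imported from eduGAIN
}
SP_AUTH_LIST = {"SP3": {"IDP1", "IDP2", "IDPz"}}  # optional, per SP


def wayf_choices(sp):
    """IdPs the hub's WAYF offers for `sp`: metadata scope, cut down by its auth list."""
    if sp not in SP_SCOPE:
        raise KeyError(f"unknown SP {sp}")
    scope = SP_SCOPE[sp][1]
    allowed = set(IDP_ALIAS) if scope == ALL else set(scope)
    if sp in SP_AUTH_LIST:
        allowed &= SP_AUTH_LIST[sp]
    return allowed


def proxy_login(sp, idp, subject):
    """Translate one login through the hub and return the two messages it emits.

    The hub refuses before contacting any IdP when `idp` is not allowed for `sp`,
    so an SP cannot obtain an assertion from an IdP outside its list."""
    if idp not in wayf_choices(sp):
        raise PermissionError(f"{idp} is not allowed for {sp}")
    # 1. Request forwarded to the IdP: the issuer is the hub, not the SP.
    to_idp = {"to": idp, "issuer": HUB_ENTITY, "type": "AuthnRequest"}
    # 2. Assertion re-issued to the SP under the IdP's hub alias; this is
    #    where protocol translation (e.g. WS-Fed to SAML 2.0) takes place.
    to_sp = {"to": SP_SCOPE[sp][0], "issuer": IDP_ALIAS[idp],
             "subject": subject, "type": "Assertion"}
    return to_idp, to_sp
```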
  • tiqr
    • Secure yet user friendly way to authenticate to (web)sites using your mobile phone
    • Mobile App behaves as a Challenge/Response token, using open standards
    • “Handsfree” – no codes to retype. Uses 2D-barcodes (QR) and Internet connection
    • Open Source, Apps available for both iPhone and Android
    • See: https://tiqr.org/
  • How does it work?
  • Future plans
    • Integrate with SURFconext
      • Procedural/organisational
      • Technical (level of integration TBD)
    • Change of consent model
      • Opt-in → Opt-out
      • Addition of User Consent
    • Web Service support
      • Needed for (scientific) workflows
    • Rich client/beyond web SSO/mobile support
    • Rethink procedures/management
    • Keys/signing in Hardware Security Module (HSM)
  • Thank you! ?
      • Joost van Dijk
      • joost.vandijk [at] surfnet.nl
      • @joostd
    Presentation released under the Creative Commons “Attribution” license: ( http://creativecommons.org/licenses/by/3.0/ )