GÉANT Federation Lab
The GÉANT Federation Lab project presented at a Kantara Initiative Telecommunication ID Work Group meeting at the Telenor offices, Oslo, Norway.
Transcript

  • 1. Federation Lab, https://fed-lab.org. Andreas Åkre Solberg, UNINETT, andreas@uninett.no
  • 2. About Me: Andreas Åkre Solberg › Work at UNINETT in the Feide team: the Norwegian Identity Federation for Education and Research › Blog about identity research at http://rnd.feide.no › Initial developer and project leader of the award-winning SAML software product SimpleSAMLphp. › Implemented the collaboration tool Foodle: https://foodl.org › Been part of building the Nordic cross-federation http://kalmar2.org › Been part of the eduGAIN project, building a European cross-federation. › Author of the Interoperable SAML Deployment Profile http://saml2int.org › Now leading an EC-funded research project called «Identity Federations» within the GÉANT3 Programme... where we are building the «Federation Lab».
  • 3. Federation Lab › Container for useful tools, libraries, debugging, testing and validation. › Focus on scalability, harmonization, interoperability and usability. (Diagram: Federation Lab, http://fed-lab.org, and its components: Debugger, Test IdPs, Automated SP Testing, Best-Practice Guides, DiscoJuice, SAMLmetaJS, SAML Harmonization Profiles, Registry for test SPs.)
  • 4. Scalability: our situation. Interconnecting… › Tens of Identity Federations › Hundreds of Service Providers › Thousands of Identity Providers
  • 5. Dynamic metadata. The basic challenge is getting scalable, dynamic metadata distribution. Metadata aggregation › Metadata is aggregated at federation level and at inter-federation level. (Diagram: a cross-federation layered above two federations, each containing SPs and IdPs.)
  • 6. Metadata Challenges. Commercial vendors do not support dynamic metadata loading :( AFAIK only SimpleSAMLphp and Shibboleth support that. Several implementations of «metadata aggregators» are popping up, and we need to harmonize these. Therefore we wrote the › Basic Metadata Aggregation Profile, defining how an aggregator should handle border cases.
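As an added example (not code from the Federation Lab project or any of the aggregators mentioned), a minimal metadata aggregator in Python that merges feeds from several federations into one EntitiesDescriptor, honours nested validUntil attributes and reports an entityID published by more than one source. Element names follow the SAML 2.0 metadata schema; the two feeds and their entityIDs are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

def _valid_until(elem):
    """Parse an optional validUntil attribute (xs:dateTime in UTC 'Z' form)."""
    v = elem.get("validUntil")
    return None if v is None else datetime.strptime(v, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def collect_entities(elem, now, expiry=None):
    """Yield (entityID, element) for each EntityDescriptor still valid at `now`;
    recurses into nested EntitiesDescriptor, the tightest enclosing validUntil wins."""
    own = _valid_until(elem)
    if own is not None and (expiry is None or own < expiry):
        expiry = own
    tag = elem.tag.rsplit("}", 1)[-1]
    if tag == "EntityDescriptor":
        if expiry is None or expiry > now:
            yield elem.get("entityID"), elem
    elif tag == "EntitiesDescriptor":
        for child in elem:
            yield from collect_entities(child, now, expiry)

def aggregate(feeds, now):
    """Merge (source_name, xml) feeds into one EntitiesDescriptor. An entityID seen
    from a second source keeps its first copy and is reported in `conflicts`."""
    out = ET.Element("{%s}EntitiesDescriptor" % MD)
    seen, conflicts = {}, []
    for name, xml in feeds:
        for eid, ed in collect_entities(ET.fromstring(xml), now):
            if eid in seen:
                conflicts.append((eid, seen[eid], name))
            else:
                seen[eid] = name
                out.append(ed)
    return out, conflicts

# Constructed sample feeds: B republishes A's SP and carries an expired sub-aggregate.
SAMPLE_FEEDS = [
    ("federation-A", """<md:EntitiesDescriptor xmlns:md="%s" validUntil="2030-01-01T00:00:00Z">
      <md:EntityDescriptor entityID="https://sp.example.org/sp"/><md:EntityDescriptor entityID="https://idp.example.edu/idp"/>
    </md:EntitiesDescriptor>""" % MD),
    ("federation-B", """<md:EntitiesDescriptor xmlns:md="%s">
      <md:EntityDescriptor entityID="https://sp.example.org/sp"/><md:EntityDescriptor entityID="https://idp.other.edu/idp"/>
      <md:EntitiesDescriptor validUntil="2012-01-01T00:00:00Z"><md:EntityDescriptor entityID="https://idp.stale.edu/idp"/></md:EntitiesDescriptor>
    </md:EntitiesDescriptor>""" % MD),
]

def run_demo(now=datetime(2020, 1, 1, tzinfo=timezone.utc)):
    """Return the aggregated entityIDs and the conflicts found in SAMPLE_FEEDS."""
    agg, conflicts = aggregate(SAMPLE_FEEDS, now)
    return [e.get("entityID") for e in agg], conflicts
```

A production aggregator would additionally verify each feed's XML signature before trusting its contents and re-sign the aggregate it publishes.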
  • 7. UI Scalability. The user must be asked, before logging in, where to log in. If there are thousands of alternative answers, making an intuitive UI is not trivial. Attempts so far have failed. (Screenshot: the Foodle front page, https://foodl.org, with the DiscoJuice provider selector: "Sign in to Foodle", "Select your Provider", a list of institutions including Feide OpenIdP and ProtectNetwork, "Help me, I cannot find my provider", "Show providers in Netherlands", "Show all providers". DiscoJuice © 2011, UNINETT.) Official launch at TNC2011 in May.
  • 8. DiscoJuice › Local Memory (cookie) › Remote Memory (DiscoReadWrite protocol + IdP Discovery) › JavaScript only, super simple to deploy › DiscoJuiceJSON: compact, UI-focused metadata format (MDUI friendly) › Presents logos, searchable keywords, name, description, country... › Automatic discovery of country › HTML5 Geolocation API › Graceful non-JavaScript fallback › Inline incremental search › Flexible integration API using JS callbacks. › Protocol agnostic, demoed with alternative protocols.
  • 9. DiscoJuice Architecture. (Diagram: on the Service Provider side, the Foodle application includes DiscoJuice via a <script ...> reference and a simple JS callback; DiscoJuice loads compact DiscoJuiceJSON from an MDX API served by a SimpleSAMLphp metadata aggregator on the federation's central side, which collects metadata from several sources labelled AS.) This deployed architecture is just one example of how DiscoJuice is deployed at a demo service.
  • 10. Interoperability › No chance whatsoever to test all interconnected SPs and IdPs. › We need to establish a reliable harmonization of deployment configurations of SAML entities. › Interoperability issues are not seen by operators, but by real end-users. In general, user error messages in SAML products are far from user-friendly. › The metadata format is not sufficient to ensure a compatible configuration of two products.
  • 11. Where interoperability issues occur: SAML weak points › Border cases (using less-used SAML elements, and less common flows) › Single Logout › XML Signatures › XML Encryption › Assertion Binding (SSL, authentication, etc.) › Software bugs › Error handling
  • 12. Ensuring interoperability, Take 1: Profiling. Interoperable SAML Deployment Profile [saml2int] http://saml2int.org › Requires support for basic features, bindings and protocols › Discourages use of non-standard features › Harmonizes configuration of options in SAML. Significantly decreases the chances of interoperability issues. › Although saml2int is getting attention, it is difficult to validate configurations. It works more as a dispute-resolution tool.
  • 13. Ensuring interoperability, Take 2: Automated Testing › Open SP registry allowing anyone to register Service Providers they would like to test. › Registry features a new MetadataJS editor. › Automated SP Testing instantly runs through approx. 80 different flows with various SAML options, and reports flaws, errors and non-recommended settings.
  • 14. Registry with MetaeditJS. Demo URL: https://fed-lab.org/simplesaml-register/module.php/metaedit2/?
  • 15. Automated Testing. DEMO: Microsoft ADFS and SimpleSAMLphp
  • 16. Revising saml2int based upon experience. (Diagram: experiences from testing various products through the Tester, experiences from cross-federation projects, and experiences from Kantara Interoperability Matrix Testing all feed into saml2int revisions.)
  • 17. Test suite of Identity Providers. Registered Service Providers should be able to access a feed of test Identity Providers running various SAML software. Will be set up to facilitate DiscoJuice for discovery soon(!) › Feide OpenIdP › Federation Lab OpenIdP › ProtectNetwork IdP › TestShib. We want more Identity Providers! Please!
  • 18. Useful tools: Web-based debugger
  • 19. Useful tools: Firefox plugin
  • 20. Best Practice Documents › Single Logout › De-Provisioning › Monitoring and diagnostics (soon)
  • 21. Tools to come › Automated Testing of Identity Providers (service) › Metadata validation service (service) › Federation Provisioning Engine (software) › Official releases of software and libraries: › Firefox plugin: SAMLtracer › DiscoJuice › SAMLmetaJS
  • 22. Thanks http://rnd.feide.no
