CANARIE Canadian Access Federation Update @ Internet2 Identity Week 2013

CANARIE operates the Canadian Access Federation (CAF), a program whose services deliver Federated Single Sign On (FedSSO) and eduroam.
This presentation, given at REFEDS' day at Internet2 Identity Week, is a high-level view of what CAF is engaged in and interested in.

  1. REFEDS Update on Canadian Access Federation
     Chris Phillips | Nov 11, 2013 | Internet2 idweek2013 | San Francisco
     www.canarie.ca
  2. About CANARIE
     Operates Canada's ultrahigh-bandwidth research network
     • Connects one million users at 1,100 institutions, "big science" facilities like TRIUMF, NEPTUNE, CLS, SNOLAB, and to Compute Canada HPC consortia
     • 19,000 km of fibre with a 40 Gbps backbone
     • Funds programs that enable greater access to research data, tools and peers and to stimulate the ICT sector
     Operator of the Canadian Access Federation
     • SAML federation based on Shibboleth
     • Canadian eduroam 802.1x wireless roaming operator
     • eduGAIN participant
     Primary investment from Government of Canada: $480 M since 1993
     Map date: 29 May 2012
  3. About CANARIE: Additional Programs
     (Same research network and federation bullets as slide 2, plus:)
     DAIR - Digital Accelerator for Innovation and Research: an on-demand, advanced R&D cloud environment that supports Canada's tech innovators. OpenStack based, with 2 regions (Alberta, Quebec).
     RPI - Research Platform Infrastructure: an investment in middleware by CANARIE that leverages existing platforms and is the evolution of the NEP program. Reduces duplication, increases re-use and collaboration between programs. http://science.canarie.ca/
     NEP - Network Enabled Platforms: similar in nature to the GEANT open call. Research initiatives showing innovative uses of the network. Has evolved to be even more collaborative and generates new interfaces/RPI services to be reused between projects.
  4. This is what it feels like trying to collaborate.... (Image: Phil Roeder - Flickr)
  5. This is how we want it to feel.
  6. How? Facilitate collaboration at the largest scale possible.
  7. How? Facilitate collaboration at the largest scale possible. Easiest but trusted! Seamlessly!
  8. Roaming wireless
     • International wireless roaming
     • Ability to automatically sign on using your home credential
     • Reduces barriers to mobile users
     • Worldwide and expanding coverage: Canada: 64 sites; 65 countries worldwide
     Chart: Successful Logins, International vs Canada (axis 0 to 2,000,000)
     • ~3M logins Sept 2013
     • 2.5x traffic growth in 1 yr
     • 48 sites, ~50% of universities in Canada
     • 40% growth in sites in 1 yr
     Federated identity
     • Federated Single Sign On for services
     • Web and non-web sign on
     • Authentication
     • Authorization
     • Attribute release
     • Across different security domains
     Chart: Total CAF enabled users, SAML & eduroam: 937,000; 986,765; 1,011,793; 1,020,387
     • 24 Service Providers: 160% increase in 1 yr
     • 21 Identity Providers
     Interfederation
     • eduGAIN as primary, exploring other direct relationships
     • Bridge to international community
     • Enables CAF participants to:
       • Accept identities inbound from outside Canada to Canadian services
       • Use Canadian identities in services outside Canada
     • Int'l NREN CEO Forum placed eduGAIN as a key effort
     • CAF was early adopter: joined last year when there were 8, and eduGAIN now has 20 countries
     (An overlaid duplicate of the roaming wireless bullets on this slide gives Canada: 48 sites and 60 countries worldwide.)
  9. A Glimpse at eduroam traffic
     Chart: eduroam Successful Logins, up to Oct 30, 2013. Series: International and Canada successful logins (left axis, 0 to 4,000,000) and % No Reply from Server (right axis, 0.00% to 25.00%).
  10. Closing the gap
     • eduroam evidence of success → why not the same for FSSO?
     • Talked to new & old participants, other federations
     • Analyzed over a year's worth of data
     (Image: http://www.flickr.com/photos/asparagus_hunter/483841638/ asparagus hunter)
  11. Regular Approach vs Identity Appliance
     Regular approach: Choose RADIUS server → Install & Configure → Test & Connect
     Identity Appliance: Supported server installed → Pre-configured → Tested & Connected
     Regular approach: Choose platform → Install & Configure → Test & Connect
     Identity Appliance: Supported platform installed → Pre-configured → Tested & Connected
     Why?
     • Evolved approach to better match campus IT reality
     • Reduced cost/effort to be CAF participant
     • Simplifies CAF installation experience
     • Easier day to day operations
     (Image: http://www.flickr.com/photos/madison_guy/3386919046/sizes/o/in/photostream/ Madison Guy)
  12. Regular Approach vs Identity Appliance: A Bit Deeper
     (Same flows and "Why?" bullets as slide 11, plus:)
     • Reviewed many styles, but no one really doing both eduroam AND Federated SSO w/SAML
     • Inspired by many DevOps style approaches, adopted installer based model (SWAMID approach, others influential too)
     • eduroam in alpha now, FedSSO going through test cycles
     • Sites will be connected to both eduroam & eduGAIN
  13. Inter-federation
     • In use and business as usual
     • eduroam Configuration Assistant Tool (CAT) driving current IdPs
     • Appliance approach will see sites joining eduGAIN when they join CAF.
  14. eduroam CAT service (accessed via eduGAIN)
     • Builds & hosts profile installers for all platforms and devices (MSFT, Apple, Linux)
     • Profile = specific configuration on your device to connect to the network
  15. Signing on to Manage Your eduroam Site
     • Access is only for site admins
     • Requires Federated Single Sign On + invitation one-time link
     • Can create multiple admins
     • Can create multiple 'profiles' for testing prior to release.
     • Production profiles can be downloaded via CAT
  16. Once Signed in: Snapshot of eduroam CAT
     • # of federations with at least 1 production IdP: 30
     • Total IdPs registered: 391
     • IdPs which enabled public download interface: 264
     • End user downloads of installers so far: 162,289
  17. Sub-national Topic
     • Different groups across Canada expressed interest in 'CAF+ . . .'
     • Needs were diverse yet common: additional schema, workflow for special sets of entities only, allow entities to be members of multiple sets, notify about joining set.
     • View is that it can be done centrally through CAF, but tools & processes need improvements
  18. Unified Collaboration & Interconnection
     Diagram: CAF containing SPs and IdPs, with Special Interest Trust Groups, a Higher Assurance group and Local Feds (each with their own IdPs and SPs) overlaid on it.
     • Efficient, least effort for SP/IdP
     • Local fed incubates federation aware apps
     • SITG can leverage common infrastructure, and overlay special attribute sets & specific policies
  19. Improving Tools
     • Federation Operations needed to rise to the challenge
     • Federation Registry tools space has very rich offerings (AAF: Fed'n Mgr, HEANET: Resource Registry, REEP to name a few)
     • Tough to choose because of the great work out there
     • Gravitated to HEANET RR
     (Image: http://www.flickr.com/photos/chazferret/2075442918/)
  20. Skating to where the puck will be
     • Our usual 'customers' are changing, we need to as well.
     • Centralized services with delegation functionality avoid duplication of effort in the community and save time and effort for sites
     (Image: http://www.flickr.com/photos/mag3737/1997114236/ mag3737)
  21. Seed Topics for the ACAMP
     • Effective attribute release from IdPs
     • Centralized authorization and user preferences being sought: should we run an instance of Grouper or COmanage?
     • Non-web SAML for RESTful web services, looking for some interesting approaches
     • Interested in any mobile plays for Fed. SSO on smartphones.
     (Image: http://www.flickr.com/photos/the_yes_man/4648999621/sizes/l/in/photostream/)
  22. www.canarie.ca
  23. Additional Material
  24. Digital Accelerator for Innovation and Research (DAIR)
     An on-demand, advanced R&D environment that supports Canada's tech innovators and entrepreneurs in designing, prototyping, validating and demonstrating their new technology apps, products and services. www.canarie.ca/en/dair
     Diagram: INTERNET; Cloud Computing and Storage + Optical Regional Advanced Networks (ORANs)