CAF Workshop BCNet2014
On April 28th, a hands-on workshop was held at BCNet2014 in Vancouver by CANARIE's Canadian Access Federation (CAF) team.

The first part of the workshop explored CAF's Identity Provider (IdP) Installer tool, which automates the installation of FreeRADIUS for eduroam and Shibboleth for Federated SSO. The second part of the workshop was dedicated to exploring CAF's new Federation Manager, an online tool that enables sites to manage their new or installed Shibboleth IdP installation, and to easily manage attributes and enable services.

1. CAF Workshop on Federation Tools: IDP Installer and Federation Management Tools
   Chris Phillips | April 2014 | CANARIE | Vancouver
   www.canarie.ca

2. Agenda
   8:00-8:30 – Coffee & Registration
   8:30-8:45 – Introductions and Workshop Overview
   8:45-10:15 – Using the IdP Installer, Sample Installation, Walkthrough
   10:15-10:30 – Break
   10:30-11:15 – CAF Tools walkthrough
   11:15-12:15 – Federation Management Tools
   12:15-12:30 – Q&A, Closing remarks

3. In theory, there is no difference between theory and practice. But, in practice, there is.

4. Introductions

5. Outcomes for today
   • Improved understanding of the IdP Installer
   • Highlight key deployment considerations
   • Know where to go for CAF resources
   • Socialize Federation management tools direction
   (Photo: reway2007, https://www.flickr.com/photos/reway2007/3137608759)

6. Setting Today's Context

7. Roaming wireless
   • International wireless roaming
   • Ability to automatically sign on using your home credential
   • Reduces barriers to mobile users
   • Worldwide and expanding coverage:
     – Canada: 78 sites
     – 60 countries worldwide
   Federated identity
   • Federated Single Sign On for services
   • Web and non web sign on
   • Authentication
   • Authorization
   • Attribute release
   • Across different security domains
   Interfederation
   • eduGAIN as primary, exploring other direct relationships
   • Bridge to international community
   • Enables CAF participants to:
     – Accept identities inbound from outside Canada to Canadian services
     – Use Canadian identities in services outside Canada
   • Int'l NREN CEO Forum placed eduGAIN as a key effort
   • CAF was early adopter – joined last year when there were 8, and eduGAIN now has 20 countries
   Statistics
   • 3.4M logins March 2014
   • 2x traffic growth in 1yr
   • 78 sites
   • 33 Service Providers
   • 25 Identity Providers
   [Chart: Successful Logins – International / Canada]
   [Chart: Total CAF enabled users – SAML & eduroam]

8. CAF Ecosystem (diagram labels)
   Identity Providers: Universities, Colleges, Research inst.
   Service Providers: Cloud providers, Specialized R&E Apps, Libraries, Commercial SP, Research teams
   Regional Community / Community Group: Gateway Partners, BCNET, Provincial governments, Organizing bodies
   People: Applicants, Parents, Temporary staff, Professor, Student, Researcher, App Developer, IDM Expert, Group Admin

9. CAF Roadmap (timeline: Today → FY 2015 → FY16, plotted against Value)
   • Federation Infrastructure & Governance
   • Knowledge Base + more tools!
   • Federation Community Manager
   • CAF Marketplace
   • Operating Policies
   • Training & Technical Support
   • Marketing Material
   • IDP Installer

10. IDP Installer

11. IdP Installer
   • What is it?
     – VM image + html configuration forms
   • What does it do?
     – Auto installs and configures IdP server components
     – Easier connection to CAF servers
     – Supports eduroam and Shibboleth
   • Benefits
     – Fewer steps
     – Hides technical complexity from user
   Identity Appliance stack: Shibboleth Identity Provider, freeRADIUS, Apache Tomcat, Java, Operating System (CentOS)

12. IdP Installer: Consolidating & Reducing Effort

13. Installation Overview
   Download installer → Plan & Prepare installation → Do Installation → Post installation tailoring → Local acceptance testing → Contact CANARIE to complete registration
   1. Download Installer
      1. From http://bit.ly/caftools
   2. Plan & Prepare your installation
      1. Review System Requirements to prepare your environment.
      2. Prepare your network
      3. Prepare your environment (settings for Directory, Certificates, etc)
      4. Review and choose a preferred deployment approach
      5. Review your federation specific post install steps
   3. Do the installation
      1. Create a configuration from your federation's configuration builder
      2. Save configuration as 'config' in this directory on your server
      3. Run the script ./deploy_idp.sh
      4. Answer any inline questions (use self signed cert? password creation for keystores)
   4. Perform Post installation Tailoring
      1. Based on items previously identified, finalize the installation
      2. Identify steps that need to be repeated in production
   5. Locally Test Installation
   6. Repeat installation steps for production installation as needed
   [1] From installer document in distribution: https://collaboration.canarie.ca/elgg/groups/profile/847/idp-installer

14. Planning: Deployment Model – Test & Prod

15. Planning: SSID strategy – augment or replace?
   Recommendation: Consider consolidating to eduroam
   • Why:
     – Less to configure for end users:
       • setup once, use everywhere → why do one that only works for you?
       • Less to manage as wifi infrastructure operator → reduces helpdesk support
     – Eduroam can be VLAN'd based on authentication
       • Local users VLAN'd to 'local IP space' and remote to remote [1,2]
     – Configuration Assistant Tool (CAT) performs configuration
   • To resolve 'how do I get on?' for users, offer eduroam_help SSID
     – Behaves as captive portal and only able to reach eduroam configuration information (cat.eduroam.org) and your specific information
     – Working with UFV through IdP Installer with the –
     – Some Canadian sites already using just eduroam as singular SSID
   [1] https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus
   [2] http://medit.med.ubc.ca/initiatives/eduroam-by-ubc/

16. Planning: Certificates
   FedSSO / SAML2
   • 2 certificates
     – End user facing (port 443) for SSO userid/password: commercially rooted certificate to avoid browser pain
     – IdP/SP certificate for metadata: self signed, 2048 bit SHA2, autogenerated on install, usually long lived (10yrs)
   • Possession & comparison of certs present in metadata is the crux of trust
   Recommendation: Use your usual commercial cert for the end user facing port 443; let the tools do what they should for the long lived self signed cert
   Eduroam / 802.1x
   • 2 TLS pieces: CA + server cert
     – Laptops and mobile devices asked to trust both CA and server certificate
     – If CA = commercial root, slightly less pain on MSFT clients (avoids popup of 'trust this root?')
     – eduroam CAT installer critical to help streamline installation & trust regardless of cert type
   Recommendation: Simply put: YMMV & up to you to tailor the experience. Quick video example: eduroam CAT w/ commercial cert & w/ non commercial certificate.
   IDP Installer automatically uses self-signed everything & is a base for build outs.
17. Certificates & HeartBleed
   • Heartbleed risk present on hosts susceptible to the OpenSSL handshake
     – FedSSO/SAML
       • Metadata signing was not at risk since that key is never used in a handshake & the OpenSSL version was safe.
       • A handful of SAML entities did have to do key rollover (regenerate and replace keys).
       • Risk was possible exposure of the private key, and therefore impersonation of the entity or decryption of its traffic – extremely remote and requiring an extraordinary attack, but a risk present nonetheless → must regenerate the private key and metadata cert and do a rollover.
     – Eduroam
       • Eduroam trust is built on shared secrets, therefore not susceptible in server-to-server trusts.
       • HOWEVER, the RADIUS server certificate suffered the same style of attack vector, but between RADIUS server and clients (mobile devices).
         – Key compromise, and therefore decrypted traffic, if such was done – risk extremely remote but present. The few sites patched and made the necessary changes.
       • Global eduroam had a validator within hours of the announcement and scanned many sites, including Canadian ones, very early on.
       • Within 72hrs all Heartbleed risk was eliminated from the affected few sites in FedSSO and eduroam in Canada.
     – Would self signed or commercial have made a difference? No. Risk was the same regardless of root. A private key is a private key and both would need to have been regenerated.
     – Many thanks to admins who were very responsive to the issue!
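Slides 16 and 17 together describe the federation trust model and its failure mode: trust is possession of the exact certificate published in metadata, so a possibly exposed private key means regenerate and roll over. The following is an added Python example, not from the deck or the IdP Installer, of that exact-match check and of the two metadata edits a rollover needs; the entityID, URLs and certificate bytes are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces; registering them keeps the md:/ds: prefixes when re-serialising.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
ET.register_namespace("md", NS["md"])
ET.register_namespace("ds", NS["ds"])

# Constructed sample: two placeholder byte strings stand in for DER-encoded certificates (not real X.509).
OLD_DER = b"constructed placeholder for the IdP's original self-signed certificate (DER)"
NEW_DER = b"constructed placeholder for the certificate regenerated after a key exposure (DER)"
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.ca/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(OLD_DER).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.ca/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""

def certs_in(key_descriptor: ET.Element) -> list[bytes]:
    """DER certs in one KeyDescriptor; metadata base64 is usually line-wrapped, so whitespace is dropped first."""
    return [base64.b64decode("".join((c.text or "").split()), validate=True)
            for c in key_descriptor.iterfind(".//ds:X509Certificate", NS)]

def trusted_for_signing(metadata_xml: str, presented_der: bytes) -> bool:
    """Trust is possession of the exact cert in a signing KeyDescriptor (no use attribute covers signing), not a CA chain."""
    return any(kd.get("use", "signing") == "signing" and der == presented_der
               for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS) for der in certs_in(kd))

def add_signing_cert(metadata_xml: str, new_der: bytes) -> str:
    """Rollover step 1: publish the new cert beside the old one so relying parties trust it before it is used.
    It goes directly after the existing KeyDescriptors to keep the schema's element order."""
    root = ET.fromstring(metadata_xml)
    role = root.find("md:IDPSSODescriptor", NS)
    kd = ET.Element(f"{{{NS['md']}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(ET.SubElement(kd, f"{{{NS['ds']}}}KeyInfo"), f"{{{NS['ds']}}}X509Data"),
                         f"{{{NS['ds']}}}X509Certificate")
    x509.text = base64.b64encode(new_der).decode()
    last = max((i for i, child in enumerate(role) if child.tag == kd.tag), default=-1)
    role.insert(last + 1, kd)
    return ET.tostring(root, encoding="unicode")

def retire_cert(metadata_xml: str, old_der: bytes) -> str:
    """Rollover step 3, once the IdP signs only with the new key: drop every KeyDescriptor carrying the old cert."""
    root = ET.fromstring(metadata_xml)
    role = root.find("md:IDPSSODescriptor", NS)
    for kd in [k for k in role.iterfind("md:KeyDescriptor", NS) if old_der in certs_in(k)]:
        role.remove(kd)
    return ET.tostring(root, encoding="unicode")
```

Step 2 of the rollover, switching the IdP itself to the new key, happens on the server between the two metadata edits; until the old KeyDescriptor is retired, both certificates are accepted.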
18. IdP Installer Test Shib walkthrough

19. Break

20. CAF Tools Walkthrough
   • Eduroam weathermap – http://weathermap.canarie.ca/caf/eduroam
   • Eduroam CAT – https://cat.eduroam.org/
   • eduGAIN – https://www.edugain.org/
   • FedSSO Discovery Guidance – https://discovery.refeds.org
   • CAF FAQ system – http://tts.canarie.ca/otrs/public.pl
   • Collaboration.canarie.ca – http://collaboration.canarie.ca
   • CAF Guest IdP & 'external identities' (aka social2SAML) – http://id.canarie.ca
     – External identity demo with SAML sharepoint sign on
   All available at: http://bit.ly/caftools

21. CAF Guidance on Attribute Release
   • Current CAF policy → mandatory release of eduPersonTargetedID
   • Example of the importance of attribute release
   • What the community at large is doing
     – In Canada → examining various profiles for attribute 'bundles'
       • Collaboration profile
       • Canadian Researcher profile
       • Canadian Student profile
       • K-12 specific attributes
     – Internationally
       • Entity categories in metadata, rules in IdPs for release
       • K-12 conversations in US.
   • SAML metadata representation

22. Federation Management Tools

23. (no slide text)

24. Federation Community Manager
   Features
   • UI-based provisioning of privacy and security policies (e.g. ARPs)
   • Self-serve user interface for Partner, IDP and SP admins
   • Consolidated view of all community groups, IDPs and SPs in CAF
   • Auto-generates metadata
   Benefits
   • Reduces development time → faster implementation
   • Reduces errors and facilitates debugging
   Status
   • Seeking pilot participants

25. Collaboration via CAF & Community Groups
   CAF Identity Providers | Regional Community / Community Group (CG) Shared Services | CAF Service Providers
   • Services available to IDPs within the community group
   • Define operating policies (e.g. attribute release) specific to CG
   • Gives IDPs access to national and international CAF SPs

26. Community Group Responsibilities (diagram labels)
   Parties: Institutions, CAF Partners, CAF
   Responsibilities shown: Privacy, Help Desk, Community Groups Admin, Hosted IDP Operations, Local Outreach, Central Operations, Technical Support, Technical Community, Trust Assertion, Governance, National Outreach, Tool Development, Operations, International Representation, CAF Participant Agreements, Implementation Guidance, Community Agreements

27. Closing Remarks / Q&A
