TNC2014 Think Globally act locally: Simplifying Federated technologies

Identity federations play a pivotal role in facilitating easier collaboration and sharing of services around the globe. While the protocols, technology, and best practices of federations and their services are reasonably mature, the adoption and installation of needed tools and services to participate with them can be significantly improved.
A digital divide appears to have developed and is growing between those who are participating and those who want to, but feel they cannot. Pinpointing why this divide exists and how to close the gap is a source of debate but some simple statements can be made:

● Reducing the time to deploy services will help relieve pressure on time and resources for all
● Easier deployment of local components benefits both new participants grappling with the technology adoption curve and existing participants by growing the community
● Embedding best practices and core principles of security and service operation helps avoid re-inventing the wheel for new participants, as well as helping maintain overall quality for the whole community.

Attempting to address this divide has been the work of a number of federation operators and NRENs, each at different stages of their plans. This presentation will explore and discuss the various approaches that the NREN community has undertaken and contrast them with the approach that SUNET’s SWAMID and CANARIE’s CAF created collaboratively. A key component of that approach is to streamline software deployments to support eduroam federated 802.1X authentication using FreeRADIUS and SAML2 federation services using Shibboleth software on a single VM instance. While each service on its own may have been deployed this way in the past, combining them in a federation-aware context and simplifying the overall experience is relatively new, and it revealed a great deal of overlap and efficiencies that could be gained by doing so.
The presentation will discuss the various collaboration and decision challenges encountered by implementers in two different federations on two different continents, with an eye to other federations’ needs. The implementers feel that their design decisions have led to an implementation that can be extended to other federations; this will also be explored and discussed. Time permitting, a demonstration of the solution deployment process will be shown.


1. Think Globally, Act Locally: Simplifying Federated Technologies
   May 18, 2014 | TNC2014 | Dublin, Ireland
   Presenters: Chris Phillips – CANARIE, Canada; Anders Lördal – SWAMID, Sweden
   www.canarie.ca | www.swamid.se
2. About CAF & SWAMID
   |                         | CAF                                                                         | SWAMID                                                                                           |
   | Size of Community       | 89 Universities, ~120 colleges                                              | 52 Institutions                                                                                  |
   | Size of Federation      | 103 SAML; IdP: 24 Shib, 1 SSPHP; 33 SPs. eduroam: 78 IdPs, 78+ campuses     | 333 SAML; IdP: 45 Shib, 1 SSPHP, 4 ADFS, 1 pysaml; 278 SP. eduroam: 39 IdPs, 773 locations      |
   | Coverage                | >48%                                                                        | >98%                                                                                             |
   | Participate in eduGAIN? | ✔                                                                           | ✔                                                                                                |
   | Challenge               | Uptake parity between eduroam & SAML, related to time and skills            | Participants’ ability to remain current & maintain skills                                        |
   Shib = Shibboleth, SSPHP = SimpleSAMLPHP
   •  Even at different stages and coverage, we encounter similar challenges
   •  Opportunity to collaborate & leverage each other’s investments
3. Response to the challenge
   •  Evolved approach to better match campus IT reality
   •  Reduced cost/effort to implement & support
   •  Simplifies installation experience
   Classic Approach: Choose RADIUS server -> Install & Configure -> Test & Connect (and likewise: Choose platform -> Install & Configure -> Test & Connect)
   IdP Installer Approach: Preferred server installed, pre-configured, tested (and likewise: preferred platform installed, pre-configured, tested)
   Photo: http://www.flickr.com/photos/madison_guy/3386919046/sizes/o/in/photostream/ Madison Guy
4. Origin of the collaborative work (Chris Phillips)
   •  We both came to the table with something:
      •  SWAMID: original SAML installer & was refactoring
      •  CAF adopted paradigm for eduroam automation work
   •  Critical piece: bootstrapped collaboration with a ½ day in-person session identifying key principles & mechanics
5. Origin of the collaborative work, continued (Chris Phillips)
   Core Principle: Simple as possible, complex as needed
6. Principle Drives Design
   •  It’s not just the tool, but the techniques applied in the tool:
      •  Highly Extensible: be Federation aware, be tech agnostic
      •  Internalize complexity to simplify end users’ experience
      •  Internationalize by default instead of retrofit
      •  Embody best practices to avoid errors in implementations
   Photo: https://www.flickr.com/photos/75905404@N00/7126146307 OZinOH
7. The Results – The IdP Installer
   •  What is it?
      –  Installation script with HTML configuration to image a blank VM
   •  What does it do?
      –  Auto installs and configures IdP server components
      –  Configures entire system, not just software
      –  Supports eduroam and Shibboleth
   •  Benefits
      –  Fewer steps
      –  Hides technical complexity from user
   Software stack on the VM (top to bottom): Shibboleth Identity Provider (2.4.0) and freeRADIUS (2.1.12); Apache Tomcat (6.0); Java (OpenJDK 1.7); Operating System (CentOS 6.4+ or Ubuntu 12.04)
8. Installation Improvements
   Outcomes
   •  Install effort reduced from 2 discrete projects to 1 on participant site
   •  Automated configuration reduces installation complexity and editing needs
   •  Speeds up installation
   •  Reduces errors
9. Installation Overview [1]
   Plan & Prepare installation
   •  Review System Requirements to prepare your environment
   •  Prepare your network
   •  Prepare your environment (settings for Directory, Certificates, etc.)
   •  Review and choose a preferred deployment approach
   •  Review your federation-specific post-install steps
   Do Installation
   •  Create a configuration from your federation’s configuration builder
   •  Save configuration as 'config' in this directory on your server
   •  Run the script ./deploy_idp.sh
   •  Answer any inline questions (password creation for keystores)
   Post installation tailoring
   •  Based on items previously identified, finalize the installation
   •  Identify steps needed to be repeated in production
   •  Local acceptance testing
   •  Contact FedOp to complete registration
   [1] From installer document in distribution: https://collaboration.canarie.ca/elgg/groups/profile/847/idp-installer
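The "Do Installation" steps hand a generated 'config' file to a bash installer, so the file is effectively code the installer will run. As an added example (not the IdP Installer's own code), the script below is a pre-flight check a site can run before ./deploy_idp.sh: it verifies that required keys are present and that every line is a plain KEY='value' assignment that cannot execute anything when sourced. It assumes the config is a sourced KEY='value' file (the slides do not say so), and the key names idp_hostname, federation_name and ldap_server are hypothetical.

```shell
#!/bin/sh
# Added example, not the IdP Installer's own code: a pre-flight check to run
# on the 'config' file before ./deploy_idp.sh. Assumptions (not stated on the
# slides): the file holds one KEY='value' assignment per line that the
# installer sources into the shell, and the key names below are hypothetical.

REQUIRED_KEYS="idp_hostname federation_name ldap_server"

# check_config FILE: prints each problem to stderr and returns the number of
# problems found (0 means the file is complete and safe to source). A missing
# file returns 1.
check_config() {
    cfg=$1
    problems=0
    if [ ! -f "$cfg" ]; then
        echo "config file not found: $cfg" >&2
        return 1
    fi
    for key in $REQUIRED_KEYS; do
        if ! grep -q "^${key}=" "$cfg"; then
            echo "missing required key: $key" >&2
            problems=$((problems + 1))
        fi
    done
    # Every non-blank, non-comment line must be KEY='value' with no quote
    # inside the value. Anything else (command substitution, backticks,
    # semicolons, unquoted values) would execute when the file is sourced,
    # so the installer should refuse it rather than run it.
    pat="^[A-Za-z_][A-Za-z0-9_]*='[^']*'\$"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        if ! printf '%s\n' "$line" | grep -Eq "$pat"; then
            echo "unsafe or malformed line: $line" >&2
            problems=$((problems + 1))
        fi
    done < "$cfg"
    return "$problems"
}

# demo: runs the check on two constructed files. Returns 0 when the
# well-formed file passes and the malformed one is rejected with exactly
# two problems (one missing key, one line that would run a command).
demo() {
    good=$(mktemp) || return 1
    bad=$(mktemp) || return 1
    cat > "$good" <<'EOF'
# constructed sample: a well-formed config
idp_hostname='idp.example.edu'
federation_name='Example Federation'

ldap_server='ldaps://ldap.example.edu'
EOF
    cat > "$bad" <<'EOF'
# constructed sample: missing federation_name, and a value that would run
idp_hostname='idp.example.edu'
ldap_server=$(hostname)
EOF
    check_config "$good" && good_rc=0 || good_rc=$?
    check_config "$bad" 2>/dev/null && bad_rc=0 || bad_rc=$?
    rm -f "$good" "$bad"
    [ "$good_rc" -eq 0 ] && [ "$bad_rc" -eq 2 ]
}

# Usage: demo && echo "checker behaves as expected"
```

The check is deliberately stricter than the shell itself: a value containing a single quote or a trailing comment is rejected too, because the safe shape is the one the HTML configuration builder would emit, and anything outside that shape is better treated as a sign the file was edited or tampered with than quietly sourced.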
10. Configuration Demo & Walk Through: http://youtu.be/7DpHL9akgrg
11. Weighing the Options
   •  A lot of great tools and techniques out there, so we had to choose wisely
   •  Driven by Principles and Requirements. How closely do these match yours?
   Photo: https://www.flickr.com/photos/julia_manzerova/4748112382/ Julia Manzerova
12. Contrasting Implementation Styles
   | Model                           | Benefit                                                                                                                  | Drawback                                                                                                                                                                                            | Example?                                 |
   | Centralized / Command & Control | Centralized control; remote management capabilities                                                                      | Complexity is high for backend; not easily hosted locally; may not meet needs for hands-off remote operation                                                                                        | GAAR                                     |
   | Download VM preconfigured       | Quick, good degree of consistency; reliable troubleshooting                                                              | Large binary distribution (is it necessary?); expectation of responsibility for patching; VM may not have all components & site wants access to root; hard to scale variants; cost of maintaining unwieldy | Eduroam in a box VM                      |
   | Installer tool (implemented)    | Pre-existing code base; least complexity; smallest footprint; knowledge readily available; interface translation friendly | Keeping current with dependencies takes effort; testing complexity is higher                                                                                                                        | SWAMID original installer; DevOps tools  |
13. Contrasting Implementation Techniques
   | Technique                                                                                  | Benefits                                                                                                                                                                                                                                    | Drawbacks                                                               |
   | Puppet/Chef based                                                                          | In production; scales nationally; command and control with Puppet                                                                                                                                                                          | Command and control required; some rigidity dilutes autonomy of sites   |
   | Ansible based                                                                              | Able to get support; DevOps friendly                                                                                                                                                                                                        | Not a broad skill set in the target community                           |
   | Various languages (Java, Perl, Expect)                                                     | Various reasons (choose your favorite)                                                                                                                                                                                                      | Skill set hit and miss in the field                                     |
   | Existing investment in bash for installer; configuration in standalone HTML + JavaScript   | Ubiquitous, available inherent in system shell; maintainable; as sophisticated or as primitive as you would like; easily tweaked because we know it will be; internationalization (i18n) friendly; HTML interface for cross-browser compatibility | It’s bash & there’s a bit of baggage with that                          |
14. Usage & Feedback
   |                                | CAF                                                                                                                      | SWAMID                                                                  |
   | Status to respective community | Available as ‘Beta’. Awaiting feedback from a handful of sites so we may transition to ‘General Availability’            | Widely available for sites to use and test                              |
   | Community feedback             | Positive. One pilot site found deploying eduroam easier and is transitioning to eduroam as the only campus SSID for Fall 2014 | Positive. At least four sites running, one with active/standby config   |
15. Collaboration – Managing Change
   •  GitHub public repository used
   •  https://github.com/idp-installer-manager
   •  Core codebase in ‘idp-installer-global’ repo
   •  To use, strongly encouraged to fork your own ‘idp-installer-<Fed’n_name>’
   •  Loosely couples code management
   •  Enables isolation for feature development
   •  (push) to global for review & promote to community
   •  Other forks can retrieve (pull) from global at their own pace, as quickly or as slowly as needed
   Repository layout: idp-installer-global, with forks idp-installer-CAF, idp-installer-SWAMID and idp-installer-YOUR_FED_HERE
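The fork-and-pull arrangement on this slide can be exercised end to end without GitHub. The script below is an added example, not the project's own tooling: it builds idp-installer-global and a federation fork as throwaway local repositories, makes an isolated change in the fork, promotes a change to global, and then pulls global into the fork at the fork's own pace. The repository names follow the slide; the file names (deploy_idp.sh contents, federation.conf, CHANGELOG) and commit messages are hypothetical.

```shell
#!/bin/sh
# Added example, not the IdP Installer project's own tooling: a local
# walk-through of the global/fork arrangement from the slide, using
# throwaway repositories instead of GitHub so it runs offline. Repository
# names follow the slide; file names and commit messages are hypothetical.

# Commit identity and no-editor merge so the flow works in a fresh environment.
GIT="git -c user.name=demo -c user.email=demo@example.invalid"

# fork_flow WORKDIR: sets up idp-installer-global, forks it as
# idp-installer-YOUR_FED, lands an isolated local change in the fork, then a
# reviewed change in global, and finally pulls global into the fork.
# Returns 0 when the fork ends up holding both changes, non-zero otherwise.
fork_flow() {
    command -v git >/dev/null 2>&1 || { echo "git not installed, skipping" >&2; return 0; }
    work=$1
    mkdir -p "$work" || return 1

    # 1. The shared core code base ('idp-installer-global' on the slide).
    ( cd "$work" && $GIT init -q idp-installer-global &&
      cd idp-installer-global &&
      printf '#!/bin/sh\necho "installing IdP"\n' > deploy_idp.sh &&
      $GIT add deploy_idp.sh && $GIT commit -q -m "Core installer" ) || return 1

    # 2. A federation's fork. Here 'upstream' plays the role of the global
    #    repository; on GitHub, 'origin' would be the fork itself.
    ( cd "$work" &&
      $GIT clone -q "$PWD/idp-installer-global" idp-installer-YOUR_FED &&
      cd idp-installer-YOUR_FED && $GIT remote rename origin upstream ) || return 1

    # 3. Feature work stays isolated in the fork (loosely coupled management).
    ( cd "$work/idp-installer-YOUR_FED" &&
      printf 'federation=YOUR_FED\n' > federation.conf &&
      $GIT add federation.conf && $GIT commit -q -m "Federation-specific settings" ) || return 1

    # 4. Meanwhile a reviewed change is promoted to global for the community.
    ( cd "$work/idp-installer-global" &&
      printf 'Reviewed change promoted to global\n' > CHANGELOG &&
      $GIT add CHANGELOG && $GIT commit -q -m "Promote reviewed change" ) || return 1

    # 5. The fork pulls from global when it is ready; its own work survives
    #    the merge because the histories only diverged, they did not conflict.
    ( cd "$work/idp-installer-YOUR_FED" &&
      $GIT fetch -q upstream HEAD && $GIT merge -q --no-edit FETCH_HEAD ) || return 1

    [ -f "$work/idp-installer-YOUR_FED/CHANGELOG" ] &&
    [ -f "$work/idp-installer-YOUR_FED/federation.conf" ]
}

# Usage: fork_flow "$(mktemp -d)" && echo "fork holds both its own and the global change"
```

Pulling via an explicit fetch and merge, rather than a blanket pull, is what lets a federation take global changes as quickly or as slowly as it wants: the fork's maintainer can inspect FETCH_HEAD before merging, which matters when the code being merged is an installer that will run with root privileges on campus servers.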
16. You’re Invited!
   •  Code base in use at CAF and SWAMID.
   •  Clone one of ours now to try it out (http://bit.ly/caf-idp / http://bit.ly/swamid-idp)
   •  Want your own? Come talk with us or fork your own from: http://bit.ly/global-idp
   Photo: http://www.flickr.com/photos/shutter/105497713/sizes/l/in/photostream/ Chris Owens
17. Thank you!
   Contact: Chris Phillips Chris.Phillips@canarie.ca; Anders Lördal Anders.lordal@hig.se
   Photo: Chris & Anders in the hotel lobby, IdP Installer hack-a-thon in San Francisco, Nov ’13 Identity week. Photo by Nicole Harris
18. www.canarie.ca
