GÉANT Federation Lab
https://fed-lab.org

Andreas Åkre Solberg
UNINETT
andreas@uninett.no
About me: Andreas Åkre Solberg
› Work at UNINETT in the Feide team:
the Norwegian Identity Federation for Education and Research
› Blog about Identity research at http://rnd.feide.no
› Initial developer and project leader of
the award-winning SAML software product SimpleSAMLphp.
› Implemented the collaboration tool Foodle: https://foodl.org
› Been part of building the Nordic cross-federation http://kalmar2.org
› Been part of the eduGAIN project - building a European cross-federation.
› Author of the Interoperable SAML Deployment Profile http://saml2int.org
› Now leading an EC-funded research project called «Identity Federations»
within the GÉANT3 Programme.
... where we are building the «Federation Lab».
Federation Lab
› Container for useful tools, libraries, debugging, testing and validation.
› Focus on scalability, harmonization, interoperability and usability.

Federation Lab components (http://fed-lab.org):
› Debugger
› Test IdPs
› Automated SP Testing
› Best-Practice Guides
› DiscoJuice
› SAMLmetaJS
› SAML Registry for test SPs
› Harmonization Profiles
Scalability: our situation

 Interconnecting…

 › Tens of Identity Federations
 › Hundreds of Service Providers
 › Thousands of Identity Providers
Dynamic metadata
 Basic challenge is about getting scalable dynamic metadata
 distribution.

 Metadata aggregation
 › Metadata is aggregated at federation level and at inter-federation level.

 [Diagram: SPs and IdPs publish their metadata into their own Federation; each Federation's aggregate is in turn aggregated into the Cross-Federation.]
Metadata Challenges
 Commercial vendors do not support dynamic metadata
 loading :(

 AFAIK only SimpleSAMLphp + Shibboleth support that.

 Several implementations of «Metadata aggregators» pop up, and
 we need to harmonize these. Therefore we wrote the

 › Basic Metadata Aggregation Profile

 defining how an aggregator should handle border-cases.
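To make the border cases concrete, here is an added example (not Federation Lab, SimpleSAMLphp or Basic Metadata Aggregation Profile code) of a minimal aggregator for the two slides above: it merges per-federation feeds into one EntitiesDescriptor and makes an explicit, reported decision on each border case. The feeds are constructed samples, and the three rules it applies (first feed wins on a duplicate entityID, expired entities are dropped, the aggregate inherits the earliest validUntil of anything it contains) are this example's assumptions, not the profile's text.

```python
"""Added example, not Federation Lab code: a minimal SAML metadata aggregator.

Border-case handling (assumptions for this example, not the profile's text):
  * same entityID in two feeds: the feed listed first wins, the clash is reported;
  * an entity whose validUntil has passed: dropped and reported;
  * the aggregate's own validUntil: the earliest validUntil of any kept entity,
    so a consumer never trusts a descriptor longer than its source federation did.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("md", MD)

# Constructed sample feeds, in precedence order (federation-a wins on clashes).
FEED_A = f"""<md:EntitiesDescriptor xmlns:md="{MD}" Name="federation-a">
  <md:EntityDescriptor entityID="https://sp.example.org/saml" validUntil="2099-01-01T00:00:00Z">
    <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/saml" validUntil="2030-06-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

FEED_B = f"""<md:EntitiesDescriptor xmlns:md="{MD}" Name="federation-b">
  <md:EntityDescriptor entityID="https://idp.example.org/saml" validUntil="2099-01-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://old-idp.example.net/saml" validUntil="2015-01-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_valid_until(value):
    """xs:dateTime in UTC ('...Z') -> aware datetime; None when the attribute is absent."""
    if value is None:
        return None
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def aggregate(feeds, now):
    """Merge feeds (XML strings in precedence order) into one EntitiesDescriptor.

    Returns (xml_string, report); report lists every border-case decision taken.
    """
    seen = {}          # entityID -> name of the feed it was taken from
    kept = []
    report = []
    earliest = None
    for feed in feeds:
        root = ET.fromstring(feed)
        source = root.get("Name", "unnamed feed")
        for ed in root.findall(f"{{{MD}}}EntityDescriptor"):
            eid = ed.get("entityID")
            valid_until = parse_valid_until(ed.get("validUntil"))
            if valid_until is not None and valid_until <= now:
                report.append(f"dropped {eid}: expired {valid_until.strftime(TIME_FMT)} ({source})")
                continue
            if eid in seen:
                report.append(f"duplicate {eid}: keeping copy from {seen[eid]}, ignoring {source}")
                continue
            seen[eid] = source
            kept.append(ed)
            if valid_until is not None and (earliest is None or valid_until < earliest):
                earliest = valid_until
    out = ET.Element(f"{{{MD}}}EntitiesDescriptor", {"Name": "aggregate"})
    if earliest is not None:
        out.set("validUntil", earliest.strftime(TIME_FMT))
    out.extend(kept)
    return ET.tostring(out, encoding="unicode"), report


def entity_ids(xml_string):
    """entityIDs of the top-level EntityDescriptors in an EntitiesDescriptor."""
    root = ET.fromstring(xml_string)
    return [ed.get("entityID") for ed in root.findall(f"{{{MD}}}EntityDescriptor")]


def run_demo():
    """Aggregate the two constructed feeds at a fixed point in time."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return aggregate([FEED_A, FEED_B], now)


if __name__ == "__main__":
    xml_out, report = run_demo()
    print(xml_out)
    for line in report:
        print("NOTE:", line)
```

Two aggregators that silently pick different copies of a clashing entityID, or that keep an expired descriptor alive, will hand SPs and IdPs different views of the same federation; reporting every decision is what makes the feeds comparable when two implementations are checked against each other.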
UI Scalability
 The user must be asked, before logging in, where to log in. – If there are thousands of
 alternative answers, making an intuitive UI is not trivial. Attempts so far have failed.

 [Screenshot: the Foodle front page (https://foodl.org) with the DiscoJuice "Sign in to Foodle / Select your Provider" dialog overlaid, listing providers such as Feide, Feide OpenIdP, Protect Network, TERENA Secretariat, SURFnet BV, GEANT GIdP for Homeless and Dutch institutions, with "Show providers in Netherlands", "Show all providers" and "Help me, I cannot find my provider" options. DiscoJuice © 2011, UNINETT.]

 Official launch at TNC2011 in May
DiscoJuice
› Local Memory (cookie)
› Remote Memory (DiscoReadWrite protocol + IdP Discovery)
› JavaScript only, super simple to deploy
› DiscoJuiceJSON compact UI-focused Metadata format
(MDUI friendly)
› Presents logos, searchable keywords, name, descr, country...
› Automatic discovery of country
› HTML5 Geo-location API
› Graceful non-JavaScript fallback
› Inline incremental search
› Flexible integration API using JS callbacks.
› Protocol agnostic, demoed with alternative protocols.
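The feature list above combines three inputs when it decides which provider to show first: the remembered choice (local memory), the typed search string (inline incremental search) and the detected country. The following is an added example, written here in Python rather than taken from DiscoJuice, of one ranking that combines them; the provider records imitate a DiscoJuiceJSON-style list, but the field names (entityID, title, country, keywords), the scoring weights and the records themselves are this example's own assumptions.

```python
"""Added example, not DiscoJuice code: the ranking an IdP chooser needs for
inline incremental search with country awareness and a remembered choice.

The provider records mimic a DiscoJuiceJSON-style list, but the field names
(entityID, title, country, keywords) are assumptions for this example, and the
records themselves are constructed samples with .example domains.
"""
import unicodedata

PROVIDERS = [
    {"entityID": "https://idp.feide.example/no", "title": "Feide", "country": "NO",
     "keywords": ["norway", "utdanning", "education"]},
    {"entityID": "https://openidp.feide.example/no", "title": "Feide OpenIdP", "country": "NO",
     "keywords": ["guest", "register"]},
    {"entityID": "https://idp.surfnet.example/nl", "title": "SURFnet BV", "country": "NL",
     "keywords": ["surf"]},
    {"entityID": "https://idp.han.example/nl", "title": "Hogeschool van Arnhem en Nijmegen",
     "country": "NL", "keywords": ["han", "nijmegen"]},
    {"entityID": "https://idp.protect.example/us", "title": "ProtectNetwork", "country": "US",
     "keywords": ["homeless", "guest"]},
]


def fold(text):
    """Case- and accent-insensitive form, so 'Ångström' and 'angstrom' compare on plain letters."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def score(provider, query, country, remembered):
    """Relevance of one provider for this keystroke; -1 means hide it.

    The remembered provider (local memory, i.e. the cookie) always comes first,
    then title prefix matches, title substring matches and keyword matches;
    providers in the user's detected country get a boost within each class.
    """
    if provider["entityID"] == remembered:
        return 1000
    q = fold(query.strip())
    points = 0
    if q:
        title = fold(provider["title"])
        if title.startswith(q):
            points += 100
        elif q in title:
            points += 50
        elif any(fold(word).startswith(q) for word in provider.get("keywords", [])):
            points += 30
        else:
            return -1
    if country and provider.get("country") == country:
        points += 10
    return points


def rank(providers, query="", country=None, remembered=None):
    """Titles of the providers to show, best match first (stable for ties)."""
    scored = [(score(p, query, country, remembered), p) for p in providers]
    visible = [(s, p) for s, p in scored if s >= 0]
    visible.sort(key=lambda item: -item[0])
    return [p["title"] for _, p in visible]


if __name__ == "__main__":
    print(rank(PROVIDERS, country="NL"))
    print(rank(PROVIDERS, query="fei", country="NL"))
    print(rank(PROVIDERS, query="guest", country="NO",
               remembered="https://idp.protect.example/us"))
```

The accent folding matters for a European federation: a Dutch or Norwegian user typing on a foreign keyboard should still find "Hogeschool" or "Ås" without the exact diacritics, and the remembered entityID keeps the returning user's provider on top regardless of what they type.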
DiscoJuice Architecture
[Diagram: on the Service Provider side, the Application (Foodle) uses the SP API of a SimpleSAMLphp Service Provider (with its modules labelled AS); DiscoJuice is embedded in the application through a simple <script ...> reference and hands the chosen provider back via a js callback. On the Federation-central side, a SimpleSAMLphp Metadata aggregator publishes metadata over MDX and as DiscoJuiceJSON, which DiscoJuice consumes.]

This deployed architecture is just one example of how DiscoJuice is deployed at a demo service
Interoperability
 › No chance whatsoever to test all interconnected SPs and IdPs.
 › We need to establish a reliable harmonization of deployment
 configurations of SAML entities.
 › Interoperability issues are not seen by operators, but by real
 end-users. In general, user error messages in SAML products are
 far from user-friendly.
 › The metadata format is not sufficient to ensure a compatible
 configuration of two products.
Where interoperability issues occur
SAML weak points
 › Border cases (using less-used SAML elements, and less
 common flows)
 › Single Logout
 › XML Signatures
 › XML Encryption
 › Assertion Binding (SSL, authentication, etc)
 › Software bugs
 › Error handling
Ensuring interoperability
Take 1: Profiling
 Interoperable SAML Deployment Profile [saml2int]
 http://saml2int.org

 › Requires support for basic features, bindings and protocols
 › Discourages use of non-standard features
 › Harmonizes configuration of options in SAML

 Significantly decreases the chances of interoperability issues.

 › Although saml2int is getting attention, it is difficult to validate
 configurations. It works more as a dispute resolution tool.
Ensuring interoperability
Take 2: Automated Testing
 › Open SP registry allowing anyone to register Service
 Providers they would like to test.
 › Registry features a new MetadataJS editor.
 › Automated SP Testing instantly runs through approx. 80
 different flows with various SAML options, and reports flaws,
 errors and non-recommended settings.
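The two "takes" above meet at the point where a registered SP's metadata is checked before any flow is run: a profile says what a conforming configuration looks like, and a tester turns that into findings. The following is an added example (not Federation Lab, saml2int or the Automated SP Testing code) of such a pre-check in Python. Its rule set is hypothetical, in the spirit of saml2int rather than quoting it, and both metadata documents are constructed samples: the weak one beside the corrected one.

```python
"""Added example, not Federation Lab or saml2int code: a metadata pre-check
for a registered Service Provider, in the spirit of a deployment profile.

The rule set is hypothetical (inspired by saml2int, not its text):
  error   - every AssertionConsumerService must be served over https
  error   - at least one AssertionConsumerService must use the HTTP-POST binding
  warning - the SP should publish a signing certificate
  warning - the SP should ask for signed assertions (WantAssertionsSigned="true")
  warning - the entityID should be a URL
Errors would block an automated test run; warnings are reported as
non-recommended settings.  Both metadata documents are constructed samples.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"


def sp_metadata(entity_id, acs_binding, acs_location, key_use, want_signed):
    """Build a small SP EntityDescriptor (constructed sample, placeholder certificate)."""
    return f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="{entity_id}">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}" WantAssertionsSigned="{want_signed}">
    <md:KeyDescriptor use="{key_use}">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="{acs_binding}" Location="{acs_location}" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


# Weak configuration: plain-http artifact endpoint, encryption-only key, unsigned assertions.
WEAK_SP = sp_metadata("https://sp.example.org/saml", ARTIFACT,
                      "http://sp.example.org/saml/acs", "encryption", "false")
# Corrected configuration of the same SP.
HARDENED_SP = sp_metadata("https://sp.example.org/saml", POST,
                          "https://sp.example.org/saml/acs", "signing", "true")


def check_sp_metadata(xml_string):
    """Return a list of (level, message) findings; an empty list means the SP passes."""
    root = ET.fromstring(xml_string)
    findings = []
    entity_id = root.get("entityID", "")
    if not entity_id.startswith(("https://", "http://")):
        findings.append(("warning", f"entityID {entity_id!r} is not a URL"))
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return [("error", "no SPSSODescriptor: this is not Service Provider metadata")]
    acs = sp.findall(f"{{{MD}}}AssertionConsumerService")
    if not acs:
        findings.append(("error", "no AssertionConsumerService endpoint"))
    for endpoint in acs:
        location = endpoint.get("Location", "")
        if not location.startswith("https://"):
            findings.append(("error", f"AssertionConsumerService {location} is not served over https"))
    if not any(endpoint.get("Binding") == POST for endpoint in acs):
        findings.append(("error", "no AssertionConsumerService with the HTTP-POST binding"))
    # A KeyDescriptor without a use attribute may be used for both signing and encryption.
    signing_keys = [k for k in sp.findall(f"{{{MD}}}KeyDescriptor")
                    if k.get("use") in (None, "signing")]
    if not signing_keys:
        findings.append(("warning", "no signing certificate published"))
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append(("warning", "WantAssertionsSigned is not true"))
    return findings


def has_errors(findings):
    """True when at least one finding would block the test run."""
    return any(level == "error" for level, _ in findings)


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_SP), ("hardened", HARDENED_SP)):
        print(name, "->", check_sp_metadata(doc) or "no findings")
```

Splitting findings into errors and warnings is what lets a tester refuse to exercise an endpoint that would carry assertions over plain http, while still telling the operator about settings that merely fall outside the profile's recommendations.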
Registry with MetaeditJS

Demo URL: https://fed-lab.org/simplesaml-register/module.php/metaedit2/?
Automated Testing

Demos: Microsoft ADFS, SimpleSAMLphp
Revising saml2int
based upon experience

Inputs to the saml2int revisions:
 › Experiences from testing various products through the Tester
 › Experiences from cross-federation projects
 › Experiences from Kantara Interoperability Matrix Testing
Test-suite of Identity Providers
 Registered Service Providers should be able to access a feed of
 test Identity Providers running various SAML software.

 Will be set up to facilitate DiscoJuice for discovery soon(!)

 › Feide OpenIdP
 › Federation Lab OpenIdP
 › ProtectNetwork IdP
 › TestShib

 We want more Identity Providers!
 Please!
Useful tools: Web-based debugger
Useful tools: Firefox plugin
Best Practice Documents
 › Single Logout
 › De-Provisioning
 › Monitoring and diagnostics (soon)
Tools to come
 › Automated Testing of Identity Providers (service)
 › Metadata validation service (service)
 › Federation Provisioning Engine (software)

 › Official releases of software and libraries:
   › Firefox plugin: SAMLtracer
   › DiscoJuice
   › SAMLmetaJS
Thanks

http://rnd.feide.no
