GÉANT Federation Lab

The GÉANT Federation Lab project presented at a Kantara Initiative Telecommunication ID Work Group meeting at the Telenor offices, Oslo, Norway.

1. Federation Lab
https://fed-lab.org
Andreas Åkre Solberg, UNINETT, andreas@uninett.no
2. About Me: Andreas Åkre Solberg
› Work at UNINETT in the Feide team: the Norwegian Identity Federation for Education and Research
› Blog about Identity research at http://rnd.feide.no
› Initial developer and project leader of the award-winning SAML software product SimpleSAMLphp
› Implemented the collaboration tool Foodle: https://foodl.org
› Been part of building the Nordic cross-federation http://kalmar2.org
› Been part of the eduGAIN project, building a European cross-federation
› Author of the Interoperable SAML Deployment Profile http://saml2int.org
› Now leading an EC-funded research project called «Identity Federations» within the GÉANT3 Programme... where we are building the «Federation Lab».
3. Federation Lab
› Container for useful tools, libraries, debugging, testing and validation.
› Focus on scalability, harmonization, interoperability and usability.
[Diagram: Federation Lab (http://fed-lab.org) components: Debugger, Test IdPs, Automated Testing, Best-Practice Guides, Registry for test SPs, DiscoJuice, SAMLmetaJS, SAML Harmonization Profiles]
4. Scalability: our situation
Interconnecting…
› Tens of Identity Federations
› Hundreds of Service Providers
› Thousands of Identity Providers
5. Dynamic metadata
Basic challenge is about getting scalable dynamic metadata distribution.
Metadata aggregation
› Metadata is aggregated at federation level and at inter-federation level.
[Diagram: SPs and IdPs publish metadata to their Federation; each Federation feeds a Cross-Federation aggregate]
6. Metadata Challenges
Commercial vendors do not support dynamic metadata loading :( AFAIK only SimpleSAMLphp + Shibboleth support that.
Several implementations of «Metadata aggregators» pop up, and we need to harmonize these. Therefore we wrote the
› Basic Metadata Aggregation Profile, defining how an aggregator should handle border cases.
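To make the aggregation border cases concrete, here is an added example (not code from the Federation Lab project, and not a rendering of the Basic Metadata Aggregation Profile) of a minimal two-level aggregator: it merges the EntitiesDescriptor feeds of several federations into one cross-federation feed and has to decide what to do with an entityID published by two federations, an entity whose validUntil has passed, and an entity with a non-https endpoint. The policies applied (first-registered federation wins, expired and plain-http entities are rejected) are this example's own choices; the feeds, federation names and entity IDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)

# Constructed feeds. Feed B republishes an SP already in feed A, carries an IdP whose
# validUntil is in the past, and an IdP whose endpoint is plain http.
FEDERATION_A = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="example-fed-a">
  <md:EntityDescriptor entityID="https://idp.example-a.test/saml" validUntil="2099-01-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example-a.test/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.shared.test/saml" validUntil="2099-01-01T00:00:00Z">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.shared.test/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

FEDERATION_B = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="example-fed-b">
  <md:EntityDescriptor entityID="https://idp.example-b.test/saml" validUntil="2099-01-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example-b.test/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.shared.test/saml" validUntil="2099-01-01T00:00:00Z">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.shared.test/acs-other" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.old.test/saml" validUntil="2011-06-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.old.test/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.plain.test/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.plain.test/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Fixed clock so the expiry decision is reproducible (constructed value).
EXAMPLE_NOW = datetime(2012, 1, 1, tzinfo=timezone.utc)


def _parse_valid_until(value):
    """validUntil is an xs:dateTime; the constructed samples use the UTC 'Z' form."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _endpoint_locations(entity):
    # Every SAML metadata endpoint element carries a Location attribute.
    return [el.get("Location") for el in entity.iter() if el.get("Location")]


def aggregate(feeds, now):
    """Merge federation feeds into one EntitiesDescriptor and report what was rejected."""
    seen = {}   # entityID -> name of the federation that published it first
    kept = []
    report = {"kept": [], "expired": [], "duplicates": [], "insecure_endpoints": []}
    for xml_text in feeds:
        root = ET.fromstring(xml_text)
        fed_name = root.get("Name")
        for entity in root.findall(f"{{{MD_NS}}}EntityDescriptor"):
            entity_id = entity.get("entityID")
            valid_until = _parse_valid_until(entity.get("validUntil"))
            if valid_until is not None and valid_until <= now:
                report["expired"].append(entity_id)          # stale metadata is dropped
                continue
            if any(not loc.startswith("https://") for loc in _endpoint_locations(entity)):
                report["insecure_endpoints"].append(entity_id)  # this example's policy: reject
                continue
            if entity_id in seen:
                # Same entityID from a second federation: keep the first, record the conflict
                report["duplicates"].append((entity_id, seen[entity_id], fed_name))
                continue
            seen[entity_id] = fed_name
            kept.append(entity)
            report["kept"].append(entity_id)
    out = ET.Element(f"{{{MD_NS}}}EntitiesDescriptor", {"Name": "example-cross-federation"})
    out.extend(kept)
    return ET.tostring(out, encoding="unicode"), report


def count_entities(xml_text):
    return len(ET.fromstring(xml_text).findall(f"{{{MD_NS}}}EntityDescriptor"))


def run_example():
    return aggregate([FEDERATION_A, FEDERATION_B], EXAMPLE_NOW)


if __name__ == "__main__":
    aggregated_xml, report = run_example()
    print(report)
    print(aggregated_xml)
```

A production aggregator would additionally verify the XML signature of each federation feed before trusting anything in it and would sign its own output; the example deliberately stops at the structural decisions so that the border cases stay visible.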
7. UI Scalability
The user must be asked, before logging in, where to log in. If there are thousands of alternative answers, making an intuitive UI is not trivial. Attempts so far have failed.
[Screenshots: the Foodle front page (version 3.2, Norwegian UI) with its "Sign in to Foodle" provider selection, and the DiscoJuice "Select your Provider" dialog listing Feide, Feide OpenIdP, ProtectNetwork, GÉANT GIdP for Homeless and a set of Dutch institutions, with "Show providers in Netherlands", "Show all providers" and "Help me, I cannot find my provider" options. DiscoJuice © 2011, UNINETT]
Official launch at TNC2011 in May
8. DiscoJuice
› Local Memory (cookie)
› Remote Memory (DiscoReadWrite protocol + IdP Discovery)
› Javascript only, super simple to deploy
› DiscoJuiceJSON: compact UI-focused Metadata format (MDUI friendly)
› Presents logos, searchable keywords, name, descr, country...
› Automatic discovery of country
› HTML5 Geo-location API
› Graceful non-javascript fallback
› Inline incremental search
› Flexible integration API using JS callbacks.
› Protocol agnostic, demoed with alternative protocols.
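The three discovery signals listed above (searchable keywords/name/descr, the user's country, and a remembered previous choice) combine into one ranking. The following is an added example of that ranking logic, written for this page rather than taken from DiscoJuice; the JSON field names (`entityID`, `title`, `descr`, `country`, `keywords`) are this example's own simplified shape, not the real DiscoJuiceJSON format, and the feed entries and boost weights are constructed. Incremental search is modelled as prefix matching: every token the user has typed so far must be a prefix of some word in the entry, so the candidate list only narrows as more is typed.

```python
import json
import re

# Constructed feed in a simplified DiscoJuiceJSON-like shape (assumed field names, placeholder IDs).
IDP_FEED = json.loads("""[
  {"entityID": "https://idp.uni-a.test", "title": "University of Alpha",
   "descr": "Students and staff", "country": "NO", "keywords": ["alpha", "uia"]},
  {"entityID": "https://idp.uni-b.test", "title": "Alphabet College",
   "descr": "Dutch college", "country": "NL", "keywords": ["abc"]},
  {"entityID": "https://idp.uni-c.test", "title": "Gamma Institute",
   "descr": "Research institute", "country": "NO", "keywords": ["gamma"]},
  {"entityID": "https://idp.open.test", "title": "OpenIdP (guest accounts)",
   "descr": "Accounts for users without an institution", "country": null,
   "keywords": ["guest", "homeless"]}
]""")

COUNTRY_BOOST = 2     # entry is in the country detected for the user (assumed weight)
REMEMBERED_BOOST = 4  # entry was chosen before (local or remote memory) (assumed weight)


def _searchable_words(entry):
    """All words the user can search on: title, description and keywords, lower-cased."""
    text = " ".join([entry.get("title", ""), entry.get("descr", "")] + entry.get("keywords", []))
    return [w for w in re.split(r"\W+", text.lower()) if w]


def text_score(entry, query):
    """Prefix match for inline incremental search.

    Returns None when some typed token matches no word of the entry, otherwise the
    number of matched tokens (an empty query matches every entry with score 0)."""
    tokens = query.lower().split()
    words = _searchable_words(entry)
    for tok in tokens:
        if not any(w.startswith(tok) for w in words):
            return None
    return len(tokens)


def discover(entries, query="", user_country=None, remembered=None, limit=10):
    """Rank candidate IdPs for the current query, country and remembered choice."""
    ranked = []
    for entry in entries:
        score = text_score(entry, query)
        if score is None:
            continue
        if user_country and entry.get("country") == user_country:
            score += COUNTRY_BOOST
        if remembered and entry["entityID"] == remembered:
            score += REMEMBERED_BOOST
        # Higher score first; ties broken by title so the order is stable
        ranked.append((-score, entry.get("title", ""), entry["entityID"]))
    ranked.sort()
    return [entity_id for _, _, entity_id in ranked[:limit]]


def incremental_search(entries, typed, **kwargs):
    """Result list after each keystroke, as the inline search box would show it."""
    return [(typed[:i], discover(entries, typed[:i], **kwargs)) for i in range(1, len(typed) + 1)]


if __name__ == "__main__":
    for prefix, hits in incremental_search(IDP_FEED, "alp", user_country="NL"):
        print(prefix, hits)
    print(discover(IDP_FEED, "", user_country="NO", remembered="https://idp.uni-c.test"))
```

With no query typed, the remembered provider and the providers in the detected country float to the top, which is the "local memory" behaviour; typing narrows the list without ever widening it again. A real deployment should treat the country and memory inputs as hints only: the cookie or geo-location result decides ordering, never which providers the user is allowed to pick.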
9. DiscoJuice Architecture
[Diagram labels: Service Provider (SimpleSAMLphp, Application Foodle, <script ...>, js callback); Federation - central (SimpleSAMLphp, Metadata aggregator, MDX API); simple DiscoJuiceJSON; DiscoJuice reference; AS; SP]
This deployed architecture is just one example of how DiscoJuice is deployed at a demo service.
10. Interoperability
› No chance whatsoever to test all interconnected SPs and IdPs.
› We need to establish a reliable harmonization of deployment configurations of SAML entities.
› Interoperability issues are not seen by operators, but by real end-users. In general, user error messages in SAML products are far from user-friendly.
› The metadata format is not sufficient to ensure a compatible configuration of two products.
11. Where interoperability issues occur: SAML weak points
› Border cases (using less-used SAML elements, and less common flows)
› Single Logout
› XML Signatures
› XML Encryption
› Assertion Binding (SSL, authentication, etc.)
› Software bugs
› Error handling
12. Ensuring interoperability. Take 1: Profiling
Interoperable SAML Deployment Profile [saml2int] http://saml2int.org
› Requires support for basic features, bindings and protocols
› Discourages use of non-standard features
› Harmonizing configuration of options in SAML significantly decreases the chances of interoperability issues.
› Although saml2int is getting attention, it is difficult to validate configurations against it. It works more as a means of dispute resolution.
13. Ensuring interoperability. Take 2: Automated Testing
› Open SP registry allowing anyone to register Service Providers they would like to test.
› Registry features a new MetadataJS editor.
› Automated SP Testing instantly runs through approx. 80 different flows with various SAML options, and reports flaws, errors and non-recommended settings.
14. Registry with MetaeditJS
Demo URL: https://fed-lab.org/simplesaml-register/module.php/metaedit2/?
15. Automated Testing
DEMO: Microsoft ADFS
DEMO: SimpleSAMLphp
16. Revising saml2int based upon experience
[Diagram: experiences from testing various products through the Tester, experiences from cross-federation projects, and experiences from Kantara Interoperability Matrix Testing all feed into saml2int revisions]
17. Test-suite of Identity Providers
Registered Service Providers should be able to access a feed of test Identity Providers running various SAML software. Will be set up to facilitate DiscoJuice for discovery soon(!)
› Feide OpenIdP
› Federation Lab OpenIdP
› ProtectNetwork IdP
› TestShib
We want more Identity Providers! Please!
18. Useful tools: Web-based debugger
19. Useful tools: Firefox plugin
20. Best Practice Documents
› Single Logout
› De-Provisioning
› Monitoring and diagnostics (soon)
21. Tools to come
› Automated Testing of Identity Providers (service)
› Metadata validation service (service)
› Federation Provisioning Engine (software)
› Official releases of software and libraries:
  › Firefox plugin: SAMLtracer
  › DiscoJuice
  › SAMLmetaJS
22. Thanks
http://rnd.feide.no
