3. >Web Single Sign-On based on SAML
>1131 member organisations; 2278 entities
>Research and Education: 100% HE, ~80% FE,
and representation from schools, government,
public libraries, NHS
>Federation to solve problem of N² interactions*
>Interfederation through eduGAIN allows interoperability
with thousands more entities from
50 other federations*
Some numbers...
* some conditions apply
4. [Chart: Registered Entities by Type. Series: SPs, IdPs. Y axis: Entities (0 to 1500). X axis: Dec 06 to Jun 17. Data: 1-Mar-2018 00:00:00]
Type of entities 1
5. >500 Shibboleth IdPs (66%) and
Open Athens (30%)
>Recent security advisories reported on
Shibboleth announce list:
>LDAPS connector using non-standard
configuration
>ROBOT
>Shibboleth IdP v2 to v3 transition, minority of
IdPs still on v2 (End of life was July 2016)
Type of entities 2: IdPs
6. >Publishers, collaboration tools, research project
sites, gateways to e-Infrastructures, business
apps, student sites, inventories...
>Linear growth “for ever”
>Over 1000 Shibboleth SPs (75%) with a long
tail of other types of software (many open
source libraries, some products)
>Security advisories in last 12 months distributed
on Shibboleth announce:
>XMLtooling x 2
>ROBOT
>MDQ client misconfiguration
Type of entities 3: SPs
7. >99% support SAML 2 so can we just turn off SAML 1?
>Unfortunately, support != use
>Using WAYF protocol with the Central Discovery
Service implies SAML 1, so in June 2017 we
deprecated the WAYF protocol
>MDUI support (primarily logos) at 30%
>Algorithmic agility for XML cryptography
Protocol support
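
Added example (not part of the original slides): one way to measure declared protocol support from a metadata aggregate, by reading each role descriptor's protocolSupportEnumeration. The aggregate and entityIDs below are constructed placeholders; the result shows what entities advertise, not which protocol is actually used at login, which is the "support != use" gap.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML1 = {"urn:oasis:names:tc:SAML:1.0:protocol",
         "urn:oasis:names:tc:SAML:1.1:protocol",
         "urn:mace:shibboleth:1.0"}  # Shibboleth 1.x request profile, used with SAML 1

# Constructed sample aggregate; entityIDs are placeholders, not UKf entities.
# A real aggregate must have its XML signature verified before it is trusted.
SAMPLE = f"""<EntitiesDescriptor xmlns="{MD}">
 <EntityDescriptor entityID="https://idp.example.ac.uk/idp">
  <IDPSSODescriptor protocolSupportEnumeration="{SAML2} urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0"/>
 </EntityDescriptor>
 <EntityDescriptor entityID="https://sp-new.example.org/sp">
  <SPSSODescriptor protocolSupportEnumeration="{SAML2}"/>
 </EntityDescriptor>
 <EntityDescriptor entityID="https://sp-legacy.example.org/sp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
 </EntityDescriptor>
 <EntityDescriptor entityID="https://sp-mixed.example.org/sp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol {SAML2}"/>
 </EntityDescriptor>
</EntitiesDescriptor>"""


def classify(entity):
    """Return 'saml2-only', 'both', 'saml1-only' or 'none' for one entity."""
    protocols = set()
    for role in ("IDPSSODescriptor", "SPSSODescriptor"):
        for desc in entity.iter(f"{{{MD}}}{role}"):
            protocols.update(desc.get("protocolSupportEnumeration", "").split())
    has2, has1 = SAML2 in protocols, bool(protocols & SAML1)
    if has2:
        return "both" if has1 else "saml2-only"
    return "saml1-only" if has1 else "none"


def audit(xml_text):
    """Map entityID -> classification for every EntityDescriptor."""
    root = ET.fromstring(xml_text)
    return {e.get("entityID"): classify(e)
            for e in root.iter(f"{{{MD}}}EntityDescriptor")}


def saml2_support_pct(report):
    """Percentage of entities that declare SAML 2 at all."""
    with_saml2 = sum(1 for c in report.values() if c in ("both", "saml2-only"))
    return 100.0 * with_saml2 / len(report)


if __name__ == "__main__":
    report = audit(SAMPLE)
    for entity_id, kind in sorted(report.items()):
        print(f"{kind:11} {entity_id}")
    print(f"SAML 2 declared by {saml2_support_pct(report):.0f}% of entities")
```

Entities classified as saml1-only are the ones that would break if SAML 1 were switched off; entities classified as both need usage data from logs before anything can be concluded.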
10. >Not really “new” any more - live for over a year
>What is it?
>Traditional MD distribution is regular syncing of the
MD aggregate – currently 36MB
>MDQ is just-in-time fetching of bits of metadata
instead
>FAR lower resource requirements for software
– IdP uses far less memory
– SP will start up far faster
>Currently ~10% of clients are using MDQ.
>But the traffic for that 10% is 0.0001% of total
MDQ
13. >UKf CDS services ~4,000,000 CDS flows/month
>Very stable and reliable, but running on old code
>Currently deciding what to replace it with
>Awaiting results of RA21 working group
>Don’t worry – look and feel will remain as consistent
as possible (hopefully identical)
Central Discovery Service
16. >Web portal on the Jisc community website to manage
your own entities, domains, etc.
>Can still make use of helpdesk if you’re worried or
unsure about making changes!
>Coming later this year (finally)
Self Service
20. >For example:
>Improving quality of UKf Metadata
>UKf Working with eduGAIN to improve quality of
international metadata – better global interoperability
>Managed Federation – rebuilding UKf backend
systems in a containerised deployable way, to let us
run other federation’s backend systems.
>Rebuilding distribution infrastructure for MFS – UKf
infrastructure should become even more resilient and
performant
>Tracking OIDC and other emerging technologies
Behind the scenes tweaking
21. Rhys Smith
Chief technical architect, trust and identity
rhys.smith@jisc.ac.uk
We have been...
service@ukfederation.org.uk
jisc.ac.uk/uk-federation
Alex Stuart
Principal technical support specialist (UK federation)
alex.stuart@jisc.ac.uk