Federated peering the NREN way: eduGAIN and eduroam


Transcript

Connect. Communicate. Collaborate
The eduGAIN Way
Diego R. Lopez - RedIRIS
As Federations Grow
• The risk of dying of success
– Do we really need to go on selling the federated idea?
• Different communities, different needs
– Not even talking about international collaboration
– Different (but mostly alike) solutions
– Grids and libraries as current examples
– And many to come: Governments, professional associations, commercial operators,…
• Don’t hold your breath waiting for the Real And Only Global Federation
Confederations Federate Federations
• Same federating principles applied to federations themselves
– Own policies and technologies are locally applied
• Independent management
– Identity management and authentication/authorization must be properly handled by the participating federations
• Commonly agreed policy
– Linking individual federation policies
– Coarser than them
• Trust fabric entangling participants
– Without affecting each federation’s fabric
– E2E trust must be dynamically built
Applying Confederation Concepts in eduGAIN
• An eduGAIN confederation is a loosely-coupled set of cooperating federations
– That handle identity management, authentication and authorization using their own policies
• Trust between any two participants in different federations is dynamically established
– Members of a participant federation do not know in advance about members in the other federations
• Syntax and semantics are adapted to a common language
– Through an abstract service definition
The eduGAIN Model
[Diagram: an MDS to which components publish metadata and from which they query it. On the remote (resource) side, the R-FPP and R-BE carry the AA interaction towards the Resource(s); on the home side, the H-FPP and H-BE carry the AA interaction towards the Id Repository(ies). MDS: Metadata Service; FPP: Federation Peering Point; BE: Bridging Element.]
An Adaptable Model
From centralized structures...
[Diagram: one MDS; two FPPs, each with a BE, and the IdPs and SPs of each federation grouped behind them]
An Adaptable Model
...to fully E2E ones...
[Diagram: one MDS and no FPPs; every IdP and SP carries its own BE]
An Adaptable Model
...including any mix of them
[Diagram: one MDS; some federations sit behind an FPP with a BE, while other IdPs and SPs expose their own BE]
A General Model for eduGAIN Interactions
[Diagram: a Requester (component ID urn:geant2:...:requester, in front of a Resource) and a Responder (component ID urn:geant2:...:responder, in front of an Id Repository) exchange SAML messages over TLS channel(s). Both publish their metadata to the MDS at https://mds.geant.net/ and look up peers there by component ID (?cid=someURN).]

Metadata served by the MDS for the responder:
  <EntityDescriptor . . . entityID="urn:geant2:..:responder">
    . . .
    <SingleSignOnService . . . Location="https://responder.dom/" />
    . . .

Request sent by the Requester:
  <samlp:Request ...... RequestID="e70c3e9e6…" IssueInstant="2006-06…">
    . . .
  </samlp:Request>

Response returned by the Responder:
  <samlp:Response ResponseID="092e50a08…" InResponseTo="e70c3e9e…">
    . . .
  </samlp:Response>
A Layered Model for Implementation
[Diagram: the implementation stack, top to bottom]
  Component logic
  Profile Access
  eduGAINBase + eduGAINVal + eduGAINMeta
  SAML toolkit (OpenSAML)
  SOAP/TLS/XMLSig libraries
The eduGAIN APIs: Trust Evaluation
[Diagram: eduGAINVal, driven by its Configuration, a Key Store and a Trust Store, answers the following questions]
• Is this trust material (cert/signature) valid? -> Valid/not valid
• Does it correspond to component X? -> Corresponds to component X
• Sign this piece of XML -> Signature
• Which trust material should be used for connecting? -> Trust material
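The two slides above (the general requester/responder exchange, and the eduGAINVal questions "is this trust material valid?" and "does it correspond to component X?") are the security core of the model, so here is an added worked example of the requester-side check. This is illustrative code written for this page, not eduGAIN's own implementation: it stands in Ed25519 over a field concatenation for XML-Signature over SAML, an in-memory map for the MDS, and the component IDs, struct fields and function names are assumptions. The point it shows is that the verification key is taken from the MDS metadata of the component the requester intended to talk to, so a signature that is perfectly valid but made by a different registered component fails the "corresponds to component X" test, as do a tampered body and a replayed response.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// EntityDescriptor is the slice of MDS metadata the requester needs about one
// component: who it is and which key its signatures must verify under.
// (Field names are assumptions for this example, not the eduGAIN schema.)
type EntityDescriptor struct {
	EntityID   string            // e.g. urn:geant2:example:responder (hypothetical)
	SigningKey ed25519.PublicKey // trust material published through the MDS
}

// MDS stands in for the metadata service, queried by component ID (cid).
type MDS map[string]EntityDescriptor

// Request carries the SAML-style identifiers the wire protocol needs.
type Request struct {
	RequestID, IssueInstant, Issuer, Body string
}

// Response echoes the request it answers and is signed by the responder.
type Response struct {
	ResponseID, InResponseTo, Issuer, Body string
	Signature                             []byte
}

func randomID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// signedBytes is the canonical form the signature covers. Every field the
// verifier relies on is included, so none can be swapped undetected.
func (r Response) signedBytes() []byte {
	return []byte(r.ResponseID + "|" + r.InResponseTo + "|" + r.Issuer + "|" + r.Body)
}

// NewRequest is the requester side: fresh RequestID, timestamp, issuer cid.
func NewRequest(issuer, body string) Request {
	return Request{RequestID: randomID(), IssueInstant: time.Now().UTC().Format(time.RFC3339), Issuer: issuer, Body: body}
}

// Answer is the responder side: bind the response to the request and sign it.
func Answer(req Request, issuer string, key ed25519.PrivateKey, body string) Response {
	resp := Response{ResponseID: randomID(), InResponseTo: req.RequestID, Issuer: issuer, Body: body}
	resp.Signature = ed25519.Sign(key, resp.signedBytes())
	return resp
}

// VerifyResponse is the requester's trust evaluation. The key comes from the
// metadata of expectedCID, never from anything carried in the response, so
// "valid" and "corresponds to component X" are checked together.
func VerifyResponse(mds MDS, expectedCID string, req Request, resp Response) error {
	md, ok := mds[expectedCID]
	if !ok {
		return fmt.Errorf("no MDS metadata for component %q", expectedCID)
	}
	if resp.InResponseTo != req.RequestID {
		return errors.New("InResponseTo does not match our RequestID (replay or mis-routed response)")
	}
	if resp.Issuer != md.EntityID {
		return fmt.Errorf("issuer %q is not component %q", resp.Issuer, md.EntityID)
	}
	if !ed25519.Verify(md.SigningKey, resp.signedBytes(), resp.Signature) {
		return errors.New("signature does not verify under the key published for " + expectedCID)
	}
	return nil
}

// Scenario runs one honest exchange and three that must be rejected. Keys and
// component IDs are generated locally for the example; nothing touches the network.
func Scenario() map[string]error {
	const target, other = "urn:geant2:example:responder", "urn:geant2:example:other"
	mds, keys := MDS{}, map[string]ed25519.PrivateKey{}
	for _, cid := range []string{target, other} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		keys[cid] = priv
		mds[cid] = EntityDescriptor{EntityID: cid, SigningKey: pub}
	}
	req := NewRequest("urn:geant2:example:requester", "AuthN request")
	results := map[string]error{}
	// The component we looked up answers and signs with its own key.
	results["honest"] = VerifyResponse(mds, target, req, Answer(req, target, keys[target], "assertion"))
	// Another registered component claims the target's identity: its trust
	// material is valid in the MDS, but it does not correspond to component X.
	results["spoofed"] = VerifyResponse(mds, target, req, Answer(req, target, keys[other], "assertion"))
	// The right signer, but the body was altered after signing.
	tampered := Answer(req, target, keys[target], "assertion")
	tampered.Body = "assertion for someone else"
	results["tampered"] = VerifyResponse(mds, target, req, tampered)
	// A genuine earlier response replayed against a fresh request.
	results["replayed"] = VerifyResponse(mds, target, NewRequest("urn:geant2:example:requester", "AuthN request"),
		Answer(req, target, keys[target], "assertion"))
	return results
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-8s -> %v\n", name, err)
	}
}
```

The order of checks matters less than their source: the requester decides which component it meant to reach before it sends the request, fetches that component's metadata by cid, and judges the reply only against that. Letting the response name its own issuer and supply its own certificate would turn "is this valid?" into the only question, which is exactly the confusion the second eduGAINVal question exists to prevent.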
The eduGAIN APIs: Metadata Access
[Diagram: eduGAINMeta, driven by its Configuration and built on eduGAINVal, answers the following questions]
• Publish these metadata through the MDS server -> Publishing result
• Which component(s) can be queried to retrieve data about someone with these Home Locators? -> Component metadata
• Give me metadata about this part of eduGAIN -> Metadata
The eduGAIN APIs: Abstract Service
[Diagram: eduGAINBase, driven by its Configuration and built on eduGAINMeta and eduGAINVal, answers the following questions]
• Create/manipulate an abstract service object -> Abstract service object
• Transform this abstract service object to/from the wire protocol -> Abstract service object or protocol element
• Send ASO: (AuthN/Attr/AuthR) request (Vanilla profile) -> Corresponding ASO response
The eduGAIN APIs: Profile Access
[Diagram: the eduGAIN Profile API, driven by its Configuration and built on eduGAINBase, eduGAINMeta and eduGAINVal, answers the following questions]
• Is this AuthN/Attr material valid? -> Valid/not valid
• Provide data from the requester -> Data
• Create/modify a security token -> Token
• Is this request authorized? -> Authorization response
eduGAIN Profiles
• Oriented to
– Enable direct federation interaction
– Enable services in a confederated environment
• Four profiles discussed so far
– WebSSO (Shibboleth browser/POST)
– AC (automated client: no human interaction)
– UbC (user behind non-Web client: use of SASL-CA)
– WE (WebSSO enhanced client: delegation)
• Others envisaged
– Extended Web SSO (allowing POST data to be sent)
– eduGAIN usage from roaming clients (DAMe)
• Based on SAML 1.1
– Mapping to SAML 2.0 profiles during the transition period
The WebSSO Profile
The AC Profile
The UbC Profile
The WE Profile
[Diagrams: the four profile flows are shown only in the original slides]
The Paved Way
• The first eduGAIN enabled resource is already available
– http://www.rediris.es/jra5wiki/
– As a result of the implementation of the WebSSO profile
• Prototypes for
– The MDS
– The component ID registry
– The PKI components
• eduGAIN base APIs available at the GN2 SVN server
• Cookbook and reference material
The Road Ahead
• Implementing the rest of initial profiles
– Direct collaboration with initial user activities
– And initial liaisons with some others
• Migration to SAML2
– Plans to align as much as possible with Shibboleth 2
• Building stable support services
– Many component IDs foreseen
– Web-based and extensible PKI services
• Keeping coolness
– CardSpace
– OpenID
• And policy!