Transcript - Wierenga
Connect. Communicate. Collaborate

eduGAIN in Real Life!
Ajay Daryanani, RedIRIS
TERENA Networking Conference, Brugge, 20th May 2008

Outline
• Introducing eduGAIN
• eduGAIN in real life
• eduGAIN FAQ
• Future plans

Introduction: Concepts
• eduGAIN federates federations
• Federation policy and technology remain untouched
• Providing trust among partners
• Using standards

Introduction: Architecture
(architecture diagram)

Bridging Elements
• Adapt eduGAIN messages to local protocols
• Query the MDS for other BEs in the infrastructure
• Several BEs available

Federation Peering Point
• Publishes SAML 2.0 metadata to the MDS
• Metadata describes federation interfaces in eduGAIN, such as IdPs, SPs, AAs...

Metadata Service
• Allows storage and retrieval of federation information
• Follows a REST approach
• Metadata must be signed by the FPP

eduGAIN in real life
• Two approaches
  – Components
    • URN Registry
    • eduGAIN PKI
    • MDS-based WFAYF
    • eduGAINFilter
  – Applications / Projects
    • autoBAHN
    • Web applications
    • perfSONAR, DAMe

Components: URN Registry
• Each eduGAIN component MUST have a unique URN
• Registry can be delegated
• Can produce XML output
• Format: urn:geant:edugain:component:be:rediris:rediris.es
• URL: http://registry.edugain.org

Components: eduGAIN PKI
• Each eduGAIN component MUST have an X.509 certificate
  – Which includes the previously registered URN
• Different RAs can be delegated from the eduGAIN SCA
• URL: http://sca.edugain.org
• eduGAIN supports multiple roots of trust
  – Certs MUST include a proper URN
  – CA MUST comply with the eduGAIN PMA policy

Components: MDS-based WFAYF (1)
• WFAYF = Which Federation Are You From
• Queries the MDS for available federations and IdPs

Components: MDS-based WFAYF (2)
(screenshot: RedIRIS federation - Organization info - IdPs - ...)
• Highlight available federations
• Federation info available through JavaScript events
• Servlet can be queried by other interfaces

Components: eduGAINFilter
• Implementation of the javax.servlet.Filter interface
• eduGAINizes any application inside a servlet container...
• ... without any federation software!
• Operates as an eduGAIN Remote Bridging Element
• Beta version available at GÉANT2 SVN

Applications: autoBAHN (1)
• AutoBAHN is a research activity for engineering, automating and streamlining the inter-domain setup of guaranteed-capacity (Gbit/s) end-to-end paths
• A chained solution is adopted:
  – A user is authenticated and his/her BoD request is authorized successively in each domain on the path where bandwidth should be scheduled.
  – The scheduled resources are enabled in each domain by the Domain Manager (DM) only after AA
Extract from a presentation by Victor Reijs (HEAnet): http://tnc2007.terena.org/meetings/aai-slides/autoBAHN_AAI_TNC2007-vr-03.ppt

Applications: AutoBAHN (2)
• User authN is performed through eduGAINFilter
• DM fetches user data and includes it in the WS message using SAML Parser
• Each IDM may use the data to perform authorization locally

Applications: WebSSO
• eduGAINized applications
  – Wikis
    • JRA5 wiki: http://wiki.rediris.es/jra5
    • DemoWiki: http://demowiki.feide.no
  – OTRS: http://edugain-rnd.srce.hr/otrs/customer.pl
• Lessons learned
  – We need attribute conversion
  – We need to agree on access policies
  – It works :-)

The common reaction
(embedded video)

eduGAIN FAQs
• Question: What the $%&/ is eduGAIN about?
  – Answer: Watch the presentation from the beginning
• Q: Does this freak stuff really work?
  – A: YES
• Q: What do I need to become part of the infrastructure?
  – A: The recipe is: choose your SW, add a pinch of URN and mix it with certificates; cook your metadata on a slow fire, take it off the fire and place it in an MDS. It can be seasoned with your own CA.
• Q: My problem can't be solved with the current eduGAIN profiles
  – A: Contact us!

Future plans
• Complete the implementation, make it stable
• Add SAML 2.0 support
• Shib 2.0 testing
• Transition to service
• Dynamic metadata discovery
• Explore new profiles and use cases

Thanks to...

For More Information
• http://www.edugain.org
• http://www.geant2.net
• For latest news and factsheets: http://www.geant2.net/media
• For research activities: http://www.geant2.net/research
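The onboarding "recipe" from the FAQ slide, combined with the rules on the URN Registry and PKI slides (unique registered URN, certificate carrying that URN, CA accepted by the eduGAIN PMA), as an added Python example that is not part of this presentation or of the eduGAIN software. The split of the URN into component type, federation and identifier, the fields extracted from the certificate, and the registry and CA names are assumptions constructed for the illustration; no real X.509 parsing is done.

```python
import re
from dataclasses import dataclass

# Assumed structure of an eduGAIN component URN, generalised from the single
# example on the registry slide: urn:geant:edugain:component:be:rediris:rediris.es
URN_RE = re.compile(
    r"^urn:geant:edugain:component:"
    r"(?P<ctype>[a-z]+):(?P<federation>[a-z0-9.-]+):(?P<ident>[a-z0-9.-]+)$"
)


@dataclass(frozen=True)
class ComponentUrn:
    ctype: str        # component type, e.g. "be" for a Bridging Element
    federation: str   # federation whose (delegated) registry issued it
    ident: str        # component identifier within that federation


def parse_component_urn(urn):
    """Parse an eduGAIN component URN; raise ValueError if it is malformed."""
    m = URN_RE.match(urn.strip())
    if not m:
        raise ValueError(f"not an eduGAIN component URN: {urn!r}")
    return ComponentUrn(m["ctype"], m["federation"], m["ident"])


@dataclass(frozen=True)
class ComponentCert:
    """Assumed view of a component certificate (hypothetical, not eduGAIN's API)."""
    urn: str        # URN the certificate carries (assumed: a subjectAltName URI)
    issuer_ca: str  # name of the issuing CA


def onboarding_failures(urn, registry, cert, pma_accepted_cas):
    """Apply the slide deck's rules; return the list of failures (empty = passes).

    registry: set of URNs the (possibly delegated) URN registry knows.
    pma_accepted_cas: CAs that comply with the eduGAIN PMA policy
    (the eduGAIN SCA or a federation's own root of trust).
    """
    try:
        parse_component_urn(urn)
    except ValueError as exc:
        return [str(exc)]
    failures = []
    if urn not in registry:
        failures.append("URN is not registered")
    if cert.urn != urn:
        failures.append("certificate URN does not match registered URN")
    if cert.issuer_ca not in pma_accepted_cas:
        failures.append(f"CA {cert.issuer_ca!r} not accepted by eduGAIN PMA")
    return failures
```

A component passing this check still needs its signed metadata published to the MDS by its FPP before other BEs can discover it; that step is not modelled here.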