SIR, FedSSH and more to come… Diego R. Lopez, RedIRIS TF-EMC2, Umea

SIR
Servicio de Identidad de RedIRIS
• Provide a single entry point to digital identity services for the academic community
• Multiprotocol
  - Simplify management
  - Guarantee evolution
• Flexible
  - Compatible with any level of IdM deployment
  - Able to live in parallel with other infrastructures
• http://www.rediris.es/sir/
TF-EMC2. Umea, July 2008
The SIR Model
"One Ring to bring them all and in the darkness bind them
In the Land of Mordor where the Shadows lie."
IdPs in SIR
• Institutions in the RedIRIS constituency
  - Virtual organizations related to them
• Must install a connector
  - Able to produce assertions in the PAPI v1 protocol
  - Minimum set of attributes in the iris-* schemas
  - PHP, Java (JSP & Filter), Apache mod_perl, ASP, Sun AM, OSSO and some specific ones
  - Community process for developing new ones
• Must register for the service
  - Accepting the conditions of use
  - Providing their metadata
SIR Services
• Interconnection with SAML infrastructures
• Access to PAPI-based services
• eduGAIN BE
• OpenID producer
• Validation services
  - Attribute exchange
  - SAML
  - OpenID
SIR: SAML (including eduGAIN)
• Virtual IdP per institution
  - Using simpleSAMLphp capabilities
• Metadata distribution for regional federations
  - Direct integration of SAML IdPs is feasible
• Central eduGAIN BE
  - Plus virtual BEs for institutions requesting them
• Commercial providers
  - Microsoft
  - Elsevier
  - Requests ongoing for Ovid, JSTOR, EBSCO,…
  - Driven by the user institutions
SIR: PAPI
• Two ways for connection:
  - GPoA SIR
  - Virtual AS for each institution
• Access to the national license on ISI WoK
• RedIRIS inner services
  - Conferences
  - Service control panel
  - Portals
• Proxies
SIR: OpenID
• Virtual producer per institution
• Additional controls
  - Match URL with attribute values
  - Specify acceptable RPs
  - User consent for extensions related to personal data
• Identifiers in any of the Spanish languages
  yo.rediris.es/soy/[email protected]
  jo.rediris.es/soc/[email protected]
  eu.rediris.es/son/[email protected]
  ni.rediris.es/[email protected]/naiz
  - Simplified versions possible for OpenID2
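The two "additional controls" above (the identifier URL must match the authenticated user's attribute values, and only listed RPs are served) are what stop one user from asserting another user's identifier and stop an unlisted site from consuming assertions. The following is an added example of those checks, not SIR's own code. It assumes that the variable part of each identifier is the user's principal name held in the session attribute eduPersonPrincipalName, and that acceptable relying parties are listed by the host of their OpenID realm; all names and values are constructed.

```python
"""Controls an OpenID producer can apply before asserting an identifier.

Added example, not SIR's code. Assumptions: the variable part of each
identifier is the authenticated user's principal name, held in the session
attribute "eduPersonPrincipalName"; acceptable relying parties are listed by
the host of their OpenID realm.
"""
import re
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlparse

# Identifier shapes from the slide; the capture group is the user-specific part.
IDENTIFIER_PATTERNS = {
    "yo.rediris.es": re.compile(r"^/soy/([^/]+)$"),
    "jo.rediris.es": re.compile(r"^/soc/([^/]+)$"),
    "eu.rediris.es": re.compile(r"^/son/([^/]+)$"),
    "ni.rediris.es": re.compile(r"^/([^/]+)/naiz$"),
}


def principal_from_identifier(identifier: str) -> Optional[str]:
    """Return the principal embedded in a SIR-style identifier, or None if the
    URL is not one of the known shapes (unknown host or wrong path layout)."""
    url = urlparse(identifier if "://" in identifier else "http://" + identifier)
    pattern = IDENTIFIER_PATTERNS.get(url.hostname or "")
    if pattern is None:
        return None
    match = pattern.match(url.path)
    return match.group(1) if match else None


def rp_is_acceptable(realm: str, acceptable_rps: Iterable[str]) -> bool:
    """Accept a relying party only if its realm host is, or is under, a listed host."""
    host = urlparse(realm).hostname
    if not host:
        return False
    return any(host == rp or host.endswith("." + rp) for rp in acceptable_rps)


def decide(identifier: str, session_attrs: Dict[str, str], realm: str,
           acceptable_rps: Iterable[str],
           attribute: str = "eduPersonPrincipalName") -> Tuple[bool, str]:
    """Apply the slide's controls: the identifier must carry the user's own
    attribute value, and the RP must be acceptable. Returns (allowed, reason)."""
    principal = principal_from_identifier(identifier)
    if principal is None:
        return False, "identifier does not match any SIR identifier pattern"
    if session_attrs.get(attribute) != principal:
        return False, f"identifier does not match the user's {attribute}"
    if not rp_is_acceptable(realm, acceptable_rps):
        return False, "relying party is not in the acceptable list"
    return True, "ok"


# Constructed session and policy for a demonstration run.
SESSION_ATTRS = {"eduPersonPrincipalName": "ana.perez@uni.example"}
ACCEPTABLE_RPS = ["example.org", "rediris.es"]

if __name__ == "__main__":
    for ident, realm in [
        ("yo.rediris.es/soy/ana.perez@uni.example", "https://wiki.example.org/"),
        ("ni.rediris.es/luis@uni.example/naiz", "https://wiki.example.org/"),  # not this user
        ("eu.rediris.es/son/ana.perez@uni.example", "https://evil.example.net/"),  # RP unlisted
    ]:
        print(ident, realm, decide(ident, SESSION_ATTRS, realm, ACCEPTABLE_RPS))
```

The host check is exact: a lookalike host such as attacker.example serving a /soy/ path yields no principal at all, so the identifier is refused before any attribute comparison takes place.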
SIR: Some ideas for the future
• New protocols and identity services
  - OAuth
  - Cardspace
  - COmanage
• New applications (beyond WebSSO)
  - SSH access
  - Distributed storage
  - Attribute authorities (a-la-COManage)
• Grid interconnection
  - SLCS
  - VOMS
• Usage of DNIe
  - And the PEPS
FedSSH
• Based on the ideas discussed by TF-EMC2 over the past summer
• Common public key servers are updated through specific SPs
• A modified version of the SSH server able to use an external repository for public keys
Deploying FedSSH
• Deployed as a pilot by CONFIA, the Southern Spanish federation
  - Applied to teaching environments
  - Connected to a federated account provision system
• Plans to explore the applicability to storage services
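The FedSSH design on the two slides above (an SSH server that takes public keys from an external repository, which federation SPs and an account provisioning system keep current) no longer needs a patched server: OpenSSH can delegate the lookup to an external program through the AuthorizedKeysCommand and AuthorizedKeysCommandUser settings in sshd_config. The script below is an added example of such a lookup program, not the CONFIA pilot's code. The repository schema (one record per local account with a principal, an active flag and a key list), the record contents and the key blob are all constructed; the blob only has valid ed25519 wire framing and is not a usable key.

```python
"""AuthorizedKeysCommand-style lookup against an external public key repository.

Added example; not the FedSSH pilot's code. OpenSSH can hand key lookup to an
external program (AuthorizedKeysCommand / AuthorizedKeysCommandUser in
sshd_config) instead of running a modified server; this script plays that role.
The repository schema is an assumption: one record per local account, kept
current by a federated account provisioning system.
"""
import base64
import json
import struct
import sys
from typing import Dict, List, Optional

ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}


def _ssh_string(value: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(value)) + value


# Constructed blob: correct ed25519 framing around an all-zero 32-byte point.
# Not a usable key; it only lets the framing check below succeed.
ED25519_BLOB = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode()

# Constructed repository snapshot (assumed schema): local account -> record.
REPOSITORY_JSON = json.dumps({
    "alice": {"principal": "alice@uni.example", "active": True,
              "keys": [{"type": "ssh-ed25519", "blob": ED25519_BLOB}]},
    "bob":   {"principal": "bob@uni.example", "active": False,   # deprovisioned account
              "keys": [{"type": "ssh-ed25519", "blob": ED25519_BLOB}]},
    "carol": {"principal": "carol@uni.example", "active": True,
              "keys": [{"type": "ssh-ed25519", "blob": "not base64 at all"},
                       {"type": "ssh-rsa", "blob": ED25519_BLOB}]},  # declared type != blob
})


def load_repository(text: str) -> Dict[str, dict]:
    """Parse the repository snapshot (a real deployment would fetch it over HTTPS/LDAP)."""
    return json.loads(text)


def wire_type(blob_b64: str) -> Optional[str]:
    """Return the key type recorded inside the blob's SSH wire encoding, or None if malformed."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 4:
        return None
    (length,) = struct.unpack(">I", raw[:4])
    if length == 0 or len(raw) < 4 + length:
        return None
    try:
        return raw[4:4 + length].decode("ascii")
    except UnicodeDecodeError:
        return None


def key_is_acceptable(entry: dict) -> bool:
    """A key is used only if its type is allowed, the blob has no whitespace
    (so it cannot spill into other authorized_keys fields) and the type the
    blob declares internally matches the type recorded in the repository."""
    ktype, blob = entry.get("type", ""), entry.get("blob", "")
    if ktype not in ALLOWED_TYPES or not blob or any(c.isspace() for c in blob):
        return False
    return wire_type(blob) == ktype


def authorized_keys_for(username: str, repo: Dict[str, dict]) -> List[str]:
    """Build authorized_keys lines for one local account; an empty list means no keys.

    The options column is fixed here ("restrict,pty": no forwarding, but a
    terminal, which suits a teaching host). Repository fields never reach that
    column, so a corrupted record cannot smuggle a command= or other option in.
    """
    record = repo.get(username)
    if not record or not record.get("active"):
        return []
    principal = record.get("principal", "")
    if any(c.isspace() for c in principal):   # keep the comment field single-token
        principal = ""
    lines = []
    for entry in record.get("keys", []):
        if key_is_acceptable(entry):
            lines.append(f"restrict,pty {entry['type']} {entry['blob']} {principal}".rstrip())
    return lines


if __name__ == "__main__":
    # Assumed sshd_config line: AuthorizedKeysCommand /usr/local/sbin/fedssh-keys %u
    for line in authorized_keys_for(sys.argv[1], load_repository(REPOSITORY_JSON)):
        print(line)
```

Because the program emits nothing for an inactive or unknown account, deprovisioning in the federated account system takes effect at the next login attempt without touching any ~/.ssh/authorized_keys file on the host; the key material itself is still verified by sshd, the script only decides which keys are presented to it.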
Riding the Hype
• Make the case for identity services among the wider user community
  - Some of the big players are behind
• Explore direct potential applications
  - There are smart people working on this
Identity a-la-carte
• “Use your identity everywhere”
  - Easy deployment of additional control
  - Makes it more valuable to users
• OpenID identifiers for catch-all, low-LoA IdPs
Lightweight federation?
• SP checks for trusted IdP
• IdP checks for trusted SP
• Mutual authentication possible
• No changes to the basic protocol required
• ARPs could be implemented as well
• Simpler to deploy? Easier to integrate? Closer to commercial providers?
OAuth for auto-registration
Actors: Fed IdP, Fed SP
• Initiate registration
• Request attributes
• Process attributes
  - Decide on values
  - Update databases
  - Associate with agreed identifiers
Edificio CICA
Avenida Reina Mercedes s/n
41012 Sevilla. España