The eduGAIN Way


Presentation Transcript


  1. The eduGAIN Way Diego R. Lopez - RedIRIS

  2. As Federations Grow
  • The risk of dying of success
    • Do we really need to go on selling the federated idea?
  • Different communities, different needs
    • Not even talking about international collaboration
  • Different (but mostly alike) solutions
    • Grids and libraries as current examples
    • And many to come: Governments, professional associations, commercial operators,…
  • Don’t hold your breath waiting for the Real And Only Global Federation

  3. Confederations Federate Federations
  • Same federating principles applied to federations themselves
    • Own policies and technologies are locally applied
    • Independent management
    • Identity and authentication-authorization must be properly handled by the participating federations
  • Commonly agreed policy
    • Linking individual federation policies
    • Coarser than them
  • Trust fabric entangling participants
    • Without affecting each federation’s fabric
    • E2E trust must be dynamically built

  4. Applying Confederation Concepts in eduGAIN
  • An eduGAIN confederation is a loosely-coupled set of cooperating federations
    • That handle identity management, authentication and authorization using their own policies
  • Trust between any two participants in different federations is dynamically established
    • Members of a participant federation do not know in advance about members in the other federations
  • Syntax and semantics are adapted to a common language
    • Through an abstract service definition

  5. Connect. Communicate. Collaborate. The eduGAIN Model. Diagram: a Metadata Service (MDS) that receives Metadata Publish from each side and answers Metadata Query; on the remote and home sides the Federation Peering Points (R-FPP, H-FPP) and Bridging Elements (R-BE, H-BE); AA Interaction flowing between these components; Resource(s) at the remote end and Id Repository(ies) at the home end.

  6. An Adaptable Model: from centralized structures... Diagram: each federation’s IdPs and SPs sit behind a single FPP and BE, and only those talk to the MDS.

  7. An Adaptable Model: ...to fully E2E ones... Diagram: every IdP and SP has its own BE, each known to the MDS, with no FPP in between.

  8. An Adaptable Model: ...including any mix of them. Diagram: some federations route their IdPs and SPs through an FPP and shared BE, others give each IdP and SP its own BE; all of them are registered with the same MDS.

  9. A General Model for eduGAIN Interactions. Diagram: the Requester (component ID urn:geant2:...:requester, in front of a Resource) first queries the MDS over a TLS channel at https://mds.geant.net/?cid=someURN and receives the Responder’s metadata, <EntityDescriptor . . . entityID="urn:geant2:..:responder"> . . . <SingleSignOnService . . . Location="https://responder.dom/" /> . . .; it then opens TLS channel(s) to that location and sends <samlp:Request . . . RequestID="e70c3e9e6…" IssueInstant="2006-06…"> . . . </samlp:Request>, to which the Responder (component ID urn:geant2:...:responder, in front of an Id Repository) answers <samlp:Response . . . ResponseID="092e50a08…" InResponseTo="e70c3e9e…"> . . . </samlp:Response>.

  10. A Layered Model for Implementation. Layers, top to bottom: Component logic (using Profile Access, or eduGAINBase directly); Profile Access; eduGAINBase + eduGAINVal + eduGAINMeta; SAML toolkit (OpenSAML); SOAP/TLS/XMLSig libraries.

  11. The eduGAIN APIs: Trust Evaluation (eduGAINVal). Backed by its Configuration, a Key Store and a Trust Store. Operations: “Is this trust material (cert/signature) valid? Does it correspond to component X?” → valid/not valid, corresponds to component X; “Sign this piece of XML” → signature; “Which trust material to use for connecting?” → trust material.

  12. The eduGAIN APIs: Metadata Access (eduGAINMeta). Backed by its Configuration and by eduGAINVal. Operations: “Publish these metadata through the MDS server” (component metadata in, publishing result out); “Give me metadata about this part of eduGAIN”; “Which component(s) can be queried to retrieve data about someone with these Home Locators?”

  13. The eduGAIN APIs: Abstract Service (eduGAINBase). Backed by its Configuration and by eduGAINMeta and eduGAINVal. Operations: create/manipulate an abstract service object; transform an abstract service object to/from the wire protocol (abstract service object or protocol element in, the other form out); “Send ASO: (AuthN/Attr/AuthR) request (Vanilla profile)” → corresponding ASO response.

  14. The eduGAIN APIs: Profile Access (eduGAINProfile API). Backed by its Configuration and by eduGAINBase, eduGAINMeta and eduGAINVal. Operations: “Is this AuthN/Attr material valid?” → valid/not valid; “Provide data from the requester” → data; “Create/modify a security token” → token; “Is this request authorized?” → authorization response.
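Added example, not part of the presentation and not eduGAIN’s own code: the requester side of the slide 9 exchange in Python, with the checks the model implies. The responder’s endpoint is taken from metadata bound to its component ID (the MDS query of slide 9, the “give me metadata” lookup of slide 12), and a Response is accepted only if its InResponseTo names our RequestID and its IssueInstant is fresh (one of the “is this material valid?” questions slide 11 hands to eduGAINVal). The component ID, host names, SAML 2.0 metadata framing around the SAML 1.1 messages, and the message contents are constructed stand-ins; XML signature and TLS certificate verification are left out.

```python
# Added example (not eduGAIN code).  Plays the requester of slide 9 against a
# constructed responder and applies correlation and freshness checks.
# Component IDs, URLs and message bodies below are assumptions for illustration.
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed stand-in for the EntityDescriptor an MDS lookup by component ID
# (cid=...) would return; the URN and hostname are assumed.
RESPONDER_ID = "urn:geant2:example.org:responder"
MDS_ANSWER = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="{RESPONDER_ID}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
                         Location="https://responder.example.org/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def locate_endpoint(metadata_xml: str, component_id: str) -> str:
    """Return the SingleSignOnService Location for component_id, refusing
    metadata that names a different entity or a non-TLS endpoint."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor")
    if root.get("entityID") != component_id:
        raise ValueError("metadata is for a different component")
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    if sso is None or not sso.get("Location", "").startswith("https://"):
        raise ValueError("no TLS-protected SingleSignOnService endpoint")
    return sso.get("Location")


def build_request(now: datetime) -> tuple[str, str]:
    """Build a minimal SAML 1.1 Request with an unguessable RequestID."""
    request_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:Request xmlns:samlp="{NS["samlp"]}" RequestID="{request_id}" '
           f'MajorVersion="1" MinorVersion="1" IssueInstant="{now.strftime(TIME_FMT)}"/>')
    return request_id, xml


def make_response(in_response_to: str, now: datetime, success: bool = True) -> str:
    """Responder side (constructed): a SAML 1.1 Response correlated to a request."""
    code = "samlp:Success" if success else "samlp:Responder"
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" ResponseID="_{secrets.token_hex(16)}" '
            f'InResponseTo="{in_response_to}" MajorVersion="1" MinorVersion="1" '
            f'IssueInstant="{now.strftime(TIME_FMT)}">'
            f'<samlp:Status><samlp:StatusCode Value="{code}"/></samlp:Status>'
            f'</samlp:Response>')


def check_response(response_xml: str, expected_request_id: str, now: datetime,
                   max_skew: timedelta = timedelta(minutes=5)) -> bool:
    """Accept a Response only if it answers our Request and is fresh; return
    whether the responder reported success.  Raises ValueError otherwise."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("Response does not correlate with our Request")
    issued = datetime.strptime(root.get("IssueInstant"), TIME_FMT).replace(tzinfo=timezone.utc)
    if abs(now - issued) > max_skew:
        raise ValueError("Response IssueInstant outside acceptance window")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return code is not None and code.get("Value", "").endswith(":Success")


def run_example() -> dict:
    """Walk the exchange once, then feed in a reply to some other request and a
    stale reply; both must be refused."""
    now = datetime(2006, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    endpoint = locate_endpoint(MDS_ANSWER, RESPONDER_ID)
    request_id, _request_xml = build_request(now)
    outcomes = {"endpoint": endpoint,
                "valid": check_response(make_response(request_id, now), request_id, now)}
    for label, reply in (
        ("foreign_reply", make_response("_someone-elses-request", now)),
        ("stale_reply", make_response(request_id, now - timedelta(hours=1))),
    ):
        try:
            check_response(reply, request_id, now)
            outcomes[label] = "accepted"
        except ValueError:
            outcomes[label] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(run_example())
```

The endpoint check matters because the whole point of the MDS step is that the requester learns where to send the Request from signed metadata rather than from the peer itself; the InResponseTo check is what ties the Response on the second TLS channel back to the Request the requester actually issued.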

  15. eduGAIN Profiles
  • Oriented to
    • Enable direct federation interaction
    • Enable services in a confederated environment
  • Four profiles discussed so far
    • WebSSO (Shibboleth browser/POST)
    • AC (automated client: no human interaction)
    • UbC (user behind non-Web client: use of SASL-CA)
    • WE (WebSSO enhanced client: delegation)
  • Others envisaged
    • Extended Web SSO (allowing POST data to be sent)
    • eduGAIN usage from roaming clients (DAMe)
  • Based on SAML 1.1
    • Mapping to SAML 2.0 profiles along the transition period

  16. The WebSSO Profile

  17. The AC Profile

  18. The UbC Profile

  19. The WE Profile

  20. The Paved Way
  • The first eduGAIN enabled resource is already available
    • http://www.rediris.es/jra5wiki/
    • As a result of the implementation of the WebSSO profile
  • Prototypes for
    • The MDS
    • The component ID registry
    • The PKI components
  • eduGAIN base APIs available at the GN2 SVN server
    • Cookbook and reference material

  21. The Road Ahead
  • Implementing the rest of initial profiles
  • Direct collaboration with initial user activities
    • And initial liaisons with some others
  • Migration to SAML2
    • Plans to align as much as possible with Shibboleth 2
  • Building stable support services
    • Many component IDs foreseen
    • Web-based and extensible PKI services
  • Keeping coolness
    • CardSpace
    • OpenID
  • And policy!
