Federation peering

Connect. Communicate. Collaborate
Federation peering à la European
The eduGAIN way
Diego R. Lopez - RedIRIS
As Federations Grow
• The risk of dying of success
– Do we really need to go on selling the federated idea?
• Different communities, different needs
– Not even talking about international collaboration
– Different (but mostly alike) solutions
– Grids and libraries as current examples
– And many to come: Governments, professional associations, commercial operators,…
• Don’t hold your breath waiting for the Real And Only Global Federation
Confederations Federate Federations
• Same federating principles applied to federations themselves
– Own policies and technologies are locally applied
• Independent management
– Identity and authentication-authorization must be properly handled by the participating federations
• Commonly agreed policy
– Linking individual federation policies
– Coarser than them
• Trust fabric entangling participants
– Without affecting each federation’s fabric
– E2E trust must be dynamically built
First Steps
• Simplifying user collaboration across whatever border is an excellent selling argument
– Making the whole promise of the VO idea
– eduroam’s fast worldwide success is a clear example
• Lingua franca
– Syntax: SAML profiles
• Converging to 2.0
– Semantics: eduPerson, SCHAC
• Trust fabric
– Public key technologies (if not infrastructures)
– Component identifiers and registries
– Metadata repositories
Policy and Legal Matters
• The PMA model has proven extremely useful
– Consensual set of guidelines
– Peer-reviewed accreditation
• Legal matters: Hic sunt leones
– For techies like us
– Privacy
– Liability
– More or less manageable in the case of (national) federations
The AAI Goal in GÉANT2
• To build an interoperable authentication and authorisation infrastructure that will be used all over Europe, enabling seamless sharing of e-science resources
• We started from
– Scattered AAI implementations in the EU and abroad
• And growing
– The basic idea of federating them, preserving hard-won achievements
Applying Confederation Concepts
• An eduGAIN confederation is a loosely-coupled set of cooperating identity federations
– That handle identity management, authentication and authorization using their own policies
• Trust between any two participants in different federations is dynamically established
– Members of a participant federation do not know in advance about members in the other federations
• Syntax and semantics are adapted to a common language
– Through an abstract service definition
The eduGAIN Components
• Bridging Elements (BE)
– Interconnection points
– Federation-wide (LFA) or distributed (LA)
• Federation Peering Point (FPP)
– Able to announce BE metadata
• The Metadata Service (MDS)
– Publishing interface (to FPPs)
– Querying interface (to BEs)
The eduGAIN Model
[Figure: the eduGAIN model. The MDS sits between the resource side and the home side. On the resource side, the R-FPP publishes metadata to the MDS and the R-BE queries it; the R-BE carries the AA interaction with the Resource(s). On the home side, the H-FPP publishes metadata to the MDS and the H-BE carries the AA interaction with the Id Repository(ies). The AA interaction between the two federations runs between R-BE and H-BE.]
An Adaptable Model
[Figure, three panels built from the same components (MDS, FPP, BE, IdP, SP) in different arrangements:]
– From centralized structures... (one MDS; two FPPs, each with a single federation-wide BE serving many IdPs and SPs)
– ...to fully E2E ones... (one MDS; no FPPs; every IdP and SP with its own BE)
– ...including any mix of them (one MDS; FPPs with federation-wide BEs alongside IdPs and SPs carrying their own BEs)
The (X.509) Trust Fabric
• Validation procedures include
– Normal certificate validation
• Trust path evaluation, signatures, revocation,…
– Peer identification
• Certificates hold the component identifier
• It must match the appropriate metadata
• Applicable to
– TLS connections between components
• Two-way validation is mandatory
– Verification of signed XML assertions
Component Identifiers
• eduGAIN operations strongly depend on having unique, structured and well-defined component identifiers
• Based on URNs delegated by the eduGAIN registry to the participating federation
• Identifiers establish the kind of component they apply to by means of normalized prefixes
• Identifiers follow the hierarchy of the trust establishing process
A General Model for eduGAIN Interactions
[Figure: a Requester (urn:geant2:...:requester), acting for a Resource, and a Responder (urn:geant2:...:responder), acting for an Id Repository, interact over TLS channel(s). The Requester first queries the MDS at https://mds.geant.net/ (?cid=someURN) and receives an <EntityDescriptor . . . entityID=”urn:geant2:..:responder”> whose <SingleSignOnService . . . Location=“https://responder.dom/” /> gives the Responder’s endpoint. It then sends a <samlp:Request RequestID=”e70c3e9e6…” IssueInstant=“2006-06…”> . . . </samlp:Request> to the Responder, which answers with <samlp:Response ResponseID=”092e50a08…” InResponseTo=“e70c3e9e…”> . . . </samlp:Response>.]
Operation Mapping
• Maps the abstract service definition into actual protocols
• Current version is based on SAML 1.1
– Profiling the standard to fit abstract parameters
• A SAML 2.0 implementation will be available along the lifetime of the project
– The abstract service specification protects components and applications from these changes
• Authentication assertions and attribute exchange mechanisms are designed to be Shibboleth 1.3 compatible
– And Shibboleth 2 in the future
Metadata Service
• Based on REST interfaces transporting SAML 2.0 metadata
– Usable by non-eduGAIN components
• Metadata are published through POST operations
• Metadata are retrieved through GET operations
• URLs are built as MDSBaseURL/FederationID/entityID?queryString
– Using component names
– The query string transports data intended to locate the appropriate home BE (Home Locators)
• Hints provided by the user
• Contents of certificate extensions (SubjectInformationAccess)
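The following is an added example (not eduGAIN project code) tying together the Component Identifiers, the X.509 Trust Fabric peer-identification step and the Metadata Service slides: a bridging element builds the MDS query URL for a peer, extracts the peer’s endpoint from the SAML 2.0 metadata it gets back, and checks that the identifier carried in the peer’s validated certificate matches the one the metadata describes. The URN layout `urn:geant2:<federation>:<kind>:<name>`, the percent-encoding of the entityID in the path and the sample metadata are constructed assumptions.

```python
"""Added example, not eduGAIN project code: a bridging element resolves a peer
through the MDS and checks the peer's certificate identifier against metadata.
The URN layout and the sample metadata below are constructed assumptions."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Assumed layout: urn:geant2:<federation>:<kind>:<name>; <kind> is the prefix
URN_RE = re.compile(r"^urn:geant2:([a-z0-9.-]+):(be|fpp|mds):([a-z0-9.-]+)$")

def parse_cid(cid):
    """Split a component identifier into (federation, kind, name) or raise."""
    m = URN_RE.match(cid)
    if not m:
        raise ValueError(f"malformed component identifier: {cid}")
    return m.group(1), m.group(2), m.group(3)

def mds_query_url(base, cid, locators=None):
    """Build MDSBaseURL/FederationID/entityID?queryString. The entityID is a
    URN, so it is percent-encoded; home-locator hints go in the query string."""
    federation, _, _ = parse_cid(cid)
    url = f"{base.rstrip('/')}/{federation}/{quote(cid, safe='')}"
    return url + ("?" + urlencode(locators) if locators else "")

def peer_endpoint(metadata_xml, cid):
    """Return the SingleSignOnService Location the MDS metadata gives for cid,
    refusing metadata whose entityID is not the identifier that was asked for."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor" or root.get("entityID") != cid:
        raise ValueError("metadata does not describe the requested component")
    sso = root.find(f".//{{{MD_NS}}}SingleSignOnService")
    if sso is None or not sso.get("Location", "").startswith("https://"):
        raise ValueError("no TLS-protected endpoint in metadata")
    return sso.get("Location")

def peer_matches(cert_cid, expected_cid):
    """Peer identification: after normal X.509 validation, the identifier held
    in the certificate must equal the one resolved through the MDS."""
    return parse_cid(cert_cid) == parse_cid(expected_cid)

# Constructed sample: the responder BE of an imaginary federation "example-fed".
SAMPLE_CID = "urn:geant2:example-fed:be:responder"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{SAMPLE_CID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://responder.dom/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

A malformed URN on either side makes `peer_matches` raise rather than silently return False, so a certificate without a well-formed component identifier never passes the check.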
A Layered Model for Implementation
[Figure: implementation stack, top to bottom]
• Component logic
• eduGAINBase Profile Access
• eduGAINBase + eduGAINVal + eduGAINMeta
• SAML toolkit (OpenSAML)
• SOAP/TLS/XMLSig libraries
eduGAIN Profiles
• Oriented to
– Enable direct federation interaction
– Enable services in a confederated environment
• Four profiles discussed so far
– WebSSO (Shibboleth browser/POST)
– AC (automated client: no human interaction)
– UbC (user behind non-Web client: use of SASL-CA)
– WE (WebSSO enhanced client: delegation)
• Others envisaged
– Extended Web SSO (allowing POST data to be sent)
– eduGAIN usage from roaming clients (DAMe)
• Based on SAML 1.1
– Mapping to SAML 2.0 profiles along the transition period
The AC Profile
The UbC Profile
The WE Profile
The WebSSO Profile
The European Way
• (Too) many governments, languages, national priorities/laws/prides/…
– A little of weakness, a little of strength
• The will for convergence
– Without imposing dramatic inner changes
• Adopt whatever is worth from overseas
– With a scent of style and history
• (Humble) model for the rest of the world
– We are a little world in itself