Post on 13-Dec-2015
Federation as a Service
Marina Vermezović, AMRES
Federated Identity Technology Workshop
Sofia, Bulgaria, 20. Jun 2014.
Connect | Communicate | Collaborate
Federation as a Service
Lower the technology barrier for NRENs and other interested groups in order to build their Identity federation and use eduGAIN.
Some numbers from when we started:
43 partners in GN3plus
almost all GN3plus partners in eduroam, 18 federations in eduGAIN
21 GN3plus partners don’t have WebSSO Identity federation
sources: www.edugain.org, www.eduroam.org
Federation as a service
Half of the GN3plus partners do not operate a WebSSO federation.
As a consequence, they are not able to use other GN3plus services such as:
eduGAIN
Cloud services supported by the SA7 activity:
– Collaboration suites
– File storage and synchronization services
– Real-time communication and web conferencing services
– Infrastructure as a Service
FaaS Market Analysis
First, we needed to understand which issues were hindering the development of identity federations in NRENs.
From April to September 2013 FaaS conducted a market analysis by talking to NRENs.
6 NRENs responded and were interviewed.
Based on the results, we wrote the Market Analysis and Pilot Service Definition document.
FaaS Survey – Identifying Issues
[Chart: the survey results were shown as a diagram in three layers (NREN; Institution Authentication Infrastructure; Institution Identity Management). The issue labels that survive from the chart are: interest, manpower, knowledge, server infrastructure, priority, funding, policy, no SPs, management of user identities.]
Federation and Interfederation trust model
[Diagram: SP metadata and IdP metadata are registered into the federation metadata of the local identity federation; the interfederation metadata consists of the local federation entities that opted in, plus eduGAIN.]
Options for exposing the entities to eduGAIN: opt-IN or opt-OUT
Federation metadata management
Task list:
Registration of IdP and SP entity metadata
Validate metadata
Enrich entity metadata – e.g. geolocation, logo
Aggregate metadata
Sign metadata
Republish interfederation metadata in the local federation
Publish local federation entities that want to interfederate
Important
It gets too cumbersome to do this manually; use tools for automation!
Important to perform this securely and in a trustworthy way
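The task list above (register, validate, enrich, aggregate, select entities for interfederation) is the kind of work the slide says should be automated. The script below is an added example written for this page, not FaaS or any federation's own tooling: it runs that pipeline over a few constructed EntityDescriptors using only the Python standard library. The entityIDs, endpoints, feed names and validation rules (https-only entityID and endpoints, at least one role descriptor, unexpired validUntil) are assumptions; signing the aggregate (XML-DSig with an HSM-held key) is left to a separate tool and is not implemented here.

```python
"""Toy federation metadata pipeline: validate, enrich, aggregate and select
entity metadata for an interfederation (eduGAIN) export. Added example, not FaaS
code. All entityIDs, URLs, feed names and validation rules are constructed/assumed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"
ET.register_namespace("md", MD)
ET.register_namespace("mdui", MDUI)
ROLE_TAGS = {f"{{{MD}}}IDPSSODescriptor", f"{{{MD}}}SPSSODescriptor"}


def validate(entity):
    """Return the list of problems in one EntityDescriptor (empty list = accept)."""
    problems = []
    entity_id = entity.get("entityID", "")
    if not entity_id.startswith("https://"):
        problems.append(f"entityID must be an https URL: {entity_id!r}")
    if not any(child.tag in ROLE_TAGS for child in entity):
        problems.append("no IDPSSODescriptor or SPSSODescriptor")
    valid_until = entity.get("validUntil")  # only the UTC 'Z' form is accepted here
    if valid_until:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= datetime.now(timezone.utc):
            problems.append(f"metadata expired at {valid_until}")
    for element in entity.iter():  # every endpoint must be served over https
        location = element.get("Location")
        if location is not None and not location.startswith("https://"):
            problems.append(f"non-https endpoint: {location}")
    return problems


def enrich(entity, display_name):
    """Add an mdui:DisplayName to each role descriptor (md:Extensions must come first)."""
    for role in (child for child in entity if child.tag in ROLE_TAGS):
        ext = role.find(f"{{{MD}}}Extensions")
        if ext is None:
            ext = ET.Element(f"{{{MD}}}Extensions")
            role.insert(0, ext)
        uiinfo = ext.find(f"{{{MDUI}}}UIInfo")
        if uiinfo is None:
            uiinfo = ET.SubElement(ext, f"{{{MDUI}}}UIInfo")
        name = ET.SubElement(uiinfo, f"{{{MDUI}}}DisplayName")
        name.set("{http://www.w3.org/XML/1998/namespace}lang", "en")
        name.text = display_name
    return entity


def aggregate(entities, name, valid_days=7):
    """Wrap entities in one EntitiesDescriptor with a short validUntil so that a
    stale copy of the feed expires. Signing the result is a separate step (not shown)."""
    feed = ET.Element(f"{{{MD}}}EntitiesDescriptor", Name=name)
    expiry = datetime.now(timezone.utc) + timedelta(days=valid_days)
    feed.set("validUntil", expiry.strftime("%Y-%m-%dT%H:%M:%SZ"))
    feed.extend(entities)
    return feed


def select_for_interfederation(entities, flagged, policy="opt-in"):
    """Apply the eduGAIN exposure policy. `flagged` holds entityIDs whose admins set
    the interfederation flag: opt-in exports only flagged entities, opt-out exports
    everything except flagged ones."""
    if policy not in ("opt-in", "opt-out"):
        raise ValueError(f"unknown policy {policy!r}")
    return [e for e in entities if (e.get("entityID") in flagged) == (policy == "opt-in")]


def build_feeds(raw_entities, flagged, policy="opt-in", display_names=None):
    """Parse, validate, enrich, aggregate; return (local feed, export feed, rejected)."""
    accepted, rejected = [], {}
    for xml in raw_entities:
        entity = ET.fromstring(xml)
        problems = validate(entity)
        if problems:
            rejected[entity.get("entityID")] = problems
            continue
        name = (display_names or {}).get(entity.get("entityID"))
        if name:
            enrich(entity, name)
        accepted.append(entity)
    local = aggregate(accepted, "https://federation.example.org/metadata")  # constructed name
    export = aggregate(select_for_interfederation(accepted, flagged, policy),
                       "https://federation.example.org/edugain-export")  # constructed name
    return local, export, rejected


def entity_ids(feed):
    return [e.get("entityID") for e in feed]


def display_names(feed):
    """entityID -> list of mdui:DisplayName texts, to check enrichment."""
    return {e.get("entityID"): [d.text for d in e.iter(f"{{{MDUI}}}DisplayName")] for e in feed}


def _sample(entity_id, role, endpoint, location, valid_until=""):
    """Build a minimal constructed EntityDescriptor string for the demo."""
    attr = f' validUntil="{valid_until}"' if valid_until else ""
    return (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="{entity_id}"{attr}>'
            f'<md:{role} protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:{endpoint} Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{location}"/>'
            f'</md:{role}></md:EntityDescriptor>')


IDP, SP, OLD_SP = "https://idp.example.org/idp", "https://sp.example.org/sp", "https://old-sp.example.org/sp"
SAMPLES = [  # constructed: a valid IdP, a valid SP, and an expired SP with an http endpoint
    _sample(IDP, "IDPSSODescriptor", "SingleSignOnService", "https://idp.example.org/sso", "2099-01-01T00:00:00Z"),
    _sample(SP, "SPSSODescriptor", "AssertionConsumerService", "https://sp.example.org/acs"),
    _sample(OLD_SP, "SPSSODescriptor", "AssertionConsumerService", "http://old-sp.example.org/acs", "2014-06-20T00:00:00Z"),
]

if __name__ == "__main__":
    local, export, rejected = build_feeds(SAMPLES, {IDP}, "opt-in", {IDP: "Example IdP"})
    print("local:", entity_ids(local), "export:", entity_ids(export), "rejected:", rejected)
```

Running it shows the expired SP being held back with two findings, the IdP and SP landing in the local feed, and only the opted-in IdP reaching the eduGAIN export; switching the policy to "opt-out" with the same flag inverts the selection.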
FaaS in GN3plus
Goal: lower the technology barrier for the deployment of identity federations by NRENs and other groups
Provide the tools to efficiently manage an identity federation and connect to eduGAIN
Each FaaS customer gets its own FaaS instance with hosted tools:
Resource Registry – register IdPs and SPs and their metadata
Metadata Aggregation
Metadata signing using HSM
Central Backup Discovery service
FaaS workflow
IdP/SP operators register administratively in the federation, out of band from the RR
In this procedure the IdP/SP administrators are appointed
The IdP/SP admin can register the entity in the RR via a simple registration form
The federation operator needs to approve the registration
The IdP/SP admin can enrich the entity metadata through a rich and user-friendly form
The IdP/SP admin can request that the entity be published in the local federation and in the interfederation
The federation operator needs to approve such a request
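The workflow above is a sequence of role-gated steps: an appointed admin may act only on their own entity, and nothing becomes visible in the federation or in eduGAIN without a federation operator's approval. The class below is an added example, not the FaaS Resource Registry code, that models those steps as a small state machine with an audit trail. Account names, state names and the rule that an entity must be published locally before an interfederation request is accepted are assumptions made for the example.

```python
"""Toy Resource Registry workflow with role-gated transitions. Added example, not
the FaaS RR. Names, states and the 'local before interfederation' rule are assumed."""
from dataclasses import dataclass, field

SCOPES = ("local", "interfederation")


class WorkflowError(Exception):
    """A transition that is not allowed from the entity's current state."""


@dataclass
class Entity:
    entity_id: str
    admin: str                                   # appointed out of band, before RR registration
    state: str = "pending_registration"          # becomes "registered" after operator approval
    metadata: dict = field(default_factory=dict)
    publish_requested: set = field(default_factory=set)  # scopes awaiting operator approval
    published: set = field(default_factory=set)          # subset of SCOPES
    audit: list = field(default_factory=list)            # (actor, action) pairs


class ResourceRegistry:
    def __init__(self, operators, appointed_admins):
        self.operators = set(operators)          # federation operator accounts
        self.appointed = dict(appointed_admins)  # entityID -> admin, from the out-of-band step
        self.entities = {}

    def _operator(self, actor):
        if actor not in self.operators:
            raise PermissionError(f"{actor} is not a federation operator")

    def _owner(self, actor, entity_id):
        entity = self.entities[entity_id]
        if entity.admin != actor:
            raise PermissionError(f"{actor} is not the appointed admin of {entity_id}")
        return entity

    def register(self, actor, entity_id):
        """The appointed admin submits the registration form."""
        if self.appointed.get(entity_id) != actor:
            raise PermissionError(f"{actor} was not appointed for {entity_id}")
        if entity_id in self.entities:
            raise WorkflowError(f"{entity_id} is already registered")
        entity = self.entities[entity_id] = Entity(entity_id, actor)
        entity.audit.append((actor, "register"))
        return entity

    def approve_registration(self, actor, entity_id):
        """Only a federation operator can accept a registration."""
        self._operator(actor)
        entity = self.entities[entity_id]
        if entity.state != "pending_registration":
            raise WorkflowError(f"{entity_id} is in state {entity.state}")
        entity.state = "registered"
        entity.audit.append((actor, "approve_registration"))
        return entity

    def update_metadata(self, actor, entity_id, **fields):
        """The admin enriches the metadata of an approved entity."""
        entity = self._owner(actor, entity_id)
        if entity.state != "registered":
            raise WorkflowError(f"{entity_id} is not yet approved")
        entity.metadata.update(fields)
        entity.audit.append((actor, "update_metadata"))
        return entity

    def request_publish(self, actor, entity_id, scope):
        """The admin asks for publication; interfederation requires local first (assumed)."""
        entity = self._owner(actor, entity_id)
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r}")
        if entity.state != "registered":
            raise WorkflowError(f"{entity_id} is not yet approved")
        if scope == "interfederation" and "local" not in entity.published:
            raise WorkflowError("publish locally before requesting interfederation")
        entity.publish_requested.add(scope)
        entity.audit.append((actor, f"request_publish:{scope}"))
        return entity

    def approve_publish(self, actor, entity_id, scope):
        """Only a federation operator can approve a publication request."""
        self._operator(actor)
        entity = self.entities[entity_id]
        if scope not in entity.publish_requested:
            raise WorkflowError(f"no pending {scope} request for {entity_id}")
        entity.publish_requested.discard(scope)
        entity.published.add(scope)
        entity.audit.append((actor, f"approve_publish:{scope}"))
        return entity


def denied(exc_type, fn, *args, **kwargs):
    """True if fn(*args, **kwargs) raises exc_type; used to exercise the guards."""
    try:
        fn(*args, **kwargs)
    except exc_type:
        return True
    return False


if __name__ == "__main__":  # constructed accounts and entityID
    rr = ResourceRegistry(operators={"fedop"}, appointed_admins={"https://idp.example.org/idp": "alice"})
    rr.register("alice", "https://idp.example.org/idp")
    rr.approve_registration("fedop", "https://idp.example.org/idp")
    rr.request_publish("alice", "https://idp.example.org/idp", "local")
    print(rr.approve_publish("fedop", "https://idp.example.org/idp", "local").audit)
```

Every guard is enforced in the registry rather than in the form: a non-appointed account cannot register, an admin cannot approve their own registration or publication, and the audit list records who took each step, which is what a federation operator needs when reviewing how an entity ended up in the eduGAIN export.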
FaaS timeline
Entered the pilot in May 2014
Currently piloting with 2 NRENs - ACOnet and AMRES
Preparing a FaaS workshop in October 2014 for all interested NRENs
The workshop will focus on federation operator practices and hands-on work with the FaaS tools!
If you are interested to participate in the workshop please contact us!
marina@amres.ac.rs, valter@sunet.se
www.geant.net
www.twitter.com/GEANTnews | www.facebook.com/GEANTnetwork | www.youtube.com/GEANTtv
Thank you!