AAI @ TERENA, TF-EMC2, 15 Feb 2011, Dyonisius Visser (TERENA)
Slide 1
AAI @ TERENA
TF-EMC2 15 feb 2011
Dyonisius Visser
www.terena.org
Slide 2
Where it all started
› REFEDS Wiki
› Dog food
› MediaWiki + SimpleSAMLphpAuth
› One SP
› Accumulated ~ 20 bilateral IdPs
Slide 3
Next SP comes along
› TACAR
› Will need to contact several IdPs again to exchange metadata
› 3rd SP
› 4th SP etc etc
Slide 4
Too many IdP-SP combinations
› Difficult to manage:
Slide 5
New approach: proxy
› Create one SP to connect as many IdPs as …
› “Hide” all our other SPs behind that
› SPs can all have one statically configured IdP
› So no need to have a disco on each SP
› External IdPs only do business with a single TERENA SP
Slide 6
[Architecture diagram. Services: WordPress etc, FileSender, CORE, TACAR, Sympa, Event reg, My.terena.org, REFEDS wiki, Confluence. Proxy layer: SimpleSAMLphp SP Proxy, SimpleSAMLphp Bridge. Identity sources: SimpleSAMLphp Secretariat IdP (LDAP), guest IdPs (Yahoo, OpenID, MySpace †, Windows Live, …), eduGAIN, 3 more federations, 15 more bilaterals…, SURFfed, AAI@EduHR. The ??????? marker between IdP and SP is the globally unique ID explained on the next slide.]
Slide 7
?????? = Globally unique ID
› Generate globally unique identifier for ALL users that could possibly come in
› Pick first available attr name+value from:
  › eduPersonTargetedID
  › eduPersonPrincipalName
  › OpenID / Twitter / FB / MySpace / Windows Live / LinkedIn
› Append !IdP
› Result + demo: https://tnc2011.core.terena.org
› (PG table)
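The identifier rule on this slide, written out as an added example (not code from the deck or from SimpleSAMLphp): walk the attribute priority list, take the first non-empty value, and scope it with "!" plus the asserting IdP's entityID, so that the same ePPN released by two different IdPs never collapses into one account. The social-login attribute keys and the "name:value" separator are assumptions; the slide only names the providers.

```python
from typing import Mapping, Sequence

# Priority order from the slide. The social-provider attribute names below are
# assumptions: the deck names the providers, not the attribute keys they yield.
ATTRIBUTE_PRIORITY: Sequence[str] = (
    "eduPersonTargetedID",
    "eduPersonPrincipalName",
    "openid",          # assumed: OpenID claimed identifier
    "twitter_id",      # assumed
    "facebook_id",     # assumed
    "myspace_id",      # assumed
    "windowslive_id",  # assumed
    "linkedin_id",     # assumed
)


class NoUsableIdentifier(Exception):
    """None of the prioritised attributes was released by the IdP."""


def globally_unique_id(attributes: Mapping[str, Sequence[str]], idp_entity_id: str) -> str:
    """Return "<attr>:<value>!<idp_entity_id>" for the first usable attribute.

    `attributes` is a SAML-style map (attribute name -> list of values), the
    shape SimpleSAMLphp hands to its processing filters.  The IdP entityID is
    mandatory: without it two IdPs asserting the same value (e.g. the same
    eduPersonPrincipalName via eduGAIN and via a bilateral link) would share
    one identity, which is exactly the collision the "!IdP" suffix prevents.
    """
    if not idp_entity_id or not idp_entity_id.strip():
        raise ValueError("IdP entityID is required to scope the identifier")
    for name in ATTRIBUTE_PRIORITY:
        # Only the first non-empty value counts; using all values of a
        # multi-valued attribute would make the ID vary between logins.
        for value in attributes.get(name) or ():
            if value and value.strip():
                return f"{name}:{value.strip()}!{idp_entity_id.strip()}"
    raise NoUsableIdentifier(f"no usable attribute released by {idp_entity_id}")


def has_usable_identifier(attributes: Mapping[str, Sequence[str]]) -> bool:
    """True when at least one prioritised attribute carries a non-empty value."""
    return any(
        any(v and v.strip() for v in (attributes.get(name) or ()))
        for name in ATTRIBUTE_PRIORITY
    )
```

The empty-string and whitespace checks matter in practice: an IdP that releases the attribute element with no value would otherwise produce an ID of the form "eduPersonPrincipalName:!idp" shared by all its users.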
Slide 9
Slide 8
Pre-login user provisioning
› Invitation system (demo)
Slide 9
To do
› Central user repository (LDAP/SQL)
› Central group repository (DIY/Grouper/SURF/?)
› Profile page to manage your data (SWITCH’s javascript side bar/?)
› Account linking (Login4life, David?)
› Consent dialog upon first login
› -> Cherry pickin’ from community
Slide 10
Automated IdP checks?
All configured IdPs
IdPs that have our metadata
IdPs that have our metadata and that send usable attrs
Slide 11
Issues encountered
› Changing your SP metadata at remote parties takes a long time
› So don’t start with 1K keys
› Non-federated users – guest accounts?
› Too many guest options now