From DARIAH AAI 2.0 to 3.0 why and how - Indico · de.dariah.eu DARIAH AAI 2.0 Current DARIAH AAI...


Page 1:

From DARIAH AAI 2.0 to 3.0

why and how

15th FIM4R Workshop, Vienna Feb. 17, 2020

Peter Gietz, Martin Haase, DAASI International

Page 2:

What is DARIAH

● DARIAH: Digital Research Infrastructure for the Arts and Humanities

● DARIAH is a pan-European infrastructure for arts and humanities scholars working with computational methods. It supports digital research as well as the teaching of digital research methods.

● One of the few ESFRI research infrastructures for the humanities (the ERIC has been operating since 2014)

● DARIAH's mission is to develop, maintain and operate an infrastructure in support of ICT-based research practices. Infrastructure means administration, software and storage services, but also curricula and methodology

● Working with communities of practice: humanities scholars, supporting their VREs

Page 3:

Virtual Research Environments in the humanities

Page 4:

DARIAH AAI V 1.0

Page 5:

DARIAH AAI V 2.0

(Diagram: a Proxy SP and a Proxy IdP in front of several Resource SPs)

Page 6:

de.dariah.eu

DARIAH AAI 2.0 and 3.0 have this same architecture

Page 7:


DARIAH AAI 2.0

● Current DARIAH AAI 2.0 technology

– AAI Proxy: based on Shibboleth IdP + SP + a small piece of glue code for handing over attributes

– DARIAH "homeless" IdP: Shibboleth IdP

● The Proxy has been in production since 2018

● The IdP has run much longer (since ~2012, then as DARIAH AAI v1, which used Attribute Queries from every mesh SP)

● All DARIAH-DE and a number of DARIAH-EU services are "behind" the Proxy

Page 8:


DARIAH AAI 3.0 with simpleSAMLphp

● The switch from Shibboleth had the following advantages:

– re-using the SSO infrastructure of GWDG (Max Planck / Göttingen University Computing Centre), which will be in charge of operating the AAI long-term

– sustainable and fault-tolerant deployment using Puppet directly from GitLab

– in AAI 2.0, the proxy's SP part used SAML attribute aggregation with Attribute Queries against the "homeless" IdP; simpleSAMLphp now allows direct LDAP queries (faster) with built-in means

Page 9:

DARIAH AAI 3.0 with simpleSAMLphp

● We still think that simpleSAMLphp has a number of disadvantages compared to Shibboleth:

– PHP versioning unclear; they make API changes that are not well-defined (people seem to push to the central GitHub repo without strict QA)

– ...which can be a time bomb: it took us quite some (different) glue code as well:

● generation of SubjectID / pairwiseID

● sending users off to registration

● re-modeled Shibboleth IdP attribute filtering logic

● ...

– GUI templates: major shift to Twig, which also breaks old GUIs

– seems much more suited to rapid development than to sustainable operation

– badly missing Shibboleth's Attribute Authority Command Line Interface (AACLI) to simulate the issuance of a SAML assertion
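The SubjectID / pairwiseID glue listed above, as an added example (this is not DARIAH's glue code and not simpleSAMLphp's own): Python that derives the two SAML Subject Identifier attributes for one user and one SP and checks them against the value syntax of the SAML V2.0 Subject Identifier Attributes Profile. The HMAC-SHA256 + base32 derivation, the secret salt, the scope `dariah.eu`, the user id and the SP entityIDs are assumptions of this example.

```python
"""Added example (not DARIAH's or simpleSAMLphp's code): deriving the
SAML subject-id and pairwise-id attribute values that an SP/IdP proxy
has to generate when its IdP framework does not do so itself.
The derivation below (HMAC-SHA256 over SP entityID and the user's
internal id, keyed with a secret salt, base32-encoded) is an assumption
of this example, not the scheme used by the DARIAH AAI."""
import base64
import hashlib
import hmac
import re

SUBJECT_ID_ATTR = "urn:oasis:names:tc:SAML:attribute:subject-id"
PAIRWISE_ID_ATTR = "urn:oasis:names:tc:SAML:attribute:pairwise-id"

# Value syntax from the Subject Identifier Attributes Profile:
# uniqueID "@" scope, uniqueID = 1..127 of [A-Za-z0-9=-],
# scope = 1..127 of [A-Za-z0-9.]; comparison is case-insensitive.
_VALUE_RE = re.compile(r"^[A-Za-z0-9=-]{1,127}@[A-Za-z0-9.]{1,127}$")


def validate(value: str) -> str:
    """Reject anything an SP would be entitled to refuse."""
    if not _VALUE_RE.match(value):
        raise ValueError(f"not a valid subject-id/pairwise-id value: {value!r}")
    return value


def subject_id(uid: str, scope: str) -> str:
    """Same value for every SP: the user's unique id plus the home scope."""
    return validate(f"{uid}@{scope}")


def pairwise_id(uid: str, sp_entity_id: str, scope: str, salt: bytes) -> str:
    """Per-SP value: stable for (user, SP), unlinkable across SPs without the salt."""
    if not salt or len(salt) < 16:
        raise ValueError("salt must be a secret of at least 16 bytes")
    msg = f"{sp_entity_id}!{uid}".encode("utf-8")
    digest = hmac.new(salt, msg, hashlib.sha256).digest()
    # base32 stays inside the profile's character set (base64 would not: '+', '/').
    # '=' padding is permitted but dropped for brevity; lowercase is the safe
    # choice since relying parties compare case-insensitively.
    unique = base64.b32encode(digest).decode("ascii").rstrip("=").lower()
    return validate(f"{unique}@{scope}")


def attributes_for(uid: str, sp_entity_id: str, scope: str, salt: bytes) -> dict:
    """What the proxy would add to the outgoing assertion for one SP."""
    return {
        SUBJECT_ID_ATTR: [subject_id(uid, scope)],
        PAIRWISE_ID_ATTR: [pairwise_id(uid, sp_entity_id, scope, salt)],
    }


if __name__ == "__main__":
    # Constructed inputs: a hypothetical salt, user and two SP entityIDs.
    SALT = b"constructed-example-salt-keep-this-secret"
    for sp in ("https://sp-a.example.org/shibboleth",
               "https://sp-b.example.org/shibboleth"):
        print(sp, attributes_for("jdoe", sp, "dariah.eu", SALT))
```

The salt is what makes pairwise-id unlinkable across SPs, so it belongs in a secret store rather than in the Git-deployed configuration, and it can only be rotated together with a migration plan: a new salt changes every user's pairwise-id at every SP.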

Page 10:

DARIAH AAI 3.0

● Other goodies: Jagger!

– The same Puppet installation spawns a dockerized Jagger instance

– actually three: dev, stage, prod

– People love the new web-based tool to manage their metadata

– The maintainers love not having to edit XML files that live only on the Proxy / IdP

● Dev / Stage / Prod is also new for the IdP and Proxy now – which is a good thing, together with strict Git deployment

Page 11:

DARIAH AAI 3.0 Roadmap

● PoC done (without Puppet)

● Development with Puppet done

● Integration tests succeeded (Dev/Stage)

● The actual switch in the coming weeks (planned for 2020-03)

– Needs a hard cut-over for some SPs, since both the IP address and the endpoints in the SAML metadata change

– IdP and Proxy need to be switched at the same time (SAML Attribute Queries vs. LDAP queries)

● If there is ever a DARIAH AAI 4.0, my proposal would be to base it on SATOSA ;-)
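A check for the cut-over step above, added here as an example (not DARIAH's tooling): compare two versions of the proxy's IdP metadata and list every endpoint or certificate that SPs would have to re-import. The metadata below is constructed for this example; the entityID, hostnames, endpoint paths and the placeholder certificate values are assumptions.

```python
"""Added example (not DARIAH's tooling): diff the SP-relevant parts of two
versions of a SAML metadata document: entityID, each role's endpoints and
the certificates in its KeyDescriptors. Sample metadata is constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def summarize(metadata_xml: str) -> dict:
    """Extract what an SP depends on: entityID, every endpoint per role
    (keyed by role, endpoint type, binding) and SHA-256 fingerprints of
    the certificates in that role's KeyDescriptors."""
    root = ET.fromstring(metadata_xml)
    summary = {"entityID": root.get("entityID"), "endpoints": {}, "certs": {}}
    for role in root:
        role_name = _local(role.tag)
        if not role_name.endswith("Descriptor"):
            continue  # Organization, ContactPerson, Extensions, ...
        for child in role:
            location = child.get("Location")
            if location:
                key = (role_name, _local(child.tag), child.get("Binding"))
                summary["endpoints"][key] = location
        fingerprints = set()
        for cert in role.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.add(hashlib.sha256(der).hexdigest())
        summary["certs"][role_name] = fingerprints
    return summary


def diff_metadata(old_xml: str, new_xml: str) -> list:
    """Human-readable differences; an empty list means SPs need not re-import."""
    old, new = summarize(old_xml), summarize(new_xml)
    changes = []
    if old["entityID"] != new["entityID"]:
        changes.append(f"entityID: {old['entityID']} -> {new['entityID']}")
    for key in sorted(set(old["endpoints"]) | set(new["endpoints"]), key=str):
        o, n = old["endpoints"].get(key), new["endpoints"].get(key)
        if o != n:
            changes.append(f"{'/'.join(map(str, key))}: {o} -> {n}")
    for role in sorted(set(old["certs"]) | set(new["certs"])):
        o, n = old["certs"].get(role, set()), new["certs"].get(role, set())
        for fp in sorted(o - n):
            changes.append(f"{role}: certificate removed sha256={fp[:16]}...")
        for fp in sorted(n - o):
            changes.append(f"{role}: certificate added sha256={fp[:16]}...")
    return changes


# Constructed sample: a proxy IdP's metadata before and after a migration in
# which both the SSO endpoint host/path and the signing certificate change.
# The X509Certificate values are base64 placeholders, not real certificates.
OLD_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://proxy.example.org/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>T0xEQ0VSVA==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://old-host.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
NEW_METADATA = (OLD_METADATA
                .replace("old-host.example.org/idp/profile/SAML2/Redirect/SSO",
                         "new-host.example.org/saml2/idp/SSOService.php")
                .replace("T0xEQ0VSVA==", "TkVXQ0VSVA=="))

if __name__ == "__main__":
    for line in diff_metadata(OLD_METADATA, NEW_METADATA):
        print(line)
```

Run against the metadata Jagger publishes for dev, stage and prod, the same comparison tells you whether a stage-tested SP configuration will actually match production before the switch.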

Page 12:


Thanks a lot!

Questions?

Contact and info:

● https://wiki.de.dariah.eu/display/publicde/DARIAH+AAI+Documentation

● https://www.dariah.eu

● https://www.daasi.de

[email protected]