GEANT Strategy on Campus Identity Provider · - Docker deployment of Shibboleth Identity Provider...
Slide 1
Networks · Services · People www.geant.org
GEANT Strategy on Campus Identity Provider
Campus IdP session with Internet2 at TechEx 2018
Mario Reale (GARR) - Michael Schmidt (DFN/LRZ)
On behalf of the GEANT Campus IdP task team
TechEx 2018 - Orlando - October 17, 2018
Slide 2: Agenda
• Goals
• Adopted Strategy
• Current offer to Home Organizations and ID Federations
• Campus IdP Platform architecture
• Demo video
Slide 3: The GEANT team of Campus IdP
GEANT GN4-2 JRA3 Task 1
Valentin Pocotilenco, Marco Malavolti, Jan Oppolzer, Janusz Ulanowski, Dick Visser, Anass Chabli, Michael Schmidt, Jule Ziegler, Miroslav Milinovic, Dubravko Penezic, Brook Schofield, Marko Eremija, Boro Jakimovski, Valeria Ardizzone, Davide Vaghetti, Mario Reale, Pal Axelsson
Slide 4: Goals for Campus IdP task
Home Organizations:
- Support local administrators in spawning their HO Identity Provider
Federations:
- Support Federation Operators in their role of Cloud IdP providers
=> Community survey: there is high desire but little or no internal ability for institutions to deliver identity provider services to their users (~40% of answers)
Slide 5: Requirements Analysis - Community Survey I [skipped (hidden) slide]
October 2016 survey
- 17 answers from various European Identity Federations + Internet2 and GEANT
Q2: What is the desire and ability of institutions to deliver IdP services?
- High desire but little or no in-house ability or resources
Q3: What are the main barriers to adoption of federated Identity services?
- No skills or resources in-house
• Survey still online on http://tinyurl.com/z33jond
• Detailed answers report available at https://goo.gl/XA4eqy
Relevant outcome: there is high desire but little or no internal ability for institutions to deliver identity provider services to their users (~40% of answers)
Slide 6: Requirements Analysis - Community Survey II [skipped (hidden) slide]
Q8: How interested would your individual institutions be in outsourcing the provisioning of a local IdP to a managed service provider?
- Interested, provided the National ID Federation provides a solution within a compatible data protection environment
Q11: Principal advantages of a GEANT provided and managed Cloud based solution for the IdP?
- Long term sustainability of the provided solution
• Survey still online on http://tinyurl.com/z33jond
• Detailed answers report available at https://goo.gl/XA4eqy
Relevant outcome: there is high desire but little or no internal ability for institutions to deliver identity provider services to their users (~40% of answers)
Slide 7: Approach adopted [skipped (hidden) slide]
Roadmap shown on the slide:
- TODAY: Toolkit deploying Cloud IdP for Campus
- Cloud Campus IdP service catalogue
- Cloud Service: hosted Cloud Campus IdP platform integrated with FaaS components (GEANT hosted Campus IdP Cloud Service integrated with GÉANT FaaS)
Slide 8: Adopted strategy: what do we offer to...
...Home Organizations, to support local administrators in spawning their HO Identity Provider:
- Campus IdP Ansible toolkit: localhost deploy + config support scripts, including basic local IdP statistics
- Docker deployment of Shibboleth Identity Provider
...Federations, to support Federation Operators in their role of Cloud IdP providers:
- Campus IdP Ansible Toolkit
- Campus IdP Platform (in development - see demo)
- F-ticks: measurement and statistics gathering
- SIRTFI email contacts verification tool
Slide 9: Gathering authentication statistics: F-ticks pilot architecture
F-TICKS format (one record per authentication event, '#'-separated key=value fields):
F-TICKS/<federation-id>/1.0#VISCOUNTRY=<tld-country-of-F-tick-origin>#AP=<SAML-IdP-entityID>#RP=<SAML-SP-entityID>#RESULT=<authentication-result-code>#CSI=<SAML-session-id-hash>#PN=<depersonalised-ePTID>#TS=<timestamp>#
Slide 10: Gathering authentication statistics: F-ticks pilot results
http://f-ticks.edugain.org/
Currently piloting with 7 federations
Gathered so far: 18 million records in 6 months
Slide 11: ELK stack to gather F-ticks (prototype): national identity aggregation layer + GEANT collector
- Prototype for an ELK-based infrastructure to gather F-ticks from national federations, provide a national aggregation layer and a global GEANT collector
- Complete deployment suite based on Docker Swarm
- https://github.com/GEANT/FTicks-ELK
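As an added example that is not code from the GEANT FTicks-ELK repository, the following Python parses records in the F-TICKS layout given on slide 9 and performs the kind of aggregation a national layer (slide 11) would forward to the global collector: it counts authentications per IdP, SP and result and the number of distinct depersonalised users per IdP, while the CSI and PN values themselves never appear in the output. The sample lines, federation names, entity IDs, hashes and timestamps are constructed for the example.

```python
"""Parse F-TICKS records and aggregate them per IdP / SP (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample records in the F-TICKS layout from slide 9.
# Federation names, entity IDs, CSI/PN hashes and TS values are made up.
SAMPLE_LINES = [
    "F-TICKS/IDEM/1.0#VISCOUNTRY=IT#AP=https://idp.example.it/idp/shibboleth"
    "#RP=https://sp.example.org/shibboleth#RESULT=OK#CSI=2b7e151628aed2a6"
    "#PN=8f14e45fceea167a#TS=1539763200#",
    "F-TICKS/IDEM/1.0#VISCOUNTRY=IT#AP=https://idp.example.it/idp/shibboleth"
    "#RP=https://sp.example.org/shibboleth#RESULT=OK#CSI=9ab1c4d5e6f70123"
    "#PN=8f14e45fceea167a#TS=1539763260#",
    "F-TICKS/IDEM/1.0#VISCOUNTRY=IT#AP=https://idp.example.it/idp/shibboleth"
    "#RP=https://wiki.example.net/sp#RESULT=FAIL#CSI=0123456789abcdef"
    "#PN=c9f0f895fb98ab91#TS=1539763320#",
    "F-TICKS/DFN-AAI/1.0#VISCOUNTRY=DE#AP=https://idp.example.de/idp/shibboleth"
    "#RP=https://sp.example.org/shibboleth#RESULT=OK#CSI=fedcba9876543210"
    "#PN=45c48cce2e2d7fbd#TS=1539763380#",
    "this is not an f-ticks line",
]

# F-TICKS/<federation-id>/<version># ... #   (body is the key=value part)
HEADER_RE = re.compile(r"^F-TICKS/(?P<fed>[^/#]+)/(?P<ver>\d+\.\d+)#(?P<body>.+)#$")
REQUIRED = ("VISCOUNTRY", "AP", "RP", "RESULT", "CSI", "PN", "TS")


def parse_ftick(line):
    """Return a dict of fields for a well-formed record, or None.

    A record is rejected if the F-TICKS/<federation>/<version> header is
    missing, a field has no '=', or any of the seven required keys is absent.
    The timestamp encoding is not specified on the slide, so TS is kept as-is.
    """
    match = HEADER_RE.match(line.strip())
    if match is None:
        return None
    record = {"FEDERATION": match.group("fed"), "VERSION": match.group("ver")}
    for field in match.group("body").split("#"):
        key, sep, value = field.partition("=")
        if not sep or not key:
            return None
        record[key] = value
    if any(key not in record for key in REQUIRED):
        return None
    return record


def aggregate(lines):
    """National aggregation layer: counts only, no per-user identifiers.

    Returns (stats, rejected). stats holds the number of authentications per
    (AP, RP, RESULT) and the number of distinct PN values per AP; the CSI and
    PN strings themselves are not part of the output, so the summary can be
    forwarded to the central collector without the pseudonymous identifiers.
    """
    logins = Counter()
    users_per_ap = defaultdict(set)
    rejected = 0
    for line in lines:
        record = parse_ftick(line)
        if record is None:
            rejected += 1
            continue
        logins[(record["AP"], record["RP"], record["RESULT"])] += 1
        users_per_ap[record["AP"]].add(record["PN"])
    stats = {
        "logins": dict(logins),
        "unique_users_per_ap": {ap: len(pns) for ap, pns in users_per_ap.items()},
    }
    return stats, rejected


if __name__ == "__main__":
    summary, bad = aggregate(SAMPLE_LINES)
    for (ap, rp, result), n in sorted(summary["logins"].items()):
        print(f"{ap} -> {rp} [{result}]: {n}")
    print("unique users per IdP:", summary["unique_users_per_ap"])
    print("rejected lines:", bad)
```

Malformed lines are counted rather than silently dropped, so a collector can alert when an IdP starts emitting records it cannot parse; the distinct-user count is computed from PN locally and only the count leaves the aggregation layer.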
Slide 12: Docker deployment of Shibboleth IdP
- Docker based deployment of Shibboleth IdP
- docker-compose based install and config of the IdP
- Shared volumes to keep persistent information: IdP configuration files, certificates, log files
- Provides the targeted user identifier ePTID
- https://github.com/GEANT/CampusIdP/tree/master/DOCKER
Containers shown on the slide (on top of Docker Engine):
- Shibboleth IdP + Jetty
- LDAP + phpLDAPadmin
- MySQL
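The ePTID the slide mentions is a targeted identifier: the same user receives a different but stable value at each SP, so SPs cannot correlate accounts through it. The following Python is an added example, not the project's code; it reimplements the algorithm Shibboleth documents for its computed-ID data connector with default settings (SHA-1 over the relying party entityID, '!', the source identifier, '!' and a secret salt, Base64-encoded) using an assumed test salt and made-up entityIDs. It also shows why the configuration holding the salt belongs on a persistent volume: a rebuilt container with a different salt yields a different identifier for every user at every SP.

```python
"""Targeted (pairwise) identifier computation, following the algorithm
documented for Shibboleth's computed-ID connector (added example; not
GEANT's code)."""
import base64
import hashlib


def computed_pairwise_id(relying_party_id: str, source_id: str, salt: bytes) -> str:
    """Base64(SHA-1(rp + '!' + source + '!' + salt)).

    relying_party_id: entityID of the SP that will receive the assertion
    source_id:        stable per-user attribute, e.g. the uid read from LDAP
    salt:             secret generated once per IdP; Shibboleth requires at
                      least 16 bytes, and so does this function
    """
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    digest = hashlib.sha1()
    digest.update(relying_party_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


# Assumed test salt. A real deployment generates a random secret and keeps it
# with the IdP configuration on the persistent volume, never in the image.
TEST_SALT = b"assumed-test-salt-do-not-reuse-0123456789"


def pairwise_ids_for(user: str, relying_parties, salt: bytes = TEST_SALT) -> dict:
    """Map each SP entityID to the identifier the given user gets there."""
    return {rp: computed_pairwise_id(rp, user, salt) for rp in relying_parties}


if __name__ == "__main__":
    # Made-up SP entityIDs for the demonstration.
    sps = ["https://sp.example.org/shibboleth", "https://wiki.example.net/sp"]
    for rp, eptid in pairwise_ids_for("alice", sps).items():
        print(f"{rp}: {eptid}")
    # Same user and SP, but a salt that was not preserved across a rebuild:
    rebuilt = pairwise_ids_for("alice", sps, salt=b"a-different-salt-after-rebuild")
    print("after losing the salt, alice at the first SP becomes:", rebuilt[sps[0]])
```

The consequence for the Docker layout on the slide is that the conf volume (where the salt lives) and the MySQL volume (if persistent IDs are stored rather than recomputed) must survive container replacement, or every SP sees every user as a new account.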
Slide 13: GEANT Ansible toolkit
The GEANT Ansible Toolkit allows you to:
1. Create/delete virtual machines on an OpenStack cloud (ansible-openstack)
2. Deploy the monitoring system to check the IdPs (ansible-monitoring)
3. Deploy an entire Shibboleth Identity Provider (IdP) (ansible-shibboleth)
Slide 14: GARR IdP-in-the-Cloud Example [skipped (hidden) slide]
Slide 15: Campus IdP Platform Architecture Overview (diagram only)
Slide 16: Demo Introduction
Components in the diagram: User, Web App (React), API (Node.js), IdP Factory (Ansible), Target VM
Flows as labelled in the diagram:
- User -> Web App: Request IdP
- Web App -> API: Create IdP
- API -> IdP Factory: Trigger IdP creation
- IdP Factory -> Target VM: Deploy IdP
- Present results (back to the user)
- User -> Target VM: Access IdP
Demo workflow:
1. Log in on the Campus IdP platform
2. Fill in the configuration form
3. Request and approve creation of the new IdP
4. Spawn (install & configure) the Shib IdP
5. Check the newly deployed IdP
Slide 17: Demo video
Demo video on the GEANT Campus IdP Platform is available at https://gbox.garr.it/garrbox/index.php/s/dDZPPsbyN5SZG2h
Slide 18: Thank you
References:
1. Task wiki: https://wiki.geant.org/display/gn42jra3/Task+1%3A+Campus+and+Federation
2. GEANT Campus IdP Ansible toolkit: https://goo.gl/rjuN2u
3. F-ticks ELK pilot - implementation: https://github.com/GEANT/FTicks-ELK
4. Campus IdP Platform reference architecture: https://goo.gl/yunnAh
5. SIRTFI email contacts verification tool: https://campus-idp-test.geant.org/
6. Docker deployment of IdP: https://github.com/GEANT/CampusIdP/tree/master/DOCKER
Contact: [email protected]
Slide 19: Input 1 for discussion: GEANT plans ahead
1. Docker based deployment of IdP:
   a. Add functionality and complete the Docker-based deployment module
2. Campus IdP platform:
   a. Complete the development and consolidate the Campus IdP Platform architecture
3. SIRTFI email contacts verification tool:
   a. Define 2 time zones (EU, US) so that the check email is sent at 10 AM local time in Europe and in America
4. Measurement and statistics:
   a. Implement the landing page at https://f-ticks.edugain.org
   b. Provide scripts for upgrading individual components
   c. Pilot with some GEANT federations
   d. HA Swarm-based infrastructure
Slide 20: Input 2 for discussion: possible items for collaboration
1. Testing new Shibboleth versions (IdP 3.4): share results and feedback
2. Docker developments for deployment of IdP:
   a. Share code
   b. Beta testing of provided solutions
   c. Envisage a common Docker deployment module / packaging?
   d. Moving towards Kubernetes
3. Gathering of F-ticks / statistics:
   a. Share code and experience / feedback on current implementations
   b. User profiling / access to data / authorization model
4. Functional monitoring of IdP instances:
   a. Check_MK / Nagios / Zabbix ...
5. IdP configuration management APIs - implementation and results:
   a. Campus IdP platform results
   b. GUI
   c. Architecture
   d. Scalability of solutions / user feedback