The MetaData Service: Distributing trust in AAI confederations
Connect. Communicate. Collaborate
Manuela Stanica, DFN
Outline
• What is the MetaData Service (MDS)?
• Role of a MetaData Service in AAI confederations
• Use of the MDS in eduGAIN
• The MDS URLs
• Publishing and retrieving metadata
• Trust and security considerations
• Conclusions
What is the MetaData Service (MDS)?
• eduGAIN component developed in GN2-JRA5
• eduGAIN: the GÉANT2 AAI
• Supports dynamic establishment of trust relations between members of an AAI confederation
• Information model conforms to the SAML v2.0 Metadata specification
• SAML: Security Assertion Markup Language (OASIS)
AAI confederation hierarchy
• AAI confederation: interconnects AAI federations
• AAI federation: participant institutions and their users
– access external resources & services
– are unaware of participants in other federations
– require a procedure for establishing trust between them
AAI confederation hierarchy (2)
Role of metadata
• Connecting to entities in other federated AAIs requires information:
– where (in which federation)?
– how to reach them?
– what is supported (protocols and functionalities)?
• Metadata: distributed to all confederation members
– static (pre-configured upon software installation)
– dynamic (on request)
Role of a MetaData Service in AAI confederations
• AAI confederations
– non-static environments!
– frequent updates
→ a means for dynamic collection & distribution of metadata is needed:
the MetaData Service (MDS)
Basic principles
• Centralised storage of metadata for eduGAIN components
• Dynamic retrieval & update
– metadata exchange interface: eduGAINMeta
– based on the REST architectural model
• Distributed publishing & querying
– among local federations, no central administration
– multiple metadata publishers and consumers
eduGAIN components
Bridging Elements
• MDS used by Bridging Elements (BEs):
– gateways between eduGAIN and the local federations
– communicate with peer BEs in other federations
– query the MDS for metadata about the Home BE
– MDS response: a SAML 2.0 Metadata document
– BEs act as both consumers and publishers of metadata
URL structure
• Syntax of the REST URL mapping:
<MDS base URL>[/federation ID][/entity ID][?query string]
• Combinations of:
– MDS base URL: https://mds.geant2.net/
– federation ID: dfn, feide, ...
– entity ID: be1
– query string with Home Locator(s): homeDomain=uio.no
Home Locators
• eduGAIN-specific attribute-value pairs
• For: locating a remote BE (the Home BE)
• From:
– hints provided by the user
– contents of certificate extensions
• Types:
– Home domain (homeDomain=switch.ch)
– URN (urn=urn:geant:edugain:component:be:switch:be1)
Publishing/ updating
• Who: metadata publishers
– Federation Peering Point (FPP)
– authorized Bridging Elements (BEs)
• What: SAML 2.0 Metadata documents
– EntityDescriptor root (one BE)
– EntitiesDescriptor root (several BEs)
• How: HTTP POST/PUT
Publishing/ updating (2)
• For a whole federation:
– only by the FPP
– EntitiesDescriptor
– URL syntax: <MDS base URL>/<federation ID>
http://mds.ladok.umu.se/feide
• For single entities:
– by the FPP or authorized BEs
– EntityDescriptor
– URL syntax: <MDS base URL>/<federation ID>/<entity ID>
http://mds.ladok.umu.se/switch/be1
Retrieving metadata
• BE queries the MDS via HTTP GET
• Metadata lookup
– entity/federation name is known
– <MDS base URL>[/federation ID][/entity ID]
http://mds.ladok.umu.se
http://mds.ladok.umu.se/switch
http://mds.ladok.umu.se/switch/entity1
• Metadata search
– entity name unknown; search by home locators
– <MDS base URL>[/federation ID]?<query string>
http://mds.ladok.umu.se/?homeDomain=switch.ch
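The URL mapping from the slides above, together with the publishing rules (an FPP publishes its whole federation as an EntitiesDescriptor, an FPP or an authorized BE publishes a single EntityDescriptor, every member retrieves via GET), as an added example in Go. This is not eduGAIN code; the slides do not show the MDS implementation. Route takes the HTTP method and the request URI relative to the MDS base URL, enforces the at-most-two-segment path and the two documented home locators, and refuses anything else before the store is touched. Authorize applies the publishing-rights check; the role, federation and entity ID it takes are assumed to have been derived from the publisher's validated X.509 certificate, and how a real deployment encodes them there is not stated on the slides.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

type Operation string

const (
	OpListAll       Operation = "list-all"           // GET <base>
	OpGetFederation Operation = "get-federation"     // GET <base>/<federation ID>
	OpGetEntity     Operation = "get-entity"         // GET <base>/<federation ID>/<entity ID>
	OpSearch        Operation = "search"             // GET <base>[/<federation ID>]?homeDomain=...|urn=...
	OpPublishFed    Operation = "publish-federation" // POST/PUT <base>/<federation ID> (EntitiesDescriptor)
	OpPublishEntity Operation = "publish-entity"     // POST/PUT <base>/<federation ID>/<entity ID> (EntityDescriptor)
)

// Request is the routed form of an MDS call.
type Request struct {
	Op                 Operation
	Federation, Entity string
	Locators           map[string]string // home locators taken from the query string
}

// IDs are short tokens such as "dfn" or "be1"; anything else (".." included) is rejected.
var idPattern = regexp.MustCompile(`^[a-z0-9][a-z0-9._-]*$`)

// Route maps method and request URI (path and query relative to the MDS base URL) onto
// the operations the MDS supports and rejects everything else before the store is touched.
func Route(method, requestURI string) (Request, error) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return Request{}, err
	}
	var segs []string
	if rel := strings.Trim(u.Path, "/"); rel != "" {
		segs = strings.Split(rel, "/")
	}
	if len(segs) > 2 {
		return Request{}, errors.New("only a federation ID and an entity ID may follow the base URL")
	}
	for _, s := range segs {
		if !idPattern.MatchString(s) {
			return Request{}, fmt.Errorf("invalid identifier %q", s)
		}
	}
	segs = append(segs, "", "") // pad so both positions can be read directly
	req := Request{Federation: segs[0], Entity: segs[1], Locators: map[string]string{}}
	for k, v := range u.Query() {
		if (k != "homeDomain" && k != "urn") || len(v) != 1 || v[0] == "" {
			return Request{}, fmt.Errorf("unsupported query parameter %q", k)
		}
		req.Locators[k] = v[0]
	}
	search := len(req.Locators) > 0
	switch {
	case method == "GET" && search && req.Entity != "":
		return Request{}, errors.New("a search may name a federation but not an entity")
	case method == "GET" && search:
		req.Op = OpSearch
	case method == "GET" && req.Entity != "":
		req.Op = OpGetEntity
	case method == "GET" && req.Federation != "":
		req.Op = OpGetFederation
	case method == "GET":
		req.Op = OpListAll
	case method != "POST" && method != "PUT":
		return Request{}, fmt.Errorf("method %s not supported", method)
	case search || req.Federation == "":
		return Request{}, errors.New("publishing needs a federation ID and no query string")
	case req.Entity != "":
		req.Op = OpPublishEntity
	default:
		req.Op = OpPublishFed
	}
	return req, nil
}

// Authorize is the publishing-rights check. role ("FPP" or "BE"), federation and entityID
// are what the MDS derived from the publisher's validated X.509 certificate (how they are
// encoded in the certificate is an assumption of this example): an FPP may publish its own
// federation's EntitiesDescriptor or any entity in it, a BE only its own EntityDescriptor.
func Authorize(role, federation, entityID string, r Request) error {
	switch r.Op {
	case OpPublishFed:
		if role != "FPP" || federation != r.Federation {
			return errors.New("only the federation's own FPP may publish an EntitiesDescriptor")
		}
	case OpPublishEntity:
		if federation != r.Federation || (role != "FPP" && (role != "BE" || entityID != r.Entity)) {
			return errors.New("publisher may not write this EntityDescriptor")
		}
	}
	return nil
}
```

Retrieval operations pass Authorize unchanged because the slides open lookup and search to every confederation member; the strict identifier pattern and segment count are what keep the entity ID from being used to write outside the intended federation's entries.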
Trust establishment
• Elements of trust establishment in eduGAIN:
– MDS
– eduGAIN PKI
– Component identifiers (CIDs)
• Trust in the MDS is tightly bound to the eduGAIN PKI
→ minimal trust in the service itself
• Transitive trust
Security checks
• MDS validations:
– publisher's X.509 certificate
– publishing rights
• Publishers' signatures are forwarded with the metadata
→ validation by the consumers
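The trust flow of the two slides above (the MDS validates the publisher's X.509 certificate and publishing rights, the publisher's signature travels with the metadata, and consumers validate it themselves against the PKI), as an added example in Go; it is not eduGAIN code. Three things are stand-ins chosen for this example: the eduGAIN PKI is a locally generated CA, the component identifier is carried in the certificate's subject CN (the slides name CIDs but not how certificates carry them, and the FPP CID form used here is invented), and the XML-DSig on the SAML document is replaced by an ECDSA signature over the document bytes. What the example does show is the property the slides call minimal trust in the service: the MDS stores what it received, and a consumer that re-verifies the forwarded signature rejects metadata altered inside the MDS or published under a certificate from an unknown CA, so neither the MDS host nor the transport (the slides' examples mix http and https) is the trust anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedMetadata is what a publisher sends and the MDS stores unchanged.
type SignedMetadata struct {
	Doc, Sig []byte           // metadata document and the publisher's signature over it
	Cert     *x509.Certificate // publisher certificate, forwarded to consumers with the document
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue returns an ECDSA key and a certificate with subject cn: a self-signed CA when
// parent is nil (this example's stand-in for the eduGAIN PKI root), otherwise one issued
// by parent. Publishers get their component identifier (CID) URN as cn; that is assumed.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed root that is allowed to sign certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// sign is the publisher's signature, ECDSA over SHA-256 of the document bytes; it stands in
// for the XML-DSig a real SAML metadata publisher produces.
func sign(key *ecdsa.PrivateKey, doc []byte) []byte {
	h := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	must(err)
	return sig
}

// verify checks the publisher certificate against the eduGAIN root and the signature over
// the document. The MDS runs it on publish and every consumer runs it again on retrieval,
// so a compromised MDS cannot inject or alter metadata unnoticed.
func verify(root *x509.Certificate, m SignedMetadata) error {
	if m.Cert == nil {
		return errors.New("no metadata")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := m.Cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("publisher certificate: %w", err)
	}
	if err := m.Cert.CheckSignature(x509.ECDSAWithSHA256, m.Doc, m.Sig); err != nil {
		return fmt.Errorf("metadata signature: %w", err)
	}
	return nil
}

// Publish is the MDS side: certificate and publishing right are checked (only the FPP of that
// federation, identified by its CID, may publish the whole-federation document), then document
// and signature are stored exactly as received; the MDS never re-signs.
func Publish(root *x509.Certificate, store map[string]SignedMetadata, federation string, m SignedMetadata) error {
	if err := verify(root, m); err != nil {
		return err
	}
	if m.Cert.Subject.CommonName != "urn:geant:edugain:component:fpp:"+federation {
		return fmt.Errorf("certificate is not authorized to publish %q", federation)
	}
	store[federation] = m
	return nil
}

// Retrieve is the consumer (BE) side: fetch from the MDS, then validate the forwarded
// signature against the consumer's own copy of the eduGAIN root rather than trusting the MDS.
func Retrieve(root *x509.Certificate, store map[string]SignedMetadata, federation string) ([]byte, error) {
	m := store[federation]
	if err := verify(root, m); err != nil {
		return nil, err
	}
	return m.Doc, nil
}
```

A BE whose certificate chains to the same CA still cannot publish a federation's EntitiesDescriptor, because the rights check is on the CID, not on chain validity alone; and a consumer that skipped verify and trusted the store would be the only party a compromised MDS could deceive.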
Conclusions
• MDS: dynamic metadata distribution in AAI confederations
• Centralised storage, distributed trust
• Employs standard SAML 2.0 Metadata
• Possible use in any SAML-based infrastructure
• Deployment together with an eduGAIN-like PKI
Thank you for your attention!
Questions?