AAF Middleware update
February 16, 2012. Presented by Terry Smith, Technical Manager, and Heath Marks, Manager
Overview
The AAF Federation Registry
National Entitlements Service
Other initiatives
Federation Registry
Requirements
• Manages the federation's metadata
• Supports the AAF business model
Introduces the Organisation
• 0..n IdPs and 0..n SPs
• Admins and contacts
• Involved in workflow
Builds on concepts from the SWITCHaai Resource Registry
An extensible, open source web application that provides a central point of registration, management and reporting for identity and service providers participating in a standards-compliant SAML 2 identity federation.
Federation Registry: Features
• Dashboard
• Access control
• Reporting / compliance
• Workflow
• Integration
• Federated application
• Registration wizards
• Data validation
• Help bubbles
• Integrated with the AAF Support tool
• SAML 2
Federation Registry: Behind the scenes
• 1 man-year development effort
• 2 major code releases to date
• Groovy / Grails (Java) platform
• Extensible design
• Agile development
• Continuous integration testing and quality control
• Next release in Q2 2012
Federation Registry: Utilisation Reporting
[Chart: ARCS Data Fabric utilisation, January 2012]
• Utilisation data recorded by the AAF WAYFs and reported by the Federation Registry
Federation Registry: Federation Integration engine
The Federation Registry is the integration engine for AAF components, identity providers and service providers.
It is central to the successful on-going operation of the Australian Access Federation.
Federation Registry: More information
• AAF Wiki: http://wiki.aaf.edu.au/federationregistry/
• Try it: AAF Test Federation Registry, https://manager.test.aaf.edu.au/federationregistry
• Source code and issue tracking: https://github.com/ausaccessfed/federationregistrymaster
National Entitlements Service
Provides attributes that are beyond the scope of individual organisations to manage and maintain as part of authentication:
– A central source for entitlements
– Delegation and assignment of entitlements
– Self-assignment of entitlements
– A web portal
– A technical interface
The solution must
• be cost effective
• have delivery aligned to Super Science initiatives
National Entitlements Service
Why NES
• In support of Australian Super Science initiatives such as
  – Research Data Storage Infrastructure (RDSI)
  – National eResearch Collaboration Tools and Resources (NeCTAR)
• Improved authorisation (authz)
• The user's home institution cannot easily provide the information
  – It is not authoritative for it
  – It does not want the additional overhead
National Entitlements Service
The feasibility study (in peer review)
• Define the problem
• Analyse existing open source and commercial offerings
• Review international federation (SAML) practices
• Identify options to move forward
What interest is there in making the study public?
National Entitlements Service
The options
• Do nothing
• Purchase and integration of a vendor or open source solution
• Development of a custom solution by a software development partner
• Development of a custom solution by the AAF
National Entitlements Service
What it will look like...
A nationally operated attribute authority with a group management component and user interface providing
• delegated access
• approval workflows
• user registration
An extension to the Federation Registry
National Entitlements Service
Timeframes
• Deliver in 2012, aligning with Super Science initiatives
• Rolled out progressively, in 3 or 4 releases
• Agile development, collaborating with users
Other initiatives
A number of other initiatives are on the AAF drawing board
• Cloud IdP, a fully managed service for our subscribers
• Automated monitoring service
• Improved data collection and reporting of utilisation
• New discovery service
Other initiatives: Cloud IdP
A fully managed Identity Provider service for our subscribers
1. New AAF VHO
2. Partially hosted, for organisations with an identity store
3. Fully hosted
Not currently resourced
Other initiatives: Automated monitoring service
Icinga open source monitoring (a Nagios fork)
• Federated authentication
• Simple dashboard showing the overall health of the federation
• Reporting and alerting to subscribers
Basic monitors (March 2012)
• Ping
• Time synchronisation
• SSL certificate expiry
• Shibboleth status, basic and advanced
• Basic port security check
Advanced monitor (June 2012)
• End-to-end (RedIRIS monitoring tool)
Integrated with the Federation Registry
• Hosts and services to monitor
• Host and service groups
• Contacts: the people involved in the notification process
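As an added example (not the AAF monitoring service's own Icinga configuration or plugin), the Python below is a Nagios/Icinga-compatible check for the "SSL certificate expiry" monitor listed above: it opens a TLS connection, verifies the chain and hostname, reads the leaf certificate's notAfter and maps the days remaining to the OK/WARNING/CRITICAL/UNKNOWN exit codes Icinga expects. The thresholds, the default host name and the choice to report an unreachable or unverifiable host as CRITICAL rather than UNKNOWN are assumptions for illustration.

```python
import socket
import ssl
import sys
import time

# Nagios/Icinga plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def classify_expiry(not_after, now, warn_days=30, crit_days=7):
    """Map a certificate's notAfter, in the string form getpeercert() returns (for example
    'Feb 16 00:00:00 2012 GMT'), to a plugin state. `now` is seconds since the epoch (UTC),
    passed in rather than read from the clock so the thresholds can be tested. The 30/7 day
    thresholds are assumed values, not AAF policy."""
    expires = ssl.cert_time_to_seconds(not_after)   # raises ValueError on a malformed string
    days_left = (expires - now) / 86400.0
    if days_left < 0:
        return CRITICAL, "certificate expired %.1f days ago (%s)" % (-days_left, not_after)
    if days_left < crit_days:
        return CRITICAL, "certificate expires in %.1f days (%s)" % (days_left, not_after)
    if days_left < warn_days:
        return WARNING, "certificate expires in %.1f days (%s)" % (days_left, not_after)
    return OK, "certificate valid for %.1f more days (%s)" % (days_left, not_after)


def fetch_not_after(host, port=443, timeout=5.0):
    """Open a TLS connection, verifying the chain and hostname against the system trust
    store, and return the leaf certificate's notAfter. Raises on connect or verify failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host, port=443, warn_days=30, crit_days=7, timeout=5.0):
    """Full check. A host that cannot be reached, or whose chain fails verification, is
    CRITICAL (a broken IdP/SP is exactly the condition being monitored), never silently OK."""
    try:
        not_after = fetch_not_after(host, port, timeout)
    except ssl.SSLCertVerificationError as e:
        return CRITICAL, "verification failed for %s:%d: %s" % (host, port, e.verify_message)
    except (OSError, ssl.SSLError) as e:
        return CRITICAL, "cannot establish TLS to %s:%d: %s" % (host, port, e)
    try:
        return classify_expiry(not_after, time.time(), warn_days, crit_days)
    except ValueError:
        return UNKNOWN, "unparseable notAfter %r from %s:%d" % (not_after, host, port)


if __name__ == "__main__":
    # Usage: check_tls_expiry.py HOST [PORT]; the default host is an assumed example name.
    target = sys.argv[1] if len(sys.argv) > 1 else "idp.example.edu.au"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    state, message = check_host(target, port)
    print("%s - %s" % (STATE_NAMES[state], message))
    sys.exit(state)
```

Icinga reads the first output line as the status text and the process exit code as the state, so the plugin can be wired to a host or service group exported from the Federation Registry without any further adaptation. Because the check verifies the chain, a certificate that is still in date but signed by a CA the system no longer trusts is also surfaced as CRITICAL, which a bare expiry-date comparison would miss.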
Other initiatives: Improved data collection and reporting of utilisation
Currently usage data is collected from the WAYFs
• Leads to some data loss
• Does not distinguish between successful and failed access
Investigate improvements through capturing sanitised logs from IdPs
• See all the traffic that bypasses the WAYF
• Identify hidden services: bilateral agreements become obvious
• Can count successful authentications
• Can assist in identifying brute force attacks
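As an added example (not AAF code), the Python below sketches the IdP-side log pipeline proposed above on constructed records in a simplified pipe-delimited layout that is not the real Shibboleth IdP audit-log format. The IdP pseudonymises the principal and the client IP with a keyed HMAC before any record leaves the site; the central reporting side then counts successful and failed authentications per SP, lists SPs the WAYF never saw, and flags client addresses with a burst of failures. The key, the thresholds, the list of WAYF-known SPs and every log line are assumptions made for the example.

```python
import hashlib
import hmac
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed: a per-IdP secret that stays at the IdP. Only keyed pseudonyms leave the site, so
# central reporting can count and correlate without ever holding usernames or client IPs.
SANITISATION_KEY = b"example-idp-local-secret-rotate-me"

# Constructed records in a simplified layout (NOT the real Shibboleth IdP audit log format):
# time|event|principal|client_ip|relying_party|result
SAMPLE_LOG = """\
20120216T090000Z|authn|alice@example.edu.au|203.0.113.10|https://sp.example.edu.au/shibboleth|success
20120216T090130Z|authn|bob@example.edu.au|203.0.113.11|https://rdsi.example.org/shibboleth|success
20120216T090200Z|authn|alice@example.edu.au|203.0.113.10|https://hidden.partner.example.net/sp|success
20120216T090300Z|authn|carol@example.edu.au|198.51.100.7|https://sp.example.edu.au/shibboleth|failure
20120216T090305Z|authn|dave@example.edu.au|198.51.100.7|https://sp.example.edu.au/shibboleth|failure
20120216T090310Z|authn|erin@example.edu.au|198.51.100.7|https://sp.example.edu.au/shibboleth|failure
20120216T090315Z|authn|frank@example.edu.au|198.51.100.7|https://sp.example.edu.au/shibboleth|failure
20120216T090320Z|authn|grace@example.edu.au|198.51.100.7|https://sp.example.edu.au/shibboleth|failure
20120216T093000Z|authn|bob@example.edu.au|203.0.113.11|https://sp.example.edu.au/shibboleth|failure""".splitlines()

# SPs the WAYF knows about (assumed); anything else seen at the IdP was reached without the WAYF.
WAYF_SPS = {"https://sp.example.edu.au/shibboleth", "https://rdsi.example.org/shibboleth"}


def pseudonymise(value, key=SANITISATION_KEY):
    """Keyed, truncated HMAC-SHA256: stable within one IdP, not reversible centrally."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def sanitise(line):
    """Replace principal and client IP with pseudonyms before the record leaves the IdP."""
    ts, event, principal, ip, rp, result = line.split("|")
    return "|".join([ts, event, pseudonymise(principal), pseudonymise(ip), rp, result])


def parse(line):
    ts, event, principal, ip, rp, result = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y%m%dT%H%M%SZ"), "event": event,
            "principal": principal, "ip": ip, "rp": rp, "result": result}


def utilisation(sanitised_lines, wayf_sps):
    """Per-SP success/failure counts, plus SPs the WAYF never saw (bilateral arrangements)."""
    success, failure = Counter(), Counter()
    for rec in map(parse, sanitised_lines):
        (success if rec["result"] == "success" else failure)[rec["rp"]] += 1
    seen = set(success) | set(failure)
    return {"success": dict(success), "failure": dict(failure),
            "hidden_sps": sorted(seen - set(wayf_sps))}


def brute_force_candidates(sanitised_lines, threshold=5, window=timedelta(minutes=10)):
    """Pseudonymised client IPs with >= threshold failed authentications inside any window."""
    failures = defaultdict(list)
    for rec in map(parse, sanitised_lines):
        if rec["result"] != "success":
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):      # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    sanitised = [sanitise(line) for line in SAMPLE_LOG]
    print(utilisation(sanitised, WAYF_SPS))
    print(brute_force_candidates(sanitised))
```

Keeping the key at the IdP is what makes the central copy "sanitised": the reporting side can still see that five failures came from one address inside twenty seconds, and that one SP never appears in WAYF data, but it cannot turn a pseudonym back into a person or an address. Rotating the key breaks correlation across the rotation boundary, which is the intended trade-off.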
Other initiatives: New discovery service
Currently utilising the SWITCHaai WAYF
Federation Registry
• Extend to populate MDUI (SAML metadata UI extension) elements into the metadata
Investigate
• what options are available for the Discovery Service
• a multi-tiered Discovery Service
  – General access
  – Higher LOA (level of assurance)
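As an added example that is not Federation Registry code (the AAF's registry is a Groovy/Grails application), the Python below does in miniature what the Federation Registry slides describe and what the discovery-service slide proposes: it parses a SAML 2 metadata aggregate, groups IdPs and SPs under their owning Organisation, runs registry-style data validation, and populates mdui:UIInfo on an IdP so a discovery service can display a proper name for it. The aggregate, the entityIDs, the organisation name and the https-only endpoint rule are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
for prefix, ns in (("md", MD), ("mdui", MDUI)):
    ET.register_namespace(prefix, ns)

# Constructed, abridged aggregate (not real AAF metadata): one organisation owning an IdP and an SP, plus a stray SP with no Organization element and a plain-http endpoint.
ORG = '<md:Organization><md:OrganizationName xml:lang="en">Example University</md:OrganizationName></md:Organization>'
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="%s" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.example.edu.au/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.edu.au/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
    %s
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.edu.au/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.edu.au/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
    %s
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://portal.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://portal.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>""" % (MD, ORG, ORG)

q = lambda ns, tag: "{%s}%s" % (ns, tag)   # Clark-notation qualified name for ElementTree

def parse_entities(xml_text):
    """One record per EntityDescriptor: entityID, roles, endpoints and owning organisation."""
    records = []
    for ed in ET.fromstring(xml_text).iter(q(MD, "EntityDescriptor")):
        name = ed.find(q(MD, "Organization") + "/" + q(MD, "OrganizationName"))
        records.append({
            "entity_id": ed.get("entityID"),
            "org": name.text.strip() if name is not None and name.text else None,
            "idp": ed.find(q(MD, "IDPSSODescriptor")) is not None,
            "sp": ed.find(q(MD, "SPSSODescriptor")) is not None,
            "endpoints": [e.get("Location") for e in ed.iter()
                          if e.tag in (q(MD, "SingleSignOnService"), q(MD, "AssertionConsumerService"))]})
    return records

def report_by_organisation(records):
    """Registry view: each Organisation owns 0..n IdPs and 0..n SPs."""
    report = {}
    for r in records:
        owner = report.setdefault(r["org"] or "(no Organization element)", {"idps": [], "sps": []})
        for role in ("idp", "sp"):
            if r[role]:
                owner[role + "s"].append(r["entity_id"])
    return report

def validate(records):
    """Data-validation checks a registry runs before publishing an entity."""
    problems = []
    for r in records:
        eid = r["entity_id"]
        if r["org"] is None:
            problems.append("%s: no Organization, cannot be attributed to a subscriber" % eid)
        if (r["idp"] or r["sp"]) and not r["endpoints"]:
            problems.append("%s: role descriptor has no SSO/ACS endpoint" % eid)
        for loc in r["endpoints"]:
            if not loc.startswith("https://"):   # https-only is an assumed federation policy
                problems.append("%s: endpoint %s is not https" % (eid, loc))
    return problems

def add_mdui(xml_text, entity_id, display_name, info_url, lang="en"):
    """Populate mdui:UIInfo on the IdP role of entity_id. UIInfo goes inside the role
    descriptor's md:Extensions, which the metadata schema requires to be its first child."""
    root = ET.fromstring(xml_text)
    for ed in root.iter(q(MD, "EntityDescriptor")):
        if ed.get("entityID") != entity_id:
            continue
        role = ed.find(q(MD, "IDPSSODescriptor"))
        if role is None:
            raise ValueError("%s has no IDPSSODescriptor" % entity_id)
        ext = role.find(q(MD, "Extensions"))
        if ext is None:
            ext = ET.Element(q(MD, "Extensions"))
            role.insert(0, ext)
        uiinfo = ext.find(q(MDUI, "UIInfo"))
        if uiinfo is None:   # an empty Element is falsy, so test for None explicitly
            uiinfo = ET.SubElement(ext, q(MDUI, "UIInfo"))
        for tag, text in (("DisplayName", display_name), ("InformationURL", info_url)):
            el = ET.SubElement(uiinfo, q(MDUI, tag))
            el.set(XML_LANG, lang)   # xml:lang is mandatory on these MDUI elements
            el.text = text
        return ET.tostring(root, encoding="unicode")
    raise KeyError("no entity %s in aggregate" % entity_id)

def mdui_display_name(xml_text, entity_id, lang="en"):
    """What a discovery service would show for entity_id, or None if no MDUI is present."""
    for ed in ET.fromstring(xml_text).iter(q(MD, "EntityDescriptor")):
        if ed.get("entityID") == entity_id:
            for dn in ed.iter(q(MDUI, "DisplayName")):
                if dn.get(XML_LANG) == lang:
                    return dn.text
    return None
```

Run as a script it does nothing; the functions are meant to be called from a registry workflow: parse_entities on the aggregate, validate before an entity is published, and add_mdui when a subscriber fills in the display name through the registry so the WAYF picks the value up from metadata rather than from a hand-maintained list. Note that the serialised output is unsigned; a real registry signs the aggregate after any change like this.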
Michel De La Villefromoy, Manager, University of Technology, Sydney:
"We see the AAF as an enabler for sharing all manner of fragile, dangerous, rare and geographically remote equipment between research organisations."