AAI @ TERENA TF-EMC2 15 feb 2011 Dyonisius Visser [email protected] www.terena.org


Page 1: AAI @ TERENA TF-EMC2 15 feb 2011 Dyonisius Visser visser@terena.rg

AAI @ TERENA

TF-EMC2 15 feb 2011

Dyonisius Visser

[email protected]

www.terena.org

Page 2

Where it all started

› REFEDS Wiki
› Dog food
› MediaWiki + SimpleSAMLphpAuth
› One SP
› Accumulated ~ 20 bilateral IdPs

<[email protected]>

Page 3

Next SP comes along

› TACAR
› Will need to contact several IdPs again to exchange metadata
› 3rd SP
› 4th SP etc etc

Page 4

Too many IdP-SP combinations

› Difficult to manage:

Page 5

New approach: proxy

› Create one SP to connect as many IdPs as …
› “Hide” all our other SPs behind that
› SPs can all have one statically configured IdP
› So no need to have a disco on each SP
› External IdPs only do business with a single TERENA SP

Page 6

[Diagram of the TERENA SP proxy setup; only its labels survived extraction, listed here by the kind of box they evidently belong to]
Services behind the proxy: WordPress etc, FileSender, CORE, TACAR, Sympa, Event reg, My.terena.org, Refeds wiki, Confluence
SimpleSAMLphp components: Secretariat IdP, LDAP, SP Proxy, Bridge
Social / OpenID providers: LinkedIn, Yahoo, Google, OpenID, Twitter, MySpace †, WindowsLive, FaceBook
Federated and other IdPs: Guest IdPs…, eduGAIN, 3 more federations, 15 more bilaterals…, SURFfed, AAI@EduHR
??????? : label on the IdP/SP link (the next slide defines it as the globally unique ID)

Page 7

?????? = Globally unique ID

› Generate globally unique identifier for ALL users that could possibly come in
› Pick first available attr name+value from:
  › eduPersonTargetedID
  › eduPersonPrincipalName
  › Openid/Twitter/FB/Myspace/windowslive/linkedin
› Append !IdP
› Result + demo: https://tnc2011.core.terena.org
› (PG table)
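The identifier rule on this slide as an added Python example (not TERENA's or SimpleSAMLphp's code): take the first attribute present in the stated priority order and append "!" plus the IdP's entityID. The social-login attribute names, the entityIDs and the sample values are assumptions; what the example makes visible is that the IdP scope is what stops two IdPs asserting the same raw value from sharing one row in the central user table.

```python
# Added example (not TERENA's code): build the proxy's globally unique user ID
# from the first usable attribute an IdP sends, scoped with that IdP's entityID.
from typing import Mapping, Sequence

# Priority order from the slide.  The two eduPerson names are real attribute
# names; the social-login names after them are assumptions standing in for
# whatever the SimpleSAMLphp bridge emits for each provider.
ATTRIBUTE_PRIORITY = (
    "eduPersonTargetedID",
    "eduPersonPrincipalName",
    "openid", "twitter_id", "facebook_id", "myspace_id", "windowslive_id", "linkedin_id",
)
SEPARATOR = "!"  # the slide's "Append !IdP"

class NoUsableIdentifier(Exception):
    """The IdP sent none of the attributes in ATTRIBUTE_PRIORITY."""

def global_user_id(attributes: Mapping[str, Sequence[str]], idp_entity_id: str) -> str:
    """Return '<value>!<IdP entityID>' from the first non-empty attribute found.

    SAML attributes are multi-valued, so each value is a sequence.  The appended
    entityID keeps two IdPs that assert the same raw value (e.g. the same
    eduPersonPrincipalName) from sharing, or taking over, one row in the central
    user table; the proxy must take it from its own IdP metadata, never from the
    assertion's attributes.
    """
    if not idp_entity_id:
        raise ValueError("IdP entityID is required to scope the identifier")
    for name in ATTRIBUTE_PRIORITY:
        for value in attributes.get(name, ()):
            value = value.strip()
            if not value:
                continue
            if SEPARATOR in value:  # assumption: keep the ID unambiguously parseable
                raise ValueError(f"{name} value contains {SEPARATOR!r}")
            return f"{value}{SEPARATOR}{idp_entity_id}"
    raise NoUsableIdentifier(f"{idp_entity_id} sent none of {ATTRIBUTE_PRIORITY}")

def split_user_id(user_id: str) -> tuple[str, str]:
    """Inverse of global_user_id: (local value, IdP entityID)."""
    value, sep, idp = user_id.partition(SEPARATOR)
    if not (sep and value and idp):
        raise ValueError("malformed global user ID")
    return value, idp

# Constructed sample: the same ePPN asserted by two IdPs must yield two IDs.
EPPN = {"eduPersonPrincipalName": ["[email protected]"]}
IDP_A = "https://idp.example-federation.org/idp"  # placeholder entityIDs
IDP_B = "https://idp.other-university.example/idp"
```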

Page 8

Pre-login user provisioning

› Invitation system (demo)

Page 9

To do

› Central user repository (LDAP/SQL)
› Central group repository (DIY/Grouper/SURF/?)
› Profile page to manage your data (SWITCH’s javascript side bar/?)
› Account linking (Login4life, David?)
› Consent dialog upon first login
› -> Cherry pickin’ from community

Page 10

Automated IdP checks?

› All configured IdPs
› IdPs that have our metadata
› IdPs that have our metadata and that send usable attrs

Page 11

Issues encountered

› Changing your SP metadata at remote parties takes a long time
› So don’t start with 1K keys
› Non-federated users – guest accounts?
› Too many guest options now
