Transcript
Page 1: CANARIE Canadian Access Federation Update @ Internet2 Identity Week 2013

www.canarie.ca

REFEDS Update on Canadian Access Federation

Chris Phillips | Nov 11, 2013 | Internet2 idweek2013 | San Francisco

Page 2


About CANARIE

Map date: 29 May 2012

Operates Canada’s ultra-high-bandwidth research network
•  Connects one million users at 1,100 institutions, “big science” facilities like TRIUMF, NEPTUNE, CLS, SNOLAB, and to Compute Canada HPC consortia
•  19,000 km of fibre with a 40 Gbps backbone
•  Funds programs that enable greater access to research data, tools and peers and to stimulate the ICT sector

Operator of the Canadian Access Federation
•  SAML federation based on Shibboleth
•  Canadian eduroam 802.1X wireless roaming operator
•  eduGAIN participant

Primary investment from Government of Canada: $480 M since 1993

Page 3

Additional Programs

•  DAIR - Digital Accelerator for Innovation and Research: an on-demand, advanced R&D cloud environment that supports Canada’s tech innovators. OpenStack based, with 2 regions (Alberta, Quebec).
•  RPI - Research Platform Infrastructure: an investment in middleware by CANARIE that leverages existing platforms and is the evolution of the NEP program. Reduces duplication, increases re-use and collaboration between programs. http://science.canarie.ca/
•  NEP - Network Enabled Platforms: similar in nature to the GEANT open call. Research initiatives showing innovative uses of the network. Has evolved to be even more collaborative and generates new interfaces/RPI services to be reused between projects.

Page 4


This is what it feels like trying to collaborate….

Image: Phil Roeder - Flickr

Page 5

This is how we want it to feel.

Page 6


How?

Facilitate collaboration at the largest scale possible.

Page 7

How?

Facilitate collaboration at the largest scale possible.

•  Easiest, but trusted!
•  Seamlessly!

Page 8


Roaming wireless

•  International wireless roaming
•  Ability to automatically sign on using your home credential
•  Reduces barriers to mobile users
•  Worldwide and expanding coverage: Canada: 64 sites; 65 countries worldwide

Federated identity

•  Federated Single Sign On for services
•  Web and non-web sign on
•  Authentication, authorization, attribute release
•  Across different security domains

Interfederation

•  eduGAIN as primary, exploring other direct relationships
•  Bridge to international community
•  Enables CAF participants to:
   •  Accept identities inbound from outside Canada to Canadian services
   •  Use Canadian identities in services outside Canada

•  ~3M logins Sept 2013
•  2.5x traffic growth in 1 yr
•  48 sites, ~50% of universities in Canada
•  40% growth in sites in 1 yr

[Chart: Successful Logins, Canada vs International; axis 0 to 2,000,000]

•  24 Service Providers – 160% increase in 1 yr
•  21 Identity Providers

[Chart: Total CAF enabled users – SAML & eduroam; four data points rising from 937,000 through 986,765 and 1,011,793 to 1,020,387]

•  Int’l NREN CEO Forum placed eduGAIN as a key effort
•  CAF was an early adopter: joined last year when there were 8 members; eduGAIN now has 20 countries
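The roaming bullets above say a visitor signs on abroad with a home credential. What makes that possible is that eduroam RADIUS proxies route each request on the realm of the outer EAP identity and never see the password, which stays inside the TLS-protected EAP tunnel to the home server. The following is an added Python example, not CANARIE code: the realms, host names and the three-level hierarchy (campus, national, international) are assumptions for illustration. It also shows two checks a practitioner wants at the proxy and at the home server: a national proxy refuses unknown realms under its own TLD instead of bouncing them upstream (which would loop), and the home server confirms that the tunnelled inner identity belongs to the realm the request was routed on.

```python
"""Realm-based routing for eduroam-style RADIUS proxies (added example, not CANARIE code).

Realms, host names and the hierarchy below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed configuration for a hypothetical Canadian eduroam hierarchy.
NATIONAL_TLD = ".ca"
CAMPUS_REALMS = frozenset({"example-u.ca", "students.example-u.ca"})
NATIONAL_PROXY = "flr.eduroam.example.ca"      # hypothetical federation-level proxy
INTERNATIONAL_PROXY = "tlr.eduroam.example"    # hypothetical top-level proxy
# Realm -> institutional RADIUS server, as the national proxy would know them.
MEMBER_SERVERS = {
    "example-u.ca": "radius.example-u.ca",
    "students.example-u.ca": "radius.example-u.ca",
    "other-college.ca": "aaa.other-college.ca",
}

# DNS-style realm: dotted labels of letters, digits and hyphens, no leading/trailing '-'.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_REALM_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")


@dataclass(frozen=True)
class Decision:
    action: str             # "local", "forward" or "reject"
    target: Optional[str]   # next-hop RADIUS server for "forward", else None
    reason: str


def split_identity(identity: str) -> Optional[Tuple[str, str]]:
    """Return (user, realm) from an 802.1X identity, or None if it has no routable realm."""
    if identity.count("@") != 1:
        return None
    user, realm = identity.rsplit("@", 1)
    realm = realm.strip().lower()
    if not _REALM_RE.match(realm):
        return None
    return user, realm


def route(outer_identity: str, level: str) -> Decision:
    """Decide where an Access-Request goes at a 'campus' or 'national' proxy.

    Only the realm is consulted: the user part is usually anonymous, and the
    credential itself is inside the EAP tunnel where proxies cannot read it.
    """
    parsed = split_identity(outer_identity)
    if parsed is None:
        return Decision("reject", None, "identity must be user@realm with a DNS-style realm")
    _, realm = parsed
    if level == "campus":
        if realm in CAMPUS_REALMS:
            return Decision("local", None, "home realm: authenticate against the campus IdP")
        return Decision("forward", NATIONAL_PROXY, "visitor: send to the national proxy")
    if level == "national":
        if realm in MEMBER_SERVERS:
            return Decision("forward", MEMBER_SERVERS[realm], "member realm: send to its home server")
        if realm.endswith(NATIONAL_TLD):
            # Unknown .ca realm: forwarding it up would only route it straight back here.
            return Decision("reject", None, "unknown national realm: reject to avoid a routing loop")
        return Decision("forward", INTERNATIONAL_PROXY, "foreign realm: send to the international proxy")
    raise ValueError(f"unknown proxy level {level!r}")


def inner_identity_ok(outer_identity: str, inner_identity: str) -> bool:
    """Home-server check: the tunnelled (inner) identity must belong to the outer realm.

    The outer identity is normally anonymous@realm; the real user name arrives inside
    the tunnel. A different inner realm means the session was routed on one realm but
    authenticated under another, so it is rejected. A bare inner user name is accepted
    as implicitly belonging to the outer realm.
    """
    outer = split_identity(outer_identity)
    if outer is None:
        return False
    inner = split_identity(inner_identity)
    if inner is None:
        return bool(inner_identity) and "@" not in inner_identity
    return inner[1] == outer[1]


if __name__ == "__main__":
    for ident in ("anonymous@example-u.ca", "anonymous@other-college.ca", "alice", "bob@unknown.ca"):
        for level in ("campus", "national"):
            print(level, ident, route(ident, level))
    print(inner_identity_ok("anonymous@example-u.ca", "alice@other-college.ca"))  # False
```

The same `route` function serves both levels so the loop-avoidance rule sits next to the normal forwarding path, where it is easy to review; in a production FreeRADIUS or radsecproxy deployment this logic lives in the realm configuration rather than in code, but the decisions it must make are the ones shown here.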

Page 9


A Glimpse at eduroam traffic

[Chart: eduroam Successful Logins, up to Oct 30, 2013, Canada vs International. Left axis: successful logins, 0 to 4,000,000; right axis: % No Reply from Server, 0% to 25%.]

Page 10


Closing the gap

•  eduroam evidence of success → why not the same for FSSO?
•  Talked to new & old participants, other federations
•  Analyzed over a year’s worth of data

http://www.flickr.com/photos/asparagus_hunter/483841638/ asparagus hunter

Page 11


Why?

•  Evolved approach to better match campus IT reality
•  Reduced cost/effort to be a CAF participant
•  Simplifies the CAF installation experience
•  Easier day-to-day operations

http://www.flickr.com/photos/madison_guy/3386919046/sizes/o/in/photostream/ Madison Guy

Regular Approach vs Identity Appliance

Regular Approach:   Choose RADIUS server → Install & Configure → Test & Connect
Identity Appliance: Supported server installed → Pre-configured → Tested & Connected

Regular Approach:   Choose platform → Install & Configure → Test & Connect
Identity Appliance: Supported platform installed → Pre-configured → Tested & Connected

Page 12

A Bit Deeper

•  Reviewed many styles, but no one is really doing both eduroam AND Federated SSO with SAML
•  Inspired by many DevOps-style approaches, adopted an installer-based model (SWAMID approach; others influential too)
•  eduroam in alpha now, FedSSO going through test cycles
•  Sites will be connected to both eduroam & eduGAIN

Page 13


Inter-federation

•  In use and business as usual
•  eduroam Configuration Assistant Tool (CAT) driving current IdPs
•  Appliance approach will see sites joining eduGAIN when they join CAF.

Page 14


eduroam CAT service (accessed via eduGAIN)

•  Builds & hosts profile installers for all platforms and devices (MSFT, Apple, Linux)
•  Profile = specific configuration on your device to connect to the network

Page 15


Signing on to Manage Your eduroam Site

•  Access is only for site admins

•  Requires Federated Single Sign On + invitation one time link

•  Can create multiple admins

•  Can create multiple ‘profiles’ for testing prior to release.

•  Production Profiles can be downloaded via CAT

Page 16


Once Signed in

Snapshot of eduroam CAT
•  # of federations with at least 1 production IdP: 30
•  Total IdPs registered: 391
•  IdPs which enabled the public download interface: 264
•  End-user downloads of installers so far: 162,289

Page 17


Sub-national Topic

•  Different groups across Canada expressed interest in ‘CAF+ . . .’
•  Needs were diverse yet common: additional schema, workflow for special sets of entities only, allow entities to be members of multiple sets, notify about joining a set.
•  View is that it can be done centrally through CAF, but tools & processes need improvements

Page 18


Unified Collaboration & Interconnection

[Diagram: CAF at the centre, interconnecting Local Feds (each with their own IdPs and SPs), Special Interest Trust Groups (IdPs and SPs) and a Higher Assurance group (IdPs and SPs)]

•  Efficient, least effort for SP/IdP
•  Local fed incubates federation-aware apps
•  SITG can leverage common infrastructure, and overlay special attribute sets & specific policies

Page 19


Improving Tools

•  Federation Operations needed to rise to the challenge
•  Federation Registry tools space has very rich offerings (AAF: Federation Manager, HEANET: Resource Registry, REEP to name a few)
•  Tough to choose because of the great work out there
•  Gravitated to HEANET RR

http://www.flickr.com/photos/chazferret/2075442918/

Page 20


Skating to where the puck will be

•  Our usual ‘customers’ are changing; we need to as well.
•  Centralized services with delegation functionality avoid duplication of effort in the community and save time and effort for sites

http://www.flickr.com/photos/mag3737/1997114236/ mag3737

Page 21


Seed Topics for the ACAMP

•  Effective attribute release from IdPs
•  Centralized authorization and user preferences being sought – should we run an instance of Grouper or COmanage?
•  Non-web SAML for RESTful web services, looking for some interesting approaches
•  Interested in any mobile plays for Fed. SSO on smartphones.

http://www.flickr.com/photos/the_yes_man/4648999621/sizes/l/in/photostream/

Page 22

Page 23


Additional Material

Page 24


Digital Accelerator for Innovation and Research (DAIR)

An on-demand, advanced R&D environment that supports Canada’s tech innovators and entrepreneurs in designing, prototyping, validating and demonstrating their new technology apps, products and services.

www.canarie.ca/en/dair

[Diagram: CANARIE + Optical Regional Advanced Networks (ORANs) / Réseaux optiques régionaux évolués (ROREs); Cloud Computing and Storage / Infonuagique et stockage; Internet]