SURFfederatie - eduGAIN
DESCRIPTION
SURFfederatie - eduGAIN. Opt-in Metadata Management for a Hub & Spoke Federation. Slide transcript. Contents: History of SURFfederatie; Federation models; Functional view; Consequences of hub & spoke; eduGAIN; Future changes.
Slide 1
SURFfederatie - eduGAIN
Opt-in Metadata Management for a Hub & Spoke Federation
Slide 2
SURFnet - We make innovation work
Content
- History of SURFfederatie
- Federation models
- Functional view
- Consequences of hub & spoke
- eduGAIN
- Future changes
Slide 3
Once upon a time…
Timeline 1996, 2001, 2004, 2006, 2007, 2008; milestones in the order shown on the slide:
- Student Chipcard: authentication
- A-Select: intra-organisational web-SSO
- DigiD: government eID based on A-Select
- Federative AAI, A-Select (open source)
- FIdM service (gateway) in production
- Elsevier, EBSCO, Google Apps
Slide 4
Federation models (communication/login, not metadata)
- 1-1: business (US), SAML 1.x, de facto
- NxN: shared trust, point-to-point; education (US/Europe)
- 2xN: central gateway (CFC), protocol translation; SURFfederatie
Legend: CFC, IDP, SP
Diagram: rows of IDP/SP pairs, each pair connected through the CFC rather than directly to each other.
Slide 5
Functional view (since August 2008)
Central Federation Components (SURFfederatie CORE) sit between the Identity Providers (credentials) and the Service Providers (applications).
- Protocols towards Identity Providers: A-Select Cross, Shibboleth, SAML 2.0, WS-Fed / ADFS
- Protocols towards Service Providers: A-Select Cross, SAML 2.0, WS-Fed / ADFS
Slide 6
Metadata & proxying
Diagram: IDP1, IDP2, IDP3 on one side of the hub, SP1, SP2, SP3 on the other, with a WAYF on each side. The hub presents each IdP to the SPs as a proxy entity B-n and each SP to the IdPs as a proxy entity A-n; the set behind an SP is the IdPs it has opted in to.
IDP1 = B-1
IDP2 = B-2
IDP3 = B-3
SP1 = A-1 {IDP1, IDP2}
SP2 = A-2 {IDP2, IDP3}
SP3 = A-3 {all}
Slide 7
WAYF/WAYF-less operation
Diagram: the same IDP1-3 / SP1-3 topology with the two WAYF instances.
Slide 8
hub & spoke pros/cons
Pros
- 1 connection for IDP/SP
- Minimal overhead for IDPs
- Centralized (technical) management
- Specialist knowledge @ SN (SURFnet); less needed for IDP/SP
- Scales well at national level
- Extra features easier to do: web services, group support
Cons
- Procedures: release consent per SP; key/cert/metadata changes
- Lack of knowledge @ IDP: double-edged sword…
- Scalability at European level
- Can only support the common denominator
Slide 9
Importing eduGAIN SPs
Diagram: the slide 6 topology with eduGAIN added on the SP side. SPz comes in from eduGAIN and is shown to the IdPs as proxy entity A-z.
IDP1 = B-1
IDP2 = B-2
IDP3 = B-3
SP1 = A-1 {IDP1, IDP2}
SP2 = A-2 {IDP2, IDP3}
SP3 = A-3 {all}
SPz = A-z {IDP2, IDP3}
eduGAIN: SPx = ddd, SPy = eee, SPz = fff (placeholders for the SPs' eduGAIN entityIDs)
Slide 10
Exporting IDPs
Diagram: as slide 9; IDP3 is exported to eduGAIN as B-3, i.e. under its hub-side proxy identity.
IDP1 = B-1
IDP2 = B-2
IDP3 = B-3
SP1 = A-1 {IDP1, IDP2}
SP2 = A-2 {IDP2, IDP3}
SP3 = A-3 {all}
SPz = A-z {IDP2, IDP3}
eduGAIN: SPx = ddd, SPy = eee, SPz = fff
Exported: IDP3 = B-3
Slide 11
Exporting SPs to eduGAIN
Diagram: as slide 10, plus an eduGAIN IdP IDPz. SP3 is exported to eduGAIN as SP3, i.e. under its own entityID rather than a proxy one.
IDP1 = B-1
IDP2 = B-2
IDP3 = B-3
SP1 = A-1 {IDP1, IDP2}
SP2 = A-2 {IDP2, IDP3}
SP3 = A-3 {all}
SPz = A-z {IDP2, IDP3}
eduGAIN: SPx = ddd, SPy = eee, SPz = fff, SP3 = SP3; IDPz
Slide 12
SP auth list (optional)
Diagram: as slide 11, with eduGAIN IdPs IDPx, IDPy, IDPz.
IDP1 = B-1
IDP2 = B-2
IDP3 = B-3
SP1 = A-1 {IDP1, IDP2}
SP2 = A-2 {IDP2, IDP3}
SP3 = A-3 {all}
SPz = A-z {IDP2, IDP3}
eduGAIN: SPx = ddd, SPy = eee, SPz = fff, SP3 = SP3; IDPx, IDPy, IDPz
Per SP auth list
SP3: IDP1, IDP2, IDPz
Slide 14
Future plans
- Integrate with SURFconext
  - Procedural/organisational
  - Technical (level of integration TBD)
- Change of consent model
  - Opt-in to opt-out
  - Addition of user consent
- Web service support
  - Needed for (scientific) workflows
- Rich client / beyond web SSO / mobile support
- Rethink procedures/management
Slide 15
Remco Poortinga – van [email protected]@surfnet.nl
www.surfnet.nl
Presentation released under Creative Commons: http://creativecommons.org/licenses/by/3.0/
Slide 17
Backup slides
Slide 18
(C) 2011 SURFnet B.V.
URLs
An SP that wants to take part must speak SAML itself (for this we do not act as a proxy the way we normally do).
https://wayf.surfnet.nl/federate/surfnet/edugain
2 IdPs: SN (SURFnet) & TERENA; 1 SP: TERENA
(The MDS also shows the TERENA IdP going through the gateway with the IdP passed URL-encoded instead of via SAML scoping (as the WAYF does). Not everyone implements that, so for interoperability reasons we do it this way.)
It is also possible to generate SP-specific metadata (per SP from our federation) for SPs that do not want to maintain an auth list themselves. It contains the SF (SURFfederatie) IdPs plus the 'approved' eduGAIN IdPs.
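The proxy mapping of slides 6, 9 to 12 (A-n/B-n aliases, per-SP opt-in sets, the optional per-SP auth list) and the per-SP metadata generation described in the backup slide above, worked through as an added example. This is not SURFnet's code and not SURFfederatie's configuration: the hub URL, all entityIDs, the `proxy_id` naming scheme and the `Hub`/`Entity` classes are assumptions for illustration. Two behaviours are assumed rather than stated on the slides and are marked as such in the code: an SP without its own auth list also receives the operator-approved eduGAIN IdPs, and an SP imported from eduGAIN is only offered home IdPs (eduGAIN-to-eduGAIN traffic is not proxied).

```python
"""Opt-in IdP/SP mapping for a hub & spoke federation hub.

Constructed example modelled on the slides' labels (IDP1..3, SP1..3, A-n, B-n,
SPz, IDPz). The hub URL and all entityIDs are made up; nothing here is taken
from SURFfederatie's real configuration or code.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from xml.etree import ElementTree as ET

HUB = "https://hub.example.org"               # assumed hub base URL
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ALL = "all"                                   # slide notation: SP3=A-3 {all}


@dataclass(frozen=True)
class Entity:
    name: str              # label as used on the slides
    entity_id: str         # entityID in the entity's home federation
    edugain: bool = False  # imported via eduGAIN rather than a home member


@dataclass
class Hub:
    idps: dict[str, Entity] = field(default_factory=dict)
    sps: dict[str, Entity] = field(default_factory=dict)
    # SP -> home IdPs it opted in to, or ALL (slide 6: SP1=A-1 {IDP1, IDP2})
    opt_in: dict[str, set[str] | str] = field(default_factory=dict)
    # eduGAIN IdPs the hub operator has 'approved' (backup slide 18)
    approved_edugain: set[str] = field(default_factory=set)
    # optional per-SP auth list (slide 12); when present it is authoritative
    auth_list: dict[str, set[str]] = field(default_factory=dict)

    def proxy_id(self, name: str) -> str:
        """Hub-side alias: an IdP is shown to SPs as B-n, an SP to IdPs as A-n."""
        kind = "B" if name in self.idps else "A"
        return f"{HUB}/proxy/{kind}/{name}"

    def allowed_idps(self, sp: str) -> set[str]:
        """IdPs a given SP may receive assertions from (and sees in its WAYF list)."""
        if sp not in self.sps:
            raise KeyError(sp)
        if sp in self.auth_list:                        # explicit list wins
            return {n for n in self.auth_list[sp] if n in self.idps}
        home = {n for n, e in self.idps.items() if not e.edugain}
        wanted = self.opt_in.get(sp, ALL)
        chosen = home if wanted == ALL else set(wanted) & home
        if self.sps[sp].edugain:
            # assumption: an imported eduGAIN SP only gets home IdPs through the
            # hub; eduGAIN-to-eduGAIN traffic is not proxied here
            return chosen
        # assumption from backup slide 18: without an own list an SP also gets
        # the approved eduGAIN IdPs
        return chosen | (self.approved_edugain & set(self.idps))

    def authorize(self, idp: str, sp: str) -> bool:
        """Enforcement point for a response arriving at the hub. The WAYF list
        only steers the user; this check is what actually stops an IdP the SP
        never opted in to from asserting users to it."""
        return idp in self.idps and sp in self.sps and idp in self.allowed_idps(sp)

    def sp_metadata(self, sp: str) -> str:
        """Per-SP IdP aggregate: only allowed_idps(), under their hub-side
        (proxy) entityIDs, because the SP talks SAML to the hub, not to the IdP."""
        root = ET.Element(f"{{{MD_NS}}}EntitiesDescriptor", Name=f"{HUB}/sp/{sp}")
        for name in sorted(self.allowed_idps(sp)):
            ET.SubElement(root, f"{{{MD_NS}}}EntityDescriptor",
                          entityID=self.proxy_id(name))
        return ET.tostring(root, encoding="unicode")

    def edugain_export(self, names: list[str]) -> dict[str, str]:
        """Slides 10/11: an IdP is exported under its proxy entityID (IDP3=B-3);
        an SP under its own entityID (SP3=SP3), so it must speak SAML itself."""
        return {n: self.proxy_id(n) if n in self.idps else self.sps[n].entity_id
                for n in names}


def build_slide_hub() -> Hub:
    """The topology from slides 6, 9, 11 and 12, with made-up entityIDs."""
    hub = Hub()
    for n in ("IDP1", "IDP2", "IDP3"):
        hub.idps[n] = Entity(n, f"https://{n.lower()}.example.edu/idp")
    for n in ("SP1", "SP2", "SP3"):
        hub.sps[n] = Entity(n, f"https://{n.lower()}.example.com/sp")
    hub.opt_in = {"SP1": {"IDP1", "IDP2"}, "SP2": {"IDP2", "IDP3"}, "SP3": ALL}
    # eduGAIN imports: SPz opted in to IDP2 and IDP3; IDPz is approved, IDPx is not
    hub.sps["SPz"] = Entity("SPz", "https://spz.example.net/sp", edugain=True)
    hub.opt_in["SPz"] = {"IDP2", "IDP3"}
    hub.idps["IDPz"] = Entity("IDPz", "https://idpz.example.net/idp", edugain=True)
    hub.idps["IDPx"] = Entity("IDPx", "https://idpx.example.net/idp", edugain=True)
    hub.approved_edugain = {"IDPz"}
    hub.auth_list["SP3"] = {"IDP1", "IDP2", "IDPz"}   # slide 12
    return hub


if __name__ == "__main__":
    hub = build_slide_hub()
    for sp in ("SP1", "SP3", "SPz"):
        print(sp, sorted(hub.allowed_idps(sp)))
    print(hub.sp_metadata("SP1"))
```

The point a hub operator should take from `authorize()`: the per-SP IdP list is not only a WAYF filter, it has to be enforced on the response path, otherwise the "opt-in" is advisory and any IdP the hub trusts can assert users to any SP. Note also that the auth list for SP3 narrows its earlier `{all}` opt-in, which is the precedence the slide 12 example implies.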
Slide 19
Metadata
https://aai-viewer.switch.ch/interfederation-test/test/
We are currently not saml2int compliant (we treat attributes as 'format unspecified', which must be 'uri' according to the spec).