Towards a Federation as a Service From IdP in the Cloud project to FaaS

• What is an Identity Federation • What needs to be done to operate a Federation

Introduction: the theoretical standpoints

• What have we done? IdP in the cloud project • Project implementation • Benefits and project results

What we learnt and did to grow a Federation

• Extending this approach to Federation managers •  Identifying the key processes •  Implementing a Federation «appliance» • ELCIRA: activities and expected benefits

The ongoing project activities

What is an Identity Federation

§  An Identity Federation is a collection of organizations that agree to interoperate under a certain rule to manage user identities.

§  Within a Federation different organizations cooperate in managing identities by taking care of their users and services.

§  The Federation builds a global trust within the different organizations.

What needs to be done to operate a Fed.

§  Participants have to: §  Define procedures to create and manage an IdP; §  Define procedures to create and manage an SP.

§  Federation managers have to: §  Registering an entity (IdP or SP) in the Federation

§  Validating metadata information toward Federation policies; §  Performing all security controls and signing metadata; §  Guiding the participants in the implementation of an Identity

Management policy. §  Signing and distributing the Metadata. §  Providing accessory services (like information pages or

Discovery Service).

What we learnt from our communities

§  From a participant’s point of view, the more complex task is that of creating and managing an IdP.

§  In this activity, in fact, the participant has to: §  Manage a lot of different technologies (Shibboleth,

Tomcat, LDAP, security on the server, …); §  Monitor and update constantly the technical infrastructure

(for security and quality of service); §  Manage privacy and identity management policies; §  Manage users and passwords.

§  Many entities do not have enough skills or resources to manage them all!

The answer to this problem!

§  To tackle this problem, GARR started the “IdP in the cloud” service §  Goal: offering IdPs as a service on a cloud infrastructure!

§  This service permitted to take away greater part of the job from Federation participants. §  All technological aspects are managed by GARR on behalf of

the participating entity (including monitoring and updates); §  Compliance to regulation and Federation policy is delegated to

GARR; §  The participating entity “only” has to manage users and


How we did this: the infrastructure


2 sites, 12 servers

Instances, images & Data GlusterFS

Openstack VM unique flavor Public IPs

Service VMs §  Nagios, Splunk, Collectd §  DNS §  Puppet Master IdP VMs go here

§  Use a Puppet recipe to describe the features of the “IdP in the cloud” VM

How we did this: automatization


=> IDP in the Cloud •  Shibboleth IdP •  uApprove •  Custom login


•  Apache2 •  OpenLDAP •  phpLDAPadmin •  MySQL

•  iptables •  rsyslog •  Nagios, Collectd


Web interfaces openLDAP

Base VM – 2 vCPU, 4 GB RAM, 20 GB disk Ubuntu 12.04 + Puppet Agent

Key benefits of IdP in the cloud



Focus on your users’ identity

Focus on the services they



Tutored pre & post


Marginal OpEx, no CapEx

Compliance with federation policies


Quick provisioning

Continuous delivery

Resiliency, openness, …

Project results

§  With this approach the Identity Federation is diffusing into new communities: §  Institutions in the biomedical research with small IT teams; §  Cultural heritage institutions.

§  From request to Federated IdP in a few days (including administrative tasks) with no technical effort from requestor!

§  Possibility to manage all these systems with limited human resources (~10 IdP, < 0.5 FTE)

Extending this approach


§  We are extending this approach (used for IdP in the Cloud) from participants to Federation managers!

§  W e p l a n t o p r o v i d e a F e d e r a t i o n

«appliance» (provisioned on a Cloud) with all the required technological components to implement a fully functional Federation.

Indentifying the key processes


§  As said, the main processes a Federation manager has to implement are: §  Registering an entity (IdP or SP) in the Federation §  Signing and distributing the Metadata. §  Providing accessory services (like information pages or

Discovery Service).

§  Among them, we have found that the more complex to be implemented is the first. In fact: §  it requires human and technical validation; §  it is the process that permits to create the trust; §  entities are what the users see of the Federation!

Registering an entity in the Federation


Registration  of  an  entity  (IdP  or  SP)  in  the  FederationRe







n  managers

IDEM  –  the  Italian  Identity  Federation

Completes  and  sends  all  required  documents  to  GARR  (as  by  the  process)

Verify  the  «Member  Accession  Form»  


Verify  the  «Registration  Request»  document.

Verify  the  Metadata  and  validate  the  quality  of  the  information

Signing  and  distribution  of  the  Metadata  to  the  


Verify  the  entity  is  working  correctly  and  releasing  the  right  attributes


Security  checks  on  certificates  and  keys

Supporting the process


§  To support and standardize the process, we implemented a workflow for entity registration

§  This flow spans two integrated tools: §  Resource Registry: to validate metadata

information (and diffuse awareness); §  Metadata Aggregator: to verify all the security

aspects bound to certificates and to sign the metadata for the distribution to the Federation (and inter-federations).

The scenario


Fed  MD


Interfed.  MD


Fed  MD  +  

Interfed.  MDOR

Interfed.  test  MD

Administrative Technical



·∙   Dealing  with  customers    requesting  the  service  (approving,  registering,  provision  of  services)

·∙   Managing  instances  of  service

·∙   Management  of  federation  policy·∙   Dealing  with  new  IdPs  and  SPs  joining  the  federation  (auditing,  approving,  registering,  etc.  )

·∙   Support  and  communications  with  IdP  and  SPs

·∙   Managing  RR

MDS MDS  test

Interfed.  test    MD

Fed  MD  opt-­‐ed

Technology to be developed


§  To provision the Federation «appliance» new Puppet recipes are being developed to automatize installation of the software components.

§  With these developments, the IdP in the cloud schema will be extended to permit the provisioning of a complete Federation as a service on a Cloud infrastructure.

Expected goals


§  With this «appliance» we plan to standardize and support Federation operations.

§  By consuming this FaaS service, it will be possible to: §  Start rapidly the operation of a new Federation, by almost

eliminating the technological step in; §  Leverage experiences and best practices to operate

effectively a Federation even starting with little or no prior experience.

ELCIRA: adopting Federations

§  ELCIRA will support the adoption of Identity Fedarations in Latin America.

§  But, as we have seen, deploy Federations is hard! 1.  Technology needs to be installed and managed 2.  Processes, steps, attribution of responsibility have

to be implemented

§  ELCIRA will borrow GARR experience in automatizing components installation in a cloud and in operating a Federation.

ELCIRA: supporting IdP installation

§  We will leverage GARR experience and solutions, developed during IdP in the Cloud project, to grow IdP diffusion within new or existing Federations.

§  This will permit NRENs to: §  Guarantee compliance to qualitative standards

for new IdPs in the Federation; §  Give the opportunity to enter rapidly in

production with a Federation entity!

ELCIRA: how to sustain new Federations?

§  GARR also provides support in sustaining the birth of new Federations by: §  Sharing best practices for the key processes; §  Sharing lesson learnt, dos and don’ts; §  Providing technical solutions, as the “federation

appliance” described earlier.




IdP in the Cloud Showcase


What IdP in the Cloud is

The service goal: make the deployment and the management of the identity providers easy, by minimizing the activities and the complexity for home organizations.

•  IdP as a Service (PaaS) •  IdM as a Service (SaaS) => IdP in the Cloud

Benefits §  Dedicated virtual appliance §  Updates and customization §  Federation policy compliancy §  Cloud advantages

First cloud service from GARR

Getting an IdP in the cloud

Request for an “IdP in the Cloud”

IdP instantiation and configuration

IdP delivery and user management

Tutor the user in preparing the documents requested by GARR and the IDEM Federation

The service creates a new IdP taking care of §  Tools installation and configuration §  Pre-production assessment §  Federation policies

Ready-to-use dedicated IdP VM to access federated services. Requestor tutored in managing users identities.

The request document

§  Is a very easy document to be produced by the requesting organization, with the following information (used to customize IdP and its Metadata):

§  Organization name §  Organization internet domain §  IdP name (or EntityID) §  Description of the service §  Organization public web site URL §  Organization privacy policy page URL §  IdP Informative web page URL (shown to users) §  Organization logo images §  Technical contact mailing list


Provisioning the VM

§  Live demo!

§  A new configuration for the IdP will be installed on the Puppet agent (with the support of two scripts created ad-hoc).

§  Puppet will take care of all the rest!



§  Open source framework able to automate repetitive system administration tasks.

§  Automatize the provisioning and configuration of IT servers.


Basic principles of Puppet

Everything is described as a


Puppet executes transitions among

resource states

(without a definite precedence)

The final state

represents the desired result

IdP in the cloud: user perspective


User interfaces: •  Custom IdP login page •  IdM interface •  Access log analysis tools

We are evaluating Perun a tool that could replace phpldapadmin. More information here:

That’s all folks!



