connect. communicate. collaborate the metadata service distributing trust in aai confederations...

Connect. Communicate. Collaborate

The MetaData ServiceDistributing trust in AAI confederations

Manuela Stanica, DFN


DF

Outline

• What is the MetaData Service (MDS)?

• Role of a MetaData Service in AAI confederations

• Use of the MDS in eduGAIN

• The MDS URLs

• Publishing and retrieving metadata

• Trust and security considerations

• Conclusions


DF

What is the MetaData Service (MDS)?

• eduGAIN component developed in GN2-JRA5

• eduGAIN: the GÉANT2 AAI

• Support dynamic establishment of trust relations between members of AAI confederation

• Information model conform to SAML v 2.0 Metadata Specification

• SAML: Security Assertions Markup Language (OASIS)


DF

Outline




• The MDS URLs



• Conclusions


DF

AAI confederation hierarchy

• AAI confederation interconnecting AAI federations

• AAI federation participant institutions users

– access to external resources & services

– unaware of participants in other federations

– require procedure of trust establishment between them


DF

AAI confederation hierarchy (2)


DF

Role of metadata

• Connecting to entities in other federated AAIs – required information:– where (in which federation)?– how to reach ?– what is supported (protocols and functionalities)?

metadata– distribution to all confederation members

• static (pre-configured upon software installation)• dynamic (on request)


DF

Role of a MetaData Servicein AAI confederations

• AAI confederations

– non-static environments!

– frequent updates

means for dynamic collection & distribution of metadata:

MetaData Service (MDS)


DF

Outline




• The MDS URLs



• Conclusions


DF

Basic principles

• Centralised storage of metadata for eduGAIN components

• Dynamic retrieval & update– metadata exchange interface: eduGAINMeta– based on REST architecture model

• Distributed publishing & querying– among local federations – no central admin– multiple metadata publishers and consumers


DF

eduGAIN components


DF

Bridging Elements

• MDS used by Bridging Elements (BEs):

– gateways eduGAIN – local federations

– communication with peers (BEs) in other federations

– query MDS for metadata about Home BE

– MDS response: SAML 2.0 Metadata doc

– consumers/publishers of metadata


DF

Outline




• The MDS URLs



• Conclusions


DF

URL structure

• Syntax of REST URL mapping:

MDS base URL[/federation ID][/entity ID][?query string]

• Combinations of:

– MDS base URL: https://mds.geant2.net/ – federation ID: dfn, feide,...– entity ID: be1 – query string – Home Locator(s): homeDomain=uio.no


DF

Home Locators

• eduGAIN specific atribute-value pairs

• For: locating a remote BE (Home BE)

• From: – hints provided by user

– contents of certificate extensions

• Types: – Home domain (homeDomain=switch.ch)– URN (urn=urn:geant:edugain:component:be:switch:be1)


DF

Outline




• The MDS URLs



• Conclusions


DF

Publishing/ updating

• Who: metadata publishers– Federation Peering Point (FPP)– authorized Bridging Elements (BEs)

• What: SAML 2.0 Metadata documents– EntityDescriptor root ( one BE)– EntitiesDescriptor root ( several BEs)

• How: HTTP POST/PUT


DF

Publishing/ updating (2)

• For whole federation:– only by FPP– EntitiesDescriptor– URL syntax: <MDS base URL/federation ID>

http://mds.ladok.umu.se/feide

• For single entities:– by FPP / authorized BEs– EntityDescriptor– URL syntax: <MDS base URL/federation ID/entity ID>

http://mds.ladok.umu.se/switch/be1


DF

Retrieving metadata

• BE queries MDS via HTTP GET

• Metadata lookup– entity/federation name is known– <MDS base URL[/federation ID][/entity ID]>

http://mds.ladok.umu.se

http://mds.ladok.umu.se/switch

http://mds.ladok.umu.se/switch/entity1

• Metadata search

– entity name unknown, home locators

– <MDS base URL[/federation ID]?query string> http://mds.ladok.umu.se/?homeDomain=switch.ch


DF

Outline




• The MDS URLs



• Conclusions


DF

Trust establishment

• Elements of trust establishment in eduGAIN:– MDS– eduGAIN PKI– Component identifiers (CIDs)

• MDS trust tightly bound with eduGAIN PKI

minimal trust in the service itself

• Transitive trust


DF

Security checks

• MDS validations:– publisher‘s X.509 certificate– publishing rights

• Publishers‘ signatures fwd with metadata

validation by consumers


DF

Outline




• The MDS URLs



• Conclusions


DF

Conclusions

• MDS: dynamic metadata distribution in AAI confederations

• Centralised storage, distributed trust

• Employes standard SAML 2.0 Metadata

• Possible use in any SAML-based infrastructure

• Deployment together with eduGAIN-like PKI


DF

Thank you for your attention!

Questions?

connect. communicate. collaborate the metadata service distributing trust in aai confederations...

Documents

metadata service mds

metadata trust

df role of metadata

metadata distribution

metadata specification

elements mds

mds response

mds urls publishing