Miroslav Milinović
University of Zagreb, University Computing Centre (SRCE)
CESSDA SAW Workshop
Zagreb, March 1-2, 2017
AAI@EduHr
Croatian Research and Education Identity Federation
Contents
• Identity federations
• AAI@EduHr
• eduGAIN
• AAI@EduHr for SPs / developers
e-infrastructure
• Network services
• Data centers
• Computing resources (servers, storage, HPC, grid, …)
• Middleware (identity federations, AAA, …)
• Data services (digital archives, repositories, …)
• Information systems and applications
Identity federation model
[Figure: an IdP and an SP joined by a trust relationship; (1) the user accesses the service at the SP, (2) the IdP authenticates the user and provides attributes, (3) the SP consumes the attributes and allows access.]
Mesh federation model
[Figure: SP 1 and SP 2 connect directly to IdP A and IdP B; a WAYF fed by the MDS lets the user choose the IdP at which to log in.]
Hub-and-spoke federation model
[Figure: SP 1 and SP 2 connect only to the hub (WAYF); the hub connects to IdP A and IdP B, and the user's login goes through the hub.]
Virtual Organisations (VOs) / Attribute Authorities (AAs)
[Figure: the user reaches the SP through its entry point, which carries an AAI component; the IdP's AAI component is backed by an LDAP directory; an AA's AAI component serves additional attribute data from its own data store.]
AAI@EduHr: Croatian R&E Identity Federation
• Autentikacijska i autorizacijska infrastruktura znanosti i (visokog) obrazovanja u RH (Authentication and Authorisation Infrastructure of Science and (Higher) Education in Croatia)
• in production since March 1, 2006
• hub-and-spoke architecture
• Policy document: Pravilnik o ustroju (Organisational Rules), ver. 1.3.1 (http://www.aaiedu.hr/docs/[email protected])
• March 1, 2017:
  • 229 IdPs
  • 603 SPs
  • 878.173 e-identities
• connected to:
  • global services: eduroam and eduGAIN
  • national e-gov service: NIAS (e-Građani)
• Web: http://www.aaiedu.hr (notice: most of the documentation is in Croatian only)
AAI@EduHr in numbers
Successful Web SSO authN:
last 30 days: 2.964.140
last 24 hours: 104.587
Successful RADIUS authN:
last 30 days: 14.013.800
last 24 hours: 603.678
(March 1, 2017)
[Chart: successful SSO authN per month, 01/15 through 11/16, on a 0 to 3,000,000 scale.]
Connections with other services
• eduroam (www.eduroam.org)
• eduGAIN (www.edugain.org)
• NIAS (e-Građani)
AAI@EduHr: Hub-and-spoke federation
[Figure: as in the hub-and-spoke model, SP 1 and SP 2 reach IdP A and IdP B only through the hub (WAYF), where the user logs in; the central services are provided by Srce.]
AAI@EduHr architecture
[Figure: the SP's entry point carries an AAI@EduHr component and talks to the central AAI@EduHr services (RADIUS proxy, FWS, MDS, login/SSO, VO/AA); the user ([email protected]) is authenticated at the home IdP, which runs AOSI-WS and a RADIUS server over an LDAP directory; the central services also connect to eduGAIN, NIAS, eduroam and social networks (OpenID, …). Protocols shown on the links: HTTPS/SAML, RADIUS and HTTPS/SOAP.]
AAI@EduHr: IdM
[Figure: an AAI@EduHr IdP exposes RADIUS, AOSI-WS and AOSI-Web interfaces over an LDAP directory.]
What is eduGAIN?
• educational Global Authentication Infrastructure
• basic components:
  • eduGAIN Policy Framework (https://technical.edugain.org/documents)
  • MDS (Metadata Distribution Service; mds.edugain.org)
eduGAIN
• in production since 2011
• 41 member federations
• www.edugain.org
• technical.edugain.org
AAI@EduHr in eduGAIN
• AAI@EduHr is an eduGAIN member
• Srce represents AAI@EduHr in eduGAIN bodies
• AAI@EduHr entities in eduGAIN:
  • all IdPs are automatically "in" eduGAIN
    • attribute release is based on the eduGAIN Attribute Profile
    • an IdP can opt out
  • all SPs are "out"
    • an SP has to opt in (ask Srce to be included)
    • an SP has to fulfil organisational and technical requirements
AAI@EduHr for SPs (Web SSO scenario)
[Figure: the SP's entry point carries an AA component that talks HTTPS/SAML 2.0 to the central AAI@EduHr services, where the user ([email protected]) logs in; the central services authenticate the user at the home IdP (AOSI-WS over an LDAP directory).]
AAI@EduHr for SPs (Developers)
• supported protocols:
  • SAML 2.0
  • RADIUS (network access, special cases of non-web-based services)
• supported platforms:
  • PHP (simpleSAMLphp)
  • Java (Spring Security SAML, …)
  • .NET (OIOSAML.NET)
  • Python / Django
  • Shibboleth compatible tools/platforms
  • any platform compatible with SAML 2.0
• testing environment: AAI@EduHr Lab
SP set-up in AAI@EduHr
• study:
  • AAI@EduHr Policy (http://www.aaiedu.hr/docs/[email protected])
  • documentation for SPs (http://www.aaiedu.hr/za-davatelje-usluga)
• register your application via the resource registry:
  • www.aaiedu.hr/aairr
  • indicate special cases: eduGAIN and/or additional login via social networks
• make the necessary adjustments in your application:
  • install missing components (e.g. SSP, SAML modules, …)
  • use AAI@EduHr LAB for testing
• the AAI@EduHr team provides support via the e-mail address [email protected]
AAI@EduHr and social networks
http://www.unizg.hr/authdemo/
How to opt in to eduGAIN with your SP?
• let Srce know:
  • we provide support / know-how
  • we publish your metadata / register your application in eduGAIN
• adjust your service policy:
  • privacy policy / CoCo (see eduGAIN documentation)
• adjust the technical components of your service:
  • attribute handling
  • discovery service (login screen / WAYF)
  • metadata handling
• verify before production
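A self-check an SP operator could run on their own SAML 2.0 metadata before asking Srce for eduGAIN inclusion, covering the checklist items above (privacy policy / CoCo, attribute handling, metadata handling) and the "make the necessary adjustments" step of the SP set-up. This is an added example, not AAI@EduHr's or eduGAIN's own tooling: the metadata, entityID and URLs are constructed placeholders, and the checks are an illustration, not Srce's actual acceptance criteria; the GÉANT Code of Conduct v1 entity-category value is the published one.

```python
# Self-check of SP SAML 2.0 metadata against an eduGAIN opt-in style checklist (added example).
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"  # GEANT CoCo v1

# Constructed SP metadata; entityID and URLs are placeholders, not a real service.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://sp.example.hr/saml"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="http://macedir.org/entity-category">
      <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:PrivacyStatementURL xml:lang="en">https://sp.example.hr/privacy</mdui:PrivacyStatementURL>
    </mdui:UIInfo></md:Extensions>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.hr/saml/acs" index="1"/>
    <md:AttributeConsumingService index="1"><md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text):
    """Return {checklist item: passed} for one SP EntityDescriptor ({} if it has no SP role)."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return {}
    categories = [v.text for v in root.findall("md:Extensions/mdattr:EntityAttributes/"
                  "saml:Attribute[@Name='%s']/saml:AttributeValue" % ENTITY_CATEGORY, NS)]
    acs = sp.findall("md:AssertionConsumerService", NS)
    return {
        "https_acs": bool(acs) and all(  # metadata handling: >= 1 ACS endpoint, all HTTPS
            a.get("Location", "").startswith("https://") for a in acs),
        "privacy_url": sp.find(  # privacy policy: an mdui:PrivacyStatementURL is published
            "md:Extensions/mdui:UIInfo/mdui:PrivacyStatementURL", NS) is not None,
        "coco_v1": COCO_V1 in categories,  # CoCo: GEANT Code of Conduct category declared
        "requested_attrs": bool(sp.findall(  # attribute handling: requested attributes listed
            "md:AttributeConsumingService/md:RequestedAttribute", NS)),
    }
```

Run `check_sp_metadata` over the metadata your SP software actually publishes; any item reported False is something to fix before the "verify before production" step.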
Discovery service examples
https://foodl.org/
http://monitor.eduroam.org/db_web
Learning opportunity
• we organize a workshop for SPs / application developers on April 4
• check http://www.srce.unizg.hr/dei/radionice
Through its open access policy, Srce makes all results of its work available to the general public, primarily the educational and professional information and content produced through Srce's activities.
This work is licensed under the Creative Commons Attribution-NonCommercial 4.0 International licence.
www.srce.unizg.hr creativecommons.org/licenses/by-nc/4.0/deed.hr www.srce.unizg.hr/otvoreni-pristup
AAI@EduHr
http://www.aaiedu.hr