surffederatie - edugain opt-in metadata management for a hub & spoke federation
SURFfederatie - eduGAIN: Opt-in Metadata Management for a Hub & Spoke Federation
SURFnet - We make innovation work
Content
- History of SURFfederatie
- Federation models
- Functional view
- Consequences of hub & spoke
- eduGAIN
- Future changes
Once upon a time…
- 1996: Student Chip card: authentication
- 2001: A-Select: intra-organisational web-SSO
- 2004: DigiD: government eID based on A-Select
- 2006: Federative AAI, A-Select (open source)
- 2007: FIdM service (gateway) in production
- 2008: Elsevier, EBSCO, Google Apps
Federation models (communication/login, not metadata)
- 1-1: business, US; SAML 1.x; de facto
- NxN: shared trust, point-to-point; education, US/Europe
- 2xN: central gateway (CFC), protocol translation; SURFfederatie
[Diagram: the three topologies drawn as IDP-SP pairs, as an IDP/SP mesh, and as IDPs and SPs joined through the CFC; legend: CFC, IDP, SP]
Functional view (since August 2008)
[Diagram: Identity Providers (speaking A-Select Cross, Shibboleth, SAML 2.0 or WS-Fed/ADFS) and Service Providers (speaking A-Select Cross, SAML 2.0 or WS-Fed/ADFS) each connect to the Central Federation Components, the SURFfederatie CORE, which sits between the credentials side (IdPs) and the applications side (SPs)]
Metadata & proxying
[Diagram: IDP1..IDP3 and SP1..SP3 each connect only to the hub (WAYF/proxy); towards the SPs the hub presents the IdPs as B-1..B-3, towards the IdPs it presents the SPs as A-1..A-3]
IDP1=B-1
IDP2=B-2
IDP3=B-3
SP1=A-1 {IDP1, IDP2}
SP2=A-2 {IDP2, IDP3}
SP3=A-3 {all}
WAYF/WAYF-less operation
[Diagram: the same IDP1..IDP3 / SP1..SP3 hub topology; an SP either sends the user to the hub's WAYF to pick an IdP, or names the IdP itself (WAYF-less)]
hub & spoke pros/cons
Pros
- 1 connection for IDP/SP
- Minimal overhead for IDPs
- Centralized (technical) management
- Specialist knowledge @ SN (SURFnet): less needed at IDP/SP
- Scales well at national level
- Extra features easier to do: web services, group support
Cons
- Procedures: release consent per SP; key/cert/metadata changes
- Lack of knowledge @ IDP: double-edged sword…
- Scalability at European level
- Can only support common denominator
Importing eduGAIN SPs
[Diagram: hub topology as before; eduGAIN SPs (SPx, SPy, SPz) are imported, and SPz is given the proxy identity A-z towards the hub's IdPs]
SURFfederatie side:
IDP1=B-1
IDP2=B-2
IDP3=B-3
SP1=A-1 {IDP1, IDP2}
SP2=A-2 {IDP2, IDP3}
SP3=A-3 {all}
SPz=A-z {IDP2, IDP3}
eduGAIN side:
SPx=ddd
SPy=eee
SPz=fff
Exporting IDPs
[Diagram: as on the previous slide; IDP3 is now also published in eduGAIN under its hub identity B-3]
SURFfederatie side:
IDP1=B-1
IDP2=B-2
IDP3=B-3
SP1=A-1 {IDP1, IDP2}
SP2=A-2 {IDP2, IDP3}
SP3=A-3 {all}
SPz=A-z {IDP2, IDP3}
eduGAIN side:
SPx=ddd
SPy=eee
SPz=fff
IDP3=B-3
Exporting SPs to eduGAIN
[Diagram: as on the previous slide; SP3 is now also published in eduGAIN under its own entityID (SP3=SP3, not A-3), and an eduGAIN IdP IDPz appears]
SURFfederatie side:
IDP1=B-1
IDP2=B-2
IDP3=B-3
SP1=A-1 {IDP1, IDP2}
SP2=A-2 {IDP2, IDP3}
SP3=A-3 {all}
SPz=A-z {IDP2, IDP3}
eduGAIN side:
SPx=ddd
SPy=eee
SPz=fff
SP3=SP3
IDPz
SP auth list (optional)
[Diagram: as on the previous slide; SP3 now carries its own authorisation list of IdPs]
SURFfederatie side:
IDP1=B-1
IDP2=B-2
IDP3=B-3
SP1=A-1 {IDP1, IDP2}
SP2=A-2 {IDP2, IDP3}
SP3=A-3 {all}
SPz=A-z {IDP2, IDP3}
eduGAIN side:
SPx=ddd
SPy=eee
SPz=fff
SP3=SP3
IDPx
IDPy
IDPz
Per SP auth list:
SP3:
- IDP1
- IDP2
- IDPz
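The slides on metadata & proxying, importing/exporting eduGAIN entities and the optional per-SP auth list describe one mapping problem: every SP is known to the IdPs as A-n, every hub IdP is known to the SPs as B-n, the federation policy says which IdPs an SP may use, eduGAIN IdPs are only added for SPs that opted in, and an SP's own auth list can narrow that further. The Python below is an added example (not SURFfederatie code) that models those rules with the slides' own names; the class and method names, the `edugain_optin` flag and the treatment of "approved" eduGAIN IdPs are assumptions drawn from the slides and the backup notes, not from the real hub.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

ALL = "all"  # the slides' "{all}": every SURFfederatie IdP


@dataclass(frozen=True)
class Idp:
    entity_id: str
    proxy_id: Optional[str]  # B-n: what the hub shows to SPs; None for an eduGAIN IdP the hub does not proxy
    edugain: bool = False    # imported from eduGAIN (IDPz on the slides)
    export: bool = False     # published in eduGAIN under its B-n identity (slide "Exporting IDPs")


@dataclass(frozen=True)
class Sp:
    entity_id: str
    proxy_id: str                      # A-n: what the hub shows to IdPs
    allowed: frozenset[str] | str      # hub IdPs this SP may use, or ALL
    auth_list: Optional[frozenset[str]] = None  # optional per-SP auth list (slide "SP auth list")
    edugain: bool = False              # imported from eduGAIN (SPz)
    edugain_optin: bool = False        # assumption: the SP opted in, is exported as itself and may see approved eduGAIN IdPs


class Hub:
    def __init__(self, idps, sps, approved_edugain_idps):
        self.idps = {i.entity_id: i for i in idps}
        self.sps = {s.entity_id: s for s in sps}
        self.idp_by_proxy = {i.proxy_id: i.entity_id for i in idps if i.proxy_id}
        self.approved = frozenset(approved_edugain_idps)

    def wayf_choices(self, sp_id: str) -> list[str]:
        """Real entityIDs of the IdPs the hub's WAYF offers to this SP."""
        sp = self.sps[sp_id]
        home = {i for i, idp in self.idps.items() if not idp.edugain}
        if sp.allowed != ALL:
            home &= set(sp.allowed)
        choices = set(home)
        if sp.edugain_optin and not sp.edugain:   # approved eduGAIN IdPs only for our own opted-in SPs
            choices |= self.approved & set(self.idps)
        if sp.auth_list is not None:              # the SP's own list can only narrow the federation policy
            choices &= set(sp.auth_list)
        return sorted(choices)

    def route(self, sp_id: str, requested_entity_id: str) -> tuple[str, str]:
        """The SP sent its AuthnRequest to the B-n it picked (via the WAYF or a WAYF-less hint).
        Returns (real IdP, A-n the hub uses towards it); refuses anything not on the SP's list."""
        idp_id = self.idp_by_proxy.get(requested_entity_id)
        if idp_id is None:
            raise LookupError(f"{requested_entity_id} is not an IdP proxied by the hub")
        if idp_id not in self.wayf_choices(sp_id):
            raise PermissionError(f"{sp_id} is not authorised for {idp_id}")
        return idp_id, self.sps[sp_id].proxy_id

    def sp_metadata(self, sp_id: str) -> list[str]:
        """IdP entityIDs for SP-specific metadata (backup slide): B-n for hub IdPs,
        the real entityID for approved eduGAIN IdPs, which the SP talks to directly."""
        return sorted(self.idps[i].proxy_id or i for i in self.wayf_choices(sp_id))

    def edugain_export(self) -> dict[str, dict[str, str]]:
        """What the hub publishes into eduGAIN: IdPs as B-n, opted-in SPs as themselves."""
        return {
            "idps": {i: idp.proxy_id for i, idp in self.idps.items() if idp.export and idp.proxy_id},
            "sps": {s: s for s, sp in self.sps.items() if sp.edugain_optin},
        }


def slides_example() -> Hub:
    """The configuration drawn on the slides (constructed from them, not real metadata)."""
    idps = [Idp("IDP1", "B-1"), Idp("IDP2", "B-2"), Idp("IDP3", "B-3", export=True),
            Idp("IDPz", None, edugain=True)]
    sps = [Sp("SP1", "A-1", frozenset({"IDP1", "IDP2"})),
           Sp("SP2", "A-2", frozenset({"IDP2", "IDP3"})),
           Sp("SP3", "A-3", ALL, auth_list=frozenset({"IDP1", "IDP2", "IDPz"}), edugain_optin=True),
           Sp("SPz", "A-z", frozenset({"IDP2", "IDP3"}), edugain=True)]
    return Hub(idps, sps, approved_edugain_idps={"IDPz"})


if __name__ == "__main__":
    hub = slides_example()
    for sp in hub.sps:
        print(sp, "WAYF:", hub.wayf_choices(sp), "metadata:", hub.sp_metadata(sp))
    print(hub.route("SP1", "B-1"))
    print(hub.edugain_export())
```

The security-relevant line is the check in `route()`: the hub must re-verify the SP-to-IdP pairing on every request it proxies, whatever the WAYF showed, because a WAYF-less SP names the IdP itself and could name one it is not entitled to.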
Future plans
- Integrate with SURFconext: procedural/organisational; technical (level of integration TBD)
- Change of consent model: opt-in to opt-out; addition of user consent
- Web service support: needed for (scientific) workflows
- Rich client/beyond web SSO/mobile support
- Rethink procedures/management
Remco Poortinga – van [email protected]@surfnet.nl
www.surfnet.nl
Presentation released under Creative Commons: http://creativecommons.org/licenses/by/3.0/
Backup slides
(C) 2011 SURFnet B.V.
URLs
An SP that wants to join must speak SAML itself (because for this we are not a proxy, as we normally are).
https://wayf.surfnet.nl/federate/surfnet/edugain
2 IDPs: SN & TERENA; 1 SP: TERENA
(The MDS also shows: the TERENA IDP goes via the gateway with a URL-encoded IdP selection instead of SAML scoping (as the WAYF does) -> not everyone implements that, so for interoperability we do it this way.)
It is also possible to generate SP-specific metadata (per SP from our federation) for SPs that do not want to maintain an auth list themselves. It contains the SF (SURFfederatie) IDPs + 'approved' eduGAIN IDPs.
Metadata
https://aai-viewer.switch.ch/interfederation-test/test/
We are currently not saml2int compliant (we treat attributes as NameFormat 'unspecified'; according to the spec it must be 'uri').
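The saml2int point above is easy to check mechanically: in a SAML 2.0 assertion an Attribute with no NameFormat means 'unspecified', and saml2int requires the uri format. The Python below is an added example (not SURFfederatie or eduGAIN code) that reports non-compliant attributes in an assertion and rewrites the NameFormat only where the attribute Name already is a URN; the sample assertion, its issuer URL and the attribute values are constructed for the example.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
FORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
ET.register_namespace("saml", SAML)

# Constructed sample, not a real assertion: one attribute without NameFormat, one explicitly
# 'unspecified', one already compliant, and one with a non-URI name that cannot simply be relabelled.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_example" Version="2.0" IssueInstant="2011-05-01T12:00:00Z">
  <saml:Issuer>https://hub.example.org/saml2/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="{FORMAT_UNSPECIFIED}">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="{FORMAT_URI}">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _attributes(root: ET.Element):
    return root.iter(f"{{{SAML}}}Attribute")


def non_compliant_attributes(assertion_xml: str) -> list[tuple[str, str]]:
    """(Name, effective NameFormat) of every Attribute not in the uri format.
    A missing NameFormat defaults to 'unspecified' in SAML core, so it is reported as well."""
    root = ET.fromstring(assertion_xml)
    return [(a.get("Name", ""), a.get("NameFormat", FORMAT_UNSPECIFIED))
            for a in _attributes(root)
            if a.get("NameFormat", FORMAT_UNSPECIFIED) != FORMAT_URI]


def rewrite_to_uri_format(assertion_xml: str) -> str:
    """Set NameFormat=uri on every Attribute whose Name is already a URN (urn:oid:..., urn:mace:...).
    Names that are not URIs ('mail') are left untouched: relabelling them would be wrong, they need a
    real mapping to an OID. Apply this before the hub signs the assertion; editing a signed assertion
    invalidates its signature."""
    root = ET.fromstring(assertion_xml)
    for a in _attributes(root):
        if a.get("Name", "").startswith("urn:"):
            a.set("NameFormat", FORMAT_URI)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", non_compliant_attributes(SAMPLE_ASSERTION))
    print("after: ", non_compliant_attributes(rewrite_to_uri_format(SAMPLE_ASSERTION)))
```

Run the check against assertions captured on the hub's SP side (or against the aai-viewer test SP above); anything still reported after the rewrite is an attribute whose name needs a proper OID mapping, not a format flag.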