SURFfederatie & SURFconext
Federated identity system for scientific collaborations
9-10 June 2011, CERN
Remco Poortinga – van Wijnen*, SURFnet, remco.poortinga@surfnet.nl
*with input from a lot of others
SURFnet. We make innovation work
Overview
- SURFfederatie
  - In 3 slides
- SURFconext
  - Background
  - Features
  - Architecture
  - Services
  - TBD/Future development
Federation Models
- 1-1
  - Business: SAML 1.x
  - de-facto
- NxN (‘distributed’)
  - Shared trust, pt2pt
  - Education US/Europe
  - Shibboleth
- 2xN (‘hub-and-spoke’)
  - Central gateway (CFC)
  - Protocol translation
  - Attribute filtering & enrichment
  - Easier configuration for IdPs
[Diagram: IdP–SP pairs for the 1-1 and NxN models; in the 2xN model every IdP and SP connects through the CFC]
SURFfederatie Functional View
[Diagram: Identity Providers (credentials) ↔ Central Federation Components (SURFfederatie CORE) ↔ Service Providers (applications); protocols bridged by the core: A-Select Cross, Shibboleth, SAML 2.0, WS-Fed / ADFS]
Some numbers
- IdPs (79)
  - 36 SAML 2.0
  - 22 (30*) WS-Federation (ADFS)
    - (* 8 proxied)
  - 13 A-Select
- SPs (55+)
  - Google apps, foodle, live@edu, CLARIN (7), several publishers, libraries, webshops, SURFconext, …
- ≈ 700k users
- (Technically) connected to eduGAIN
SURFconext: some background
- Goal of SURFnet is to enable collaboration
  - Across (institutional) borders
- Used to be done by SURFgroepen service
  - Sharepoint
  - User defined groups/spaces
- But:
  - Monolithic
  - No domestication (then)
  - Single (specific) service, no choice
  - No way to extend groups to other services
    - (exception: AdobeConnect)
SURFconext
- Allow users from different institutions to work together using their own preferred combination of tools
  - Using groups across services
  - Using SURFfederatie (trust, identities, attributes)
SURFconext platform features
- IdP and SP (SAML 2.0) proxy
- Group Relation Provider(s)
- IdP and SP and OAuth registry
- OpenSocial ‘Gadgets’ for GUI handling
- OpenSocial ‘Social Data’ API
- VO Registry
- VO IdP
- Uses OSS components where possible
  - Apache Shindig – OpenSocial Container
  - Apache Rave (incubator) – OpenSocial Portal
  - Corto – IdP/SP proxy
  - Janus – (SP/IdP Metadata) registry
- Is Open Source itself – http://www.openconext.org
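Added example, not code from these slides nor from Corto or Janus: a small Python model of what the hub-and-spoke gateway described under "Federation Models" (central gateway, protocol translation, attribute filtering & enrichment) and the IdP/SP proxy plus SP registry listed among the platform features do with an inbound assertion. The hub records the SP's protocol from its registry entry, adds group memberships from a group provider, releases only the attributes the registry allows for that SP, and refuses unregistered SPs. All entity IDs, attribute names, policies, groups and users are constructed.

```python
from dataclasses import dataclass

# Constructed entity id of the gateway; it becomes the issuer the SP sees.
HUB_ENTITY_ID = "https://hub.example.org/cfc"

# Constructed SP registry: per SP, the protocol it speaks and the
# attributes the hub may release to it. A real hub keeps this in its
# metadata registry; nothing not listed here is ever released.
SP_REGISTRY = {
    "https://wiki.example.org/sp": {
        "protocol": "saml2",
        "release": {"uid", "mail", "displayName", "isMemberOf"},
    },
    "https://shop.example.org/sp": {
        "protocol": "ws-federation",
        "release": {"mail"},
    },
}

# Constructed group provider lookup: subject -> group memberships that
# the hub adds to the assertion before release (attribute enrichment).
GROUP_PROVIDER = {
    "alice@university-a.example": ["urn:collab:group:vo-physics:members"],
}


@dataclass(frozen=True)
class Assertion:
    """Attributes as received from an IdP, in whatever protocol it speaks."""
    issuer: str
    protocol: str
    subject: str
    attributes: dict


class UnknownServiceProvider(Exception):
    """Raised when the SP is not registered with the hub: nothing is released."""


def enrich(assertion):
    """Add group memberships from the group provider (empty list if none)."""
    attrs = dict(assertion.attributes)
    attrs["isMemberOf"] = list(GROUP_PROVIDER.get(assertion.subject, []))
    return attrs


def filter_for_sp(attrs, sp_entity_id):
    """Keep only allow-listed attributes; report what was withheld so it can be logged."""
    allowed = SP_REGISTRY[sp_entity_id]["release"]
    released = {k: v for k, v in attrs.items() if k in allowed}
    dropped = sorted(set(attrs) - allowed)
    return released, dropped


def gateway_release(assertion, sp_entity_id):
    """Translate, enrich and filter an inbound assertion for one SP."""
    if sp_entity_id not in SP_REGISTRY:
        raise UnknownServiceProvider(sp_entity_id)
    enriched = enrich(assertion)
    released, dropped = filter_for_sp(enriched, sp_entity_id)
    return {
        "issuer": HUB_ENTITY_ID,
        "original_issuer": assertion.issuer,
        "inbound_protocol": assertion.protocol,
        "outbound_protocol": SP_REGISTRY[sp_entity_id]["protocol"],
        "subject": assertion.subject,
        "attributes": released,
        "dropped": dropped,
    }


if __name__ == "__main__":
    # Constructed inbound assertion from a SAML 2.0 IdP.
    inbound = Assertion(
        issuer="https://idp.university-a.example",
        protocol="saml2",
        subject="alice@university-a.example",
        attributes={
            "uid": "alice",
            "mail": "alice@university-a.example",
            "displayName": "Alice",
            "employeeNumber": "12345",
        },
    )
    for sp in SP_REGISTRY:
        print(sp, gateway_release(inbound, sp))
```

The `dropped` list is the part a practitioner wants to keep an eye on: it is what the hub should write to its audit log, so that an SP quietly asking for more than its registry entry allows shows up as a stream of withheld attributes rather than silently succeeding.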
SURFconext architecture
SURFconext services
- Confluence
- Alfresco
- Liferay
- WebEx
- BigBlueButton
- Sympa
- Lobber
- …
https://wiki.surfnetlabs.nl/display/domestication/Overview
What’s missing/TBD?
- Group Management across boundaries
  - NREN and/or VO-platform boundary
  - On the agenda of GN3-JRA3-T2
- Production ready VO support
  - Group Management in context of a VO
  - virtualIDP for services supporting only a single IdP endpoint (Google apps etc)
- Roles and Rights
  - Roles in group management ≠ roles in services
- Service usage (licenses for guest users)
Questions?
- http://www.surffederatie.nl
- http://www.surfconext.nl
- http://www.openconext.org
Backup slides
OpenSocial - overview
[Diagram: Apps, Virtual Organization, Consumers and ‘Social Network’]
- https://portal.surfconext.nl → http://wiki.apache.org/incubator/RaveProposal
- https://os.surfconext.nl → http://shindig.apache.org/
- https://engine.surfconext.nl → http://code.google.com/p/corto/
- https://serviceregistry.surfconext.nl → http://code.google.com/p/janus-ssp/
- (SURFteams) https://www.surfteams.nl → http://www.internet2.edu/grouper/
SURFconext & eduGAIN
[Diagram: SURFconext/Corto at the centre, with VOs, Groups and Services on one side; SURFfederatie IdPs and SPs, a Guest IdP, and eduGAIN IdPs and SPs connected to it on the other]