Trust Router Workshop, 15th October 2014. Introduction to the Day: Moonshot Workshop.


Transcript of Trust Router Workshop, 15th October 2014. Introduction to the Day: Moonshot Workshop.

Page 1: Trust Router Workshop, 15th October 2014

Page 2: Introduction to the Day, Moonshot Workshop

Page 3: Agenda

10:00 – 10:10 Intro to the morning
10:00 – 12:30 Trust Router & Peering (11:00 Break)
12:30 – 13:30 Lunch
13:30 – 13:40 Summary
13:40 – 15:45 Set up a Trust Router! (15:00 break)
15:45 – 16:00 Summary

Page 4: Moonshot & Communities

• A quick reminder… What are communities?

Page 5: Communities and Policy

[Diagram: an Authentication Policy Community (Community of Registration) containing Community A, Community B and Community C]

Organisation validation to APC’s defined standards

Policy coming from community requirements. Could include:
• Registration LoA
• AuthN LoA
• Operational Practices
• User behaviour
• Attribute release (RADIUS & SAML)
• Etc.

Page 6: Moonshot & Communities

• Communities will consist of a subset of the entities connected to a particular APC.

Page 7: Whole Trust Network

Page 8: Community A

Page 9: Community B

Page 10: Community C

Page 11: Trust Router

Page 12: Trust Router

[Diagram: messages between the requesting party, the Trust Router (TR) and the IdP]
"Hey TR, do you know bob.com?"
"Yeah, he’s over there! P.S. I’ve done some DH magic. kthxbye"
"Hi IdP, I’ve got someone claiming to be one of your users."

Page 13: Trust Router

Page 14: [no text extracted from this slide]

Page 15:

[Diagram: a lookup forwarded along default peers]
"Hey TR1, do you know bob.com?"
"Hmm, I don’t. TR2 is my default peer, I’ll ask it…"
"Hey TR2, do you know bob.com?"
"Hmm, I don’t. TR3 is my default peer, I’ll ask it…"
"Hey TR3, do you know bob.com?"
"He’s over there. P.S. DH magic." (appears three times on the slide, once per hop on the way back)
"Yeah, he’s over there! P.S. I’ve done some DH magic."

Page 16:

"Hi IdP, I’ve got someone claiming to be one of your users."

Page 17: Routing between Trust Routers

• Eventually will have routing tables across the whole network

• For now, default peers can be configured.

Page 18: Trust Router Peering

• Peering Policy
• APCs

Page 19: Current Trust Network

[Diagram of the current trust network, nodes:]
@dev.ja.net
tr1.moonshot.ja.net
ms-tr.cf.ac.uk
ms-rp-ssh.cf.ac.uk

Page 20: By End of Today

[Diagram of the target trust network, nodes:]
@dev.ja.net
tr1.moonshot.ja.net
ms-tr.cf.ac.uk
ms-rp-ssh.cf.ac.uk
Your TR
Your Test RP

Page 21: By End of Today

[Repeat of the previous slide’s diagram.]

Page 22: By End of Today

[Repeat of the previous slide’s diagram, with three further "Your TR" / "Your Test RP" pairs added to the network.]

Page 23: Setting up a Trust Router is easy!

In the world of Moonshot, a Trust Router is just a resource provider.

The resource it’s providing is trust.

Like any RP, the TR needs to query an Identity Provider to authenticate users…

Page 24: TR’s own IdP

The IdP used by a TR is just an ordinary moonshot IdP, with the identity realm ‘apc.moonshot.ja.net’ - this is the IdP representing the Authentication Policy Community.

It keeps a list of credentials used by IdPs and RPs - the XML files that you’ve used to add your own IdPs and RPs to Janet’s TR.

For this workshop this step will be skipped, as you’ve probably set up at least one IdP by now.

Page 25: Process

1. Register your RP and TR in the portal as new RPs
   – If you don’t have access to the portal, ask for assistance
2. Configure and deploy your TR
   – See next slide and readme files
3. Test!
4. Configure and deploy your RP
5. Test!
6. Bonus: Reconfigure your IdP to talk to your TR

Page 26: Deploying a Trust Router

• RHEL/CentOS:
  – TR: https://wiki.moonshot.ja.net/x/hIQy
  – RP: https://wiki.moonshot.ja.net/x/vAEp
• Debian:
  – TR: https://wiki.moonshot.ja.net/x/goQy
  – RP: https://wiki.moonshot.ja.net/x/ugEp
• Sample configurations and key material are available at:
  – https://portal.moonshot.ja.net/keys/
  – U: octoberws
  – P: homemade-push-whistle

Page 27: peering.cfg

{
  "default_servers": [ "tr1.moonshot.ja.net" ]
}
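The default-peer forwarding shown on the TR1/TR2/TR3 slide and configured through default_servers above, as an added example that is not part of the workshop material: a small Python simulation of a realm lookup being passed along default peers, with a hop limit so that a misconfigured peer loop (two TRs naming each other as default peer) terminates instead of recursing until the stack is exhausted. The TR names, realms and hop limit are constructed assumptions.

```python
# Added example (not from the workshop slides or the Moonshot code): how a
# realm lookup is forwarded along default peers when no routing tables exist.
# Topology, realm names and the hop limit are constructed for illustration.


class TrustRouter:
    def __init__(self, name, known_realms, default_peer=None):
        self.name = name
        self.known_realms = set(known_realms)   # realms this TR can answer for
        self.default_peer = default_peer        # where unknown realms are forwarded

    def lookup(self, realm, max_hops=8, _path=None):
        """Return (answering TR name, path taken) or (None, path) if nobody knows the realm.

        The hop limit is the guard that the slide's "ask my default peer" rule
        lacks: with only default peers configured, TR1 -> TR2 -> TR1 would
        otherwise forward the same question forever.
        """
        path = list(_path or []) + [self.name]
        if realm in self.known_realms:
            return self.name, path
        if self.default_peer is None or len(path) >= max_hops:
            return None, path
        return self.default_peer.lookup(realm, max_hops, path)


def build_chain():
    # Constructed topology matching the slide: only TR3 knows bob.com.
    tr3 = TrustRouter("TR3", {"bob.com"})
    tr2 = TrustRouter("TR2", {"alice.example"}, default_peer=tr3)
    tr1 = TrustRouter("TR1", {"carol.example"}, default_peer=tr2)
    return tr1, tr2, tr3


def build_loop():
    # Constructed misconfiguration: two TRs pointing at each other as default peer.
    a = TrustRouter("A", {"a.example"})
    b = TrustRouter("B", {"b.example"}, default_peer=a)
    a.default_peer = b
    return a


if __name__ == "__main__":
    tr1, _, _ = build_chain()
    print(tr1.lookup("bob.com"))            # answered by TR3 via TR1 -> TR2 -> TR3
    print(build_loop().lookup("x.example", max_hops=4))  # stops after 4 hops
```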

Page 28: Trusts.cfg

• communities:
  – APC, followed by all CoIs
• Each has a list of idp_realms and rp_realms
• idp_realms:
  – Details of each idp_realm (hostname, apc, shared config)
• rp_realms:
  – Details of each rp_realm (domain & realm constraints, filters, gss names)
• gss_names:
  – gss name for your trust router

Page 29:

• Domain constraints:
  – What acceptor hostnames are legal
  – (these hosts can claim to be in that realm)
  – Constrain gss acceptor hostname
• Realm constraints:
  – Constrain gss acceptor realm names
• Filters:
  – RP permitted filters
  – Future: more
  – Constraints
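An added illustration of the domain and realm constraints that the rp_realms entries on the two slides above carry (not the project's code; the RP_REALM structure is a constructed stand-in, not the real trusts.cfg schema): a check that a GSS acceptor's hostname and claimed realm both fall within the permitted patterns. The cf.ac.uk patterns and the rejected inputs are constructed.

```python
# Added example, not the Trust Router's own code: applying domain and realm
# constraints to a GSS acceptor name. RP_REALM is a constructed stand-in for
# an rp_realm entry and does not reproduce the real trusts.cfg schema.
from fnmatch import fnmatchcase

# Constructed rp_realm entry: hosts under cf.ac.uk may act as acceptors,
# and they may only claim the acceptor realm cf.ac.uk.
RP_REALM = {
    "realm": "cf.ac.uk",
    "domain_constraints": ["ms-rp-ssh.cf.ac.uk", "*.cf.ac.uk"],
    "realm_constraints": ["cf.ac.uk"],
}


def normalise(name):
    # DNS names are case-insensitive and may carry a trailing dot; compare a canonical form.
    return name.strip().rstrip(".").lower()


def matches_any(name, patterns):
    # Shell-style patterns ('*' wildcard), both sides normalised before comparison.
    return any(fnmatchcase(name, normalise(p)) for p in patterns)


def acceptor_allowed(acceptor_host, acceptor_realm, rp_realm=RP_REALM):
    """Return (allowed, reason) for an acceptor presenting itself as host@realm.

    Both checks must pass: a host outside the domain constraints cannot claim
    to be in the realm, and an in-scope host still cannot claim a realm that
    the realm constraints do not permit.
    """
    host = normalise(acceptor_host)
    realm = normalise(acceptor_realm)
    if not matches_any(host, rp_realm["domain_constraints"]):
        return False, "acceptor host %r is outside the domain constraints" % host
    if not matches_any(realm, rp_realm["realm_constraints"]):
        return False, "acceptor realm %r is outside the realm constraints" % realm
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: a legitimate acceptor, a host that merely contains the
    # permitted suffix as a prefix, and an in-scope host claiming the wrong realm.
    for host, realm in [("ms-rp-ssh.cf.ac.uk", "cf.ac.uk"),
                        ("ms-rp-ssh.cf.ac.uk.elsewhere.example", "cf.ac.uk"),
                        ("ms-rp-ssh.cf.ac.uk", "ja.net")]:
        print(host, realm, acceptor_allowed(host, realm))
```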

Page 30: THANK YOU

Janet, Lumen House

Library Avenue, Harwell Oxford

Didcot, Oxfordshire

t: +44 (0) 1235 822200

f: +44 (0) 1235 822399

e: [email protected]