Update SURFnet

Bart KerverBart.kerver@surfnet.nlTF-EMC2-meeting, Utrecht, 17 Oktober 2006

2 High-quality Internet for higher education and research

SURFnet Federation project

Main components:

– describe use-cases for Federated IdM;

– what services;

– policies;

– technology;

3 High-quality Internet for higher education and research

SURFnet’s role for IdM

• Awareness for Identity Management (IdM)– Reports on IdM

• studies on current state of IdM in HE in .NL;• Scenarios to realize (upgrade) IdM;• Federated IdM (business drivers, solutions…).

– Workshops on IdM– Workgroup for Library Access Management (‘BAM’)

• Development and support of open source product A-Select(development, organize OS, pilots, architecture, deployments)

• Stimulate deployment of A-Select (200k+ users high-ed)

4 High-quality Internet for higher education and research

Federation initiatives - .NL

Kennisnet Public libraries eduPoort SURFnet

Register users Yes, centrally No, federated Both local and federated Federated only

Authenticate users yes yes Both local and federated Federated only

Centralized attributes Yes No Both local and federated Federated only

WAYF no yes no Yes

SSO yes no yes Yes, federated

Multi federation protocol No No No Yes: A-Select and SAML

Con-federation Possibly Possibly Possibly Short term

Product A-Select A-Select ‘Proxy’ A-Select ‘Cross’ A-Select ‘Cross/SAML’

User type everyone everyone everyone Research/HE only

service provider

central components for federation

Identity provider

5 High-quality Internet for higher education and research

SURFnet Federation (2006)

Build a service “SURFnet Federatie” (SNF)

– technical implementation (based on A-Select);– define(d): policies, contracts, legal organization?…;– organize service providers (SP);– support identity providers (IdP);– Manuals and website (end-user, IdP,SP, helpdesk etc.)

6 High-quality Internet for higher education and research

SURFnet Federation (2007)

– stimulate deployment and join-in • workshops;• install fests for both IdP and SP.

– con-federate (‘confederate’: both NL and EU)– support standards (SAML, WS*,eduGAIN) – translate assertions enabling federared SSO

(SAML <> A-Select <> WSF <> eduGAIN)

– pilots/work on federated (de-)provisioning– monitoring/tracking/tracing within federation– home organization for SURFnet specific services?– Technology scouting on MW for SOA/grid-services

7 High-quality Internet for higher education and research

SURFnet Federation Policies

Start simple: low level entry• Contract for IdP part of SURFnet contract?• Contract for all SP’s standardized;• If an IdP is also SP, just one contract.

• IdPs make best efforts:– to issue credentials to members only– to ensure accuracy of assertions

• SPs agree to respect the privacy of users– don't aggregate attributes or disclose to others– report on use of federation

9 High-quality Internet for higher education and research

SURFnet Federation

10 High-quality Internet for higher education and research

users identities central federation components resources

(SAML)

SAML

11 High-quality Internet for higher education and research

Pilots with SURFnet Federation

• Pilots with 3 publishers and Elsevier SD• Booking system for VC-equipment (appl. by Switch)• Ellips project (language studies)• SURFgroepen (www.surfgroepen.nl) – MS Sharepoint

On the horizon (short term)- SURFnetdiensten (webshop);- 3TU – 3 technical universities collaborating;- VideoPortal;- Institution specific usage stats (on services);- SURFstat (network stats);

12 High-quality Internet for higher education and research

A-Select developments

• Support for SAML1.1 (OpenSAML based) used for WAYF and IdP• IdP:

– Browser/Post WebSSO profile – Browser/Artifact WebSSO profile (type 0001 & 0002)– SAML Subject Queries (Attribute, Authentication, Authorization)

• Enhanced WAYF

• IdP discovery for SP

• Anonymity of users based on WS*

• Soon start with:– WS* (ADFS) implementation– pilot with MS CardSpace– interoperability with Oracle and Novell (IdP, SP)– Looking into Liberty support

http://www.aselect.org/version/1.5/aselectchangelog.txt

13 High-quality Internet for higher education and research

SURFnet Statistics on SCS

2006 Jan Feb Mar Apr May Jun Jul Aug Sep TotalCerts accepted 0 0 4 43 75 76 67 91 68 424Certs refused 0 0 3 7 20 10 15 11 23

SCS institutes 0 0 5 22 39 45 52 58 64 64 (unique)

0

10

20

30

40

50

60

70

80

90

100

1 2 3 4 5 6 7 8 9

14 High-quality Internet for higher education and research

SURFnet Detective

Meanwhile…

SURFnet Detective has reached status/level of production-service as of May ‘06.

http://detective.surfnet.nl/