
The MetaData Service Distributing trust in AAI confederations

Manuela Stanica, DFN. Outline: What is the MetaData Service (MDS)?; Role of a MetaData Service in AAI confederations; Use of the MDS in eduGAIN; The MDS URLs; Publishing and retrieving metadata; Trust and security considerations.


Presentation Transcript


  1. The MetaData Service: Distributing trust in AAI confederations
  Manuela Stanica, DFN

  2. Outline • What is the MetaData Service (MDS)? • Role of a MetaData Service in AAI confederations • Use of the MDS in eduGAIN • The MDS URLs • Publishing and retrieving metadata • Trust and security considerations • Conclusions

  3. What is the MetaData Service (MDS)?
  • eduGAIN component developed in GN2-JRA5
  • eduGAIN: the GÉANT2 AAI
  • Support dynamic establishment of trust relations between members of an AAI confederation
  • Information model conforms to the SAML v2.0 Metadata Specification
    • SAML: Security Assertion Markup Language (OASIS)

  4. Outline • What is the MetaData Service (MDS)? • Role of a MetaData Service in AAI confederations • Use of the MDS in eduGAIN • The MDS URLs • Publishing and retrieving metadata • Trust and security considerations • Conclusions

  5. AAI confederation hierarchy
  • AAI confederation → interconnecting AAI federations
  • AAI federation → participant institutions → users
    • access to external resources & services
    • unaware of participants in other federations
    • require a procedure of trust establishment between them

  6. AAI confederation hierarchy (2)

  7. Role of metadata
  • Connecting to entities in other federated AAIs – required information:
    • where (in which federation)?
    • how to reach?
    • what is supported (protocols and functionalities)?
    → metadata
  • distribution to all confederation members
    • static (pre-configured upon software installation)
    • dynamic (on request)

  8. Role of a MetaData Service in AAI confederations
  • AAI confederations
    • non-static environments!
    • frequent updates
  → means for dynamic collection & distribution of metadata: MetaData Service (MDS)

  9. Outline • What is the MetaData Service (MDS)? • Role of a MetaData Service in AAI confederations • Use of the MDS in eduGAIN • The MDS URLs • Publishing and retrieving metadata • Trust and security considerations • Conclusions

  10. Basic principles
  • Centralised storage of metadata for eduGAIN components
  • Dynamic retrieval & update
    • metadata exchange interface: eduGAINMeta
    • based on the REST architecture model
  • Distributed publishing & querying
    • among local federations – no central admin
    • multiple metadata publishers and consumers

  11. eduGAIN components

  12. Bridging Elements
  • MDS used by Bridging Elements (BEs):
    • gateways between eduGAIN and local federations
    • communication with peers (BEs) in other federations
    • query MDS for metadata about the Home BE
    • MDS response: SAML 2.0 Metadata document
    • consumers/publishers of metadata

  13. Outline • What is the MetaData Service (MDS)? • Role of a MetaData Service in AAI confederations • Use of the MDS in eduGAIN • The MDS URLs • Publishing and retrieving metadata • Trust and security considerations • Conclusions

  14. URL structure
  • Syntax of REST URL mapping: MDS base URL[/federation ID][/entity ID][?query string]
  • Combinations of:
    • MDS base URL: https://mds.geant2.net/
    • federation ID: dfn, feide, ...
    • entity ID: be1
    • query string – Home Locator(s): homeDomain=uio.no

  15. Home Locators
  • eduGAIN-specific attribute-value pairs
  • For: locating a remote BE (Home BE)
  • From:
    • hints provided by the user
    • contents of certificate extensions
  • Types:
    • Home domain (homeDomain=switch.ch)
    • URN (urn=urn:geant:edugain:component:be:switch:be1)

  16. Outline • What is the MetaData Service (MDS)? • Role of a MetaData Service in AAI confederations • Use of the MDS in eduGAIN • The MDS URLs • Publishing and retrieving metadata • Trust and security considerations • Conclusions

  17. Publishing / updating
  • Who: metadata publishers
    • Federation Peering Point (FPP)
    • authorized Bridging Elements (BEs)
  • What: SAML 2.0 Metadata documents
    • EntityDescriptor root (→ one BE)
    • EntitiesDescriptor root (→ several BEs)
  • How: HTTP POST/PUT

  18. Publishing / updating (2)
  • For a whole federation:
    • only by the FPP
    • EntitiesDescriptor
    • URL syntax: <MDS base URL/federation ID>, e.g. http://mds.ladok.umu.se/feide
  • For single entities:
    • by the FPP / authorized BEs
    • EntityDescriptor
    • URL syntax: <MDS base URL/federation ID/entity ID>, e.g. http://mds.ladok.umu.se/switch/be1

  19. Retrieving metadata
  • BE queries the MDS via HTTP GET
  • Metadata lookup
    • entity/federation name is known
    • <MDS base URL[/federation ID][/entity ID]>, e.g. http://mds.ladok.umu.se, http://mds.ladok.umu.se/switch, http://mds.ladok.umu.se/switch/entity1
  • Metadata search
    • entity name unknown, home locators known
    • <MDS base URL[/federation ID]?query string>, e.g. http://mds.ladok.umu.se/?homeDomain=switch.ch
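The URL mapping of slides 14, 15 and 19, worked through as an added example (not code from the presentation or from eduGAIN): it splits an MDS URL into federation ID, entity ID and home locators, classifies it as a lookup or a search, and rebuilds it. The base URL and the IDs are the slides' own examples; the rejection rules (at most two path segments, only the two home locator types, no entity ID on a search) are read off the slides.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Base URL as given on slide 14; the two home locator types come from slide 15.
MDS_BASE_URL = "https://mds.geant2.net/"
HOME_LOCATOR_TYPES = {"homeDomain", "urn"}


@dataclass
class MdsRequest:
    """The optional parts of an eduGAINMeta REST URL."""
    federation_id: Optional[str] = None
    entity_id: Optional[str] = None
    home_locators: Dict[str, List[str]] = field(default_factory=dict)

    @property
    def kind(self) -> str:
        # Slide 19: a search when only home locators are known, else a direct lookup.
        return "search" if self.home_locators else "lookup"


def parse_mds_url(url: str, base_url: str = MDS_BASE_URL) -> MdsRequest:
    """Split an MDS URL into federation ID, entity ID and home locators,
    rejecting shapes that the mapping on slide 14 does not allow."""
    base, parts = urlsplit(base_url), urlsplit(url)
    base_path = base.path.rstrip("/")
    if (parts.scheme, parts.netloc) != (base.scheme, base.netloc) or not parts.path.startswith(base_path):
        raise ValueError(f"not an MDS URL: {url}")
    segments = [s for s in parts.path[len(base_path):].split("/") if s]
    if len(segments) > 2:
        raise ValueError("only a federation ID and an entity ID may follow the base URL")
    locators = parse_qs(parts.query)
    unknown = set(locators) - HOME_LOCATOR_TYPES
    if unknown:
        raise ValueError(f"unknown home locator type(s): {sorted(unknown)}")
    if len(segments) == 2 and locators:
        raise ValueError("a search URL carries no entity ID (slide 19)")
    return MdsRequest(
        federation_id=segments[0] if segments else None,
        entity_id=segments[1] if len(segments) == 2 else None,
        home_locators=locators,
    )


def build_mds_url(req: MdsRequest, base_url: str = MDS_BASE_URL) -> str:
    """Inverse of parse_mds_url: the URL a BE would GET for this lookup or search."""
    path = "/".join(s for s in (req.federation_id, req.entity_id) if s)
    query = urlencode(req.home_locators, doseq=True)
    return base_url.rstrip("/") + "/" + path + (f"?{query}" if query else "")
```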

  20. Outline • What is the MetaData Service (MDS)? • Role of a MetaData Service in AAI confederations • Use of the MDS in eduGAIN • The MDS URLs • Publishing and retrieving metadata • Trust and security considerations • Conclusions

  21. Trust establishment
  • Elements of trust establishment in eduGAIN:
    • MDS
    • eduGAIN PKI
    • Component identifiers (CIDs)
  • MDS trust tightly bound to the eduGAIN PKI → minimal trust in the service itself
  • Transitive trust

  22. Security checks
  • MDS validations:
    • publisher's X.509 certificate
    • publishing rights
  • Publishers' signatures forwarded with the metadata → validation by consumers
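The "publishing rights" check of slide 22, as an added example that is not code from the presentation or from the eduGAIN MDS: given the publisher identity the MDS derived from the X.509 certificate, the target URL path and the posted SAML 2.0 Metadata document, it applies the rules of slides 17 and 18 (EntitiesDescriptor for a whole federation, FPP only; EntityDescriptor for a single entity, FPP or an authorized BE). The `Publisher` type, the restriction of a BE to its own entity and the assumption that a BE's SAML entityID is its component URN from slide 15 are mine; the sample documents are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"  # SAML 2.0 Metadata namespace


@dataclass(frozen=True)
class Publisher:
    """What the MDS learned about the publisher from its X.509 certificate (slide 22)."""
    federation_id: str
    role: str  # "FPP" or "BE"
    entity_id: Optional[str] = None  # the BE's own entity ID; None for an FPP


def component_urn(federation_id: str, entity_id: str) -> str:
    # Assumption: a BE's SAML entityID is its eduGAIN component URN (pattern of slide 15).
    return f"urn:geant:edugain:component:be:{federation_id}:{entity_id}"


def check_publish(pub: Publisher, federation_id: str, entity_id: Optional[str], document: str) -> str:
    """Decide whether an HTTP POST/PUT to <base>/<federation_id>[/<entity_id>]
    carrying `document` is allowed; returns "accept" or a refusal reason."""
    root = ET.fromstring(document)
    # Slide 17: one BE -> EntityDescriptor root, whole federation -> EntitiesDescriptor root.
    expected = "EntityDescriptor" if entity_id else "EntitiesDescriptor"
    if root.tag != f"{{{SAML_MD}}}{expected}":
        return f"refused: URL requires {expected}, document root is {root.tag}"
    if pub.federation_id != federation_id:
        return "refused: publisher is not a member of this federation"
    # Slide 18: the whole federation may be published only by the FPP.
    if entity_id is None and pub.role != "FPP":
        return "refused: only the FPP may publish a whole federation"
    if entity_id is not None:
        # Slide 18: single entities by the FPP or an authorized BE; here a BE only for itself.
        if pub.role == "BE" and pub.entity_id != entity_id:
            return "refused: a BE may publish only its own EntityDescriptor"
        if root.get("entityID") != component_urn(federation_id, entity_id):
            return "refused: entityID does not match the entity named in the URL"
    return "accept"


# Constructed sample documents (not from the slides) for the entity switch/be1.
ENTITY_DOC = f'<md:EntityDescriptor xmlns:md="{SAML_MD}" entityID="{component_urn("switch", "be1")}"/>'
ENTITIES_DOC = f'<md:EntitiesDescriptor xmlns:md="{SAML_MD}" Name="switch">{ENTITY_DOC}</md:EntitiesDescriptor>'
```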

  23. Outline • What is the MetaData Service (MDS)? • Role of a MetaData Service in AAI confederations • Use of the MDS in eduGAIN • The MDS URLs • Publishing and retrieving metadata • Trust and security considerations • Conclusions

  24. Conclusions
  • MDS: dynamic metadata distribution in AAI confederations
  • Centralised storage, distributed trust
  • Employs standard SAML 2.0 Metadata
  • Possible use in any SAML-based infrastructure
  • Deployment together with an eduGAIN-like PKI

  25. Thank you for your attention! Questions?
