
AAF Middleware update

February 16 2012. Presented by Terry Smith, Technical Manager, and Heath Marks, Manager. Overview: the AAF Federation Registry, the National Entitlements Service, and other initiatives.


Presentation Transcript


  1. AAF Middleware update. February 16 2012. Presented by Terry Smith, Technical Manager, and Heath Marks, Manager.

  2. Overview
  • The AAF Federation Registry
  • National Entitlements Service
  • Other initiatives

  3. Federation Registry
  An extensible, open source web application that provides a central point of registration, management and reporting for identity and service providers participating in a standards-compliant SAML 2 identity federation.
  Requirements
  • Manages the federation's metadata
  • Supports the AAF business model
  Introduces the Organisation
  • 0..n IdPs and 0..n SPs
  • Admins and contacts
  • Involved in workflow
  Builds on concepts from the SWITCHaai Resource Registry.

  4. Federation Registry: Features
  • Federated application
  • Registration wizards
  • Data validation
  • Help bubbles
  • Integrated with the AAF Support tool
  • SAML 2
  • Dashboard
  • Access control
  • Reporting / compliance
  • Workflow
  • Integration

  5. Federation Registry: Behind the scenes
  • 1 man-year development effort
  • 2 major code releases to date
  • Groovy / Grails (Java) platform
  • Extensible design
  • Agile development
  • Continuous integration testing and quality control
  • Next release in Q2 2012

  6. Federation Registry: Utilisation reporting
  ARCS Data Fabric – January 2012
  • Utilisation data recorded by AAF WAYFs and reported by the Federation Registry

  7. Federation Registry: Federation integration engine
  The Federation Registry is the integration engine for AAF components, identity providers and service providers. It is central to the successful on-going operation of the Australian Access Federation.

  8. Federation Registry: More information
  • AAF Wiki: http://wiki.aaf.edu.au/federationregistry/
  • Try it, AAF Test Federation Registry: https://manager.test.aaf.edu.au/federationregistry
  • Source code, issue tracking: https://github.com/ausaccessfed/federationregistrymaster

  9. National Entitlements Service
  Provides attributes that are beyond the scope of individual organisations to manage and maintain as part of authentication (Authn).
  • A central source for entitlements
  • Delegation and assignment of entitlements
  • Self-assignment of entitlements
  • A web portal
  • A technical interface
  The solution must
  • be cost effective
  • have delivery aligned to Super Science initiatives

  10. National Entitlements Service: Why NES
  • In support of Australian Super Science initiatives such as
    • Research Data Storage Infrastructure (RDSI)
    • National eResearch Collaboration Tools and Resources (NeCTAR)
  • Improved authorisation (Authz)
  • The user's home institution cannot easily provide the information
    • Not authoritative
    • Does not want the additional overhead

  11. National Entitlements Service: The feasibility study (in peer review)
  • Define the problem
  • Analyse existing open source and commercial offerings
  • Review international federation (SAML) practices
  • Identify options to move forward
  What interest is there in making the study public?

  12. National Entitlements Service: The options
  • Do nothing
  • Purchase and integration of a vendor or open source solution
  • Development of a custom solution by a software development partner
  • Development of a custom solution by the AAF

  13. National Entitlements Service: What it will look like
  A nationally operated attribute authority with a group management component and a user interface providing
  • delegated access
  • approval workflows
  • user registration
  An extension to the Federation Registry.

  14. National Entitlements Service: Timeframes
  • Deliver in 2012, aligning with Super Science initiatives
  • Rolled out progressively, in 3 or 4 releases
  • Agile development, collaborating with users

  15. Other initiatives
  A number of other initiatives are on the AAF drawing board:
  • Cloud IdP, a fully managed service for our subscribers
  • Automated monitoring service
  • Improved data collection and reporting of utilisation
  • New discovery service

  16. Other initiatives: Cloud IdP
  A fully managed identity provider service for our subscribers
  • New AAF VHO
  • Partially hosted, for organisations with an identity store
  • Fully hosted
  Not currently resourced.

  17. Other initiatives: Automated monitoring service
  ICINGA open source monitoring (a NAGIOS variant)
  • Federated authentication
  • Simple dashboard showing the overall health of the federation
  • Reporting and alerting to subscribers
  Basic monitors (March 2012)
  • Ping
  • Time synchronisation
  • SSL certificate expiry
  • Shibboleth status (basic and advanced)
  • Basic port security check
  Advanced monitor (June 2012)
  • End-to-end (RedIRIS monitoring tool)
  Integrated with the Federation Registry
  • Hosts and services to monitor
  • Host and service groups
  • Contacts: the people involved in the notification process
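Two of the basic monitors above, certificate expiry and the port security check, written as an Icinga-style check plugin. This is an added example, not code from the AAF or from the presentation; it follows the Nagios plugin exit-code convention that Icinga inherits (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). The host name idp.example.edu, the expected port set {443, 8443} and the 30/7-day thresholds are assumptions, not values from the slides.

```python
"""Icinga/Nagios-style basic monitors for a federation host.

Added example, not AAF code. Exit codes follow the Nagios plugin convention
(0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) with a "STATUS - message" line.
Host name, expected ports and thresholds are assumptions.
"""
import calendar
import socket
import ssl
import sys
import time

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATUS_NAME = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

# Ports an IdP host is assumed to expose: HTTPS and the Shibboleth IdP 2.x
# back-channel port. Anything else listening is treated as a finding.
EXPECTED_OPEN_PORTS = {443, 8443}
PROBE_PORTS = [22, 80, 443, 8080, 8443]


def utc_seconds(year, month, day, hour=0, minute=0, second=0):
    """Epoch seconds for a UTC timestamp, so checks do not depend on local time."""
    return calendar.timegm((year, month, day, hour, minute, second))


def check_cert_expiry(not_after, now, warn_days=30, crit_days=7):
    """Classify a certificate's notAfter string (the format returned by
    ssl.SSLSocket.getpeercert(), e.g. 'Feb 16 00:00:00 2013 GMT') against
    'now' in epoch seconds. Returns (exit_code, message)."""
    days_left = (ssl.cert_time_to_seconds(not_after) - now) / 86400.0
    if days_left < 0:
        return CRITICAL, "certificate expired %.1f days ago" % -days_left
    if days_left <= crit_days:
        return CRITICAL, "certificate expires in %.1f days" % days_left
    if days_left <= warn_days:
        return WARNING, "certificate expires in %.1f days" % days_left
    return OK, "certificate valid for %.1f more days" % days_left


def fetch_not_after(host, port=443, timeout=5.0):
    """Read notAfter from the live server certificate (needs network)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_ports(observed_open, expected_open):
    """Basic port security check: a listener outside the expected set is
    CRITICAL; an expected port that is not listening is WARNING."""
    unexpected = sorted(set(observed_open) - set(expected_open))
    missing = sorted(set(expected_open) - set(observed_open))
    if unexpected:
        return CRITICAL, "unexpected open ports: %s" % unexpected
    if missing:
        return WARNING, "expected ports not listening: %s" % missing
    return OK, "only expected ports open: %s" % sorted(expected_open)


def scan_ports(host, ports, timeout=1.0):
    """Return the ports that accept a TCP connection (needs network)."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass
    return open_ports


def worst(results):
    """Roll several (code, message) results into one the way a host summary
    does: the most severe code wins and the messages are joined."""
    code = max(code for code, _ in results)
    return code, "; ".join(msg for _, msg in results)


def main(argv):
    host = argv[1] if len(argv) > 1 else "idp.example.edu"  # assumed host name
    try:
        results = [
            check_cert_expiry(fetch_not_after(host), int(time.time())),
            check_ports(scan_ports(host, PROBE_PORTS), EXPECTED_OPEN_PORTS),
        ]
        code, message = worst(results)
    except OSError as exc:
        code, message = UNKNOWN, "could not reach %s: %s" % (host, exc)
    print("%s - %s" % (STATUS_NAME[code], message))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python check_host.py idp.example.edu`; the exit code is what Icinga reads, the printed line is what the dashboard shows. Expiry is graded on days remaining rather than on a boolean, so a 30-day warning gives the operator time to renew before the federation's SPs start rejecting the certificate.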

  18. Other initiatives: Improved data collection and reporting of utilisation
  Currently usage data is collected from the WAYFs
  • Leads to some data loss
  • Does not distinguish between successful and failed access
  Investigate improvements through capturing sanitised logs from IdPs
  • See all the traffic that bypasses the WAYF
  • Identify hidden services; bilateral agreements become obvious
  • Can count successful authentications
  • Can assist in identifying brute force attacks
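What the four bullets above look like once IdP logs are available, as an added example that is not code from the AAF or the Federation Registry. The log format is a simplified pipe-delimited line constructed for this example (time|spEntityID|principal|clientIP|SUCCESS-or-FAIL), not the real Shibboleth audit log layout; the entity IDs, user names, client addresses and the HMAC key are all invented. Principals are pseudonymised with a keyed HMAC before the line leaves the IdP, which is what "sanitised" has to mean if per-user counts are still wanted.

```python
"""Utilisation and brute-force reporting from sanitised IdP logs.

Added example, not AAF code. The log format is constructed for this example:
  time|spEntityID|principal|clientIP|SUCCESS-or-FAIL
Entity IDs, user names, addresses and the key are invented.
"""
import hashlib
import hmac
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: four users, one SP outside the registry, and a burst of
# failures from 192.0.2.10 against two accounts.
SAMPLE_LOG = """\
2012-02-16T09:00:01Z|https://sp.library.example.edu/shibboleth|alice|10.0.0.5|SUCCESS
2012-02-16T09:00:10Z|https://sp.hpc.example.edu/shibboleth|bob|10.0.0.6|SUCCESS
2012-02-16T09:01:00Z|https://sp.library.example.edu/shibboleth|carol|10.0.0.7|SUCCESS
2012-02-16T09:02:00Z|https://sp.partner.example.org/shibboleth|dave|10.0.0.8|SUCCESS
2012-02-16T09:02:30Z|https://sp.partner.example.org/shibboleth|bob|10.0.0.6|SUCCESS
2012-02-16T09:05:00Z|https://sp.library.example.edu/shibboleth|alice|192.0.2.10|FAIL
2012-02-16T09:05:03Z|https://sp.library.example.edu/shibboleth|alice|192.0.2.10|FAIL
2012-02-16T09:05:07Z|https://sp.library.example.edu/shibboleth|alice|192.0.2.10|FAIL
2012-02-16T09:05:12Z|https://sp.library.example.edu/shibboleth|bob|192.0.2.10|FAIL
2012-02-16T09:05:20Z|https://sp.library.example.edu/shibboleth|bob|192.0.2.10|FAIL
2012-02-16T09:06:00Z|https://sp.library.example.edu/shibboleth|alice|10.0.0.5|SUCCESS
2012-02-16T09:10:00Z|https://sp.hpc.example.edu/shibboleth|eve|10.0.0.9|FAIL
"""

# SPs the Federation Registry knows about (constructed).
REGISTERED_SPS = {
    "https://sp.library.example.edu/shibboleth",
    "https://sp.hpc.example.edu/shibboleth",
}

# Pseudonymisation key: stays at the IdP and is rotated, so the sanitised log
# never carries a username (constructed value).
SALT_KEY = b"idp-local-pseudonym-key"


def sanitise(principal, key):
    """Keyed HMAC of the principal: stable per user within one key rotation,
    so per-user counting works, but not reversible by whoever receives the log."""
    return hmac.new(key, principal.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def parse_line(line, key):
    ts, sp, principal, ip, result = line.strip().split("|")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "sp": sp,
        "user": sanitise(principal, key),
        "ip": ip,
        "ok": result == "SUCCESS",
    }


def parse_log(text, key):
    return [parse_line(line, key) for line in text.splitlines() if line.strip()]


def utilisation(events):
    """Per-SP counts that separate successful from failed access, which the
    WAYF-based numbers cannot do."""
    table = {}
    for e in events:
        row = table.setdefault(e["sp"], {"success": 0, "fail": 0})
        row["success" if e["ok"] else "fail"] += 1
    return table


def hidden_services(events, registered):
    """SPs the IdP talked to that the registry has never heard of: a bilateral
    arrangement that bypassed both the WAYF and the registration workflow."""
    return sorted({e["sp"] for e in events} - set(registered))


def brute_force_sources(events, threshold=5, window_seconds=60):
    """Client addresses with at least 'threshold' failed authentications inside
    a sliding window of 'window_seconds'. Returns {ip: peak failures in window}."""
    flagged = {}
    recent = defaultdict(deque)
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["ok"]:
            continue
        window = recent[e["ip"]]
        window.append(e["time"])
        while (e["time"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), len(window))
    return flagged


def report(text=SAMPLE_LOG, key=SALT_KEY, registered=REGISTERED_SPS):
    events = parse_log(text, key)
    return {
        "utilisation": utilisation(events),
        "hidden_services": hidden_services(events, registered),
        "brute_force": brute_force_sources(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2))
```

The brute-force detector keys on the client address rather than the account, so a spray across several usernames from one source is still caught; the threshold and window are tuning knobs, not values from the slides.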

  19. Other initiatives: New discovery service
  Currently utilising the SWITCHaai WAYF
  Federation Registry
  • Extend to populate MDUI elements into the metadata
  Investigate
  • what options are available for the Discovery Service
  • Multi-tiered Discovery Service
    • General access
    • Higher LOA
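The two registry and discovery items above in working form: a registry-side function that populates an mdui:UIInfo/DisplayName into an IdP's metadata, and a discovery listing that reads MDUI names (falling back to OrganizationDisplayName) and offers a higher-LoA tier by filtering on the assurance-certification entity attribute. This is an added example, not code from the AAF, the Federation Registry or the SWITCHaai WAYF. The metadata is constructed: entity IDs and names are invented, and the assurance URI https://example.edu/assurance/level2 is an assumed placeholder, not an AAF-defined value.

```python
"""Discovery listing and MDUI population from SAML metadata.

Added example, not AAF code. Metadata is constructed; entity IDs, names and
the HIGH_LOA URI are invented.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
# Entity attribute defined by the SAML Identity Assurance Profiles for LoA.
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
HIGH_LOA = "https://example.edu/assurance/level2"  # assumed LoA URI

SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.alpha.example.edu/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://example.edu/assurance/level2</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Alpha University</mdui:DisplayName>
      </mdui:UIInfo></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.beta.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:Organization>
      <md:OrganizationName xml:lang="en">beta</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">Beta Institute</md:OrganizationDisplayName>
      <md:OrganizationURL xml:lang="en">https://www.beta.example.edu/</md:OrganizationURL>
    </md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.gamma.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def load(xml_text):
    return ET.fromstring(xml_text)


def idp_roles(root):
    """Yield (EntityDescriptor, IDPSSODescriptor) pairs; SP-only entities are skipped."""
    for entity in root.findall("md:EntityDescriptor", NS):
        role = entity.find("md:IDPSSODescriptor", NS)
        if role is not None:
            yield entity, role


def display_name(entity, role, lang="en"):
    """MDUI DisplayName in the preferred language, else any MDUI name, else
    OrganizationDisplayName, else the bare entityID."""
    names = role.findall("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
    for name in names:
        if name.get(XML_LANG) == lang:
            return name.text
    if names:
        return names[0].text
    org = entity.find("md:Organization/md:OrganizationDisplayName", NS)
    return org.text if org is not None and org.text else entity.get("entityID")


def assurance_certifications(entity):
    """LoA URIs the entity advertises via the assurance-certification attribute."""
    values = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ASSURANCE_ATTR:
            values.update(v.text for v in attr.findall("saml:AttributeValue", NS))
    return values


def populate_ui_info(role, name, lang="en"):
    """Registry-side step: add mdui:UIInfo/DisplayName to an IdP role that lacks
    it. md:Extensions must be the first child of the role element."""
    ext = role.find("md:Extensions", NS)
    if ext is None:
        ext = ET.Element("{%s}Extensions" % NS["md"])
        role.insert(0, ext)
    ui = ext.find("mdui:UIInfo", NS)
    if ui is None:
        ui = ET.SubElement(ext, "{%s}UIInfo" % NS["mdui"])
    dn = ET.SubElement(ui, "{%s}DisplayName" % NS["mdui"])
    dn.set(XML_LANG, lang)
    dn.text = name
    return dn


def discovery_list(root, lang="en", required_assurance=None):
    """Chooser entries. With required_assurance set this is the higher-LoA
    tier: only IdPs certified to that URI are offered."""
    entries = []
    for entity, role in idp_roles(root):
        if required_assurance and required_assurance not in assurance_certifications(entity):
            continue
        entries.append({"entityID": entity.get("entityID"),
                        "name": display_name(entity, role, lang)})
    return sorted(entries, key=lambda e: e["name"].lower())
```

The tiering decision is made from signed federation metadata rather than from anything the IdP says at runtime, so an IdP cannot promote itself into the higher-LoA list; the registry controls which entities carry the attribute.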

  20. Michel De La Villefromoy, Manager, University of Technology, Sydney: “We see the AAF as an enabler for sharing all manner of fragile, dangerous, rare and geographically remote equipment between research organisations.”
