
Flexible ESMO GW for eIDAS-enabled Student Mobility Support Infrastructure

ESMO GW is a flexible gateway that supports the secure connectivity of Higher Education Institutions (HEIs) for eIDAS-enabled student mobility. It enables the authentication of users, retrieval of academic attributes, and connection to trusted sources. The ESMO GW can be deployed as a Member State hub or in various HEI scenarios.





Presentation Transcript


  1. eIDAS-enabled Student Mobility ESMO Support Infrastructure
  www.ESMO-project.eu
  GRANT AGREEMENT UNDER THE CONNECTING EUROPE FACILITY (CEF) - TELECOMMUNICATIONS SECTOR AGREEMENT No INEA/CEF/ICT/A2017/1451951

  2. Contents
  • Flexible ESMO GW deployment
  • ESMO GW as a Member State HUB
  • Domain Specific Attributes Support
  • EWP Network to connect remote HEI APs served by ESMO GWs
  • ESMO GW Deployments

  3. Flexible ESMO GW Deployment
  • ESMO GW deployment with its common and generic microservices (ms) and protocol-specific ms for connectivity to SPs, IdPs & APs
  • Flexible microservice multi-protocol architecture enables it to be employed for various scenarios

  4. ESMO GW as a Member State hub
  • Acts as a Member State (MS) hub for cross-border & national authentication
  • Lowers SP integration costs with interfaces readily available in OIDC, SAML, JWT
  • Used for managing trusted SP connections towards eIDAS and national IdPs – possibly sector specific

  5. Domain Specific Attributes
  • ESMO GW deployments enable SPs not only to authenticate the user but also to query students' academic attributes from trusted sources, to aid student Erasmus and mobility services as well as others
  • Connects to trusted HEI sources, with eIDAS-authenticated identity attributes sent to APs to facilitate record retrieval
  • Broad range of academic attributes able to be retrieved, and supports attributes used in eduGAIN
  • The wide range of academic attributes can be better served, standardised and developed by the HEI community, and need not burden eIDAS
  • Note: academic attributes are also able to provide biographic information (name, D.O.B. etc.), so as to provide SP services greater assurance that the academic information is indeed linked/associated with the authenticated user
  (Figure: Example SP Request)
  * StudyProgram was proposed but finally not implemented, as there is no existing standard for this attribute.
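Added example (Python, not the ESMO project's code) of the linkage assurance the note on this slide describes: the SP compares the biographic fields an AP returns alongside an academic record with the eIDAS identity attributes it authenticated the user with, and releases the academic attributes only when they match. The eIDAS attribute names are the real ones from the natural-person minimum dataset; the AP record layout, the eduGAIN-style attribute names used as the academic payload, and all sample values are constructed for this example.

```python
"""Added example (not ESMO project code): check that the biographic data an
Attribute Provider returns with an academic record matches the eIDAS identity
the SP already authenticated, before the academic attributes are used."""
import unicodedata
from datetime import datetime

# eIDAS natural-person minimum dataset attribute names (real names); the
# values are constructed for this example.
EIDAS_IDENTITY = {
    "PersonIdentifier": "ES/GR/12345678A",
    "FamilyName": "García Pérez",
    "FirstName": "María",
    "DateOfBirth": "1998-04-17",
}

# Constructed AP response: academic attributes (eduGAIN-style names) plus the
# biographic fields the AP holds for the same record. Layout is assumed.
AP_RESPONSE = {
    "academic": {"schacHomeOrganization": "uji.es", "eduPersonAffiliation": "student"},
    "biographic": {"familyName": "GARCIA PEREZ", "givenName": "Maria", "birthDate": "17/04/1998"},
}


def normalize_name(s):
    """Casefold, strip diacritics and collapse whitespace so that 'García'
    and 'GARCIA' compare equal."""
    decomposed = unicodedata.normalize("NFKD", s)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(plain.casefold().split())


def parse_date(s):
    """Accept ISO (YYYY-MM-DD) and European (DD/MM/YYYY) dates; None otherwise."""
    for fmt in ("%Y-%m-%d", "%d/%m/%Y"):
        try:
            return datetime.strptime(s, fmt).date()
        except ValueError:
            continue
    return None


def linkage_check(eidas, ap_biographic):
    """Return (linked, mismatches). Every compared field must match; a missing
    or unparsable field counts as a mismatch rather than a pass."""
    mismatches = []
    for eidas_key, ap_key in (("FamilyName", "familyName"), ("FirstName", "givenName")):
        a = normalize_name(eidas.get(eidas_key, ""))
        b = normalize_name(ap_biographic.get(ap_key, ""))
        if not a or not b or a != b:
            mismatches.append(eidas_key)
    d_eidas = parse_date(eidas.get("DateOfBirth", ""))
    d_ap = parse_date(ap_biographic.get("birthDate", ""))
    if d_eidas is None or d_ap is None or d_eidas != d_ap:
        mismatches.append("DateOfBirth")
    return (not mismatches, mismatches)


def accept_academic_record(eidas, ap_response):
    """Release the academic attributes only when linkage to the authenticated
    user holds; otherwise return None and the list of mismatched fields."""
    linked, mismatches = linkage_check(eidas, ap_response.get("biographic", {}))
    if not linked:
        return None, mismatches
    return ap_response["academic"], []


if __name__ == "__main__":
    print(accept_academic_record(EIDAS_IDENTITY, AP_RESPONSE))
```

The check is deliberately conservative: an AP that omits the biographic fields, or returns a date the SP cannot parse, is treated as unlinked rather than silently accepted, which is the failure mode a relying party most needs to avoid when the academic record drives a service decision.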

  6. EWP Network to connect remote HEI APs served by ESMO GWs
  • ESMO GW publishes the ESMO Metadata API in its EWP manifest
  • All trusted EWP hosts / ESMO GWs consume the EWP registry and can thus implement the ESMO Metadata API endpoint
  • Instead of ESMO publishing all its API endpoints on the EWP, it publishes just the ESMO Metadata API, which in turn publishes all the API services for the API endpoints it supports towards the HEI APs
  • The ESMO Metadata API publishes Attribute Request/Response APIs so that APs served by one GW are known and able to be queried from all other ESMO GWs and hosts connected to EWP
  • Automatic updates of network topology as new APs are added or are no longer reachable over ESMO GWs
  (Figure: EWP Trusted Remote AP Domain Specific Attribute retrieval)
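Added example (Python, not ESMO or EWP project code) of the discovery flow on this slide: a trusted host reads the registry, follows each gateway's advertised ESMO Metadata API, builds the table of which APs are reachable through which gateway, and recomputes it to pick up APs that have appeared or disappeared. The registry, manifest and metadata documents are constructed simplified stand-ins (real EWP manifests and the registry are XML, and the slide does not show the layout of the ESMO Metadata API), as are the API name `esmo-metadata`, the hostnames and the field names.

```python
"""Added example (not ESMO/EWP project code): build the AP routing table of a
gateway network from a registry of trusted hosts and each host's ESMO
Metadata document. All documents and names below are constructed."""
from urllib.parse import urlparse

# Constructed registry snapshot: trusted hosts and the APIs each manifest
# advertises. "esmo-metadata" is an assumed API name for this example.
REGISTRY = {
    "gw.example-es.test": {"esmo-metadata": "https://gw.example-es.test/esmo/metadata"},
    "gw.example-gr.test": {"esmo-metadata": "https://gw.example-gr.test/esmo/metadata"},
    # an EWP host without ESMO support: nothing to discover here
    "host.example-no.test": {"institutions": "https://host.example-no.test/ewp/institutions"},
}

# Constructed ESMO Metadata documents, keyed by the URL a fetcher would call.
METADATA_DOCS = {
    "https://gw.example-es.test/esmo/metadata": {
        "attribute_providers": [
            {"ap_id": "uji.es", "request_url": "https://gw.example-es.test/esmo/ap/uji/request"},
        ]
    },
    "https://gw.example-gr.test/esmo/metadata": {
        "attribute_providers": [
            {"ap_id": "aegean.gr", "request_url": "https://gw.example-gr.test/esmo/ap/aegean/request"},
            {"ap_id": "norway-ap.test", "request_url": "https://gw.example-gr.test/esmo/ap/no/request"},
        ]
    },
}


def offline_fetch(url):
    """Stand-in for an HTTPS GET of a metadata document; None if unreachable."""
    return METADATA_DOCS.get(url)


def discover_topology(registry, fetch):
    """Map ap_id -> (gateway host, request_url) for every AP reachable through
    a registered host's ESMO Metadata API. Only hosts in the registry are
    contacted; malformed documents are skipped; an AP advertised twice is an
    error rather than a silent overwrite."""
    topology = {}
    for host, apis in registry.items():
        url = apis.get("esmo-metadata")
        if url is None:
            continue
        doc = fetch(url)
        if not isinstance(doc, dict):
            continue  # unreachable or malformed: its APs drop out of the topology
        for ap in doc.get("attribute_providers", []):
            ap_id, req = ap.get("ap_id"), ap.get("request_url")
            if not ap_id or not req:
                continue
            # The request endpoint must be HTTPS and live on the gateway that
            # advertised it, so a metadata document cannot redirect attribute
            # queries to some third party.
            parsed = urlparse(req)
            if parsed.scheme != "https" or parsed.hostname != host:
                continue
            if ap_id in topology:
                raise ValueError(f"AP {ap_id} advertised by two gateways")
            topology[ap_id] = (host, req)
    return topology


def route_query(topology, ap_id):
    """Return the request endpoint for an AP, or None if it is not reachable."""
    entry = topology.get(ap_id)
    return entry[1] if entry else None


def refresh(registry, fetch, previous):
    """Re-run discovery and report which APs were added or removed since the
    previous snapshot (the automatic topology update the slide describes)."""
    current = discover_topology(registry, fetch)
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    return current, added, removed


if __name__ == "__main__":
    topo = discover_topology(REGISTRY, offline_fetch)
    for ap_id, (host, req) in sorted(topo.items()):
        print(f"{ap_id:16} via {host:22} -> {req}")
```

The two guards are the ones a consumer of such a network most needs: a host that is not in the registry is never asked for metadata, and a request endpoint is accepted only if it sits on the gateway that advertised it, so neither a stale manifest nor a tampered metadata document can steer attribute queries elsewhere.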

  7. ESMO GW – Affiliated HEI Group Deployment
  • In this scenario the ESMO GW serves an affiliation of multiple HEIs over various protocols to provide:
    • trusted HEI SP connectivity to eIDAS node or proxy
    • trusted HEI AP connectivity
    • remote trusted HEI AP connectivity (through EWP Network)
    • multi-protocol SSO
    • multi-federated authentication

  8. ESMO GW – Single HEI Deployment
  • Two scenarios:
  1) the ESMO GW is deployed to serve just one HEI A and provides:
    • trusted HEI SP connectivity to eIDAS node or proxy
    • trusted HEI AP connectivity
    • remote trusted HEI AP connectivity (through EWP Network)
    • multi-protocol SSO
    • multi-federated authentication
  2) HEI B implements the ESMO Metadata API on EWP
    • and implements the ESMO DSA Query/Response APIs to query EWP Hosts and ESMO GWs

  9. ESMO GW – AP Deployment
  • Attribute Providers connected over ESMO GW can automatically serve attributes to HEI SPs connected by the EWP Network
  • Quick integration to APs by configuration alone for SAML2, OAuth 2.0, OIDC

  10. ESMO GW - Member State Deployment
  • This scenario supposes the ESMO GW is operated by a national ministry or academic authority (e.g. NREN)
  • Provides trusted GW connectivity through EWP Network and direct governance over:
    • trusted HEI SP connectivity to eIDAS
    • trusted HEI AP connectivity
    • trusted connectivity to national IdPs
  • Maintains the ESMO GW operations, e.g. manages keys for its own GW, SP & AP metadata, EWP Manifest etc.
  • Sustainability:
    • add new microservice protocol support as needed
    • promote and expand standard set of Academic Attributes
    • integrate with eduGAIN Federations at MS level (with eIDAS Person identifier to avoid 2nd login)

  11. ESMO GW - Central EU Deployment
  • This scenario supposes the ESMO GW is operated by a central EU organisation
  • Provides pan-European governance of:
    • trusted HEI SP connectivity to eIDAS in own MS
    • trusted HEI AP connectivity
  • No need for EWP Network integration
  • HEIs are all directly connected to the central ESMO GW HUB
  • Issues:
    • No close relationship / trust with MS HEIs
    • Extra administrative overhead
    • Tromboning effect
  • Distributed alternative to avoid the above issues:
    • distribute specific microservices to the Member States that they interwork with, deployed at HEIs or by a national institution
    • generic common microservices can be deployed in a central virtual environment

  12. ESMO GW – ESMO Project Deployment
  • The project scenario deploys a mixture of centralised and distributed ESMO GWs
  • ESMO GW in Spain deploys:
    • eIDAS SAML IdP ms towards cl@ve proxy towards eIDAS Node (ES)
    • SAML2 ms with interfaces towards UJI SP & 2 APs (UJI & eduGAIN Federation)
  • ESMO GW in Greece deploys:
    • eIDAS SAML IdP ms towards eIDAS Node (GR)
    • OIDC IdP ms towards FEIDE proxy towards eIDAS Node (NO)
    • OIDC SP ms towards UAegean SP and UIA and USN SPs
    • OAuth 2.0 AP ms towards UAegean AP, and Norway AP
    • SAML 2 AP ms towards UAegean AP (eduGAIN Federation)
  (Figure: deployment diagram with GWs, UJI, UAegean, USN, UIA)

  13. Thank you for your attention
  Ross Little ross.little@atos.net
