AAF Middleware update, 16 February 2012. Presented by Terry Smith (Technical Manager) and Heath Marks (Manager).
Overview
• The AAF Federation Registry
• National Entitlements Service
• Other initiatives
Federation Registry
An extensible, open source web application that provides a central point of registration, management and reporting for identity and service providers participating in a standards-compliant SAML 2 identity federation.
Requirements
• Manages the federation's metadata
• Supports the AAF business model
Introduces the Organisation
• 0..n IdPs and 0..n SPs
• Admins and Contacts
• Involved in workflow
Builds on concepts from the SWITCHaai Resource Registry
Federation Registry: Features
• Federated application
• Registration wizards
• Data validation
• Help bubbles
• Integrated with the AAF Support tool
• SAML 2
• Dashboard
• Access control
• Reporting / Compliance
• Workflow
• Integration
Federation Registry: Behind the scenes
• 1 person-year of development effort
• 2 major code releases to date
• Groovy / Grails (Java) platform
• Extensible design
• Agile development
• Continuous integration testing and quality control
• Next release in Q2 2012
Federation Registry: Utilisation Reporting
[Chart: ARCS Data Fabric utilisation, January 2012]
• Utilisation data recorded by the AAF WAYFs and reported by the Federation Registry
Federation Registry Federation Integration engine The Federation Registry is the integration engine for AAF components, Identity providers and Service providers. It is central to the successful on-going operation of the Australian Access Federation.
Federation Registry: More information
• AAF Wiki: http://wiki.aaf.edu.au/federationregistry/
• Try it, AAF Test Federation Registry: https://manager.test.aaf.edu.au/federationregistry
• Source code and issue tracking: https://github.com/ausaccessfed/federationregistrymaster
National Entitlements Service
Provides attributes that are beyond the scope of individual organisations to manage and maintain as part of authentication.
• A central source for entitlements
• Delegation and assignment of entitlements
• Self-assignment of entitlements
• A web portal
• A technical interface
The solution must
• be cost effective
• have delivery aligned to the Super Science initiatives
National Entitlements Service: Why NES
• In support of Australian Super Science initiatives such as
  • Research Data Storage Infrastructure (RDSI)
  • National eResearch Collaboration Tools and Resources (NeCTAR)
• Improved authorisation
• The user's home institution cannot easily provide the information
  • It is not authoritative for it
  • It does not want the additional overhead
National Entitlements Service: The feasibility study (in peer review)
• Define the problem
• Analyse existing open source and commercial offerings
• Review international federation (SAML) practices
• Identify options to move forward
What interest is there in making the study public?
National Entitlements Service: The options
• Do nothing
• Purchase and integration of a vendor or open source solution
• Development of a custom solution by a software development partner
• Development of a custom solution by the AAF
National Entitlements Service: What it will look like
A nationally operated attribute authority with a group management component and a user interface providing
• delegated access
• approval workflows
• user registration
Delivered as an extension to the Federation Registry
National Entitlements Service: Timeframes
• Deliver in 2012, aligning with the Super Science initiatives
• Rolled out progressively, in 3 or 4 releases
• Agile development, collaborating with users
Other initiatives
A number of other initiatives are on the AAF drawing board
• Cloud IdP, a fully managed service for our subscribers
• Automated monitoring service
• Improved data collection and reporting of utilisation
• New discovery service
Other initiatives: Cloud IdP
A fully managed Identity Provider service for our subscribers
• New AAF VHO
• Partially hosted, for organisations with an identity store
• Fully hosted
Not currently resourced
Other initiatives: Automated monitoring service
Icinga open source monitoring (a Nagios fork)
• Federated authentication
• Simple dashboard showing the overall health of the federation
• Reporting and alerting to subscribers
Basic monitors (March 2012)
• Ping
• Time synchronisation
• SSL certificate expiry
• Shibboleth status, basic and advanced
• Basic port security check
Advanced monitor (June 2012)
• End-to-end (RedIRIS monitoring tool)
Integrated with the Federation Registry
• Hosts and services to monitor
• Host and service groups
• Contacts: the people involved in the notification process
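As an added example of the kind of check behind the "SSL certificate expiry" basic monitor (this is not AAF or Icinga code): a Nagios/Icinga plugin-style expiry check in Python. The decision logic takes the dictionary shape that ssl.SSLSocket.getpeercert() returns, so it can be fed from a live TLS connection or, as here, from a constructed certificate record; exit codes follow the Nagios plugin convention (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). The host name, dates and thresholds are assumptions. One caveat the live path handles: an already-expired certificate fails the TLS handshake before getpeercert() can return anything, so the plugin must treat a verification failure as CRITICAL rather than UNKNOWN.

```python
"""Nagios/Icinga plugin-style TLS certificate expiry check.

Added example, not AAF or Icinga code. CONSTRUCTED_CERT mimics the dict
that ssl.SSLSocket.getpeercert() returns; its values are invented.
"""
import socket
import ssl
import sys
import time
from typing import Dict, Tuple

# Nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed record in getpeercert() shape; host name and dates are assumptions.
CONSTRUCTED_CERT = {
    "subject": ((("countryName", "AU"),), (("commonName", "idp.example.edu.au"),)),
    "notBefore": "Mar 31 00:00:00 2011 GMT",
    "notAfter": "Mar 31 00:00:00 2012 GMT",
}
# Assumed "today" for the offline demonstration: 16 February 2012, 44 days before expiry.
NOW_CONSTRUCTED = ssl.cert_time_to_seconds("Feb 16 00:00:00 2012 GMT")


def check_cert_expiry(cert: Dict, now: float, warn_days: int = 30,
                      crit_days: int = 7) -> Tuple[int, str]:
    """Return (nagios_state, status_line) for a getpeercert()-style dict.

    `now` is seconds since the epoch (UTC). notAfter is parsed with
    ssl.cert_time_to_seconds(), which understands the 'Mar 31 00:00:00 2012 GMT'
    form that getpeercert() produces.
    """
    try:
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError, TypeError) as exc:
        return UNKNOWN, f"UNKNOWN - cannot read notAfter: {exc}"
    # getpeercert() encodes the subject as a tuple of RDNs, each a tuple of (name, value) pairs.
    subject = {name: value for rdn in cert.get("subject", ()) for name, value in rdn}
    cn = subject.get("commonName", "unknown")
    days_left = (not_after - now) / 86400.0
    # Nagios performance data (value;warn;crit) lets the dashboard graph the trend.
    perf = f"|days_left={days_left:.1f};{warn_days};{crit_days}"
    if days_left < 0:
        return CRITICAL, f"CRITICAL - {cn} expired {-days_left:.1f} days ago{perf}"
    if days_left < crit_days:
        return CRITICAL, f"CRITICAL - {cn} expires in {days_left:.1f} days{perf}"
    if days_left < warn_days:
        return WARNING, f"WARNING - {cn} expires in {days_left:.1f} days{perf}"
    return OK, f"OK - {cn} valid for {days_left:.1f} more days{perf}"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Live mode: fetch the certificate a host presents (needs network; not used offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_host(host: str, port: int = 443) -> Tuple[int, str]:
    """Live mode wrapper: map handshake failures onto plugin states."""
    try:
        cert = fetch_peer_cert(host, port)
    except ssl.SSLCertVerificationError as exc:
        # Expired or untrusted certificates fail the handshake before getpeercert() can run.
        return CRITICAL, f"CRITICAL - {host}:{port} certificate verification failed: {exc.verify_message}"
    except OSError as exc:
        return UNKNOWN, f"UNKNOWN - {host}:{port} unreachable: {exc}"
    return check_cert_expiry(cert, time.time())


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check_cert.py idp.example.edu.au 443
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        state, line = check_host(sys.argv[1], port)
    else:  # offline demonstration against the constructed record
        state, line = check_cert_expiry(CONSTRUCTED_CERT, NOW_CONSTRUCTED)
    print(line)
    sys.exit(state)
```

Run without arguments it evaluates the constructed record as of the assumed date (OK, 44 days left); with a host name it checks a live endpoint. In an Icinga deployment the same script would be registered as a command and scheduled per host, with the perfdata field feeding the dashboard.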
Other initiatives: Improved data collection and reporting of utilisation
Currently usage data is collected from the WAYFs
• Leads to some data loss
• Does not distinguish between successful and failed access
Investigate improvements through capturing sanitised logs from IdPs
• See all the traffic that bypasses the WAYF
• Identify hidden services; bilateral agreements become obvious
• Can count successful authentications
• Can assist in identifying brute-force attacks
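The analysis the slide proposes, as an added example that is not AAF code. The line format is an assumption: a sanitised per-attempt record an IdP might export to the federation, with the client address and principal replaced by salted hashes at the source, so the federation counts successes per SP, spots SPs that never pass through the WAYF, and flags failure bursts per client without ever seeing user identities. The sample log, the WAYF-known SP list, the entityIDs and the thresholds are all constructed.

```python
"""Federation utilisation and abuse reporting from sanitised IdP logs.

Added example, not AAF code. Assumed record format (one per attempt):
    <UTC time>|<SUCCESS|FAILURE>|<SP entityID>|<client hash>|<principal hash>
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set

# Constructed sample: entityIDs, hashes (c*/u*) and times are invented.
SAMPLE_LOG = """\
20120216T090000Z|SUCCESS|https://sp1.example.edu.au/shibboleth|c1|u1
20120216T090030Z|SUCCESS|https://sp1.example.edu.au/shibboleth|c2|u2
20120216T090100Z|SUCCESS|https://bilateral.example.org/shibboleth|c2|u2
20120216T090200Z|FAILURE|https://sp1.example.edu.au/shibboleth|c9|u3
20120216T090210Z|FAILURE|https://sp1.example.edu.au/shibboleth|c9|u4
20120216T090220Z|FAILURE|https://sp1.example.edu.au/shibboleth|c9|u5
20120216T090230Z|FAILURE|https://sp1.example.edu.au/shibboleth|c9|u6
20120216T090240Z|FAILURE|https://sp1.example.edu.au/shibboleth|c9|u7
20120216T090300Z|FAILURE|https://sp1.example.edu.au/shibboleth|c1|u1
20120216T093000Z|FAILURE|https://sp1.example.edu.au/shibboleth|c1|u1
20120216T100000Z|SUCCESS|https://sp2.example.edu.au/shibboleth|c3|u1
"""

# Constructed: SPs for which the WAYF has recorded sessions.
WAYF_KNOWN_SPS = {
    "https://sp1.example.edu.au/shibboleth",
    "https://sp2.example.edu.au/shibboleth",
}


def parse_log(lines: Iterable[str]) -> List[Dict]:
    """Parse records into dicts; reject malformed lines instead of silently dropping them."""
    events = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 5 or parts[1] not in ("SUCCESS", "FAILURE"):
            raise ValueError(f"line {n}: malformed record: {line!r}")
        ts = datetime.strptime(parts[0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": ts.timestamp(), "result": parts[1],
                       "sp": parts[2], "client": parts[3], "principal": parts[4]})
    return events


def successes_by_sp(events: List[Dict]) -> Counter:
    """Successful authentications per SP: the utilisation figure the WAYF data cannot give."""
    return Counter(e["sp"] for e in events if e["result"] == "SUCCESS")


def hidden_services(events: List[Dict], wayf_known: Set[str]) -> Set[str]:
    """SPs that received logins but never appear in WAYF data: bilateral or hard-wired SPs."""
    return set(successes_by_sp(events)) - wayf_known


def brute_force_candidates(events: List[Dict], window_seconds: int = 300,
                           threshold: int = 5) -> Dict[str, Dict[str, int]]:
    """Clients with >= threshold failures inside any sliding window of window_seconds.

    Also reports how many distinct principals those failures targeted, which
    separates password spraying (many principals) from single-account guessing.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            failures[e["client"]].append((e["time"], e["principal"]))
    flagged = {}
    for client, items in failures.items():
        items.sort()
        best, best_principals, start = 0, set(), 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window_seconds:
                start += 1
            count = end - start + 1
            if count > best:
                best = count
                best_principals = {p for _, p in items[start:end + 1]}
        if best >= threshold:
            flagged[client] = {"failures": best, "principals": len(best_principals)}
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG.splitlines())
    print("successes per SP:", dict(successes_by_sp(evts)))
    print("hidden services:", hidden_services(evts, WAYF_KNOWN_SPS))
    print("brute-force candidates:", brute_force_candidates(evts))
```

On the constructed sample this reports two successes for sp1 and one each for sp2 and the bilateral SP, identifies the bilateral SP as hidden from the WAYF, and flags client c9 (five failures in 40 seconds across five principals), while c1's two failures half an hour apart stay below the window threshold. The hashing at the source is what makes this acceptable to ship centrally: the federation never needs the raw principal or address to produce these figures.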
Other initiatives: New discovery service
Currently utilising the SWITCHaai WAYF
Federation Registry
• Extend it to populate MDUI elements into the metadata
Investigate
• What options are available for the Discovery Service
• A multi-tiered Discovery Service
  • General access
  • Higher LOA (level of assurance)
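What "populate MDUI elements into the metadata" involves, as an added example that is not Federation Registry code: inserting an mdui:UIInfo block (the SAML V2.0 Metadata Extensions for Login and Discovery UI, namespace urn:oasis:names:tc:SAML:metadata:ui) into an entity's role descriptor so a discovery service can show a display name, description and logo instead of a bare entityID. The entity descriptor, entityID and logo URL below are constructed and the key material is a placeholder. The placement logic follows the metadata schema, where md:Extensions must precede md:KeyDescriptor inside the role descriptor (after ds:Signature if one is present); the function is also idempotent, so re-running the registry export does not duplicate elements.

```python
"""Populate SAML metadata with MDUI (Login and Discovery UI) elements.

Added example, not Federation Registry code. The entity descriptor is
constructed; the X509Certificate content is a placeholder, not a real key.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep conventional prefixes on output

# Constructed IdP entity, as a registry might hold it before MDUI is added.
CONSTRUCTED_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu.au/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu.au/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _role_descriptor(root: ET.Element) -> ET.Element:
    for tag in ("IDPSSODescriptor", "SPSSODescriptor"):
        role = root.find(f"md:{tag}", NS)
        if role is not None:
            return role
    raise ValueError("entity has no IDPSSODescriptor or SPSSODescriptor")


def _ensure_extensions(role: ET.Element) -> ET.Element:
    """Return the role's md:Extensions, creating it in schema order if absent.

    RoleDescriptorType is a sequence: ds:Signature?, md:Extensions?, md:KeyDescriptor*, ...
    so Extensions goes at index 0, or index 1 when a Signature is already first.
    """
    ext = role.find("md:Extensions", NS)
    if ext is None:
        ext = ET.Element(f"{{{NS['md']}}}Extensions")
        pos = 1 if len(role) > 0 and role[0].tag == f"{{{NS['ds']}}}Signature" else 0
        role.insert(pos, ext)
    return ext


def _set_localised(parent: ET.Element, tag: str, values: Dict[str, str]) -> None:
    """One mdui element per language; replace the text of an existing one for that xml:lang."""
    qtag = f"{{{NS['mdui']}}}{tag}"
    existing = {el.get(XML_LANG): el for el in parent.findall(qtag)}
    for lang, text in values.items():
        el = existing.get(lang)
        if el is None:
            el = ET.SubElement(parent, qtag)
            el.set(XML_LANG, lang)
        el.text = text


def add_mdui(entity_xml: str, display_name: Dict[str, str],
             description: Optional[Dict[str, str]] = None,
             logo: Optional[Tuple[str, int, int]] = None) -> str:
    """Add or update mdui:UIInfo on the entity's role descriptor and return the new XML."""
    root = ET.fromstring(entity_xml)
    ext = _ensure_extensions(_role_descriptor(root))
    uiinfo = ext.find("mdui:UIInfo", NS)
    if uiinfo is None:
        uiinfo = ET.SubElement(ext, f"{{{NS['mdui']}}}UIInfo")
    _set_localised(uiinfo, "DisplayName", display_name)
    if description:
        _set_localised(uiinfo, "Description", description)
    if logo:
        url, height, width = logo
        lg = uiinfo.find("mdui:Logo", NS)
        if lg is None:
            lg = ET.SubElement(uiinfo, f"{{{NS['mdui']}}}Logo")
        lg.text, lg.attrib["height"], lg.attrib["width"] = url, str(height), str(width)
    return ET.tostring(root, encoding="unicode")


def display_names(entity_xml: str) -> Dict[str, str]:
    """Read back DisplayName by language, as a discovery service would."""
    root = ET.fromstring(entity_xml)
    return {el.get(XML_LANG): el.text
            for el in root.iterfind(".//mdui:UIInfo/mdui:DisplayName", NS)}


def extensions_first(entity_xml: str) -> bool:
    """True if md:Extensions is the first child of the role descriptor (schema-valid order)."""
    role = _role_descriptor(ET.fromstring(entity_xml))
    return len(role) > 0 and role[0].tag == f"{{{NS['md']}}}Extensions"


if __name__ == "__main__":
    print(add_mdui(CONSTRUCTED_IDP, {"en": "Example University"},
                   {"en": "Example University identity provider"},
                   ("https://idp.example.edu.au/logo.png", 60, 80)))
```

The ordering check matters in practice: a registry that appends Extensions after KeyDescriptor produces metadata that fails schema validation in aggregators and in the Shibboleth metadata filters, so the discovery service never sees the display names. Logo height and width are required attributes of mdui:Logo, which is why the function takes all three values together.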
Michel De La Villefromoy - Manager, University of Technology, Sydney “We see the AAF as an enabler for sharing all manner of fragile, dangerous, rare and geographically remote equipment between research organisations.”