
OpenConext Workshop Diagrams

OpenConext Workshop Diagrams. Neil Witheridge AARNet Pty Ltd.


Presentation Transcript


  1. OpenConext Workshop Diagrams. Neil Witheridge, AARNet Pty Ltd. Non-third-party-sourced content is under the Creative Commons “Attribution 3.0 Unported” license. This means that you are permitted to freely copy, distribute, display, present, or perform material on the wiki, and create derivative works from it, for either commercial or non-commercial purposes.

  2. Workshop room layout diagram: main projector and main screen at the front, 2nd projector and 2nd screen, lecturn, whiteboard; benches (4 people each) with the hands-on participants (and PM) at the front and the non-hands-on participants at the back; network switches (four 10/100 and one Gb). Note on the slide: “But if you could provide a 2nd projector & screen that would be fantastic. My understanding is I need to provide 2nd projector & screen and of course network switches and cables.”

  3. Diagram: National Federation (mesh) versus OpenConext (hub & spoke). In the mesh, SP A, SP B, SP C and IdP A, IdP B, IdP C are trusted pairwise, i.e. they exchange metadata. In the hub & spoke, the Engine (SAML Proxy), labelled IdP 0, sits between SP 1, SP 2, SP 3 on one side and IdP 1, IdP 2 and the federation IdPs on the other.

  4. Diagram: National Federation (e.g. AAF) mesh with a WAYF. Each SP holds trusted IdPs metadata and each IdP holds trusted SPs metadata; attributes flow from IdP to SP, with an ARP (attribute release policy) on each IdP–SP relationship.

  5. Diagram: the same National Federation (e.g. AAF) with WAYF, trusted IdPs/SPs metadata and ARPs, now with the OpenConext Engine inserted. Towards the federation the Engine appears as an OpenConext SP; towards the services behind it (SP, SP, SP) it appears as the OpenConext IdP. Hub & Spoke architecture, with an ARP on each link through the Engine.

  6. Diagram: OpenConext Deployment. IdP 1, IdP 2, IdP 3 and SP 1, SP 2, SP 3 connect through the Engine (SAML Proxy), which is an SP towards the IdPs and an IdP towards the SPs. Supporting components: Service Registry, Mujina IdP, Manage, API, Teams, Grouper. SAML entity trust, i.e. metadata provisioned.

  7. Diagram: Group Proxy. Clients (OpenConext SPs: Service Provider X, Y, Z) call the OpenConext API with a Consumer Key + Secret. Behind the API, group providers are reached through the Grouper Client (Group Provider G1, type Grouper, username + password) and the OpenSocial Client (Group Providers OS-A, OS-B, OS-C, type OpenSocial, Consumer Key + Secret); an Open Social Server is also shown. Client and provider configuration is held in the Service Registry and maintained through Manage.

  8. General case of deployment in a national federation. Some IdPs (B, C) are ‘conexted’, others (A) are not; no federation SPs are conexted. National Federation: SP A, SP B, SP C, IdP A, IdP B, IdP C, Policy, Federation Registry, WAYF, VHO; trusted, i.e. exchange metadata. OpenConext side: Engine (SAML Proxy) as IdP 0, SP 1, SP 2, SP 3; IdPs and SPs trusted by the OpenConext instance.

  9. In this deployment scenario, all national federation IdPs (A, B, C) are conexted, and there are two non-federation IdPs (IdP 1, IdP 2) that are conexted (e.g. ‘private’ IdPs of the institution deploying OpenConext). National Federation: SP A, SP B, SP C, IdP A, IdP B, IdP C; trusted, i.e. exchange metadata. OpenConext: Engine (SAML Proxy) as IdP 0, SP 1, SP 2, SP 3; IdPs and SPs trusted by the OpenConext instance.

  10. Same diagram with two annotations. “IdP A” is a member of the NatFed but not trusting/trusted by OpenConext (i.e. its users can’t access “SP 1”, “SP 2”, “SP 3”). “IdP 1” and “IdP 2” are not members of the NatFed but are trusted by OpenConext (i.e. their users can’t access “SP A” or “SP B”).

  11. Same diagram as slide 10 with the annotations placed inline next to the entities: “IdP A” a member of the Nat SAML Fed but not trusting/trusted by OpenConext (i.e. users can’t access “SP 1”, “SP 2”, “SP 3”); “IdP 1” and “IdP 2” not members of the Nat Fed but trusted by OpenConext (i.e. users can’t access “SP A” or “SP B”). IdPs and SPs trusted by the OpenConext instance are outlined.

  12. Big Picture (all nat fed IdPs conexted). Two kinds of trust: trusted SAML entities, i.e. exchange metadata; trusted OpenSocial/Grouper entities, i.e. exchange credentials. National Federation: SP A, SP B, SP C, IdP A, IdP B, IdP C. OpenConext instance: Engine (SAML Proxy) as IdP 0 in front of SP 1, SP 2, SP 3; IdP 1, IdP 2 (non-federation); API (Group Proxy) with Grouper Client, OpenSocial Client and OpenSocial Server; Group Provider (Int) Grouper, Group Provider (Ext) Grouper, and two Group Providers (Ext) OpenSocial. IdPs, SPs, Group Providers trusted by the OpenConext instance.

  13. Big Picture (not all natfed IdPs conexted). Same components as slide 12; the diagram differs only in which federation IdPs fall inside the set of IdPs, SPs and Group Providers trusted by the OpenConext instance.

  14. Big Picture, OpenConext components. Same diagram as slide 12 with the OpenConext components (Engine, API/Group Proxy, Grouper Client, OpenSocial Client, OpenSocial Server, internal Grouper) highlighted.

  15. OpenConext Big Picture, OpenConext components, Australian Access Federation. Trust: trusted SAML entities, i.e. exchange metadata (SAML2); trusted OpenSocial/Grouper entities, i.e. exchange credentials (Grouper API, VOOT). AAF side: IdPs without access to your services; SPs not accessible by conexted IdPs; IdPs with access to your services; AAF SP; AAF Group Provider. OpenConext side: Engine (SAML Proxy) with an SP and an IdP face; API (Group Proxy) with Grouper Client, OpenSocial Client, OpenSocial Server; Internal Group Provider (Grouper); External Group Providers (Grouper API); External Group Providers (OpenSocial); SP 1, SP 2, SP 3, i.e. your services behind your institutional ‘Shopfront’, accessible by conexted IdPs; your ‘private’ IdPs with access to your services, not in the AAF. IdPs, SPs, Group Providers trusted by the OpenConext instance.

  16. Same diagram as slide 15 with AAF Groups shown as an AAF group provider, the private IdPs labelled “Non-AAF trusted IdPs extended access to your services”, and the components marked as developed by OpenConext. Footer: OpenConext Workshop Down-Under, Friday 25th October.

  17. Big Picture. Same diagram as slide 12 (National Federation; trusted SAML entities, i.e. exchange metadata; trusted OpenSocial/Grouper entities, i.e. exchange credentials; Engine (SAML Proxy), API (Group Proxy), Grouper Client, OpenSocial Client, OpenSocial Server, internal and external Group Providers; IdPs, SPs, Group Providers trusted by the OpenConext instance).

  18. VO-based Authorisation. Setup: create and configure VO <vo_name> in terms of Group(s), IdP(s), Group(s)+IdP(s) and Grouper stems (VOData: VO => Groups, IdP, stem) through Manage and the API, with Group Providers (Grouper + Ext) supplying membership. Generate Engine IdP metadata for <Idp_entityID>/vo:<vo_name> (which includes the endpoint/vo:<vo_name>) and provision it at SP A, so that SP A is only accessible by members of VO <vo_name>. Flow (numbered 1–5 with a branch B on the slide): SP A sends the user to <idp_endpoint>/vo:<vo_name>; the Engine has the user authenticate at the IdP; the Engine evaluates “User in VO?”; Yes: the user is returned to SP A; No: an error page is shown.
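A worked model of the VO membership decision on this slide, added here as an illustration; it is not OpenConext code. It assumes that a VOData record carries optional groups, IdPs and a Grouper stem; that a VO defined by Group(s)+IdP(s) requires both to hold while a VO defined by only one kind applies only that constraint; that Grouper group names are colon-separated so a stem matches every group beneath it; that the plain Engine endpoint (no /vo: suffix) carries no VO restriction; and that the group provider is a constructed in-memory stand-in for what the Group Proxy would return. All names, URLs and memberships are made up.

```python
"""VO-scoped Engine endpoints and the "User in VO?" decision (illustrative, not OpenConext code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

VO_MARKER = "/vo:"


@dataclass(frozen=True)
class VO:
    """One VOData record: VO => Groups, IdP(s), stem.
    An empty groups/idps set means 'no constraint of that kind' (assumption)."""
    name: str
    groups: FrozenSet[str] = frozenset()
    idps: FrozenSet[str] = frozenset()
    stem: Optional[str] = None  # Grouper stem; groups under it count as VO groups (assumption)


def vo_scoped_entity_id(idp_entity_id: str, vo_name: str) -> str:
    """EntityID of the per-VO Engine IdP, as on the slide: <Idp_entityID>/vo:<vo_name>."""
    return f"{idp_entity_id}{VO_MARKER}{vo_name}"


def vo_scoped_endpoint(idp_endpoint: str, vo_name: str) -> str:
    """SSO endpoint provisioned at the SP: <idp_endpoint>/vo:<vo_name>."""
    return f"{idp_endpoint}{VO_MARKER}{vo_name}"


def parse_vo_name(request_path: str) -> Optional[str]:
    """Recover <vo_name> from an incoming request path; None when the plain endpoint was used."""
    idx = request_path.rfind(VO_MARKER)
    if idx == -1:
        return None
    vo_name = request_path[idx + len(VO_MARKER):].split("/")[0].split("?")[0]
    return vo_name or None


class GroupProvider:
    """Constructed stand-in for a Grouper/OpenSocial provider behind the Group Proxy."""

    def __init__(self, memberships: Dict[str, Iterable[str]]):
        self._memberships = {user: frozenset(groups) for user, groups in memberships.items()}

    def groups_of(self, user: str) -> FrozenSet[str]:
        return self._memberships.get(user, frozenset())


def _group_matches_vo(group: str, vo: VO) -> bool:
    if group in vo.groups:
        return True
    # Assumption: Grouper names are 'stem:sub:group', so a stem covers everything beneath it.
    return vo.stem is not None and group.startswith(vo.stem + ":")


def user_in_vo(vo: VO, user_idp: str, user_groups: Iterable[str]) -> bool:
    """"User in VO?" Each configured constraint must hold; unconfigured ones are skipped."""
    idp_ok = not vo.idps or user_idp in vo.idps
    has_group_constraint = bool(vo.groups) or vo.stem is not None
    group_ok = not has_group_constraint or any(_group_matches_vo(g, vo) for g in user_groups)
    return idp_ok and group_ok


def decide(vo_data: Dict[str, VO], request_path: str, user: str,
           user_idp: str, provider: GroupProvider) -> str:
    """Post-authentication decision: 'allow' (return user to the SP) or 'error page'."""
    vo_name = parse_vo_name(request_path)
    if vo_name is None:
        return "allow"          # plain endpoint: no VO restriction applies (assumption)
    vo = vo_data.get(vo_name)
    if vo is None:
        return "error page"     # unknown VO: fail closed rather than fall through
    if user_in_vo(vo, user_idp, provider.groups_of(user)):
        return "allow"
    return "error page"


# Constructed sample data: one VO defined by Group(s)+IdP(s) plus a stem.
VO_DATA = {
    "research-x": VO(
        name="research-x",
        groups=frozenset({"edu:research:x:members"}),
        idps=frozenset({"https://idp-b.example.org/idp"}),
        stem="edu:research:x",
    ),
}
PROVIDER = GroupProvider({
    "alice": ["edu:research:x:members"],
    "bob": ["edu:staff"],
    "carol": ["edu:research:x:subteam:core"],
})
ENDPOINT = vo_scoped_endpoint("https://engine.example.org/sso", "research-x")

if __name__ == "__main__":
    for user, idp in [("alice", "https://idp-b.example.org/idp"),
                      ("bob", "https://idp-b.example.org/idp"),
                      ("alice", "https://idp-a.example.org/idp")]:
        print(user, idp, "->", decide(VO_DATA, ENDPOINT, user, idp, PROVIDER))
```

The decision runs after authentication because both inputs it needs, the user's IdP and the user's groups from the Group Proxy, are only known then; an unknown VO name in the endpoint is treated as a deny so that a mistyped or stale endpoint provisioned at an SP cannot open the service to everyone.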
