SURFfederatie - eduGAIN


Presentation Transcript


  1. SURFfederatie - eduGAIN Opt-in Metadata Management for a Hub & Spoke Federation

  2. Content
  • History of SURFfederatie
  • Federation models
  • Functional view
  • Consequences of hub & spoke
  • eduGAIN
  • Future changes
  SURFnet - We make innovation work

  3. Once upon a time…
  • DigiD: government eID based on A-Select
  • Federative AAI, A-Select (open source)
  • A-Select: intra-organisational web-SSO
  • FIdM service (gateway) in production
  • Student Chipcard: authentication
  • Elsevier, EBSCO, Google Apps

  4. Federation models (communication/login, not metadata)
  • 1-1
    • Business (US): SAML 1.x, the de-facto model
  • NxN
    • Shared trust, point-to-point
    • Education (US/Europe)
  • 2xN
    • Central gateway (CFC)
    • Protocol translation
    • SURFfederatie = CFC + IDPs + SPs
  (Diagram: IDP/SP pairs connected directly in the 1-1 and NxN models; in the 2xN model every IDP and SP connects only to the CFC.)

  5. Functional view (since August 2008)
  (Diagram: Identity Providers (credentials) on one side, Service Providers (applications) on the other, with the SURFfederatie core, the Central Federation Components, in between. Protocols handled by the core: A-Select Cross, Shibboleth, SAML 2.0, WS-Fed / ADFS.)

  6. Metadata & proxying
  (Diagram: SP1–SP3 reach the hub through its WAYF; the hub holds one proxy entity per SP (A-1, A-2, A-3) and one per IDP (B-1, B-2, B-3) and forwards to IDP1–IDP3.)
  Each SP is registered in the hub as a proxy entity A-n together with the set of IDPs that SP may use; each IDP is registered as a proxy entity B-n:
  • SP1 = A-1 {IDP1, IDP2}
  • SP2 = A-2 {IDP2, IDP3}
  • SP3 = A-3 {all}
  • IDP1 = B-1
  • IDP2 = B-2
  • IDP3 = B-3

  7. WAYF/WAYF-less operation
  (Diagram: SP1–SP3 and IDP1–IDP3 around the hub; a login either passes through the central WAYF for IDP selection, or runs WAYF-less when the IDP is already known for the request.)

  8. Hub & spoke pros/cons
  Pros
  • 1 connection per IDP/SP
  • Minimal overhead for IDPs
  • Centralized (technical) management
    • Specialist knowledge @ SURFnet, less needed at IDP/SP
  • Scales well at national level
  • Extra features easier to do
    • Web services
    • Group support
  Cons
  • Procedures
    • Release consent per SP
    • Key/cert/metadata changes
  • Lack of knowledge @ IDP: double-edged sword…
  • Scalability at European level
  • Can only support the common denominator

  9. Importing eduGAIN SPs
  (Diagram: eduGAIN side holds SPx = ddd, SPy = eee, SPz = fff; SPz is imported into the hub as proxy entity A-z with its own IDP list.)
  • SP1 = A-1 {IDP1, IDP2}
  • SP2 = A-2 {IDP2, IDP3}
  • SP3 = A-3 {all}
  • SPz = A-z {IDP2, IDP3}
  • IDP1 = B-1
  • IDP2 = B-2
  • IDP3 = B-3

  10. Exporting IDPs
  (Diagram: IDP3 is exported to eduGAIN as B-3, the hub's proxy entity for it; all other entries as on slide 9.)

  11. Exporting SPs to eduGAIN
  (Diagram: SP3 is exported to eduGAIN as itself (SP3 = SP3, not as a proxy entity) and can thus be reached by the eduGAIN IDP IDPz; all other entries as on slide 9.)

  12. SP auth list (optional)
  (Diagram: eduGAIN IDPs IDPx, IDPy, IDPz alongside the exported SP3; all other entries as on slide 9.)
  Per-SP auth list for SP3:
  • IDP1
  • IDP2
  • IDPz

  14. Future plans
  • Integrate with SURFconext
    • Procedural/organisational
    • Technical (level of integration TBD)
  • Change of consent model
    • Opt-in → Opt-out
    • Addition of user consent
  • Web service support
    • Needed for (scientific) workflows
  • Rich client / beyond web SSO / mobile support
  • Rethink procedures/management

  15. Remco Poortinga – van Wijnen
  remco.poortinga@surfnet.nl
  federatie-beheer@surfnet.nl
  www.surfnet.nl
  Presentation released under Creative Commons http://creativecommons.org/licenses/by/3.0/


  17. Backup slides

  18. URLs
  • An SP that wants to take part must speak SAML (because for this we are not a proxy, as we normally are).
  • https://wayf.surfnet.nl/federate/surfnet/edugain
  • 2 IDPs: SURFnet & TERENA; 1 SP: TERENA. (The MDS also shows: the TERENA IDP goes via the gateway with the IDP passed URL-encoded instead of via SAML scoping (as the WAYF does) -> not everyone implements that, so for interoperability we do it this way.)
  • It is also possible to generate SP-specific metadata (per SP from our federation) for SPs that do not want to maintain an auth list themselves. It contains the SURFfederatie IDPs + 'approved' eduGAIN IDPs.
  (C) 2011 SURFnet B.V.
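The opt-in model of slides 6 and 12 (a per-SP list of IDPs, or "all") and the SP-specific metadata of slide 18 can be shown together in one piece of code. The example below is added here and is not SURFnet's code: the entity IDs, endpoints, the set of "approved" eduGAIN IDPs and the extra SP4 are constructed for the example, and the rule that an SP may only opt in to eduGAIN IDPs the hub operator has approved is an assumption about how the approval step works. It computes the IDP set for an SP (which is also what the WAYF should show), enforces that set when a response from an IDP arrives at the hub, and emits a SAML 2.0 EntitiesDescriptor containing exactly those IDPs.

```python
# Added example (not SURFnet's code): opt-in IdP lists per SP in a hub & spoke
# federation, with eduGAIN IdPs admitted only after approval, and generation of
# SP-specific SAML 2.0 metadata listing exactly the IdPs the SP may use.
# Entity IDs, endpoints and the approval set below are constructed for the example.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Local (SURFfederatie-side) IdPs: name -> (entityID, SSO endpoint). Constructed values.
LOCAL_IDPS = {
    "IDP1": ("https://idp1.example.nl/saml2/idp", "https://idp1.example.nl/saml2/sso"),
    "IDP2": ("https://idp2.example.nl/saml2/idp", "https://idp2.example.nl/saml2/sso"),
    "IDP3": ("https://idp3.example.nl/saml2/idp", "https://idp3.example.nl/saml2/sso"),
}
# IdPs imported from eduGAIN. Constructed values.
EDUGAIN_IDPS = {
    "IDPx": ("https://idpx.example.org/idp", "https://idpx.example.org/idp/sso"),
    "IDPy": ("https://idpy.example.org/idp", "https://idpy.example.org/idp/sso"),
    "IDPz": ("https://idpz.example.org/idp", "https://idpz.example.org/idp/sso"),
}
# Assumption: the hub operator approves eduGAIN IdPs before any SP may opt in to them.
APPROVED_EDUGAIN = {"IDPz"}

# Per-SP auth lists as on slides 6 and 12: an explicit list of IdP names, or "all"
# for every local IdP plus every approved eduGAIN IdP.
AUTH_LISTS = {
    "SP1": ["IDP1", "IDP2"],
    "SP2": ["IDP2", "IDP3"],
    "SP3": ["IDP1", "IDP2", "IDPz"],
    "SPz": ["IDP2", "IDP3"],   # eduGAIN SP imported as proxy entity A-z
    "SP4": "all",              # hypothetical SP that keeps no auth list of its own
}


def idps_for_sp(sp):
    """Sorted IdP names that `sp` may use; raises on unknown SPs, unknown or unapproved IdPs."""
    if sp not in AUTH_LISTS:
        raise KeyError(f"unknown SP {sp!r}")
    wanted = AUTH_LISTS[sp]
    if wanted == "all":
        return sorted(set(LOCAL_IDPS) | APPROVED_EDUGAIN)
    chosen = []
    for name in wanted:
        if name in LOCAL_IDPS:
            chosen.append(name)
        elif name in EDUGAIN_IDPS:
            if name not in APPROVED_EDUGAIN:
                raise ValueError(f"{sp}: eduGAIN IdP {name} is not approved")
            chosen.append(name)
        else:
            raise ValueError(f"{sp}: unknown IdP {name}")
    return sorted(chosen)


def entity_id(name):
    """entityID of a known IdP (local or eduGAIN)."""
    return (LOCAL_IDPS.get(name) or EDUGAIN_IDPS[name])[0]


def authorized(sp, idp_entity_id):
    """Hub-side enforcement: may a response issued by this IdP be forwarded to `sp`?
    Needed for WAYF-less flows, where the IdP was not chosen from the filtered WAYF list."""
    try:
        allowed = {entity_id(n) for n in idps_for_sp(sp)}
    except (KeyError, ValueError):
        return False
    return idp_entity_id in allowed


def build_sp_metadata(sp):
    """md:EntitiesDescriptor with one IDPSSODescriptor per IdP on the SP's list: the
    'SP-specific metadata' an SP consumes instead of maintaining an auth list itself."""
    ET.register_namespace("md", MD_NS)
    root = ET.Element(f"{{{MD_NS}}}EntitiesDescriptor", Name=f"urn:example:sp-view:{sp}")
    for name in idps_for_sp(sp):
        eid, sso = LOCAL_IDPS.get(name) or EDUGAIN_IDPS[name]
        ed = ET.SubElement(root, f"{{{MD_NS}}}EntityDescriptor", entityID=eid)
        idp = ET.SubElement(ed, f"{{{MD_NS}}}IDPSSODescriptor",
                            protocolSupportEnumeration=SAML2_PROTOCOL)
        ET.SubElement(idp, f"{{{MD_NS}}}SingleSignOnService",
                      Binding=HTTP_REDIRECT, Location=sso)
    return ET.tostring(root, encoding="unicode")


def idp_entity_ids_in_metadata(xml_text):
    """Parse SAML metadata and return the sorted entityIDs that carry an IDPSSODescriptor."""
    root = ET.fromstring(xml_text)
    return sorted(ed.get("entityID") for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor")
                  if ed.find(f"{{{MD_NS}}}IDPSSODescriptor") is not None)


if __name__ == "__main__":
    for sp in AUTH_LISTS:
        print(sp, "->", idps_for_sp(sp))
    print(build_sp_metadata("SP3"))
```

The same `idps_for_sp` result drives three places that must agree: the WAYF list shown to the user, the check on incoming responses, and the generated metadata. Keeping them on one function is what makes the opt-in list an enforced boundary rather than a display filter.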

  19. Metadata
  https://aai-viewer.switch.ch/interfederation-test/test/
  We are currently not saml2int compliant (we treat attributes as NameFormat 'unspecified'; according to the spec it must be 'uri').
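saml2int requires every SAML attribute to be named with `NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`; SAML 2.0 core treats a missing NameFormat as 'unspecified', so omitting it is the same non-compliance as writing it out. The checker below is an added example, not SURFnet's code or tooling: it reports the attributes in an AttributeStatement that fail the rule and rewrites those whose Name already is a URI. The AttributeStatement is constructed for the example, including a deliberately bare `uid` attribute that cannot be fixed by changing the format alone.

```python
# Added example (not SURFnet's code): find SAML 2.0 attributes that do not use the
# saml2int-required NameFormat 'uri', and normalise the ones whose Name is already a URI.
# The AttributeStatement below is constructed for the example.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue>student@example.nl</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>student@example.nl</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
    <saml:AttributeValue>student</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="uid">
    <saml:AttributeValue>s1234567</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def noncompliant_attributes(xml_text):
    """(Name, effective NameFormat) for every Attribute whose NameFormat is not 'uri'.
    A missing NameFormat means 'unspecified' per SAML 2.0 core, so it is reported as such."""
    root = ET.fromstring(xml_text)
    bad = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        fmt = attr.get("NameFormat", UNSPECIFIED_FORMAT)
        if fmt != URI_FORMAT:
            bad.append((attr.get("Name"), fmt))
    return bad


def normalise_name_format(xml_text):
    """Set NameFormat='uri' on attributes whose Name is URI-shaped (urn:... or scheme://...).
    Bare names such as 'uid' are left untouched: they need a proper URI name first."""
    ET.register_namespace("saml", SAML_NS)
    root = ET.fromstring(xml_text)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        looks_like_uri = name.startswith("urn:") or "://" in name
        if attr.get("NameFormat", UNSPECIFIED_FORMAT) != URI_FORMAT and looks_like_uri:
            attr.set("NameFormat", URI_FORMAT)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", noncompliant_attributes(SAMPLE_STATEMENT))
    fixed = normalise_name_format(SAMPLE_STATEMENT)
    print("after:", noncompliant_attributes(fixed))
```

Run it against an assertion captured from your own IdP (the aai-viewer test endpoint above shows what a relying party sees); anything left in the "after" list has a name that is not a URI and must be renamed, typically to its urn:oid form, before the deployment is saml2int compliant.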
