Towards a Federation as a Service: From IdP in the Cloud project to FaaS
Andrea Biancini
Cancún - Mexico, 28.05.2014
Agenda
Introduction: the theoretical standpoints
• What is an Identity Federation
• What needs to be done to operate a Federation
What we learnt and did to grow a Federation
• What have we done? IdP in the cloud project
• Project implementation
• Benefits and project results
The ongoing project activities
• Extending this approach to Federation managers
• Identifying the key processes
• Implementing a Federation «appliance»
• ELCIRA: activities and expected benefits
What is an Identity Federation
An Identity Federation is a collection of organizations that agree to interoperate under a common set of rules to manage user identities.
Within a Federation, the different organizations cooperate in managing identities, each taking care of its own users and services.
The Federation builds a global trust among the different organizations.
What needs to be done to operate a Federation
Participants have to:
• Define procedures to create and manage an IdP;
• Define procedures to create and manage an SP.
Federation managers have to:
• Register an entity (IdP or SP) in the Federation:
  • Validate metadata information against Federation policies;
  • Perform all security controls and sign metadata;
  • Guide the participants in the implementation of an Identity Management policy.
• Sign and distribute the Metadata.
• Provide accessory services (like information pages or Discovery Service).
What we learnt from our communities
From a participant's point of view, the most complex task is creating and managing an IdP.
In this activity, in fact, the participant has to:
• Manage a lot of different technologies (Shibboleth, Tomcat, LDAP, security on the server, …);
• Monitor and update the technical infrastructure constantly (for security and quality of service);
• Manage privacy and identity management policies;
• Manage users and passwords.
Many entities do not have enough skills or resources to manage them all!
The answer to this problem!
To tackle this problem, GARR started the "IdP in the cloud" service. Goal: offering IdPs as a service on a cloud infrastructure!
This service takes the greater part of the job away from Federation participants:
• All technological aspects are managed by GARR on behalf of the participating entity (including monitoring and updates);
• Compliance with regulation and Federation policy is delegated to GARR;
• The participating entity "only" has to manage users and passwords.
How we did this: the infrastructure
(Figure: infrastructure diagram)
• 2 sites, 12 servers
• OpenStack, with a unique VM flavor and public IPs
• Instances, images and data stored on GlusterFS
• Service VMs: Nagios, Splunk, Collectd, DNS, Puppet Master
• IdP VMs go here
How we did this: automatization
Use a Puppet recipe to describe the features of the "IdP in the cloud" VM:
• Base VM: 2 vCPU, 4 GB RAM, 20 GB disk, Ubuntu 12.04 + Puppet Agent
• Shibboleth IdP, uApprove, custom login page
• Apache2, OpenLDAP, phpLDAPadmin (web interface for OpenLDAP), MySQL
• iptables, rsyslog, Nagios and Collectd probes
=> IdP in the Cloud
Key benefits of IdP in the cloud
Operation:
• Focus on your users' identity
• Focus on the services they want
Organization:
• Tutored pre & post provisioning
• Marginal OpEx, no CapEx
• Compliance with federation policies
Technology:
• Quick provisioning
• Continuous delivery
• Resiliency, openness, …
Project results
With this approach the Identity Federation is spreading into new communities:
• Institutions in biomedical research with small IT teams;
• Cultural heritage institutions.
From request to Federated IdP in a few days (including administrative tasks), with no technical effort from the requestor!
Possibility to manage all these systems with limited human resources (~10 IdPs, < 0.5 FTE).
Extending this approach
We are extending this approach (used for IdP in the Cloud) from participants to Federation managers!
We plan to provide a Federation «appliance» (provisioned on a Cloud) with all the required technological components to implement a fully functional Federation.
Identifying the key processes
As said, the main processes a Federation manager has to implement are:
• Registering an entity (IdP or SP) in the Federation;
• Signing and distributing the Metadata;
• Providing accessory services (like information pages or Discovery Service).
Among them, we have found that the most complex to implement is the first. In fact:
• it requires human and technical validation;
• it is the process that creates the trust;
• entities are what the users see of the Federation!
Registering an entity in the Federation
(Figure: flow diagram of the registration of an entity (IdP or SP) in the Federation, with swimlanes for the Requestor entity, GARR administration and the Federation managers of IDEM, the Italian Identity Federation.)
1. Completes and sends all required documents to GARR (as per the process).
2. Verify the «Member Accession Form» document.
3. Verify the «Registration Request» document.
4. Verify the Metadata and validate the quality of the information.
5. Security checks on certificates and keys.
6. Signing and distribution of the Metadata to the Federation.
7. Verify the entity is working correctly and releasing the right attributes.
8. End.
Supporting the process
To support and standardize the process, we implemented a workflow for entity registration.
This flow spans two integrated tools:
• Resource Registry: to validate metadata information (and spread awareness);
• Metadata Aggregator: to verify all the security aspects bound to certificates and to sign the metadata for distribution to the Federation (and inter-federations).
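The automated part of the metadata checks from the registration flow above (entityID and endpoint validation, presence of a certificate, organization and technical contact) as an added Python example, not code from GARR's Resource Registry or Metadata Aggregator. It runs over a constructed metadata document for a hypothetical IdP whose certificate is a stand-in DER blob, takes the organization's internet domain from the request document, and assumes that full X.509 checks (key size, expiry) and the signing step are done by a separate tool.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample metadata for a hypothetical IdP; the certificate is a stand-in DER blob, not a real X.509.
FAKE_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:Organization><md:OrganizationName xml:lang="en">Example Org</md:OrganizationName></md:Organization>
  <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:idp-support@example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""


def validate_entity(xml_text, org_domain):
    """Return the list of findings for one entity; an empty list means the automated checks pass."""
    root = ET.fromstring(xml_text)
    findings = []
    url = urlparse(root.get("entityID", ""))
    host = url.hostname or ""  # entityID must be an https URL within the domain declared in the request
    if url.scheme != "https" or not (host == org_domain or host.endswith("." + org_domain)):
        findings.append(f"entityID {url.geturl()!r} is not an https URL under {org_domain!r}")
    roles = root.findall("md:IDPSSODescriptor", NS) + root.findall("md:SPSSODescriptor", NS)
    if not roles:
        findings.append("no IDPSSODescriptor or SPSSODescriptor role")
    for role in roles:
        certs = role.findall(".//ds:X509Certificate", NS)
        if not certs:
            findings.append("role has no X509Certificate in a KeyDescriptor")
        for cert in certs:  # only the encoding is checked here; key size and expiry need an X.509 parser
            try:
                der = base64.b64decode((cert.text or "").strip(), validate=True)
            except ValueError:
                der = b""
            if not der.startswith(b"\x30"):  # DER SEQUENCE tag
                findings.append("X509Certificate is not a base64-encoded DER certificate")
        for endpoint in role:  # every SAML endpoint of the role must be served over TLS
            loc = endpoint.get("Location")
            if loc is not None and not loc.startswith("https://"):
                findings.append(f"endpoint {loc!r} is not https")
    if root.find("md:Organization/md:OrganizationName", NS) is None:
        findings.append("missing Organization/OrganizationName")
    if not root.findall("md:ContactPerson[@contactType='technical']/md:EmailAddress", NS):
        findings.append("missing technical ContactPerson with EmailAddress")
    return findings
```

A non-empty result is what would send the request back to the requestor for correction before the metadata reaches the signing step.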
The scenario
(Figure: FaaS scenario diagram, split into an Administrative and a Technical area. Components: Resource Registry (RR), Discovery Service (DS), Metadata Aggregator (MDA), MDS and MDS test. Metadata flows: Fed MD, Interfed. MD, Fed MD + Interfed. MD or Interfed. test MD, Fed MD opt-ed.)
Federation operator:
· Dealing with customers requesting the service (approving, registering, provision of services)
· Managing instances of service
· Management of federation policy
· Dealing with new IdPs and SPs joining the federation (auditing, approving, registering, etc.)
· Support and communications with IdPs and SPs
· Managing RR
Technology to be developed
To provision the Federation «appliance», new Puppet recipes are being developed to automate the installation of the software components.
With these developments, the IdP in the cloud schema will be extended to permit the provisioning of a complete Federation as a service on a Cloud infrastructure.
Expected goals
With this «appliance» we plan to standardize and support Federation operations.
By consuming this FaaS service, it will be possible to:
• Start the operation of a new Federation rapidly, by almost eliminating the technological step-in;
• Leverage experiences and best practices to operate a Federation effectively, even starting with little or no prior experience.
ELCIRA: adopting Federations
ELCIRA will support the adoption of Identity Federations in Latin America.
But, as we have seen, deploying Federations is hard!
1. Technology needs to be installed and managed
2. Processes, steps, attribution of responsibility have to be implemented
ELCIRA will borrow GARR's experience in automating component installation in a cloud and in operating a Federation.
ELCIRA: supporting IdP installation
We will leverage GARR experience and solutions, developed during the IdP in the Cloud project, to grow IdP diffusion within new or existing Federations.
This will permit NRENs to:
• Guarantee compliance with qualitative standards for new IdPs in the Federation;
• Give the opportunity to enter production rapidly with a Federation entity!
ELCIRA: how to sustain new Federations?
GARR also provides support in sustaining the birth of new Federations by:
• Sharing best practices for the key processes;
• Sharing lessons learnt, dos and don'ts;
• Providing technical solutions, such as the "federation appliance" described earlier.
Thanks!
Q&A

IdP in the Cloud Showcase
What IdP in the Cloud is
The service goal: make the deployment and the management of identity providers easy, by minimizing the activities and the complexity for home organizations.
• IdP as a Service (PaaS)
• IdM as a Service (SaaS)
=> IdP in the Cloud
Benefits:
• Dedicated virtual appliance
• Updates and customization
• Federation policy compliance
• Cloud advantages
First cloud service from GARR.
Getting an IdP in the cloud
1. Request for an "IdP in the Cloud": tutor the user in preparing the documents requested by GARR and the IDEM Federation.
2. IdP instantiation and configuration: the service creates a new IdP, taking care of tools installation and configuration, pre-production assessment and Federation policies.
3. IdP delivery and user management: ready-to-use dedicated IdP VM to access federated services; requestor tutored in managing user identities.
The request document
It is a very easy document for the requesting organization to produce, with the following information (used to customize the IdP and its Metadata):
• Organization name
• Organization internet domain
• IdP name (or EntityID)
• Description of the service
• Organization public web site URL
• Organization privacy policy page URL
• IdP informative web page URL (shown to users)
• Organization logo images
• Technical contact mailing list
Provisioning the VM
Live demo!
A new configuration for the IdP will be installed on the Puppet agent (with the support of two scripts created ad hoc).
Puppet will take care of all the rest!
Puppet
Open source framework able to automate repetitive system administration tasks.
It automates the provisioning and configuration of IT servers.
Basic principles of Puppet
• Everything is described as a resource.
• Puppet executes transitions among resource states (without a definite precedence).
• The final state represents the desired result.
IdP in the cloud: user perspective
User interfaces:
• Custom IdP login page
• IdM interface
• Access log analysis tools
We are evaluating Perun, a tool that could replace phpLDAPadmin. More information here: http://perun.cesnet.cz.
That’s all folks!
Q&A