Cancún - Mexico, 28.05.2014 Andrea Biancini Towards a Federation as a Service From IdP in the Cloud project to FaaS

Cancún - Mexico, 28.05.2014

Andrea Biancini

Towards a Federation as a ServiceFrom IdP in the Cloud project to FaaS

Andrea Biancini

2


Agenda

• What is an Identity Federation• What needs to be done to operate a Federation

Introduction: the theoretical standpoints

• What have we done? IdP in the cloud project• Project implementation• Benefits and project results

What we learnt and did to grow a Federation

• Extending this approach to Federation managers• Identifying the key processes• Implementing a Federation «appliance»• ELCIRA: activities and expected benefits

The ongoingproject activities

Andrea Biancini

3


What is an Identity Federation

An Identity Federation is a collection of organizations that agree to interoperate under a certain rule to manage user identities.

Within a Federation different organizations cooperate in managing identities by taking care of their users and services.

The Federation builds a global trust within the different organizations.

Andrea Biancini

4


What needs to be done to operate a Fed. Participants have to:

Define procedures to create and manage an IdP; Define procedures to create and manage an SP.

Federation managers have to: Registering an entity (IdP or SP) in the Federation

Validating metadata information toward Federation policies;

Performing all security controls and signing metadata; Guiding the participants in the implementation of an

Identity Management policy. Signing and distributing the Metadata. Providing accessory services (like information pages

or Discovery Service).

Andrea Biancini

5


What we learnt from our communities From a participant’s point of view, the more

complex task is that of creating and managing an IdP.

In this activity, in fact, the participant has to: Manage a lot of different technologies (Shibboleth,

Tomcat, LDAP, security on the server, …); Monitor and update constantly the technical

infrastructure (for security and quality of service); Manage privacy and identity management

policies; Manage users and passwords.

Many entities do not have enough skills or resources to manage them all!

Andrea Biancini

6


The answer to this problem!

To tackle this problem, GARR started the “IdP in the cloud” service Goal: offering IdPs as a service on a cloud

infrastructure!

This service permitted to take away greater part of the job from Federation participants. All technological aspects are managed by GARR on

behalf of the participating entity (including monitoring and updates);

Compliance to regulation and Federation policy is delegated to GARR;

The participating entity “only” has to manage users and passwords.

7

How we did this: the infrastructure

2 sites, 12 servers

Instances, images & Data

GlusterFS

OpenstackVM unique flavorPublic IPs

Service VMs Nagios, Splunk,

Collectd DNS Puppet Master

IdP VMs go here

Andrea BianciniCancún - Mexico, 28.05.2014

8

Use a Puppet recipe to describe the features of the “IdP in the cloud” VM

How we did this: automatization

=> IDP in the Cloud

• Shibboleth IdP• uApprove• Custom login

page

• Apache2• OpenLDAP• phpLDAPadmin• MySQL

• iptables• rsyslog• Nagios,

Collectd probes

Web interfaces openLDAP

Base VM – 2 vCPU, 4 GB RAM, 20 GB diskUbuntu 12.04 + Puppet Agent


9

Key benefits of IdP in the cloud

Operation

Focus on your users’ identity

Focus on the services they

want

Organization

Tutored pre & post

provisioning

Marginal OpEx, no CapEx

Compliance with federation

policies

Technology

Quick provisioning

Continuous delivery

Resiliency, openness, …


Andrea Biancini

10


Project results

With this approach the Identity Federation is diffusing into new communities: Institutions in the biomedical research with small IT

teams; Cultural heritage institutions.

From request to Federated IdP in a few days (including administrative tasks) with no technical effort from requestor!

Possibility to manage all these systems with limited human resources (~10 IdP, < 0.5 FTE)

11

Extending this approach


We are extending this approach (used for IdP in the Cloud) from participants to Federation managers!

We plan to provide a Federation «appliance» (provisioned on a Cloud) with all the required technological components to implement a fully functional Federation.

12

Indentifying the key processes


As said, the main processes a Federation manager has to implement are: Registering an entity (IdP or SP) in the Federation Signing and distributing the Metadata. Providing accessory services (like information pages

or Discovery Service).

Among them, we have found that the more complex to be implemented is the first. In fact: it requires human and technical validation; it is the process that permits to create the trust; entities are what the users see of the Federation!

13

Registering an entity in the Federation


Registration of an entity (IdP or SP) in the FederationRe

ques

tor

entit

yG

ARR

adm

inis

trati

onFe

dera

tion

man

ager

sIDEM – the Italian Identity Federation

Completes and sends all required

documents to GARR (as by the process)

Verify the «Member Accession Form»

document.

Verify the «Registration

Request» document.

Verify the Metadata and validate the

quality of the information

Signing and distribution of the Metadata to the

Federation

Verify the entity is working correctly and releasing the right attributes

End

Security checks on certificates and keys

14

Supporting the process


To support and standardize the process, we implemented a workflow for entity registration

This flow spans two integrated tools: Resource Registry: to validate metadata

information (and diffuse awareness); Metadata Aggregator: to verify all the

security aspects bound to certificates and to sign the metadata for the distribution to the Federation (and inter-federations).

15

The scenario


RR

DS

Fed MD

Interfederation

Interfed. MD

MDA

Fed MD +

Interfed. MDOR

Interfed. test MD

Administrative Technical

FaaS

Federationoperator

· Dealing with customers requesting the service (approving, registering, provision of services)

· Managing instances of service

· Management of federation policy· Dealing with new IdPs and SPs joining

the federation (auditing, approving, registering, etc. )

· Support and communications with IdP and SPs

· Managing RR

MDS MDS test

Interfed. test MD

Fed MD opt-ed

16

Technology to be developed


To provision the Federation «appliance» new Puppet recipes are being developed to automatize installation of the software components.

With these developments, the IdP in the cloud schema will be extended to permit the provisioning of a complete Federation as a service on a Cloud infrastructure.

17

Expected goals


With this «appliance» we plan to standardize and support Federation operations.

By consuming this FaaS service, it will be possible to: Start rapidly the operation of a new Federation, by

almost eliminating the technological step in; Leverage experiences and best practices to operate

effectively a Federation even starting with little or no prior experience.

Andrea Biancini

18


ELCIRA: adopting Federations ELCIRA will support the adoption of Identity

Fedarations in Latin America.

But, as we have seen, deploy Federations is hard!1. Technology needs to be installed and

managed2. Processes, steps, attribution of

responsibility have to be implemented

ELCIRA will borrow GARR experience in automatizing components installation in a cloud and in operating a Federation.

Andrea Biancini

19


ELCIRA: supporting IdP installation

We will leverage GARR experience and solutions, developed during IdP in the Cloud project, to grow IdP diffusion within new or existing Federations.

This will permit NRENs to: Guarantee compliance to qualitative

standards for new IdPs in the Federation; Give the opportunity to enter rapidly in

production with a Federation entity!

Andrea Biancini

20


ELCIRA: how to sustain new Federations?

GARR also provides support in sustaining the birth of new Federations by: Sharing best practices for the key

processes; Sharing lesson learnt, dos and don’ts; Providing technical solutions, as the

“federation appliance” described earlier.

21

Thanks!

Q&A


Andrea Biancini


IdP in the CloudShowcase

23

What IdP in the Cloud is

The service goal: make the deployment and the management of the identity providers easy, by minimizing the activities and the complexity for home organizations.

• IdP as a Service (PaaS)

• IdM as a Service (SaaS)

=> IdP in the CloudBenefits Dedicated virtual appliance Updates and customization Federation policy compliancy Cloud advantages

First cloud service from GARR


24

Getting an IdP in the cloud

Request for an “IdP in the Cloud”

IdP instantiation and configuration

IdP delivery and user management

Tutor the user in preparing the documents requested by GARR and the IDEM Federation

The service creates a new IdP taking care of Tools installation and configuration Pre-production assessment Federation policies

Ready-to-use dedicated IdP VM to access federated services.

Requestor tutored in managing users identities.


25

The request document


Is a very easy document to be produced by the requesting organization, with the following information (used to customize IdP and its Metadata):

Organization name Organization internet domain IdP name (or EntityID) Description of the service Organization public web site URL Organization privacy policy page URL IdP Informative web page URL (shown to users) Organization logo images Technical contact mailing list

26

Provisioning the VM


Live demo!

A new configuration for the IdP will be installed on the Puppet agent (with the support of two scripts created ad-hoc).

Puppet will take care of all the rest!

27

Puppet


Open source framework able to automate repetitive system administration tasks.

Automatize the provisioning and configuration of IT servers.

28

Basic principles of Puppet


Everything is described as a

resource

Puppet executes transitions among resource states

(without a definite precedence)

The final state

represents the desired

result

29

IdP in the cloud: user perspective

User interfaces:• Custom IdP login

page• IdM interface• Access log analysis

toolsAndrea Biancini


We are evaluating Perun a tool that could replace phpldapadmin.More information here: http://perun.cesnet.cz.

30

That’s all folks!

Q&A


Documents

Cancún - Mexico, 28.05.2014 Andrea Biancini Towards a Federation as a Service From IdP in the Cloud project to FaaS