Cancún - Mexico, 28.05.2014 Andrea Biancini Towards a Federation as a Service From IdP in the Cloud project to FaaS


Page 1

Cancún - Mexico, 28.05.2014

Andrea Biancini

Towards a Federation as a Service
From IdP in the Cloud project to FaaS

Page 2

Agenda

Introduction: the theoretical standpoints
• What is an Identity Federation
• What needs to be done to operate a Federation

What we learnt and did to grow a Federation
• What have we done? IdP in the cloud project
• Project implementation
• Benefits and project results

The ongoing project activities
• Extending this approach to Federation managers
• Identifying the key processes
• Implementing a Federation «appliance»
• ELCIRA: activities and expected benefits

Page 3

What is an Identity Federation

An Identity Federation is a collection of organizations that agree to interoperate under a common set of rules to manage user identities.

Within a Federation, different organizations cooperate in managing identities by taking care of their own users and services.

The Federation establishes trust among the participating organizations.

Page 4

What needs to be done to operate a Federation

Participants have to:
• Define procedures to create and manage an IdP;
• Define procedures to create and manage an SP.

Federation managers have to:
• Register an entity (IdP or SP) in the Federation:
  - validating metadata information against Federation policies;
  - performing all security controls and signing metadata;
  - guiding the participants in the implementation of an Identity Management policy.
• Sign and distribute the Metadata.
• Provide accessory services (like information pages or Discovery Service).

Page 5

What we learnt from our communities

From a participant's point of view, the most complex task is creating and managing an IdP.

In this activity, in fact, the participant has to:
• manage many different technologies (Shibboleth, Tomcat, LDAP, security on the server, …);
• constantly monitor and update the technical infrastructure (for security and quality of service);
• manage privacy and identity management policies;
• manage users and passwords.

Many entities do not have enough skills or resources to manage them all!

Page 6

The answer to this problem!

To tackle this problem, GARR started the "IdP in the cloud" service. Goal: offering IdPs as a service on a cloud infrastructure!

This service takes most of the job away from Federation participants:
• all technological aspects are managed by GARR on behalf of the participating entity (including monitoring and updates);
• compliance with regulation and Federation policy is delegated to GARR;
• the participating entity "only" has to manage users and passwords.

Page 7

How we did this: the infrastructure

Diagram: 2 sites, 12 servers. OpenStack (VMs with a unique flavor, public IPs); instances, images and data on GlusterFS; service VMs running Nagios, Splunk, Collectd, DNS and the Puppet Master; the IdP VMs are provisioned alongside them.

Page 8

How we did this: automatization

A Puppet recipe describes the features of the "IdP in the cloud" VM.

Base VM: 2 vCPU, 4 GB RAM, 20 GB disk, Ubuntu 12.04 + Puppet Agent
=> IdP in the Cloud:
• Shibboleth IdP
• uApprove
• Custom login page
• Apache2
• OpenLDAP
• phpLDAPadmin
• MySQL
• iptables
• rsyslog
• Nagios, Collectd probes

(diagram labels: Web interfaces, openLDAP)

Page 9

Key benefits of IdP in the cloud

Operation
• Focus on your users' identity
• Focus on the services they want

Organization
• Tutored pre & post provisioning
• Marginal OpEx, no CapEx
• Compliance with federation policies

Technology
• Quick provisioning
• Continuous delivery
• Resiliency, openness, …

Page 10

Project results

With this approach the Identity Federation is spreading into new communities:
• institutions in biomedical research with small IT teams;
• cultural heritage institutions.

From request to Federated IdP in a few days (including administrative tasks), with no technical effort from the requestor!

All these systems can be managed with limited human resources (~10 IdP, < 0.5 FTE).

Page 11

Extending this approach

We are extending this approach (used for IdP in the Cloud) from participants to Federation managers!

We plan to provide a Federation «appliance» (provisioned on a Cloud) with all the required technological components to implement a fully functional Federation.

Page 12

Identifying the key processes

As said, the main processes a Federation manager has to implement are:
• registering an entity (IdP or SP) in the Federation;
• signing and distributing the Metadata;
• providing accessory services (like information pages or Discovery Service).

Among them, we have found that the most complex to implement is the first. In fact:
• it requires human and technical validation;
• it is the process that establishes the trust;
• entities are what the users see of the Federation!

Page 13

Registering an entity in the Federation

Flow chart: Registration of an entity (IdP or SP) in the Federation (IDEM – the Italian Identity Federation). Swimlanes: Requestor entity, GARR administration, Federation managers.

1. Requestor entity: completes and sends all required documents to GARR (as defined by the process).
2. GARR administration: verifies the «Member Accession Form» document.
3. GARR administration: verifies the «Registration Request» document.
4. Federation managers: verify the Metadata and validate the quality of the information.
5. Federation managers: security checks on certificates and keys.
6. Federation managers: signing and distribution of the Metadata to the Federation.
7. Federation managers: verify the entity is working correctly and releasing the right attributes.
8. End.

Page 14

Supporting the process

To support and standardize the process, we implemented a workflow for entity registration.

This flow spans two integrated tools:
• Resource Registry: to validate metadata information (and spread awareness);
• Metadata Aggregator: to verify all the security aspects bound to certificates and to sign the metadata for distribution to the Federation (and inter-federations).
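The metadata validation that the registration flow (slide 13) and the Resource Registry (slide 14) perform before certificates are checked and the metadata is signed can be mechanised. The Python below is an added example, not GARR's Resource Registry code; its policy rules (https-only entityID and endpoints under the domain declared in the request document, a certificate present, organization name and technical contact declared) and the sample EntityDescriptor are constructed assumptions.

```python
"""Federation-policy checks on a SAML 2.0 EntityDescriptor, modelled on the Resource
Registry step: reject metadata that breaks Federation rules before it is signed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample (not a real entity): plain-http SSO endpoint, no technical contact.
SAMPLE_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:Organization><md:OrganizationName xml:lang="en">Example University</md:OrganizationName></md:Organization>
</md:EntityDescriptor>"""


def in_domain(host: str, org_domain: str) -> bool:
    """True if host is org_domain or a subdomain of it (rejects look-alikes such as evil-example.edu)."""
    return host == org_domain or host.endswith("." + org_domain)


def check_entity(xml_text: str, org_domain: str) -> list:
    """Return the list of policy violations; an empty list means the entity passes."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID", "")
    eid = urlparse(entity_id)
    # entityID must be an https URL under the domain declared in the request document
    if eid.scheme != "https" or not in_domain(eid.hostname or "", org_domain):
        problems.append(f"entityID {entity_id!r} is not an https URL in {org_domain}")
    # every protocol endpoint must be served over TLS
    for elem in root.iter():
        loc = elem.get("Location")
        if loc and urlparse(loc).scheme != "https":
            problems.append(f"non-https endpoint {loc}")
    # a certificate must be present, otherwise the aggregator has no key to check
    certs = root.findall(".//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        problems.append("no X509Certificate in any KeyDescriptor")
    # organization name and a technical contact are required by the registration form
    if root.find("md:Organization/md:OrganizationName", NS) is None:
        problems.append("missing Organization/OrganizationName")
    if root.find("md:ContactPerson[@contactType='technical']/md:EmailAddress", NS) is None:
        problems.append("missing technical ContactPerson with EmailAddress")
    return problems
```

Run against the constructed sample, `check_entity(SAMPLE_IDP, "example.edu")` reports the plain-http endpoint and the missing technical contact; the certificate itself (expiry, key size) is left to the aggregator step.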

Page 15

The scenario

Diagram of the FaaS appliance and its metadata flows. Labels: RR, DS, MDA, MDS, MDS test, Fed MD, Fed MD opt-ed, Interfed. MD, Interfed. test MD, Fed MD + Interfed. MD (OR), Interfederation, Administrative / Technical, FaaS, Federation operator.

Federation operator tasks:
· Dealing with customers requesting the service (approving, registering, provision of services)
· Managing instances of service
· Management of federation policy
· Dealing with new IdPs and SPs joining the federation (auditing, approving, registering, etc.)
· Support and communications with IdPs and SPs
· Managing RR

Page 16

Technology to be developed

To provision the Federation «appliance», new Puppet recipes are being developed to automatize the installation of the software components.

With these developments, the IdP in the cloud schema will be extended to permit the provisioning of a complete Federation as a service on a Cloud infrastructure.

Page 17

Expected goals

With this «appliance» we plan to standardize and support Federation operations.

By consuming this FaaS service, it will be possible to:
• start the operation of a new Federation rapidly, by almost eliminating the technological step-in;
• leverage experiences and best practices to operate a Federation effectively, even starting with little or no prior experience.

Page 18

ELCIRA: adopting Federations

ELCIRA will support the adoption of Identity Federations in Latin America.

But, as we have seen, deploying Federations is hard!
1. Technology needs to be installed and managed
2. Processes, steps, attribution of responsibility have to be implemented

ELCIRA will borrow GARR experience in automatizing components installation in a cloud and in operating a Federation.

Page 19

ELCIRA: supporting IdP installation

We will leverage GARR experience and solutions, developed during the IdP in the Cloud project, to grow IdP diffusion within new or existing Federations.

This will permit NRENs to:
• guarantee compliance with qualitative standards for new IdPs in the Federation;
• give the opportunity to enter production rapidly with a Federation entity!

Page 20

ELCIRA: how to sustain new Federations?

GARR also provides support in sustaining the birth of new Federations by:
• sharing best practices for the key processes;
• sharing lessons learnt, dos and don'ts;
• providing technical solutions, such as the "federation appliance" described earlier.

Page 21

Thanks!

Q&A

Page 22

IdP in the Cloud Showcase

Page 23

What IdP in the Cloud is

The service goal: make the deployment and the management of identity providers easy, by minimizing the activities and the complexity for home organizations.

• IdP as a Service (PaaS)
• IdM as a Service (SaaS)
=> IdP in the Cloud

Benefits:
• Dedicated virtual appliance
• Updates and customization
• Federation policy compliance
• Cloud advantages

First cloud service from GARR

Page 24

Getting an IdP in the cloud

1. Request for an "IdP in the Cloud": tutor the user in preparing the documents requested by GARR and the IDEM Federation.
2. IdP instantiation and configuration: the service creates a new IdP, taking care of tools installation and configuration, pre-production assessment and Federation policies.
3. IdP delivery and user management: ready-to-use dedicated IdP VM to access federated services; requestor tutored in managing user identities.

Page 25

The request document

It is a very easy document to be produced by the requesting organization, with the following information (used to customize the IdP and its Metadata):
• Organization name
• Organization internet domain
• IdP name (or EntityID)
• Description of the service
• Organization public web site URL
• Organization privacy policy page URL
• IdP informative web page URL (shown to users)
• Organization logo images
• Technical contact mailing list

Page 26

Provisioning the VM

Live demo!

A new configuration for the IdP will be installed on the Puppet agent (with the support of two scripts created ad-hoc).

Puppet will take care of all the rest!

Page 27

Puppet

Open source framework able to automate repetitive system administration tasks.

It automates the provisioning and configuration of IT servers.

Page 28

Basic principles of Puppet

• Everything is described as a resource.
• Puppet executes transitions among resource states (without a definite precedence).
• The final state represents the desired result.

Page 29

IdP in the cloud: user perspective

User interfaces:
• Custom IdP login page
• IdM interface
• Access log analysis tools

We are evaluating Perun, a tool that could replace phpLDAPadmin. More information here: http://perun.cesnet.cz.

Page 30

That's all folks!

Q&A