Federation as a Service Marina Vermezović, AMRES Federated Identity Technology Workshop Sofia, Bulgaria, 20. Jun 2014

Federation as a Service

Marina Vermezović, AMRES

Federated Identity Technology Workshop

Sofia, Bulgaria, 20. Jun 2014.

2Connect | Communicate | Collaborate

Federation as a Service

Lower the technology barrier for NRENs and other interested groups in order to build their Identity federation and use eduGAIN.

Number facts, when we started:

43 partners in GN3plus

almost all GN3plus partners in eduroam, 18 federations in eduGAIN

21 GN3plus partners don’t have WebSSO Identity federation

source: www.edugain.org source: www.eduroam.org


Federation as a service

Half of the GN3plus partners do not operate and WebSSO Federation

As the consequence, they are not able to use othe GN3plus services such as:

eduGAIN

Cloud services supported by SA7 activity:– Collaboration suites– File storage and synchronization services– Realtime communication, webconferencing services– Infrastructure as a Service


FaaS Market Analysis

First, we needed to understand what are the issues hindering development of Identity federations in NRENs

April - September 2013 FaaS was conducting Market Analysis talking to NRENs

6 NRENs responded and were interviewed

Based on the results, we wrote Market Analysis and Pilot Service Definition document

https://intranet.geant.net/SA5/_layouts/15/WopiFrame.aspx?sourcedoc=/SA5/Shared%20Documents/Milestones/MS83_MS5-4-1_Federation-as-a-Service-Pilot-Service-Definition-and-Market-Analysis.docx&action=default




interestmanpowerknowledgeserver infrastructure

priorityfundingserver infrastructureknowledgemanpower policyno SPs

FaaS Survey – Identifying Issues

interestmanpowerknowledgeserver infrastructuremanagement of user identites

NREN

Institution Authentication Infrastructure

Institution Identity Management






NREN








NREN




Federation and Interfederation trustmodel

SPmetadata

IdPmetadata

Federationmetadatalocal federation

Interfederationmetadatalocal federation opt-ed+ eduGAIN

Identity Federation

Options for exposing the entities to eduGAIN: opt-IN or opt-OUT


Federation metadata management

Task list:

Registration of IdP and SP entites metadata

Validate metadata

Enrich entites metadata – e.g. geolocation, logo

Aggregate metadata

Sign metadata

Republishing interfederation metadata in local federation

Publish local federation entites that want to interfederate

Important

Gets too cumbersome to do this manually, use tools for automatization!

Important to perform securely and trustworthy


FaaS in GN3plus

Goal: Lower the technology barrier for deployment of Identity federation for NRENs and other groups

Provide the tools to efficently manage Identity federation and connect to eduGAIN

Each FaaS customer gets its own FaaS instance with hosted tools:

Resource Registry – register IdPs and SPs and their metadata

Metadata Aggregation

Metadata signing using HSM

Central Backup Discovery service


FaaS workflow

IdP/SP administerively register in federation outband from the RR

In this procedure IdP/SP administrators are appointed

IdP/SP admin can register the entity in RR via simple registration form

Federation operator needs to approve registration

IdP/SP admin can enrich entity metadata through rich and user friendly form

IdP/SP admin can request for entity to be published in the local federation and interfederation

Federation operator needs to approve such request


FaaS timeline

Entered the pilot in May 2014

Currently piloting with 2 NRENs - ACOnet and AMRES

Preparing for FaaS workshop in October 2014 for all interested NREN

Workshop will focus on Federation operator practices and hands-on for FaaS tools !

If you are interested to participate in the workshop please contact us!

[email protected], [email protected]

mailto:[email protected]

mailto:[email protected]


www.geant.net

www.twitter.com/GEANTnews | www.facebook.com/GEANTnetwork | www.youtube.com/GEANTtv

Connect | Communicate | Collaborate

Thank you!