From DARIAH AAI 2.0 to 3.0
why and how
15th FIM4R Workshop, Vienna Feb. 17, 2020
Peter Gietz, Martin Haase, DAASI International
What is DARIAH
● DARIAH: Digital Research Infrastructure for the Arts and Humanities
● DARIAH is a pan-European infrastructure for arts and humanities scholars working with computational methods. It supports digital research as well as the teaching of digital research methods.
● One of the few ESFRI research infrastructures for the humanities (the ERIC has been operating since 2014)
● DARIAH’s mission is to develop, maintain and operate an infrastructure in support of ICT-based research practices. Infrastructure means administration, software and storage services, but also curricula and methodology
● Working with communities of practice: humanities scholars supporting their VREs
Virtual Research Environments in the humanities
[Figure: architecture diagrams of DARIAH AAI V 1.0 and DARIAH AAI V 2.0, showing the Proxy SP, the Proxy IdP and the Resource SPs]
de.dariah.eu
DARIAH AAI 2.0 and 3.0 have this same architecture
DARIAH AAI 2.0
● Current DARIAH AAI 2.0 technology
– AAI Proxy: based on Shibboleth IdP+SP+small glue code for handing over attributes
– Dariah "homeless" IdP: Shibboleth IdP
● Proxy has been in production since 2018
● IdP has been running much longer (since ~2012, at first as DARIAH AAI v1, which used Attribute Queries from every Mesh SP)
● All DARIAH-DE and a number of DARIAH-EU services are "behind" the Proxy
DARIAH AAI 3.0 with simpleSAMLphp
● Switch from Shibboleth had the following advantages:
– re-using the SSO infrastructure of GWDG (Max Planck/Göttingen University Computing Centre), which will be in charge of operating the AAI long-term
– sustainable and fault-tolerant deployment using Puppet directly from Gitlab
– in AAI 2.0, the proxy's SP part used SAML Attribute Aggregation with Attribute Queries against the "homeless" IdP. Now simpleSAMLphp allows direct LDAP queries (faster) with built-in means
● We still think that simpleSAMLphp has a number of disadvantages compared to Shibboleth:
– PHP versioning unclear, they make API changes that are not well-defined (people seem to push to the central GitHub repo without strict QA)
– ...which can be a time bomb: it took us quite some (different) glue code as well:
● Generation of SubjectID / pairwiseID
● sending users off to registration
● re-modeled Shibboleth IdP attribute filtering logic
● ...
– GUI templates: major shift to TWIG, which also breaks old GUIs
– seems much more suited to rapid development and not to sustainable operation
– badly missing Shibboleth's Attribute Authority Command Line Interface (AACLI) to simulate issuance of SAML Assertion
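The identifier generation that the proxy's glue code has to cover, as an added illustration that is not part of the DARIAH AAI or simpleSAMLphp code (Python stands in for the PHP authproc glue; the keyed-hash derivation for the pairwise-id, the example scope, uid and SP entityIDs are assumptions; the attribute names, the `subject-id:req` entity attribute and the value syntax are those of the SAML V2.0 Subject Identifier Attributes Profile):

```python
import base64
import hashlib
import hmac
import re

# Attribute names and the SP-side EntityAttribute defined by the SAML V2.0
# Subject Identifier Attributes Profile.
SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"
PAIRWISE_ID = "urn:oasis:names:tc:SAML:attribute:pairwise-id"
SUBJECT_ID_REQ = "urn:oasis:names:tc:SAML:profiles:subject-id:req"

# Profile syntax: value = uniqueID "@" scope; uniqueID is 1..127 chars of
# [a-zA-Z0-9=-], scope is a DNS domain name; values compare case-insensitively.
UNIQUE_ID_RE = re.compile(r"^[A-Za-z0-9=-]{1,127}$")
SCOPE_RE = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")


def _qualify(unique_id: str, scope: str) -> str:
    """Build uniqueID@scope, refusing anything the profile syntax forbids."""
    if not UNIQUE_ID_RE.fullmatch(unique_id):
        raise ValueError(f"invalid uniqueID: {unique_id!r}")
    if not SCOPE_RE.fullmatch(scope):
        raise ValueError(f"invalid scope: {scope!r}")
    return f"{unique_id}@{scope}".lower()


def subject_id(uid: str, scope: str) -> str:
    """Global, SP-independent identifier: the stable local uid under the IdP's scope."""
    return _qualify(uid, scope)


def pairwise_id(uid: str, sp_entity_id: str, scope: str, salt: bytes) -> str:
    """Per-SP identifier (assumed derivation): keyed hash over uid and SP entityID,
    so two SPs cannot correlate the same user. The salt is the IdP's long-term
    secret; rotating it silently reassigns every pairwise-id, so it must not change."""
    mac = hmac.new(salt, f"{uid}\x00{sp_entity_id}".encode(), hashlib.sha256).digest()
    unique_id = base64.b32encode(mac).decode().rstrip("=")  # 52 chars of [A-Z2-7]
    return _qualify(unique_id, scope)


def release_identifiers(uid: str, sp_entity_id: str, scope: str, salt: bytes,
                        sp_entity_attrs: dict) -> dict:
    """Pick the identifier attribute(s) for an SP from the subject-id:req value in
    its metadata: subject-id, pairwise-id, any or none. For "any" this policy
    prefers the pairwise-id, the less linkable of the two."""
    wanted = sp_entity_attrs.get(SUBJECT_ID_REQ, ["none"])[0]
    released = {}
    if wanted == "subject-id":
        released[SUBJECT_ID] = [subject_id(uid, scope)]
    elif wanted in ("pairwise-id", "any"):
        released[PAIRWISE_ID] = [pairwise_id(uid, sp_entity_id, scope, salt)]
    return released
```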
DARIAH AAI 3.0 with simpleSAMLphp
● Other goodies: Jagger!
– The same Puppet installation spawns a dockerized Jagger instance
– actually three: dev, stage, prod
– People love the new Web-based tool to manage their metadata
– The maintainers love not having to edit XML files that only live on the Proxy / IdP
● Dev / Stage / Prod is also new with IdP and Proxy now, which is a good thing, together with a strict Git deployment
DARIAH AAI 3.0
● PoC done (without Puppet)
● Development with Puppet done
● Integration tests succeeded (Dev/Stage)
● In the coming weeks (planned for 2020-03) the actual switch
– Need a hard shift for some SPs since both IP Address and Endpoints in SAML Metadata change
– Need to switch IdP and Proxy at the same time (SAML Attribute Queries vs. LDAP Queries)
● If there will ever be a DARIAH AAI 4.0 my proposal would be to base it on Satosa ;-)
DARIAH AAI 3.0 Roadmap
Thanks a lot!
Questions?
Contact and Infos:
● https://wiki.de.dariah.eu/display/publicde/DARIAH+AAI+Documentation
● https://www.dariah.eu
● https://www.daasi.de