Trust Router Workshop
15th October 2014
Introduction to the Day
Moonshot Workshop
Agenda
10:00 – 10:10 Intro to the morning
10:00 – 12:30 Trust Router & Peering (11:00 Break)
12:30 – 13:30 Lunch
13:30 – 13:40 Summary
13:40 – 15:45 Set up a Trust Router! (15:00 break)
15:45 – 16:00 Summary
Moonshot & Communities
• A quick reminder… What are communities?
Communities and Policy
Authentication Policy Community / (Community of Registration)
Community A
Community B
Community C
Organisation validation to APC’s defined standards
Policy coming from community requirements. Could include:
• Registration LoA
• AuthN LoA
• Operational Practices
• User behaviour
• Attribute release (RADIUS & SAML)
• Etc.
Moonshot & Communities
• Communities will consist of a subset of the entities connected to a particular APC.
Whole Trust Network
Community A
Community B
Community C
Trust Router
(Diagram: a single Trust Router answering an RP’s query)
RP: Hey TR, do you know bob.com?
TR: Yeah, he’s over there! P.S. I’ve done some DH magic. kthxbye
RP: Hi IdP, I’ve got someone claiming to be one of your users.
Trust Router
(Diagram: the query forwarded along a chain of default peers)
RP: Hey TR1, do you know bob.com?
TR1: Hmm, I don’t. TR2 is my default peer, I’ll ask it…
TR1: Hey TR2, do you know bob.com?
TR2: Hmm, I don’t. TR3 is my default peer, I’ll ask it…
TR2: Hey TR3, do you know bob.com?
TR3: He’s over there. P.S. DH magic.
TR2: He’s over there. P.S. DH magic.
TR1: Yeah, he’s over there! P.S. I’ve done some DH magic.
RP: Hi IdP, I’ve got someone claiming to be one of your users.
Routing between Trust Routers
• Eventually will have routing tables across the whole network
• For now, default peers can be configured.
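The following simulation is an added example for this page, not code from the Moonshot Trust Router project. It models the TR1 → TR2 → TR3 chain from the diagram: each router knows a few realms locally and forwards queries for anything else to its one configured default peer. Two details the slides do not mention are added because an operator wiring up default peers by hand will want them: a hop limit and a record of routers already asked, so a chain of default peers that loops back on itself returns "unknown" rather than bouncing the query forever. All router and realm names are constructed, and the DH key-agreement step is left out.

```python
"""Default-peer forwarding between Trust Routers (added simulation)."""

HOP_LIMIT = 8  # assumption: maximum number of forwards before giving up


class TrustRouter:
    def __init__(self, name, known_realms, default_peer=None):
        self.name = name
        # realm -> location of that realm's AAA server (constructed values)
        self.known = dict(known_realms)
        self.default_peer = default_peer  # another TrustRouter, or None

    def lookup(self, realm, visited=None, hops=0):
        """Resolve a realm. Returns (location or None, list of TRs asked)."""
        visited = set() if visited is None else visited
        visited.add(self.name)
        path = [self.name]
        if realm in self.known:
            return self.known[realm], path          # "Yeah, he's over there!"
        peer = self.default_peer
        if peer is None or hops >= HOP_LIMIT or peer.name in visited:
            return None, path                       # nobody left to ask
        # "Hmm, I don't. <peer> is my default peer, I'll ask it..."
        location, onward = peer.lookup(realm, visited, hops + 1)
        return location, path + onward


def build_demo_network():
    """TR1 -> TR2 -> TR3 chain from the slide; only TR3 knows bob.com."""
    tr3 = TrustRouter("TR3", {"bob.com": "aaa.bob.com"})
    tr2 = TrustRouter("TR2", {}, default_peer=tr3)
    tr1 = TrustRouter("TR1", {"alice.org": "aaa.alice.org"}, default_peer=tr2)
    return tr1, tr2, tr3


def build_looped_network():
    """Two routers configured as each other's default peer (misconfiguration)."""
    a = TrustRouter("A", {})
    b = TrustRouter("B", {}, default_peer=a)
    a.default_peer = b
    return a


if __name__ == "__main__":
    tr1, _, _ = build_demo_network()
    print(tr1.lookup("bob.com"))         # ('aaa.bob.com', ['TR1', 'TR2', 'TR3'])
    print(tr1.lookup("nobody.example"))  # (None, ['TR1', 'TR2', 'TR3'])
    print(build_looped_network().lookup("x.example"))  # (None, ['A', 'B'])
```

The returned path is the list of routers that handled the query, which is the information you would want logged on each hop when debugging why a realm cannot be reached through the peering chain.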
Trust Router Peering
• Peering Policy
• APCs
Current Trust Network
@dev.ja.net
tr1.moonshot.ja.net
ms-tr.cf.ac.uk
ms-rp-ssh.cf.ac.uk
By End of Today
@dev.ja.net
tr1.moonshot.ja.net
ms-tr.cf.ac.uk
ms-rp-ssh.cf.ac.uk
Your TR
Your Test RP
Setting up a Trust Router is easy!
In the world of Moonshot, a Trust Router is just a resource provider.
The resource it’s providing is trust.
Like any RP, the TR needs to query an Identity Provider to authenticate users…
TR’s own IdP
The IdP used by a TR is just an ordinary moonshot IdP, with the identity realm ‘apc.moonshot.ja.net’ - this is the IdP representing the Authentication Policy Community.
It keeps a list of credentials used by IdPs and RPs - the XML files that you’ve used to add your own IdPs and RPs to Janet’s TR.
For this workshop this step will be skipped, as you’ve probably set up at least one IdP by now.
Process
1. Register your RP and TR in the portal as new RPs
– If you don’t have access to the portal, ask for assistance
2. Configure and deploy your TR
– See next slide and readme files
3. Test!
4. Configure and deploy your RP
5. Test!
6. Bonus: Reconfigure your IdP to talk to your TR
Deploying a Trust Router
• RHEL/CentOS:
– TR: https://wiki.moonshot.ja.net/x/hIQy
– RP: https://wiki.moonshot.ja.net/x/vAEp
• Debian:
– TR: https://wiki.moonshot.ja.net/x/goQy
– RP: https://wiki.moonshot.ja.net/x/ugEp
• Sample configurations and key material are available at:
– https://portal.moonshot.ja.net/keys/
– U: octoberws
– P: homemade-push-whistle
peering.cfg
{
  "default_servers": [
    "tr1.moonshot.ja.net"
  ]
}
trusts.cfg
• communities:
– APC, followed by all CoIs
– Each has a list of idp_realms and rp_realms
• idp_realms:
– Details of each idp_realm (hostname, apc, shared config)
• rp_realms:
– Details of each rp_realm (domain & realm constraints, filters, gss names)
• gss_names:
– gss name for your trust router
• Domain constraints:
– What acceptor hostnames are legal (these hosts can claim to be in that realm)
– Constrain gss acceptor hostname
• Realm constraints:
– Constrain gss acceptor realm names
• Filters:
– RP Permitted filters
– Constraints
– Future: more
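To make the constraint and filter bullets concrete, here is an added example of the checks an rp_realm entry expresses, written for this page and not taken from the Trust Router code base. The JSON fragment uses the slide’s vocabulary (rp_realms, gss_names, domain constraints, realm constraints, rp_permitted filters), but its exact key names, the host@realm form of the acceptor name, and the glob-style matching are all assumptions made for the example; consult the readme files linked above for the real trusts.cfg layout. The decision order shown is the one the bullets imply: identify the RP by its gss name, check the acceptor host against the domain constraints, check the acceptor realm against the realm constraints, then apply the RP-permitted filter to the realm being asked about.

```python
"""Evaluate constructed trusts.cfg-style constraints and filters (added example)."""
import fnmatch
import json

# Constructed fragment; key names mirror the slide's terms, schema is an assumption.
SAMPLE_TRUSTS_CFG = json.loads("""
{
  "rp_realms": [
    {
      "realm": "rp.example.ac.uk",
      "gss_names": ["trustrouter@rp.example.ac.uk"],
      "domain_constraints": ["*.example.ac.uk"],
      "realm_constraints": ["example.ac.uk", "*.example.ac.uk"],
      "filters": {"rp_permitted": ["*.ac.uk"]}
    }
  ]
}
""")


def split_acceptor(name):
    """Split an acceptor name of the assumed form host@realm (case-folded)."""
    host, sep, realm = name.rpartition("@")
    if not sep or not host or not realm:
        raise ValueError("acceptor name must be host@realm")
    return host.lower(), realm.lower()


def matches_any(value, patterns):
    """Glob match against a list of constraint patterns; empty list permits nothing."""
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)


def find_rp(cfg, gss_name):
    """Locate the rp_realm entry whose gss_names include the caller's name."""
    for entry in cfg["rp_realms"]:
        if gss_name in entry.get("gss_names", []):
            return entry
    return None


def acceptor_allowed(entry, acceptor_name):
    """Domain constraints bound the acceptor host; realm constraints bound its realm."""
    host, realm = split_acceptor(acceptor_name)
    if not matches_any(host, entry.get("domain_constraints", [])):
        return False
    return matches_any(realm, entry.get("realm_constraints", []))


def request_permitted(entry, target_realm):
    """RP-permitted filter: which realms this RP may ask the TR about (assumed semantics)."""
    allowed = entry.get("filters", {}).get("rp_permitted", [])
    return matches_any(target_realm.lower(), allowed)


def evaluate(cfg, gss_name, acceptor_name, target_realm):
    """Full decision for one request, as a short reason string."""
    entry = find_rp(cfg, gss_name)
    if entry is None:
        return "unknown-rp"
    if not acceptor_allowed(entry, acceptor_name):
        return "acceptor-rejected"
    if not request_permitted(entry, target_realm):
        return "filtered"
    return "permitted"


if __name__ == "__main__":
    rp = "trustrouter@rp.example.ac.uk"
    print(evaluate(SAMPLE_TRUSTS_CFG, rp, "radius.example.ac.uk@example.ac.uk", "idp.other.ac.uk"))
    print(evaluate(SAMPLE_TRUSTS_CFG, rp, "radius.example.ac.uk@example.ac.uk", "idp.example.de"))
    print(evaluate(SAMPLE_TRUSTS_CFG, rp, "radius.somewhere.example@example.ac.uk", "idp.other.ac.uk"))
```

Note that an entry with no domain or realm constraints permits no acceptor at all here; a deliberately fail-closed choice for the example, so that a half-written entry cannot let an arbitrary host claim membership of a realm.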
THANK YOU
Janet, Lumen House
Library Avenue, Harwell Oxford
Didcot, Oxfordshire
t: +44 (0) 1235 822200
f: +44 (0) 1235 822399