CAF Workshop on Federation Tools: IDP Installer and Federation Management Tools. Chris Phillips | April 2014 | CANARIE | Vancouver

CAF Workshop BCNet2014


DESCRIPTION

On April 28th, a hands-on workshop was held at BCNet2014 in Vancouver by CANARIE's Canadian Access Federation (CAF) team. The first part of the workshop explored CAF’s Identity Provider (IdP) Installer tool, which automates the installation of FreeRADIUS for eduroam and Shibboleth for federated SSO. The second part was dedicated to CAF's new Federation Manager, an online tool that enables sites to manage a new or existing Shibboleth IdP installation, manage attribute release and enable services.


Page 1: CAF Workshop BCNet2014

www.canarie.ca

CAF Workshop on Federation Tools

IDP Installer and Federation Management Tools

Chris Phillips | April 2014 | CANARIE | Vancouver

Page 2: CAF Workshop BCNet2014


Agenda

8:00-8:30 – Coffee & Registration
8:30-8:45 – Introductions and Workshop Overview
8:45-10:15 – Using the IdP Installer, Sample Installation, Walkthrough
10:15-10:30 – Break
10:30-11:15 – CAF Tools walkthrough
11:15-12:15 – Federation Management Tools
12:15-12:30 – Q&A, Closing remarks

Page 3: CAF Workshop BCNet2014


In theory, there is no difference between theory and practice.

But, in practice, there is.

Page 4: CAF Workshop BCNet2014


Introductions

Page 5: CAF Workshop BCNet2014


Outcomes for today

•  Improved understanding of the IdP Installer
•  Highlight key deployment considerations
•  Know where to go for CAF resources
•  Socialize Federation management tools direction


Page 6: CAF Workshop BCNet2014


Setting Today’s Context

Page 7: CAF Workshop BCNet2014


Roaming wireless (eduroam)

•  International wireless roaming
•  Ability to automatically sign on using your home credential
•  Reduces barriers to mobile users
•  Worldwide and expanding coverage:
   •  Canada: 78 sites
   •  60 countries worldwide

Federated identity

•  Federated Single Sign On for services
•  Web and non web sign on
•  Authentication
•  Authorization
•  Attribute release
•  Across different security domains

Interfederation

•  eduGAIN as primary, exploring other direct relationships
•  Bridge to international community
•  Enables CAF participants to:
   •  Accept identities inbound from outside Canada to Canadian services
   •  Use Canadian identities in services outside Canada
•  Int’l NREN CEO Forum placed eduGAIN as a key effort
•  CAF was an early adopter: joined last year when there were 8, and eduGAIN now has 20 countries

Figures shown on the slide

•  3.4M logins March 2014
•  2x traffic growth in 1 yr
•  78 sites
•  33 Service Providers
•  25 Identity Providers

[Chart: Successful Logins, Canada vs International, y-axis 0 to 2,000,000]
[Chart: Total CAF enabled users – SAML & eduroam; data labels 937,000; 986,765; 1,011,793; 1,020,387]

Page 8: CAF Workshop BCNet2014


CAF Ecosystem (diagram labels)

Identity Providers: Universities, Colleges, Research inst., Cloud providers
Service Providers: Specialized R&E Apps, Libraries, Commercial SP, Research teams
Regional Community / Community Group / Gateway
Partners: BCNET, Provincial governments, Organizing bodies
People: Applicants, Parents, Temporary staff; Professor, Student, Researcher; Researcher, App Developer; IDM Expert, Group Admin

Page 9: CAF Workshop BCNet2014


CAF Roadmap (diagram)

Timeline: Today → FY 2015 → FY16 (vertical axis: VALUE)

Tracks: IDP Installer; Federation Infrastructure & Governance; Knowledge Base + more tools!; Federation Community Manager; CAF Marketplace; Operating Policies

Supporting: Training & Technical Support; Marketing Material

Page 10: CAF Workshop BCNet2014


IDP Installer

Page 11: CAF Workshop BCNet2014


IdP Installer

•  What is it?
   –  VM image + html configuration forms
•  What does it do?
   –  Auto installs and configures IdP server components
   –  Easier connection to CAF servers
   –  Supports eduroam and Shibboleth
•  Benefits
   –  Fewer steps
   –  Hides technical complexity from user

Identity Appliance stack (diagram, top to bottom): Shibboleth Identity Provider / freeRADIUS; Apache Tomcat; Java; Operating System (CentOS)

Page 12: CAF Workshop BCNet2014


IdP Installer Consolidating & Reducing Effort

Page 13: CAF Workshop BCNet2014


Installation Overview

Download installer → Plan & Prepare installation → Do installation → Post installation tailoring → Local acceptance testing → Contact CANARIE to complete registration

1.  Download Installer
    1.  From http://bit.ly/caftools
2.  Plan & Prepare your installation
    1.  Review System Requirements to prepare your environment.
    2.  Prepare your network
    3.  Prepare your environment (settings for Directory, Certificates, etc.)
    4.  Review and choose a preferred deployment approach
    5.  Review your federation specific post install steps
3.  Do the installation
    1.  Create a configuration from your federation's configuration builder
    2.  Save the configuration as 'config' in the installer directory on your server
    3.  Run the script ./deploy_idp.sh
    4.  Answer any inline questions (use self signed cert? password creation for keystores)
4.  Perform Post installation Tailoring
    1.  Based on items previously identified, finalize the installation
    2.  Identify steps that need to be repeated in production
5.  Locally Test Installation
6.  Repeat installation steps for production installation as needed

[1] From installer document in distribution: https://collaboration.canarie.ca/elgg/groups/profile/847/idp-installer

Page 14: CAF Workshop BCNet2014


Planning: Deployment Model – Test & Prod

Page 15: CAF Workshop BCNet2014


Planning: SSID strategy – augment or replace?

Recommendation: Consider consolidating to eduroam
•  Why:
   –  Less to configure for end users: set up once, use everywhere → why run an SSID that only works for you?
   –  Less to manage as wifi infrastructure operator → reduces helpdesk support
   –  eduroam can be VLAN’d based on authentication
      •  Local users VLAN’d to ‘local IP space’ and remote users to a remote VLAN [1,2]
   –  Configuration Assistant Tool (CAT) performs the client configuration
•  To resolve ‘how do I get on?’ for users, offer an eduroam_help SSID
   –  Behaves as a captive portal and is only able to reach eduroam configuration information (cat.eduroam.org) and your site specific information
   –  Working with UFV through IdP Installer with the
   –  Some Canadian sites already using just eduroam as the singular SSID

[1] https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus
[2] http://medit.med.ubc.ca/initiatives/eduroam-by-ubc/

Page 16: CAF Workshop BCNet2014


Planning: Certificates

FedSSO / SAML2
•  2 certificates
   §  End user facing (port 443) for SSO userid/password
      •  commercially rooted certificate to avoid browser pain
   §  IdP/SP certificate for metadata
      •  Self signed, 2048 bit, SHA2
      •  Autogenerated on install
      •  Usually long lived (10 yrs)
   §  Possession of the private key and comparison against the certs present in metadata are the crux of trust

eduroam / 802.1x
•  2 TLS pieces: CA + server cert
   §  Laptops and mobile devices are asked to trust both the CA and the server certificate (a supplicant that does not check both can hand its credentials to a rogue access point presenting any certificate)
   §  If CA = commercial root, slightly less pain on MSFT clients (avoids the ‘trust this root?’ popup)
   §  eduroam CAT installer critical to help streamline installation & trust regardless of cert type

Recommendation: Use your usual commercial cert for the end user facing port 443. Let the tools do what they should do for the long lived self signed cert.

Recommendation: Simply put: YMMV & up to you to tailor the experience. Quick video example: eduroam CAT with a commercial cert & with a non-commercial certificate.

IDP Installer automatically uses self-signed everything & is a base for build outs.

Page 17: CAF Workshop BCNet2014


Certificates & Heartbleed

•  Heartbleed risk present on hosts susceptible to the OpenSSL handshake
   –  FedSSO/SAML
      •  Metadata signing was not at risk since that key is never used in a handshake & the OpenSSL version was safe.
      •  A handful of SAML entities did have to do key roll over (regenerate and replace keys)
      •  Risk was possible exposure of the private key, and therefore impersonation or decryption of traffic could have been done
         –  extremely remote and requiring an extraordinary attack, but the risk was present nonetheless → must regenerate the private key and metadata cert and do a roll over.
   –  eduroam
      •  eduroam trust is built on shared secrets and therefore not susceptible in server to server trusts.
      •  HOWEVER, the RADIUS server certificate suffered the same style of attack vector, but between the RADIUS server and clients (mobile devices)
         –  Key compromise and therefore decryption of traffic, if such was done
         –  risk extremely remote but present. The few affected sites patched and made the necessary changes.
•  Global eduroam had a validator within hours of the announcement and scanned many sites, including Canadian ones, very early on.
•  Within 72 hrs all Heartbleed risk was eliminated from the affected few sites in FedSSO and eduroam in Canada.
   –  Would self signed or commercial have made a difference? No. The risk was the same regardless of root. A private key is a private key, and both would need to have been regenerated.
   –  Many thanks to the admins who were very responsive to the issue!
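The certificates slide above describes the long-lived self-signed metadata certificate the installer generates, and the Heartbleed slide describes the key roll over a handful of SAML entities had to perform. The script below is an added example for this page, not code from the deck or from the IdP Installer: it generates a certificate of the shape described (self-signed, RSA 2048, SHA-256, 3650 days), publishes it in a minimal IdP metadata file, checks that the published certificate matches the one on disk by SHA-256 fingerprint (the "comparison of certs present in metadata" the deck calls the crux of trust), and then walks through a roll over: publish old and new, switch, retire the old. The entityID, file names, metadata layout and the tag-per-line parsing in metadata_fprs are assumptions for illustration; it needs openssl and a POSIX shell.

```shell
#!/bin/sh
# Added example for this page; not the CAF deck's or the IdP Installer's code.
# Generates an installer-style metadata cert, publishes it in SAML metadata,
# verifies the published cert against the on-disk cert, and rolls the key over.
set -e
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

ENTITY_ID="https://idp.example.ca/idp/shibboleth"   # hypothetical entityID

# gen_idp_cert DIR NAME CN: self-signed RSA-2048 / SHA-256 cert valid 3650 days,
# the long-lived metadata cert (not the commercially rooted port-443 cert).
gen_idp_cert() {
  dir=$1; name=$2; cn=$3
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -subj "/CN=$cn" -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
  chmod 600 "$dir/$name.key"   # the private key is the whole trust; keep it unreadable
}

# cert_fpr FILE: SHA-256 fingerprint of a PEM cert, lowercase hex, no colons.
cert_fpr() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# write_metadata OUT CERT...: minimal IdP metadata with one KeyDescriptor per cert.
# <ds:X509Certificate> carries the base64 DER body, i.e. the PEM without BEGIN/END.
write_metadata() {
  out=$1; shift
  {
    printf '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"\n'
    printf '  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="%s">\n' "$ENTITY_ID"
    printf ' <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
    for c in "$@"; do
      printf '  <KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n'
      sed -e '/^-----/d' "$c"
      printf '  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>\n'
    done
    printf ' </IDPSSODescriptor>\n</EntityDescriptor>\n'
  } > "$out"
}

# metadata_fprs FILE: SHA-256 fingerprint of every <ds:X509Certificate> in a
# metadata file, one per line. Assumes each tag sits on its own line, as
# write_metadata emits (assumption); real federation metadata may need the tags split first.
metadata_fprs() {
  awk '
    /<ds:X509Certificate>/   { cmd = "openssl x509 -noout -fingerprint -sha256"
                               print "-----BEGIN CERTIFICATE-----" | cmd; inb = 1; next }
    /<\/ds:X509Certificate>/ { print "-----END CERTIFICATE-----" | cmd; close(cmd); inb = 0; next }
    inb                      { print | cmd }
  ' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# metadata_has_cert META CERT: succeeds only if the on-disk cert is published in META.
# An IdP whose published cert does not match its signing cert cannot be trusted by SPs.
metadata_has_cert() {
  metadata_fprs "$1" | grep -qx "$(cert_fpr "$2")"
}

# Roll over walkthrough: what a site does after a suspected private-key exposure.
demo() {
  w=$(mktemp -d)
  gen_idp_cert "$w" idp-signing idp.example.ca
  write_metadata "$w/idp-metadata.xml" "$w/idp-signing.crt"
  metadata_has_cert "$w/idp-metadata.xml" "$w/idp-signing.crt" && echo "published cert matches on-disk cert"

  # 1. Generate a brand-new key pair; treat the old key as compromised.
  gen_idp_cert "$w" idp-signing-new idp.example.ca
  # 2. Publish both certs so SPs that have refreshed metadata accept either key.
  write_metadata "$w/idp-metadata.xml" "$w/idp-signing.crt" "$w/idp-signing-new.crt"
  echo "roll over phase: $(metadata_fprs "$w/idp-metadata.xml" | wc -l | tr -d ' ') certs published"
  # 3. Switch the IdP to sign with the new key, then retire the old cert from metadata.
  write_metadata "$w/idp-metadata.xml" "$w/idp-signing-new.crt"
  metadata_has_cert "$w/idp-metadata.xml" "$w/idp-signing.crt" \
    || echo "old cert no longer published; SPs trusting metadata will reject it"
  rm -rf "$w"
}

demo
```

Between the two write_metadata calls of a real roll over, wait for the federation to republish and for SPs to refresh their metadata before switching the IdP to sign with the new key; an SP still holding only the old cert will reject assertions signed with the new one. Fingerprint comparison only proves the published cert is the one on disk; possession of the matching private key is demonstrated by signing with it, which is why a leaked key forces a fresh pair regardless of who signed the certificate.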

Page 18: CAF Workshop BCNet2014


IdP Installer Test Shib walkthrough

Page 19: CAF Workshop BCNet2014


Break

Page 20: CAF Workshop BCNet2014


CAF Tools Walkthrough

•  eduroam weathermap – http://weathermap.canarie.ca/caf/eduroam
•  eduroam CAT – https://cat.eduroam.org/
•  eduGAIN – https://www.edugain.org/
•  FedSSO Discovery Guidance – https://discovery.refeds.org
•  CAF FAQ system – http://tts.canarie.ca/otrs/public.pl
•  Collaboration.canarie.ca – http://collaboration.canarie.ca
•  CAF Guest IdP & 'external identities' (aka social2SAML) – http://id.canarie.ca
   –  External identity demo with SAML SharePoint sign on

All available at: http://bit.ly/caftools

Page 21: CAF Workshop BCNet2014


CAF Guidance on Attribute Release

•  Current CAF policy → mandatory release of eduPersonTargetedID
•  Example of the importance of attribute release
•  What the community at large is doing
   –  In Canada → examining various profiles for attribute ‘bundles’
      •  Collaboration profile
      •  Canadian Researcher profile
      •  Canadian Student profile
      •  K-12 specific attributes
   –  Internationally
      •  Entity categories in metadata, rules in IdPs for release
      •  K-12 conversations in US
•  SAML metadata representation

Page 22: CAF Workshop BCNet2014


Federation Management Tools

Page 23: CAF Workshop BCNet2014


Page 24: CAF Workshop BCNet2014


Federation Community Manager

Features
•  UI-based provisioning of privacy and security policies (e.g. ARPs)
•  Self-serve user interface for Partner, IdP and SP admins
•  Consolidated view of all community groups, IdPs and SPs in CAF
•  Auto-generates metadata

Benefits
•  Reduces development time → faster implementation
•  Reduces errors and facilitates debugging

Status
•  Seeking pilot participants

Page 25: CAF Workshop BCNet2014


Collaboration via CAF & Community Groups

(Diagram: CAF Identity Providers → Regional Community → Community Group (CG) → Shared Services → CAF Service Providers)

•  Services available to IdPs within the community group
•  Define operating policies (e.g. attribute release) specific to the CG
•  Gives IdPs access to national and international CAF SPs

Page 26: CAF Workshop BCNet2014


Community Group Responsibilities (diagram labels)

Responsibility areas: Privacy Help Desk; Community Groups Admin; Hosted IDP Operations; Local Outreach; Central Operations; Technical Support; Technical Community; Trust Assertion; Governance; National Outreach; Tool Development; Operations; International Representation; CAF Participant Agreements; Implementation Guidance; Community Agreements

Actors: Institutions; CAF Partners; CAF

Page 27: CAF Workshop BCNet2014


Closing Remarks / Q&A