Connect. Communicate. Collaborate
The eduGAIN Way
Diego R. Lopez - RedIRIS

As Federations Grow
• The risk of dying of success
– Do we really need to go on selling the federated idea?
• Different communities, different needs
– Not even talking about international collaboration
– Different (but mostly alike) solutions
– Grids and libraries as current examples
– And many to come: governments, professional associations, commercial operators,…
• Don’t hold your breath waiting for the Real And Only Global Federation

Confederations Federate Federations
• Same federating principles applied to federations themselves
– Own policies and technologies are locally applied
• Independent management
– Identity and authentication-authorization must be properly handled by the participating federations
• Commonly agreed policy
– Linking individual federation policies
– Coarser than them
• Trust fabric entangling participants
– Without affecting each federation’s fabric
– E2E trust must be dynamically built

Applying Confederation Concepts in eduGAIN
• An eduGAIN confederation is a loosely-coupled set of cooperating federations
– That handle identity management, authentication and authorization using their own policies
• Trust between any two participants in different federations is dynamically established
– Members of a participant federation do not know in advance about members in the other federations
• Syntax and semantics are adapted to a common language
– Through an abstract service definition

The eduGAIN Model
[Diagram: Resource(s), R-FPP and R-BE on the resource side; H-BE, H-FPP and Id Repository(ies) on the home side; AA interactions between the components; metadata publish and metadata query towards the MDS]

An Adaptable Model
[Diagram: from centralized structures (MDS, FPPs and BEs in front of groups of IdPs and SPs) ... to fully E2E ones (each IdP and SP with its own BE) ... including any mix of them]

A General Model for eduGAIN Interactions
• MDS at https://mds.geant.net/, queried with ?cid=someURN, returns the component metadata:
<EntityDescriptor entityID="urn:geant2:..:responder"> . . . <SingleSignOnService Location="https://responder.dom/" /> . . .
• Requester (urn:geant2:...:requester) and Responder (urn:geant2:...:responder) talk over TLS channel(s):
<samlp:Request ...... RequestID="e70c3e9e6…" IssueInstant="2006-06…"> . . . </samlp:Request>
<samlp:Response ...... ResponseID="092e50a08…" InResponseTo="e70c3e9e…"> . . . </samlp:Response>
• The Responder stands in front of the Resource and the Id Repository

A Layered Model for Implementation
[Layer diagram, top to bottom: Component logic; Profile Access; eduGAINBase + eduGAINVal + eduGAINMeta; SAML toolkit (OpenSAML); SOAP/TLS/XMLSig libraries]

The eduGAIN APIs: Trust Evaluation (eduGAINVal)
• Is this trust material (cert/signature) valid? Does it correspond to component X? Answer: valid/not valid, corresponds to component X (evaluated against the Configuration and the Trust Store)
• Sign this piece of XML. Answer: the Signature (produced with the Key Store)
• Which trust material to use for connecting? Answer: the Trust material

The eduGAIN APIs: Metadata Access (eduGAINMeta)
• Publish these metadata through the MDS server. Answer: Publishing result
• Which component(s) can be queried to retrieve data about someone with these Home Locators? Answer: Component metadata
• Give me metadata about this part of eduGAIN. Answer: Metadata
• eduGAINMeta relies on the Configuration and on eduGAINVal

The eduGAIN APIs: Abstract Service (eduGAINBase)
• Create/manipulate an abstract service object. Answer: Abstract service object
• Transform this abstract service object to/from wire protocol. Answer: Abstract service object or Protocol element
• Send ASO: (AuthN/Attr/AuthR) request (Vanilla profile). Answer: Corresponding ASO response
• eduGAINBase relies on the Configuration, eduGAINMeta and eduGAINVal

The eduGAIN APIs: Profile Access (eduGAIN Profile API)
• Is this AuthN/Attr material valid? Answer: Valid/not valid
• Provide data from the requester. Answer: Data
• Create/modify a security token. Answer: Token
• Is this request authorized? Answer: Authorization response
• The Profile API relies on the Configuration, eduGAINBase, eduGAINMeta and eduGAINVal

eduGAIN Profiles
• Oriented to
– Enable direct federation interaction
– Enable services in a confederated environment
• Four profiles discussed so far
– WebSSO (Shibboleth browser/POST)
– AC (automated client: no human interaction)
– UbC (user behind non-Web client: use of SASL-CA)
– WE (WebSSO enhanced client: delegation)
• Others envisaged
– Extended Web SSO (allowing the sending of POST data)
– eduGAIN usage from roaming clients (DAMe)
• Based on SAML 1.1
– Mapping to SAML 2.0 profiles along the transition period

The WebSSO Profile
[Diagram]

The AC Profile
[Diagram]

The UbC Profile
[Diagram]

The WE Profile
[Diagram]

The Paved Way
• The first eduGAIN enabled resource is already available
– http://www.rediris.es/jra5wiki/
– As a result of the implementation of the WebSSO profile
• Prototypes for
– The MDS
– The component ID registry
– The PKI components
• eduGAIN base APIs available at the GN2 SVN server
• Cookbook and reference material

The Road Ahead
• Implementing the rest of the initial profiles
– Direct collaboration with initial user activities
– And initial liaisons with some others
• Migration to SAML2
– Plans to align as much as possible with Shibboleth 2
• Building stable support services
– Many component IDs foreseen
– Web-based and extensible PKI services
• Keeping coolness
– CardSpace
– OpenID
• And policy!
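As an added worked example (not part of the presentation or of the eduGAIN code base) of the requester-side checks implied by the "A General Model for eduGAIN Interactions" slide: a requester that resolved the responder's EntityDescriptor through the MDS correlates the samlp:Response with its own samlp:Request, confirms the assertion came from the component it looked up, and bounds the message age. Component IDs, messages and helper names are constructed, and the SAML 2.0 metadata namespace for EntityDescriptor is assumed.

```python
"""Requester-side checks on the SAML 1.1 exchange drawn on the "A General
Model for eduGAIN Interactions" slide. Added example, not eduGAIN code: IDs,
messages and names are constructed; XML signature and TLS validation (the
eduGAINVal role) are assumed to have happened before these checks run."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"  # EntityDescriptor namespace (assumed)

# Constructed: the EntityDescriptor the requester fetched from the MDS for the
# responder's component ID (the "?cid=<URN>" query on the slide).
RESPONDER_CID = "urn:geant2:example:responder"
MDS_ENTITY = (f'<EntityDescriptor xmlns="{MD}" entityID="{RESPONDER_CID}">'
              f'<SingleSignOnService Location="https://responder.example/"/></EntityDescriptor>')
# Constructed: the request we sent and the response that came back.
REQUEST = (f'<samlp:Request xmlns:samlp="{SAMLP}" RequestID="req-e70c3e9e6" '
           f'IssueInstant="2006-06-01T10:00:00Z"/>')
RESPONSE_OK = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
               f'ResponseID="rsp-092e50a08" InResponseTo="req-e70c3e9e6" '
               f'IssueInstant="2006-06-01T10:00:02Z">'
               f'<saml:Assertion Issuer="{RESPONDER_CID}"/></samlp:Response>')
NOW = datetime(2006, 6, 1, 10, 0, 5, tzinfo=timezone.utc)  # constructed clock

def tls_endpoint(metadata_xml):
    """Return the SingleSignOnService Location only if it is an https:// URL."""
    ep = ET.fromstring(metadata_xml).find(f"{{{MD}}}SingleSignOnService")
    loc = ep.get("Location", "") if ep is not None else ""
    return loc if loc.startswith("https://") else None

def check_response(request_xml, response_xml, metadata_xml, now, max_skew=timedelta(minutes=5)):
    """Return the list of problems found; an empty list means accept."""
    req, rsp, md = (ET.fromstring(x) for x in (request_xml, response_xml, metadata_xml))
    problems = []
    # Correlation: the response must answer the request we actually issued.
    if rsp.get("InResponseTo") != req.get("RequestID"):
        problems.append("InResponseTo does not match our RequestID")
    # Origin: every assertion must be issued by the component whose metadata
    # (entityID) we resolved through the MDS, not merely by some valid signer.
    assertions = list(rsp.iter(f"{{{SAML}}}Assertion"))
    if not assertions:
        problems.append("response carries no assertion")
    for a in assertions:
        if a.get("Issuer") != md.get("entityID"):
            problems.append(f"assertion issuer {a.get('Issuer')!r} != entityID")
    # Freshness: reject responses outside the accepted clock skew (replay window).
    issued = datetime.strptime(rsp.get("IssueInstant"), "%Y-%m-%dT%H:%M:%SZ")
    if abs(now - issued.replace(tzinfo=timezone.utc)) > max_skew:
        problems.append("IssueInstant outside accepted skew")
    return problems
```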