June 9, 2009

SURFfederatie: implementing a multi-protocol federation
Hans Zandbelt & Joost van Dijk, SURFnet

SURFnet. We make innovation work

Overview
- Identity Federation Models
- SURFfederatie gateway
- Implementation/Deployment
- Features/Experiences
- SURFnet Service Provider
- Conclusion


Federation Models
- 1-1
  - Business: SAML 1.x
  - de-facto
- NxN
  - Shared trust, pt2pt
  - Education VS/Europe
  - Shibboleth
- 2xN
  - Central gateway (CFC)
  - Protocol translation
  - SURFfederatie: SURFnet = CFC, IDP, SP

(Diagram: IDP/SP pairs connected directly, next to the same IDPs and SPs all connected through the CFC.)


Functional View

(Diagram: Central Federation Components. Identity Providers and Service Providers connect to the SURFfederatie CORE through protocol adapters labelled A-Select Cross, Shibboleth, SAML 2.0 and WS-Fed / ADFS; Credentials sit on the Identity Provider side, Applications on the Service Provider side.)


Authentication Redirect Flow

(Sequence diagram; participants from left to right: SP, SFS (the SURFfederatie gateway), IDP web service, IDP authentication backend. Messages in order:)
- browser request (to the SP)
- auth request (SP -> SFS)
- SSO1 request (SFS -> IDP web service)
- SSO2 request (IDP web service -> authentication backend)
- LDAP/Radius/.. (backend authentication)
- access & attributes
- SSO2 response
- SSO1 response
- auth response (SFS -> SP)


Deployment View

(Diagram: three nodes, server1, server2 and server3, each running phpFederate and PingFederate, with failover between them; a separate PingFed/Mgmt management node; the hostnames wayf.surfnet.nl and sfs.surfnet.nl are spread over the nodes with round-robin DNS.)


Server Node
- apache2
- mod_fcgid
- php5_cgi
- phpFederate
- memcached (state sharing)
- mysql (logging)
- sendmail (error reporting)
- heartbeat2 (failover)
- pingFederate


Connections
- Federation Protocols
  - IDP: SAML 2.0 (5), ADFS (15), A-Select (10)
  - SP: SAML 2.0 (5), Shibboleth 1.3 (5), A-Select (3)
- Federation Products
  - Microsoft ADFS, Shibboleth (1/2), A-Select, Novell Access Manager, simpleSAMLphp, Oracle IdM, PingFederate


Implementation
- PHP:
  - implementation programming language
  - metadata/configuration store
  - configuration and processing language
  - provisioning tool
- Provision connections to PingFederate
- Federate connections transparently across protocols (!= simpleSAMLphp); caveat: identifiers
- IDPs "see" 1 SP; SPs "see" 1 or all IDPs
- IDP ARPs: (configured) filter applied by the SURFfederatie gateway


Features
- Pure stateless switch vs. stateful processing gateway
- Transparent vs. single-point-of-entry
- Detailed and accurate logging/statistics
- ARP and ACLs implemented in PHP
- TBD: attribute processing/enrichment...
- SP "personalized" IDP discovery and authorisation
- Limited SP access for IDPs
- EduGAIN, OpenID, InfoCard
- Optional: management APIs for members (IaaS)
  - Metadata/configuration
  - ARP, IDP/SP authorisation


Experiences
- Multi-protocol abilities speed up institutional deployment: fits in their home ICT environment (!= JAVA, = Microsoft)
- Identity-As-A-Service: service provider issues (metadata updates, attribute release policies) are handled for IDPs
- SAML 2.0 implementations are hard (specs/products/knowledge) -> slow SP take-up
- Scalability is ok: up to national level
- Trust model of centralized federation is functionally equivalent to distributed federations: federation-operator is TTP (signed responses vs. signed metadata)
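The following is an added example, not SURFnet's code and not the phpFederate implementation. It models the gateway side of the redirect flow from the earlier slides in Python: an IDP response in one of two wire formats is translated to a canonical form, its signature is checked against the IDP key held in the gateway's metadata store, the IDP's ARP is applied, the subject identifier is scoped per IDP (the "caveat: identifiers" point from the Implementation slide), and the result is re-signed with the gateway key so the SP only has to trust the federation operator (the "signed responses" trust model from the Experiences slide). Every hostname, key, attribute name and message field here is constructed, and HMAC-SHA256 over canonical JSON stands in for the XML signatures real SAML/WS-Federation deployments use.

```python
"""Added example: a toy 2xN central-gateway federation (not SURFnet or phpFederate code).

With a central gateway every IDP and every SP keeps one trust relationship
(the gateway's key) instead of one per counterpart. HMAC-SHA256 over a
canonical JSON body stands in for the XML signatures real SAML/WS-Fed use.
"""
import hashlib
import hmac
import json

# Constructed gateway metadata: shared secrets stand in for signing keys.
GATEWAY_KEY = b"gateway-signing-key"
IDP_KEYS = {"idp.uni-a.example": b"idp-a-key", "idp.uni-b.example": b"idp-b-key"}

# Constructed attribute release policies (ARPs), filtered by the gateway per IDP.
ARP = {
    "idp.uni-a.example": {"uid", "mail", "affiliation"},
    "idp.uni-b.example": {"uid", "affiliation"},  # uni-b never releases mail
}


def sign(payload, key):
    """Signature over a canonical serialisation so key order does not matter."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(payload, sig, key):
    return hmac.compare_digest(sign(payload, key), sig)


def parse_idp_response(msg):
    """Translate a SAML-style or WS-Fed-style IDP response into the gateway's
    canonical form (issuer, subject, attributes); field names are constructed."""
    if msg["protocol"] == "saml2":
        return {"issuer": msg["Issuer"], "subject": msg["NameID"],
                "attributes": dict(msg["AttributeStatement"])}
    if msg["protocol"] == "wsfed":
        claims = dict(msg["claims"])
        return {"issuer": msg["realm"], "subject": claims.pop("upn"),
                "attributes": claims}
    raise ValueError("unsupported protocol: %r" % msg["protocol"])


def gateway_forward(idp_msg, idp_sig, sp_id):
    """Gateway side of the 'SSO1 response -> auth response' step: verify the
    IDP signature, apply the IDP's ARP, scope the identifier, re-sign for the SP."""
    canonical = parse_idp_response(idp_msg)
    issuer = canonical["issuer"]
    if issuer not in IDP_KEYS:
        raise PermissionError("unknown IDP: " + issuer)
    if not verify(idp_msg, idp_sig, IDP_KEYS[issuer]):
        raise PermissionError("bad signature from " + issuer)
    released = {k: v for k, v in canonical["attributes"].items() if k in ARP[issuer]}
    # Identifier caveat: the SP sees every IDP through the one gateway, so a
    # subject must be scoped by its issuer or 'jdoe' at uni-a and uni-b collide.
    subject = "%s@%s" % (canonical["subject"], issuer)
    sp_msg = {"protocol": "saml2", "Issuer": "sfs.gateway.example",
              "Audience": sp_id, "NameID": subject, "AttributeStatement": released}
    return sp_msg, sign(sp_msg, GATEWAY_KEY)


# Constructed sample responses as they would arrive at the gateway.
SAML_FROM_A = {"protocol": "saml2", "Issuer": "idp.uni-a.example", "NameID": "jdoe",
               "AttributeStatement": {"uid": "jdoe", "mail": "jdoe@uni-a.example",
                                      "affiliation": "student", "phone": "0000"}}
WSFED_FROM_B = {"protocol": "wsfed", "realm": "idp.uni-b.example",
                "claims": {"upn": "jdoe", "uid": "jdoe", "mail": "jdoe@uni-b.example",
                           "affiliation": "staff"}}


def demo():
    """Run both samples through the gateway; the SP verifies only the gateway key."""
    out = {}
    for msg in (SAML_FROM_A, WSFED_FROM_B):
        issuer = msg.get("Issuer") or msg["realm"]
        sp_msg, sig = gateway_forward(msg, sign(msg, IDP_KEYS[issuer]), "sp.library.example")
        out[issuer] = (sp_msg, verify(sp_msg, sig, GATEWAY_KEY))
    return out


if __name__ == "__main__":
    for issuer, (sp_msg, ok) in demo().items():
        print(issuer, "->", sp_msg["NameID"], sorted(sp_msg["AttributeStatement"]), ok)
```

Two things to note when reading the output: the phone attribute from uni-a and the mail attribute from uni-b never reach the SP because the gateway, not the IDP, enforces the ARP (the "IDP ARPs: filter by SURFfederatie gateway" bullet), and both users named jdoe arrive at the SP as distinct, issuer-scoped identifiers. A response whose IDP signature does not verify is rejected before any attribute is released.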


Future Developments
- Web-services (gateway as WS-Trust STS!)
- Cross-layer identity (unified SSO)
- Identity-as-a-Service extensions
- User Centric privacy extensions: user consent
- Geneva
- SURFnet services: OpenID
- Confederations: Kennisnet, EduGAIN


SURFnet Service Provider
- SURFnet plays three roles in the SURFfederatie:
  - Federation operator, gateway
  - IDP, for SURFnet employees
  - SP, for services offered by SURFnet to federation members
- Services are connected via a proxy
- Proxy is running phpFederate


SURFnet Service Provider

(Diagram: the SURFnet Service Provider proxy sits between the SURFfederatie gateway (with its IDPs) and the services SURFmedia, SURFmailfilter and SURFdomeinen; role labels in the diagram: SP, SP/IDP, IDP.)

Proxy benefits
- Protocol translation:
  - Hook up any service using A-Select/Shibboleth/SAML/WS-Federation
- Centralize features needed for all services:
  - Access Control
  - Attribute enrichment
  - Guest access to selected services
  - Migrating user data when users switch identity


Guest access

(Diagram: the SURFnet Service Provider fronts SURFmedia, SURFmailfilter and SURFdomeinen; identities come either from a Guest IDP or from the SURFfederatie with its member IDPs.)


Attribute enrichment

(Diagram: the SURFnet Service Provider fronts SURFmedia, SURFmailfilter and SURFdomeinen; attributes received from the SURFfederatie IDPs are supplemented from an attribute database before reaching the services.)

Current developments
- OpenID Gateway:
  - SURFnet SP as OpenID RP (guest access)
  - SURFfederatie as OpenID Provider (requires user consent)
- Federated Groups
  - Join people from multiple IDPs into groups
  - Centrally managed
  - Across multiple services
- Federated directory
- Step-up authentication (introduce second factor)
  - OTP per SMS
  - Mobile PKI (authN using private key on SIM)


OpenID protocol handler

(Diagram: the SURFnet Service Provider, fronting SURFmedia, SURFmailfilter and SURFdomeinen, acts as OpenID RP towards an OpenID Provider alongside its connection to the SURFfederatie IDPs.)


Mobile PKI

(Screenshot: "Mobile PKI web page access" - "You are accessing a web service using Mobile PKI" - "Signing access code: 52745")


Conclusions
- Rapid deployment: 500.000 users
- From gateway towards Identity-as-a-Service
- Outlook: from use-once-a-month content towards every-day use hosted web applications
