
AAI @ TERENA

EUROCamp 2010

Dyonisius Visser

[email protected]

www.terena.org

Page 2

Where it all started

› REFEDS Wiki
› Dog food
› MediaWiki + SimpleSAMLphpAuth
› One SP
› Accumulated > 20 IdPs

<[email protected]>

Page 3

Next SP comes along

› TACAR
› Will need to contact several IdPs again to exchange metadata
› 3rd SP
› 4th SP etc etc

Page 4

Too many IdP-SP combinations

› Difficult to manage:

Page 5

New approach: cheating

› Create one SP to connect all our IdPs to
› “Hide” all our REAL SPs behind that

› External IdPs only do business with a single TERENA SP

› We get to do fancy stuff at our magic SP

Page 6

Page 7

What could be the “?”

› Attribute injection
› authproc: SmartAttr.php

Page 8

SmartAttr.php

› Generate globally unique identifier for ALL possible users

› Pick first available attribute name+value from:
  › eduPersonTargetedID
  › eduPersonPrincipalName
  › openid
  › sha1(salt.serialize(attributes))

› Append @$IdP
› Results:

Page 9

SmartID examples:

› urn:mace:dir:attribute-def:eduPersonTargetedID:[email protected]@https://login.terena.org/idp/saml2/idp/metadata.php

› urn:mace:dir:attribute-def:eduPersonPrincipalName:[email protected]@https://login.terena.org/idp/saml2/idp/metadata.php

› openid:https://www.google.com/accounts/o8/id?id=AItOawk1wEwIIRLSKf6kWb_1Rb0X00psc3lPqWU@https://login.terena.org/bridge/saml2/idp/metadata.php

Page 10

More attributes

› Fullname: Stolen from Olav
› Organisation: first available from:
  › organizationName
  › Uppercase version of schacHomeOrganization, without TLD
  › Uppercase version of email domain without TLD
  › Uppercase version of eduPersonPrincipalName domain without TLD
  › String ‘MY_ORG’

› Country, fname, lname, email, etc
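The SmartID derivation from the SmartAttr.php slide and the organisation fallback from this slide, written out as an added Python example (not the talk's own authproc code); the attribute names organizationName, schacHomeOrganization and mail, the JSON stand-in for PHP serialize(), and the salt are assumptions.

```python
import hashlib
import json

# Candidate identifier attributes in the slide's priority order. The eduPerson
# names are in urn:mace form, matching the SmartID examples on the slides.
ID_CANDIDATES = (
    "urn:mace:dir:attribute-def:eduPersonTargetedID",
    "urn:mace:dir:attribute-def:eduPersonPrincipalName",
    "openid",
)


def smart_id(attributes, idp_entity_id, salt):
    """Derive a SmartID: name:value@IdP, or a salted hash@IdP as fallback.

    Appending the asserting IdP's entity ID scopes the value to that IdP, so
    one IdP cannot mint an identifier that collides with another IdP's user.
    """
    for name in ID_CANDIDATES:
        values = attributes.get(name)
        if values:
            return "%s:%s@%s" % (name, values[0], idp_entity_id)
    # Fallback, the slide's sha1(salt.serialize(attributes)); JSON with sorted
    # keys stands in for PHP serialize() (assumption). Stable only while the
    # released attribute set is unchanged, so it is not a persistent ID.
    blob = salt + json.dumps(attributes, sort_keys=True).encode()
    return "%s@%s" % (hashlib.sha1(blob).hexdigest(), idp_entity_id)


def _without_tld(domain):
    """'terena.org' -> 'TERENA'; a single label is returned uppercased as-is."""
    labels = domain.split(".")
    return ".".join(labels[:-1] or labels).upper()


def organisation(attributes):
    """Pick the organisation using the slide's fallback order.

    The attribute names organizationName, schacHomeOrganization and mail are
    assumptions; the slide only names the concepts.
    """
    if attributes.get("organizationName"):
        return attributes["organizationName"][0]
    if attributes.get("schacHomeOrganization"):
        return _without_tld(attributes["schacHomeOrganization"][0])
    for name in ("mail", "urn:mace:dir:attribute-def:eduPersonPrincipalName"):
        values = attributes.get(name)
        if values and "@" in values[0]:
            return _without_tld(values[0].rsplit("@", 1)[1])
    return "MY_ORG"
```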

Page 11

Group membership

› To be implemented…

Page 12

Concepts

› We will have homeless users -> guest accounts
› Everyone can login to any service
› “logged-in” does not mean anything (well….)

› https://tnc2010.omega.terena.org

› One page to manage all your data (‘profile’ page)
› Similar to Switch.ch javascript sidebar
› To be implemented

Page 13

Issues encountered

› Changing your SP metadata at remote parties: takes a long time, non-technical, so think twice

› Non-federated users – don’t run ourselves
› Too many guest options now!!!

› Provisioning before users log in -> not possible
› Globally persistent ID
