The MetaData Service Distributing trust in AAI confederations

Connect. Communicate. Collaborate

The MetaData ServiceDistributing trust in AAI confederations

Manuela Stanica, DFN


DF

Outline

• What is the MetaData Service (MDS)?

• Role of a MetaData Service in AAI confederations

• Use of the MDS in eduGAIN

• The MDS URLs

• Publishing and retrieving metadata

• Trust and security considerations

• Conclusions


DF

What is the MetaData Service (MDS)?

• eduGAIN component developed in GN2-JRA5

• eduGAIN: the GÉANT2 AAI

• Support dynamic establishment of trust relations between members of AAI confederation

• Information model conform to SAML v 2.0 Metadata Specification

• SAML: Security Assertions Markup Language (OASIS)


DF

Outline




• The MDS URLs



• Conclusions


DF

AAI confederation hierarchy

• AAI confederation interconnecting AAI federations

• AAI federation participant institutions users

– access to external resources & services

– unaware of participants in other federations

– require procedure of trust establishment between them


DF

AAI confederation hierarchy (2)


DF

Role of metadata

• Connecting to entities in other federated AAIs – required information:– where (in which federation)?– how to reach ?– what is supported (protocols and functionalities)?

metadata– distribution to all confederation members

• static (pre-configured upon software installation)• dynamic (on request)


DF

Role of a MetaData Servicein AAI confederations

• AAI confederations

– non-static environments!

– frequent updates

means for dynamic collection & distribution of metadata:

MetaData Service (MDS)


DF

Outline




• The MDS URLs



• Conclusions


DF

Basic principles

• Centralised storage of metadata for eduGAIN components

• Dynamic retrieval & update– metadata exchange interface: eduGAINMeta– based on REST architecture model

• Distributed publishing & querying– among local federations – no central admin– multiple metadata publishers and consumers


DF

eduGAIN components


DF

Bridging Elements

• MDS used by Bridging Elements (BEs):

– gateways eduGAIN – local federations

– communication with peers (BEs) in other federations

– query MDS for metadata about Home BE

– MDS response: SAML 2.0 Metadata doc

– consumers/publishers of metadata


DF

Outline




• The MDS URLs



• Conclusions


DF

URL structure

• Syntax of REST URL mapping:

MDS base URL[/federation ID][/entity ID][?query string]

• Combinations of:

– MDS base URL: https://mds.geant2.net/ – federation ID: dfn, feide,...– entity ID: be1 – query string – Home Locator(s): homeDomain=uio.no


DF

Home Locators

• eduGAIN specific atribute-value pairs

• For: locating a remote BE (Home BE)

• From: – hints provided by user

– contents of certificate extensions

• Types: – Home domain (homeDomain=switch.ch)– URN (urn=urn:geant:edugain:component:be:switch:be1)


DF

Outline




• The MDS URLs



• Conclusions


DF

Publishing/ updating

• Who: metadata publishers– Federation Peering Point (FPP)– authorized Bridging Elements (BEs)

• What: SAML 2.0 Metadata documents– EntityDescriptor root ( one BE)– EntitiesDescriptor root ( several BEs)

• How: HTTP POST/PUT


DF

Publishing/ updating (2)

• For whole federation:– only by FPP– EntitiesDescriptor– URL syntax: <MDS base URL/federation ID>

http://mds.ladok.umu.se/feide

• For single entities:– by FPP / authorized BEs– EntityDescriptor– URL syntax: <MDS base URL/federation ID/entity ID>

http://mds.ladok.umu.se/switch/be1


DF

Retrieving metadata

• BE queries MDS via HTTP GET

• Metadata lookup– entity/federation name is known– <MDS base URL[/federation ID][/entity ID]>

http://mds.ladok.umu.se

http://mds.ladok.umu.se/switch

http://mds.ladok.umu.se/switch/entity1

• Metadata search

– entity name unknown, home locators

– <MDS base URL[/federation ID]?query string> http://mds.ladok.umu.se/?homeDomain=switch.ch


DF

Outline




• The MDS URLs



• Conclusions


DF

Trust establishment

• Elements of trust establishment in eduGAIN:– MDS– eduGAIN PKI– Component identifiers (CIDs)

• MDS trust tightly bound with eduGAIN PKI

minimal trust in the service itself

• Transitive trust


DF

Security checks

• MDS validations:– publisher‘s X.509 certificate– publishing rights

• Publishers‘ signatures fwd with metadata

validation by consumers


DF

Outline




• The MDS URLs



• Conclusions


DF

Conclusions

• MDS: dynamic metadata distribution in AAI confederations

• Centralised storage, distributed trust

• Employes standard SAML 2.0 Metadata

• Possible use in any SAML-based infrastructure

• Deployment together with eduGAIN-like PKI


DF

Thank you for your attention!

Questions?

Documents

The MetaData Service Distributing trust in AAI confederations