Miroslav Milinović
University of Zagreb, University Computing Centre (SRCE)
CESSDA SAW Workshop
Zagreb, March 1-2, 2017
AAI@EduHr
Croatian Research and Education Identity Federation
2/25
Contents
• Identity federations
• AAI@EduHr
• eduGAIN
• AAI@EduHr for SPs / developers
3/25
e-infrastructure
Network services
Data centers
Computing resources (servers, storage, HPC, grid, …)
Middleware (identity federations, AAA, …)
Data services (digital archives, repositories, …)
Information systems and applications
4/25
Identity federation model
[Diagram: IdP and SP joined by a trust relation. (1) The user accesses the service; (2) the IdP authenticates the user and provides attributes; (3) the SP consumes the attributes and allows access.]
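The three-step flow in the diagram, as an added Python illustration that is not code from the presentation or from AAI@EduHr: an IdP object authenticates the user and issues a short-lived, signed attribute statement addressed to one SP, and an SP object consumes it only after checking issuer trust, signature, audience and expiry. The HMAC signature, the entity IDs, the user store and the keys are constructed stand-ins for the XML signatures and metadata-distributed certificates a real SAML federation uses.

```python
"""Toy model of the three-step identity-federation flow: (1) the user accesses
the SP, (2) the IdP authenticates the user and issues an attribute statement,
(3) the SP consumes the attributes and allows access only if the statement
comes from an IdP it trusts, is addressed to it, and has not expired.

Added illustration, not AAI@EduHr or SAML library code. The HMAC stands in
for the XML-Signature a SAML IdP produces; the SP's trust store plays the
role of the IdP certificates a federation distributes in metadata. All
entity IDs, users and keys are constructed sample values."""
import hashlib
import hmac
import json
import time

ASSERTION_LIFETIME = 300  # seconds; SAML assertions are likewise short-lived


def _pw_hash(password, salt=b"constructed-salt"):
    # PBKDF2 so the sample "directory" never holds a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    def __init__(self, entity_id, signing_key, users):
        self.entity_id = entity_id
        self._key = signing_key   # stand-in for the IdP's private signing key
        self._users = users       # constructed user store (hash + attributes)

    def authenticate(self, username, password, audience, now=None):
        """Step 2: verify credentials, then issue a signed attribute statement
        addressed to one SP (audience). Returns None on bad credentials."""
        record = self._users.get(username)
        if record is None or not hmac.compare_digest(record["pw"], _pw_hash(password)):
            return None
        issued = now if now is not None else time.time()
        assertion = {
            "issuer": self.entity_id,
            "audience": audience,
            "not_on_or_after": issued + ASSERTION_LIFETIME,
            "attributes": record["attributes"],
        }
        payload = json.dumps(assertion, sort_keys=True).encode()
        return {"payload": payload,
                "signature": hmac.new(self._key, payload, hashlib.sha256).hexdigest()}


class ServiceProvider:
    def __init__(self, entity_id, trusted_idps):
        self.entity_id = entity_id
        # issuer entity ID -> verification key; in a federation this comes
        # from signed metadata, which is what the "trust" arrow stands for.
        self._trusted = dict(trusted_idps)

    def consume(self, token, now=None):
        """Step 3: accept the attributes only after every check passes.
        Returns (attributes, "ok") or (None, reason)."""
        payload, signature = token["payload"], token["signature"]
        assertion = json.loads(payload)
        key = self._trusted.get(assertion["issuer"])
        if key is None:
            return None, "untrusted issuer"
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return None, "bad signature"
        if assertion["audience"] != self.entity_id:
            return None, "wrong audience"  # statement was issued for another SP
        current = now if now is not None else time.time()
        if current >= assertion["not_on_or_after"]:
            return None, "expired"
        return assertion["attributes"], "ok"


# Constructed federation: one trusted IdP, one SP, plus an IdP that is absent
# from the SP's metadata-derived trust store.
KEY_A = b"constructed-signing-key-of-idp-a"
IDP_A = IdentityProvider("https://idp-a.example.hr", KEY_A, {
    "ana": {"pw": _pw_hash("correct horse battery"),
            "attributes": {"eduPersonPrincipalName": "ana@example.hr",
                           "eduPersonAffiliation": "student"}},
})
IDP_UNKNOWN = IdentityProvider("https://idp.unknown.example", b"other-key", {
    "bob": {"pw": _pw_hash("x"), "attributes": {"eduPersonAffiliation": "staff"}},
})
SP_1 = ServiceProvider("https://sp1.example.hr", {IDP_A.entity_id: KEY_A})


def access_service(sp, idp, username, password, now=None):
    """Steps 1 to 3 end to end: the user contacts the SP, is sent to the IdP,
    and the IdP's statement comes back to the SP for consumption."""
    token = idp.authenticate(username, password, sp.entity_id, now)
    if token is None:
        return None, "authentication failed"
    return sp.consume(token, now)


if __name__ == "__main__":
    print(access_service(SP_1, IDP_A, "ana", "correct horse battery"))
    print(access_service(SP_1, IDP_UNKNOWN, "bob", "x"))
```

The order of checks mirrors what an SP must do with a real assertion: select the key by issuer, verify the signature before trusting any other field, then check audience and validity window, so a statement issued for a different SP or replayed later is refused even though it is genuinely signed.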
5/25
Mesh federation model
[Diagram: SP 1 and SP 2 each trust IdP A and IdP B directly; a WAYF (MDS) lets the user choose the IdP to log in at.]
6/25
Hub-and-spoke federation model
[Diagram: SP 1, SP 2, IdP A and IdP B connect only to the central Hub (WAYF), where the user logs in.]
7/25
Virtual Organisations (VOs) / Attribute Authorities (AAs)
[Diagram: the user reaches the SP through its entry point; the SP's AAI component talks to the IdP's AAI component (backed by an LDAP directory) and to the AA's AAI component (backed by the VO's data).]
8/25
AAI@EduHr: Croatian R&E Identity Federation
• Authentication and authorisation infrastructure for science and (higher) education in the Republic of Croatia
• in production since March 1, 2006
• hub-and-spoke architecture
• Policy document: Pravilnik o ustroju, ver. 1.3.1 (http://www.aaiedu.hr/docs/[email protected])
• March 1, 2017:
  • 229 IdPs
  • 603 SPs
  • 878.173 e-identities
• connected to:
  • global services: eduroam and eduGAIN
  • national e-gov service: NIAS (e-Građani)
• Web: http://www.aaiedu.hr (notice: most of the documentation is in Croatian only)
9/25
AAI@EduHr in numbers
Successful Web SSO authN:
last 30 days: 2.964.140
last 24 hours: 104.587
Successful RADIUS authN:
last 30 days: 14.013.800
last 24 hours: 603.678
(March 1, 2017)
[Chart: successful SSO authN per month, 01/15 to 11/16, y-axis from 0 to 3,000,000]
11/25
Connections with other services
www.eduroam.org
www.edugain.org
NIAS (e-Građani)
12/25
AAI@EduHr: Hub-and-spoke federation
[Diagram: SP 1, SP 2, IdP A and IdP B connect to the central Hub (WAYF), where the user logs in; the central services are provided by Srce.]
13/25
AAI@EduHr architecture
[Diagram: the user reaches the SP entry point, whose AAI@EduHr component talks over HTTPS / SAML to the central AAI@EduHr services (RADIUS proxy, FWS, MDS, login/SSO, VO/AA). The central services talk to the institutional IdP (AOSI-WS & RADIUS server in front of an LDAP directory) over HTTPS / SOAP and RADIUS, and connect outward to eduGAIN (HTTPS / SAML), eduroam (RADIUS), social networks (OpenID, …) and NIAS (HTTPS / SAML).]
14/25
AAI@EduHr: IdM
[Diagram: the institutional AAI@EduHr IdP consists of a RADIUS server, AOSI-WS and AOSI-Web in front of an LDAP directory.]
15/25
What is eduGAIN?
• educational Global Authentication Infrastructure
• basic components:
  • eduGAIN Policy Framework (https://technical.edugain.org/documents)
  • MDS (Metadata Distribution Service; mds.edugain.org)
16/25
eduGAIN
• in production since 2011
• 41 member federations
• www.edugain.org
• technical.edugain.org
17/25
AAI@EduHr in eduGAIN
• AAI@EduHr is an eduGAIN member
• Srce represents AAI@EduHr in eduGAIN bodies
• AAI@EduHr entities in eduGAIN:
  • all IdPs are automatically "in" eduGAIN
    • attribute release based on the eduGAIN Attribute Profile
    • an IdP can opt out
  • all SPs are "out"
    • an SP has to opt in (ask Srce to be included)
    • an SP has to fulfil organisational and technical requirements
18/25
AAI@EduHr for SPs (Web SSO scenario)
[Diagram: the user logs in; the AA component at the SP entry point talks over HTTPS / SAML 2.0 to the central AAI@EduHr services, which in turn talk to the IdP (AOSI-WS in front of an LDAP directory).]
19/25
AAI@EduHr for SPs (Developers)
• supported protocols:
  • SAML 2.0
  • RADIUS (network access, special cases of non-web-based services)
• supported platforms:
  • PHP (simpleSAMLphp)
  • Java (Spring Security SAML, …)
  • .NET (OIOSAML.NET)
  • Python / Django
  • Shibboleth-compatible tools/platforms
  • any platform compatible with SAML 2.0
• testing environment: AAI@EduHr Lab
20/25
SP set-up in AAI@EduHr
• study:
  • AAI@EduHr Policy (http://www.aaiedu.hr/docs/[email protected])
  • documentation for SPs (http://www.aaiedu.hr/za-davatelje-usluga)
• register your application via the resource registry:
  • www.aaiedu.hr/aairr
  • indicate special cases: eduGAIN and/or additional login via social networks
• make the necessary adjustments in your application:
  • install missing components (e.g. SSP, SAML modules, …)
  • use AAI@EduHr LAB for testing
• the AAI@EduHr team provides support via the e-mail address [email protected]
21/25
AAI@EduHr and social networks
http://www.unizg.hr/authdemo/
22/25
How to opt-in eduGAIN with your SP?
• let Srce know:
  • we provide support / know-how
  • we publish your metadata / register your application in eduGAIN
• adjust your service policy:
  • privacy policy / CoCo (see the eduGAIN documentation)
• adjust the technical components of your service:
  • attribute handling
  • discovery service (login screen / WAYF)
  • metadata handling
• verify before production
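The three technical adjustments listed above (attribute handling, discovery service, metadata handling), as one added Python example that is not code from the presentation, AAI@EduHr, eduGAIN or any SAML library: it reads a constructed, unsigned miniature of a SAML 2.0 metadata aggregate, refuses it once validUntil has passed, builds the discovery (WAYF) list from the IdPs it contains, and applies the SP's own RequestedAttribute list to a released attribute set. The entity IDs, endpoints and the aggregate itself are made up; the OIDs for eduPersonPrincipalName and mail are the standard ones. Verification of the aggregate's XML signature against the federation's signing certificate is assumed to have happened before this code runs and is not shown.

```python
"""SP-side handling of federation metadata: check validUntil, derive the
discovery list, and enforce the SP's requested-attribute list.

Added example, not AAI@EduHr, eduGAIN or simpleSAMLphp code. SAMPLE_METADATA
is a constructed, unsigned miniature aggregate; a production SP verifies the
aggregate's XML signature first (not shown here)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
NS = {"md": MD, "mdui": MDUI}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample aggregate: two IdPs and one SP (all entity IDs made up).
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:mdui="{MDUI}"
    Name="constructed-aggregate" validUntil="2017-03-08T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp-a.example.hr/saml2/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="hr">Sveučilište A</mdui:DisplayName>
        <mdui:DisplayName xml:lang="en">University A</mdui:DisplayName>
      </mdui:UIInfo></md:Extensions>
      <md:SingleSignOnService Binding="{POST}" Location="https://idp-a.example.hr/sso/post"/>
      <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp-a.example.hr/sso/redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.hr/saml2/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="{POST}" Location="https://idp-b.example.hr/sso/post"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp1.example.hr/saml2/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="0">
        <md:ServiceName xml:lang="en">Service 1</md:ServiceName>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="false"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def utc(*ymd_hms):
    return datetime(*ymd_hms, tzinfo=timezone.utc)


def load_metadata(xml_text):
    return ET.fromstring(xml_text)


def metadata_is_current(root, now):
    """False once validUntil has passed: stale metadata may still list a key
    that was since revoked, so the SP must stop using it rather than carry on."""
    valid_until = root.get("validUntil")
    if valid_until is None:
        return False  # an aggregate with no validUntil would never expire; reject it
    return now < datetime.fromisoformat(valid_until.replace("Z", "+00:00"))


def discovery_entries(root):
    """One row per IdP for the WAYF / login screen, preferring HTTP-Redirect."""
    rows = []
    for ed in root.findall("md:EntityDescriptor", NS):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SPs do not appear in the discovery list
        names = {n.get(XML_LANG): n.text
                 for n in idp.findall("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)}
        endpoints = {s.get("Binding"): s.get("Location")
                     for s in idp.findall("md:SingleSignOnService", NS)}
        binding = REDIRECT if REDIRECT in endpoints else POST
        rows.append({"entity_id": ed.get("entityID"),
                     "display_name": names.get("en") or next(iter(names.values()), ed.get("entityID")),
                     "binding": binding, "sso_url": endpoints.get(binding)})
    return rows


def requested_attributes(root, sp_entity_id):
    """FriendlyName -> isRequired for the SP's AttributeConsumingService."""
    for ed in root.findall("md:EntityDescriptor", NS):
        if ed.get("entityID") == sp_entity_id:
            attrs = ed.findall("md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute", NS)
            return {a.get("FriendlyName"): a.get("isRequired") == "true" for a in attrs}
    return {}


def apply_release(released, requested):
    """Keep only requested attributes (data minimisation) and report which
    required ones the IdP failed to release."""
    accepted = {k: v for k, v in released.items() if k in requested}
    missing = sorted(k for k, req in requested.items() if req and k not in released)
    return accepted, missing
```

Two of the checks are where SPs most often go wrong in practice: continuing to trust an aggregate past its validUntil, and storing every attribute an IdP happens to release instead of only the ones the SP's own metadata asked for.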
23/25
Discovery service examples
https://foodl.org/
http://monitor.eduroam.org/db_web
24/25
Learning opportunity
• we organize a workshop for SPs / application developers on April 4
• check http://www.srce.unizg.hr/dei/radionice
Through its open access policy, Srce makes all results of its work available to and usable by the wider public, above all the educational and professional information and content created through Srce's activities.
This work is licensed under the Creative Commons Attribution-NonCommercial 4.0 International licence.
www.srce.unizg.hr creativecommons.org/licenses/by-nc/4.0/deed.hr www.srce.unizg.hr/otvoreni-pristup
AAI@EduHr
http://www.aaiedu.hr