UBUNTUNET CONNECT 2018. Federations: Introduction. Justin Knight, Jisc (justin.knight@jisc.ac.uk)
Recap (yesterday): identities and good identity management; registries; status and outlook; where you are.
This session: introduction to federation; types: identity and roaming; key similarities; key differences; key benefits; value proposition; local to global; late mover advantage (tomorrow's session).
Acknowledgements: Guy, Scott and Chris.
Two federation types: identity (SSO to web-based resources; non-web also exists, but is not our focus) and roaming.
Key similarities. Foundation of federated identity: trust is good, and it is built into policy to provide a basis for a mutual understanding of responsibilities; make the boundaries of the trust relationship clear to all parties; and reduce the risk that the relationship will break down as the result of inadvertent or malicious actions by a minority.
Key similarities. Three common components: Identity Provider (IdP); Service Provider (SP); operator of central infrastructure, i.e. the Federation Operator (identity) or National Roaming Operator (NRO) (eduroam). An organisation can be both an IdP and an SP. The components are common in terminology, not in technology (we'll come on to this).
Key similarities. Good identity management at the institution is critical: it is the starting point for institutions. Setting up a user's identity poorly can lead to lack of access to services or WiFi, and a poor user experience means poor usage, uptake and reputation.
Key similarities. Easy access to services: the goal of both is to make the user experience of service access easier. A single credential for accessing multiple resources (identity federation); a single credential for accessing wireless networks in multiple locations (eduroam).
Key similarities. The role of the operator is to facilitate the trust relationship between IdPs and SPs through infrastructure and policy.
Key differences: purpose; operators; underlying technologies/infrastructure.
Purpose – identity federation Video courtesy of Jisc (and quite old now!)
Purpose - eduroam Video courtesy of AARNet
Purpose summary. Identity federation: single credential for accessing multiple web-based resources. eduroam (global wireless roaming access service): single credential for accessing wireless networks in multiple locations.
Key differences: operators.
eduroam NROs: coordinate eduroam within their country or territory; own the trademark for eduroam® in their service area; define national policy; are responsible for ensuring compliance with global policy; operate a RADIUS proxy. Generally there is one roaming operator per country (the NRO), but there are exceptions to this.
eduroam, an important note: it is "eduroam", not "Eduroam" or "EduRoam" (or other student favourites, EuroDam and EduRam). Why does the case matter? Wireless network names (SSIDs) are case sensitive. We want users to connect automatically, so we all need to call our networks the same thing. It also helps with trademark enforcement.
Identity federation operators: choose a deployment method (SAML or OIDC; mesh or hub-and-spoke; edu-ID, which is user-centric); set policy for IdPs and SPs to participate in their federation, and support them; aggregate, sign and publish the metadata of entities, facilitating the trust relationship between them; opt into or out of entity categories such as R&S, GEANT CoCo and SIRTFI; can apply to join eduGAIN, the global inter-federation service (more on this later).
Key differences: underlying technology/infrastructure.
Identity federation underlying technology/infrastructure. Several options are available: SAML (popular with R&E), implemented by Shibboleth (IdP, SP) and SimpleSAMLphp; OIDC (popular with commercial operators), implemented by Shibboleth (IdP).
eduroam underlying technology/infrastructure. eduroam is a global wireless roaming network based on: WPA2 and 802.1X (network access control); RADIUS (infrastructure to transport credentials); a trust fabric (RADIUS hierarchy and policy).
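The "trust fabric" in that last bullet is easiest to understand as a routing problem: the visited site only ever sees the outer identity (typically anonymous@realm), and the realm alone decides where the request is proxied. The following is an added, simplified simulation written for this page; it is not eduroam's software and not from the presentation. The country codes, operator names, regions and realms are all constructed and hypothetical, and the hierarchy (institution, NRO, regional top-level proxy) is a deliberate simplification of the real topology.

```python
"""Simulation of eduroam-style RADIUS realm routing (constructed example)."""
from __future__ import annotations
from typing import Optional

# Hypothetical topology: country code -> National Roaming Operator (NRO)
NRO_BY_CC = {
    "ke": {"name": "NRO-KE", "region": "africa", "members": {"uni-a.ac.ke", "uni-b.ac.ke"}},
    "za": {"name": "NRO-ZA", "region": "africa", "members": {"uni-c.ac.za"}},
    "uk": {"name": "NRO-UK", "region": "europe", "members": {"uni-d.ac.uk"}},
}
# Hypothetical top-level RADIUS proxies, one per region, that route between NROs
TLR_BY_REGION = {"africa": "TLR-AF", "europe": "TLR-EU"}


def split_outer_identity(outer: str) -> Optional[tuple[str, str]]:
    """Split 'user@realm' into (user, realm).

    Only the realm is used for routing and it is compared case-insensitively.
    The real username and password travel inside the EAP tunnel and are never
    visible to the visited site or the proxies, so the outer identity can be
    'anonymous@realm'. Returns None when there is no usable realm.
    """
    if outer.count("@") != 1:
        return None
    user, realm = outer.split("@")
    realm = realm.strip().lower()
    if not realm or "." not in realm:
        return None
    return user, realm


def route(outer: str, visited_realm: str, visited_cc: str) -> list[str]:
    """Return the hop-by-hop path an Access-Request takes through the hierarchy."""
    path = [f"SP {visited_realm}"]
    parsed = split_outer_identity(outer)
    if parsed is None:
        # Without a realm the visited site has nowhere to forward the request.
        return path + ["REJECT: outer identity has no routable realm"]
    _, realm = parsed

    if realm == visited_realm:
        # A home user at their own institution: authenticated locally, no proxying.
        return path + ["local IdP (home user)"]

    visited_nro = NRO_BY_CC[visited_cc]
    path.append(visited_nro["name"])
    if realm in visited_nro["members"]:
        # Same country: the national proxy forwards straight to the home IdP.
        return path + [f"IdP {realm}"]

    # Realm unknown nationally: escalate to the regional top-level proxy.
    path.append(TLR_BY_REGION[visited_nro["region"]])
    cc = realm.rsplit(".", 1)[-1]
    home_nro = NRO_BY_CC.get(cc)
    if home_nro is None:
        return path + [f"REJECT: no eduroam NRO for .{cc}"]
    if home_nro["region"] != visited_nro["region"]:
        path.append(TLR_BY_REGION[home_nro["region"]])
    path.append(home_nro["name"])
    if realm not in home_nro["members"]:
        # The home country's NRO is the authority on who its members are.
        return path + [f"REJECT: {realm} is not registered with {home_nro['name']}"]
    return path + [f"IdP {realm}"]


if __name__ == "__main__":
    for ident in ["anonymous@uni-d.ac.uk", "anonymous@UNI-B.ac.ke", "alice", "anonymous@uni-x.example"]:
        print(ident, "->", " > ".join(route(ident, "uni-a.ac.ke", "ke")))
```

Two things worth noticing when you run it: a request with no realm is dropped at the visited site (an SP cannot route it, which is why eduroam requires realm-qualified identities), and a realm whose country has no NRO is dropped at the top-level proxy rather than being guessed at. Every reject happens at the operator that is authoritative for that decision, which is the policy side of the trust fabric.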
Key benefits (Identity federation)
Value proposition (identity federation)
Key benefits (eduroam)
Value proposition (eduroam): modest implementation and maintenance costs; making it easier to get access to the Internet promotes cooperation and collaborative research; it also makes students less dependent on geography; users expect access to the Internet to just work.
Value proposition (eduroam IdP): allows your staff and students to gain access to the Internet for free all over the world; improves their productivity and makes them happy; gives you the peace of mind that it's probably more secure than a public hot-spot; relatively straightforward and low risk; if it doesn't work, only your staff and students know.
Value proposition (eduroam SP): makes it easier for visitors to use your network, which is good for your reputation and for their productivity, and makes your campus more attractive for academic events; in most cases leverages your existing wireless infrastructure; cost savings by reducing the amount of support your help desk does for visitors and the number of temporary visitor accounts you create. One South African university saw a 25% decrease in the first year.
Value proposition summary: collaboration opportunities; reputation and branding; security (network and identity); cost and time.
Discovery: discovery services in identity federations, example.
Discovery: example (cont).
Discovery. The example was through the UK federation, which uses the Shibboleth Central Discovery Service (CDS). That software reached end of life for support in the Shibboleth project in 2016. There are other discovery services available: SWITCH WAYF (Where Are You From), the CESNET service, and the RA21 work. It is worth investing time in finding what is most suitable for you.
Local to global: both identity and roaming federations are deployed at national level, and global architectures exist for both.
Local to global. National identity federations inter-federate via a global authentication infrastructure, opening global services to users whose institutions are registered in national identity federations: user > institutional identity > identity federation (> national services) > eduGAIN > global services.
eduGAIN provides the policy framework and standard to build trust between members. The MDS (Metadata Distribution Service) fetches, aggregates and republishes metadata, like collating a global phonebook of white/yellow pages from federations.
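To make the "global phonebook" concrete, and to show what the earlier operator slide means by aggregating metadata and opting into entity categories, here is an added example written for this page; it is not the presentation's material and not eduGAIN's MDS code. It consumes two constructed per-federation SAML metadata aggregates and builds one combined aggregate, rejecting an entity whose RegistrationInfo does not name the federation that published it, an entity whose validUntil has passed, and an entityID already registered through another federation; it then lets you look up which entities carry R&S, GEANT CoCo or SIRTFI. The attribute names and category URIs are the published ones; the federation names, entity IDs and aggregate name are hypothetical. Signing and signature verification, which an operator would do with XML-DSig tooling, are not shown.

```python
"""Toy metadata aggregator in the spirit of an inter-federation MDS (constructed example)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Published attribute names and category values (these are real identifiers)
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ASSURANCE_CERTIFICATION = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
SIRTFI = "https://refeds.org/sirtfi"

# Constructed per-federation aggregates; federations and entity IDs are hypothetical.
FED_A_AUTHORITY = "https://federation-a.example/"
FED_A = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdrpi="{NS['mdrpi']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}" Name="{FED_A_AUTHORITY}">
  <md:EntityDescriptor entityID="https://idp.uni-a.example/idp/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="{FED_A_AUTHORITY}"/>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY}">
          <saml:AttributeValue>{RS_CATEGORY}</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="{ASSURANCE_CERTIFICATION}">
          <saml:AttributeValue>{SIRTFI}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://retired.uni-a.example/sp" validUntil="2017-06-30T00:00:00Z">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="{FED_A_AUTHORITY}"/></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

FED_B_AUTHORITY = "https://federation-b.example/"
FED_B = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdrpi="{NS['mdrpi']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}" Name="{FED_B_AUTHORITY}">
  <md:EntityDescriptor entityID="https://library.uni-b.example/sp">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="{FED_B_AUTHORITY}"/>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY}">
          <saml:AttributeValue>{COCO_V1}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.uni-a.example/idp/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="{FED_B_AUTHORITY}"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _valid_until(ed):
    value = ed.get("validUntil")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if value else None


def aggregate(feeds, now):
    """feeds: list of (registration_authority, xml_text). Returns (root, accepted, rejected)."""
    root = ET.Element(f"{{{NS['md']}}}EntitiesDescriptor", Name="https://mds.example/aggregate")
    accepted, rejected, seen = [], [], set()
    for authority, xml_text in feeds:
        for ed in ET.fromstring(xml_text).findall("md:EntityDescriptor", NS):
            eid = ed.get("entityID")
            reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
            expiry = _valid_until(ed)
            if reg is None or reg.get("registrationAuthority") != authority:
                rejected.append((eid, "registrationAuthority missing or not this federation"))
            elif expiry is not None and expiry <= now:
                rejected.append((eid, "expired"))
            elif eid in seen:
                # One entity, one registrar: a later feed cannot re-register it.
                rejected.append((eid, "already registered by another federation"))
            else:
                seen.add(eid)
                accepted.append(eid)
                root.append(ed)
    return root, accepted, rejected


def entity_attribute_values(ed, name):
    values = []
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return values


def entities_with(root, name, value):
    return [ed.get("entityID") for ed in root.findall("md:EntityDescriptor", NS)
            if value in entity_attribute_values(ed, name)]


if __name__ == "__main__":
    root, ok, bad = aggregate([(FED_A_AUTHORITY, FED_A), (FED_B_AUTHORITY, FED_B)], datetime.now(timezone.utc))
    print("accepted:", ok, "\nrejected:", bad, "\nR&S IdPs:", entities_with(root, ENTITY_CATEGORY, RS_CATEGORY))
```

The three rejection rules are where the trust lives: registrationAuthority ties an entity to exactly one federation that vouched for it, validUntil stops stale entries circulating, and the duplicate check stops a second federation from re-registering someone else's entity. Consumers (IdPs and SPs) then use the entity-category lookups to decide, for instance, which SPs qualify for R&S attribute release.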
https://technical.edugain.org/documents
Identity federations November 2018
Local to global: Global eduroam Governance Committee (GeGC). The GeGC is responsible for the overall technical standards for eduroam, and also indirectly for the top-level RADIUS proxies. It has a chair. Representatives from the African region: Mohamed Aliouat (ARN, Algeria), Kennedy Aseda (KENET, Kenya), Samuel Ouya (SNRER, Senegal). Have I missed you?
Late mover advantage: the maps show the level of deployment in Africa; there are advantages in drawing on the experience of others; session tomorrow on resources, tools and help.
Thank you! Questions?