Trust and identity
Chair: Josh Howlett, Head of trust and identity, Jisc

Liberate update

What is Liberate?
>Access management is critical to HE, FE, and Research
>The R&E requirement is often challenging and hard to address with commercial products
>The R&E requirement often requires effort from highly skilled staff
>As a result, it can be complex and costly to organise and deliver good access management

What is Liberate?
>A fully-managed, cloud-based solution for access management
>Provides an access management solution for:
  >UK Access Management Federation
  >Eduroam (Home and Visited)
  >IP-authenticated services
  >Assent
>Developed and operated by Jisc on AWS in Dublin, and connected to Janet
>A subscription service which launched in October 2017
>Fully supported by our team of technical experts

Progress update
>Fourteen subscribers:
  >Seven FE colleges
  >Four HE institutions
  >One Research organisation
  >Two Library Authorities
>Many other organisations piloting
>Internal administrative issues resulted in a four-month delay to the Eduroam functionality
>100% uptime and no technical issues reported yet

Key benefits seen by early adopters
>Significant savings (£Ks) if replacing a competitor
>Obtain new access management capabilities that were previously unaffordable
>Seamless transition with no interruption to services
>Staff able to focus on other priorities
>Peace of mind (software updates, etc.)

Jisc collaboration with Society for Chief Librarians
>The SCL represents 151 Library Authorities in England, Wales, and Northern Ireland
>Public Libraries share some of the same access management issues as HE/FE institutions
>Currently being piloted by five Library Authorities
>Introducing chargeable service in April 2018 (two already signed up)
Except where otherwise noted, this work is licensed under CC-BY-NC-ND.
Josh Howlett
Head, trust & identity
josh.howlett@jisc.ac.uk
I have been…
One Castlepark, Tower Hill, Bristol, BS2 0JA
T 01235 822 363
customerservices@jisc.ac.uk
jisc.ac.uk
Any questions? /
Thank you

UK Access Management Federation update
Rhys Smith, Chief technical architect, trust and identity, Jisc
Alex Stuart, Principal technical support specialist, Jisc
Operational update

Some numbers...
>Web Single Sign-On based on SAML
>1131 member organisations; 2278 entities
>Research and Education: 100% HE, ~80% FE, and representation from schools, government, public libraries, NHS
>Federation to solve the problem of N^2 interactions*
>Interfederation through eduGAIN allows interoperability with thousands more entities from 50 other federations*
* some conditions apply

Type of entities 1
[Chart: Registered Entities by Type, data as of 1-Mar-2018 00:00:00; y-axis: Entities, 0 to 1500; x-axis: Dec 06 to Jun 17; series: SPs, IdPs]

Type of entities 2: IdPs
>500 Shibboleth IdPs (66%) and OpenAthens (30%)
>Recent security advisories reported on the Shibboleth announce list:
  >LDAPS connector using non-standard configuration
  >ROBOT
>Shibboleth IdP v2 to v3 transition: a minority of IdPs are still on v2 (end of life was July 2016)

Type of entities 3: SPs
>Publishers, collaboration tools, research project sites, gateways to e-Infrastructures, business apps, student sites, inventories...
>Linear growth “for ever”
>Over 1000 Shibboleth SPs (75%) with a long tail of other types of software (many open source libraries, some products)
>Security advisories in the last 12 months distributed on Shibboleth announce:
  >XMLTooling x 2
  >ROBOT
  >MDQ client misconfiguration

Protocol support
>99% support SAML 2, so can we just turn off SAML 1?
>Unfortunately, support != use
>Using the WAYF protocol with the Central Discovery Service implies SAML 1, so in June 2017 we deprecated the WAYF protocol
>MDUI support (primarily logos) at 30%
>Algorithmic agility for XML cryptography
New initiatives
MDQ: MD distribution 2.0

MDQ
>Not really “new” any more - live for over a year
>What is it?
  >Traditional MD distribution is regular syncing of the MD aggregate – currently 36MB
  >MDQ is just-in-time fetching of bits of metadata instead
>FAR lower resource requirements for software
  – IdP uses far less memory
  – SP will start up far faster
>Currently ~10% of clients now using MDQ.
>But the traffic for that 10% is 0.0001% of total
UKf metadata distribution
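As an added example (not code from the UK federation or the Shibboleth project), the Python below sketches what an MDQ client does instead of syncing the 36MB aggregate: it builds the per-entity request URL defined by the MDQ protocol draft (either the percent-encoded entityID or its "{sha1}" transform), then applies the checks a client must make on the response before trusting it: the returned entityID is the one that was requested, and validUntil has not passed. Skipping those checks turns just-in-time fetching into just-in-time trust in whatever the transport delivered. The base URL, the entityIDs and the EntityDescriptor are constructed placeholders; XML signature verification, which a real client must also perform, is left out.

```python
"""Added illustration of an MDQ-style per-entity metadata lookup.
Not UK federation code; MDQ_BASE is a placeholder and the sample
EntityDescriptor below is constructed for this example."""
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
MDQ_BASE = "https://mdq.example.org/"   # placeholder, not a real MDQ responder


def mdq_url(entity_id: str, use_sha1: bool = False) -> str:
    """Request URL for one entity under the MDQ protocol draft: the
    percent-encoded entityID, or the '{sha1}' transform (hex SHA-1 of the
    UTF-8 entityID), appended to <base>/entities/."""
    if use_sha1:
        ident = "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    else:
        ident = urllib.parse.quote(entity_id, safe="")
    return MDQ_BASE + "entities/" + ident


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC timestamp helper used by the checks below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _parse_saml_datetime(value: str) -> datetime:
    # xs:dateTime in SAML metadata is UTC with a trailing 'Z'
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_fetched_entity(xml_bytes: bytes, requested_id: str, now: datetime):
    """Checks a client must make on an MDQ response before using it.
    Returns (accepted, reason). Signature verification of the document is
    also required in practice and is deliberately not shown here."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return False, "not well-formed XML: %s" % exc
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        return False, "root element is not md:EntityDescriptor"
    if root.get("entityID") != requested_id:
        # the responder must return exactly the entity that was asked for
        return False, "entityID does not match the requested entity"
    valid_until = root.get("validUntil")
    if valid_until is None:
        return False, "no validUntil; refuse metadata without an expiry"
    if now >= _parse_saml_datetime(valid_until):
        return False, "metadata expired at %s" % valid_until
    return True, "ok"


# Constructed sample entity (not a real UKf member)
SAMPLE_ENTITY_ID = "https://sp.example.ac.uk/shibboleth"
SAMPLE_XML = (
    '<md:EntityDescriptor xmlns:md="%s" entityID="%s" '
    'validUntil="2018-03-08T00:00:00Z">'
    '<md:SPSSODescriptor protocolSupportEnumeration='
    '"urn:oasis:names:tc:SAML:2.0:protocol"/>'
    '</md:EntityDescriptor>'
) % (MD_NS, SAMPLE_ENTITY_ID)
SAMPLE_XML = SAMPLE_XML.encode("utf-8")

if __name__ == "__main__":
    print(mdq_url(SAMPLE_ENTITY_ID))
    print(mdq_url(SAMPLE_ENTITY_ID, use_sha1=True))
    print(check_fetched_entity(SAMPLE_XML, SAMPLE_ENTITY_ID, utc(2018, 3, 1)))
    print(check_fetched_entity(SAMPLE_XML, SAMPLE_ENTITY_ID, utc(2018, 3, 9)))
```

The per-entity document here is a few hundred bytes against a 36MB aggregate, which is where the lower memory and start-up figures on the slide come from; the price is that every lookup is a fresh trust decision, so the entityID and validUntil checks (and signature verification) belong in the client, not in an operator's good intentions.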
Discovery

Central Discovery Service
>UKf CDS services ~4,000,000 CDS flows/month
>Very stable and reliable, but running on old code
>Currently deciding what to replace it with
>Awaiting results of RA21 working group
>Don’t worry – look and feel will remain as consistent as possible (hopefully identical)

UKf CDS usage
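The two discovery slides above (the WAYF protocol implying SAML 1, and the CDS forwarding ~4,000,000 flows a month) come down to one job: check what the SP sent, let the user pick an IdP, and redirect back. The Python below is an added example, not the UKf CDS code. It rejects legacy WAYF-protocol requests (the shire/providerId parameters), requires the SAML IdP Discovery Profile's return URL to be one of the SP's registered DiscoveryResponse endpoints (the check that stops a discovery service being used as an open redirector), and appends the chosen IdP under returnIDParam. The SP registry, the entityIDs and the endpoint URLs are constructed.

```python
"""Added illustration of the request handling a SAML discovery service does.
Not the UKf CDS code; the registry below is constructed for this example."""
import urllib.parse

# Constructed stand-in for the idpdisc:DiscoveryResponse endpoints a DS would
# load from each SP's federation metadata (not real UKf data).
DISCOVERY_RESPONSES = {
    "https://sp.example.ac.uk/shibboleth": [
        "https://sp.example.ac.uk/Shibboleth.sso/Login",
        "https://sp.example.ac.uk/Shibboleth.sso/DS",
    ],
}


def return_url_registered(sp_entity_id: str, return_url: str) -> bool:
    """The SAML IdP Discovery Profile requires the DS to check 'return'
    against the SP's registered DiscoveryResponse locations. Policy used
    here: scheme, host and path must match exactly; any query string is
    allowed, since SPs carry their own state there."""
    r = urllib.parse.urlsplit(return_url)
    for endpoint in DISCOVERY_RESPONSES.get(sp_entity_id, ()):
        e = urllib.parse.urlsplit(endpoint)
        if (r.scheme, r.netloc, r.path) == (e.scheme, e.netloc, e.path):
            return True
    return False


def handle_discovery_request(query_string: str, chosen_idp: str):
    """Decide what the DS does with the query string an SP sent it, once the
    user has picked chosen_idp. Returns ("redirect", url) or ("reject", why)."""
    q = dict(urllib.parse.parse_qsl(query_string, keep_blank_values=True))
    # The legacy WAYF protocol (shire / providerId / target) belongs to SAML 1
    if "shire" in q or "providerId" in q:
        return "reject", "WAYF protocol request (SAML 1) is deprecated"
    sp, ret = q.get("entityID"), q.get("return")
    if not sp or not ret:
        return "reject", "entityID and return are required"
    if not return_url_registered(sp, ret):
        return "reject", "return URL is not a registered DiscoveryResponse for this SP"
    param = q.get("returnIDParam") or "entityID"   # profile default
    sep = "&" if urllib.parse.urlsplit(ret).query else "?"
    return "redirect", ret + sep + urllib.parse.urlencode({param: chosen_idp})


# Constructed sample requests, as a browser would carry them to the DS
SAML2_REQUEST = (
    "entityID=https%3A%2F%2Fsp.example.ac.uk%2Fshibboleth"
    "&return=https%3A%2F%2Fsp.example.ac.uk%2FShibboleth.sso%2FLogin%3Ftarget%3Dcookie"
)
UNREGISTERED_RETURN = (
    "entityID=https%3A%2F%2Fsp.example.ac.uk%2Fshibboleth"
    "&return=https%3A%2F%2Felsewhere.example%2Fcatch"
)
WAYF_REQUEST = (
    "shire=https%3A%2F%2Fsp.example.ac.uk%2FShibboleth.sso%2FSAML%2FPOST"
    "&providerId=https%3A%2F%2Fsp.example.ac.uk%2Fshibboleth&target=cookie"
)

if __name__ == "__main__":
    idp = "https://idp.example.ac.uk/idp/shibboleth"
    for req in (SAML2_REQUEST, UNREGISTERED_RETURN, WAYF_REQUEST):
        print(handle_discovery_request(req, idp))
```

Rejecting the WAYF shape outright is what "deprecating the WAYF protocol" means at the code level: an SP that still sends shire/providerId is announcing that it will consume a SAML 1 response, and the DS is the natural place to notice that.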
Self Service
>Web portal on the Jisc community website to manage your own entities, domains, etc.
>Can still make use of the helpdesk if you’re worried or unsure about making changes!
>Coming later this year (finally)
And various other things

Behind the scenes tweaking
>For example:
  >Improving quality of UKf metadata
  >UKf working with eduGAIN to improve quality of international metadata – better global interoperability
  >Managed Federation – rebuilding UKf backend systems in a containerised, deployable way, to let us run other federations’ backend systems
  >Rebuilding distribution infrastructure for MFS – UKf infrastructure should become even more resilient and performant
  >Tracking OIDC and other emerging technologies
Rhys Smith
Chief technical architect, trust and identity
rhys.smith@jisc.ac.uk
We have been...
service@ukfederation.org.uk
jisc.ac.uk/uk-federation
Alex Stuart
Principal technical support specialist (UK federation)
alex.stuart@jisc.ac.uk
Any questions? /
Thank you
eduTEAMS
Niels Van Dijk, SURFnet

About GÉANT
GÉANT supports and represents over 40 NRENs across Europe. Together they support over 10,000 institutions and 50 million academic users.

Trust, Identity & Security: supporting users and enabling secure access to services
eduroam - secure global roaming access service; 250+ million authentications per month in 89 territories
eduGAIN - interconnects identity federations around the world, simplifying access to content, services and resources; ~3500 identity providers accessing services
AARC project – collaborating with e-infrastructures, research collaborations, libraries & federations to share policies, architectures, training materials & pilots that avoid re-inventing the authentication & authorisation wheel
REFEDS – supporting identity federations worldwide
Trusted Introducer – services for security and incident response teams
Certificate Service – delivering cost-effective digital certificates
In partnership with

Challenges for Collaborative Organisations
• Challenges in Authentication space
  • International Collaboration
  • Collaborative organisations work with people outside the scope of R&E communities as well
  • Requires Collaborative organisations to peer with other non-R&E Identity providers or maintain an additional Identity provider
• Challenges in Authorization space
  • Services run by Collaborative Organisations often need attribute or group related information in the context of their collaboration, which is not issued by Institutions
  • Requires Collaborative Organisations to manage and provide additional attributes and groups towards their services, independently from the Institutions

Market Analysis
• The FIM4R paper (April 2012) was one of the first to articulate collective requirements for using Federated AAI for VOs.
• The VOPaaS has performed a survey among several small and large Pan-European VOs to (re-)validate the requirements.

Market Analysis Results
http://www.geant.org/Projects/GEANT_Project_GN4-1/deliverables/D9-2_Market-Analysis-for-Virtual-Organisation-Platform-as-a-Service.pdf

GEANT CO Platform as a Service Project
• Goal
  • Investigate the conditions that would allow GÉANT to provide services to support Collaborative organisations
  • Focus on delivery of technical services
  • Out of scope:
    • Technical development
    • Policy & LOA development
• Activities
  • Gather requirements and priorities with/from communities
  • Look at existing tools and technologies
  • Look into delivery model
  • Investigate business case & sustainability
  • Pilot with communities
  • Operations and Market

eduTEAMS
A suite of services for using federated AAI for collaborations
Components
• eduTEAMS Membership Management service
• eduTEAMS Discovery Service
• eduTEAMS Identity Hub
Characteristics
• 2-monthly release cycle
• Supports AARC architecture
• Single- and multi-tenant options
Documentation, Cookbooks, Privacy Policy etc. available at https://wiki.geant.org/display/ED
Collaboration suite to enable use of federated identity in research communities
Partner for any e-Infra or Research Infra inc. “long tail”, informal groups

eduTEAMS - Pilots
Engaging with communities, eInfras and NRENs
Research communities and e-Infrastructures
• AARC2-as-VO (Pilot committed)
• LifeScience AAI (Pilot)
• Umbrella (Pilot committed)
• HPC-Europe (Pilot interest)
• EUDAT (Pilot committed)*
• EGI*
* as part of AARC2 interoperability activity
NRENs
• JISC (UK) – Moonshot Pathfinder project
• SURFnet (NL) – Science Collaboration Zone project
• WAYF (DK) – eduVPN
Collaboration use cases

Components – LEGO approach
Choose how much of the platform they want
• eduTEAMS Membership Management service
  • VO-specific workflows for onboarding members
  • Registry for VO persistent identifier
  • Limited set of attributes to maximise interoperability
  • Use of eduPersonEntitlement to carry richer info
  • Available through eduGAIN
• eduTEAMS Identity Hub
  • One persistent (SAML) IdP for many ‘Guest’ Identity Providers
  • Available and accessible through eduGAIN
  • Supports Research and Scholarship Entity Category
• Discovery Service
  • Service-based or embedded discovery for eduGAIN SPs
  • Allows per-SP filtering of IdPs
  • Allows per-entity-category filtering, e.g. R&S
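As an added example, not eduTEAMS code: the "richer info" carried in eduPersonEntitlement only helps a service if it parses the value and checks who asserted it. The Python below assumes the AARC group-entitlement layout `<namespace>:group:<group>[:<subgroup>...][:role=<role>]#<authority>` (the AARC-G002 convention; an assumption, since the slides do not state the format), and authorises only values whose trailing authority is the membership registry this service trusts, ignoring well-formed values from any other source. The namespace, authority and sample attribute values are constructed.

```python
"""Added illustration of group/role authorisation on eduPersonEntitlement
values. Not eduTEAMS code; assumes the AARC-G002 value layout and uses
constructed sample values."""


def parse_entitlement(value: str):
    """Split one eduPersonEntitlement value into namespace, group path, role
    and issuing authority. Returns None for values that are not group
    entitlements of the assumed form (e.g. urn:mace:dir:entitlement:...)."""
    if "#" not in value:
        return None
    body, authority = value.rsplit("#", 1)
    parts = body.split(":")
    if "group" not in parts or not authority:
        return None
    i = parts.index("group")
    path = parts[i + 1:]
    role = None
    if path and path[-1].startswith("role="):
        role = path[-1][len("role="):]
        path = path[:-1]
    if not path:
        return None
    return {
        "namespace": ":".join(parts[:i]),
        "path": path,            # group followed by any subgroups
        "role": role,
        "authority": authority,  # who vouches for this membership
    }


def is_authorised(entitlements, required_path, trusted_authority, required_role=None):
    """True if some value grants membership of required_path (or a subgroup
    of it), optionally with required_role, and was issued by the authority
    this service trusts. Values from other authorities never count, even
    when they name the right group."""
    for value in entitlements:
        ent = parse_entitlement(value)
        if ent is None or ent["authority"] != trusted_authority:
            continue
        if ent["path"][:len(required_path)] != required_path:
            continue
        if required_role is not None and ent["role"] != required_role:
            continue
        return True
    return False


# Constructed sample attribute values for one user (not real registry output)
TRUSTED_REGISTRY = "registry.example.org"
SAMPLE_ENTITLEMENTS = [
    "urn:mace:dir:entitlement:common-lib-terms",
    "urn:example:aai:group:climate-vo:data#registry.example.org",
    "urn:example:aai:group:climate-vo:admins:role=owner#registry.example.org",
    "urn:example:aai:group:climate-vo:data#rogue.example.net",
]

if __name__ == "__main__":
    print(is_authorised(SAMPLE_ENTITLEMENTS, ["climate-vo"], TRUSTED_REGISTRY))
    print(is_authorised(SAMPLE_ENTITLEMENTS, ["climate-vo", "admins"],
                        TRUSTED_REGISTRY, required_role="owner"))
    print(is_authorised(SAMPLE_ENTITLEMENTS, ["other-vo"], TRUSTED_REGISTRY))
```

The authority check is the part most often skipped: a proxy that passes through every eduPersonEntitlement it receives makes any upstream IdP able to mint group membership unless the consuming service pins the registry it trusts.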

eduTEAMS ecosystem
[Diagram: labelled components External IdP, IdP (AuthN: ID + attributes), SP (proxy), eduTEAMS Identity Hub, eduTEAMS Membership Management (COmanage) with SAML AA and REST AA]

eduTEAMS Membership Management Service (MMS)
Manage Roles and Rights
• Available through eduGAIN
• CoCo and R&S supported
• Strong focus on privacy and GDPR
• Part of AARC2 interop activity
• Technical and cookbooks: https://wiki.geant.org/display/ED/Membership+Management+Service
• Service: https://registry.eduTEAMS.org
NRENs
• JISC (Pilot committed)
  • Moonshot Pathfinder project
• SURFnet (Pilot committed)
  • Science Collaboration Zone project
• GARR (Pilot interest)
• SWITCH (Pilot interest)
  • SWITCH eduID
  • Swiss Personalised Health Network
  • Swiss Data Science Center
  • Swiss National Supercomputing Centre

eduTEAMS Discovery Service
• Component of eduTEAMS, but generically usable for eduGAIN SPs
• Based on proven service from CESNET
• Engaged in RA21 Pilot – Resource Access for the 21st Century (https://ra21.org)
  • Publishers, libraries and users
https://wiki.geant.org/display/ED/Discovery+Service

eduTEAMS Identity Hub
[Diagram: roadmap items Persistent ID, Account Recovery, LOA, marked Implemented / Future]
https://wiki.geant.org/display/ED/Identity+Hub

JISC eduTEAMS pilot
• Moonshot interaction with third-party AA systems
  • Investigate potential for Assent service
  • And also all kinds of scientific collaborations
• Combined access & authorization for web-based and non-web-based services

Moonshot and eduTEAMS
[Diagram: labelled components External IdP, IdP, eduTEAMS Identity Hub, eduTEAMS Membership Management (COmanage) with SAML AA providing groups & roles, web-based service, Moonshot, compute resource, storage resource]
Any questions?
Thank you

Editor's Notes

  • #15 Mesh federation to solve N^2 interactions sets up the introduction to MDQ. Interfederation caveat leads to UKf metadata checking: 45% of UKf metadata is imported; UKf is 40% of eduGAIN.
  • #16 Linear growth in number of SPs BUT complexity of metadata increasing, and churn of staff.
  • #17 V3 Shibboleth rewrite and moving to semantic versioning. V3.4 deprecations (later in 2018) with removals in v4.
    Shibboleth IdPs in UKf by version (date; Shib IdPs; v2; v3; assumed down; unclassified):
    2017-07-14; 488; 114; 205; 137; 32
    2018-03-14; 502; 65; 271; 133; 33
    ROBOT: did scans, worked with UKf members.
  • #18 The university is not just researchers, teachers and students; plenty of professional staff. New tools developed to manage metadata in git repo. SIRTFI – hopefully Rhys gonna talk about that, but this will set up MDQ: benefits and risks on UKf website. Also simpleSAMLphp security advisories in underlying library.
  • #19 TODO: stats for WAYF protocol using SPs. Alex presented at NWS42 (Exeter, 2014) saying “let’s get rid of SAML 1”; also phasing out PKIX, 900 SPs. Can talk about RA21 project and improving MDUI.
  • #38 AuthN: people not in eduGAIN. AuthZ: groups, attributes, in context of VO. Audit trail: who, when, by whom.
  • #39 Conducted Market Analysis including FIM4R paper. Interview VOs include AARC findings.
  • #41 Virtual Organisation Platform as a Service Project in GEANT: create and run a service to support Collaborative Organisations. Requirements from communities; use existing software; create a sustainable service; run the service.