
AAI @ TERENA

TF-EMC2, 15 Feb 2011. Dyonisius Visser, visser@terena.rg, www.terena.org

Presentation Transcript


  1. AAI @ TERENA TF-EMC2 15 feb 2011 Dyonisius Visser visser@terena.rg www.terena.org

  2. Where it all started
     • REFEDS Wiki
     • Dog food
     • MediaWiki + SimpleSAMLphpAuth
     • One SP
     • Accumulated ~ 20 bilateral IdPs <lastname@terena.org>

  3. Next SP comes along
     • TACAR
     • Will need to contact several IdPs again to exchange metadata
     • 3rd SP
     • 4th SP etc. etc.

  4. Too many IdP-SP combinations
     • Difficult to manage:

  5. New approach: proxy
     • Create one SP to connect as many IdPs as …
     • “Hide” all our other SPs behind that
     • SPs can all have one statically configured IdP
     • So no need to have a disco on each SP
     • External IdPs only do business with a single TERENA SP

  6. (Architecture diagram; labels only) LDAP, REFEDS wiki, SimpleSAMLphp Secretariat IdP, SimpleSAMLphp SP Proxy, TACAR, WordPress etc., CORE, Google, SimpleSAMLphp Bridge, OpenID, Yahoo, FileSender SP, IdP ???????, Twitter, LinkedIn, FaceBook, Confluence, Windows Live, My.terena.org, MySpace †, Event reg, Sympa, eduGAIN, 3 more federations, 15 more bilaterals…, Guest IdPs…, SURFfed, AAI@EduHR

  7. ?????? = Globally unique ID
     • Generate globally unique identifier for ALL users that could possibly come in
     • Pick first available attrname+value from:
       • eduPersonTargetedID
       • eduPersonPrincipalName
       • OpenID/Twitter/FB/MySpace/Windows Live/LinkedIn
     • Append !IdP
     • Result + demo: https://tnc2011.core.terena.org
     • (PG table)
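The slide-7 rule, written out as an added illustration in Python (not the TERENA SimpleSAMLphp proxy code). The two eduPerson names are the standard SAML attributes; the social-login attribute names are assumptions. Beyond the slide, it treats blank or multi-valued identifiers as unusable and returns nothing when an IdP sends no usable attribute, so the proxy can refuse the login rather than provision a shared or empty account.

```python
from typing import Mapping, Optional, Sequence, Tuple

# First usable attribute in this order wins (slide 7). The opaque, IdP-scoped
# eduPersonTargetedID is preferred; the social-login attribute names below
# are assumed, not taken from the presentation.
ID_ATTRIBUTE_PRIORITY: Sequence[str] = (
    "eduPersonTargetedID",
    "eduPersonPrincipalName",
    "openid.claimed_id",   # assumed name
    "twitter.id",          # assumed name
    "facebook.id",         # assumed name
    "myspace.id",          # assumed name
    "windowslive.id",      # assumed name
    "linkedin.id",         # assumed name
)

SEPARATOR = "!"  # slide 7: "Append !IdP"


def pick_identifier(attributes: Mapping[str, Sequence[str]]) -> Optional[Tuple[str, str]]:
    """Return (attribute name, value) of the first usable identifier, or None.

    Usable means present, non-blank and single-valued: a multi-valued
    identifier is ambiguous and is skipped rather than guessed at. A value
    containing the separator is skipped too, since "a!b!idp" could not be
    split back unambiguously.
    """
    for name in ID_ATTRIBUTE_PRIORITY:
        values = [v.strip() for v in attributes.get(name, ()) if v and v.strip()]
        if len(values) == 1 and SEPARATOR not in values[0]:
            return name, values[0]
    return None


def global_user_id(attributes: Mapping[str, Sequence[str]], idp_entity_id: str) -> Optional[str]:
    """Build '<value>!<IdP entityID>' so the same value at two IdPs stays distinct.

    Returns None when the IdP sent nothing usable (the innermost set of
    slide 10), so the caller can refuse the login instead of provisioning
    a shared or empty account.
    """
    if not idp_entity_id or SEPARATOR in idp_entity_id:
        raise ValueError("IdP entityID must be non-empty and must not contain '!'")
    picked = pick_identifier(attributes)
    if picked is None:
        return None
    return f"{picked[1]}{SEPARATOR}{idp_entity_id}"
```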

  8. Pre-login user provisioning
     • Invitation system (demo)

  9. To Do
     • Central user repository (LDAP/SQL)
     • Central group repository (DIY/Grouper/SURF/?)
     • Profile page to manage your data (SWITCH’s JavaScript side bar/?)
     • Account linking (Login4life, David?)
     • Consent dialog upon first login
     • -> Cherry pickin’ from community

  10. Automated IdP checks?
     • All configured IdPs
     • IdPs that have our metadata
     • IdPs that have our metadata and that send usable attrs

  11. Issues encountered
     • Changing your SP metadata at remote parties takes a long time
     • So don’t start with 1K keys
     • Non-federated users – guest accounts?
     • Too many guest options now
