
Towards a Federation as a Service

Towards a Federation as a Service. From IdP in the Cloud project to FaaS. Agenda. What is an Identity Federation. An Identity Federation is a collection of organizations that agree to interoperate under a certain rule to manage user identities.


Presentation Transcript


  1. Towards a Federation as a Service: from the IdP in the Cloud project to FaaS. Andrea Biancini

  2. Agenda

  3. What is an Identity Federation
   • An Identity Federation is a collection of organizations that agree to interoperate under a common set of rules to manage user identities.
   • Within a Federation, different organizations cooperate in managing identities by taking care of their own users and services.
   • The Federation builds a global trust between the different organizations.

  4. What needs to be done to operate a Federation
   • Participants have to:
     • Define procedures to create and manage an IdP;
     • Define procedures to create and manage an SP.
   • Federation managers have to:
     • Register an entity (IdP or SP) in the Federation;
     • Validate metadata information against Federation policies;
     • Perform all security controls and sign the metadata;
     • Guide the participants in the implementation of an Identity Management policy;
     • Sign and distribute the Metadata;
     • Provide accessory services (like information pages or a Discovery Service).

  5. What we learnt from our communities
   • From a participant’s point of view, the most complex task is creating and managing an IdP.
   • In this activity, in fact, the participant has to:
     • Manage a lot of different technologies (Shibboleth, Tomcat, LDAP, security on the server, …);
     • Constantly monitor and update the technical infrastructure (for security and quality of service);
     • Manage privacy and identity management policies;
     • Manage users and passwords.
   • Many entities do not have enough skills or resources to manage them all!

  6. The answer to this problem!
   • To tackle this problem, GARR started the “IdP in the cloud” service.
   • Goal: offering IdPs as a service on a cloud infrastructure!
   • This service takes the greater part of the job away from Federation participants:
     • All technological aspects are managed by GARR on behalf of the participating entity (including monitoring and updates);
     • Compliance with regulation and Federation policy is delegated to GARR;
     • The participating entity “only” has to manage users and passwords.

  7. How we did this: the infrastructure (diagram labels)
   • Service VMs: Nagios, Splunk, Collectd; DNS; Puppet Master
   • IdP VMs go here: a single VM flavor, public IPs
   • OpenStack (instances, images & data); GlusterFS
   • 2 sites, 12 servers

  8. How we did this: automatization
   • A Puppet recipe describes the features of the “IdP in the cloud” VM => IdP in the Cloud: openLDAP, web interfaces
   • Base VM: 2 vCPU, 4 GB RAM, 20 GB disk, Ubuntu 12.04 + Puppet Agent

  9. Key benefits of IdP in the cloud

  10. Project results
   • With this approach the Identity Federation is spreading into new communities:
     • Institutions in biomedical research with small IT teams;
     • Cultural heritage institutions.
   • From request to Federated IdP in a few days (including administrative tasks), with no technical effort from the requestor!
   • Possibility to manage all these systems with limited human resources (~10 IdPs, < 0.5 FTE).

  11. Extending this approach
   • We are extending this approach (used for IdP in the Cloud) from participants to Federation managers!
   • We plan to provide a Federation «appliance» (provisioned on a Cloud) with all the required technological components to implement a fully functional Federation.

  12. Identifying the key processes
   • As said, the main processes a Federation manager has to implement are:
     • Registering an entity (IdP or SP) in the Federation;
     • Signing and distributing the Metadata;
     • Providing accessory services (like information pages or a Discovery Service).
   • Among them, we have found that the most complex to implement is the first. In fact:
     • it requires human and technical validation;
     • it is the process that creates the trust;
     • entities are what the users see of the Federation!

  13. Registering an entity in the Federation

  14. Supporting the process
   • To support and standardize the process, we implemented a workflow for entity registration.
   • This flow spans two integrated tools:
     • Resource Registry: validates metadata information (and spreads awareness);
     • Metadata Aggregator: verifies all the security aspects bound to certificates and signs the metadata for distribution to the Federation (and inter-federations).
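As an added illustration of the validation step in this workflow (example code, not GARR's Resource Registry or Metadata Aggregator), the following Python runs a few typical federation policy checks over an IdP's SAML metadata before it is passed on for signing: entityID scheme and organization domain, metadata expiry, presence of a base64-decodable signing certificate, and TLS on every endpoint. The metadata sample, the list of checks and the `org_domain` parameter are constructed for this example.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample registration: a well-formed IdP whose SSO endpoint is plain http (placeholder certificate, not a real X.509)
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2099-01-01T00:00:00Z"
  entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIBkTCB+w==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="http://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_entity(xml_text, org_domain):
    """Run the registration policy checks; an empty list means the entity may go on to signing."""
    findings = []
    root = ET.fromstring(xml_text)
    url = urlparse(root.get("entityID", ""))
    host = url.hostname or ""
    if url.scheme != "https":
        findings.append("entityID must be an https URL")
    if host != org_domain and not host.endswith("." + org_domain):
        findings.append("entityID host is outside the registered organization domain")
    # validUntil is optional; when present the metadata must not already be expired
    expiry = datetime.strptime(root.get("validUntil", "9999-12-31T23:59:59Z"), "%Y-%m-%dT%H:%M:%SZ")
    if expiry.replace(tzinfo=timezone.utc) <= datetime.now(timezone.utc):
        findings.append("metadata validUntil is already in the past")
    role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        return findings + ["no IDPSSODescriptor role found"]
    certs = [c.text or "" for c in role.findall(".//ds:X509Certificate", NS)]
    if not certs:
        findings.append("no X509Certificate in any KeyDescriptor")
    for cert in certs:
        try:  # the aggregator would go on to parse the certificate and check its validity period
            base64.b64decode("".join(cert.split()), validate=True)
        except (binascii.Error, ValueError):
            findings.append("X509Certificate is not valid base64")
    for element in role.iter():  # every endpoint Location must be served over TLS
        location = element.get("Location")
        if location and urlparse(location).scheme != "https":
            findings.append(element.tag.split("}")[-1] + " endpoint is not https: " + location)
    return findings
```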

  15. The scenario

  16. Technology to be developed
   • To provision the Federation «appliance», new Puppet recipes are being developed to automate the installation of the software components.
   • With these developments, the IdP in the cloud schema will be extended to permit the provisioning of a complete Federation as a service on a Cloud infrastructure.

  17. Expected goals
   • With this «appliance» we plan to standardize and support Federation operations.
   • By consuming this FaaS service, it will be possible to:
     • Start the operation of a new Federation rapidly, by almost eliminating the technological step-in;
     • Leverage experiences and best practices to operate a Federation effectively, even starting with little or no prior experience.

  18. ELCIRA: adopting Federations
   • ELCIRA will support the adoption of Identity Federations in Latin America.
   • But, as we have seen, deploying Federations is hard!
     • Technology needs to be installed and managed;
     • Processes, steps and attribution of responsibility have to be implemented.
   • ELCIRA will borrow GARR’s experience in automating component installation in a cloud and in operating a Federation.

  19. ELCIRA: supporting IdP installation
   • We will leverage GARR’s experience and solutions, developed during the IdP in the Cloud project, to grow IdP diffusion within new or existing Federations.
   • This will permit NRENs to:
     • Guarantee compliance with qualitative standards for new IdPs in the Federation;
     • Give the opportunity to enter production rapidly with a Federation entity!

  20. ELCIRA: how to sustain new Federations?
   • GARR also provides support in sustaining the birth of new Federations by:
     • Sharing best practices for the key processes;
     • Sharing lessons learnt, dos and don’ts;
     • Providing technical solutions, such as the “federation appliance” described earlier.

  21. Thanks! Q&A

  22. IdP in the Cloud Showcase

  23. What IdP in the Cloud is
   • First cloud service from GARR.
   • The service goal: make the deployment and management of identity providers easy, by minimizing the activities and the complexity for home organizations.
   • IdP as a Service (PaaS) + IdM as a Service (SaaS) => IdP in the Cloud
   • Benefits:
     • Dedicated virtual appliance
     • Updates and customization
     • Federation policy compliance
     • Cloud advantages

  24. Getting an IdP in the cloud
   • The requestor is tutored in preparing the documents requested by GARR and the IDEM Federation.
   • A ready-to-use dedicated IdP VM to access federated services.
   • The requestor is tutored in managing user identities.
   • The service creates a new IdP, taking care of:
     • Tools installation and configuration;
     • Pre-production assessment;
     • Federation policies.

  25. The request document
   • A very simple document produced by the requesting organization, with the following information (used to customize the IdP and its Metadata):
     • Organization name
     • Organization internet domain
     • IdP name (or EntityID)
     • Description of the service
     • Organization public web site URL
     • Organization privacy policy page URL
     • IdP informative web page URL (shown to users)
     • Organization logo images
     • Technical contact mailing list

  26. Provisioning the VM
   • Live demo!
   • A new configuration for the IdP will be installed on the Puppet agent (with the support of two ad-hoc scripts).
   • Puppet will take care of all the rest!

  27. Puppet
   • Open source framework able to automate repetitive system administration tasks.
   • Automates the provisioning and configuration of IT servers.

  28. Basic principles of Puppet

  29. IdP in the cloud: user perspective
   • User interfaces:
     • Custom IdP login page
     • IdM interface
     • Access log analysis tools
   • We are evaluating Perun, a tool that could replace phpLDAPadmin. More information here: http://perun.cesnet.cz.

  30. That’s all folks! Q&A
