Posted: 02-Jan-2016
AAF Middleware update
February 16, 2012
Presented by Terry Smith, Technical Manager, and Heath Marks, Manager
Federation Registry
Requirement
• Manages the federation's metadata
• Supports the AAF business model
Introduces the Organisation
• 0..n IdPs and 0..n SPs
• Admins and Contacts
• Involved in workflow
Builds on concepts from the SWITCHaai Resource Registry
An extensible, open source web application that provides a central point of registration, management and reporting for identity and service providers participating in a standards-compliant SAML 2 identity federation.
Federation Registry: Features
• Dashboard
• Access control
• Reporting / Compliance
• Workflow
• Integration
• Federated application
• Registration wizards
• Data validation
• Help bubbles
• Integrated with the AAF Support tool
• SAML 2
Federation Registry: Behind the scenes
• 1 man-year development effort
• 2 major code releases to date
• Groovy / Grails (Java) platform
• Extensible design
• Agile development
• Continuous integration testing and quality control
• Next release in Q2 2012
Federation Registry: Utilization Reporting
ARCS Data Fabric – January 2012
• Utilisation data recorded by AAF WAYFs and reported by the Federation Registry
Federation Registry: Federation Integration engine
The Federation Registry is the integration engine for AAF components, Identity Providers and Service Providers.
It is central to the successful ongoing operation of the Australian Access Federation.
Federation Registry: More Information
• AAF Wiki: http://wiki.aaf.edu.au/federationregistry/
• Try it, AAF Test Federation Registry: https://manager.test.aaf.edu.au/federationregistry
• Source code, issue tracking: https://github.com/ausaccessfed/federationregistrymaster
National Entitlements Service
Provides attributes that are beyond the scope of individual organisations to manage and maintain as part of Authn.
– A central source for entitlements
– Delegation and assignment of entitlements
– Self-assignment of entitlements
– A web portal
– A technical interface
The Solution must
• be cost effective
• have delivery aligned to Super Science initiatives
National Entitlements Service: Why NES
• In support of Australian Super Science initiatives such as
  – Research Data Storage Infrastructure (RDSI)
  – National eResearch Collaboration Tools and Resources (NeCTAR)
• Improved Authz
• User's home institution cannot easily provide the information
  – Not authoritative
  – Do not want the additional overhead
National Entitlements Service: The Feasibility Study (in peer review)
• Define the problem
• Analyse existing open source and commercial offerings
• Review international federation (SAML) practices
• Identify options to move forward
What interest is there in making the study public?
National Entitlements Service: The options
• Do nothing
• Purchase and integration of a vendor or open source solution
• Development of a custom solution by a software development partner
• Development of a custom solution by the AAF
National Entitlements Service: What it will look like...
A nationally operated attribute authority with a group management component and user interface providing
• delegated access
• approvals workflows
• user registration
Extension to the Federation Registry
National Entitlements Service: Timeframes
• Deliver in 2012, aligning with Super Science initiatives
• Rolled out progressively, 3 or 4 releases
• Agile development, collaborating with users
Other initiatives
A number of other initiatives are on the AAF drawing board
• Cloud IdP, a fully managed service for our subscribers
• Automated monitoring service
• Improved data collection and reporting of utilisation
• New discovery service
Other initiatives: Cloud IdP
A fully managed Identity Provider service for our subscribers
1. New AAF VHO
2. Partially hosted, for organisations with an Identity store
3. Fully hosted
Not currently resourced
Other initiatives: Automated monitoring service
ICINGA open source monitoring (NAGIOS variant)
• Federated authentication
• Simple dashboard showing the overall health of the federation
• Reporting and alerting to subscribers
Basic Monitors (March 2012)
• Ping
• Time Synchronisation
• SSL Certificate expiry
• Shibboleth Status, Basic and Advanced
• Basic port security check
Advanced Monitor (June 2012)
• End-to-end (RedIRIS monitoring tool)
Integrated with the Federation Registry
• Hosts and Services to monitor
• Hosts and services groups
• Contacts, people involved in the notification process
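The SSL certificate expiry monitor above, as an added example that is not the AAF's or Icinga's own code: one Nagios/Icinga-style check (exit codes 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN are the real plugin convention) evaluated offline against constructed notAfter strings in the format ssl.getpeercert() returns, plus a roll-up into the single federation-wide dashboard state the slide mentions. The hostnames, certificate dates, the 30/7-day thresholds and the severity ranking used for the roll-up are assumptions.

```python
"""Icinga/Nagios-style TLS certificate expiry check, evaluated offline.

A deployed check would obtain each certificate via ssl.SSLSocket.getpeercert();
here the 'notAfter' strings are constructed so the logic runs without network.
"""
import ssl

# Nagios plugin exit codes (a real convention); thresholds below are assumptions
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATUS_NAME = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}
DAY = 86400


def check_cert_expiry(host, not_after, now, warn_days=30, crit_days=7):
    """Return (exit_code, message) for one host's certificate.

    not_after: the 'notAfter' value as returned by getpeercert(),
               e.g. 'Jun  1 12:00:00 2012 GMT' (two spaces before a 1-digit day).
    now:       current time as POSIX seconds, passed in so the check is testable.
    """
    try:
        expires = ssl.cert_time_to_seconds(not_after)  # stdlib parser for that format
    except ValueError:
        return UNKNOWN, f"{host}: cannot parse notAfter {not_after!r}"
    days_left = (expires - now) / DAY
    if days_left < 0:
        return CRITICAL, f"{host}: certificate expired {-days_left:.1f} days ago"
    if days_left <= crit_days:
        return CRITICAL, f"{host}: certificate expires in {days_left:.1f} days"
    if days_left <= warn_days:
        return WARNING, f"{host}: certificate expires in {days_left:.1f} days"
    return OK, f"{host}: certificate valid for {days_left:.1f} more days"


# Severity ranking (an assumption) used to roll individual checks up into one state
SEVERITY = {OK: 0, UNKNOWN: 1, WARNING: 2, CRITICAL: 3}


def federation_health(results):
    """Overall dashboard state: the worst individual state wins.

    Returns (worst_exit_code, list_of_non_OK_messages).
    """
    worst = max((code for code, _ in results), key=SEVERITY.__getitem__, default=OK)
    return worst, [msg for code, msg in results if code != OK]


# Constructed sample: hypothetical hosts and certificate dates, "now" fixed at 1 March 2012
NOW = ssl.cert_time_to_seconds("Mar  1 00:00:00 2012 GMT")
SAMPLE = [
    ("idp.example.edu.au", "Jun  1 00:00:00 2012 GMT"),  # 92 days left -> OK
    ("sp1.example.edu.au", "Mar 20 00:00:00 2012 GMT"),  # 19 days left -> WARNING
    ("sp2.example.edu.au", "Mar  5 00:00:00 2012 GMT"),  # 4 days left -> CRITICAL
    ("sp3.example.edu.au", "Feb 20 00:00:00 2012 GMT"),  # expired 10 days ago -> CRITICAL
    ("sp4.example.edu.au", "not a date"),                # unparseable -> UNKNOWN
]

if __name__ == "__main__":
    results = [check_cert_expiry(h, d, NOW) for h, d in SAMPLE]
    for code, msg in results:
        print(STATUS_NAME[code], msg)
    overall, problems = federation_health(results)
    print("Federation:", STATUS_NAME[overall], f"({len(problems)} problem(s))")
```

Passing `now` in rather than reading the clock inside the check is what makes the thresholds testable; it also keeps an expired certificate and a certificate about to expire on the same CRITICAL path, which is what a subscriber alert needs.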
Other initiatives: Improved data collection and reporting of utilisation
Currently usage data is collected from WAYFs
• Leads to some data loss
• Does not distinguish between successful and failed access
Investigate improvements through capturing sanitised logs from IdPs
• See all the traffic that bypasses the WAYF
• Identify hidden services – bilateral agreements become obvious
• Can count successful authentications
• Can assist in identifying brute force attacks
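What the sanitised-IdP-log approach above buys over WAYF counting, as an added example that is not the AAF's or Shibboleth's code: it counts successful and failed authentications per SP, lists SPs that appear at an IdP but are unknown to the WAYF (the "hidden" bilateral services), and flags client tokens with a burst of failures as brute-force candidates for the operator to review. The log format is a constructed assumption (not the Shibboleth IdP audit format): one pipe-delimited line per event, with the client address replaced by a keyed-hash token and no principal names, so nothing identifying leaves the institution. The entity IDs, the sample lines and the 5-failures-in-60-seconds rule are likewise constructed.

```python
"""Utilisation and abuse reporting from sanitised IdP logs (constructed format).

Each line (an assumption, not the Shibboleth audit format) is
    <ISO-8601 UTC time>|<idp entityID>|<sp entityID>|<SUCCESS|FAIL>|<client token>
where <client token> is a keyed hash of the client address made by the IdP
before export, so raw IPs and principal names never reach the federation.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log: one IdP sees a burst of failures from token c9, one SP
# (sp.bilateral) is served by bilateral agreement and never passes the WAYF.
SAMPLE_LOG = """\
2012-02-16T09:00:01Z|https://idp.uni-a.example|https://sp.rdsi.example|SUCCESS|c1
2012-02-16T09:00:05Z|https://idp.uni-a.example|https://sp.nectar.example|SUCCESS|c2
2012-02-16T09:00:09Z|https://idp.uni-b.example|https://sp.rdsi.example|SUCCESS|c3
2012-02-16T09:00:12Z|https://idp.uni-a.example|https://sp.bilateral.example|SUCCESS|c4
2012-02-16T09:01:00Z|https://idp.uni-a.example|https://sp.rdsi.example|FAIL|c9
2012-02-16T09:01:02Z|https://idp.uni-a.example|https://sp.rdsi.example|FAIL|c9
2012-02-16T09:01:04Z|https://idp.uni-a.example|https://sp.rdsi.example|FAIL|c9
2012-02-16T09:01:06Z|https://idp.uni-a.example|https://sp.rdsi.example|FAIL|c9
2012-02-16T09:01:08Z|https://idp.uni-a.example|https://sp.rdsi.example|FAIL|c9
2012-02-16T09:30:00Z|https://idp.uni-b.example|https://sp.nectar.example|FAIL|c3
2012-02-16T09:30:20Z|https://idp.uni-b.example|https://sp.nectar.example|SUCCESS|c3
this line is malformed and is skipped
"""

# Constructed: SPs the WAYF knows about; anything else seen at an IdP is "hidden"
WAYF_KNOWN_SPS = {"https://sp.rdsi.example", "https://sp.nectar.example"}


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, idp, sp, result, client = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    if result not in ("SUCCESS", "FAIL"):
        return None
    return {"t": when.timestamp(), "idp": idp, "sp": sp,
            "ok": result == "SUCCESS", "client": client}


def parse_log(text):
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def utilisation_report(events, known_sps):
    """Successful and failed authentications per SP, plus SPs the WAYF never saw."""
    success = Counter(ev["sp"] for ev in events if ev["ok"])
    failure = Counter(ev["sp"] for ev in events if not ev["ok"])
    hidden = sorted({ev["sp"] for ev in events} - known_sps)
    return {"success": dict(success), "failure": dict(failure), "hidden_sps": hidden}


def brute_force_candidates(events, window_s=60, threshold=5):
    """Client tokens with >= threshold failures inside any window_s-second window.

    Returns {client_token: POSIX time the burst started}. Sliding window per token.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["ok"]:
            continue
        q = recent[ev["client"]]
        q.append(ev["t"])
        while q and ev["t"] - q[0] > window_s:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["client"] not in flagged:
            flagged[ev["client"]] = q[0]
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    report = utilisation_report(events, WAYF_KNOWN_SPS)
    print("successful authentications per SP:", report["success"])
    print("failed authentications per SP:    ", report["failure"])
    print("SPs not known to the WAYF:        ", report["hidden_sps"])
    for token, started in brute_force_candidates(events).items():
        print(f"brute-force candidate: token {token}, burst began at "
              f"{datetime.fromtimestamp(started, timezone.utc).isoformat()}")
```

Because the detection keys on the hashed client token rather than on a principal, the federation can see the burst without learning who was targeted; the IdP operator, who holds the key, can resolve the token locally when following up.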
Other initiatives: New discovery service
Currently utilising the SWITCHaai WAYF
Federation Registry
• Extend to populate MDUI elements into the metadata
Investigate
• what options are available for the Discovery Service
• Multi-tiered Discovery Service
  – General access
  – Higher LOA