Europe Latin America Collaborative e Infrastructure for Research Activities‑

A Model for Federated Services

Brook Schofield, TERENA ● Sofia, Bulgaria ● 20th June 2014

A family of services

Worldwide eduroam status…

eduroam in productioneduroam pilot Missing eduroam

Overview

Partners• CLARA, GARR, RNP, TERENA, RedIRIS

Focus:

– Promoting and consolidating the foundations for creating a framework for authentication and authorization in Latin America, and facilitate the integration with the European initiatives under TERENA activities such as TF-EMC2 and REFEDS, and will make the necessary arrangements to join the GÉANT service eduGAIN

eduroam in Latin America

Before the Project1 production deployments

– Brazil, Peru

Zero pilot deployments

eduroam in Latin America

Year 1 of the Project3 production deployments

– Brazil, Peru, Chile

9 pilot deployments– Argentina, Colombia,

Costa Rica, Ecuador, El Salvador, Mexico, Nicaragua, Uruguay, Venezuela

eduroam in Latin America

Current progress…8 production deployments

– Argentina, Brazil, Chile, Colombia, Costa Rica, Ecuador, Mexico, Peru

4 pilot deployments– El Salvador, Nicaragua,

Uruguay, Venezuela6 Missing

– Bolivia, Guatemala, Honduras, Panama, Paraguay, Guyana

eduroam statement signed

Federation Development

Campus• Username/Password Store for AuthN

IdP• Expose Campus IdM via SAML/RADIUS

Federation• Aggregates IdPs & SPs; Builds Trust

Inter-Federation

• Aggregates Federations

Key steps

• eduroam at TICAL 2012– Regional Conference, Assess who has eduroam

and who uses it– Repeat at TICAL 2013 and TICAL 2014

• Offer services via federated access/eduGAIN– FileSender, Video Conference Portal,

RedCLARA Portal• Collaboration with GÉANT

Federation Development Criteria

Pilot• Name, Webpage, Metadata Feed

Production• Policy for IdPs & SPs

Candidate• Metadata Registration Practice Statement

eduGAIN• Declaration Signed, Metadata Feed Validated

Identity Federations and Latin America

Year 1• eduGAIN Participant

– Brazil (CAFe)• eduGAIN Candidate

– Chile (COFRe)• Pilot Federation

– Peru• MoU Federations

– Argentina, Colombia, Costa Rica, Mexico eduGAIN Member

Joining eduGAINCandidate FederationPilot FederationMoU Signed

Worldwide eduGAIN status…

CAFeCOFRe

eduGAIN MemberJoining eduGAINCandidate FederationPilot FederationMoU Signed

Identity Federations and Latin America

Current• eduGAIN Participant

– Brazil (CAFe)– Chile (COFRe)

• eduGAIN Candidate– Colombia (COLFIRE)

• Pilot/MoU Federations– Argentina, Costa Rica,

Ecuador, Mexico, PerueduGAIN MemberJoining eduGAINCandidate FederationPilot FederationMoU Signed with ELCIRA

Problems and Concerns

• Policy often more difficult then technical issues - Chile was 1st world wide to adopt Policy Template from GÉANT/REFEDS;

• Different models of sustainability in the NRENs in Latin America;

• Few technical people involved in the project;• NREN commitment/focus in setting up

eduroam infrastructure ahead of AAI.

* MATE (Argentina)

• MATE run by INNOVA|REDMarco para el Acceso a la Tecnología y la Educación (MATE)Model for Access to Technology and Education (MATE)

• Started operation in late 2013• Joined eduGAIN in early-2014 ;-)

• *This is NOT their logo (nor their name)!!

What to focus on?

• Federating your campus systems– Talk to your researchers, staff & students

• Investigate key services– Intranet and Website– Webmail

• Google Apps for Education, Microsoft 365– e-Learning – Moodle– Talk to your librarian about Journal Access– Find your own “killer app”.

• simpleSAMLphp– PHP– Multi-lingual support

• Shibboleth– IdP is Java, SP is C/mod_shib– Runs within Apache Tomcat

• PySAML2 – Python

• Many plug-ins or modules available for common tools.• Benefits are greater than using LDAP.

More that one choice is good…

Federation Development

Technology

Policy

Federation Development

Technology== Pilot

Policy==Production

Federation Development

Technology=>Campus

Policy=>NREN

Technology == Pilot

• Federation Core Services– “Routing”– Discovery

• Federation “Entities” (IdPs/SPs)– Shibboleth– simpleSAMLphp– PySAML– ADFS

Technology == Pilot

• NREN as Federation Operator– “Routing”– Discovery

• Campus, Content Providers, Research Infrastructures– Shibboleth– simpleSAMLphp– PySAML– ADFS

What to NOT focus on?

• Policy over business case/justification– What’s important for your campus’

• Waiting until …– your federation in “production” or in eduGAIN– …a “killer app” is found.

• “Other” or Future Federation Technologies– OpenID Connect + OAuth are being explored.– Hub&Spoke gateways already exist.

Identity FederationsWorld Wide

31 Production Federations

17 Pilot FederationsLast update May 2014

eduroam – roam across borders

26insert logo

eduroamPilot:-(

eduGAIN & Federations

24 eduGAIN Members 7 Joining eduGAIN

0 Candidate Federation16 Other Federations

15 April 2014

Next steps…

• Deploy eduroam Use it at TICAL2015• Pick a campus federation technology &

Deploy an IdP– PySAML2, simpleSAMLphp, Shibboleth– FreeRADIUS, Microsoft NPS, other…

• Connect with your NREN/Fed Operator• Connect with the community

– Country, EAP/CEENet, Europe and Globally• Federate your services

<!—Comments & Questions

-->Brook Schofield

schofield@terena.org