Identity federations play a pivotal role in facilitating easier collaboration and sharing of services around the globe. While the protocols, technology, and best practices of federations and their services are reasonably mature, the adoption and installation of needed tools and services to participate with them can be significantly improved.
A digital divide appears to have developed and is growing between those who are participating and those who want to, but feel they cannot. Pinpointing why this divide exists and how to close the gap is a source of debate but some simple statements can be made:
● Reducing the time to deploy services will help relieve pressure on time and resources for all
● Easier deployment of local components benefits both new participants grappling with the technology adoption curve and existing participants by growing the community
● Embedding best practices and core principles of security and service operation helps new participants avoid re-inventing the wheel and helps maintain overall quality for the whole community
Attempting to address this divide has been the work of a number of federation operators and NRENs, each at a different stage of their plans. This presentation will explore and discuss the various approaches that the NREN community has undertaken and contrast them with the approach that SUNET's SWAMID and CANARIE's CAF created collaboratively. A key component of the approach is to streamline software deployments to support eduroam federated 802.1X authentication using FreeRADIUS and SAML2 federation services using Shibboleth software on a single VM instance. While each service on its own may have been deployed this way in the past, combining them in a federation-aware context and simplifying the overall experience is relatively new, and doing so revealed a great deal of overlap and efficiencies that could be gained.
The presentation will discuss the various collaboration and decision challenges encountered with implementers in two different federations on two different continents, with an eye to other federations' needs. The implementers feel that their design decisions have led to an implementation that can be extended to other federations; this will also be explored and discussed. Time permitting, a demonstration of the solution deployment process will be shown.
1. www.canarie.ca | www.swamid.se
Presenters:
Chris Phillips – CANARIE, Canada
Anders Lördal – SWAMID, Sweden
Think Globally, Act Locally: Simplifying Federated Technologies
May 18, 2014 | TNC2014 | Dublin, Ireland
About CAF & SWAMID
Size of community
  CAF: 89 universities, ~120 colleges
  SWAMID: 52 institutions
Size of federation
  CAF: 103 (SAML IdP: 24 Shib, 1 SSPHP; 33 SPs; eduroam: 78 IdPs, 78+ campuses)
  SWAMID: 333 (SAML IdP: 45 Shib, 1 SSPHP, 4 ADFS, 1 pysaml; 278 SPs; eduroam: 39 IdPs, 773 locations)
Coverage
  CAF: >48%
  SWAMID: >98%
Participate in eduGAIN?
  CAF: ✔
  SWAMID: ✔
Challenge
  CAF: Uptake parity between eduroam & SAML, related to time and skills
  SWAMID: Participants' ability to remain current & maintain skills
Shib = Shibboleth, SSPHP = SimpleSAMLphp
• Even at different stages and coverage, we encounter similar challenges
• Opportunity to collaborate & leverage each other's investments
Response to the challenge
• Evolved approach to better match campus IT reality
• Reduced cost/effort to implement & support
• Simplifies the installation experience
Photo: http://www.flickr.com/photos/madison_guy/3386919046/sizes/o/in/photostream/ (Madison Guy)
Classic approach: Choose RADIUS server → Install & configure → Test & connect
IdP Installer approach: Preferred server installed → Pre-configured → Tested
Classic approach: Choose platform → Install & configure → Test & connect
IdP Installer approach: Preferred platform installed → Pre-configured → Tested
Presenter: Chris Phillips
Origin of the collaborative work
• We both came to the table with something:
  • SWAMID: original SAML installer & was refactoring
  • CAF adopted the paradigm for eduroam automation work
• Critical piece → bootstrapped collaboration with a ½-day in-person session identifying key principles & mechanics
Core Principle: Simple as possible, complex as needed
Photo: https://www.flickr.com/photos/75905404@N00/7126146307 (OZinOH)
Principle Drives Design
• It's not just the tool, but the techniques applied in the tool:
  • Highly extensible: be federation aware, be tech agnostic
  • Internalize complexity to simplify the end user's experience
  • Internationalize by default instead of retrofitting
  • Embody best practices to avoid errors in implementations
The Results – The IDP Installer
• What is it?
  – Installation script with HTML configuration to image a blank VM
• What does it do?
  – Auto installs and configures IdP server components
  – Configures the entire system, not just the software
  – Supports eduroam and Shibboleth
• Benefits
  – Fewer steps
  – Hides technical complexity from the user
Software stack on the VM:
  Shibboleth Identity Provider (2.4.0)
  freeRADIUS (2.1.12)
  Apache Tomcat (6.0)
  Java (OpenJDK 1.7)
  Operating System (CentOS 6.4+ or Ubuntu 12.04)
Installation Improvements
Outcomes
• Install effort reduced from 2 discrete projects to 1 on the participant site
• Automated configuration reduces installation complexity and editing needs
• Speeds up installation
• Reduces errors
Installation Overview
Plan & prepare installation
  • Review system requirements to prepare your environment.
  • Prepare your network.
  • Prepare your environment (settings for directory, certificates, etc.).
  • Review and choose a preferred deployment approach.
  • Review your federation-specific post-install steps.
Do installation
  • Create a configuration from your federation's configuration builder.
  • Save the configuration as 'config' in this directory on your server.
  • Run the script ./deploy_idp.sh
  • Answer any inline questions (password creation for keystores).
Post-installation tailoring
  • Based on items previously identified, finalize the installation.
  • Identify steps that need to be repeated in production.
  • Local acceptance testing.
  • Contact FedOp to complete registration.
[1] From installer document in distribution: https://collaboration.canarie.ca/elgg/groups/profile/847/idp-installer
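As an added example (not part of the IdP Installer distribution), a small bash pre-flight script that checks what the steps above ask the deployer to have in place before running ./deploy_idp.sh: that the platform is one the installer supports, and that the saved 'config' file exists, is readable only by its owner (it carries directory and certificate settings), and contains the keys the site needs. The KEY=VALUE config format and the key names IDP_HOSTNAME, LDAP_BIND_DN and FED_NAME are assumptions for illustration, not the installer's actual format.

```shell
#!/usr/bin/env bash
# Pre-flight checks before running ./deploy_idp.sh. Added example, not part of the
# IdP Installer project. Assumes 'config' is a KEY=VALUE file; the key names
# IDP_HOSTNAME, LDAP_BIND_DN and FED_NAME are hypothetical placeholders.

# Return 0 when the OS description names a platform the slides list as
# supported: CentOS 6.4 or a later 6.x release, or Ubuntu 12.04.
supported_os() {
  case "$1" in
    *CentOS*" 6."[4-9]*)      return 0 ;;
    *CentOS*" 6."[1-9][0-9]*) return 0 ;;
    *Ubuntu*" 12.04"*)        return 0 ;;
    *)                        return 1 ;;
  esac
}

# Return 0 when the config is readable by its owner only (no group/other bits).
# It holds directory bind and certificate settings, so mode 0600 is the target.
config_perms_ok() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Return 0 when every key named after the file path appears as a 'KEY=' line.
config_has_keys() {
  local file="$1" key; shift
  for key in "$@"; do
    grep -q "^${key}=" "$file" || { echo "config: missing $key" >&2; return 1; }
  done
}

# Run all checks; $1 is the OS description (e.g. from /etc/redhat-release),
# $2 the path to the saved config. Non-zero means: do not start the installer.
preflight() {
  supported_os "$1" || { echo "unsupported platform: $1" >&2; return 1; }
  [ -f "$2" ] || { echo "no config file at $2" >&2; return 1; }
  config_perms_ok "$2" || { echo "$2 is group/world readable; chmod 600 it" >&2; return 1; }
  config_has_keys "$2" IDP_HOSTNAME LDAP_BIND_DN FED_NAME
}

# Demonstration on a constructed config (hypothetical keys, not a real site).
demo_cfg=$(mktemp)
printf 'IDP_HOSTNAME=idp.example.org\nLDAP_BIND_DN=cn=idp,dc=example,dc=org\nFED_NAME=CAF\n' > "$demo_cfg"
chmod 600 "$demo_cfg"
preflight "CentOS release 6.5 (Final)" "$demo_cfg" && echo "preflight OK: run ./deploy_idp.sh"
rm -f "$demo_cfg"
```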
Contrasting Implementation Styles
Model: Centralized / Command & Control
  Benefits:
  • Centralized control
  • Remote management capabilities
  Drawbacks:
  • Complexity is high for the backend
  • Not easily hosted locally
  • May not meet needs for hands-off remote operation
  Example: GAAR
Model: Download VM preconfigured
  Benefits:
  • Quick, good degree of consistency
  • Reliable troubleshooting
  Drawbacks:
  • Large binary distribution (is it necessary?)
  • Expectation of responsibility for patching
  • VM may not have all components & site wants access to root
  • Hard to scale variants
  • Cost of maintaining is unwieldy
  Example: Eduroam in a box VM
Model: Installer tool (implemented)
  Benefits:
  • Pre-existing code base
  • Least complexity
  • Smallest footprint
  • Knowledge readily available
  • Interface translation friendly
  Drawbacks:
  • Keeping current with dependencies takes effort
  • Testing complexity is higher
  Examples: SWAMID original installer; DevOps tools
Contrasting Implementation Techniques
Technique: Puppet/Chef based
  Benefits:
  • In production
  • Scales nationally
  • Command and control with Puppet
  Drawbacks:
  • Command and control required; some rigidity dilutes autonomy of sites
Technique: Ansible based
  Benefits:
  • Able to get support
  • DevOps friendly
  Drawbacks:
  • Not a broad skill set in the target community
Technique: Various languages (Java, Perl, Expect)
  Benefits:
  • Various reasons (choose your favorite)
  Drawbacks:
  • Skill set hit and miss in the field
Technique: Existing investment in bash for the installer; configuration in standalone HTML + JavaScript
  Benefits:
  • Ubiquitous: available inherently in the system shell
  • Maintainable
  • As sophisticated or as primitive as you would like to use
  • Easily tweaked, because we know it will be
  • Internationalization (i18n) friendly
  Drawbacks:
  • It's bash & there's a bit of baggage with that
  • HTML interface for cross-browser compatibility
Usage & Feedback
Status to respective community
  CAF:
  • Available as 'Beta'
  • Awaiting feedback from a handful of sites so we may transition to 'General Availability'
  SWAMID: Widely available for sites to use and test
Community feedback
  CAF: Positive. One pilot site found deploying eduroam easier and is transitioning to eduroam as the only campus SSID for Fall 2014.
  SWAMID: Positive. At least four sites running, one with an active/standby configuration.
Collaboration – Managing Change
• GitHub public repository used
  • https://github.com/idp-installer-manager
  • Core codebase in the 'idp-installer-global' repo
  • To use, you are strongly encouraged to fork your own 'idp-installer-<Fed'n_name>'
• Loosely couples code management
  • Enables isolation for feature development
  • (push) to global for review & promote to the community
  • Other forks can retrieve (pull) from global at their own pace, as quickly or as slowly as needed
Forks of idp-installer-global: idp-installer-CAF, idp-installer-SWAMID, idp-installer-YOUR_FED_HERE
You're Invited!
• Code base in use at CAF and SWAMID.
• Clone one of ours now to try it out (http://bit.ly/caf-idp / http://bit.ly/swamid-idp)
• Want your own? Come talk with us or fork your own from: http://bit.ly/global-idp
Photo: http://www.flickr.com/photos/shutter/105497713/sizes/l/in/photostream/ (Chris Owens)
Thank you!
Contact:
Chris Phillips – Chris.Phillips@canarie.ca
Anders Lördal – Anders.lordal@hig.se
Chris & Anders in the hotel lobby, IdP Installer hack-a-thon in San Francisco, Nov '13, Identity Week.
Photo by Nicole Harris