
Aligning Federation Capabilities Globally
May 30, 2017 | TNC 2017, Linz, Austria
Chris Phillips, CANARIE | Nick Roy, InCommon | Rhys Smith, UK Access Management Federation
canarie.ca | @canarie_inc
incommon.org | @InCommonUS
jisc.ac.uk | @jisc
Overview
> Explore influencing factors
> Methodology applied
> Current areas of focus
> Discussion
Virtuous Design Cycle
Size matters . . .
But maybe not in the way you think it does!
[Chart residue: eduGAIN, 1563 SPs, 18%, 60%]
Federation Size Influence
• Smaller federations can be more nimble and react/pivot/act faster
• Larger federations:
  • First-mover advantage means many services reside in the two largest federations.
  • Impact: changes applied here first have more impact
*Bubble area represents total size of federation
It’s our differences that provide balance.
Our size is not as important as
the size of work we want to do.
Dividing Work into Buckets
• Operations
• Outreach and documentation
• Creation or introduction of tools and/or features
http://www.flickr.com/photos/linneberg/4481309196/sizes/l/in/photostream/
Characterizing the Work
Collaboration goal: drive activity up and to the left.
Inter-Federation Drives You To Convergence
[Chart axes: High Impact; Fit to Environment; Ability to Execute]
How Does This Relate to REFEDS’ Work Plan?
Women’s 8s 2000m: 5:54 (2013)
Women’s 4s 2000m: 6:14 (2014)
Dragonboat 2000m: 10:07 (2016)
> It’s not one or the other, it’s both – we’re in the same race together.
> Crossing the finish line is a result of many things, not just one.
> Number & composition of collaboration partners is key to pulling together in the same direction.
> Just because you have more people in the boat with you doesn’t mean you go twice as fast.
Deploying MetaData Query (MDQ)
Metadata aggregates are too large; signed per-entity metadata relieves the problem.
Solution definition
InCommon WG, with other collaborators, producing a comprehensive recommendation/report
Implementation
Piloted by UKFed first; shared challenges/experience of configuration nuances
Next focus
• How can we be each other’s failover between 3 federations?
• How to containerize/automate configuration to be more portable?
Outcome
Participating peers implement MDQ with less effort & maximal utility, and benefit from hard-earned lessons from early adopters
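As an added example, not code from the deck or from any of the three federations: a minimal MDQ client that builds the per-entity request URL with the `{sha1}` identifier transform from the MDQ specification, sanity-checks the response before trusting it, and fails over across a list of federation MDQ servers, which is the "be each other's failover" idea above. The server hostnames, the entity, the stub transport and the sample EntityDescriptor are constructed; a real deployment would pass an HTTPS-fetching function and must still verify the XML signature against the federation's signing key.

```python
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def mdq_entity_url(base_url, entity_id):
    # MDQ identifier transform: "{sha1}" + lowercase hex SHA-1 of the entityID, as one path segment
    digest = hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return base_url.rstrip("/") + "/entities/" + urllib.parse.quote("{sha1}" + digest, safe="")

def check_entity(xml_bytes, entity_id, now=None):
    # Minimum checks before trusting a per-entity response: one EntityDescriptor, for the entity
    # we asked for, not expired. XML signature verification against the federation key is still needed.
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("not an EntityDescriptor: %s" % root.tag)
    if root.get("entityID") != entity_id:
        raise ValueError("entityID mismatch: %s" % root.get("entityID"))
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= (now or datetime.now(timezone.utc)):
            raise ValueError("metadata expired at %s" % valid_until)
    return root

def fetch_with_failover(entity_id, base_urls, fetch, now=None):
    # Ask each federation's MDQ server in turn; the first valid answer wins.
    # fetch(url) -> bytes is the transport (e.g. an HTTPS GET); it raises on failure.
    errors = []
    for base in base_urls:
        try:
            return base, check_entity(fetch(mdq_entity_url(base, entity_id)), entity_id, now)
        except Exception as exc:  # connection error, 404, parse or validation failure
            errors.append("%s: %s" % (base, exc))
    raise RuntimeError("no MDQ server served %s: %s" % (entity_id, "; ".join(errors)))

# Constructed sample (hypothetical hosts): server A is down, server B serves the entity, C is never asked.
SERVERS = ["https://mdq-a.example.org", "https://mdq-b.example.org", "https://mdq-c.example.org"]
SAMPLE_ID = "https://idp.example.org/idp/shibboleth"
SAMPLE_XML = ('<EntityDescriptor xmlns="%s" entityID="%s" validUntil="2099-01-01T00:00:00Z">'
              '<IDPSSODescriptor/></EntityDescriptor>' % (MD_NS, SAMPLE_ID)).encode("utf-8")
def stub_fetch(url):
    if url == mdq_entity_url(SERVERS[1], SAMPLE_ID):
        return SAMPLE_XML
    raise OSError("connection refused" if url.startswith(SERVERS[0]) else "HTTP 404")

def demo():
    served_by, ed = fetch_with_failover(SAMPLE_ID, SERVERS, fetch=stub_fetch)
    return served_by, ed.get("entityID")
```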
Improving Metadata Quality
eduGAIN’s minimal validation criteria are good, but not as stringent as those of UKFed and InCommon, where many services reside.
Solution definition
• CAF and InCommon reviewed the UKFed ruleset & are augmenting current practices with it.
• Improved metadata validation to produce ‘cleaner’ eduGAIN exports
Implementation
UKFed ruleset from its metadata handling pipeline is on GitHub; CAF and InCommon are ingesting the rules into their processes
Next focus
Deploy ruleset practice where it can be best applied:
• backend validation post-submission, and maybe frontend validation to give immediate feedback on compliance with metadata practices
Outcome
• Those desiring services from UKFed and InCommon can augment eduGAIN practices with the ruleset
• Helps ensure even easier and cleaner eduGAIN exports
Deploy a Sustainable Discovery Service
The Shibboleth Consortium had ended the CDS (Centralized Discovery Service) code. CAF & UKFed were the main users of the service and needed a sustainable alternative.
Solution definition
CAF and UKFed pooled requirements, did early investigation of a common platform and selected SWITCH’s WAYF tool.
Implementation
• CAF implemented SWITCH’s WAYF PHP code in a Docker container
• Created a reference image for an out-of-the-box solution
• Have a customization strategy reducing effort to hours.
Next focus
• Opportunity to be a platform for enhanced discovery
Outcome
A reusable, shareable, containerized solution of utility to anyone with an aggregate and the ability to run Docker.
Improve the Ability to Deploy an Identity Provider
Federation adoption is challenging if sites cannot deploy Identity Providers more easily.
Solution definition
CAF IdP-Installer platform being reviewed by TIER and the Shibboleth Consortium on how to ingest elements of the work to produce easier IdP installations
Implementation
CAF has IdP-Installer; InCommon TIER work is looking to benefit from some items
Next focus
• CAF providing the Shibboleth Consortium insight/suggestions on the installation of the IdP for both Linux and Windows to ease overall installations.
Outcome
Overall easier IdP setup with a reference install; therefore increased adoption and more sustainable maintenance.
Topics in the Queue
> Assessing security posture of entities
  • What is the security posture of a federation’s Identity Providers?
    ─ Understanding what it is, how it can be improved
> Consistent integration pattern for OIDC/SAML
  • How can OIDC be integrated without compromising existing principles or triggering tremendous work on all SPs?
    ─ REFEDS OIDC Working Group likely area to advance this
> Review unique identifier practices for better recommendations
  • Unique identifiers and their use are terribly inconsistent; the community benefits from clarity and guidance
    ─ InCommon Working Group appears to be the venue for this
http://www.flickr.com/photos/wiemann/1521876735/
Signs of Progress …
• Our smaller collaborations complement larger activities, making focused headway in key areas
• Sharing requirements capitalizes on an ‘all of us is smarter than one of us’ approach
• Convergence is already happening, so how do we leverage it to our benefit?
  • Can we be tenants in our respective regions?
  • Can we deliver better service more sustainably than we can today?
Where to Collaborate
> Connect with us directly
> Leverage existing venues
• REFEDS lists, relevant working groups
• InCommon working groups
> REFEDS wiki/list space (new)
• https://wiki.refeds.org/display/GROUPS/Incubator
• https://lists.refeds.org/sympa/info/incubator
What do YOU think?