Transcript - TERENA
Connect. Communicate. Collaborate
The MetaData Service
Distributing trust in AAI confederations
Manuela Stanica, DFN
Outline
• What is the MetaData Service (MDS)?
• Role of a MetaData Service in AAI confederations
• Use of the MDS in eduGAIN
• The MDS URLs
• Publishing and retrieving metadata
• Trust and security considerations
• Conclusions
What is the MetaData Service (MDS)?
• eduGAIN component developed in GN2-JRA5
• eduGAIN: the GÉANT2 AAI
• Supports dynamic establishment of trust relations between members of an AAI confederation
• Information model conforms to the SAML v2.0 Metadata Specification
• SAML: Security Assertion Markup Language (OASIS)
AAI confederation hierarchy
• AAI confederation: interconnects AAI federations
• AAI federation: participant institutions and their users
  – access to external resources & services
  – unaware of participants in other federations
  – require a procedure for establishing trust between them
AAI confederation hierarchy (2)
Role of metadata
• Connecting to entities in other federated AAIs requires information:
  – where (in which federation)?
  – how to reach it?
  – what is supported (protocols and functionalities)?
  This information is the metadata.
• Distribution to all confederation members:
  – static (pre-configured upon software installation)
  – dynamic (on request)
Role of a MetaData Service in AAI confederations
• AAI confederations are non-static environments!
• Frequent updates require a means for dynamic collection & distribution of metadata: the MetaData Service (MDS)
Basic principles
• Centralised storage of metadata for eduGAIN components
• Dynamic retrieval & update
  – metadata exchange interface: eduGAINMeta
  – based on the REST architecture model
• Distributed publishing & querying
  – among local federations
  – no central admin
  – multiple metadata publishers and consumers
eduGAIN components
Bridging Elements
• MDS used by Bridging Elements (BEs):
  – gateways between eduGAIN and the local federations
  – communication with peers (BEs) in other federations
  – query the MDS for metadata about the Home BE
  – MDS response: SAML 2.0 Metadata document
  – consumers/publishers of metadata
URL structure
• Syntax of the REST URL mapping:
  MDS base URL[/federation ID][/entity ID][?query string]
• Combinations of:
  – MDS base URL: https://mds.geant2.net/
  – federation ID: dfn, feide, ...
  – entity ID: be1
  – query string – Home Locator(s): homeDomain=uio.no
Home Locators
• eduGAIN-specific attribute-value pairs
• For: locating a remote BE (Home BE)
• From:
  – hints provided by the user
  – contents of certificate extensions
• Types:
  – Home domain (homeDomain=switch.ch)
  – URN (urn=urn:geant:edugain:component:be:switch:be1)
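The URL mapping and home-locator rules from the two slides above, as an added example (not eduGAIN's own code): a builder and parser for MDS REST URLs that enforces the slide's structure, using the sample base URL and IDs shown there.

```python
"""Build and parse eduGAIN MDS REST URLs of the form
MDS base URL[/federation ID][/entity ID][?query string].
Added example; base URL, federation/entity IDs and locator names are the slide's samples."""
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs

MDS_BASE = "https://mds.geant2.net/"       # sample base URL from the slides
HOME_LOCATORS = ("homeDomain", "urn")       # eduGAIN home-locator attribute names

def build_mds_url(federation=None, entity=None, locators=None):
    """Compose an MDS URL; an entity ID needs a federation ID; locators form the query string."""
    if entity and not federation:
        raise ValueError("entity ID is only valid below a federation ID")
    for key in (locators or {}):
        if key not in HOME_LOCATORS:
            raise ValueError(f"unknown home locator: {key}")
    path = "/".join(p for p in (federation, entity) if p)
    query = urlencode(locators, safe=":") if locators else ""   # keep URN colons readable
    return urlunsplit(("https", urlsplit(MDS_BASE).netloc, "/" + path, query, ""))

def parse_mds_url(url):
    """Split an MDS URL into (federation ID, entity ID, home locators)."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) > 2:
        raise ValueError("path may only carry a federation ID and an entity ID")
    federation = segments[0] if segments else None
    entity = segments[1] if len(segments) == 2 else None
    locators = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if entity and locators:
        raise ValueError("search by locator and lookup by entity ID are exclusive")
    return federation, entity, locators

def request_kind(url):
    """Classify as in 'Retrieving metadata': lookup (name known) or search (home locators)."""
    _, _, locators = parse_mds_url(url)
    return "search" if locators else "lookup"
```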
Publishing/ updating
• Who: metadata publishers
  – Federation Peering Point (FPP)
  – authorized Bridging Elements (BEs)
• What: SAML 2.0 Metadata documents
  – EntityDescriptor root (one BE)
  – EntitiesDescriptor root (several BEs)
• How: HTTP POST/PUT
Publishing/ updating (2)
• For a whole federation:
  – only by the FPP
  – EntitiesDescriptor
  – URL syntax: <MDS base URL/federation ID>, e.g. http://mds.ladok.umu.se/feide
• For single entities:
  – by the FPP / authorized BEs
  – EntityDescriptor
  – URL syntax: <MDS base URL/federation ID/entity ID>, e.g. http://mds.ladok.umu.se/switch/be1
Retrieving metadata
• BE queries the MDS via HTTP GET
• Metadata lookup – entity/federation name is known
  – <MDS base URL[/federation ID][/entity ID]>
    http://mds.ladok.umu.se
    http://mds.ladok.umu.se/switch
    http://mds.ladok.umu.se/switch/entity1
• Metadata search – entity name unknown, home locators
  – <MDS base URL[/federation ID]?query string>
    http://mds.ladok.umu.se/?homeDomain=switch.ch
Trust establishment
• Elements of trust establishment in eduGAIN:
  – MDS
  – eduGAIN PKI
  – Component identifiers (CIDs)
• MDS trust is tightly bound to the eduGAIN PKI: minimal trust in the service itself
• Transitive trust
Security checks
• MDS validations:
  – publisher's X.509 certificate
  – publishing rights
• Publishers' signatures are forwarded with the metadata: validation by the consumers
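The publishing rules ("Publishing/ updating") and the MDS-side rights check ("Security checks") combined, as an added example that is not eduGAIN's code: the MDS decides whether a publish request may go through, given the publisher identity it has already taken from a validated X.509 client certificate (certificate and XML-signature validation are assumed done elsewhere; the publisher record shape is hypothetical).

```python
"""MDS-side publishing-rights check. Added example; the publisher dicts stand in for what the
MDS learned from an already-validated X.509 certificate (validation itself not shown)."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"   # SAML 2.0 Metadata namespace
ENTITY = f"{{{MD_NS}}}EntityDescriptor"           # root for one BE
ENTITIES = f"{{{MD_NS}}}EntitiesDescriptor"       # root for a whole federation

# Constructed publisher records (hypothetical shape): role plus the IDs bound to the cert.
FPP_FEIDE = {"role": "FPP", "federation": "feide"}
BE_SWITCH = {"role": "BE", "federation": "switch", "entity": "be1"}

def check_publish(method, path, publisher, metadata_xml):
    """Return 'accept' or 'reject: <reason>' for a publish request against the MDS."""
    if method not in ("POST", "PUT"):
        return "reject: publishing uses HTTP POST/PUT"
    segments = [s for s in path.split("/") if s]
    if not 1 <= len(segments) <= 2:
        return "reject: path must be /federation ID[/entity ID]"
    federation = segments[0]
    entity = segments[1] if len(segments) == 2 else None
    try:
        root = ET.fromstring(metadata_xml)
    except ET.ParseError:
        return "reject: metadata is not well-formed XML"
    if publisher["federation"] != federation:      # rights never cross federation borders
        return "reject: publisher belongs to another federation"
    if entity is None:                             # whole federation: FPP only, EntitiesDescriptor
        if root.tag != ENTITIES:
            return "reject: federation publish needs an EntitiesDescriptor root"
        if publisher["role"] != "FPP":
            return "reject: only the FPP may publish a whole federation"
        return "accept"
    if root.tag != ENTITY:                         # single entity: EntityDescriptor root
        return "reject: entity publish needs an EntityDescriptor root"
    if publisher["role"] == "FPP" or publisher.get("entity") == entity:
        return "accept"                            # FPP, or the BE publishing its own entry
    return "reject: a BE may only publish its own entity"

# Constructed minimal documents for exercising the checks.
ONE_BE = f'<EntityDescriptor xmlns="{MD_NS}" entityID="be1"/>'
MANY_BE = f'<EntitiesDescriptor xmlns="{MD_NS}"><EntityDescriptor entityID="be1"/></EntitiesDescriptor>'
```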
Conclusions
• MDS: dynamic metadata distribution in AAI confederations
• Centralised storage, distributed trust
• Employs standard SAML 2.0 Metadata
• Possible use in any SAML-based infrastructure
• Deployment together with an eduGAIN-like PKI
Thank you for your attention!
Questions?