The document summarizes a workshop on federation tools hosted by CANARIE. It includes an agenda for the workshop covering topics like using the IdP installer and federation management tools. It also provides introductions and outlines the goals of improving understanding of the IdP installer, highlighting key deployment considerations, and socializing the direction of federation management tools. Additional sections provide overviews of the IdP installer and federation management tools to provide context for the workshop.
5. www.canarie.ca
Outcomes for today
• Improved understanding of the IdP Installer
• Highlight key deployment considerations
• Know where to go for CAF resources
• Socialize Federation management tools direction
7. Roaming wireless
• International wireless roaming
• Ability to automatically sign on using your home credential
• Reduces barriers to mobile users
• Worldwide and expanding coverage:
  - Canada: 78 sites (a duplicated copy of this list on the slide reads 48 sites)
  - 60 countries worldwide

Federated identity
• Federated Single Sign On for services
• Web and non web sign on
• Authentication
• Authorization
• Attribute release
• Across different security domains

Interfederation
• eduGAIN as primary, exploring other direct relationships
• Bridge to international community
• Enables CAF participants to:
  - Accept identities inbound from outside Canada to Canadian services
  - Use Canadian identities in services outside Canada

SAML & eduroam
• 3.4M logins March 2014
• 2x traffic growth in 1yr
• 78 sites
• 33 Service Providers
• 25 Identity Providers
[Chart: Successful Logins, International vs Canada, y-axis 0 to 2,000,000]
[Chart: Total CAF enabled users, data points 937,000; 986,765; 1,011,793; 1,020,387]
• Intl NREN CEO Forum placed eduGAIN as a key effort
• CAF was early adopter - joined last year when there were 8, and eduGAIN now has 20 countries
8. CAF Ecosystem
[Diagram labels, as extracted: Identity Providers; Service Providers; Universities; Colleges; Research inst.; Cloud providers; Specialized R&E Apps; Libraries; Commercial SP; Research teams; Regional Community Group Gateway; Partners: BCNET, Provincial governments, Organizing bodies; people: Applicants, Parents, Temporary staff, Professor, Student, Researcher, App Developer, IDM Expert, Group Admin]
11. IdP Installer
• What is it?
  - VM image + HTML configuration forms
• What does it do?
  - Auto installs and configures IdP server components
  - Easier connection to CAF servers
  - Supports eduroam and Shibboleth
• Benefits
  - Fewer steps
  - Hides technical complexity from user
Identity Appliance stack (top to bottom): Shibboleth Identity Provider, freeRADIUS, Apache Tomcat, Java, Operating System (CentOS)
13. Installation Overview
Download installer → Plan & prepare installation → Do installation → Post installation tailoring → Local acceptance testing → Contact CANARIE to complete registration

1. Download Installer
   1. From http://bit.ly/caftools
2. Plan & Prepare your installation
   1. Review System Requirements to prepare your environment.
   2. Prepare your network
   3. Prepare your environment (settings for Directory, Certificates, etc.)
   4. Review and choose a preferred deployment approach
   5. Review your federation specific post install steps
3. Do the installation
   1. Create a configuration from your federation's configuration builder
   2. Save the configuration as 'config' in this directory on your server
   3. Run the script ./deploy_idp.sh
   4. Answer any inline questions (use self signed cert? password creation for keystores)
4. Perform Post installation Tailoring
   1. Based on items previously identified, finalize the installation
   2. Identify steps that need to be repeated in production
5. Locally Test Installation
6. Repeat installation steps for production installation as needed
[1] From installer document in distribution: https://collaboration.canarie.ca/elgg/groups/profile/847/idp-installer
15. Planning: SSID strategy, augment or replace?
Recommendation: Consider consolidating to eduroam
• Why:
  - Less to configure for end users: set up once, use everywhere. Why run one that only works for you?
  - Less to manage as wifi infrastructure operator; reduces helpdesk support
  - eduroam can be VLAN'd based on authentication: local users VLAN'd to local IP space and remote users to remote IP space [1][2]
  - Configuration Assistant Tool (CAT) performs configuration
  - To resolve "how do I get on?" for users, offer an eduroam_help SSID that behaves as a captive portal and can only reach eduroam configuration information (cat.eduroam.org) and your specific information
• Working with UFV through IdP Installer with the
• Some Canadian sites already using just eduroam as singular SSID
[1] https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus
[2] http://medit.med.ubc.ca/initiatives/eduroam-by-ubc/
16. Planning: Certificates

FedSSO / SAML2
• 2 certificates
  - End user facing (port 443) for SSO userid/password
    • commercial rooted certificate to avoid browser pain
  - IdP/SP Certificate for metadata
    • Self signed, 2048 bit SHA2
    • Autogenerated on install
    • Usually long lived (10yrs)
  - Possession & comparison of the certs present in metadata is the crux of trust

Eduroam / 802.1x
• 2 TLS pieces: CA + server cert.
  - Laptops and mobile devices asked to trust both CA and server certificate
  - If CA = commercial root, slightly less pain on MSFT clients (avoids popup of "trust this root?")
  - eduroam CAT installer critical to help streamline installation & trust regardless of cert type.

Recommendation: Use your usual commercial cert for end user facing port 443. Let tools do what they should do for long lived self signed.
Recommendation: Simply put: YMMV & up to you to tailor the experience.
Quick video example: eduroam CAT w/ comm. cert & w/ non commercial certificate.
IdP Installer automatically uses self-signed everything & is a base for build outs.
17. Certificates & HeartBleed
• Heartbleed risk present on hosts susceptible to the OpenSSL handshake
FedSSO/SAML
• Metadata signing was not at risk since that key is never used in a handshake and the OpenSSL version was safe.
• A handful of SAML entities did have to do key rollover (regenerate and replace keys).
• Risk was possible exposure of the private key and therefore emulation (impersonation) or decryption of traffic could have been done. Extremely remote and requiring an extraordinary attack, but the risk was present nonetheless: must regenerate the private key and metadata cert and do a rollover.
Eduroam
• eduroam trust is built on shared secrets, therefore not susceptible in server-to-server trusts.
• HOWEVER, the RADIUS server certificate suffered the same style of attack vector, but between the RADIUS server and clients (mobile devices): key compromise and therefore decryption of traffic, if such was done. Risk extremely remote but present. The few sites patched and made the necessary changes.
• Global eduroam had a validator within hours of the announcement and scanned many sites, including Canadian ones, very early on.
• Within 72hrs all Heartbleed risk was eliminated from the affected few sites in FedSSO and eduroam in Canada.
Would self signed or commercial have made a difference? No. Risk was the same regardless of root. A private key is a private key and both would need to have been regenerated.
Many thanks to admins who were very responsive to the issue!
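Both the certificate planning slide ("possession & comparison of certs present in metadata is the crux of trust") and the Heartbleed rollover slide come down to one operator check: does the certificate published in federation metadata match the one the IdP host actually holds, and does it have the stated properties (self-signed RSA 2048, SHA-2)? The Go program below is an added example, not CANARIE's or the IdP Installer's code; its two certificates are generated inline as constructed stand-ins for "old key" and "regenerated key", and it touches no real federation.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)
// NewSelfSigned mimics the installer's metadata cert: self-signed RSA-2048, SHA-256 signed, `years` long.
func NewSelfSigned(years int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().AddDate(years, 0, 0), SignatureAlgorithm: x509.SHA256WithRSA}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// CheckMetadataCert audits the DER cert published in federation metadata against the DER cert
// held on the host: one finding per shortfall (fingerprint mismatch, key < RSA-2048, non-SHA-2 sig).
func CheckMetadataCert(metaDER, hostDER []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(metaDER)
	if err != nil {
		return nil, err
	}
	var findings []string
	if sha256.Sum256(metaDER) != sha256.Sum256(hostDER) { // the slide's "possession & comparison" check
		findings = append(findings, "metadata cert does not match cert on host: rollover incomplete")
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() < 2048 {
		findings = append(findings, "public key is not RSA of at least 2048 bits")
	}
	switch cert.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA: // SHA-2 family: acceptable
	default:
		findings = append(findings, "signature is not SHA-2 with RSA")
	}
	return findings, nil
}

func main() {
	oldCert, _ := NewSelfSigned(10) // constructed: the key that had to be regenerated
	newCert, _ := NewSelfSigned(10) // constructed: the regenerated key now on the host
	fmt.Println(CheckMetadataCert(oldCert, newCert)) // one finding: metadata still has the old cert
}
```

In practice the metadata side comes from base64-decoding the ds:X509Certificate element of your entity's metadata and the host side from the keystore the installer wrote; an empty findings list after rollover is the signal that the old key is fully retired.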
21. CAF Guidance on Attribute Release
• Current CAF policy: mandatory release of eduPersonTargetedID
• Example of the importance of attribute release
• What the community at large is doing
  - In Canada: examining various profiles for attribute bundles
    • Collaboration profile
    • Canadian Researcher profile
    • Canadian Student profile
    • K-12 specific attributes
  - Internationally: entity categories in metadata, rules in IdPs for release; K-12 conversations in US.
• SAML metadata representation
24. Federation Community Manager
Features
• UI-based provisioning of privacy and security policies (e.g. ARPs)
• Self-serve user interface for Partner, IDP and SP admins
• Consolidated view of all community groups, IDPs and SPs in CAF
• Auto-generates metadata
Benefits
• Reduces development time, faster implementation
• Reduces errors and facilitates debugging
Status
• Seeking pilot participants
25. Collaboration via CAF & Community Groups
[Diagram: CAF Identity Providers, Regional Community Group (CG), Shared Services, CAF Service Providers]
• Services available to IDPs within the community group
• Define operating policies (e.g. attribute release) specific to CG
• Gives IDPs access to national and international CAF SPs
26. Community Group Responsibilities
[Diagram of responsibilities shared between Institutions, CAF Partners and CAF: Privacy, Help Desk, Community Groups Admin, Hosted IDP Operations, Local Outreach, Central Operations, Technical Support, Technical Community, Trust Assertion, Governance, National Outreach, Tool Development, Operations, International Representation, CAF Participant Agreements, Implementation Guidance, Community Agreements]