belnet federation belnet – loriau nicolas brussels – 12 th of june 2014

Belnet FederationBelnet – Loriau Nicolas

Brussels – 12th of June 2014

Agenda

• Presentation of Belnet R&E federation

• IdPs / SPs / DS

• Technical framework

• eduGAIN

• Belnet Federation services• Antispam Pro

• Mconf

• Filesender

• Viabel.net

• Personal Certificate

12/06/2014 Workshop Belnet R&E Federation 2

Belnet R&E Federation

4

Belnet R&E Federation

What is a federation?

Why a federation?

“Evolving to streamlined access for web services”


What is a federation?

“A federation is an association of organizations that use a common

set of attributes, practices and policies to exchange information

about their users and resources in order to enable collaboration

and transactions”

(www.Incommon.org, Internet2, 2012)


6

What is Belnet R&E Federation

Identity & Access Management

Research &Education

Community

IdentityProviders

Federated Partners CommercialNon-profit

GovernmentAgencies

OtherFederations

ServiceProviders


7


7


Research &Education

Community

IdentityProviders

Federated Partners

ServiceProviders

Administration?

Legal?

Technical?

TrustedMediator


8


8


Research &Education

Community

IdentityProviders

Federated Partners

ServiceProviders

TrustedMediator


9

Why use a federation? - Philosophy

- Technical aspect

Let us briefly go back in time, when:- users were still new to the network

- security & privacy concerns were minimal

Why: Belnet R&E Federation


LAN

10


User = johnPwd = abc123

User = janePwd = abc456

User = jdoe1Pwd = def123


User = johndoePwd = ghi123

User = jd456Pwd = jkl123

User = john456Pwd = mno123

User = jd123Pwd = pqr123

User = jdoePwd = ghi456


User = jane123Pwd = mno456


1991


11


User = johnPwd = abc123Birth dateHome address…

User = jdoePwd = def123Birth dateHome address…

User = johnPwd = abc123Birth dateHome address

User = jdoePwd = def123Birth dateHome address

User = jdoePwd = def123Birth date

User = johnPwd = abc123Birth date


12


2001


13



Role-BasedAccesControl

Add Mod Del

One account& passwordper user

2001


The Cloud

14


SoftwareasaService

20142014 or

1991?User = john

Pwd = abc123

User = janePwd = abc456



User = johndoePwd = ghi123


User = john456Pwd = mno123


User = jdoePwd = ghi456


User = jane123Pwd = mno456



15


15


ServiceProvider 1

ServiceProvider 2

IdentityProvider 1

IdentityProvider 2

One agreement

One language:SAML2

1-timesetup

1-timesetup

“Evolving to streamlined access for web services”

One account& passwordper user

Identity & Access

Management

Identity & Access

Management


Actors of a federation

Identity Providers

Workshop Belnet R&E Federation12/06/2014 19

Service Providers


Discovery service


Benefits

• For IdP:• Access to wider range of services than available locally

• No extra administrative burden if you are already participating in a

federation

• One user name and password

• For SP:• Grow your audience

• Lower costs per user

• No local user database


Technical framework

Software Components

Identity Provider– Hosted on systems of organisation

– Shibboleth IdP

– simpleSAMLphp

– Verifies user’s credentials (username/password):Bridge between Federation and user database

– Knows user attributes, implements the attribute release policy


Software Components

Service Provider– Shibboleth SP

– simpleSAMLphp

– Integrates with IIS and/or Apache


Attributes

All relevant information about user:− Name, First name, date of birth, …

− Role (student, staff, alumni, …)

− Email address, anonymized ID, …

Stored on LDAP or AD

Attribute Release Policy− Only a few attributes required to join the Federation

− The IdP decides how and to whom to release attributes

− Respect of the privacy of users


Authentication process

Identity Provider Service Provider

User

1

2

34

5

6

7

8


Metadata

• What's in the metadata− Mandatory!

− Who are the IdPs?

− Who are the SPs?

− What are their URLs and certificates

− Organisation and Technical Contact


Metadata

• Entity metadata vs. Federation metadata − Entity metadata:

− for single IdP or SP

− Federation metadata:− aggregation of entity metadata

− for all IdPs and SPs in the Federation


eduGAIN

eduGAIN

• Interconnecting federations

• Metadata Service : aggregates and pushes


eduGAIN

• Extends the portfolio of services

• Extends the audience

• To get access to eduGAIN, you need to request it


Belnet Federation services

Antispam Pro


Antispam Pro

Cloud-based– Data/servers are in Belgium @ Belnet

(trust)

Flexible– Easy user management and delegation

– Customizable

Complete– Inbound and outbound

– Antispam and Antivirus

– Reporting


Mconf

Collaborative web interface with public/private space.

Recently added to the Federation

Go ahead and use it


Mconf @ Belnet


Mconf

Give us your feedback via [email protected]

Not a Belnet service

Limited support


FileSender

• Sends e-mail with big files attached

• From the members of the R&E Federation

• To any recipient


FileSender


Viabel.net


Personal Certificates


belnet federation belnet – loriau nicolas brussels – 12 th of june 2014

Documents