national federation perspectives & insights

www.canarie.ca

National Federation Perspectives & Insights

Chris Phillips | October 1st, 2012 | Internet2 Fall Member Meeting | Philadelphia

www.canarie.cawww.canarie.ca

About CANARIE

Map date: 29 May 2012

Operates Canada’s ultra-high-bandwidth research network• Connects one million users at

1,100 institutions, “big science” facilities like TRIUMF, NEPTUNE, CLS, SNOLAB, and to Compute Canada HPC consortia

• 19,000km of fibre with a 40 Gbps backbone

• Funds programs that enable greater access to research data, tools and peers and to stimulate the ICT sector

Operator of the Canadian Access Federation• SAML federation based on

Shibboleth• Canadian Eduroam 802.1x

wireless roaming operator• eduGAIN participant

Primary investment from Government of Canada - $480 M since 1993

2


Current CAF Services

SAML via

• For web and non web Authentication Authorization Attribute release

802.1x via

3

• For wireless authentication

20-Jul 16-AugFY12Q4 FY13Q1 FY13Q2 FY13Q2

860000880000900000920000940000960000980000

1000000

902737

937000957766

976200

CAF enabled Users(SAML & eduroam)

1/1

1

3/1

1

5/1

1

7/1

1

9/1

1

11/

11

1/1

2

3/1

2

05-2

012

07-2

012

-

200,000

400,000

600,000

800,000

eduroam Successful Logins

Other Canada


Vision for CAF

To be the preferred access management service for electronic resources in the Canadian innovation ecosystem in support of Research and Education (R&E) Guiding Principles

Increase Reach

• Users & Technology adoption

• Communities of Practice

• Geographical

Increase Services

• # of Service Providers

• Service Types

Technical Leadership

• Operational Excellence

• Next Gen topics

www.canarie.ca

This is what it feels like trying to collaborate…. 5

Image: Phil Roeder - Flickr

www.canarie.caThis is how we want it to feel.

6


How?

Facilitate collaboration at the largest scale possible.


How?

Facilitate collaboration at the largest scale possible.

Easiest

but

trustedv

Seamlessl

y

v

www.canarie.ca

Benefits

• For the End User– Less credentials to remember, but stronger ones– Easier access to resources/data, but in the right way– Alignment of identity across systems– Ability to collaborate internationally (both inward & outward)

• For Operations– Least

• Development effort• Support costs• Risk

– Most• Secure• Accurate• Auditable

– Benefit from various network effects• You don’t have to do all the integration effort, but when you do, it’s

easier• You benefit from others adding services important to them

9

www.canarie.ca

Areas of Interest

• Cloud Identity Provider– Reduce complexity for coming into federation– Eases overall effort

• Guest IdP• Gateway IdP via Social2SAML gateway• Non web sign on (SAML, Moonshot/abfab)• Self service interfaces for SP/IdPs (Australian Federation

Manager)• Attribute sets


Non Web Signon

SAML Hybrid SAML+802.1x

11

• SAML Enhanced Client SASL and GSS-API Mechanisms[1]

• Application Bridging for Federated Access Beyond web (abfab) aka Moonshot[2]

[1] http://datatracker.ietf.org/doc/draft-ietf-kitten-sasl-saml-ec/[2] http://datatracker.ietf.org/doc/draft-ietf-abfab-aaa-saml/

Common To Both:• Underway in IETF standards body• Require touch points at the client & server• A (big) part of a larger environment

www.canarie.ca 12www.canarie.ca

International Linkages are Critical

www.canarie.ca

International Federation Landscape

13

www.canarie.ca

How Federations Interconnect

14

www.canarie.ca

The Big Picture:Collaboration & Interconnection

CAF

Local FedIdp SP

SP

Local Fed

Idp SP

SP Idp

SP

Special Interest Trust Groups

IdpIdp

Idp

• Efficient, least effort for SP/IdP• Local fed incubates federation

aware apps• SITG can leverage common

infrastructure, and overlay special attribute sets & specific policies

SPSP

SP

SP Idp

Higher Assurance

www.canarie.ca

[email protected]