tnc2014 think globally act locally: simplifying federated technologies

www.canarie.ca | www.swamid.se

Presenters: Chris Phillips – CANARIE, Canada Anders Lördal– SWAMID, Sweden

Think Globally, Act Locally: Simplifying Federated Technologies

May 18 ,2014| TNC2014 | Dublin, Ireleand


About CAF & SWAMID

CAF SWAMID

Size of Community 89 Universities, ~120 colleges 52 Institutions

Size of Federation 103

SAML IdP:24 Shib,1 SSPHP, 33 SPs eduroam: 78 IdPs 78+ campus’

333 SAML IdP: 45 Shib,1 SSPHP 4 ADFS, 1 pysaml, 278 SP eduroam: 39 IdPs 773 locations

Coverage >48% > 98% Participate in eduGAIN? ✔ ✔

Challenge Uptake parity between

eduroam & SAML related to time and skills

Participants ability to remain current & maintain skills

Shib=Shibboleth, SSPHP= SimpleSAMLPHP

•  Even at different stages and coverage, we encounter similar challenges •  Opportunity to collaborate & leverage each others investments


Response to the challenge •  Evolved approach to better match campus IT reality •  Reduced cost/effort implement & support •  Simplifies installation experience

http://www.flickr.com/photos/madison_guy/3386919046/sizes/o/in/photostream/ Madison Guy

Choose RADIUS server

Install & Configure Test & Connect

Preferred Server installed

Pre-configured Tested

Classic Approach IdP Installer Approach

Preferred platform installed Pre-Configured Tested

Choose platform Install & Configure Test & Connect

www.canarie.ca | www.swamid.se Chris Phillips

Origin of the collaborative work •  We both came to the table with something:

•  SWAMID: original SAML installer & was refactoring •  CAF adopted paradigm for eduroam automation work

•  Critical pieceà bootstrapped collaboration with ½ day in person session identifying key principles & mechanics

www.canarie.ca | www.swamid.se Chris Phillips

Origin of the collaborative work •  We both came to the table with something:

•  SWAMID: original SAML installer & was refactoring •  CAF adopted paradigm for eduroam automation work

•  Critical pieceà bootstrapped collaboration with ½ day in person session identifying key principles & mechanics

Simple as possible, complex as needed Core Principle

www.canarie.ca | www.swamid.se https://www.flickr.com/photos/75905404@N00/7126146307 OZinOH

Principle Drives Design •  It’s not just the tool, but the techniques applied in the tool:

•  Highly Extensible – be Federation aware, be tech agnostic.. •  Internalize complexity to simplify end users experience •  Internationalize by default instead of retrofit •  Embody best practices to avoid error in implementations


The Results – The IDP Installer

•  What is it? –  Installation script with HTML

configuration to image a blank VM •  What does it do?

–  Auto installs and configures IdP server components

–  Configures entire system, not just software

–  Supports eduroam and Shibboleth

•  Benefits –  Fewer steps –  Hides technical complexity from

user

VM"Shibboleth

IdentityProvider"(2.4.0)"

freeRADIUS"(2.1.12)"

Apache Tomcat (6.0)"

Java (openjdk 1.7)"

Operating System (centOS6.4+ or Ubuntu 12.0.4)"


Installation Improvements

Outcomes •  Install effort reduced from 2 discrete projects to 1 on participant site •  Automated configuration reduces installation complexity and editing needs

•  Speeds up installation •  Reduces errors


Installation Overview

Plan & Prepare

installation

Review System Requirements to

prepare your environment.

Prepare your network

Prepare your environment (settings for Directory,

Certificates, etc)

Review and choose a preferred

deployment approach

Review your federation

specific post install steps

Do Installation

Create a configuration

from your federations'

configuration builder

Save configuration as

'config' in this directory on your

server

Run the script ./deploy_idp.sh

Answer any inline questions

(password creation for keystores)

Post installation

tailoring

Based on items previously identified, finalize the installation

Identity steps needed to be repeated in production

Local acceptance

testing

Contact FedOp to complete

registration [1] From installer document in distribution: https://collaboration.canarie.ca/elgg/groups/profile/847/idp-installer


Configuration Demo & Walk Through

http://youtu.be/7DpHL9akgrg

www.canarie.ca | www.swamid.se https://www.flickr.com/photos/julia_manzerova/4748112382/ Julia Mnazernova

Weighing the Options

•  A lot of great tools and techniques out there à had to choose wisely •  Driven by Principles and Requirements. How closely do these match yours?


Contrasting Implementation Styles

Model Benefit Drawback Example?

Centralized/Command & Control

Centralized control Remote management capabilities

•  Complexity is high for backend

•  Not easily hosted locally •  May not meet needs for

hands off remote operation

GAAR

Download VM preconfigured

•  Quick, good degree of consistency

•  Reliable troubleshooting

•  Large binary distribution (is it necessary?)

•  Expectation of responsibility for patching

•  VM may not have all components & site wants access to root.

•  Hard to scale variants. •  Cost of maintaining

unwieldy

Eduroam in a box VM

Installer tool (implemented)

•  Pre-existing code base •  Least complexity •  Smallest footprint •  Knowledge readily available •  Interface translation friendly

•  Keeping current with dependencies takes effort

•  Testing complexity is higher

•  SWAMID original installer

•  DevOps tools


Contrasting Implementation Techniques

Technique Benefits Drawbacks

Puppet/Chef based

In Producton Scales nationally Command and control with puppet

Command and control required, some rigidity dilutes autonomy of sites

Ansible based Able to get support DevOps friendly

Not a broad skill set in the target community

Various languages(java,perl, Expect)

Various reasons (choose your favorite)

Skill set hit and miss in the field.

Existing investment in bash for installer Configuration in standalone HTML+javascript

Ubiquiteous - Available inherent in system shell Maintainable Sophisticated or as primitive as you would like to use Easily tweaked because we know it will be Internationalization(i18n) friendly

It’s bash & there’s a bit of baggage with that. HTML interface for cross browser compatibility


Usage & Feedback

CAF SWAMID

Status to respective community

•  Available as ‘Beta’. •  Awaiting feedback from

handful of sites so we may transition to ‘General Availability’

Widely available for sites to use and test

Community feedback

Positive. One pilot site: Found deploying eduroam easier and are transitioning to eduroam as the only campus SSID for Fall 2014.

Positive. At least four sites running One with active/standby config.


Collaboration – Managing Change •  GitHub public repository used

•  https://github.com/idp-installer-manager •  Core codebase in ‘idp-installer-global’ repo •  To use, strongly encouraged to fork your own ‘idp-

installer-<Fed’n_name>’ •  Loosely couples code management •  Enables isolation for feature development

•  (push) to global for review & promote to community.

•  Other forks can retrieve (pull) from global at their own pace– as quick or as slowly as needed

idp-installer-global

idp-installer-CAF

idp-installer-SWAMID

ipd-installer-YOUR_FED_HERE


Your Invited!

•  Code base in use at CAF and SWAMID. •  Clone one of ours now to try it out (http://bit.ly/caf-idp / http://bit.ly/swamid-idp )

•  Want your own? Come talk with us or fork your own from: http://bit.ly/global-idp

http://www.flickr.com/photos/shutter/105497713/sizes/l/in/photostream/ Chris Owens


Thank you!

Contact: Chris Phillips [email protected] Anders Lördal [email protected]

Chris & Anders in the hotel lobby IdP Installer hack-a-thon in San Francisco Nov’13 Identity week. Photo by Nicole Harris

www.canarie.ca

tnc2014 think globally act locally: simplifying federated technologies

Technology