Identity Federations Status Report – January 2012

GÉANT Identity Federations currently have a lot of ongoing activities. Here is a summary of what we are working on, and the current status.

Federation Lab › Test Federation

Goal:

allow new SPs and IdPs to easily connect to a set of available entities that are available with no contract neccessary. Self-maintained.

Activity expected to be done April 2012.

Miro: Nothing to update.

Federation Lab › Monitoring and statistics

Miro: As I promised we’ve done preparations for using f-ticks with SSP in production in our federation. I’ll be able to report on that next month.

Federation Lab › SAMLtracer

A significant patch reveiced from Mark Dubrovnic. Some of the patches incorporated, some left. Including UI updates, and support for import export.

Some planned features: Notifications of SAML artifacts, support for IdP Discovery protocol.

Federation Lab › OpenID Connect

We’re making progress. In Februrary we’ll be able to connect the front-end test run UI with the backend test tool, and present to visible results.

There is an interop event in San Fransisco, then a new OpenID Connect meeting in Paris next to IETF. Roland is attending to IETF + Kantara meeting. Andreas might as well. We will have some demo available before that.

The backend test tool is able to produce test results for the initial simple test cases, it is tested against several OpenID Connect Provider implementations.

We’re planning on preparing test fascility for OAuth 2.0 in addition to OpenID Connect. That tool might be very useful for the VOOT work.

RedIRIS will perform an implementation of OpenID Connect that will be coordinated with the test fascility. RedIRIS already have experience and a library for Oauth 2.0, and will make use of that. They will also make an simpleSAMLphp module to make it very easy for enabling OpenID Connect support in an existing IdP or SP running SSP.

VOOT

Leif: Setup http://openvoot.org and prepared a drafted IETF templated spec.

Foodle: no updates.

UNINETT has implemented OAuth 2.0, and tested against Leifs implementation. Some problems, but we made it work. OAuth 2.0 support will be integrated into Foodle, this spring.

SurfNet: Ready to exchange OAuth keys with Foodle, is ready to also consume groups from Foodle as a client. Will implement OAuth 2.0 in second half of 2012.

Renater: Has already completed sympa VOOT OAuth 1.0 based implementation. OAuth 1.0 based implementation is made publicly available. Prepared to test against Foodle and SurfNet. Working on OAuth 2.0. Exepcted to be ready March 2012.

SAML2int

The SAML2int profile is being transferred to Kantara Initiative: Federation Interoperability WG.

Scot is will apply some minimal changes contribued by Ian Young.

Federated Provisioning

Mads Freek have been hired by Wayf to work on – mostly – Stinus.

Stinus is the ‘Federated provisioning and de-­provisioning’ project originally proposed by WAYF, SURFnet & JANET as per the enclosed pdf.

A description – one month old – of the architecture is available here: http://code.google.com/p/stinus/wiki/StinusOverview?show=content

I expect to have a pre-poc up an running in week 6 and expect to update the description to reflect some recent changes – mostly the use of Gearman both inside core and as the protocol between Stinus components.

Working prototype within 2 weeks.

Wayf will ensure comatibility with connectors used from the Sun provisioning Framework, that also used in Netherlands. Wayf and SurfNet is in dialogue.

Remco has already done some work on Federated Provisioning, will also do much work in the year to come, but it will be funded by another project. Remco will share a deliverable related to the work on the mailinglist.

DiscoJuice

No updates.

Moonshot

Technology is settling down, more mature, and spec.

Most activity on supporting customers on piloting activities.

Piloting activities around these areas:

  1. Classic e-Science fascilities. SSH access, visitors with physical access to console.
  2. UK National Grid Services.
  3. Cancer Research UK: for microsoft exchange, file sharing, etc. Large organization, divded into 5 institutes.
  4. UK National Health Services. Interested in starting piloting.

Likely initial most important use case: federated login to regular desktops (between different, unrelated MS Active Directory domains), not just applications

Other topics

  • Hot topic: GEANT 3+
  • Convention in Madrid for activity leaders, 27th February.
    • Trained on methodology for GN3+ methodology.

Next meeting in the beginning of March

Agenda for Identity Federations Meeting i Vienna.

Agenda for Identity Federations Meeting i Vienna.

  • Introduction, Andreas (5 min)
  • Virtual Organisations (50 min):
    • SWITCH: VO Platform, SAML-based (20 minutes)
    • SRCE: VO Platform, OAuth-based (20 minutes)
    • Discussion: SP-SAML, SP not-SAML or IdP-centric a la Corto. (10 min)
  • Best practice Documents (30 min):
    • NorduNet-Leif: De-Provisioning (15 minutes)
    • NIIF: Single Logout (15 minutes)
  • New focus area – The Login Experience – Discovery usability (15 min)
    • Andreas presents a new proposal for work item for year 3.
    • Some keywords: Kantara ULX, Embedded Discovery, SAML bridges, Browser add-ons, XAuth, etc.
  • New Deliverable – How to present our results (10 min)
  • Federated Provisioning Engine (10 minutes)
    • Proposal for Y3 activity.