TIIME workshop, Vienna, 5-6 Feb 2018
- Federation
- IdP
# Monday
- https://tiimeworkshop.eu/wwwTiimeworkshopEu/agenda.html
## IDM OSS Track 1 (Shibboleth for FO)
Please prepare a VM for the hands-on part of the tutorial:
- bring your notebook
- install VirtualBox
- download the VM
- import the downloaded VM into VirtualBox
- try to log in
## Peter Schober (ACOnet)
- ACOnet
- ACOnet is the Austrian National Research and Education Network (NREN) for science, research, education, and culture. It is operated by the Vienna University Computer Center, in co-operation with other universities in Austria.
## Architectural options
- central IdP (e.g. KUL)
- mesh
- hub+spoke
- and alternatives (consumer-/eGovernment-ID)
## Fundamental federation concepts based on SAML-based Web-SSO mesh model
### Trust management
## SAML metadata anatomy
- Wolfgang Pempe (DFN)
- Scenario 1: plain Shibboleth install, IdP and SP exchange metadata bilaterally
-- does not scale (every pair has to maintain its own metadata config)
- Scenario 2: metadata management by the Federation Operator
- https://www.aai.dfn.de/en/administration/
- Resource registries, aggregators and registration policy
- Attribute release
- Crypto management
- Federation policy for B2B and B2C
- PKI-based federations and integration of non-web clients with SAML
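As an added illustration of what a metadata consumer looks at (this is not code from the talk, from DFN or from Shibboleth): the script below parses a constructed SAML 2.0 metadata aggregate with the Python standard library, lists each entity's ID, role descriptors and signing-certificate fingerprints, and flags an expired `validUntil`, a missing signature, an entity without keys and endpoints served over plain http. The aggregate, the entityIDs, the certificate blob and the check time are all invented for the example.

```python
"""Inspect a SAML 2.0 metadata aggregate the way a federation participant would
before trusting it: list entities, roles and signing keys, and flag obvious
problems (expired validUntil, no signature, keyless entity, http endpoints)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample aggregate for the example: invented entityIDs, and the
# X509Certificate content is a placeholder blob, not a real certificate.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="https://federation.example.org" validUntil="2018-02-13T12:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>AAECAwQ=</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Time of the check; fixed to the workshop date so the example is reproducible.
NOW = datetime(2018, 2, 6, tzinfo=timezone.utc)


def parse_valid_until(value):
    """SAML validUntil is an xsd:dateTime in UTC, e.g. 2018-02-13T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cert_fingerprint(b64text):
    """SHA-256 over the DER bytes, the form federations publish for key pinning."""
    der = base64.b64decode("".join(b64text.split()))
    return hashlib.sha256(der).hexdigest()


def inspect_metadata(xml_text, now=NOW):
    root = ET.fromstring(xml_text)
    report = {
        "name": root.get("Name"),
        "signed": root.find("ds:Signature", NS) is not None,
        "expired": False,
        "entities": [],
        "findings": [],
    }
    valid_until = root.get("validUntil")
    if valid_until is None:
        report["findings"].append("no validUntil: a stale copy would never expire")
    elif parse_valid_until(valid_until) < now:
        report["expired"] = True
        report["findings"].append(f"aggregate expired at {valid_until}")
    if not report["signed"]:
        report["findings"].append("aggregate carries no ds:Signature")

    for ed in root.findall("md:EntityDescriptor", NS):
        entity_id = ed.get("entityID")
        roles = [c.tag.split("}")[1] for c in ed if c.tag.endswith("SSODescriptor")]
        certs = [cert_fingerprint(c.text) for c in ed.iterfind(".//ds:X509Certificate", NS)]
        report["entities"].append({"entityID": entity_id, "roles": roles, "cert_sha256": certs})
        if not certs:
            report["findings"].append(f"{entity_id}: no KeyDescriptor, its messages cannot be verified")
        for el in ed.iter():
            loc = el.get("Location")
            if loc and loc.lower().startswith("http://"):
                report["findings"].append(f"{entity_id}: endpoint over plain http: {loc}")
    return report


if __name__ == "__main__":
    for line in inspect_metadata(SAMPLE_METADATA)["findings"]:
        print("finding:", line)
```

This only reads the structure. Before trusting a real aggregate the consumer has to verify its XML signature against the federation operator's known key, which the standard library cannot do; the `signed` flag here just records whether a signature element is present.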
## ID Fraud
- Patrick Curry (BBFA)
- PKI
-- CertiPath
-- KICA
-- https://www.intrinsic-id.com/
# Tuesday
## Federated provisioning
- Peter Gietz (DAASI International)
- SCIMv2: http://www.simplecloud.info/
## Hub-and-Spoke Federation architecture and use cases
- Raoul Teeuwen (SURFnet)
- Raoul is product manager Trust & Identity (T&I) at SURF (https://www.surf.nl/en/about-surf)
- hub disadvantage: single point of failure (SPOF)
- hub advantage: price/quality
## Interfederation
- Lukas Hämmerle (SWITCH)
- SAML2
- OpenidConnect (next step?)
- example: eduGAIN, an AAI (Authentication and Authorization Infrastructure)
- https://technical.edugain.org/
## Virtual Organizations
- Lukas Hämmerle (SWITCH)
## Options for OIDC-based federations (OIDC ‘proper’, OIDCfed)
- Roland Hedberg
- RP : WebFinger : OP (the RP discovers the user's OP via WebFinger)
- AppAuth is available for Android and iOS: provides authentication for native applications in interfederations using OpenID Connect
- trust statements live 15 min; the short lifetime avoids the need for revocation
## Keycloak
- Peter Pfläging (pflaeging.net https://www.pflaeging.net/info/)
- https://github.com/pflaeging/keycloak-ws
- http://www.keycloak.org/
- fairlogin https://git.fairkom.net/fairlogin
- installed the SAML-tracer add-on in Firefox: https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/
- https://server16.pflaeging.net:30443/
- login: * *
- Slack alternative: Rocket.Chat https://rocket.chat/
- install with snap: https://snapcraft.io/
- Redmine https://www.redmine.org/projects/redmine/wiki/Features
## Midpoint
- Radovan Semančík, Katarína Valaliková
### basic terms
- target system = resource
- resource -> connector (Java) -> target system
- https://evolveum.com/downloads/workshops/tiime-2018.zip
- OpenLDAP
- import throughput: 2-3 entities/sec
- validation of CSV before import: not really
-- workaround: set limits or do a dry-run
- housekeeping rules: reconciliation option
- campaign definitions to start the remediation process
- policyRule containing policyConstraints
- privilege management: certification process
- slow performance
- https://en.wikipedia.org/wiki/H2_(DBMS) don't use H2 in production
- assignments (what the user has) vs. inducements (what the role confers on whoever holds it)
- meta-roles: roles assigned to roles (roles containing roles containing roles) to keep the roles smarter
- SCIM connector
- roles with attributes, e.g. location
- assistant roles
- midpoint-core (midpoint-logic) = engine
- XSD: static schema + dynamic schemas (e.g. provided by LDAP)
- shared users? no support
- application users?
- services (things, concepts): assign an account to a service
- midPoint is not compliant with any meaningful ISO standard
- Apache licence
- source: 3 million lines of Java
- SSO + midPoint
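A simplified model of the assignment / inducement / meta-role rules from the notes above, written here as an added example and not taken from midPoint's engine: an assignment grants its target to the object holding it, an inducement on a role grants its target to whoever holds that role, and an inducement of order n reaches the object n steps up the assignment chain, which is what lets a meta-role assigned to a business role push account constructions down to that role's users. The role names and `account:...` targets are invented.

```python
"""Simplified model of assignments, inducements and meta-roles (added example,
not midPoint's own evaluator). Rules used here:
  * an assignment grants its target to the object that holds it;
  * an inducement on a role grants its target to whoever holds that role;
  * inducement order n reaches the object n steps up the assignment chain,
    so a meta-role assigned to a business role uses order 2 to reach that
    business role's users and order 1 to decorate the business role itself."""
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    assignments: list = field(default_factory=list)   # roles this role itself holds (meta-roles)
    inducements: list = field(default_factory=list)   # (target, order) pairs


# Invented role model; "account:..." targets stand for resource constructions.
ROLES = {
    "Manager": Role("Manager", inducements=[("Employee", 1), ("account:hr", 1)]),
    "Employee": Role("Employee",
                     assignments=["StandardRole"],
                     inducements=[("account:ldap", 1)]),
    # meta-role: order 1 hits the business role, order 2 hits its members
    "StandardRole": Role("StandardRole",
                         inducements=[("account:ldap-group-for-role", 1),
                                      ("account:mail", 2)]),
}


def effective_targets(user_assignments, roles):
    """Everything the user ends up holding: roles plus account constructions."""
    held = set()
    # depth 1 = held by the user, depth 2 = held by a role the user holds, ...
    stack = [(name, 1) for name in user_assignments]
    seen = set()
    while stack:
        name, depth = stack.pop()
        if (name, depth) in seen:
            continue
        seen.add((name, depth))
        if depth == 1:
            held.add(name)
        role = roles.get(name)
        if role is None:
            continue                    # leaf target such as an account construction
        for target in role.assignments:
            stack.append((target, depth + 1))   # one more step away from the user
        for target, order in role.inducements:
            if order == depth:          # reaches exactly the user: treat as held
                stack.append((target, 1))
    return held


if __name__ == "__main__":
    print(sorted(effective_targets(["Manager"], ROLES)))
```

Assigning `StandardRole` directly to a user shows the difference in order: the user then gets the order-1 target and not the order-2 one, whereas a member of `Employee` gets the order-2 `account:mail` without ever holding the meta-role.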
### Q:
- import task: validate data before importing?
-- not really
- click on the key icon in the form to access the complete browser password safe
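Since the import task does little validation itself, a dry run over the CSV feed before handing it to midPoint is the practical answer to the question above. The validator below is an added example (not midPoint code): it checks required columns, unique identifiers, non-empty names, a plausible e-mail and a row limit, and reports problems without touching any target system. The feed, the column names and the limit are constructed for the example.

```python
"""Dry-run validator for a CSV user feed before an import task (added example).
Reports structural problems without importing anything."""
import csv
import io
import re

REQUIRED = ("uid", "givenName", "sn", "mail")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample feed, not real data: one duplicate uid, one empty
# surname and one malformed mail address.
SAMPLE_CSV = """uid,givenName,sn,mail
jdoe,John,Doe,jdoe@example.org
asmith,Alice,Smith,asmith@example.org
jdoe,Jane,Doe,jane@example.org
bwong,Bob,,bwong@example
"""


def validate_feed(text, limit=1000):
    """Return {'ok', 'rows', 'errors'}; 'rows' counts rows actually examined."""
    reader = csv.DictReader(io.StringIO(text))
    errors = []
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return {"ok": False, "rows": 0, "errors": [f"missing columns: {missing}"]}
    seen = set()
    rows = 0
    for lineno, row in enumerate(reader, start=2):   # line 1 is the header
        if rows >= limit:
            errors.append(f"more than {limit} rows; raise the limit deliberately")
            break
        rows += 1
        uid = (row["uid"] or "").strip()
        if not uid:
            errors.append(f"line {lineno}: empty uid")
        elif uid in seen:
            errors.append(f"line {lineno}: duplicate uid {uid!r}")
        seen.add(uid)
        for col in ("givenName", "sn"):
            if not (row[col] or "").strip():
                errors.append(f"line {lineno}: empty {col}")
        if not EMAIL_RE.match(row["mail"] or ""):
            errors.append(f"line {lineno}: invalid mail {row['mail']!r}")
    return {"ok": not errors, "rows": rows, "errors": errors}


if __name__ == "__main__":
    result = validate_feed(SAMPLE_CSV)
    print("ok" if result["ok"] else "\n".join(result["errors"]))
```

The row limit is the "set limits" idea from the notes: an unexpectedly large feed (a full export sent where a delta was expected) is refused until someone raises the limit on purpose, rather than being provisioned at 2-3 entities per second.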
# blog post
- published on miccaman.neocities: https://miccaman.neocities.org/app/tiime.html