CANARIE operates the Canadian Access Federation (CAF), a program whose services deliver Federated Single Sign On (FedSSO) and eduroam.
This presentation, given on REFEDS.org's day at Internet2 Identity Week, is a high-level view of what CAF is engaged in and interested in.
CANARIE Canadian Access Federation Update @ Internet2 Identity Week 2013
1. REFEDS Update on Canadian Access
Federation
Chris Phillips | Nov 11, 2013 | Internet2 idweek2013 | San Francisco
www.canarie.ca
2. About CANARIE
Operates Canada's ultrahigh-bandwidth research network
• Connects one million users at 1,100 institutions, "big science" facilities like TRIUMF, NEPTUNE, CLS, SNOLAB, and to Compute Canada HPC consortia
• 19,000 km of fibre with a 40 Gbps backbone
• Funds programs that enable greater access to research data, tools and peers and to stimulate the ICT sector
Operator of the Canadian Access Federation
• SAML federation based on Shibboleth
• Canadian eduroam 802.1X wireless roaming operator
• eduGAIN participant
Primary investment from Government of Canada - $480 M since 1993
Map date: 29 May 2012
3. About CANARIE: Additional Programs
DAIR - Digital Accelerator for Innovation and Research
An on-demand, advanced R&D cloud environment that supports Canada's tech innovators. Openstack based, with 2 regions (Alberta, Quebec).
RPI - Research Platform Infrastructure
An investment in middleware by CANARIE that leverages existing platforms & is the evolution of the NEP program. Reduces duplication, increases re-use and collaboration between programs. http://science.canarie.ca/
NEP - Network Enabled Platforms
Similar in nature to GEANT opencall. Research initiatives showing innovative uses of the network. Has evolved to be even more collaborative and generates new interfaces/RPI services to be reused between projects.
4. This is what it feels like trying to collaborate…
Image: Phil Roeder - Flickr
5. This is how we want it to feel.
8. Roaming wireless
• International wireless roaming
• Ability to automatically sign on using your home credential
• Reduces barriers to mobile users
• Worldwide and expanding coverage:
  • Canada: 64 sites
  • 65 countries worldwide
[Chart: Successful Logins, series International and Canada]
• ~3M logins Sept 2013
• 2.5x traffic growth in 1yr
• 48 sites, ~50% of universities in Canada
• 40% growth in sites in 1yr
Federated identity
• Federated Single Sign On for services
• Web and non-web sign on
• Authentication
• Authorization
• Attribute release
• Across different security domains
• 24 Service Providers – 160% increase in 1yr
• 21 Identity Providers
[Chart: Total CAF enabled users – SAML & eduroam; data labels 1,011,793; 1,020,387; 986,765; 937,000]
Interfederation
• eduGAIN as primary, exploring other direct relationships
• Bridge to international community
• Enables CAF participants to:
  • Accept identities inbound from outside Canada to Canadian services
  • Use Canadian identities in services outside Canada
• Int'l NREN CEO Forum placed eduGAIN as a key effort
• CAF was early adopter - joined last year when there were 8, and eduGAIN now has 20 countries
9. A Glimpse at eduroam traffic
[Chart: eduroam Successful Logins - up to Oct 30, 2013; series Successful Logins (International, Canada) and % No Reply from Server]
10. Closing the gap
• eduroam evidence of success -> why not the same for FSSO?
• Talked to new & old participants, other federations
• Analyzed over a year's worth of data
Image: asparagus hunter - Flickr, http://www.flickr.com/photos/asparagus_hunter/483841638/
11. Regular Approach vs Identity Appliance
Regular Approach (eduroam): Choose RADIUS server -> Install & Configure -> Test & Connect
Identity Appliance (eduroam): Supported server installed -> Pre-configured -> Tested & Connected
Regular Approach (FedSSO): Choose platform -> Install & Configure -> Test & Connect
Identity Appliance (FedSSO): Supported platform installed -> Pre-configured -> Tested & Connected
Why?
• Evolved approach to better match campus IT reality
• Reduced cost/effort to be a CAF participant
• Simplifies CAF installation experience
• Easier day to day operations
Image: Madison Guy - Flickr, http://www.flickr.com/photos/madison_guy/3386919046/sizes/o/in/photostream/
12. Regular Approach vs Identity Appliance: A Bit Deeper
• Reviewed many styles, but no one really doing both eduroam AND Federated SSO w/SAML
• Inspired by many DevOps style approaches, adopted installer based model (SWAMID approach, others influential too)
• eduroam in alpha now, FedSSO going through test cycles
• Sites will be connected to both eduroam & eduGAIN
13. Inter-federation
• In use and business as usual
• eduroam Configuration Assistant Tool (CAT) driving current IdPs
• Appliance approach will see sites joining eduGAIN when they join CAF.
14. eduroam CAT service (accessed via eduGAIN)
• Builds & hosts profile installers for all platforms and devices (MSFT, Apple, Linux)
• Profile = specific configuration on your device to connect to the network
15. Signing on to Manage Your eduroam Site
• Access is only for site admins
• Requires Federated Single Sign On + a one-time invitation link
• Can create multiple admins
• Can create multiple 'profiles' for testing prior to release.
• Production profiles can be downloaded via CAT
16. Once Signed in
Snapshot of eduroam CAT
• # of federations with at least 1 production IdP: 30
• Total IdPs registered: 391
• IdPs which enabled public download interface: 264
• End user downloads of installers so far: 162,289
17. Sub-national Topic
• Different groups across Canada expressed interest in 'CAF+ . . .'
• Needs were diverse yet common: additional schema, workflow for special sets of entities only, allow entities to be members of multiple sets, notify about joining set.
• View is that it can be done centrally through CAF, but tools & processes need improvements
18. Unified Collaboration & Interconnection
[Diagram: CAF at the centre connecting SPs and IdPs; Special Interest Trust Groups (Higher Assurance) with their own SPs and IdPs; two Local Feds, each with IdPs and SPs]
• Efficient, least effort for SP/IdP
• Local fed incubates federation aware apps
• SITG can leverage common infrastructure, and overlay special attribute sets & specific policies
19. Improving Tools
• Federation Operations needed to rise to the challenge
• Federation Registry tools space has very rich offerings (AAF: Fed'n Mgr, HEANET: Resource Registry, REEP to name a few)
• Tough to choose because of the great work out there
• Gravitated to HEANET RR
Image: http://www.flickr.com/photos/chazferret/2075442918/
20. Skating to where the puck will be
• Our usual 'customers' are changing; we need to as well.
• Centralized services with delegation functionality avoid duplication of effort in the community and save time and effort for sites
Image: mag3737 - Flickr, http://www.flickr.com/photos/mag3737/1997114236/
21. Seed Topics for the ACAMP
• Effective attribute release from IdPs
• Centralized authorization and user preferences being sought – should we run an instance of Grouper or COmanage?
• Non-web SAML for RESTful web services, looking for some interesting approaches
• Interested in any mobile plays for Fed. SSO on smartphones.
Image: http://www.flickr.com/photos/the_yes_man/4648999621/sizes/l/in/photostream/
24. Digital Accelerator for Innovation and Research (DAIR)
An on-demand, advanced R&D environment that supports Canada's tech innovators and entrepreneurs in designing, prototyping, validating and demonstrating their new technology apps, products and services.
www.canarie.ca/en/dair
[Diagram: Internet + Cloud Computing and Storage + Optical Regional Advanced Networks (ORANs); labels given in English and French]