Connect. Communicate. Collaborate
The AAI initiative in GN2
First steps towards an
integrated infrastructure
Diego R. Lopez, Jürgen Rauschenbach, Klaas Wierenga
TNC2005, Poznan, June 2005
The GÉANT2 AAI
A result of GN2-JRA5
• Intends to be one of the basic services of the pan-European academic network
• Common to all services provided by the network
– Network access
– Premium IP
– Bandwidth on Demand
– ...
• And to all services based on the network
– Applications (essentially, Web-based)
– Grids
– ...
Requirements
Security
• Reasonable security
– Balancing the need to ensure secure access against practical requirements of usability and performance
• Compliance with privacy regulations
– Avoid data leakage when performing AA interactions
– Provide users with ultimate control over what information about them is exchanged, and for what purposes
• Accountability
– Provide the means to produce appropriate evidence about a given interaction on request
Requirements
Standard compliance, integration
• Openness and neutrality
– Do not mandate specific technologies at its edges
– Open standards to interconnect elements, whether internal or external
• Integration
– Not a substitute for existing infrastructures
• Nation- or community-based
– A superstructure connecting them
– But able to build new federations where they do not exist
– And directly providing access to AA services through specific interfaces
Requirements
Operational
• Scalability
– Able to grow in any dimension: geographically, functionally, and structurally
• Ease of use
– Minimal burden on end users and on administrators
• Robustness
– Support high traffic load and relatively non-critical network disruptions without catastrophic results
• Flexibility
– Apply the basic principles of federated administration
Architecture
Internal components
• A local AAI Instance at each federation/domain/realm
– Providing the interfaces to the federation or to services within the domain/realm
• Common Services
– One defined: Home Location Service
– Others possible
• Certificate verification
• Common diagnostics
– Only available to the local AAI-I
Internal components
Architecture
Connectors
• Centralized for a federation
– The Local Federation Connector
• Local Connectors for those resources inside a federation that are allowed to interact directly
– Trust links created by the common elements and the LFC
• Service Access Points
– In charge of adapting AAI interfaces to the (isolated) services' AA queries/responses
Local Federation Connector
Local Connectors
Service Access Points
Architecture
Interfaces and operations
• Web Services and SAML based
• As Shibboleth-compatible as possible
• Four (plus one) pairs of basic interactions
– ( AccessReq / AccessResp )
– AuthNDataReq / AuthNDataResp
– HomeLocationReq / HomeLocationResp
– AttrReq / AttrResp
– AuthZReq / AuthZResp
• Defining parameters, protocols and profiles
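The four (plus one) request/response pairs above, modelled as an added Python example (constructed here for illustration, not GN2 or JRA5 code): a Service Access Point's AccessReq drives HomeLocation, AuthNData, Attr and AuthZ exchanges against a constructed home federation, with the user's release policy limiting which attributes leave the home domain (the privacy requirement) and every pair logged for accountability. The message fields, the data tables and the sample users are assumptions, not the GN2 protocol definition.

```python
# Constructed sample data for the model (not from the GN2 project): the Home
# Location Service maps a user's realm to the federation holding the home AAI-I.
HOME_LOCATIONS = {"example.edu": "fed-A"}
# Constructed: the home federation's credential store, attribute authority,
# user-controlled release policy (privacy requirement) and authorization policy.
CREDENTIALS = {"fed-A": {"alice@example.edu": "s3cret"}}
ATTRIBUTES = {"fed-A": {"alice@example.edu": {
    "eduPersonAffiliation": "member", "mail": "alice@example.edu"}}}
RELEASE_POLICY = {"alice@example.edu": {"bod": {"eduPersonAffiliation"}}}
AUTHZ_POLICY = {"bod": {"eduPersonAffiliation": "member"},
                "premium-ip": {"eduPersonAffiliation": "staff"}}

def home_location(req, log):
    """HomeLocationReq/Resp: which federation is the user's home?"""
    resp = {"federation": HOME_LOCATIONS.get(req["user"].split("@")[-1])}
    log.append(("HomeLocation", req, resp))  # accountability: evidence trail
    return resp

def authn_data(req, log):
    """AuthNDataReq/Resp: the home federation checks the credential."""
    ok = CREDENTIALS.get(req["federation"], {}).get(req["user"]) == req["secret"]
    resp = {"authenticated": ok}
    log.append(("AuthNData", req, resp))
    return resp

def attr(req, log):
    """AttrReq/Resp: only attributes the user released for this service leave home."""
    allowed = RELEASE_POLICY.get(req["user"], {}).get(req["service"], set())
    full = ATTRIBUTES.get(req["federation"], {}).get(req["user"], {})
    resp = {k: v for k, v in full.items() if k in allowed}
    log.append(("Attr", req, resp))
    return resp

def authz(req, log):
    """AuthZReq/Resp: decide on the released attributes alone; unknown service denies."""
    required = AUTHZ_POLICY.get(req["service"])
    ok = required is not None and all(req["attrs"].get(k) == v for k, v in required.items())
    resp = {"granted": ok}
    log.append(("AuthZ", req, resp))
    return resp

def access_req(user, secret, service):
    """The outer AccessReq/AccessResp pair, driven by the Service Access Point."""
    log = []
    fed = home_location({"user": user}, log)["federation"]
    if fed is None:
        return {"granted": False, "reason": "unknown home location", "log": log}
    if not authn_data({"federation": fed, "user": user, "secret": secret}, log)["authenticated"]:
        return {"granted": False, "reason": "authentication failed", "log": log}
    attrs = attr({"federation": fed, "user": user, "service": service}, log)
    granted = authz({"service": service, "attrs": attrs}, log)["granted"]
    return {"granted": granted, "released": attrs, "log": log}
```

Note that the same user is denied Premium IP not because of a wrong credential but because nothing is released for that service, so the authorization decision is made on the released attributes only.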
Architecture diagram
Federation connectors
Timeflow diagram
Federation connectors
Architecture diagram
Federation and SAP connectors
Timeflow diagram
Federation and SAP connectors
Coming soon
to a network connection near you
• Full architectural definition
– Including protocol and profiles
• A first interface implementation for SAPs
– To be used in some GN2 areas
• Implementation of connectors
– Based on AA-RR
• A demo of the GÉANT2 AAI
– At the next TNC
(with the permission of the Programme Committee)