
EduCloud Auth (SSO) status

Henri Mikkonen (CSC)

EduCloud Alliance

March 03, 2015

Transcript

  1. EduCloud Auth – Status 3.3.2015


  2. Contents
    Architecture (recap from Tallinn)
    Proxy IdP
    Authentication Selector Service

  3. (image-only slide; no text in the transcript)

  4. (image-only slide; no text in the transcript)

  5. Proxy IdP
    Initially a new authentication provider for the existing
    EduCloud SSO pilot instance; later it will replace that instance
    – Up to the production operator to decide between one “big” proxy or a
    set of proxies (e.g. social proxy, strong authn proxy, etc)
    Developed by CSC, running in Pouta cloud
    Based on Shibboleth open source software
    – Co-operation with the Finnish Population Register Centre’s national
    proxy implementation project

  6. (architecture diagram; only its labels survive in the transcript)
    Boxes: Authentication Providers, Proxy IdP, Service Providers, Opintopolku.
    Proxy IdP steps: 1. Authn ID calculation, 2. Oppija ID resolution.
    Opintopolku: stores links between Authn ID and Oppija ID.
    Arrow labels: "SAML: Static User ID" (authentication provider to Proxy IdP),
    "REST: Resolve Oppija ID for Authn ID" (Proxy IdP to Opintopolku),
    "SAML: Oppija ID" (Proxy IdP to service provider).

  7. Proxy IdP – Action points
    Authentication ID calculation algorithm
    – Input: static user ID from the authentication provider
    – Output: privacy-preserving authentication ID (will be stored in the
    Opintopolku system)
    SAML profile definition
    – “global” role attributes, IdP and SP connections, authentication levels
    Opintopolku connection
    Back-channel API
    – SAML AttributeQuery (SOAP) vs. new REST API
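The two Proxy IdP steps sketched on slides 6 and 7 (derive a privacy-preserving Authentication ID from the provider's static user ID, then resolve the linked Oppija ID) can be illustrated with the following added example. It is not code from the EduCloud project, whose calculation algorithm the slide lists as an open action point; the derivation used here (HMAC-SHA256 keyed with a proxy-held secret over the provider entityID and the static user ID) and the in-memory `LinkStore` standing in for Opintopolku's REST lookup are this example's own assumptions.

```python
"""Added example: pseudonymous Authentication ID derivation and Oppija ID
resolution in a proxy IdP. Not EduCloud project code; the HMAC construction
and the in-memory link store are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
from typing import Optional

# Per-deployment secret known only to the proxy IdP (constructed placeholder;
# a real deployment would load a random key from a secret store).
PROXY_SECRET = b"placeholder-proxy-secret-replace-with-random-32-bytes"


def authn_id(provider_entity_id: str, static_user_id: str,
             secret: bytes = PROXY_SECRET) -> str:
    """Derive a stable, opaque Authentication ID from a static user ID.

    Why an HMAC rather than a plain hash: static user IDs are often low-entropy
    (student numbers, usernames), so anyone holding a plain hash could recover
    them by guessing. With a keyed MAC only the proxy can reproduce the mapping.
    The provider entityID is mixed in so the same user ID string at two
    different providers yields two unlinkable Authn IDs; the NUL separator
    keeps "ab"+"c" and "a"+"bc" from producing the same message.
    """
    msg = (provider_entity_id.encode("utf-8") + b"\x00"
           + static_user_id.encode("utf-8"))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # URL-safe base64 without padding: safe to carry in SAML attributes and URLs.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class LinkStore:
    """Stand-in for the Opintopolku table linking Authn ID -> Oppija ID.

    Only the opaque Authn ID is stored, never the provider's static user ID,
    which is the privacy property slide 7 asks for.
    """

    def __init__(self) -> None:
        self._links: dict[str, str] = {}

    def link(self, authn: str, oppija_id: str) -> None:
        """Record a link, as the Authentication Selector Service would."""
        self._links[authn] = oppija_id

    def resolve(self, authn: str) -> Optional[str]:
        """REST 'Resolve Oppija ID for Authn ID'; None when no link exists."""
        return self._links.get(authn)


def proxy_login(store: LinkStore, provider_entity_id: str,
                static_user_id: str) -> Optional[str]:
    """Steps 1 and 2 from slide 6: calculate the Authn ID, then resolve it.

    Returns None when the user has not yet linked this authentication method,
    so the SP must not receive an Oppija ID until the selector flow has run.
    """
    aid = authn_id(provider_entity_id, static_user_id)
    return store.resolve(aid)


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    store = LinkStore()
    aid = authn_id("https://social-idp.example.org", "student42")
    store.link(aid, "oppija-0001")
    print("linked  :", proxy_login(store, "https://social-idp.example.org", "student42"))
    print("unlinked:", proxy_login(store, "https://bank-idp.example.org", "student42"))
```

Running the block links one constructed identity and shows that the same user ID string asserted by a second provider resolves to nothing, because its Authn ID differs and no link exists for it.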


  8. Authentication Selector Service
    Needed for linking the existing student ID (oppija ID) to
    a user-selected authentication method
    – Invitator: e.g. teacher, secretary
    – Invitee: student, who can select their preferred authentication method
    The specification for the first version has been completed
    – Web UI, supporting invitation via email or “live”
    Back-channel API will be developed later, if needed
    – Invitator & invitee authentication via IdP proxy (SAML)
    – https://github.com/educloudalliance/educloud-sso/wiki/Authn-Selector-Service


  9. (image-only slide; no text in the transcript)