
EduCloud Auth (SSO) status


Henri Mikkonen (CSC)


EduCloud Alliance

March 03, 2015


Transcript


  3. Proxy IdP

     Initially a new authentication provider for the existing EduCloud SSO pilot-instance, later will replace it
       – Up to the production operator to decide between one “big” proxy or a set of proxies (e.g. social proxy, strong authn proxy, etc.)
     Developed by CSC, running in Pouta cloud
     Based on Shibboleth open source software
       – Co-operation with the Finnish Population Register Centre’s national proxy implementation project
  4. (Diagram) Authentication Providers, Proxy IdP, Service Providers, Opintopolku

     Proxy IdP: 1. Authn ID calculation, 2. Oppija ID resolution
     Opintopolku: Stores links between Authn ID and Oppija ID
     Connection labels: SAML: Static User ID; SAML: Oppija ID; REST: Resolve Oppija ID for Authn ID
  5. Proxy IdP – Action points

     Authentication ID calculation algorithm
       – Input: static user ID from the authentication provider
       – Output: privacy-preserving authentication ID (will be stored to the Opintopolku system)
     SAML profile definition
       – “global” role attributes, IdP and SP connections, authentication levels
     Opintopolku connection Back-channel API
       – SAML AttributeQuery (SOAP) vs. new REST API
  6. Authentication Selector Service

     Needed for linking the existing student ID (oppija ID) to a user-selected authentication method
       – Invitator: e.g. teacher, secretary
       – Invitee: student, who can select his preferred authentication method
     Specification for the first version has been done
       – Web UI, supporting invitation via email or “live”
     Back-channel API will be developed later, if needed
       – Invitator & invitee authentication via IdP proxy (SAML)
       – https://github.com/educloudalliance/educloud-sso/wiki/Authn-Selector-Service
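The action points give only the input and output of the authentication ID calculation and leave the algorithm open. The sketch below is an added example, not the project's algorithm or code: it assumes a keyed HMAC-SHA-256 over the provider identifier and the static user ID, with a secret held only by the proxy, and an in-memory stand-in for the Authn ID to Oppija ID links kept in Opintopolku. The names `authn_id`, `LinkStore`, the `authn-id-v1` label and all sample values are hypothetical.

```python
import hashlib
import hmac

def _encode(*fields):
    # Length-prefix every field so ("ab", "c") and ("a", "bc") encode differently.
    return b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)

def authn_id(proxy_key, provider_id, static_user_id):
    """Derive the authentication ID (assumed scheme: HMAC-SHA-256, hex output)."""
    if len(proxy_key) < 32:
        raise ValueError("proxy key must be at least 32 bytes")
    if not provider_id or not static_user_id:
        raise ValueError("provider ID and static user ID are both required")
    # A keyed MAC, not a bare hash: without the key, nobody holding a static
    # user ID can recompute the stored value. The provider ID is mixed in so
    # equal user IDs at two providers map to different authentication IDs.
    msg = _encode("authn-id-v1", provider_id, static_user_id)
    return hmac.new(proxy_key, msg, hashlib.sha256).hexdigest()

class LinkStore:
    """In-memory stand-in for the Authn ID -> Oppija ID links kept in Opintopolku."""
    def __init__(self):
        self._links = {}

    def link(self, aid, oppija_id):
        # Refuse to silently re-point an existing link at a different student.
        if self._links.setdefault(aid, oppija_id) != oppija_id:
            raise ValueError("authn ID is already linked to another oppija ID")

    def resolve(self, aid):
        return self._links.get(aid)  # None when no link exists

def demo():
    key = bytes(range(32))  # constructed demo key, never a real secret
    store = LinkStore()
    aid = authn_id(key, "https://idp.example.org", "user-1234")  # constructed values
    store.link(aid, "OPPIJA-0001")  # constructed placeholder, not a real oppija ID
    return {
        "resolved": store.resolve(aid),
        "unknown": store.resolve(authn_id(key, "https://idp.example.org", "user-9999")),
        "provider_separated": aid != authn_id(key, "https://other.example.org", "user-1234"),
        "key_separated": aid != authn_id(bytes(32), "https://idp.example.org", "user-1234"),
    }

if __name__ == "__main__":
    print(demo())
```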