Upgrade to Pro — share decks privately, control downloads, hide ads and more …

EduCloud Auth (SSO) status

EduCloud Auth (SSO) status

Henri Mikkonen (CSC)

EduCloud Alliance

March 03, 2015

More Decks by EduCloud Alliance

Other Decks in Technology


  1. 3

  2. 4

  3. Proxy IdP Initially a new authentication provider for the existing

    EduCloud SSO pilot-instance, later will replace it – Up to the production operator to decide between one “big” proxy or a set of proxies (e.g. social proxy, strong authn proxy, etc) Developed by CSC, running in Pouta cloud Based on Shibboleth open source software – Co-operation with the Finnish Population Register Centre’s national proxy implementation project 5
  4. 6 Authentication Providers Service Providers Proxy IdP 1. Authn ID

    calculation 2. Oppija ID resolution Opintopolku Stores links between Authn ID and Oppija ID SAML: Static User ID SAML: Oppija ID REST: Resolve Oppija ID for Authn ID
  5. Proxy IdP – Action points Authentication ID –calculation algorithm –

    Input: static user ID from the authentication provider – Output: privacy-preserving authentication ID (will be stored to the Opintopolku system) SAML profile definition – “global” role attributes, IdP and SP connections, authentication levels Opintopolku connection Back-channel API – SAML AttributeQuery (SOAP) vs. new REST API 7
  6. Authentication Selector Service Needed for linking the existing student ID

    (oppija ID) to a user-selected authentication method – Invitator: e.g. teacher, secretary – Invitee: student, who can select his preferred authentication method Specification for the first version has been done – Web UI, supporting invitation via email or “live” Back-channel API will be developed later, if needed – Invitator & invitee authentication via IdP proxy (SAML) – https://github.com/educloudalliance/educloud-sso/wiki/Authn-Selector-Service 8
  7. 9