EduCloud Auth (SSO) status

Henri Mikkonen (CSC)

EduCloud Alliance

March 03, 2015


  1. EduCloud Auth – Status 3.3.2015

  2. Contents
    Architecture (recap from Tallinn)
    Proxy IdP
    Authentication Selector Service

  3. Proxy IdP
    Initially a new authentication provider for the existing
    EduCloud SSO pilot instance; later it will replace that instance
    – Up to the production operator to decide between one “big” proxy or a
    set of proxies (e.g. social proxy, strong authn proxy)
    Developed by CSC, running in the Pouta cloud
    Based on Shibboleth open source software
    – Co-operation with the Finnish Population Register Centre’s national
    proxy implementation project

  4. Proxy IdP (architecture diagram)
    [Diagram: the Proxy IdP performs 1. Authn ID calculation and 2. Oppija ID resolution, and stores links between Authn ID and Oppija ID. Labelled flows: “SAML: Static User ID” (from the authentication provider), “SAML: Oppija ID”, and “REST: Resolve Oppija ID for Authn ID” (back-channel).]

  5. Proxy IdP – Action points
    Authentication ID calculation algorithm
    – Input: static user ID from the authentication provider
    – Output: privacy-preserving authentication ID (will be stored in the
    Opintopolku system)
    SAML profile definition
    – “global” role attributes, IdP and SP connections, authentication levels
    Opintopolku connection
    Back-channel API
    – SAML AttributeQuery (SOAP) vs. new REST API
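
    An added illustration of the two Proxy IdP steps from slides 4 and 5 (Authn ID calculation from a static user ID, then Oppija ID resolution from the stored links). This is not code from the EduCloud SSO project; the deck leaves the algorithm as an action point, so the keyed-HMAC derivation, the per-provider keys and every ID below are assumptions.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Assumed design: one secret key per authentication provider, held by the
# proxy (in production: a key store or HSM, never next to the stored IDs).
# Constructed sample keys for the example only.
PROVIDER_KEYS: Dict[str, bytes] = {
    "social-proxy": b"constructed-key-social-proxy",
    "strong-authn-proxy": b"constructed-key-strong-authn",
}


def authn_id(provider: str, static_user_id: str) -> str:
    """Step 1: derive a privacy-preserving Authn ID from a static user ID.

    HMAC-SHA256 keyed with the provider's secret: the same user at the same
    provider always yields the same Authn ID (so links stay stable), the
    stored value cannot be reversed to the static user ID without the key,
    and the same person at two providers gets two unlinkable IDs.
    """
    key = PROVIDER_KEYS[provider]
    # Provider name is bound into the message so IDs never collide across
    # providers even if two of them hand out the same static user ID.
    msg = f"{provider}\x00{static_user_id}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class LinkStore:
    """Stores links between Authn ID and Oppija ID (slide 4)."""

    def __init__(self) -> None:
        self._links: Dict[str, str] = {}

    def link(self, authn: str, oppija: str) -> None:
        """Record a link (what the Authentication Selector flow would do)."""
        if authn in self._links and self._links[authn] != oppija:
            raise ValueError("Authn ID already linked to another Oppija ID")
        self._links[authn] = oppija

    def resolve(self, authn: str) -> Optional[str]:
        """Step 2 / back-channel 'Resolve Oppija ID for Authn ID'.

        None means the user has authenticated but is not yet linked, i.e.
        the proxy cannot assert an Oppija ID for this session.
        """
        return self._links.get(authn)
```

Note that the proxy never stores the static user ID itself: only the derived Authn ID and the Oppija ID it is linked to.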

  6. Authentication Selector Service
    Needed for linking the existing student ID (oppija ID) to
    a user-selected authentication method
    – Invitator: e.g. teacher, secretary
    – Invitee: student, who can select their preferred authentication method
    Specification for the first version has been completed
    – Web UI, supporting invitation via email or “live”
    Back-channel API will be developed later, if needed
    – Invitator & invitee authentication via the IdP proxy (SAML)
    – https://github.com/educloudalliance/educloud-sso/wiki/Authn-Selector-Service