
This being the REFEDS blog, you would expect to read only about REFEDS-related topics. However, I think it is worth sharing the work done by the Identity & Trust Technologies Research Activity (Id&Trust RA) [1], for at least two reasons: (i) it is relevant for those involved in identity and (ii) it is good to share what happens in the GN3plus project.

We had our last meeting in Rome at the end of November; I was really pleased with the progress made by the team. There are in particular three areas of work that could be of interest to the REFEDS crowd.


1. Federated Authorisation

This work has been mostly done by Andrea Biancini (GARR).

The goal of this research work is to manage authorisation using attribute authorities. Grouper is the tool chosen to manage heterogeneous groups of users, effectively using it as an Attribute Authority (AA) operated at federation level. VOOT [2] and SAML are used to query Grouper and to retrieve groups and attributes from it. SAML is used in the standard way, at login time, to obtain group information from Grouper as attributes; VOOT is used to query Grouper for group information when the user is not logged in, for example in a scheduled off-line synchronisation.

The communication between the application and Grouper happens via the VOOT REST API and is not mediated by any federation component. An extension to Grouper was developed by GARR so that Grouper can be queried through the VOOT API.

GARR tested the approach with three different applications: MediaWiki, Moodle and GARRBox (a sort of Dropbox for GARR users). Moodle is, in my opinion, the most interesting proof of concept: group information is retrieved at login time as well as off-line, to obtain the list of courses and the teachers and students of each course.

GARR also developed a new enrolment plugin for Moodle that obtains group information using VOOT. The code has been submitted to Moodle. Community feedback on this work is welcome; if interested, please have a look at:
https://tracker.moodle.org/browse/CONTRIB-5413
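To make the off-line path concrete, here is an added example (written for this post, not GARR's enrolment plugin) of how an application could turn VOOT-style group data into course enrolments in a scheduled sync. Everything about the data is an assumption for illustration: the group objects are assumed to carry an "id" and "displayName", the member objects an "id", the group ids are assumed to follow a "course:<course>:<role>" naming convention, and the two JSON samples are constructed, not captured from a real Grouper. The role names are Moodle's standard "editingteacher" and "student" shortnames.

```python
"""Off-line group sync from a VOOT-style attribute authority into course enrolments.

Added example, not GARR's Moodle plugin. The VOOT response shape (group objects
with "id"/"displayName", member objects with "id") and the group naming
convention "course:<course>:<role>" are ASSUMPTIONS made for illustration.
"""
import json
import re

# Constructed sample of what a VOOT-style "list groups" call could return.
GROUPS_JSON = """[
  {"id": "course:math101:teachers", "displayName": "MATH101 teachers"},
  {"id": "course:math101:students", "displayName": "MATH101 students"},
  {"id": "course:phys201:students", "displayName": "PHYS201 students"},
  {"id": "staff:library", "displayName": "Library staff"},
  {"id": "course:bad", "displayName": "Malformed group id"}
]"""

# Constructed sample of "list members of group" responses, keyed by group id.
MEMBERS_JSON = {
    "course:math101:teachers": '[{"id": "alice@example.edu"}]',
    "course:math101:students": '[{"id": "bob@example.edu"}, {"id": "carol@example.edu"}]',
    "course:phys201:students": '[{"id": "bob@example.edu"}]',
    "staff:library": '[{"id": "dave@example.edu"}]',
    "course:bad": '[{"id": "eve@example.edu"}]',
}

# Assumed naming convention for course groups; anything else is not a course group.
GROUP_ID_RE = re.compile(r"^course:(?P<course>[A-Za-z0-9_-]+):(?P<role>teachers|students)$")
ROLE_MAP = {"teachers": "editingteacher", "students": "student"}  # Moodle role shortnames


def parse_course_group(group_id):
    """Return (course, moodle_role) for a course group id, or None if it is not one."""
    m = GROUP_ID_RE.match(group_id)
    if not m:
        return None
    return m.group("course"), ROLE_MAP[m.group("role")]


def build_enrolments(groups_json, members_by_group):
    """Build {course: {role: set(user ids)}} from VOOT-style group and member lists.

    Groups that do not follow the course naming convention are ignored rather
    than guessed at, so a stray or malformed group never grants a role.
    """
    enrolments = {}
    for group in json.loads(groups_json):
        parsed = parse_course_group(group.get("id", ""))
        if parsed is None:
            continue
        course, role = parsed
        members = json.loads(members_by_group.get(group["id"], "[]"))
        users = {m["id"] for m in members if isinstance(m.get("id"), str)}
        enrolments.setdefault(course, {}).setdefault(role, set()).update(users)
    return enrolments


def diff_enrolments(current, desired):
    """Compute (to_add, to_remove) as sorted lists of (course, role, user) for a sync run.

    Removing stale enrolments matters: an authorisation source that only ever
    adds rights leaks access when someone leaves a group.
    """
    def flatten(enr):
        return {(c, r, u) for c, roles in enr.items() for r, users in roles.items() for u in users}
    cur, des = flatten(current), flatten(desired)
    return sorted(des - cur), sorted(cur - des)


if __name__ == "__main__":
    desired = build_enrolments(GROUPS_JSON, MEMBERS_JSON)
    # Constructed "current state" of the application: one stale student enrolment.
    current = {"math101": {"student": {"bob@example.edu", "zed@example.edu"}}}
    add, remove = diff_enrolments(current, desired)
    print("add:", add)
    print("remove:", remove)
```

The two points worth keeping from this sketch are that the sync is driven entirely by what the attribute authority says (the application holds no group logic of its own beyond the naming convention) and that it is a reconciliation, not an append: the off-line run must also revoke enrolments for people who are no longer in the group.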

More information on this work can be found on the public Id&Trust RA wiki.

See also the talk at the last I2 Technology Exchange.

2. Monitoring Tools for federations

The updates in this area were presented by Roland Hedberg (SUNET) during the REFEDS meeting held at the I2 Technology Exchange.

I think Roland Hedberg has done a very good job in upgrading the initial Fedlab suite of testing tools for federation operators (initially developed by Andreas Solberg, UNINETT). There are now a number of tools that we should encourage federations, IdPs and SPs to use, namely:

  • SAML2test – to verify that an implementation conforms to the SAML standard and the relevant profile.
  • Metadata Analysis – to verify the correctness of metadata. It could also be used to check whether the attributes an IdP releases comply with the EU Data Protection Directive.
  • Verify_entcat – to verify that an IdP behaves according to an entity category, i.e. releases the attributes the category calls for to SPs tagged with it.
  • IdP monitor – to verify that the whole authentication process works for a user.
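The kind of check Verify_entcat performs can be illustrated in a few lines. The following is an added example written for this post (it is not the Fedlab tool's code) that reads an SP's entity categories from its SAML metadata and compares the attributes an IdP released against the REFEDS Research & Scholarship bundle. Assumptions: the bundle is taken as eduPersonPrincipalName, mail and displayName (or givenName plus sn), with eduPersonScopedAffiliation recommended but not required; the metadata fragments and attribute statements are constructed samples.

```python
"""Check an IdP's attribute release against the REFEDS Research & Scholarship bundle.

Added example in the spirit of the Verify_entcat tool; not that tool's code.
The metadata fragments and attribute statements below are constructed samples.
ASSUMPTION: R&S bundle = eduPersonPrincipalName, mail, displayName (or givenName+sn);
eduPersonScopedAffiliation is treated as recommended, not required.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"

# urn:oid attribute names, which is what most SAML2 IdPs release.
OID = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "givenName": "urn:oid:2.5.4.42",
    "sn": "urn:oid:2.5.4.4",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
}

# Constructed SP metadata: tagged R&S via an mdattr:EntityAttributes extension.
SP_METADATA_RS = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""

# Constructed SP metadata with no entity category at all.
SP_METADATA_PLAIN = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://plain.example.org/shibboleth"/>"""

# Constructed attribute statements as an IdP might release them.
RELEASE_FULL = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>jdoe@idp.example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

RELEASE_NO_MAIL = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>jdoe@idp.example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def entity_categories(sp_metadata_xml):
    """Set of entity-category URIs declared in the SP's metadata."""
    root = ET.fromstring(sp_metadata_xml)
    cats = set()
    for attr in root.findall(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY_ATTR:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def released_attributes(attribute_statement_xml):
    """Map of attribute Name -> list of non-empty values in an AttributeStatement."""
    root = ET.fromstring(attribute_statement_xml)
    out = {}
    for attr in root.findall("saml:Attribute", NS):
        vals = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text and v.text.strip()]
        if vals:
            out[attr.get("Name")] = vals
    return out


def check_rs_release(sp_metadata_xml, attribute_statement_xml):
    """Return (status, details): "not-applicable" if the SP is not R&S-tagged,
    "pass" if every required attribute was released, "fail" otherwise.
    A missing eduPersonScopedAffiliation is reported as a warning only."""
    if RS_CATEGORY not in entity_categories(sp_metadata_xml):
        return "not-applicable", []
    released = released_attributes(attribute_statement_xml)
    missing = [name for name in ("eduPersonPrincipalName", "mail") if OID[name] not in released]
    has_name = OID["displayName"] in released or (OID["givenName"] in released and OID["sn"] in released)
    if not has_name:
        missing.append("displayName or givenName+sn")
    details = ["missing: " + m for m in missing]
    if OID["eduPersonScopedAffiliation"] not in released:
        details.append("warning: eduPersonScopedAffiliation not released")
    return ("fail" if missing else "pass"), details


if __name__ == "__main__":
    print(check_rs_release(SP_METADATA_RS, RELEASE_FULL))
    print(check_rs_release(SP_METADATA_RS, RELEASE_NO_MAIL))
    print(check_rs_release(SP_METADATA_PLAIN, RELEASE_NO_MAIL))
```

Note that the check is two-sided: an attribute release that is fine for a plain SP is not necessarily fine for an R&S-tagged one, and conversely an IdP releasing the bundle to an untagged SP is a data-protection question rather than an entity-category one, which is why the example reports "not-applicable" instead of silently passing.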

REFEDS plans to run some of these tools as pilots for the REFEDS community in 2015 (hopefully REFEDS will have enough budget for this). The aim is to get feedback on them; based on the feedback, further work may be carried out in the GEANT project.

3. Certificate transparency

The last topic I want to briefly touch upon is Certificate Transparency (CT). Certificate Transparency is an open framework promoted by Google “to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority”. The goal is to identify certificates that have been either mistakenly issued or issued by a compromised CA, by recording certificates in public, append-only logs that anyone can monitor and audit. With CT, issued TLS/SSL certificates are submitted to such logs and become publicly visible in near real time, so that domain owners and others can watch for certificates they did not expect.
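What makes a CT log auditable rather than merely public is its Merkle tree: the log publishes a tree head, and anyone can check that a given certificate is in the tree from a short proof. The following is an added example, written for this post and not taken from Catlfish or Google's implementation, of the RFC 6962 hashing and inclusion-proof rules. The "certificates" are constructed placeholder byte strings; a real log hashes the encoded MerkleTreeLeaf structure, which is omitted here.

```python
"""RFC 6962 Merkle tree: root hash, inclusion (audit) proof and its verification.

Added example, not part of the original post and not Catlfish or Google's code.
The entries are constructed placeholder byte strings standing in for log entries;
a real log hashes the encoded MerkleTreeLeaf structure, which this omits.
"""
import hashlib


def _hash_leaf(data):
    # RFC 6962 section 2.1: leaf hash is SHA-256 over a 0x00 prefix and the entry.
    return hashlib.sha256(b"\x00" + data).digest()


def _hash_node(left, right):
    # Interior nodes are SHA-256 over 0x01 || left || right; the prefixes stop
    # a leaf from being confused with a node (second-preimage style attacks).
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n):
    # Largest power of two strictly less than n (the k of RFC 6962 section 2.1).
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(entries):
    """Merkle Tree Hash of the entries; the empty tree hashes to SHA-256 of nothing."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return _hash_leaf(entries[0])
    k = _split_point(len(entries))
    return _hash_node(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_proof(entries, index):
    """Audit path for entries[index]: sibling hashes ordered leaf to root (RFC 6962 section 2.1.1)."""
    if not 0 <= index < len(entries):
        raise IndexError("index out of range")
    if len(entries) == 1:
        return []
    k = _split_point(len(entries))
    if index < k:
        return inclusion_proof(entries[:k], index) + [merkle_root(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [merkle_root(entries[:k])]


def verify_inclusion(leaf_data, index, tree_size, proof, expected_root):
    """Recompute the root from a leaf and its audit path; True iff it equals expected_root.

    Walks the path bottom-up; the leaf index and tree size decide on which side
    each sibling sits. This is the verification algorithm of RFC 9162 section 2.1.3.2,
    which formalises the RFC 6962 path definition used by inclusion_proof above.
    """
    if tree_size <= 0 or not 0 <= index < tree_size:
        return False
    node = _hash_leaf(leaf_data)
    fn, sn = index, tree_size - 1
    for sibling in proof:
        if sn == 0:
            return False  # proof is longer than the tree allows
        if fn & 1 or fn == sn:
            node = _hash_node(sibling, node)
            if not fn & 1:
                # Skip levels where our subtree is the rightmost, unpaired one.
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            node = _hash_node(node, sibling)
        fn >>= 1
        sn >>= 1
    return sn == 0 and node == expected_root


if __name__ == "__main__":
    # Constructed sample entries; five of them so the tree is not a perfect power of two.
    log = [b"cert-%d" % i for i in range(5)]
    root = merkle_root(log)
    proof = inclusion_proof(log, 2)
    print("root:", root.hex())
    print("proof length for entry 2:", len(proof))
    print("entry 2 included:", verify_inclusion(log[2], 2, len(log), proof, root))
    print("forged entry included:", verify_inclusion(b"forged", 2, len(log), proof, root))
```

The size of the proof grows with the logarithm of the log size, which is what allows a browser or a monitor to check inclusion against a published signed tree head without downloading the whole log; a log that ever has to present two different roots for the same tree size has been caught misbehaving.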

Engagement in this area has been two-fold:

  • on one side, SUNET (Leif Johansson and Linus Nordberg, both SUNET) have been involved in the specification work that takes place in the IETF working group Public Notary Transparency (trans WG);
  • on the other, effort has been spent to implement the specs (SUNET) and to test Google's implementation of the specs (SURFnet). More information on the tool being developed by SUNET, Catlfish, can be found online.

References

[1] This work is funded by the EC GN3plus project. The GN3plus project will end in March 2015; its follow-up is expected to start in April 2015.

[2] VOOT is meant to be a protocol orthogonal to the federation, managing groups independently of it. Once a group is created, VOOT enables applications that support it to use the same group for further authorisation purposes. VOOT has been revised several times over the last years: the initial specs were based on OpenSocial; due to the limited uptake of OpenSocial it was decided to move to SCIM, and the latest VOOT specs use the SCIM data model. There is a lot of discussion within the Id&Trust RA group on how to progress this work.

See also SURFnet blog on Groups.