IdPnube: RedIRIS approach to IdP as a service

José-Manuel Macías / IdPnube Team

idpnube@rediris.es

Topics

• Objectives
• Short IdPnube history
• Components
• Some IdPnube Internals
• Current and future developments

Objectives

• Created with security in mind
• Flexible enough to support several use cases
• Fast deployment for new organizations
• Able to scale up to hundreds of organizations
• Easy to use for staff with minimal training
• For end users, no training at all
• Support for organization branding
• SAML IdP… and eduroam IdP, too

=

+

IdPnube history

2018

2019

2020

2021

2022

survey

• small organizations interested
• orgs low in dedicated staff
• service perceived as complex to setup
• interest in having eduroam, too

initial development and pilot

• focus in Unique Science and Technology Infraestructures (ICTS)
• Below 250 users
• Included ~10 organizations initially

​

• a training was held in fall 2019
• several use cases covered
• gathered new requirements from organizations feedback
• different use cases to cover (new functionalities)

new developments / production

• new organizations added
• improvements in the different elements
• work started on “bespoke IdPnube”
• Start partial code rewriting and improvement of existing work flows

Components

SAML Identity Provider

eduroam Identity Provider

Dashboard

&

Password Reset

Log collector

Identity repository, stats, and preferences

Components: solutions used

SAML Identity Provider

eduroam Identity Provider

Dashboard, IdM,

&

Password Reset

Log collector

Identity repository, stats, and preferences

internal development

From request to delivery

IdPnube team

• security team

• DNS configuration
• assign internal configuration parameters
• firewall configuration
• inform organization about details if they want to act as an eduroam SP

IdPnube team + organization

• Admin receives confirmation the IdP is ready
• Initial meeting with admin(s)
• Request to sign acceptance of service conditions (including federation and eduroam policies, if apply)
• IdP published to federation
• IdP visible in CAT, and routed from NTLRs

Organization

• organization requests the service
• minimal information is gathered about organization and requester

IdPnube team

• check organization eligibility
• ask for more details if necessary
• verify requester is an entitled organization member

IdPnube team

• federation team
• eduroam team

• Run initial deployment
• eduroam CAT preparation
• eduroam proxy preparation
• SAML metadata preparation
• Run health checks
• Add external monitoring

Request

Approval

Preparation

Deployment

Delivery

Architecture

firewall

eduroam

NTLRs

eduroam proxy

k8s-ingress

k8s-nodeport

K8S Cluster

Jenkins

Private image registry

NFS shares

central log collector

SAML IdP

Institution logo

Image carrousel can be personalised too

Dashboard details (IdM)

Home Page

IdM (this page)

Stats (SSO & eduroam)

Log visualizer

Organization Preferences

Create individual user

Export users (CSV)

Import users (CSV)

Usual CRUD operations

Force password reset

Password Reset

Reset knowing previous password

Reset by token via email

Fixed password complexity policy

Recaptcha to avoid messing with password reset

Some IdP details

• We decided to use passwords, but
• Use a strong hashing algorithm (argon2)
• Passwords never known by admins
• Fixed minimum complexity forced
• Reset via emailed token

​

• SQL authsource module used as basis for SAML IdP
• had to add support for argon2
• eduroam authentication possibilities limited
• TTLS-PAP used
• decided to use FreeRADIUS rlm_rest for authentication
• No passwords stored if remote repository is used
• Plans to get rid of passwords…
• We use F-TICKS for stats in both IdPs

Current and future work

• Dashboard being rewritten using the Laravel framework
• Implement the groups functionality
• Implement SCIM (server)
• Improvement CI/CD workflows
• Improve resilience of the K8S cluster
• Better handling of secrets
• Marketing actions

Current and future work

• Bespoke IdPnube
• Testing Packer+ansible playbooks for:
• deployment over organization own infrastructure
• containerised IdPs, too
• Also, we want to explore
• WebAuthn instead of passwords
• Introduce MFA + assurance
• EAP-TLS for eduroam
• Let’s WiFi + get eduroam probably a good solution

Thanks for your attention!

​

Questions?