Federation monitoring (PowerPoint PPT presentation)

SLIDE 1

Federation monitoring

Jaime Pérez <jaime.perez@rediris.es>
Virginia Martín-Rubio <virginia.martinrubio@rediris.es>

TF-NOC meeting, Brussels, October 2011

SLIDE 2

What is an identity federation?

A set of infrastructures, policies and agreements between several institutions to share authentication and authorization information.

Two types of membership:
  • Identity Providers
  • Service Providers

In a hub & spoke federation, there's also some central infrastructure, including discovery and logout services.

The main advantage: location independent access.

SLIDE 3

How does it work?

In hub & spoke federations like SIR (RedIRIS Identity Service) the usual flow looks like this:

  • 1. The user tries to access an application. It looks for a valid local session. If there's none, it redirects the user to the central federation infrastructure.

(Diagram label: Service Provider)

SLIDE 4

How does it work?

  • 2. The user is presented a Discovery Service or WAYF (Where Are You From?), and selects his home institution from the list.

(Diagram label: Discovery Service)

SLIDE 5

How does it work?

Discovery Service:
  • Filter by region and/or name
  • Mobile and non-javascript versions
  • Automatically select IdP or region by IP address
  • Comprehensive interface

SLIDE 6

How does it work?

  • 3. Once selected, the user is redirected to his home institution, where he can authenticate by:
    • Username and password
    • Digital Certificate
    • Electronic eID card

(Diagram label: Institution login)

SLIDE 7

How does it work?

  • 4. The institution verifies the data, and returns to the central infrastructure, making an assertion with information about the user.

(Diagram label: Institution)

SLIDE 8

How does it work?

  • 5. The federation infrastructure receives the assertion and filters attributes according to the policies. Then it returns the (modified) assertion to the Service Provider.

(Diagram label: Federation Infrastructure)

SLIDE 9

How does it work?

  • 6. Finally, the Service Provider receives the assertion and evaluates the attributes to decide whether the user is authorized or not to access the resource.

(Diagram labels: Service Provider; Success?)

SLIDE 10

How does it work?

SLIDE 11

Use cases

– Library resources: online magazines, documentation, Wiley, IEEE, ScienceDirect…
– Hardware/software: discounts and offers for the academic community guaranteed through the federation.
– Cloud services: access to e-mail or storage in the cloud.
– Other resources: our own wikis, blogs, service panel, network applications…

SLIDE 12

And what's the problem?

The central federation infrastructure became critical. If it stops working, users cannot access online publications, nor their institutional e-mail, nor many other resources.

Therefore, we need the ability to monitor it and diagnose problems that might affect the service.

An example: from Aug to Sept we experienced an increment of more than a half million logins. And that's because of just one university!

SLIDE 13

Goals

  • 1. The ability to monitor the status of the Identity and/or Service Providers of our production federation.
  • 2. User centric: a provider's status must be seen from the point of view of the users.
  • 3. Deploy a complete monitoring platform that allows us to manage alerts, reports, graphs, statistics, and more.

SLIDE 14

Requisites

1. It must be compatible with our running monitoring infrastructure, based on Nagios:
  • Automated tests executed on demand
  • Follow the Nagios plugins API

2. It must be independent of the underlying technology:
  • SIR federation is a mixture of protocols
  • Users don't know about technology, they just use it

SLIDE 15

Challenge #1: find the appropriate tools

– We started looking for the most suitable tools to fit the requirements.
  • Some software to allow automation of the user's (and his/her web browser) behaviour.
– We made our choice to be Apache JMeter.
  • Mainly used as a benchmarking tool, it's perfect to simulate web browsers.
  • It lacks support for Javascript, but provides mechanisms to simulate it.

SLIDE 16

Apache JMeter

SLIDE 17

Automating JMeter

  • 1. First we developed a test plan that simulates a login through our federation, authenticates and returns back to a specially crafted SP.

SLIDE 18

Automating JMeter

  • 2. Then we set up a dedicated machine to run the test plan on it by means of the JMeter command line interface.

SLIDE 19

Automating JMeter

  • 3. We also considered using a farm of JMeter servers that receive the test plans and run them: better performance and scalability.

SLIDE 20

Automating JMeter

– Since it is desirable to have just one test plan for all monitored IdPs, we designed it with macros and variables that we change in runtime to fit the specific details of each IdP. That is:
  • Username
  • Password
  • The names of the input fields of the login form
  • A cookie to bypass the WAYF and go straight to the IdP.

SLIDE 21

Challenge #2: nagios integration

– Once we were able to test each IdP individually, we needed a way to run the tests and get the results in a specific Nagios format.
– We developed a shell script that receives as command line parameters the variables mentioned before, modifies the test plan in runtime, runs JMeter with it and evaluates the output to translate it to Nagios service status/performance data.

SLIDE 22

Challenge #2: nagios integration

– It is flexible enough to allow us to evaluate the settings of an IdP. For instance, looking for some mandatory attributes and triggering a warning if any of them is missing:
  • adding logic to the Fake Service Provider
– It also allows us to perform security tests, like making sure a fake user is unable to successfully authenticate to the IdP:
  • testing twice with real and fake users
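The shell wrapper described on slides 21 and 22, written out as an added example; this is not the RedIRIS/SIR script, and the plan path, the JMeter property names (`idp_user`, `idp_pass`, `wayf_cookie`, read inside the plan with JMeter's `${__P(name)}` function), the sampler labels `login` and `attributes`, and the time thresholds are all assumptions. It follows the Nagios plugin API (exit code 0/1/2/3 plus one status line with performance data), reads JMeter's default CSV result log, downgrades a missing mandatory attribute reported by the Fake SP assertion to a WARNING, and runs the plan a second time with bogus credentials so that an IdP that accepts the fake user is reported as CRITICAL.

```shell
#!/bin/sh
# check_federation_login.sh: Nagios-plugin-style wrapper around a JMeter test
# plan that logs a user in through the federation and lands on the Fake SP.
# Added example, not the RedIRIS/SIR script; paths, sampler labels and
# thresholds are assumptions. Nagios plugin API: exit 0 OK, 1 WARNING,
# 2 CRITICAL, 3 UNKNOWN; one status line, optional "| perfdata".

PLAN=${PLAN:-/etc/nagios/jmeter/federation_login.jmx}   # assumed location
JMETER=${JMETER:-jmeter}

# Run the shared test plan once. Per-IdP details travel as JMeter properties
# (-Jname=value), which the plan reads with ${__P(name)}: user, password and
# the WAYF-bypass cookie value (property names are assumptions).
run_plan() {   # $1 idp  $2 user  $3 password  $4 output JTL
    "$JMETER" -n -t "$PLAN" -l "$4" -Jidp_id="$1" -Jwayf_cookie="$1" \
        -Jidp_user="$2" -Jidp_pass="$3" >/dev/null 2>&1
}

# Evaluate a CSV JTL (JMeter's default: header line, then
# timeStamp,elapsed,label,responseCode,responseMessage,threadName,dataType,
# success,failureMessage,...; labels are assumed not to contain commas).
# Echoes "<code> <total elapsed ms> <failed labels or ->".
# A failed "login" sampler is CRITICAL (the IdP did not authenticate the real
# user); a failed "attributes" sampler, i.e. a Fake SP assertion on a mandatory
# attribute, is only a WARNING; total time above the thresholds raises the code.
jtl_status() {   # $1 jtl  $2 warn ms  $3 crit ms
    awk -F, -v warn="$2" -v crit="$3" '
        NR == 1 { next }
        { total += $2 }
        $8 == "false" {
            failed = (failed == "") ? $3 : (failed ";" $3)
            if ($3 == "login") code = 2
            else if (code < 1) code = 1
        }
        END {
            if (total > crit && code < 2) code = 2
            else if (total > warn && code < 1) code = 1
            print code + 0, total + 0, (failed == "" ? "-" : failed)
        }' "$1"
}

# Second pass with bogus credentials: the login sampler must NOT succeed.
# Echoes 2 if the IdP accepted the fake user, 0 otherwise.
fake_user_status() {   # $1 jtl from the fake-credentials run
    awk -F, 'NR > 1 && $3 == "login" && $8 == "true" { bad = 1 }
             END { print bad ? 2 : 0 }' "$1"
}

# Format the Nagios status line with performance data.
nagios_line() {   # $1 code  $2 idp  $3 elapsed  $4 failed  $5 warn  $6 crit
    case $1 in 0) s=OK ;; 1) s=WARNING ;; 2) s=CRITICAL ;; *) s=UNKNOWN ;; esac
    echo "$s - $2 login test in ${3}ms, failed samplers: $4 | login_time=${3}ms;$5;$6"
}

# Full check: real-user run, optional fake-user run, Nagios line and exit code.
check_idp() {   # $1 idp  $2 user  $3 password  $4 fake password or ""  $5 warn  $6 crit
    idp=$1 user=$2 pass=$3 fakepass=$4 warn=${5:-5000} crit=${6:-15000}
    real=$(mktemp) || return 3
    if ! run_plan "$idp" "$user" "$pass" "$real"; then
        rm -f "$real"; echo "UNKNOWN - could not run JMeter for $idp"; return 3
    fi
    set -- $(jtl_status "$real" "$warn" "$crit")
    rm -f "$real"
    code=$1 elapsed=$2 failed=$3
    if [ -n "$fakepass" ] && [ "$code" -ne 2 ]; then
        fake=$(mktemp) || return 3
        run_plan "$idp" "$user" "$fakepass" "$fake"   # a failed login is the expected outcome here
        if [ "$(fake_user_status "$fake")" -eq 2 ]; then
            code=2 failed="fake-user-accepted"
        fi
        rm -f "$fake"
    fi
    nagios_line "$code" "$idp" "$elapsed" "$failed" "$warn" "$crit"
    return "$code"
}

# Constructed sample JTL (not real SIR output): the real user logs in, but the
# Fake SP assertion on a mandatory attribute fails -> WARNING.
SAMPLE_JTL=$(mktemp)
trap 'rm -f "$SAMPLE_JTL"' EXIT
cat >"$SAMPLE_JTL" <<'EOF'
timeStamp,elapsed,label,responseCode,responseMessage,threadName,dataType,success,failureMessage,bytes
1317644800000,412,discovery-bypass,302,Found,Thread Group 1-1,text,true,,0
1317644800500,1730,login,200,OK,Thread Group 1-1,text,true,,5120
1317644802300,640,attributes,200,OK,Thread Group 1-1,text,false,Test failed: text expected to contain /eduPersonPrincipalName/,2048
EOF

if [ $# -ge 3 ]; then
    check_idp "$@"                       # e.g. ./check_federation_login.sh idp.example alice s3cret bogus
else
    jtl_status "$SAMPLE_JTL" 5000 15000  # prints: 1 2782 attributes
fi
```

Invoked by Nagios as `check_federation_login.sh <idp> <user> <password> [<fake-password>] [<warn-ms>] [<crit-ms>]`, the script's exit code is the service state and the `login_time` perfdata feeds the response-time graphs. Keeping the fake-user pass keyed to the `login` sampler only, rather than to the whole run, is deliberate: with bogus credentials the Fake SP is never reached, so any other sampler failing in that pass carries no information.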

SLIDE 23

Achievements

#1 Private Nagios interface

24 IdPs already being monitored and increasing

SLIDE 24

Achievements

#2 Manual testing of an IdP: that's the Fake Service Provider itself!

SLIDE 25

Achievements

#3 Integrated with our new monitoring service

SLIDE 26

Achievements

#4 Reports

SLIDE 27

Achievements

#5 Email monthly reports & service alerts

SLIDE 28

Summary

– User centric federation monitoring: we simulate users and browser behaviour, so if the monitor says an IdP is working, then we can guarantee it really does.
– Technology independent: though it is adapted to our running infrastructure, it doesn't know anything about the underlying technology, and in fact supports several protocols mixed altogether.
– Want more info? There's an abstract presented during the last TNC in Prague.

SLIDE 29

Thanks for listening!

http://www.rediris.es/sir
sir@rediris.es