Basic architecture
The trust architecture for deploying OID Fed in the context of research and education federations and eduGAIN is assumed to have Trust Anchors, Intermediates, Leafs (OP/RP), and Trust Mark owners and issuers, as defined in the OpenID Federation Terminology.
National Federations
National federations act as both Intermediates and Trust Anchors at the same time. Some Leaf entities may choose to use only the local, national federation as their trust context, in which case the national federation acts as the Trust Anchor. Others may want to make use of eduGAIN for cross-national transactions, in which case eduGAIN will be a Trust Anchor as well. The national federations offer a list of all the Leafs and Intermediates they have registered via the subordinate listing endpoint. This endpoint may also be used for discovery purposes.
Each national federation provides a resolver to help its own subordinates resolve trust chains. A national federation may provide one or more Trust Mark issuers, either for its own Trust Marks or for Trust Marks owned by other parties such as REFEDs. One Trust Mark issuer that must be present in the national federation TA entity configuration is the eduGAIN Trust Mark issuer.
To register at a national federation, an out-of-band mechanism is used. Once registration is complete, the national federation issues a national federation membership Trust Mark to the entity. Once the Trust Mark is part of the Leaf's entity configuration, the national federation can automatically load and validate the Leaf into its subordinate registration. Diagram 1 provides an overview of this flow.
Diagram 1: Leaf registration at NREN federation (source: https://gitlab.software.geant.org/edugain/oidfed-docs/-/blob/main/Federation_Registry.puml)
To support the technical enrolment of the entity into the Trust Anchor, an API was developed in support of the above registration flow and implemented in the [Gabriels TA].
Diagram 2 shows the enrolment flow.
Diagram 2: Enrolment endpoint (Source: https://gitlab.software.geant.org/edugain/oidfed-docs/-/blob/main/Enrollment_Endpoint.puml)
eduGAIN Interfederation
The eduGAIN interfederation operates a Trust Anchor and registers the national federations as Intermediates. eduGAIN interfederation has no Leafs. The TA developed as part of the testbed by Roland Hedberg will be used and operated by the eduGAIN Pilot team. Registration of participating Intermediates is manual.
eduGAIN will provide at least one Trust Mark issuer and possibly more. The eduGAIN Trust Mark issuer is used to allow Leaf entities of national federation Intermediates to participate in eduGAIN. The Leafs request the eduGAIN Trust Mark from the eduGAIN Trust Mark issuer. Note that the Leafs do not become direct subordinates of the eduGAIN Trust Anchor. To validate compliance, the eduGAIN Trust Mark issuer will validate the presence and validity of the national federation membership Trust Mark. The eduGAIN Trust Mark is short-lived, e.g. 1 day. All entities that resolve Trust Chains should therefore take this lifetime into account when implementing caching: a cached chain must not outlive the Trust Mark it depends on.
eduGAIN may revoke its Trust Mark for a specific Leaf based on eduGAIN policy.
The eduGAIN interfederation does not provide a resolver. If national federation Leafs want to
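The registration gating from Diagram 1, the eduGAIN Trust Mark issuance described above, and a resolver whose cache lifetime is bounded by the short-lived eduGAIN Trust Mark, as an added Python model. This is illustrative code written for this page, not code from the testbed (Roland's TA, Gabriel's Intermediate) or from this document. Entity identifiers, Trust Mark identifiers, lifetimes and the dict shapes are constructed assumptions; in a real deployment every entity statement and Trust Mark is a signed JWS/JWT whose signature is verified against the superior's published keys, and that step is left out here.

```python
"""Toy model of the eduGAIN / national federation trust layout (constructed)."""

NOW = 1_700_000_000          # fixed "current time" (constructed) for deterministic results
DAY = 24 * 3600

# Constructed entity identifiers, not real federation endpoints.
EDUGAIN_TA = "https://ta.edugain.test"
EDUGAIN_TMI = "https://tm.edugain.test"         # eduGAIN Trust Mark issuer
NREN_TA = "https://ta.nren.test"                # national federation (TA and Intermediate)
NREN_TMI = "https://tm.nren.test"               # national membership Trust Mark issuer
LEAF = "https://idp.uni.test"
NREN_MEMBER_TM = "https://nren.test/tm/member"  # Trust Mark identifiers (constructed)
EDUGAIN_TM = "https://edugain.test/tm/member"


def trust_mark(tm_id, issuer, subject, lifetime, now=NOW):
    """Claim set of a Trust Mark; stands in for the signed JWT of the real format."""
    return {"id": tm_id, "iss": issuer, "sub": subject, "iat": now, "exp": now + lifetime}


def valid_trust_mark(entity_config, tm_id, trusted_issuers, now=NOW):
    """Return an unexpired Trust Mark with this id, bound to the entity and issued by a
    trusted issuer, else None. Signature verification is assumed to happen here."""
    for tm in entity_config.get("trust_marks", []):
        if (tm["id"] == tm_id and tm["iss"] in trusted_issuers
                and tm["sub"] == entity_config["sub"] and tm["exp"] > now):
            return tm
    return None


class Federation:
    """A Trust Anchor / Intermediate with its subordinate registry and listing endpoint."""

    def __init__(self, entity_id, trust_mark_issuers, authority_hints=()):
        self.entity_id = entity_id
        self.subordinates = {}          # entity_id -> subordinate statement (iss = this federation)
        self.config = {"iss": entity_id, "sub": entity_id, "exp": NOW + 30 * DAY,
                       "authority_hints": list(authority_hints),
                       "trust_mark_issuers": trust_mark_issuers}  # tm id -> trusted issuers

    def add_subordinate(self, entity_id, now=NOW):
        """Manual registration, as eduGAIN does for national federations."""
        self.subordinates[entity_id] = {"iss": self.entity_id, "sub": entity_id, "exp": now + 7 * DAY}

    def register_leaf(self, leaf_config, membership_tm, now=NOW):
        """Diagram 1: a Leaf is loaded automatically only once its entity configuration
        carries a valid membership Trust Mark from an issuer this federation trusts."""
        issuers = self.config["trust_mark_issuers"].get(membership_tm, [])
        if valid_trust_mark(leaf_config, membership_tm, issuers, now) is None:
            return False
        self.add_subordinate(leaf_config["sub"], now)
        return True

    def list_subordinates(self):
        """What the subordinate listing endpoint would return."""
        return sorted(self.subordinates)


def issue_edugain_trust_mark(leaf_config, national_fed, now=NOW):
    """eduGAIN Trust Mark issuer: requires a valid national membership Trust Mark and
    issues a one-day Trust Mark; the Leaf never becomes a direct eduGAIN subordinate."""
    issuers = national_fed.config["trust_mark_issuers"].get(NREN_MEMBER_TM, [])
    if valid_trust_mark(leaf_config, NREN_MEMBER_TM, issuers, now) is None:
        raise PermissionError("no valid national federation membership Trust Mark")
    return trust_mark(EDUGAIN_TM, EDUGAIN_TMI, leaf_config["sub"], DAY, now)


def resolve(leaf_config, federations, trust_anchor, required_tm, now=NOW):
    """Resolver: walk authority_hints from the Leaf up to trust_anchor, require the Trust
    Mark required_tm from an issuer the TA lists, and return (chain, cache_until).
    cache_until is the minimum exp over every statement and that Trust Mark, so a cached
    chain can never outlive a one-day eduGAIN Trust Mark."""
    chain, current = [leaf_config], leaf_config
    while current["sub"] != trust_anchor:
        superior = next((federations[h] for h in current.get("authority_hints", [])
                         if h in federations), None)
        statement = superior.subordinates.get(current["sub"]) if superior else None
        if statement is None or statement["exp"] <= now:
            raise LookupError(f"no valid subordinate statement for {current['sub']}")
        chain.append(statement)
        current = superior.config
    chain.append(current)                                # Trust Anchor's own entity configuration
    issuers = current["trust_mark_issuers"].get(required_tm, [])
    tm = valid_trust_mark(leaf_config, required_tm, issuers, now)
    if tm is None:
        raise PermissionError(f"{leaf_config['sub']} lacks a valid {required_tm}")
    return chain, min(min(s["exp"] for s in chain), tm["exp"])


def demo():
    """Leaf joins the national federation, obtains the eduGAIN Trust Mark, is resolved to eduGAIN."""
    edugain = Federation(EDUGAIN_TA, {EDUGAIN_TM: [EDUGAIN_TMI]})
    nren = Federation(NREN_TA, {NREN_MEMBER_TM: [NREN_TMI], EDUGAIN_TM: [EDUGAIN_TMI]},
                      authority_hints=[EDUGAIN_TA])
    edugain.add_subordinate(NREN_TA)                     # manual Intermediate registration
    leaf = {"iss": LEAF, "sub": LEAF, "exp": NOW + 3 * DAY,
            "authority_hints": [NREN_TA], "trust_marks": []}
    rejected = nren.register_leaf(leaf, NREN_MEMBER_TM)  # no membership Trust Mark yet
    leaf["trust_marks"].append(trust_mark(NREN_MEMBER_TM, NREN_TMI, LEAF, 365 * DAY))
    accepted = nren.register_leaf(leaf, NREN_MEMBER_TM)  # out-of-band step completed
    leaf["trust_marks"].append(issue_edugain_trust_mark(leaf, nren))
    chain, cache_until = resolve(leaf, {EDUGAIN_TA: edugain, NREN_TA: nren}, EDUGAIN_TA, EDUGAIN_TM)
    return {"rejected": rejected, "accepted": accepted, "subordinates": nren.list_subordinates(),
            "chain": [(s["iss"], s["sub"]) for s in chain], "cache_seconds": cache_until - NOW}
```

The point to take from `resolve` is the last line: even though the Leaf's entity configuration and both subordinate statements are valid for days, the returned cache lifetime collapses to the one-day eduGAIN Trust Mark, and a resolution attempted after that day fails until the Leaf has fetched a fresh Trust Mark.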
Leafs
Trust Marks
- An Erasmus+ Trust Mark may be used to signal participation of entities in the Erasmus+ programme. For this pilot, the Erasmus+ Trust Mark Owner and the Erasmus+ Trust Mark Issuer are both external to eduGAIN. eduGAIN will however list the Trust Mark issuer as a trusted party in its TA entity configuration. As Erasmus+ is a pan-European initiative by default, we assume there is no need for a Trust Mark issuer on a national level.
- In support of a REFEDs SIRTFI Trust Mark, each national federation will list a REFEDs SIRTFI Trust Mark issuer in its TA entity configuration.
eduGAIN Components
We assume 1 eduGAIN and 5 national feds
- TA -> Roland's testbed - we set up the intermediates manually
- Intermediate - Gabriel's codebase including the registration API
- TM issuers
- TMs
- eduGAIN - Only national intermediates
- National Fed Level Trust Mark - Discovery, easier to resolve as compared to a trust chain
- REFEDs SIRTFI - must be on national level.
- VO membership - Independent TM
- RPs -> Go implementation
- OPs?
- SSP (Marko) - Would a proxy also work with the SP side in a SAML fed?
- Shib OP
- Roland's OP
- Can we proxy based on existing SAML IdPs? Yes, via SSP or SATOSA (ask Roland for readiness).
- You may bring your own, but you are on your own; we will not support it.
- Do we also inject existing fed members (based on SAML metadata) into the national federations?
- Yes, but in a different setup.
- Resolver: most important for RPs, as this will simplify RP life.