TF-NOC meeting, Brussels, October 2011
Federation monitoring
Jaime Pérez <jaime.perez@rediris.es>
Virginia Martín-Rubio <virginia.martinrubio@rediris.es>
What is an identity federation?
A set of infrastructures, policies and agreements between several institutions to share authentication and authorization information.
Two types of membership:
– Identity Providers
– Service Providers
In a hub & spoke federation, there's also some central infrastructure including discovery and logout services.
The main advantage: location independent access.

How does it work?
In hub & spoke federations like SIR (RedIRIS Identity Service) the usual flow looks like this:
1. The user tries to access an application. It looks for a valid local session. If there's none, it redirects the user to the central federation infrastructure. (diagram: Service Provider)
2. The user is presented a Discovery Service or WAYF (Where Are You From?), and selects his home institution from the list. (diagram: Discovery Service)
Discovery Service:
• Automatically select IdP or region by IP address
• Filter by region and/or name
• Comprehensive interface
• Mobile and non-javascript versions
3. Once selected, the user is redirected to his home institution, where he can authenticate by:
• Username and password
• Digital certificate
• Electronic eID card
(diagram: Institution login)
4. The institution verifies the data, and returns to the central infrastructure, making an assertion with information about the user. (diagram: Institution)
5. The federation infrastructure receives the assertion and filters attributes according to policies. Then it returns the (modified) assertion to the Service Provider. (diagram: Federation Infrastructure)
6. Finally, the Service Provider receives the assertion and evaluates the attributes to decide whether the user is authorized or not to access the resource. (diagram: Service Provider, Success?)
Use cases
– Library resources: magazines, online documentation, Wiley, IEEE, ScienceDirect…
– Hardware/software: discounts and offers for the academic community guaranteed through the federation.
– Cloud services: access to e-mail or storage in the cloud.
– Other resources: our own wikis, blogs, service panel, network applications…
And what's the problem?
The central federation infrastructure became critical. If it stops working, users cannot access online publications, nor their institutional e-mail, nor many other resources.
Therefore, we need the ability to monitor it and diagnose problems that might affect the service.
An example: from August to September we experienced an increment of more than half a million logins. And that's because of just one university!
Goals
1. The ability to monitor the status of the Identity and/or Service Providers of our production federation.
2. User centric: a provider's status must be seen from the point of view of the users.
3. Deploy a complete monitoring platform that allows us to manage alerts, reports, graphs, statistics, and more.
Requisites
1. It must be compatible with our running monitoring infrastructure, based on Nagios:
• Automated tests executed on demand
• Follow the Nagios plugins API
2. It must be independent of the underlying technology:
• SIR federation is a mixture of protocols
• Users don't know about technology, they just use it
Challenge #1: find the appropriate tools
– We started looking for the most suitable tools to fit the requirements.
• Some software to allow automation of the user's (and his/her web browser) behaviour.
– We made our choice to be Apache JMeter.
• Mainly used as a benchmarking tool, it's perfect to simulate web browsers.
• It lacks support of Javascript, but provides mechanisms to simulate it.
Apache JMeter
Automating JMeter
1. First we developed a test plan that simulates a login through our federation, authenticates and returns back to a specially crafted SP.
2. Then we set up a dedicated machine to run the test plan on it by means of the JMeter command line interface.
3. We also considered using a farm of JMeter servers that receive the test plans and run them: better performance and scalability.
– Since it is desirable to have just one test plan for all monitored IdPs, we designed it with macros and variables that we change in runtime to fit the specific details of each IdP. That is:
• Username
• Password
• The names of the input fields of the login form
• A cookie to bypass the WAYF and go straight to the IdP.
Challenge #2: Nagios integration
– Once we were able to test each IdP individually, we needed a way to run the tests and get the results in a specific Nagios format.
– We developed a shell script that receives as command line parameters the variables mentioned before, modifies the test plan in runtime, runs JMeter with it and evaluates the output to translate it to Nagios service status/performance data.
– It is flexible enough to allow us to evaluate the settings of an IdP. For instance, looking for some mandatory attributes and triggering a warning if any of them is missing:
• adding logic to the Fake Service Provider
– It also allows us to perform security tests, like making sure a fake user is unable to successfully authenticate to the IdP:
• testing twice with real and fake users
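A shell sketch of the Nagios side of this check, added here as an example and not the RedIRIS script: it evaluates a constructed, simplified JMeter result file (label, elapsed ms, response code, assertion verdict, failure message; an assumed format) and turns the real-user login, the mandatory-attribute check at the fake SP and the fake-user login into a Nagios status line, exit code and performance data. The run_jmeter helper passes the per-IdP values from the previous slide as JMeter -J properties instead of rewriting the test plan; it is not called by the sample run.

```shell
#!/bin/sh
# Nagios plugin wrapper around a JMeter run (added example, not the RedIRIS script).
# Constructed result format, one row per sampler of the test plan:
#   label,elapsed_ms,responseCode,success,failureMessage
# "success" is the verdict of that sampler's response assertion, e.g. whether the
# fake SP's "login OK" marker was found in the page the sampler received.
OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3

# Runs the shared test plan non-interactively. IdP-specific values are passed as
# JMeter properties (-J), read in the plan with ${__P(name)}, instead of rewriting
# the .jmx at runtime as the talk's script does. Not called by the sample run.
run_jmeter() {  # plan.jmx results.csv user pass user_field pass_field wayf_cookie
    jmeter -n -t "$1" -l "$2" -Juser="$3" -Jpass="$4" -Juser_field="$5" \
        -Jpass_field="$6" -Jwayf_cookie="$7" >/dev/null 2>&1
}

# Column 4 ("success") of the row whose label is $2 in results file $1.
verdict() { awk -F, -v l="$2" '$1==l {print $4}' "$1"; }

# Prints one Nagios status line with perfdata; returns the Nagios exit code.
nagios_evaluate() {
    r="$1"
    [ -r "$r" ] || { echo "UNKNOWN - no JMeter results at $r"; return $UNKNOWN; }
    real=$(verdict "$r" login_real); fake=$(verdict "$r" login_fake)
    attrs=$(verdict "$r" attrs_check)
    ms=$(awk -F, '$1=="login_real" {print $2}' "$r")
    perf="login_time=${ms:-0}ms"
    if [ -z "$real" ] || [ -z "$fake" ] || [ -z "$attrs" ]; then
        echo "UNKNOWN - test plan output incomplete | $perf"; return $UNKNOWN
    fi
    [ "$real" = true ] || { echo "CRITICAL - real user cannot log in | $perf"; return $CRITICAL; }
    # Fake credentials reaching the SP success page means the IdP accepts anyone.
    [ "$fake" = false ] || { echo "CRITICAL - fake user was authenticated | $perf"; return $CRITICAL; }
    [ "$attrs" = true ] || { echo "WARNING - mandatory attributes missing | $perf"; return $WARNING; }
    echo "OK - login, attributes and fake-user rejection verified | $perf"; return $OK
}

# Constructed sample results: a healthy IdP.
sample_ok() { printf '%s\n' 'login_real,843,200,true,' 'attrs_check,12,200,true,' \
    'login_fake,522,200,false,Assertion failed: success marker not found'; }
# Constructed sample results: a mandatory attribute missing at the fake SP.
sample_missing_attr() { printf '%s\n' 'login_real,910,200,true,' \
    'attrs_check,11,200,false,Assertion failed: mandatory attribute not found' \
    'login_fake,498,200,false,Assertion failed: success marker not found'; }

# Plugin usage: nagios_evaluate <results.csv>; the exit code is the service state.
if [ $# -gt 0 ]; then nagios_evaluate "$1"; exit $?; fi
```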
Achievements #1
Private Nagios interface: 24 IdPs already being monitored and increasing
Achievements #2
Manual testing of an IdP: that's the Fake Service Provider itself!
Achievements #3 Integrated with our new monitoring service
Achievements #4 Reports
Achievements #5 Email monthly reports & service alerts
Summary
– User centric federation monitoring: we simulate users and browser behaviour, so if the monitor says an IdP is working, then we can guarantee it really does.
– Technology independent: though it is adapted to our running infrastructure, it doesn't know anything about the underlying technology, and in fact supports several protocols mixed altogether.
– Want more info? There's an abstract presented during the last TNC in Prague.

Thanks for listening!
http://www.rediris.es/sir
sir@rediris.es