Context Navigation

Changes between Version 12 and Version 13 of ServiceProviderFederation/Discovery

Timestamp:: 11/19/15 11:57:56 (9 years ago)
Author:: Sander Maijers
Comment:: Overhaul

Legend:

: Unmodified
: Added
: Removed
: Modified

ServiceProviderFederation/Discovery

-                      v12
+                      v13
 = CLARIN Central Discovery Service =
 The CLARIN central discovery service is based on !DiscoJuice (version 1.0), see: http://discojuice.org/.
+The CLARIN central Discovery Service (DS) is based on !DiscoJuice (version 1.0), see: http://discojuice.org/.
 The goal is to provide an easy to use discovery service for all CLARIN service providers. By using the same discovery service users do not have to re-login or re-select their IDP when switching between service providers. A drawback of the central discovery service is the fact that it introduce a single point of failure (SPOF). Currently we are looking into ways to make this central discovery service high availability.
+The goal is to provide an easy to use entry point for all CLARIN Service Provider Federation (SPF) Service Providers (SPs), which allows users to select an institutional Identity Provider (IdP) to log in to. By using the same Discovery Service users do not have to re-login or re-select their IdP when switching between SPs. A drawback of the central DS is the fact that it is a single point of failure. We are still looking into the best way to make the central DS highly available.
 = Status =
+The CLARIN central discojuice "Where Are You From" (WAYF) service is currently operating as a beta service.
+Currently used at the catalog.clarin.eu SP, see e.g. the Component Registry:
+https://catalog.clarin.eu/ds/ComponentRegistry/ (click on login)
+Currently used at the catalog.clarin.eu SPs, like the component registry:
+http://catalog.clarin.eu/ds/ComponentRegistry/ (click on login)
+= To configure
 = Roadmap =
+=== For Shibboleth Service Provider
+* We plan to release version 1 of the CLARIN central discojuice WAYF service around Christmas 2011.
+* Look into high availability options.
+* Upgrade to !DiscoJuice 2.0
+In order to use the central Discovery Service, your Shibboleth Service Provider's configuration must have the right session initiator configuration. You can change this in the `shibboleth2.xml` configuration file. The `Location` attribute specifies the login endpoint you can use to append to your handler URLs (`/Shibboleth.sso` by default) to start a SAML session. The `URL` attribute of the session initiator of type `SAMLDS` should point to the !DiscoJuice installation you want to use.
+= Configuration =
+Please add to `shibboleth2.xml`:
+How to use discojuice as your shibboleth WAYF?
+{{{
+  <!-- Use CLARIN central Discovery Service -->
+  <SSO discoveryProtocol="SAMLDS" discoveryURL="https://discovery.clarin.eu/discojuice">
+    SAML2
+  </SSO>
+}}}
+'''(A restart of `shibd` and a reload of your web server and is required afterwards.)'''
+. Get access to a discojuice WAYF:
+  a. Host discojuice yourself (see http://discojuice.org for installation instructions).
+  b. Use an external hosted discojuice WAYF service (http://catalog.clarin.eu/discojuice/idp.html provided by CLARIN).
+. Configure a login endpoint in your SP configuration to use the discojuice WAYF service ( either 1a or 1b ), see the next section for more details.
+. Use this new login endpoint
+=== !DiscoJuice login endpoint ===
+In order to use discojuice as the WAYF service, a session initiator needs to be configured in the SPs 'shibboleth2.xml' configuration file. The 'Location' attribute specifies the login endpoint you can use to append to your handler url (/Shibboleth.sso by default) to start a shibboleth session. The 'URL' attribute of the session initiator of type 'SAMLDS' should point to the discojuice installation you want to use.
+A restart of the SP is required after changing the 'shibboleth2.xml' configuration file.
+Example using the CLARIN provided discojuice WAYF:
+If you're using Shibboleth SP < version 2.4.x you must use the following, more verbose, snippet:
 {{{
 <SessionInitiator type="Chaining" Location="/DiscoJuice" id="DiscoJuice" relayState="cookie">
      <SessionInitiator type="SAML2" defaultACSIndex="1" acsByIndex="false" template="bindingTemplate.html"/>
      <SessionInitiator type="Shib1" defaultACSIndex="5"/>
      <SessionInitiator type="SAMLDS" URL="http://catalog.clarin.eu/discojuice/idp.html"/>
+     <SessionInitiator type="SAMLDS" URL="https://discovery.clarin.eu/discojuice"/>
  </SessionInitiator>
 }}}
+If you're using Shibboleth 2.4.x you can use the following, less verbose, snippet:
+{{{
+  <!-- use CLARIN central discovery service (DiscoJuice) -->
+  <SSO discoveryProtocol="SAMLDS" discoveryURL="http://catalog.clarin.eu/discojuice/idp.html">
+    SAML2 SAML1
+  </SSO>
+}}}
+=== For other Service Provider implementations (technical details)
+Make sure to restart shibd and the Apache webserver for changes to come into effect!
+The CLARIN central Discovery Service is not Shibboleth-specific, but complies with the [http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf SAML Identity Provider Discovery Service Protocol].
+= Availability =
+Your Service Provider should also follow this protocol. This means simply that you HTTP-redirect the user to the central Discovery Service.
+== Old situation ==
+In practice we use the following HTTP request parameters:
+. `entityID`: The unique identifier of the SP the end user is (or will be) interacting with, following successful authentication by an IdP.
+. `return`: The SAML endpoint to return the user to after selecting an IdP. Since the central Discovery Service is not yet using the `idpdisc:DiscoveryResponse` element you have to put in the SAML metadata about your SP you distribute to the CLARIN SPF, this parameter is required (as described in the [https://www.oasis-open.org/committees/download.php/28049/sstc-saml-idp-discovery-cs-01.pdf Identity Provider Discovery Service Protocol and Profile]).
+[[Image(http://trac.clarin.eu/raw-attachment/wiki/ServiceProviderFederation/Discovery/disco-old.png, 600px)]]
+An example when login in to the Component Registry [2]:
+https://discovery.clarin.eu/discojuice?entityID=https%3A%2F%2Fsp.catalog.clarin.eu&return=https%3A%2F%2Fcatalog.clarin.eu%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26target%3Dss%253Amem%253A602dd8144643cda1b50b0c5998caca437dffc418c6d9b184c6538faa996f49e4
 In the old situation the tomcat-clarin was running as a single instance behind apache. The path /mw/* is mounted in apache by mod_jk and all requests here are forwarded to the tomcat-clarin via the AJP13 protocol. The idp location “/discojuice/idp.html” is rewritten to “/mw/…” to provide a stable entry point for users of the service and remain flexible in the backend. This setup does not provide any redundancy and maintenance has to be performed in the running production service.
+As you can see there are no SAML statements included in the requests to or responses from the discovery service, just plain HTTP redirects.
 == New situation ==
+== Maintenance Policy
+[[Image(http://trac.clarin.eu/raw-attachment/wiki/ServiceProviderFederation/Discovery/disco-new.png, 600px)]]
+To overcome the effects of maintenance on the running production service we propose the following setup (with options for more enhancements in the future).
+In this setup two tomcat instances (tomcat-clarin1 and tomcat-clarin2) are mounted in apache with mod_jk as /mw1/* and /mw2/*.  With the apache rewrite rule we can choose which of the two instance is active and this allows us to perform maintenance and testing on the other instance without disruption of the live instance. When maintenance is completed the rewrite rule is changed to point to the updated instance which then becomes live and we can easily update the other instance.
+== Future possibilities ==
+The proposed setup can easily be improved by a number of steps:
+ * Split the apache in tomcat instances over different (virtual) machines. Providing a working service if one of the tomcat machines would crash.
+ * Make the apache instance redundant and configure a H/A solution (e.g. heartbeat + virtual IP) where the backup instance can take over if the live instance crashes.
+ * Configure load balancing from apache to the tomcat-instances.
+ * Configure load balancing in front of the apache instances (e.g. use ultramonkey ).
+Although these steps will increasingly provide high availability of the service we want to start simple and discuss what options are necessary to provide later on.
+Maintenance Policy
+Next to the technical changes we would like to propose two policies to improve communication about maintenance.
+. Maintenance on the WAYF and IDP services will be announced 1 week in advance on the (dev)mailing list.
+. Maintenance on the WAYF and IdP services will be announced 1 week in advance on the (dev)mailing list.
 . We will plan maintenance in such a way that the day after a system administrator is available (unless something unexpected happens, e.g. breaking a leg or something).
-. Moreover in the case of a failure of the discojuice service we want to test the possibility to provide a rewrite of the production login endpoint to a backup (old-style) WAYF we host as well.