The Edugate federation has been in operation in Ireland for two years. As your nearest neighbouring federation, we have looked on with envy as the gardens of the UK federation matured, but we have been busy growing on our side of the fence too and we will present some of the tools that can be borrowed from our shed and show our finest exhibits that are ready for cross-pollination.

1. Edugate
Glenn Wearen
HEAnet.

2. Introduction
HEAnet
Ireland’s Research and Education Network
Edugate
Irelands Federated Access Management
system for Higher Education

3. Edugate
• 31+ Higher Education Institutions (IdP’s)
• All Universities
• All Institutes of Technology
• No private colleges
• 42+ Member Service Providers (SP’s)
• 12 Publishers
• 6 HEAnet shared services
• 5 Student Discount
• 29+ Non-member Service Providers
• 50k logins per day

6. Edugate Model
Distributed (Mesh) federation
• Identity Providers
100% Shibboleth, deployed on-campus.
• Service Providers
80% Shibboleth
10% SimpleSAMLphp
Others (Tivoli FIM, ADFS, WIF2)
Centralised management
• Web GUI to manage attribute release policy and bilateral trusts
• Statistics collection (Raptor & Cactii)
• Monitoring (IdP up/down, clock sync)

7. Edugate Rules
Policy based on UK Federation
• addition of ‘Attribute Declarations’
• Serivce Providers must declare and justify what
attributes they require or desire on joining
• Identity Provider must publish its release policy
• Federation, Specific, Custom & Default
• exclusion of ‘Interfederation’
• Rewrite of rules required for eduGAIN and UK MDX

8. Edugate Rules
Policy based on UK Federation
• Provide logs in the event of dispute, including
raw SAML statements
• No auditing of identity data
• Minimum uptime per-entity required
(9 months out of 12)

9. Edugate Technical Specification
Schema
• eduPersonTargetedID
• eduPersonPrincipalName
• eduPersonEntitlement
• givenName, surname
• email
• organizationName
• eduPersonScopedAffiliation**

10. Edugate Technical Specification
Protocol
• SAML2 only (SAML2int specifically)
• Some publishers only recently adding SAML2 support
(but WAYF/DiscoveryService often overlooked)
• Absence of AttributeQuery (backchannel) lowers the
burden for Edugate operations team and institutional
administrators, but excludes advanced use cases

11. Edugate Operations
• Deploy and configure identity provider
• Including ‘best practicies’
• PersistentID
• Customised login page
• uApprove consent
• Integration guidance and advice for Service
Providers (who are new to SAML)
• Deploy and configure for HEAnet web hosting
customers
• Workshops

12. Edugate Tools
Edugate Resource Registry
Produces Metadata and Shibboleth Attribute
Release Policy
Raptor & Cactii
Central federation statistics
Nagios
Central federation monitoring

13. Edugate Resource Registry
https://edugate.heanet.ie/rr3

36. Resource Registry
Opensource’d on
http://github.com/Edugate/ResourceRegistry
Deployed in two more federations
Manage your campus federation.

37. Edugate Statistics & Monitoring
Cactii
Polls each Shibboleth IdP URL for statistics

39. Specific IdP

40. Aggregate

41. Raptor
Trialed since June 2012
Production deployment December
• What is the most widely used Edugate service?
• What service does my institution use most?
• Can I stop releasing attriubutes to service X?
• Identifies unexpected patterns.

43. Raptor

45. Nagios
Ping up/down
SSL Certificate check
Shibboleth OK message
define command{
command_name check_https_shibidp command_line
$USER1$/check_http -S -H $HOSTADDRESS$ -u /idp/profile/Status -e
'HTTP/1.1 200' -s "ok »
}

46. Weathermap

47. Interfederation / MDX
UK MetaData eXchange (in progress)
Use-cases
• All Ireland Research Projects
• Gaelic language projects
• UK & Ireland etaillers (student discount)
• Publishers (‘Select your region - UK & Ireland’)
• More use-cases? Expression of Interest.

48. Thank you
HEAnet Middleware team
support@edugate.ie www.edugate.ie @EdugateIE