24–26 Sept 2014
CWI Conference Centre
Europe/Amsterdam timezone

Extending eduGAIN with HEXAA

25 Sept 2014, 16:20
20m
Turingzaal (CWI Conference Centre)

Speaker

Dr Mihaly Heder (MTA SZTAKI)

Description

One of the key challenges of today’s e-Infrastructures is to allow borderless interworking of researchers, applications and research facilities. There has been huge progress in this area in the last decade. Today federated access is a well-known concept and all major academic infrastructure projects include it in their agenda. However, this increasing adoption has made it clear that adjustments have to be made in the federated infrastructure.

In our presentation we introduce and demonstrate HEXAA, an External Attribute Provider (EAP). The EAP is a new role in the federated system. An EAP provides attributes to SPs, just like an IdP, but is administratively separate from the home organization, hence “external”. EAPs can be operated by any community, such as research consortia or interest groups. They can be operated at the NREN level and, most importantly, at the inter-federation level in eduGAIN.

In technical terms, HEXAA is a SAML Attribute Authority, which can be queried by Shibboleth, simpleSAMLphp and other SAML 2.0 compatible software upon access to a resource. After a session has been established between the IdP and the SP, the SP software looks for additional attributes in HEXAA. Therefore, there is no need to force IdPs or local SP databases to store attributes that are necessary only for specific services.

The attributes are managed in the HEXAA GUI. The attributes can be authoritative, such as group or role membership, and these are facilitated by the Virtual Organization manager feature of HEXAA. Other attributes belong to the user profile, such as addresses, preferences, or any other information that is not released by the IdP even though it can be key to successful service provisioning. All features of HEXAA can be accessed through its REST API, too.

An important aspect of the HEXAA software is that it implements privacy by design. From the very first phase of the project the developer team included a legal expert, so that the software is able to conform to the widest range of regulatory environments, with special attention to the current European Directive and the upcoming European Data Protection Regulation.

In eduid.hu, the Hungarian federation, we have a federation-level HEXAA service. We have been using the OpenNebula cloud with earlier and current versions of HEXAA, and we have also integrated it with the WS-PGRADE/gUSE science gateway framework. HEXAA is therefore usable with any Liferay application as well. Drupal, Icinga, NFSEN, pydio (ajaxplorer), wikis and other applications are also integrated. HEXAA is free and open source software, implemented in PHP using Symfony. The presentation will also discuss the HEXAA architecture and the major design decisions, and show how the system is integrated with SAML SPs.

Primary author

Dr Mihaly Heder (MTA SZTAKI)

Co-author

Dr Istvan Tetenyi (MTA SZTAKI)
