This page contains the service description: how and where the service should be used, its target users, the service delivery model, and the service elements and topology.
RESPONSIBLE: The information on this page is initially populated by the development team (during the transition phase) and revised as needed, or during the yearly service check, by the service_name Service Manager, with the exception of the CBA, which remains the responsibility of the business development team.
GÉANT Federation as a Service (FaaS) is an easy entry point for NRENs that are developing, or are in the early stages of operating, a WebSSO identity federation. FaaS is offered to organisations that operate an identity federation (Federation Operators) to reduce the effort needed for uptake and day-to-day operations. The FaaS offering enables a Federation Operator (typically an NREN) to roll out identity federation services to its constituents in a way that follows best current practice for operating an identity federation and connecting to eduGAIN.
FaaS target users are federations that are developing or in the early stages of production. FaaS is offered at no additional cost to GÉANT partners. Current FaaS users are:
All levels of support are provided by the FaaS operations team.
| Service Manager | Deputy Service Manager | L1 support | L2 support | L3 support |
Service delivery model
The service is operated by the GÉANT project and offered to identity federation operators as a SaaS offering. A request for the service is sent to the FaaS contact following the procedure explained at https://wiki.edugain.org/Become_FaaS_user. Upon receiving the request and all technical parameters, the FaaS operations team deploys a single-tenant service instance for the Federation Operator. The FaaS instance is hosted on a domain chosen and provided by the Federation Operator, and it is localised (language, logo, etc.) so that it appears to belong to the Federation Operator's own constituency. The FaaS offering is delivered in a way that is transparent to the federation members.
The FaaS operations team is responsible for maintaining and administering all deployed FaaS instances. Federation Operator personnel are responsible for using their FaaS registry to manage SAML metadata and for promoting the use of the registry to their members in line with local policies and practices. Depending on those policies, administrators of IdPs and SPs may also use their federation's FaaS registry to register SAML entities themselves.
The FaaS toolbox is built from open source tools sourced from the academic community:
- Jagger Federation Registry is a web application used for registering SAML IdP and SP metadata;
- pyFF SAML Metadata Appliance (short for python Federation Feeder) is a simple yet complete SAML metadata aggregator capable of signing with an HSM.
The metadata aggregator used in FaaS is configured to consume the eduGAIN metadata and the metadata of the locally registered federation entities, and to produce two metadata streams:
- Federation upstream, published to eduGAIN. This stream contains the aggregated metadata of those locally registered entities that have chosen, in the federation registry application, to be members of eduGAIN;
- Federation downstream, published to federation members. This stream contains all locally registered entities that have chosen, in the federation registry application, to be members of the local federation, plus the eduGAIN metadata.
The metadata aggregator runs:
- regularly, once a day at around 01:00 CEST;
- on any change in the registered SAML metadata; the check for changes runs every 10 minutes, counted from the full hour.
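The following is an added illustration of the two-stream split described above; it is not FaaS or pyFF code. The registry records, the eduGAIN feed and every entityID in it are constructed sample data, and the in_local / in_edugain flags stand in for the membership choices an administrator makes in the federation registry. It also shows the check a federation operator wants on the upstream stream: nothing sourced from eduGAIN may be sent back to eduGAIN, otherwise the feed loops.

```python
"""Two-stream SAML metadata aggregation (upstream to eduGAIN, downstream to members)."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)
ENTITY_TAG = f"{{{MD_NS}}}EntityDescriptor"

# Constructed eduGAIN aggregate as the aggregator would fetch it. It also
# carries the local IdP, which an earlier upstream run already exported.
EDUGAIN_FEED = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="https://edugain.example/feed">
  <md:EntityDescriptor entityID="https://idp.other-fed.example/idp"/>
  <md:EntityDescriptor entityID="https://sp.other-fed.example/sp"/>
  <md:EntityDescriptor entityID="https://idp.local.example/idp"/>
</md:EntitiesDescriptor>"""

# Constructed registry records: one per locally registered entity, with the two
# membership choices made in the registry (local federation, eduGAIN).
REGISTRY = [
    {"entity_id": "https://idp.local.example/idp", "in_local": True, "in_edugain": True},
    {"entity_id": "https://sp.local.example/sp", "in_local": True, "in_edugain": False},
    {"entity_id": "https://test-sp.local.example/sp", "in_local": False, "in_edugain": False},
]


def entity_descriptor(entity_id):
    """Minimal EntityDescriptor element standing in for the registry's stored XML."""
    return ET.Element(ENTITY_TAG, {"entityID": entity_id})


def build_aggregate(name, entities):
    """Wrap entities in an EntitiesDescriptor, keeping the first copy of each entityID."""
    root = ET.Element(f"{{{MD_NS}}}EntitiesDescriptor", {"Name": name})
    seen = set()
    for entity in entities:
        eid = entity.get("entityID")
        if eid in seen:
            continue
        seen.add(eid)
        root.append(entity)
    return root


def upstream(registry):
    """Federation upstream: only local entities that opted into eduGAIN.
    The eduGAIN feed is deliberately never an input here."""
    chosen = [entity_descriptor(r["entity_id"]) for r in registry if r["in_edugain"]]
    return build_aggregate("upstream", chosen)


def downstream(registry, edugain_xml):
    """Federation downstream: local-federation members first, then the eduGAIN
    entities; de-duplicated so the registry's copy of an entity wins."""
    local = [entity_descriptor(r["entity_id"]) for r in registry if r["in_local"]]
    remote = list(ET.fromstring(edugain_xml).iter(ENTITY_TAG))
    return build_aggregate("downstream", local + remote)


def entity_ids(aggregate):
    """entityIDs in document order, used for the checks below."""
    return [e.get("entityID") for e in aggregate.iter(ENTITY_TAG)]


def foreign_entities(aggregate, registry):
    """entityIDs in an aggregate that are not registered locally. For the
    upstream stream this must be empty, or eduGAIN metadata would loop back."""
    known = {r["entity_id"] for r in registry}
    return [eid for eid in entity_ids(aggregate) if eid not in known]


def serialize(aggregate):
    return ET.tostring(aggregate, encoding="unicode")


if __name__ == "__main__":
    up = upstream(REGISTRY)
    assert not foreign_entities(up, REGISTRY), "upstream would re-export eduGAIN entities"
    print(serialize(up))
    print(serialize(downstream(REGISTRY, EDUGAIN_FEED)))
```

In a real deployment the EntityDescriptor elements come from the registry's stored XML and the aggregates are signed (in FaaS, with the HSM-held key) before publication; the filtering and de-duplication logic is the part this example isolates.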
Each federation using FaaS is provided with its own single-tenant FaaS instance. The FaaS operations team maintains a FaaS instance for each user, as well as QA instances. All FaaS instances are described in FaaS instances configuration parameters. The VM infrastructure is provided by PSNC.
The metadata aggregator signs the metadata using an HSM (Hardware Security Module) provided by NORDUnet. An HSM is state-of-the-art technology for secure signing in which the signing key is stored in, and never leaves, the hardware.
There are two HSM partitions shared by all FaaS instances. Each partition is hosted on a different HSM appliance, and the two appliances are located at different sites in Stockholm, Sweden. On each FaaS instance an HA (high availability) group is defined, and the metadata aggregator is set to address its requests to the HA group rather than to either partition directly. This approach provides:
- High availability: if one HSM appliance fails, the remaining appliance continues to provide the service;
- Load balancing: load is spread over all HSM partitions that are members of the HA group.
A high-level drawing of the FaaS toolbox architecture and of the administrative and technical responsibilities of FaaS, the Federation Operator and IdP/SP administrators is given in the diagram below.
FaaS uses the following additional resources:
- Promotional website: https://www.geant.org/Services/Trust_identity_and_security/Pages/FaaS.aspx
- Technical website: https://wiki.edugain.org/FaaS
- Monitoring service, provided by PSNC, described in FaaS OLA
- Backup service, provided by PSNC, described in FaaS OLA
- Network and firewall services, provided by PSNC, described in FaaS OLA
Cost Benefit Analysis
Provide URL to last valid CBA