The FaaS toolbox is built from Free/Libre/Open Source software; its two main components were created by the academic community:
Federation Operator personnel and administrators of IdPs and SPs can register SAML entities into the federation registry application via a web UI. The web UI makes registering a SAML entity as simple as pasting the entity's metadata into a text box. The application then transforms the raw SAML metadata into a rich UI with options to add or change a variety of additional data, such as metadata user interface elements and entity categories. In this process, the Federation Operator personnel oversee and approve the registration (or make changes on behalf of the entity owners, if needed or requested).
After an entity has been registered, it can become a member of both the local federation and eduGAIN. The administrator of the IdP/SP needs to add the entity as a "member" of the local federation or eduGAIN in the registry application, and the Federation Operator needs to approve it. Once the membership is approved, the entity will appear in the respective generated metadata streams.
The metadata aggregator used within FaaS is configured to consume eduGAIN metadata and the metadata of registered local federation entities, and to produce two metadata streams:
To create the federation's upstream and downstream metadata, the metadata aggregator is run:
The metadata aggregator signs the metadata using an HSM (Hardware Security Module) provided by NORDUnet. An HSM is a state-of-the-art technology for secure signing: the signing key is stored in hardware and is never exposed to the operating system or to the application doing the signing.
There are two HSM partitions for all FaaS instances. Each partition is hosted on a different HSM appliance, located at a different site in Stockholm, Sweden. On each FaaS instance an HA (high availability) group is defined, and the metadata aggregator is configured to address its requests to the HA group instead of to any partition directly. This approach provides:
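The consumer side of the generated streams is where the signing and the registration data above pay off: an IdP or SP loading a signed aggregate should check that it is signed, that its validity window is sane, and which registrar vouches for each entity. The following is an added example, not code from the FaaS toolbox; the registration authority URL, entity IDs and the sample aggregate are constructed, and the signature is only checked for presence (real XML-DSig verification needs an XML signature library and the federation's published signing certificate).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}
LOCAL_AUTHORITY = "https://federation.example"  # hypothetical registrationAuthority of the local federation
SAMPLE_NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

# Constructed sample aggregate: a locally registered IdP plus an SP registered by another
# federation (as it would arrive through eduGAIN). The ds:Signature is a placeholder only.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor validUntil="2024-06-15T00:00:00Z"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo/></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.local.example/idp"><md:Extensions>
    <mdrpi:RegistrationInfo registrationAuthority="https://federation.example"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.remote.example/sp"><md:Extensions>
    <mdrpi:RegistrationInfo registrationAuthority="https://other-federation.example"/></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def check_aggregate(xml_text, local_authority, now, max_validity=timedelta(days=14)):
    """Return {"problems", "local", "foreign"}; a consumer refuses the aggregate if problems is non-empty."""
    root = ET.fromstring(xml_text)
    problems, local, foreign = [], [], []
    # Presence check only: verifying the XML-DSig produced by the HSM-backed signer needs an
    # XML signature library plus the federation's published signing certificate.
    if root.find("ds:Signature", NS) is None:
        problems.append("aggregate carries no ds:Signature")
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("missing validUntil: aggregate would never expire")
    else:
        # SAML dateTime values are UTC with a trailing Z
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append("aggregate expired at " + expiry.isoformat())
        elif expiry - now > max_validity:
            problems.append("validUntil is more than %s ahead of now" % max_validity)
    # Split entities by who registered them, using the mdrpi:RegistrationInfo extension
    for ed in root.findall("md:EntityDescriptor", NS):
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        authority = reg.get("registrationAuthority") if reg is not None else None
        (local if authority == local_authority else foreign).append(ed.get("entityID"))
    return {"problems": problems, "local": local, "foreign": foreign}

def demo():  # run the check inside the validity window and again 30 days later
    return (check_aggregate(SAMPLE_AGGREGATE, LOCAL_AUTHORITY, SAMPLE_NOW),
            check_aggregate(SAMPLE_AGGREGATE, LOCAL_AUTHORITY, SAMPLE_NOW + timedelta(days=30)))
```

The second result from `demo()` shows why `validUntil` matters: a stale copy of the aggregate is rejected even though it is otherwise well-formed.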
A high-level drawing of the FaaS toolbox architecture and the administrative/technical responsibilities of the FaaS team, the Federation Operator and IdP/SP administrators is given in the diagram below.