This page contains service description outlining how and where service should be used, targeted users, service delivery model and service elements and topology.

RESPONSIBLE: Information provided in this page is initially populated by the development team (during the transition phase), and revised based on the need or in a yearly service check by service_name Service Manager, with exception of CBA which remains the responsibility of business development team.

Service description

GÉANT Federation as a Service - FaaS is an easy entry point for NRENs who are developing or are in early stage of operating an WebSSO Identity federation. FaaS service is offered to organisations which operate an Identity federation - Federation Operators to facilitate efforts needed for uptake and day-to-day operations. FaaS offer enables Federation Operator (typically an NREN) to roll out Identity federation services to their constituents in a way which accommodates best current practices for operating Identity federation and connecting to eduGAIN. 

Users

FaaS target users are Federations that are developing or in early stage of production. FaaS is offered at no additional costs to GÉANT partners. Current FaaS users are:

Contacts

All level of support are provided by FaaS operations team. 

Service ManagerDeputy Service ManagerL1 supportL2 supportL3 support
 Dariusz Janny - faas@lists.geant.org faas@lists.geant.org faas@lists.geant.org

Service delivery model

Service is operated by GEANT project and offered to the Identity Federation operators in a form of SaaS offering. The request for the service is sent to the FaaS contact following procedure explained at https://wiki.edugain.org/Become_FaaS_user. Upon from receiving the request and all technical parameters, FaaS operations team deploys a single-tenant service instance for the Identity Federation operator. The FaaS instance is hosted on the domain chosen and provided by the Federation operator, and it is localized so that it looks like its in constituency of the Federation operator (localized language, logo etc.). FaaS offering is delivered in a way that is transparent to the Federation members. 

FaaS operations team is responsible for maintaining and administering all deployed FaaS instances. Federation Operator personnel is responsible for using its FaaS registry to manage SAML metadata and to promote usage of the registry in line with local policies and practicies, to their members. Depending on that, administrators of IdPs and SPs, could also use their federation FaaS registry to registerer SAML entities.

Service Elements

Technology infrastructure

FaaS toolbox is built by using open source tools sourced from the academic community:

Metadata aggregator used in FaaS is configured to consume eduGAIN metadata and registered local federation entities metadata and to produce two metadata streams: 

Metadata aggregator is run: 

Each federation using FaaS is provided with its own, single-tenant, FaaS instance. FaaS operations team is maintaining a FaaS instance for each user and also QA instances. All FaaS instances are described in FaaS instances configuration parameters. VM infrastructure is provided by PSNC. 

Metadata aggregator signs the metadata using HSM - Hardware Security Module provided by NORDUnet. HSM is state of the art technology used for secure signing where signing key is stored in hardware. 

There are two HSM partitions for all FaaS instances. Each partition is hosted on a different HSM appliance, located at different locations in Stockholm, Sweden. On each FaaS instance HA (High availability) group is defined and metadata aggregator is set to address its requests to the HA group instead of addressing its requests to any partitions directly. This approach provides:

High level drawing of FaaS Toolbox architecture and Administrative/Technical responsibilites of FaaS, Federation Operator and IDP/SP administrators is given in the diagram below.


Supporting infrastructure

FaaS uses following additional resources: 

Cost Benefit Analysis

Provide URL to last valid CBA