Table of Contents

Proxy IdP architecture

Description of individual Proxy IDP components

The Proxy IdP component is operated on the machines of CESNET virtualization platform. As a critical component, it is operated in High Availability mode:

  1. The cluster consists of three, mutually representative, geographically separated machines with login [1-3].cesnet.cz.
  2. Individual machines are regularly updated and backed up.
  3. Each of the machines is monitored by the Nagios system processed by the Metacentrum.
    • The result of the main check(If signing in to SAML and OIDC service is possible) is available in CESNET nagios too.
  4. The current status of the Proxy IdP component is available here.

Proxy architecture schema

The Proxy IdP component consists of internal and external parts:

Internal parts:

  1. SimpleSAMLphp
  2. MitreID
  3. MariaDB Galera Cluster

External parts:

  1. Perun
    1. LDAP Interface
    2. RPC Interface
  2. Cesnet LDAP

SimpleSAMLphp

Component that provides user authentication for services supported by SAML2 protocol. For more information see SimpleSamlphp page.

MitreID

A component that provides authentication for services using the OpenID Connect protocol. User authentication is handled using SimpleSAMLphp.

For more information see MitreID page.

MariaDB Galera Cluster

Internal database. For more information see MariaDB Galera Cluster page.

Perun

Perun provides Proxy IdP management for users, groups and services. For more information see Perun page.

LDAP and RPC are used for communication (LDAP is preferred).

LDAP interface

PROS

  • It does not depend on the running of the Perun system.
  • Multiple instances - in case of a failure, it is possible to retrieve data from an LDAP replica.
  • Faster retrieval of more complex data structures.

CONS

  • Delayed data propagation to LDAP (ideally almost zero).
  • It does not contain the same data structure as RPC interface.
  • Available only for READ operations

RPC interface

PROS

  • Contains all data without delay.
  • Available for READ and WRITE operations

CONS

  • It depends on the running of the Perun system.
  • Only one instance - in case of failure, no data can be obtained.
  • Acquiring more complex data structures takes longer.

At the time of the Perun system outage, the Proxy IdP component works to a limited extent:

  • The process of signing up existing users to existing services can take a long time.
  • Services may not receive all attributes or may contain older values:
    • isCesnetEligibleLastSeen - in the event of a Perun outage, it is not possible to calculate and update the value of the isCesnetEligibleLastSeen attribute, and the last known value will be passed.
  • Impossibility to pass filters to WAYF, which are stored in the Perun system.
  • Inability to register new users and services.

CESNET LDAP

The Proxy IdP connection to CESNET LDAP is used to obtain the data needed to calculate the isCesnetEligible attribute.

When the CESNET LDAP component fails, the value of the isCesnetEligible attribute will not be updated, and the last known value will be passed.