Proxy IdP architecture
Description of individual Proxy IDP components
The Proxy IdP component is operated on machines of the CESNET virtualization platform.
As a critical component, it is operated in High Availability mode:
The cluster consists of three mutually interchangeable, geographically separated machines, login[1-3].cesnet.cz.
The individual machines are regularly updated and backed up.
Each machine is monitored by the Nagios system run by Metacentrum.
The result of the main check (whether signing in to a SAML and an OIDC service is possible) is also available in CESNET Nagios.
The current status of the Proxy IdP component is available here.
The Proxy IdP component consists of internal and external parts:
Internal parts:
SimpleSAMLphp
MitreID
MariaDB Galera Cluster
External parts:
Perun
LDAP Interface
RPC Interface
Cesnet LDAP
SimpleSAMLphp
A component that provides user authentication for services that use the SAML2 protocol. For more information see the SimpleSAMLphp page.
MitreID
A component that provides authentication for services that use the OpenID Connect protocol; the user authentication itself is handled by SimpleSAMLphp.
For more information see the MitreID page.
MariaDB Galera Cluster
Perun
Perun provides management of users, groups and services for the Proxy IdP. For more information see the Perun page.
The Proxy IdP communicates with Perun over LDAP or RPC (LDAP is preferred).
LDAP interface
PROS
It does not depend on the Perun system being up.
Multiple instances: if one fails, the data can be retrieved from another LDAP replica.
Faster retrieval of more complex data structures.
CONS
Delayed propagation of data to LDAP (ideally close to zero).
It does not provide the same data structures as the RPC interface.
Available only for READ operations.
RPC interface
CONS
It depends on the Perun system being up.
Only one instance: if it fails, no data can be obtained.
Retrieving more complex data structures takes longer.
During a Perun system outage, the Proxy IdP component works only to a limited extent:
Signing in existing users to existing services can take a long time.
Services may not receive all attributes, or may receive older values:
Filters for the WAYF, which are stored in the Perun system, cannot be passed.
New users and services cannot be registered.
CESNET LDAP
The Proxy IdP's connection to CESNET LDAP is used to obtain the data needed to compute the isCesnetEligible attribute.
If the CESNET LDAP component fails, the value of the isCesnetEligible attribute is not updated and the last known value is passed on.
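The source-preference and degraded-mode rules above (LDAP replicas first, Perun RPC as fallback, last known values during a Perun or CESNET LDAP outage) as an added illustration in Python; this is not CESNET's code, and every class, method and backend name in it is hypothetical.

```python
# Added example, not CESNET's own code: models the backend-selection and
# degraded-mode rules this page describes. All names are hypothetical; each
# backend is a stand-in callable that returns a dict or raises SourceDown.
from dataclasses import dataclass, field


class SourceDown(Exception):
    """Raised by a backend callable when that backend is unavailable."""


@dataclass
class AttributeResolver:
    ldap_replicas: list   # preferred: read-only, several instances, may lag Perun
    rpc: object           # fallback: single instance, only works while Perun is up
    cesnet_ldap: object   # source of the data behind isCesnetEligible
    cache: dict = field(default_factory=dict)  # last known values per login

    def user_attributes(self, login):
        """Return (attrs, source, degraded); attrs is None for an unknown user."""
        # 1. Try each LDAP replica in turn; one failing replica is not an outage.
        for replica in self.ldap_replicas:
            try:
                attrs = replica(login)
            except SourceDown:
                continue
            self.cache.setdefault(login, {}).update(attrs)
            return attrs, "ldap", False
        # 2. No replica answered: fall back to Perun RPC (slower, single instance).
        try:
            attrs = self.rpc(login)
        except SourceDown:
            # 3. Perun outage: existing users get last known values, new users none.
            if login in self.cache:
                return dict(self.cache[login]), "cache", True
            return None, "none", True
        self.cache.setdefault(login, {}).update(attrs)
        return attrs, "rpc", True

    def is_cesnet_eligible(self, login):
        """Return (value, stale); on CESNET LDAP failure pass the last known value."""
        try:
            value = self.cesnet_ldap(login)
        except SourceDown:
            return self.cache.get(login, {}).get("isCesnetEligible"), True
        self.cache.setdefault(login, {})["isCesnetEligible"] = value
        return value, False
```

The `degraded`/`stale` flags are what a monitoring check would key on: a service still gets an answer, but the operator can see that it came from a fallback path or from cached data.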