www.canarie.ca
CAF Workshop on Federation Tools
IDP Installer and Federation Management Tools
Chris Phillips | April 2014 | CANARIE | Vancouver
Agenda
8:00-8:30 – Coffee & Registration
8:30-8:45 – Introductions and Workshop Overview
8:45-10:15 – Using the IdP Installer, Sample Installation, Walkthrough
10:15-10:30 - Break
10:30-11:15 – CAF Tools walkthrough
11:15-12:15 – Federation Management Tools
12:15 – 12:30 – Q&A, Closing remarks
In theory, there is no difference between theory and practice.
But, in practice, there is.
Introductions
Outcomes for today
•  Improved understanding of the IdP Installer
•  Highlight key deployment considerations
•  Know where to go for CAF resources
•  Socialize Federation management tools direction
https://www.flickr.com/photos/reway2007/3137608759 reway2007
Setting Today’s Context
Roaming wireless
•  International wireless roaming
•  Ability to automatically sign on using your home credential
•  Reduces barriers to mobile users
•  Worldwide and expanding coverage:
   •  Canada: 78 sites
   •  60 countries worldwide

Federated identity
•  Federated Single Sign On for services
•  Web and non web sign on
•  Authentication
•  Authorization
•  Attribute release
•  Across different security domains

Interfederation
•  eduGAIN as primary, exploring other direct relationships
•  Bridge to international community
•  Enables CAF participants to:
   •  Accept identities inbound from outside Canada to Canadian services
   •  Use Canadian identities in services outside Canada

•  3.4M logins March 2014
•  2x traffic growth in 1yr
•  78 sites
•  33 Service Providers
•  25 Identity Providers
[Chart: Successful Logins – International vs. Canada]
[Chart: Total CAF enabled users – SAML & eduroam]
•  Int’l NREN CEO Forum placed eduGAIN as a key effort
•  CAF was early adopter - joined last year when there were 8, and eduGAIN now has 20 countries
CAF Ecosystem (diagram labels): Identity Providers; Service Providers; Universities; Colleges; Research inst.; Cloud providers; Specialized R&E Apps; Libraries; Commercial SP; Research teams; Regional Community Group Gateway; Partners; BCNET; Provincial governments; Organizing bodies; Applicants; Parents; Temporary staff; Professor; Student; Researcher; App Developer; IDM Expert; Group Admin
CAF Roadmap (diagram, VALUE plotted against Today / FY 2015 / FY16): Federation Infrastructure & Governance; Knowledge Base + more tools!; Federation Community Manager; CAF Marketplace; Operating Policies; Training & Technical Support; Marketing Material; IDP Installer
IDP Installer
IdP Installer
•  What is it?
–  VM image +
html configuration forms
•  What does it do?
–  Auto installs and configures
IdP server components
–  Easier connection to
CAF servers
–  Supports eduroam and
Shibboleth
•  Benefits
–  Fewer steps
–  Hides technical complexity
from user
Identity Appliance stack (diagram): Shibboleth Identity Provider; freeRADIUS; Apache Tomcat; Java; Operating System (CentOS)
IdP Installer Consolidating & Reducing Effort
Installation Overview (flow): Download installer → Plan & Prepare installation → Do Installation → Post installation tailoring → Local acceptance testing → Contact CANARIE to complete registration
1.  Download Installer
   1.  From http://bit.ly/caftools
2.  Plan & Prepare your installation
   1.  Review System Requirements to prepare your environment.
   2.  Prepare your network
   3.  Prepare your environment (settings for Directory, Certificates, etc.)
   4.  Review and choose a preferred deployment approach
   5.  Review your federation-specific post-install steps
3.  Do the installation
   1.  Create a configuration from your federation's configuration builder
   2.  Save the configuration as 'config' in this directory on your server
   3.  Run the script ./deploy_idp.sh
   4.  Answer any inline questions (use self-signed cert? password creation for keystores)
4.  Perform Post-installation Tailoring
   1.  Based on items previously identified, finalize the installation
   2.  Identify steps that need to be repeated in production
5.  Locally Test Installation
6.  Repeat installation steps for production installation as needed
[1] From installer document in distribution: https://collaboration.canarie.ca/elgg/groups/profile/847/idp-installer
Planning: Deployment Model – Test & Prod
Planning: SSID strategy – augment or replace?
Recommendation: Consider consolidating to eduroam
•  Why:
   –  Less to configure for end users:
      •  set up once, use everywhere → why run one that only works for you?
      •  Less to manage as the wifi infrastructure operator → reduces helpdesk support
   –  Eduroam can be VLAN’d based on authentication
      •  Local users VLAN’d to ‘local IP space’ and remote users to ‘remote’ [1][2]
   –  Configuration Assistant Tool (CAT) performs configuration
•  To resolve ‘how do I get on?’ for users, offer an eduroam_help SSID
   –  Behaves as a captive portal and is only able to reach eduroam configuration information (cat.eduroam.org) and your specific information
   –  Working with UFV through IdP Installer with the
   –  Some Canadian sites already using just eduroam as the singular SSID
[1] https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus
[2] http://medit.med.ubc.ca/initiatives/eduroam-by-ubc/
Planning: Certificates

FedSSO / SAML2
•  2 certificates
   §  End user facing (port 443) for SSO userid/password
      •  commercial root’ed certificate to avoid browser pain
   §  IdP/SP Certificate for metadata
      •  Self signed, 2048 bit SHA2
      •  Autogenerated on install
      •  Usually long lived (10yrs)
   §  Possession & comparison of certs present in metadata is the crux of trust
Recommendation:
Use your usual commercial cert for end user facing port 443
Let tools do what they should do for long lived self signed

Eduroam / 802.1x
•  2 TLS pieces: CA + server cert.
   §  Laptops and mobile devices asked to trust both CA and server certificate
   §  If CA = commercial root, slightly less pain on MSFT clients (avoids popup of ‘trust this root?’)
   §  eduroam CAT installer critical to help streamline installation & trust regardless of cert type.
Recommendation:
Simply put: YMMV & up to you to tailor the experience
Quick video example: eduroam CAT w/ comm. cert & w/ non commercial certificate.

IDP Installer automatically uses self-signed everything & is a base for build outs.
Certificates & HeartBleed
•  Heartbleed risk present on hosts susceptible to the OpenSSL handshake
   –  FedSSO/SAML
      •  Metadata signing was not at risk since that key is never used in the handshake & the OpenSSL version was safe.
      •  A handful of SAML entities did have to do key roll over (regenerate and replace keys)
      •  Risk was possible exposure of the private key, and therefore emulation or decryption of traffic could have been done
         –  extremely remote and requires an extraordinary attack, but the risk is present nonetheless → must regenerate the private key and metadata cert and do roll over.
   –  Eduroam
      •  Eduroam trust is built on shared secrets, therefore not susceptible in server-to-server trusts.
      •  HOWEVER, the RADIUS server certificate suffered the same style of attack vector, but between the RADIUS server and clients (mobile devices)
         –  Key compromise and therefore decryption of traffic, if such was done
         –  risk extremely remote but present. The few sites patched and made the necessary changes.
      •  Global eduroam had a validator within hours of the announcement and scanned many sites, including Canadian ones, very early on.
•  Within 72hrs all Heartbleed risk was eliminated from the affected few sites in FedSSO and eduroam in Canada.
   –  Would self signed or commercial have made a difference? No. The risk was the same regardless of root. A private key is a private key and both would need to have been regenerated.
   –  Many thanks to admins who were very responsive to the issue!
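The two certificate points above (possession and comparison of the certs in metadata is the crux of trust, and a key roll over after possible private-key exposure) as an added example; this is not CANARIE, CAF or IdP Installer code. It reads the signing certificates an entity publishes in SAML2 metadata, fingerprints them, and reports whether a roll over away from an old key is not started, in progress or complete. The entityID and the certificate bytes are constructed placeholders, not real X.509.

```python
"""Added example (not CANARIE/CAF or IdP Installer code): which signing
certificates does a SAML2 entity publish in federation metadata, and is a
key roll over away from an old certificate complete?

Everything below is constructed: the entityID is a placeholder and the
"certificates" are placeholder bytes, not real DER-encoded X.509.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder certificate bytes (NOT real X.509); only their
# fingerprints matter here.
OLD_CERT = b"placeholder: self-signed IdP cert generated at install time"
NEW_CERT = b"placeholder: replacement cert generated after key exposure"


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def metadata_with(certs, use="signing"):
    """Build a minimal EntityDescriptor carrying one KeyDescriptor per cert
    (constructed sample; a real IdP's metadata has far more in it)."""
    key_descriptors = "".join(
        '<md:KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data>'
        "<ds:X509Certificate>%s</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        % (use, base64.b64encode(c).decode("ascii"))
        for c in certs
    )
    return (
        '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" '
        'entityID="https://idp.example.invalid/idp/shibboleth">'
        "<md:IDPSSODescriptor protocolSupportEnumeration="
        '"urn:oasis:names:tc:SAML:2.0:protocol">%s</md:IDPSSODescriptor>'
        "</md:EntityDescriptor>" % (NS["md"], NS["ds"], key_descriptors)
    )


def signing_fingerprints(metadata_xml):
    """Fingerprints of every certificate a relying party would accept for
    signature verification.  A KeyDescriptor without a 'use' attribute is
    valid for both signing and encryption, so it counts; 'encryption'-only
    descriptors do not."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter("{%s}X509Certificate" % NS["ds"]):
            # Base64 in metadata is usually wrapped across lines; strip whitespace.
            der = base64.b64decode("".join((cert.text or "").split()))
            fps.append(fingerprint(der))
    return fps


def rollover_status(metadata_xml, old_cert, new_cert):
    """Where a signing-key roll over stands, judged only from what the
    federation metadata tells relying parties to trust."""
    fps = set(signing_fingerprints(metadata_xml))
    old_in = fingerprint(old_cert) in fps
    new_in = fingerprint(new_cert) in fps
    if old_in and new_in:
        return "in-progress"   # both keys trusted: safe to switch the IdP over
    if new_in:
        return "complete"      # old key gone: its exposure no longer matters
    if old_in:
        return "not-started"   # only the old key is published
    return "neither-published"


if __name__ == "__main__":
    for stage, certs in (("before", [OLD_CERT]),
                         ("during", [OLD_CERT, NEW_CERT]),
                         ("after", [NEW_CERT])):
        print(stage, rollover_status(metadata_with(certs), OLD_CERT, NEW_CERT))
```

Until the old certificate is removed from the published metadata, relying parties keep accepting signatures made with the possibly exposed key, which is why the roll over is only done when the status reads "complete".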
IdP Installer Test Shib walkthrough
Break
CAF Tools Walkthrough
•  Eduroam weathermap
–  http://weathermap.canarie.ca/caf/eduroam
•  Eduroam CAT
–  https://cat.eduroam.org/
•  eduGAIN
–  https://www.edugain.org/
•  FedSSO Discovery Guidance
–  https://discovery.refeds.org
•  CAF FAQ system
–  http://tts.canarie.ca/otrs/public.pl
•  Collaboration.canarie.ca
–  http://collaboration.canarie.ca
•  CAF Guest IdP & 'external identities' (aka social2SAML)
   –  http://id.canarie.ca
   –  External identity demo with SAML sharepoint sign on
All available at: http://bit.ly/caftools
CAF Guidance on Attribute Release
•  Current CAF policy → mandatory release of eduPersonTargetedID
•  Example of the importance of attribute release
•  What the community at large is doing
   –  In Canada → Examining various profiles for attribute ‘bundles’
•  Collaboration profile
•  Canadian Researcher profile
•  Canadian Student profile
•  K-12 specific attributes
–  Internationally
–  Entity categories in metadata, rules in IdPs for release
–  K-12 conversations in US.
•  SAML metadata representation
Federation Management Tools
Federation Community Manager
Features
•  UI-based provisioning of privacy and security policies (e.g. ARPs)
•  Self-serve user interface for Partner, IDP and SP admins
•  Consolidated view of all community groups, IDPs and SPs in CAF
•  Auto-generates meta data
Benefits
•  Reduces development time → faster implementation
•  Reduces errors and facilitates
debugging
Status
•  Seeking pilot participants
Collaboration via CAF & Community Groups
(diagram): CAF Identity Providers; Regional Community Group (CG); Shared Services; CAF Service Providers
•  Services available to IDPs within
the community group
•  Define operating polices (e.g.
attribute release) specific to CG
•  Gives IDPs access to national
and international CAF SPs
Community Group Responsibilities (diagram labels): Privacy; Help Desk; Community Groups Admin; Hosted IDP Operations; Local Outreach; Central Operations; Technical Support; Technical Community; Trust Assertion; Governance; National Outreach; Tool Development; Operations; International Representation; CAF Participant Agreements; Implementation Guidance; Community Agreements; Institutions; CAF Partners; CAF
Closing Remarks / Q&A

Contenu connexe

Similaire à CAF Workshop BCNet2014

TNC2014 Think Globally act locally: Simplifying Federated technologies
TNC2014 Think Globally act locally: Simplifying Federated technologiesTNC2014 Think Globally act locally: Simplifying Federated technologies
TNC2014 Think Globally act locally: Simplifying Federated technologiesChris Phillips
 
CANARIE Canadian Access Federation Update @ Internet2 Identity Week 2013
CANARIE Canadian Access Federation Update @ Internet2 Identity Week 2013CANARIE Canadian Access Federation Update @ Internet2 Identity Week 2013
CANARIE Canadian Access Federation Update @ Internet2 Identity Week 2013Chris Phillips
 
Eduroam: A current view of the worldwide service
Eduroam: A current view of the worldwide serviceEduroam: A current view of the worldwide service
Eduroam: A current view of the worldwide serviceChris Phillips
 
Cloud and agile software projects: Overview and Benefits
Cloud and agile software projects: Overview and BenefitsCloud and agile software projects: Overview and Benefits
Cloud and agile software projects: Overview and BenefitsGuillaume Berche
 
Building a Cloud Native Platform with WSO2 Private PaaS
Building a Cloud Native Platform with WSO2 Private PaaSBuilding a Cloud Native Platform with WSO2 Private PaaS
Building a Cloud Native Platform with WSO2 Private PaaSWSO2
 
Cloud Based Cognitive Learning & IT Project Performance Platform (CLIPP Platf...
Cloud Based Cognitive Learning & IT Project Performance Platform (CLIPP Platf...Cloud Based Cognitive Learning & IT Project Performance Platform (CLIPP Platf...
Cloud Based Cognitive Learning & IT Project Performance Platform (CLIPP Platf...Ed Sattar
 
B2 - Integrating on-premises workloads with AWS
B2 - Integrating on-premises workloads with AWSB2 - Integrating on-premises workloads with AWS
B2 - Integrating on-premises workloads with AWSAmazon Web Services
 
Partner webinar featuring CatDV
Partner webinar featuring CatDVPartner webinar featuring CatDV
Partner webinar featuring CatDVFileCatalyst
 
London DevOps Meetup - PaaS as a platform for devops
London DevOps Meetup - PaaS as a platform for devopsLondon DevOps Meetup - PaaS as a platform for devops
London DevOps Meetup - PaaS as a platform for devopsJeremy Brown
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsCloudPassage
 
Alternative Dispatcher Layer Overview
Alternative Dispatcher Layer OverviewAlternative Dispatcher Layer Overview
Alternative Dispatcher Layer OverviewSquare Cloud
 
Netherlands Tech Tour 05 - Strategic Operationalization of MySQL
Netherlands Tech Tour 05 - Strategic Operationalization of MySQLNetherlands Tech Tour 05 - Strategic Operationalization of MySQL
Netherlands Tech Tour 05 - Strategic Operationalization of MySQLMark Swarbrick
 
Does Big Data Spell Big Costs- Impetus Webinar
Does Big Data Spell Big Costs- Impetus WebinarDoes Big Data Spell Big Costs- Impetus Webinar
Does Big Data Spell Big Costs- Impetus WebinarImpetus Technologies
 
USG Rock Eagle 2017 - PWP at 1000 Days
USG Rock Eagle 2017 - PWP at 1000 DaysUSG Rock Eagle 2017 - PWP at 1000 Days
USG Rock Eagle 2017 - PWP at 1000 DaysEric Sembrat
 
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014Kelly Grizzle
 
Raghu VM_Cloud Resume
Raghu VM_Cloud ResumeRaghu VM_Cloud Resume
Raghu VM_Cloud ResumeRaghu Ravi
 
Improving Your Company’s Health with Middleware Takeout
Improving Your Company’s Health with Middleware TakeoutImproving Your Company’s Health with Middleware Takeout
Improving Your Company’s Health with Middleware TakeoutVMware Tanzu
 
How to Leverage SAFe 5.0 for Your Enterprise Cloud Strategy
How to Leverage SAFe 5.0 for Your Enterprise Cloud StrategyHow to Leverage SAFe 5.0 for Your Enterprise Cloud Strategy
How to Leverage SAFe 5.0 for Your Enterprise Cloud StrategyCprime
 
Managing Oracle Solaris Systems with Puppet
Managing Oracle Solaris Systems with PuppetManaging Oracle Solaris Systems with Puppet
Managing Oracle Solaris Systems with Puppetglynnfoster
 

Similaire à CAF Workshop BCNet2014 (20)

TNC2014 Think Globally act locally: Simplifying Federated technologies
TNC2014 Think Globally act locally: Simplifying Federated technologiesTNC2014 Think Globally act locally: Simplifying Federated technologies
TNC2014 Think Globally act locally: Simplifying Federated technologies
 
CANARIE Canadian Access Federation Update @ Internet2 Identity Week 2013
CANARIE Canadian Access Federation Update @ Internet2 Identity Week 2013CANARIE Canadian Access Federation Update @ Internet2 Identity Week 2013
CANARIE Canadian Access Federation Update @ Internet2 Identity Week 2013
 
Eduroam: A current view of the worldwide service
Eduroam: A current view of the worldwide serviceEduroam: A current view of the worldwide service
Eduroam: A current view of the worldwide service
 
Cloud and agile software projects: Overview and Benefits
Cloud and agile software projects: Overview and BenefitsCloud and agile software projects: Overview and Benefits
Cloud and agile software projects: Overview and Benefits
 
Building a Cloud Native Platform with WSO2 Private PaaS
Building a Cloud Native Platform with WSO2 Private PaaSBuilding a Cloud Native Platform with WSO2 Private PaaS
Building a Cloud Native Platform with WSO2 Private PaaS
 
Cloud Based Cognitive Learning & IT Project Performance Platform (CLIPP Platf...
Cloud Based Cognitive Learning & IT Project Performance Platform (CLIPP Platf...Cloud Based Cognitive Learning & IT Project Performance Platform (CLIPP Platf...
Cloud Based Cognitive Learning & IT Project Performance Platform (CLIPP Platf...
 
B2 - Integrating on-premises workloads with AWS
B2 - Integrating on-premises workloads with AWSB2 - Integrating on-premises workloads with AWS
B2 - Integrating on-premises workloads with AWS
 
Partner webinar featuring CatDV
Partner webinar featuring CatDVPartner webinar featuring CatDV
Partner webinar featuring CatDV
 
London DevOps Meetup - PaaS as a platform for devops
London DevOps Meetup - PaaS as a platform for devopsLondon DevOps Meetup - PaaS as a platform for devops
London DevOps Meetup - PaaS as a platform for devops
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOps
 
Alternative Dispatcher Layer Overview
Alternative Dispatcher Layer OverviewAlternative Dispatcher Layer Overview
Alternative Dispatcher Layer Overview
 
Netherlands Tech Tour 05 - Strategic Operationalization of MySQL
Netherlands Tech Tour 05 - Strategic Operationalization of MySQLNetherlands Tech Tour 05 - Strategic Operationalization of MySQL
Netherlands Tech Tour 05 - Strategic Operationalization of MySQL
 
Does Big Data Spell Big Costs- Impetus Webinar
Does Big Data Spell Big Costs- Impetus WebinarDoes Big Data Spell Big Costs- Impetus Webinar
Does Big Data Spell Big Costs- Impetus Webinar
 
USG Rock Eagle 2017 - PWP at 1000 Days
USG Rock Eagle 2017 - PWP at 1000 DaysUSG Rock Eagle 2017 - PWP at 1000 Days
USG Rock Eagle 2017 - PWP at 1000 Days
 
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
SCIM: Why It’s More Important, and More Simple, Than You Think - CIS 2014
 
Raghu VM_Cloud Resume
Raghu VM_Cloud ResumeRaghu VM_Cloud Resume
Raghu VM_Cloud Resume
 
Improving Your Company’s Health with Middleware Takeout
Improving Your Company’s Health with Middleware TakeoutImproving Your Company’s Health with Middleware Takeout
Improving Your Company’s Health with Middleware Takeout
 
How to Leverage SAFe 5.0 for Your Enterprise Cloud Strategy
How to Leverage SAFe 5.0 for Your Enterprise Cloud StrategyHow to Leverage SAFe 5.0 for Your Enterprise Cloud Strategy
How to Leverage SAFe 5.0 for Your Enterprise Cloud Strategy
 
Storage profile Raghu
Storage profile RaghuStorage profile Raghu
Storage profile Raghu
 
Managing Oracle Solaris Systems with Puppet
Managing Oracle Solaris Systems with PuppetManaging Oracle Solaris Systems with Puppet
Managing Oracle Solaris Systems with Puppet
 

Plus de Chris Phillips

National Federation Perspectives & Insights
National Federation Perspectives & InsightsNational Federation Perspectives & Insights
National Federation Perspectives & InsightsChris Phillips
 
Scim2012 q1update chrisphillips
Scim2012 q1update chrisphillipsScim2012 q1update chrisphillips
Scim2012 q1update chrisphillipsChris Phillips
 
Chris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting Refresh
Chris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting RefreshChris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting Refresh
Chris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting RefreshChris Phillips
 
Canarie Federated Non Web Signon
Canarie Federated Non Web SignonCanarie Federated Non Web Signon
Canarie Federated Non Web SignonChris Phillips
 
Canarie CAF-eduroam Technical Workshop
Canarie CAF-eduroam Technical WorkshopCanarie CAF-eduroam Technical Workshop
Canarie CAF-eduroam Technical WorkshopChris Phillips
 
Canarie CAF- Shibboleth Workshop Topics
Canarie CAF- Shibboleth Workshop TopicsCanarie CAF- Shibboleth Workshop Topics
Canarie CAF- Shibboleth Workshop TopicsChris Phillips
 
Moonshot Brainstorming Strawman
Moonshot Brainstorming StrawmanMoonshot Brainstorming Strawman
Moonshot Brainstorming StrawmanChris Phillips
 
Moonshot Brainstorming Strawman
Moonshot Brainstorming StrawmanMoonshot Brainstorming Strawman
Moonshot Brainstorming StrawmanChris Phillips
 
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethChris Phillips
 
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestCANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestChris Phillips
 

Plus de Chris Phillips (11)

All Things eduroam
All Things eduroamAll Things eduroam
All Things eduroam
 
National Federation Perspectives & Insights
National Federation Perspectives & InsightsNational Federation Perspectives & Insights
National Federation Perspectives & Insights
 
Scim2012 q1update chrisphillips
Scim2012 q1update chrisphillipsScim2012 q1update chrisphillips
Scim2012 q1update chrisphillips
 
Chris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting Refresh
Chris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting RefreshChris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting Refresh
Chris Phillips SCIM Mace-Dir Internet2 Fall Member Meeting Refresh
 
Canarie Federated Non Web Signon
Canarie Federated Non Web SignonCanarie Federated Non Web Signon
Canarie Federated Non Web Signon
 
Canarie CAF-eduroam Technical Workshop
Canarie CAF-eduroam Technical WorkshopCanarie CAF-eduroam Technical Workshop
Canarie CAF-eduroam Technical Workshop
 
Canarie CAF- Shibboleth Workshop Topics
Canarie CAF- Shibboleth Workshop TopicsCanarie CAF- Shibboleth Workshop Topics
Canarie CAF- Shibboleth Workshop Topics
 
Moonshot Brainstorming Strawman
Moonshot Brainstorming StrawmanMoonshot Brainstorming Strawman
Moonshot Brainstorming Strawman
 
Moonshot Brainstorming Strawman
Moonshot Brainstorming StrawmanMoonshot Brainstorming Strawman
Moonshot Brainstorming Strawman
 
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and ShibbolethCANARIE - What Do I Need to Connect with eduroam and Shibboleth
CANARIE - What Do I Need to Connect with eduroam and Shibboleth
 
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interestCANARIE Eduroam and Shibboleth Lessons & Areas of interest
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
 

Dernier

Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 

Dernier (11)

Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 

CAF Workshop BCNet2014

  • 1. www.canarie.cawww.canarie.ca CAF Workshop on Federation Tools IDP Installer and Federation Management Tools Chris Phillips | April 2014 | CANARIE | Vancouver
  • 2. www.canarie.ca Agenda 8:00-8:30 – Coffee & Registration 8:30-8:45 – Introductions and Workshop Overview 8:45-10:15 – Using the IdP Installer, Sample Installation, Walkthrough 10:15-10:30 - Break 10:30-11:15 – CAF Tools walkthrough 11:15-12:15 – Federation Management Tools 12:15 – 12:30 – Q&A, Closing remarks
  • 3. www.canarie.cawww.canarie.cawww.canarie.ca In theory, there is no difference between theory and practice. But, in practice, there is.
  • 5. www.canarie.ca Outcomes for today •  Improved understanding of the IdP Installer •  Highlight key deployment considerations •  Know where to go for CAF resources •  Socialize Federation management tools direction https://www.flickr.com/photos/reway2007/3137608759 reway2007
  • 7. www.canarie.cawww.canarie.ca Roaming wireless •  International wireless roaming •  Ability to automatically sign on using your home credential •  Reduces barriers to mobile users •  Worldwide and expanding coverage: •  Canada: 78 sites •  60 countries worldwide •  Federated Single Sign On for services •  Web and non web sign on •  Authentication •  Authorization •  Attribute release •  Across different security domains Federated identity •  International wireless roaming •  Ability to automatically sign on using your home credential •  Reduces barriers to mobile users •  Worldwide and expanding coverage: •  Canada: 48 sites •  60 countries worldwide •  eduGAIN as primary, exploring other direct relationships •  Bridge to international community •  Enables CAF participants to: •  Accept identities inbound from outside Canada to Canadian services •  Use Canadian identities in services outside Canada Interfederation •  3.4M logins March 2014 •  2x traffic growth in 1yr •  78 sites - 500,000 1,000,000 1,500,000 2,000,000 Successful Logins International Canada •  33 Service Providers •  25 Identity Providers 937,000 986,765 1,011,793 1,020,387 880,000 900,000 920,000 940,000 960,000 980,000 1,000,000 1,020,000 1,040,000 Total CAF enabled users – SAML & eduroam •  Int’l NREN CEO Forum placed eduGAIN as a key effort •  CAF was early adopter - joined last year when there were 8, and eduGAIN now has 20 countries
  • 8. www.canarie.ca Identity Providers Service Providers Universities Colleges Research inst. Cloud providers Specialized R&E Apps Libraries Commercial SP Research teams Regional CommunityCommunity Group Gateway Partners BCNET Provincial governments Organizing bodies Applicants Parents Temporary staff Professor Student Researcher Researcher App Developer IDM Expert Group Admin CAF Ecosystem
  • 9. www.canarie.cawww.canarie.cawww.canarie.ca CAF Roadmap Federation Infrastructure & Governance Knowledge Base + more tools! Federation Community Manager CAF Marketplace Operating Policies VALUE   Training  &  Technical  Support   Marke9ng  Material   Today  FY  2015  FY16   IDP Installer
  • 11. www.canarie.ca IdP Installer •  What is it? –  VM image + html configuration forms •  What does it do? –  Auto installs and configures IdP server components –  Easier connection to CAF servers –  Supports eduroam and Shibboleth •  Benefits –  Fewer steps –  Hides technical complexity from user Identity Appliance" Shibboleth
 Identity
 Provider" freeRADIUS" Apache Tomcat" Java" Operating System (centOS)"
  • 13. www.canarie.cawww.canarie.cawww.canarie.ca Installation Overview Download installer Plan & Prepare installation Do Installation Post installation tailoring Local acceptance testing Contact CANARIE to complete registration 1.  Download Installer 1.  From http://bit.ly/caftools 2.  Plan & Prepare your installation 1.  Review System Requirements to prepare your environment. 2.  Prepare your network 3.  Prepare your environment (settings for Directory, Certificates, etc) 4.  Review and choose a preferred deployment approach 5.  Review your federation specific post install steps 3.  Do the installation 1.  Create a configuration from your federations' configuration builder 2.  Save configuration as 'config' in this directory on your server 3.  Run the script ./deploy_idp.sh 4.  Answer any inline questions (use self signed cert? password creation for keystores) 4.  Perform Post installation Tailoring 1.  Based on items previously identified, finalize the installation 2.  Identity steps needed to be repeated in production 5.  Locally Test Installation 6.  Repeat installation steps for production installation as needed [1] From installer document in distribution: https://collaboration.canarie.ca/elgg/groups/profile/847/idp-installer
  • 15. Planning: SSID strategy – augment or replace?
  Recommendation: Consider consolidating to eduroam
  •  Why:
     –  Less to configure for end users:
        •  set up once, use everywhere → why run one that only works for you?
        •  Less to manage as a wifi infrastructure operator → reduces helpdesk support
     –  Eduroam can be VLAN’d based on authentication
        •  Local users VLAN’d to ‘local IP space’ and remote users to a remote VLAN [1][2]
     –  Configuration Assistant Tool (CAT) performs the configuration
  •  To resolve ‘how do I get on?’ for users, offer an eduroam_help SSID
     –  Behaves as a captive portal and is only able to reach eduroam configuration information (cat.eduroam.org) and your specific information
     –  Working with UFV through IdP Installer with the
     –  Some Canadian sites already use just eduroam as the singular SSID
  [1] https://confluence.terena.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus
  [2] http://medit.med.ubc.ca/initiatives/eduroam-by-ubc/
  • 16. Planning: Certificates
  FedSSO / SAML2
  •  2 certificates
     §  End-user facing (port 443) for SSO userid/password
        •  commercially rooted certificate to avoid browser pain
     §  IdP/SP certificate for metadata
        •  Self-signed, 2048-bit, SHA2
        •  Autogenerated on install
        •  Usually long-lived (10 yrs)
     §  Possession & comparison of the certs present in metadata is the crux of trust
  Recommendation: Use your usual commercial cert for the end-user facing port 443. Let the tools do what they should do for the long-lived self-signed one.
  Eduroam / 802.1x
  •  2 TLS pieces: CA + server cert.
     §  Laptops and mobile devices are asked to trust both the CA and the server certificate
     §  If CA = commercial root, slightly less pain on MSFT clients (avoids the ‘trust this root?’ popup)
     §  eduroam CAT installer is critical to help streamline installation & trust regardless of cert type.
  Recommendation: Simply put: YMMV & up to you to tailor the experience. Quick video example: eduroam CAT w/ commercial cert & w/ non-commercial certificate.
  IdP Installer automatically uses self-signed everything & is a base for build-outs.
  • 17. Certificates & HeartBleed
  •  Heartbleed risk present on hosts susceptible via the OpenSSL handshake
     –  FedSSO/SAML
        •  Metadata signing was not at risk since that key is never used in a handshake & the OpenSSL version was safe.
        •  A handful of SAML entities did have to do key rollover (regenerate and replace keys)
        •  Risk was possible exposure of the private key, and therefore emulation or decryption of traffic could have been done
           –  extremely remote and requiring an extraordinary attack, but the risk was present nonetheless → must regenerate the private key and metadata cert and do a rollover.
     –  Eduroam
        •  Eduroam trust is built on shared secrets, therefore not susceptible in server-to-server trusts.
        •  HOWEVER, the RADIUS server certificate suffered the same style of attack vector, but between the RADIUS server and clients (mobile devices)
           –  Key compromise, and therefore decryption of traffic if such was done – risk extremely remote but present. The few sites patched and made the necessary changes.
        •  Global eduroam had a validator within hours of the announcement and scanned many sites, including Canadian ones, very early on.
        •  Within 72 hrs all Heartbleed risk was eliminated from the affected few sites in FedSSO and eduroam in Canada.
     –  Would self-signed or commercial have made a difference? No. The risk was the same regardless of root. A private key is a private key and both would need to have been regenerated.
     –  Many thanks to the admins who were very responsive to the issue!
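Slides 16 and 17 both turn on the same check: the certificate published in an IdP's SAML metadata must match the one actually deployed, and after a Heartbleed-style key rollover the old certificate must be dropped. The following is an added example (not CANARIE or IdP Installer code) that extracts the certificates from metadata KeyDescriptors, fingerprints them with SHA-256 and classifies the deployed certificate as consistent, mid-rollover or mismatched; the certificate bytes and entityIDs are constructed placeholders.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER-encoded certificate bytes."""
    return hashlib.sha256(der).hexdigest()

def metadata_fingerprints(metadata_xml: str, use: str = "signing") -> set:
    """Fingerprints of certs in KeyDescriptors valid for `use`
    (a KeyDescriptor with no use attribute serves both signing and encryption)."""
    found = set()
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, use):
            for c in kd.iter(f"{{{DS}}}X509Certificate"):
                found.add(fingerprint(base64.b64decode("".join(c.text.split()))))
    return found

def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of the first certificate in a PEM file as deployed on the IdP."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no certificate block in PEM input")
    return fingerprint(base64.b64decode("".join(m.group(1).split())))

def rollover_state(metadata_xml: str, deployed_pem: str) -> str:
    """'consistent': metadata carries only the deployed cert; 'rollover': deployed cert is
    published alongside an old one (drop the old one when every SP has refreshed);
    'mismatch': deployed cert absent from metadata, so SPs will reject the IdP's signatures."""
    published = metadata_fingerprints(metadata_xml)
    deployed = pem_fingerprint(deployed_pem)
    if deployed not in published:
        return "mismatch"
    return "consistent" if published == {deployed} else "rollover"

# Constructed sample data: these byte strings stand in for real DER certificates.
OLD_DER, NEW_DER = b"constructed-old-idp-cert", b"constructed-new-idp-cert"

def as_pem(der: bytes) -> str:
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"

def sample_metadata(*ders: bytes) -> str:
    """Minimal IdP metadata (placeholder entityID) with one signing KeyDescriptor per cert."""
    keys = "".join(f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>'
                   f'{base64.b64encode(d).decode()}</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>'
                   for d in ders)
    return (f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.ca/idp/shibboleth">'
            f'<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{keys}</md:IDPSSODescriptor></md:EntityDescriptor>')
```

Run `rollover_state(sample_metadata(OLD_DER, NEW_DER), as_pem(NEW_DER))` to see the mid-rollover case; with a real deployment, pass the federation's published metadata and the PEM from the IdP's credential directory.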
  • 20. CAF Tools Walkthrough
  •  Eduroam weathermap
     –  http://weathermap.canarie.ca/caf/eduroam
  •  Eduroam CAT
     –  https://cat.eduroam.org/
  •  eduGAIN
     –  https://www.edugain.org/
  •  FedSSO Discovery Guidance
     –  https://discovery.refeds.org
  •  CAF FAQ system
     –  http://tts.canarie.ca/otrs/public.pl
  •  Collaboration.canarie.ca
     –  http://collaboration.canarie.ca
  •  CAF Guest IdP & 'external identities' (aka social2SAML)
     –  http://id.canarie.ca
     –  External identity demo with SAML SharePoint sign-on
  All available at: http://bit.ly/caftools
  • 21. CAF Guidance on Attribute Release
  •  Current CAF policy → mandatory release of eduPersonTargetedID
  •  Example of the importance of attribute release
  •  What the community at large is doing
     –  In Canada → examining various profiles for attribute ‘bundles’
        •  Collaboration profile
        •  Canadian Researcher profile
        •  Canadian Student profile
        •  K-12 specific attributes
     –  Internationally
        –  Entity categories in metadata, rules in IdPs for release
        –  K-12 conversations in the US.
  •  SAML metadata representation
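To make the "entity categories in metadata, rules in IdPs for release" point concrete, here is an added example (not CAF policy or Shibboleth code) of an IdP-side release rule: the mandatory eduPersonTargetedID always goes out, and a richer bundle is released only to SPs whose metadata carries a matching entity category. The REFEDS Research & Scholarship category URI is real; the bundle contents, the SP entityID and the user record are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"

# Release rules modelled on the slide: eduPersonTargetedID is always released
# (CAF mandatory); richer bundles go only to SPs tagged with a matching entity
# category. The R&S bundle below is illustrative (assumption, not CAF policy).
MANDATORY = {"eduPersonTargetedID"}
BUNDLES = {RS: {"eduPersonPrincipalName", "mail", "displayName", "givenName",
                "sn", "eduPersonScopedAffiliation"}}

def entity_categories(sp_metadata_xml: str) -> set:
    """Entity-category values asserted in the SP's mdattr:EntityAttributes."""
    cats = set()
    for attr in ET.fromstring(sp_metadata_xml).iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats |= {(v.text or "").strip() for v in attr.iter(f"{{{SAML}}}AttributeValue")}
    return cats

def attributes_to_release(sp_metadata_xml: str, user_attributes: dict) -> dict:
    """Subset of the user's attributes this IdP will release to the given SP."""
    allowed = set(MANDATORY)
    for cat in entity_categories(sp_metadata_xml):
        allowed |= BUNDLES.get(cat, set())   # unknown categories grant nothing extra
    return {k: v for k, v in user_attributes.items() if k in allowed}

def sample_sp_metadata(*categories: str) -> str:
    """Constructed SP metadata (placeholder entityID) tagged with the given categories."""
    values = "".join(f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories)
    ext = (f'<md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}" '
           f'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">{values}'
           f'</saml:Attribute></mdattr:EntityAttributes></md:Extensions>') if categories else ""
    return (f'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            f'xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="{SAML}" '
            f'entityID="https://sp.example.ca/shibboleth">{ext}<md:SPSSODescriptor '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>')

# Constructed user record; employeeNumber is in no bundle and is never released.
USER = {"eduPersonTargetedID": "constructed-opaque-id", "eduPersonPrincipalName": "user@example.ca",
        "mail": "user@example.ca", "displayName": "Sample User", "employeeNumber": "12345"}
```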
  • 24. Federation Community Manager
  Features
  •  UI-based provisioning of privacy and security policies (e.g. ARPs)
  •  Self-serve user interface for Partner, IdP and SP admins
  •  Consolidated view of all community groups, IdPs and SPs in CAF
  •  Auto-generates metadata
  Benefits
  •  Reduces development time → faster implementation
  •  Reduces errors and facilitates debugging
  Status
  •  Seeking pilot participants
  • 25. Collaboration via CAF & Community Groups
  (Diagram: CAF Identity Providers – Regional Community / Community Group (CG) Shared Services – CAF Service Providers)
  •  Services available to IdPs within the community group
  •  Define operating policies (e.g. attribute release) specific to the CG
  •  Gives IdPs access to national and international CAF SPs
  • 26. Community Group Responsibilities
  (Diagram labels: Community Groups – Admin, Hosted IDP Operations, Local Outreach, Help Desk, Privacy; CAF – Central Operations, Technical Support, Technical Community, Trust Assertion Governance, National Outreach, Tool Development, Operations, International Representation; Institutions; CAF Partners; CAF Participant Agreements; Implementation Guidance; Community Agreements)