Trust and Internet Identity Meeting Europe
5-6 Feb 2018: Workshops and Tutorials
7-8 Feb 2018: Unconference

TIIME 2018: Wayf's Go Stuff

(Mads Petersen)

Mads: This is an interactive repeat of the presentation that I did on Tuesday. Andrew asked me to repeat it. Wayf's Go stuff is Go SAML libraries, written in Go, which will in two months’ time replace WAYF’s hub infrastructure, currently running on SSP/Corto. The idea was to show what the Go stuff is, but we can look at why we do it: the business requirements, why a new platform, why in Go, and a little bit in the libraries.

WAYF is the Danish HE identity federation. Started out as a protocol independent because we could get anyone to use SAML, it’s like they had a trauma from it. We had requirements of doing consent to have a program that could go into the flow of things and a Samsung SP and the rest is history and everybody got the Samsung SP easily not even universities but also high schools. 150 IDPs using the same SP. Some IDPs you can’t talk to. You can’t put it together to some SPs. We supply them with metadata but they have to do a full mesh interaction with the federation.

Rainer: This couldn’t be connected? M: We would need an SP for all backend SPs. When you login you should trust what our IDPs do. R: So a policy conflict? M: We couldn’t find an IDP in eduGAIN that would release this data. It has some advantages: onboarding is easy, it becomes irrelevant because we are all SAML now. WAYF started with CAS IDPs, the disadvantages are the double discovery, they know that they have to select a fighter (?) when they select SP. Why do we have to choose WAYF, someone asked? So we wanted to show that the institutions. Some of the larger publishers can’t handle that here is one entity. Going from hub SP to mesh SP is difficult. We came up with a new idea, a WAYF hybrid, we want to be a hub for some and a mesh for some. Make it up to individual entities, they can join us if we were a hub or a mesh federation. We want to make it easy for our SPs to make it possible for them to be in eduGAIN by checking a checkbox. This is a new one, how mesh looks like. The other thing we chose is this one (with blue and yellow triangles). The interface between our IDPs and us is the same. The SPs know one IDP. They won’t feel a change when we make it. All of the SPs have a proxy that has metadata that we will publish. Most of them are the parties using another technology. The new thing is that we have the same thing for all of our SPs. Same interface but they can be published into eduGAIN if they want to. Now every IDP can talk to our SP if they want to. If you want to be a standalone SP you can do it, or a standalone IDP. This is just a normal mesh if you look at it.

R: Your existing hub couldn’t do that? Peter: It wouldn’t prevent you from doing that. M: It’s hub mesh and hub. P: Assuming I am an SP, I am not exposed to eduGAIN. Would introducing this change the entities of the SPs? M: No. In this case we chose to have another prefix. We chose to not change the entity ID; they are the same. P: They were globally unique and addressable.

M: One problem we became aware of is that normally the scoping from the far right to far left but if you can’t log into this from IDP it doesn’t make sense anymore. I don’t know if they check them but our backends have to be able to not shake the scope and rely on us. All we would have to have a very long list of scopes. Listing all is the same as listing none.

P: There are two aspects, the scope one is you want to prevent another IDP asserting in my scope, so since everything is going through the hub it should be authoritative for all scopes in the world. So you lose scope. M: We would do a scope check though. It’s not the security but it’s technical. P: That’s the thing you mean when you go inside and outside the hub you can’t make the SP change what they are doing. That might be a problem for specific SPs. This is the problem for preconfigured attributes. There is an addon thing that does the scope checking. M: This is a new thing that they are able to do this. That is a kind of condition to be able to either put everything in the metadata. It would be a very long list of scopes.

M: This is pyElevent and we ended up doing this in Go, we have to get from PHP, it would be impossible on an API level. We had to do it on a higher level. All of the stack PHP Samsung PHP they all took the key and wrapped and passed them as pip. We had to change the whole stack anyway. P: There is also the driver to access the ssm so you don’t only lead the pkcs but also the driver. M: There is one pkcs level but also the library.

Our was to be able to get around these PHP problems. We wanted to have a local service. When we saw that this go py11 continue. Py11 was as complicated so we looked around and found Go that has a nice pkcs library. We made go11. Once you have an http interface and you get it back signed as json all kinds of use cases pop up that have nothing to do with PHP. Signing from docker containers and if you have temporary containers. To have access to the net HSM. Anything can sign it and move the access to http level. IP Addresses oauth, http we got a lot of experience with and to put it everywhere. The genius of the idea.

Go is a statically typed AOT language. Invented by Google. A replacement for C++, they analysed that they had 500x. It has event performance combined with additional blocking. By performance where you have one process that has events from input on the network. That’s why I need an access fast and http proxies are fast. They have a model that does the same thing, apache. You are not going to monopolize this. It saves a lot of context switching so it’s fast and Go uses that. It has a nice standard library so we don’t use any external libraries. Very skinny interfaces, an abstract class in other languages but very shallow and skinny in Go, and MDQ interface we use to get to metadata and you get something we call Xp with metadata for the entity. You can put a simple curl behind it and point to a wheel and you are up and running. Very nice provisioning for tests. And no external dependencies in binary, it runs on the bare always.

The Mythical Man-Month: we have tried to make a program for yourself, this costs one unit, and if you make it into a unit it’s 3x as much and into a product also 3x as much, and if you make it into a programming system product it costs 10x as much. It’s very specific to WAYF. We have to obey the standards and we have this nice SAML V2.0 profile “Implementation Profile for Federation Interoperability Version 1.0”. One of them is upstream anomaly to fan out all SPs and the other one is called logout where we don’t expect any logouts. It’s a small codebase, 3000 lines of library, 1100 app lines and 2500 lines of test. Which is just 20% of Satosa. We have a more maintainable codebase. We have a third party Go library for pkcs 11 and goSQLLine library. Goxml which is taking care of the low level xml things, encryption signature, passing, everything. Gosaml that is the SAML level lib, one plugin to see if it’s a response or request and it gives back metadata for the sender and receiver. IMDQ is what we call the local mdq library that we use for testing. You want to search in the whole SP database for the whole things. We need something other than MDQ testing. We have godiscovery which is our discovery.

About the design decisions. See design decisions on the presentation. This is the only interface we have above gosaml, SQLite as metadata container, you want to use fts for discovery. We needed an SQLite. In the setup we have one SQLite which has all metadata plus all that is needed to make some nice searches for IDPs. We discussed putting the data into the binary. But we are not there yet. We like to put complexity into the metadata but not in the code. The handling is not in the server, we change the metadata to what we call operational metadata. Consent of putting into the flow. Post the response to it.

This metadata is about 25 MB, it takes 0.5ms to update it and every eduGAIN entity is in there. We will never again see metadata not found. We will see the service that you are trying to access is not in WAYF.

Next steps are going to be test, test and test. We will ask every SP and IDP to test and we will do it ourselves. Hackmanit, they are behind the “Be Whoever You Want to Be” article about signature adjacent in XML. If we manage we will split a WAYF hybrid and a specific code on top of it. We might start using one of the native ones. We have some memory issues. Go is a memory managed language and XML is not. So we have to be very careful of releasing the right one.

There are a lot of good reasons not to use PHP but how many of these Go libraries are really Go code and how many are wrapped C code? M: We don’t know what it is written in but it’s probably in C, libxml2 is C++; the yellows are Go libraries and the blue are those Go libraries that we have written. Metadata that is able to do SQLite but of course you can make your own interface and MDQ. We use that because we don’t want to have external dependencies in the testing environment.