Proxy IdP architecture

Owned by Jana Přepechalová
Last updated: Jun 21, 2022 by Pavel Vyskočil
2 min read

Description of individual Proxy IDP components

The Proxy IdP component is operated on the machines of CESNET virtualization platform. As a critical component, it is operated in High Availability mode:

  1. The cluster consists of three, mutually representative, geographically separated machines.

  2. Individual machines are regularly updated and backed up.

  3. Each of the machines is monitored by the Nagios system processed by the Metacentrum.

  4. The current status of the Proxy IdP component is available here.

 

 

The Proxy IdP component consists of internal and external parts:

Internal parts:

  1. SimpleSAMLphp

  2. MitreID

  3. MariaDB Galera Cluster

External parts:

  1. Perun

    1. LDAP Interface

    2. RPC Interface

SimpleSAMLphp

Component that provides user authentication for services supported by SAML2 protocol. For more information see SimpleSamlphp page.

MitreID

A component that provides authentication for services using the OpenID Connect protocol. User authentication is handled using SimpleSAMLphp.

For more information see MitreID page.

MariaDB Galera Cluster

Internal database. For more information see MariaDB Galera Cluster page.

Perun

Perun provides Proxy IdP management for users, groups and services. For more information see Perun page.

LDAP and RPC are used for communication (LDAP is preferred).

LDAP interface

PROS

CONS

PROS

CONS

It does not depend on the running of the Perun system.

Delayed data propagation to LDAP (ideally almost zero).

Multiple instances - in case of a failure, it is possible to retrieve data from an LDAP replica.

It does not contain the same data structure as RPC interface.

Faster retrieval of more complex data structures.

Available only for READ operations

RPC interface

PROS

CONS

PROS

CONS

Contains all data without delay.

It depends on the running of the Perun system.

Available for READ and WRITE operations.

Only one instance - in case of failure, no data can be obtained.

 

Acquiring more complex data structures takes longer.

 

At the time of the Perun system outage, the Proxy IdP component works to a limited extent:

  • The process of signing up existing users to existing services can take a long time.

  • Impossibility to pass filters to WAYF, which are stored in the Perun system.

  • Inability to register new users and services.

Support: perun@cesnet.cz