Cases & Voices

The experience of configuring its own identity provider, connected to its Active Directory and without the need for additional installing, opened the doors of the federated services to the Costa Rican academic network and its users, an experience of access to services without entry barriers and greater ease and convenience of use.

RedCONARE was founded in 2009 by the National Council of Rectors (CONARE) of Costa RICA, in order to join RedCLARA and provide the Costa Rican scientific community with the means to access and take advantage of advanced networks and scientific collaboration with the rest of the world .

Along with the interconnection of the National University of Costa Rica (UCR), the Technological University of Costa Rica (TEC), the University of Costa Rica (UCR), the State Distance University (UNED), and the National Technical University (UTN ), and their connection through RedCLARA to the academic networks of the world, RedCONARE provides collaboration services to their members, such as eduroam, Colaboratorio and data transfer for research. But when it comes to providing access to the most advanced online services to encourage scientific collaboration and enhance the progress and development of scientific-academic and technological research, having an Identity Provider (IdP) that proves that each user is Who should be and provide access to the various resources, is crucial. And this necessarily requires the participation of an Identity Federation. It is here that the “tica” National Research and Education Network identified the challenges that it had to face without delay:

• Provide access, through FIEL (RedCLARA identity federation), to the federated services of the Academic Networks by creating their own IdP.
• Maintain a unique authentication, based on Azure Active Directory (Azure AD: business identity service that provides single sign-on and multi-factor authentication).
• And do both quickly and without increasing the number of systems that operate internally.

RedCONARE has invested in the consolidation of identity management and access to services through the Microsoft Azure AD service, and although it has given good results, the need to maintain its IdP based on this authentication system, was growing stronger every day. And CONARE and RedCONARE recognized that the access to the services offered through the Identity Federations was key to support collaboration, and Azure AD support for SAML integration (Security Assertion Markup Language) does not provide the technical capacity necessary to participate directly as an IdP.

Thus, looking for a solution that will close the Azure AD gap and the Identity Federations RedCONARE found the solution using the Bridge IdP.

In this point we must make a stop to remember that Identity Federations can be accessed through RedCLARA in the following modalities:

1. Installation of the institution itself, usually in its own infrastructure.
2. Installation of the IdP -whether installing it in your own institution or accessing it through the cloud- with the support, experience and expertise of RedCLARA and its technological partner (and member) CEDIA (Ecuadorian academic network).
3. The institution may also decide to keep its IdP in the cloud, in SaaS mode (software as a service). In this case, the solution is Bridge IdP (which is the one RedCONARE chose), which is a RedCLARA and Cirrus Identity (as a technology partner) service.

Bridge IdP is a cloud-hosted solution that saves customers the time and effort required to maintain a SAML identity provider compatible with identity federations. RedCLARA and Cirrus Identity, one of the two technological partners with whom this bridge service is provided, have several years of experience with the federations (FIEL, eduGAIN) and SAML technical knowledge, thus they manage to help institutions by putting institutions first integrations in operation quickly.

Implementation

"Our IdP is now linked to Azure, which is connected to our new Active Directory, which will soon be our official authentication server," says Karla Quesada, a RedCONARE network technician, who emphasizes that "the integration with the Bridge IdP was simple and straightforward. Now we can integrate some of the applications we have to the federation. "

For the Azure AD administrator, there is a simple configuration in the service portal that defines new web applications. This depends on the licensing level and only a few parameters provided by RedCLARA are required to execute it, a process that takes approximately 30 minutes.

After the Azure AD configuration was completed - RedCLARA and Cirrus Identity provide complete and step-by-step documentation for it - the RedCONARE IdP was able to register the Bridge IdP as the organization's identity provider.

Thus, once the RedCONARE IdP metadata was published in FIEL (RedCLARA Identity Federation), RedCONARE staff could use the access like any other member of the federation.

A basic license for Azure AD enables administrators to use familiar Azure Portal tools to manage their participation in Identity Federations. In the case of CONARE, the premier Azure Active Directory license allowed customization of user attributes that are delivered to the SAML assertion, and access control for authorized users to federated services using Active Directory groups.

 

Invisible to users

And yes, this is very technical, but it has the virtue of being something invisible to users, who only see how it improves their experience of access to services, without having to enter their username and password at any time.

The key is that for end users the integration is independent. An individual can start the day by logging in to Office365, on their traditional home screen (in this case the one provided by RedCONARE), this opens the user's browser, and, while this session is active, the user can access other federated applications without having to log in again and again.

A few minutes after the login, unfettered access to federated applications is opened, many of them accessible through the Colaboratorio that CONARE has implemented with the collaboration of RedCLARA.

The only difference with federated applications is the occasional need to choose the institution providing the service from a list, but this will in no case lead the user to re-fill the text fields where the username and password are entered, because that work was already done by the IdP and the federation.

The result? The IdP Bridge is helping to fulfill RedCONARE's mission: “Provide the national scientific community with the means to access and take advantage of advanced networks and scientific collaboration with the rest of the world”.

 

Screen that users see when accesing.	Configuration screen.

 

About RedCONARE:

RedCONARE was created in 2009 by the Council of Rectors, in order to join the Latin American Cooperation of Advanced Networks, RedCLARA, and provide the national scientific community with the means to access and take advantage of advanced networks and scientific collaboration with the rest of the world.

For the execution of this project, the Council of Rectors assigned the responsibility for executive coordination to the National Center of High Technology (CeNAT), a CONARE project that seeks to link academia, industry and government in scientific research initiatives, technological development and innovation. Additionally, technical coordination was placed in the hands of the Center for Information and Communication Technologies (CETIC) of CONARE.

 

More information at:

servicios@redclara.net 

https://www.facebook.com/RedCONARE

@redconare

https://www.redclara.net/index.php/es/servicios-rc/federaciones-de-identidad