iFIRExMAN Training Programme

Overview

This repository provides step-by-step guides on setting up Identity Federation core services, Shibboleth IdP-as-a-Service, and eduroam IdP-as-a-Service:

• Kubernetes cluster.

• MariaDB Database.

• Federation core services.

• SSO/Attribute Release Test Service.

• Shibboleth Identity Provider (IdP)-as-a-Service.

• eduroam Identity Provider (IdP)-as-a-Service.

Architecture

Infrastructure

• The infrastructure is based on a typical Kubernetes cluster setup where you need to prepare several master and worker nodes.

• Optionally, you can also prepare a node that serves as a management (or login) node used to setup and manage your Kubernetes cluster and IdP-as-a-Services.

• These nodes do not necessarily need a public IP address. Instead, a private IP address is sufficient.

• 1:1 NAT will be used for incoming traffic from the internet.

• Seven (7) virtual machines are required for the infrastructure:

  • RKE-MGMT (Management Node)
  • 1 VM (4 vCPUs, 8GB RAM, 25GB Storage, Rocky Linux 8.6)
  • RKE-MASTER (Master Node)
  • 3 VM (4 vCPUs, 8GB RAM, 25GB Storage, Rocky Linux 8.6)
  • RKE-WORKER (Worker Node)
  • 3 VM (>=8 vCPUs, >=16GB RAM, 50GB Storage, 100GB Data (separate virtual disk), Rocky Linux 8.6)

• The Rocky Linux should be installed minimally (without GUI) on all nodes.

• The storage for the OS and Data (in the case of RKE-WORKER) should be on separate virtual disks.

• Root access to all nodes are required.

Networking

• Referring to the iFIRExMAN Architecture diagram, x.x.x denotes the private IP subnet, while y.y.y denotes the public IP subnet.

• A static private IP address is required for each node.

• You need to prepare 2 public IP and 2 private IP addresses and establish a 1:1 NAT between them.

• Access to ports 80 and 443 for both the public IP addresses are required.

• Several sub-domain names are required and should be pointed to the first public and private IP addresses at your external and internal DNS servers. These sub-domain names are:

  • fedmanager.ifirexman.edu
  • ds.ifirexman.edu
  • mdq.ifirexman.edu
  • ssotest.ifirexman.edu

• Replace ifirexman.edu with your own domain name.

• If you are currently already operating an Identity Federation, you may skip creating sub-domain names for fedmanager and ds as you shall use the existing ones. However, you will still need to setup the mdq and ssotest sub-domain name.