
MCE Federation Configuration

info

MCE can support interactions between users and rooms that belong to different organizations via the Federation feature. This feature allows users from different organizations to join groups and exchange messages with each other, while still adhering to the security policies put in place by COI, classification and group membership rules.

Please refer to the Federated User Identity Registration section for more information on how user identity works in federated scenarios.

Certificate requirements

The federation feature requires a certificate to authenticate the federated connection between two MindLink server deployments belonging to different organizations.

This federation certificate should be enrolled with the following criteria:

  • The root certificate authority should be trusted by all federated partners
  • The certificate should have both the Server authentication and Client authentication extensions
  • The Subject name of the certificate should be of the Common name type, and its value should be the computer name.
  • The Alternative name of the certificate should be the DNS type and the value should be the desired friendly domain name for your organization.
    • This friendly domain is intended to provide a more user-friendly way of identifying and interacting with rooms and users that belong to another organization.

Ports and firewall configuration

The federation feature allows an organization to operate as an owner, consumer or both within a federated relationship. As an owner organization, you allow inbound connections to your MindLink server, whereas as a consumer you only make outbound connections.

The federation feature uses the gRPC protocol to exchange data. gRPC is an HTTP/2-based protocol, so the underlying network must support HTTP/2 traffic.

As a consumer:

  • No specific port or firewall setup is required.

As an owner:

  • A port and firewall allow rule should be added to permit the inbound connections of federated partners. This federation port number is configurable in the Management Center.

General installation and configuration guide

The configuration of MCE Federation relies upon the advanced configuration section of the Management Center. This section performs no validation, so it is important to get the configuration right.

Below we list the advanced configuration keys required for a federated deployment, then give a step-by-step guide to configuring each of these keys.

info

MindLink is committed to simplifying the configuration process for our users. We are actively developing dedicated configuration pages for the Federation feature, complemented by user-friendly guidance. These enhancements are planned for our upcoming releases.

| Key | Value | Description |
|---|---|---|
| global.services.module | Mce, Federation | Enables the Mce and Federation services respectively. This is a prerequisite for owners and consumers. |
| debug.mce.federation.certificatethumbprint | | The thumbprint of the certificate used to authenticate the federated connection between other organizations, required for owners and consumers. |
| debug.mce.federation.servicelistenurls | https://domain:port | The listen URL for inbound federation connections. Required when setting up as an owner. |
| debug.mce.federation.federatedpartneraddressesoutbound | https://domain:port | A comma-delimited list of outbound federation connections. Required when setting up as a consumer. |
| debug.mce.federation.federatedpartnerscommonnamesoutbound | domain.tld | A comma-delimited list of the common names for the federated partners you are federating with outbound. These values should match the common name field of their certificates. The ordering of this list should match the ordering of the federated partners in the debug.mce.federation.federatedpartneraddressesoutbound field. |
| debug.mce.federation.federatedpartnerscommonnamesinbound | domain.tld | A comma-delimited list of the common names for the federated partners you are allowing to federate inbound. These values should match the common name field of their certificates. |
| debug.mce.federation.externalidentifierattributename | attributeName | The name of the attribute that corresponds to the Distinguished Name value of your users. |
| debug.mce.federation.externalidentifierattributeissuer | attributeIssuer | The issuer of the attribute that corresponds to the Distinguished Name value of your users. |

Configuration guide

  1. Configure the MindLink service modules:
    Set the 'global.services.module' key value to include both 'Mce' and 'Federation'.
  2. Acquire a Federation certificate:
    See section 'Certificate requirements' for requirements.
  3. Configure the Federation certificate thumbprint:
    Set the 'debug.mce.federation.certificatethumbprint' key value to the thumbprint of the Federation certificate acquired in the previous step.
  4. Configure the Federation service listen URLs:
    NOTE: This is only required if you require the deployment to act as an owner for at least one organisation.
    Set the 'debug.mce.federation.servicelistenurls' key value to a URL that will route your federated partners to your deployment.
  5. Configure the outbound federated partner addresses:
    NOTE: This is only required if you require the deployment to act as a consumer for at least one other organisation.
    Set the 'debug.mce.federation.federatedpartneraddressesoutbound' key value to the federation service listen URLs of the owner organisation you wish to federate with. These will be the values your federated partners configured in step four.
  6. Configure the outbound federated partner common names:
    NOTE: This is only required if you require the deployment to act as a consumer for at least one other organisation.
    Set the 'debug.mce.federation.federatedpartnerscommonnamesoutbound' key value to the common names of the owner organisations' federation certificates, in the same order as the addresses configured in step five.
  7. Configure the inbound federated partner common names:
    NOTE: This is only required if you require the deployment to act as an owner for at least one organisation.
    Set the 'debug.mce.federation.federatedpartnerscommonnamesinbound' key value to the common names of the federation certificates of the consumer organisations you are allowing to connect inbound.
  8. Configure the external identifier attribute issuer and attribute name:
    'debug.mce.federation.externalidentifierattributeissuer' should represent the identity of the attribute issuer service you wish to use for federation (such as 'CP' for Cassport). 'debug.mce.federation.externalidentifierattributename' should represent the attribute that corresponds to the Distinguished Name value of your users (such as 'digitalIdentifier'). Please refer to the Federated User Identity Registration section for more information on how user identity works in federated scenarios.

The following images demonstrate two variations of a federated connection to a single external deployment. The first demonstrates reciprocal federation where both organisations act as federated owners and consumers, the second demonstrates non-reciprocal federation where federation is only permitted in one direction. All debug keys demonstrated below are comma-delimited lists, enabling the configuration of multiple federated connections and topologies.

Figure 1 - Reciprocal Federation
Figure 2 - Non-reciprocal Federation
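Because the Management Center does not validate these keys, the following added example (not MindLink's own code or tooling) is a pre-flight check that applies the rules stated above to a deployment's key/value map and cross-checks one federation direction against the partner's configuration. Key names are the page's; the hostnames, ports and thumbprints used to model the reciprocal and non-reciprocal topologies of Figures 1 and 2 are constructed.

```python
# Added example, not MindLink's own code or tooling: a pre-flight checker for the advanced
# configuration keys above, which the Management Center does not validate. Hostnames, ports
# and thumbprints below are constructed; key names are the ones documented on the page.
from urllib.parse import urlparse

P = "debug.mce.federation."

def split_list(value):
    # Every federation key is a comma-delimited list; blank entries are dropped.
    return [v.strip() for v in value.split(",") if v.strip()]

def check_deployment(cfg):
    """Return the problems found in one deployment's key/value map ([] if clean)."""
    modules = split_list(cfg.get("global.services.module", ""))
    problems = [f"global.services.module lacks '{m}'" for m in ("Mce", "Federation") if m not in modules]
    problems += [f"{P}{k} is not set" for k in ("certificatethumbprint", "externalidentifierattributename",
                 "externalidentifierattributeissuer") if not cfg.get(P + k, "").strip()]
    listen = split_list(cfg.get(P + "servicelistenurls", ""))
    inbound = split_list(cfg.get(P + "federatedpartnerscommonnamesinbound", ""))
    out_addr = split_list(cfg.get(P + "federatedpartneraddressesoutbound", ""))
    out_cn = split_list(cfg.get(P + "federatedpartnerscommonnamesoutbound", ""))
    if bool(listen) != bool(inbound):  # the owner role needs a listen URL and an inbound allow list
        problems.append("owner role needs both servicelistenurls and inbound common names")
    if len(out_addr) != len(out_cn):   # the consumer lists are paired by position
        problems.append("outbound addresses and outbound common names differ in length")
    for url in listen + out_addr:      # gRPC over HTTP/2: expect https://domain:port
        if urlparse(url).scheme != "https" or urlparse(url).port is None:
            problems.append(f"'{url}' is not of the form https://domain:port")
    return problems

def check_pairing(consumer, consumer_cn, owner):
    """Cross-check one direction of federation against the owner's configuration."""
    problems = []
    out_addr = set(split_list(consumer.get(P + "federatedpartneraddressesoutbound", "")))
    if not out_addr & set(split_list(owner.get(P + "servicelistenurls", ""))):
        problems.append("consumer has no outbound address matching the owner's listen URL")
    if consumer_cn not in split_list(owner.get(P + "federatedpartnerscommonnamesinbound", "")):
        problems.append(f"owner does not allow inbound common name '{consumer_cn}'")
    return problems

def org_config(listen="", out_addr="", out_cn="", inbound=""):
    # Constructed deployment: the full key set, with the per-role lists supplied by the caller.
    return {"global.services.module": "Mce, Federation", P + "certificatethumbprint": "<thumbprint>",
            P + "servicelistenurls": listen, P + "federatedpartneraddressesoutbound": out_addr,
            P + "federatedpartnerscommonnamesoutbound": out_cn, P + "federatedpartnerscommonnamesinbound": inbound,
            P + "externalidentifierattributename": "digitalIdentifier", P + "externalidentifierattributeissuer": "CP"}

# Reciprocal federation (Figure 1): each organisation is both owner and consumer of the other.
ORG_A = org_config("https://fed.org-a.example:5001", "https://fed.org-b.example:5001", "org-b.example", "org-b.example")
ORG_B = org_config("https://fed.org-b.example:5001", "https://fed.org-a.example:5001", "org-a.example", "org-a.example")
# Non-reciprocal federation (Figure 2): ORG_B only consumes, so it needs no listen URL or inbound list.
ORG_B_CONSUMER_ONLY = org_config(out_addr="https://fed.org-a.example:5001", out_cn="org-a.example")
```

Run check_deployment on each side and check_pairing once per direction before saving the keys; a non-empty result names the rule that was broken.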