Presentation is loading. Please wait.

Presentation is loading. Please wait.

2006 © SWITCH Group Management Tool Lukas Haemmerle

Similar presentations


Presentation on theme: "2006 © SWITCH Group Management Tool Lukas Haemmerle"— Presentation transcript:

1 2006 © SWITCH Group Management Tool Lukas Haemmerle

2 2006 © SWITCH 2 Situation  Web application/files/functions that must be protected  Access/authorization shall be based on user groups  Overhead for group administration shall be small  Shibboleth/Other solution available  Users have an AAI account Real life example: The slides/photos of this meeting shall only be accessible by all people who attended the meeting.

3 2006 © SWITCH 3 Case 1: Users share common attributes HomeOrg = IdP X| IdP Y| IdP Z Affiliation = Student StudyBranch = Medicine Access Rule

4 2006 © SWITCH 4 Case 2: No common user attributes How can these users be authorized?

5 2006 © SWITCH 5 Solution 1: Create a common attribute Add an entitlement attribute for specific users Require entitlement urn:mace:rediris.es:entitlement:wiki:jra5  Easy solution for a difficult problem  Additional work for user directory administrator  Difficult to efficiently manage many entitlement values  Only IdP admin can manage access + - Access Rule

6 2006 © SWITCH 6 Solution 2.a: Use uniqueIDs or 1.Get unique IDs or AAI addresses of users. 2.Create access rules like: require uniqueID […] require […]  Straight-forward solution  SP administrator must know unique ID/ address  Difficult to efficiently manage for many users/apps  Only SP admin can manage access + - Access Rule

7 2006 © SWITCH 7 Solution 2.b: Use SWITCH GMT 0.9  Open Source software (BSD license)  Easy to install  Light-weight PHP application  Human readable text files to store group data Features  Manage multiple groups for multiple applications  Three user/admin roles with different privileges  Transfer privileges to other users  Invite new users to join group via  User can request to join a group (self-registration)  Generate authorization files (Apache.htaccess)  API for use on remote hosts

8 2006 © SWITCH 8 Administration interface  Every role has different options and views  Red groups are system groups

9 2006 © SWITCH 9 Group settings

10 2006 © SWITCH 10 Manage a group

11 2006 © SWITCH 11 Adding users to a group  Add registered users to one or more groups with a certain role

12 2006 © SWITCH 12 Inviting new users  Invitation token (link) is sent to provided addresses  Tokens can be revoked

13 2006 © SWITCH 13 Request to join a group

14 2006 © SWITCH 14 Generate authorization files  Multiple authorization files can be generated per group  Files are updated automatically on changes

15 2006 © SWITCH 15 Authorization files

16 2006 © SWITCH 16 Interface for remote hosts PHP/PERL functions: isInGroup($uniqueID, $gName) getGroupModifyURL($gName) getUserGroups($uniqueID) getStatus() getError() Secure queries:  Over SSL  Encrypted with shared key  Limited to allowed hosts

17 2006 © SWITCH 17 Summary and outlook Summary  Convenient management of “virtual” groups  Roles can be transferred  Users can request to join a group with self-registration  Authorize users on remote servers  Libraries available for PHP and Perl Preliminary outlook for GMT 1.0  Generation of Shibboleth XML authorization files  Additional API functions with SOAP/REST  Probably new name (e.g. “grot”, “groupy”, …)

18 2006 © SWITCH 18 Questions Q & A


Download ppt "2006 © SWITCH Group Management Tool Lukas Haemmerle"

Similar presentations


Ads by Google