Shibboleth Attribute Release Policy Editing Tools (ShARPE). CAMP Shib, June 2006. Bruc Lee Liong, Meta Access Management System (MAMS).


1 Shibboleth Attribute Release Policy Editing Tools (ShARPE)
CAMP Shib, June 2006
Bruc Lee Liong, bliong@melcoe.mq.edu.au, http://federation.org.au
META ACCESS MANAGEMENT SYSTEM

2 Topics
- ShARPE and Autograph GUI
- SP Description Metadata
- Group ARP
- Attribute Mapping
- Policy Filter Chain

3 Part of the MAMS IAM Suite ("I really AM Sweet")
Diagram of the suite components: ShARPE (used by the IdP admin) and Autograph (used by the IdP member) sit in front of the IdP and cover ARP management, attribute mapping and privacy management.

4 Context
Diagram: the IdP admin uses ShARPE to manage the site ARP and group ARPs, the user uses Autograph to manage the user ARP, and the IdP applies the resulting ARPs when releasing attributes to the SP. Legend: group ARPs, site ARP, user ARP.

5 Shibboleth ARP Editor (ShARPE)
- Provides a GUI-based editor to enable:
  - ARP admins to implement access contracts
  - users to manage their own ARPs
- Provides visibility to the user of:
  - the attributes required by services
  - the attributes released to services
  - the service received in return for those attributes
- Enables users to change their ARPs and hence exercise privacy control
- Helpdesk

6 New features
- ARP management GUI
- Group ARPs (current Shibboleth supports only site and user ARPs)
- Service Descriptions: comprehensive information about the SP's service, service levels and attribute requirements
- Attribute Mapping: support for mapping between IdP and SP schemas
- Policy-filter-chain extension

7 ShARPE for the ARP Administrator
- Import the Service Description (Physics research database from Sandstone Uni), if it has never been imported before
- Create the site ARP (all communities get bronze access)
- Create a group ARP (the Physics community gets gold access)

8 Service Descriptions
- The SP's service and service-level descriptions and its attribute requirements
- Services may provide service levels (different functionality) based on the attributes supplied, e.g. for an institutional repository or publisher: read access, adding comments/ranks/annotations, submit access, ...
- Comprehensive Service Provider information is needed by both admins and users for sensible attribute management
- ShARPE introduces "Service Description" metadata to support a fully informative GUI

9 SandstoneUniServiceDescription.xml

10 Service Description Editor

11 Service Description Editor (cont.)


13 arp.site.xml


15 arp.group.Physics.xml

16 Autograph

17 Autograph (cont.)

18 arp.user.sue.xml

19 Group ARP
- Reason: different departmental admins want to manage their own users
- No modification to the original Shibboleth code; extends the Shibboleth ARP structure
- Uses a simplified flat group model (no hierarchical groups)
- Group information is provided by a set of plugins: AttributeResolver (LDAP/DB/etc.), file, etc.
- Simplified API to allow extensions
- Released attributes = processing(site ARP + group ARPs + user ARP); as in standard Shibboleth ARPs, a deny in any effective ARP wins over a permit in another
- http://federation.org.au/twiki/bin/view/Federation/GroupLookup

20 Activating Group ARP
The ArpRepository element of the IdP configuration is pointed at the MAMS repository implementation and registers one or more GroupLookup plugins. The child element names that wrapped the values below were lost in transcription; <Path> is the standard Shibboleth 1.3 element, and the remaining values are shown bare in the positions they appeared:

    <ArpRepository implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.provider.MAMSFileSystemArpRepository">
        <Path>file:/usr/local/shibboleth-idp/etc/arps/</Path>
        <!-- group membership resolved through the AttributeResolver (LDAP/DB) -->
        <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.AttributeResolverGroupLookup">
            <ResolverConfig implementation="edu.internet2.middleware.shibboleth.aa.attrresolv.MAMSAttributeResolver">
                file:///usr/local/shibboleth-idp/etc/resolver.ldap.xml
            </ResolverConfig>
            urn:mace:dir:attribute-def:eduPersonAffiliation
        </GroupLookup>
        <!-- group membership read from a flat properties file (see slide 21) -->
        <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.PropertyFileGroupLookup" separator="%PRINCIPAL%.">
            file:///usr/local/shibboleth-idp/etc/sample.grouplookup.properties
            institutionalGroupList
            groupList
        </GroupLookup>
    </ArpRepository>

21 Example of Group Info (flat file)
sample.grouplookup.properties, used by PropertyFileGroupLookup:

    # this defines institutional-wide groups
    institutionalGroupList = Administrator, Staff, Researcher
    # an example of local groups
    groupList = Library, Physics, Biology, Walk-in
    # user based attributes specifying the groups using 'memberOf'
    # ann.memberOf = Researcher
    # john.memberOf = Staff
    # joe.memberOf = HeadOfSchool, Staff, Librarian
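The following is an added example, not ShARPE or Shibboleth code, of how the group lookup on slides 20 and 21 feeds the combination "site ARP + group ARPs + user ARP" of slide 19. Group membership is read from a constructed copy of the slide-21 properties file (with ann also placed in Physics, and the memberOf lines uncommented, so that a group ARP actually applies); the SP entityID, attribute names and policies are constructed sample data. Rule semantics follow Shibboleth 1.x ARPs: an attribute leaves the IdP only if some effective ARP permits it and no effective ARP denies it.

```python
"""Simplified ARP evaluation: site ARP + group ARPs + user ARP.

Added illustration, not ShARPE/Shibboleth code. The properties text, the SP
entityID and the policies are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed variant of the slide-21 flat file (memberOf lines made live,
# ann added to Physics so the group ARP below has a member).
GROUP_PROPERTIES = """\
# this defines institutional-wide groups
institutionalGroupList = Administrator, Staff, Researcher
# an example of local groups
groupList = Library, Physics, Biology, Walk-in
# user based attributes specifying the groups using 'memberOf'
ann.memberOf = Researcher, Physics
john.memberOf = Staff
joe.memberOf = HeadOfSchool, Staff, Librarian
"""


def parse_properties(text):
    """Java-properties subset: 'key = a, b, c' lines and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return props


class PropertyFileGroupLookup:
    """Like the slide-20 PropertyFileGroupLookup with separator '%PRINCIPAL%.':
    a principal's groups are the values of '<principal>.memberOf'."""

    def __init__(self, text):
        self.props = parse_properties(text)

    def available_groups(self):
        # The two list keys named on slide 20: groups a group ARP can target.
        return set(self.props.get("institutionalGroupList", [])) | set(
            self.props.get("groupList", []))

    def groups_for(self, principal):
        return set(self.props.get(f"{principal}.memberOf", []))


@dataclass
class Arp:
    name: str
    kind: str                        # "site", "group" or "user"
    target: str                      # SP entityID this ARP applies to
    permit: set = field(default_factory=set)
    deny: set = field(default_factory=set)
    group: str = None                # group ARPs only
    principal: str = None            # user ARPs only


PHYSICS_DB = "https://physics-db.sandstone.example/shibboleth"   # constructed

ARPS = [
    # slide 7: all communities get bronze access
    Arp("arp.site", "site", PHYSICS_DB,
        permit={"eduPersonAffiliation", "eduPersonScopedAffiliation"}),
    # slide 7: the Physics community gets gold access
    Arp("arp.group.Physics", "group", PHYSICS_DB, group="Physics",
        permit={"mail", "displayName"}),
    # a user opting out of one attribute through Autograph
    Arp("arp.user.ann", "user", PHYSICS_DB, principal="ann", deny={"mail"}),
]


def effective_arps(arps, principal, sp, lookup):
    """Site ARPs for this SP, group ARPs for groups the principal is in,
    and the principal's own user ARP."""
    groups = lookup.groups_for(principal)
    chosen = []
    for arp in arps:
        if arp.target != sp:
            continue
        if arp.kind == "group" and arp.group not in groups:
            continue
        if arp.kind == "user" and arp.principal != principal:
            continue
        chosen.append(arp)
    return chosen


def released_attributes(arps, principal, sp, available, lookup):
    """Attributes the IdP may release: permitted by some effective ARP, denied
    by none, and actually resolved for the principal. No ARP means nothing leaves."""
    chosen = effective_arps(arps, principal, sp, lookup)
    permitted = set().union(*(a.permit for a in chosen)) if chosen else set()
    denied = set().union(*(a.deny for a in chosen)) if chosen else set()
    return (permitted - denied) & set(available)


if __name__ == "__main__":
    lookup = PropertyFileGroupLookup(GROUP_PROPERTIES)
    resolved = {"eduPersonAffiliation", "eduPersonScopedAffiliation",
                "mail", "displayName", "telephoneNumber"}
    for who in ("ann", "john"):
        print(who, sorted(released_attributes(ARPS, who, PHYSICS_DB, resolved, lookup)))
```

Ann (Physics) gets the gold attributes minus the mail she denied herself; John (Staff only) gets bronze; at an SP no ARP targets, nothing is released, which is the default-deny behaviour a release policy engine must keep.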

22 Attribute Mapping
- Not all organizations use the same schemas for attributes, so mapping is needed
- Attribute mapping functions:
  - one-to-one mapping
  - concatenation
  - static value assignment
  - hashing (e.g. TargetedID)
- Examples:
  - simple: 'email' to 'mail', or 'gender' to 'sex'
  - complex: creating a targetedID, e.g. hash(concat(SPname, email))
- Caveat: a plain hash(concat(SPname, email)) can be reversed by anyone holding a list of candidate e-mail addresses (the SP itself included), so the hash must be keyed with a secret salt held only by the IdP if the targetedID is meant to be opaque

23 Attribute Mapping GUI

24 What's offered by the AttributeResolver
- Rename (mail -> email)
- Value mapping ("alumn" -> "alumn", "alumni")
- Regex (e.g. changing to upper case)
- Formatted output
- Composite (A, B -> "A B"); limited to attributes with the same number of values
- Some others: StaticConnector, ScriptletAttributeDefinition, ...
- All of these, with the exception of rename, are newly introduced in 1.3c

25 Shibboleth implementation
- Scattered implementation, but simple, as it revolves around resolver plugins
- No chaining (no A -> B -> C; the mapping has to go directly from A to C)
- Some implementations are limited to certain conditions (e.g. cannot concatenate attributes with different numbers of values)
- The same map applies to all SPs: no differentiation or per-SP mapping

26 MAMS Attribute Mapping implementation
- Attributes with different numbers of values can be concatenated
- One entry point for all mapping entries -> one mapping engine (CustomAttributeDefinition)
- Different maps loaded for different SPs:
  - SP1 has mail -> email
  - SP2 has fname + sn + '@nowhere.com' -> e-mail
  - SP3 has ...
- A general mapping can be provided (e.g. a default eduPerson2MySchema mapping applicable to all SPs)

27 Attribute Mapping for SPa: X = X + Y
1. Rename the existing entry for X to X' on the resolver
2. Create a map entry on the resolver for X that depends on X' and Y
3. Put X = X' + Y on SPa's map
4. Put X = X' on default.mapper (for the other SPs)

28 Processing attribute X
1. A request comes in to resolve X for SPa
2. X is registered to be handled by the mapper
3. The crosswalk for SPa is loaded
   a) if no crosswalk is found, default.mapper is loaded
4. All of X's dependencies are provided to the crosswalk
5. The map function tries to resolve X

29 Activating Attribute Mapping
Done automatically by ShARPE when enabled; the resolver entry for the mapped attribute becomes (the element's children were not shown on the slide):

    <CustomAttributeDefinition id="X" class="au.edu.mq.melcoe.mams.sharpe.shib.aa.attrresolv.provider.CrosswalkAttributeDefinition">

30 Map file entry for SPa

    X    idp:X + Y

(target attribute X, expression idp:X + Y, where idp:X is the renamed X' of slide 27)
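The following is an added example, not MAMS or ShARPE code, of a per-SP crosswalk implementing the mapping functions of slide 22 with the lookup order of slides 26 to 28 (the SP's own map, else default.mapper). Map entries take the slide-30 form "<SP attribute>  <expression>"; everything beyond that one entry form is this example's own syntax: an expression is terms joined by "+", where a term is idp:<name> (an IdP-side attribute, i.e. the renamed X' of slide 27), a quoted literal, sp (the requesting SP's entityID) or hash(...). The SP entityIDs, attribute values and secret are constructed. One deliberate change from slide 22: hash() is HMAC-SHA256 keyed with an IdP-held secret rather than a bare hash of concat(SPname, email), so an SP holding a list of candidate e-mail addresses cannot recompute the targetedID and unmask the user. Only single-valued attributes are handled.

```python
"""Per-SP attribute crosswalk (added illustration, not MAMS/ShARPE code).

Map entry form: '<SP attribute>  <expression>' (slide 30).  Expression syntax
beyond that, the SP entityIDs, sample attributes and the secret are this
example's own.  hash() is a keyed HMAC, a swap-in for the slide's plain hash.
"""
import hashlib
import hmac
import re

IDP_SECRET_SALT = b"constructed-example-salt-keep-this-secret"   # assumption

# Per-SP maps (slide 26) and the default.mapper fallback (slides 27/28).
MAPS = {
    "default": [
        "email      idp:mail",
        "targetedID hash(sp + '!' + idp:mail)",
    ],
    "https://sp1.example/shibboleth": [
        "email      idp:mail",                                  # SP1: mail -> email
    ],
    "https://sp2.example/shibboleth": [
        "e-mail     idp:fname + idp:sn + '@nowhere.com'",       # SP2: concatenation
        "targetedID hash(sp + '!' + idp:mail)",
    ],
}

TOKEN = re.compile(r"\s*(idp:[\w-]+|'[^']*'|hash\(|\)|\+|sp)\s*")


def tokenize(expression):
    tokens, pos = [], 0
    while pos < len(expression):
        match = TOKEN.match(expression, pos)
        if not match:
            raise ValueError(f"bad map expression at {expression[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def parse(tokens):
    """expr := term ('+' term)* ; term := idp:NAME | 'literal' | sp | hash( expr )"""
    pos = 0

    def expr():
        nonlocal pos
        terms = [term()]
        while pos < len(tokens) and tokens[pos] == "+":
            pos += 1
            terms.append(term())
        return ("concat", terms)

    def term():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("map expression ends early")
        tok = tokens[pos]
        pos += 1
        if tok.startswith("idp:"):
            return ("idp", tok[4:])
        if tok.startswith("'"):
            return ("lit", tok[1:-1])
        if tok == "sp":
            return ("sp",)
        if tok == "hash(":
            inner = expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unclosed hash(")
            pos += 1
            return ("hash", inner)
        raise ValueError(f"unexpected token {tok!r}")

    node = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in map expression")
    return node


def evaluate(node, sp, idp_attrs):
    """Resolve a parsed expression; None means a dependency was missing."""
    kind = node[0]
    if kind == "concat":
        parts = [evaluate(t, sp, idp_attrs) for t in node[1]]
        return None if any(p is None for p in parts) else "".join(parts)
    if kind == "idp":
        return idp_attrs.get(node[1])
    if kind == "lit":
        return node[1]
    if kind == "sp":
        return sp
    if kind == "hash":
        inner = evaluate(node[1], sp, idp_attrs)
        if inner is None:
            return None
        # Keyed: same user + same SP -> same ID; different SP -> unlinkable ID;
        # without IDP_SECRET_SALT nobody can recompute it from a guessed e-mail.
        return hmac.new(IDP_SECRET_SALT, inner.encode(), hashlib.sha256).hexdigest()
    raise ValueError(kind)


def load_map(sp):
    """Slide 28 step 3: the SP's crosswalk, else default.mapper."""
    parsed = {}
    for entry in MAPS.get(sp, MAPS["default"]):
        target, _, expression = entry.strip().partition(" ")
        parsed[target] = parse(tokenize(expression.strip()))
    return parsed


def crosswalk(sp, idp_attrs):
    """Every attribute in the SP's map that can be resolved from idp_attrs."""
    out = {}
    for target, node in load_map(sp).items():
        value = evaluate(node, sp, idp_attrs)
        if value is not None:
            out[target] = value
    return out
```

A crosswalk that cannot satisfy a dependency emits nothing for that attribute rather than a partial value, which matters for the hashed case: a targetedID computed over an empty e-mail would collide for every user with no mail attribute.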

31 Future Work
- Privacy settings for a coarse-grained release policy
- Hierarchical groups to implement a "room in room" concept (if there are enough requests)
- Integration with Grouper and Signet for local management (currently planned for GroupManager and PrivilegeManager)
- Push Shibboleth for the ability to register new attributes with the resolver for attribute mapping

32 Questions?
- Email: bliong@melcoe.mq.edu.au
- ShARPE: http://federation.org.au/ShARPE
- MAMS: http://mams.melcoe.mq.edu.au
- Experiment: http://opensharpe.federation.org.au
- Sharpe-users mailing list: http://federation.org.au/cgi-bin/mailman/listinfo
- MAMS' easy-installation IdP with ShARPE: http://federation.org.au/software/installcd

33 Extra Slides

34 Shibboleth ARP Management (as it stands)
- SP attribute requirements are agreed and negotiated manually (not scalable)
- Site and user ARPs only, no group ARPs
- Lack of service information for users (what attributes are required, what is released, and for what reason)
- Lack of an interface for user ARP control
- Users cannot access their ARP files

35 Design: Group ARP

36 Design: Attribute Mapping

37 Policy Filter Chaining
- Allows policies (ARPs) to be passed through a chain of filters before their final processing by the ArpEngine
- Allows selective processing of policies, e.g. when the user has attribute X set to Y, do not process group policy Z
- Used by Autograph to "find which attributes are affected by all policies excluding the user ARP", and for similar use cases
- http://federation.org.au/twiki/bin/view/Federation/PolicyFilter

38 Policy Filter
- Different types of policy filter; extensible design
- Filter on different types of ARP
- Filter on simple access control for the ARP (create, read, update, delete); create is slightly difficult to enforce
- Combination of filters and chaining

39 Design: PolicyFilter

40 PolicyFilter Processing
- For each activity identified as create, read, update or delete on a policy, the registered PolicyFilters are called: Arp' = PolicyFilter(Arp)
- The resultant policy is given back to the system
- All active policies used by the system are processed in this way before being used
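The following is an added example, not MAMS code, of a policy filter chain as slides 37 to 40 describe it. A filter is a callable (activity, policy, ctx) -> policy or None, where None drops the policy from that activity; the chain runs every registered filter, in order, over every active policy, so Arp' = F_n(...F_1(Arp)). The policy shape, the filter names, the access-control rule and the sample data are this example's own.

```python
"""Policy filter chain in front of the ARP engine (added illustration, not
MAMS code).  Policy shape, filters and sample data are this example's own."""
from dataclasses import dataclass, field, replace


@dataclass
class Policy:
    name: str
    kind: str                               # "site", "group" or "user"
    group: str = None                       # group policies only
    permit: set = field(default_factory=set)


@dataclass
class Context:
    principal: str
    role: str                               # "admin" or "member"
    attributes: dict = field(default_factory=dict)   # the user's resolved attributes


def exclude_kinds(*kinds):
    """Autograph use case: look at every policy except, say, the user ARP."""
    def policy_filter(activity, policy, ctx):
        return None if policy.kind in kinds else policy
    return policy_filter


def skip_group_when(attr, value, group):
    """Slide 37: when the user has attribute X set to Y, do not process group policy Z."""
    def policy_filter(activity, policy, ctx):
        if policy.kind == "group" and policy.group == group \
                and ctx.attributes.get(attr) == value:
            return None
        return policy
    return policy_filter


def restrict_to(attrs):
    """A transforming filter (Arp' differs from Arp): keep only the named attributes."""
    def policy_filter(activity, policy, ctx):
        return replace(policy, permit=policy.permit & set(attrs))
    return policy_filter


def member_writes_own_only(activity, policy, ctx):
    """Simple CRUD access control: a member may update/delete only their own
    user policy; admins are unrestricted.  Create is not checked here because the
    policy does not exist yet, which is the difficulty slide 38 notes."""
    if ctx.role == "admin" or activity not in ("update", "delete"):
        return policy
    if policy.kind == "user" and policy.name == f"arp.user.{ctx.principal}":
        return policy
    return None


class PolicyFilterChain:
    def __init__(self, *filters):
        self.filters = list(filters)

    def apply(self, activity, policies, ctx):
        """Policies that survive every filter for this activity, possibly rewritten."""
        survivors = []
        for policy in policies:
            current = policy
            for policy_filter in self.filters:
                current = policy_filter(activity, current, ctx)
                if current is None:
                    break
            if current is not None:
                survivors.append(current)
        return survivors


def affected_attributes(policies):
    """What Autograph asks: the union of attributes the given policies touch."""
    return set().union(*(p.permit for p in policies)) if policies else set()


# Constructed sample policies.
POLICIES = [
    Policy("arp.site", "site", permit={"eduPersonAffiliation"}),
    Policy("arp.group.Physics", "group", group="Physics", permit={"mail", "displayName"}),
    Policy("arp.group.Staff", "group", group="Staff", permit={"telephoneNumber"}),
    Policy("arp.user.sue", "user", permit={"mail"}),
]
```

Because the chain runs before the engine sees any policy, a filter that returns None is a hard exclusion: the dropped policy can neither permit nor deny anything for that activity, so an access-control filter like member_writes_own_only fails closed for the activities it does understand.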

41 Activating PolicyFilter
The configuration fragment on this slide lists the policy types the filters apply to (sitePolicy, userPolicy, ...); the surrounding XML element names were lost in transcription and only those values survive.

