
Slide 1: Shibboleth Attribute Release Policy Editing Tools: ShARPE and Autograph
I2MM, April 2006
Neil Witheridge, MAMS Project Manager, nwitheridge@melcoe.mq.edu.au
http://federation.org.au/
(slide footer: 10/21/2015, META ACCESS MANAGEMENT SYSTEM)

Slide 2: Problem Statement
- ARP Administration (ShARPE)
  - ARP administrators need a 'zero effort' approach to implementing an access agreement with a SP: setting up site and group ARPs to supply the required attributes.
- User Privacy Control (Autograph)
  - There is a 'real world' requirement for privacy management, for end-user control of the release of privacy-sensitive attributes.
  - A 'zero-effort' GUI interface is required.

Slide 3: Evaluation Release
- ShARPE and Autograph (version 0.7) released for evaluation purposes
- Elicitation of 'real world' requirements
  - As Shibboleth stakeholders (IdP and SP administrators and users), do these tools satisfy your requirements for ARP management?
  - Feedback requested on usefulness and usability.

Slide 4: Shibboleth Attribute Release Policy
- Shibboleth provides for privacy control through Attribute Release Policies (ARPs)
  - Rules specifying which attributes may be released to a SP, for IdP members in general or for specific individuals
  - Applied after user authentication and delivery of an opaque handle to the SP
- (figure: SP side with Protected Service, Attribute Consumer Service and AAP; IdP side with Attribute Authority, ARPs and User Attributes; (1) SAML Attribute Request + handle from SP to IdP, (2) SAML Attribute Response from IdP to SP)

Slide 5: Info Available To Protected App
- Via HTTP header
  - Standard header parameters:
    host = demo.federation.org.au
    user-agent = Mozilla/5.0; accept = …; accept-encoding = …; accept-charset = …
    Keep-Alive = 300; connection = keep-alive
    referer = https://openidp.mams.org.au/shibboleth-idp/SSO...
    cookie = …
  - Shibboleth-specific parameters:
    Shib-Identity-Provider = urn:mace:federation.org.au:testfed:level-1:openidp.mams.org.au
    Shib-Authentication-Method = urn:oasis:names:tc:SAML:1.0:am:unspecified
  - User attributes:
    Shib-EP-UnscopedAffiliation = Staff;Physics
    Shib-Person-nickname = Sue

Slide 6: Attributes – IdP context
- Key:Value pairs, e.g. eduPersonAffiliation:Physics
- User information stored within an institutional directory, e.g. LDAP
- Directory schema determines the available keys (attribute names)
  - Standardised schema, e.g. person, organizationalPerson, inetOrgPerson, eduPerson…
  - Custom schema: institution-specific data, for elements that don't have a clear mapping to standard schemas

Slide 7: Attributes – SP context
- Received user attributes (in the SAML assertion from the IdP) are the basis of access control
  - Service or service-feature accessibility
  - Service levels: not necessarily hierarchical
- Potential for complex attribute-based access control
  - university, campus, role, discipline, course, year, group…
- SP attribute requirements must conform to a standard schema or be mappable from the IdP attribute schema

Slide 8: Current Shib Federations
- Current generation of Shib Federations: 1st generation?
  - Simple approach to access control, attributes and attribute management
- How will SPs use attributes as Federated IAM evolves?
  - Greater use of user attributes for service differentiation
  - Increasing service complexity (service features) and demand for user attributes

Slide 9: Emerging Federated Services
- Institutional Repositories and CMSs
  - More fine-grained protection of resources based on user attributes
- Virtual Organisations and GRID Services
  - Inter-organisational, national -> international collaboration
- Virtual Librarian (MAMS service development)
  - Example MAMS Shibbolised Service
  - Needs a relatively rich set of attributes

Slide 10: Current ARP Management
- SP attribute requirements agreed and negotiated manually (not scalable)
- Site and User ARPs, no Group ARPs
- Lack of service information for users (what attributes are required and released, and for what reason)
- Lack of an interface for user ARP control
  - Users can't access ARP files

Slide 11: Shibboleth ARP Editing Tools
- Provide a GUI-based editor to enable
  - ARP admins to implement access contracts
  - Users to manage their ARPs
- Provide visibility to the user of:
  - attributes required by services
  - attributes released to services
  - service received in return for attributes
- Enable users to change their ARPs and hence exercise privacy control

Slide 12: New features (to provide a comprehensive GUI for the creation of ARPs)
- Group ARPs
  - Current Shibboleth supports site and user ARPs only
- Service Descriptions
  - Comprehensive information about the SP's service, service levels and attribute requirements
- Attribute Mapping
  - Support for mapping between IdP and SP schemas

Slide 13: ShARPE – ARP Administrator
- ARP Admin
  - Import Service Description (Physics research database from Sandstone Uni)
  - Create site ARP (all communities get bronze access)
  - Create group ARP (Physics community gets gold access)

Slide 14: (screenshot)

Slide 15: SandstoneUniServiceDescription.xml (screenshot)

Slide 16: arp.site.xml (screenshot)

Slide 17: (screenshot)

Slide 18: arp.group.Physics.xml (screenshot)

Slide 19: Autograph – IdP Member
- IdP member: Susannah Halmay, Physics staff member
  - View attributes released
  - Deny release of the attributes required for Gold access

Slide 20: (screenshot)

Slide 21: (screenshot)

Slide 22: arp.user.sue.xml (screenshot)
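The walkthrough on slides 13 to 22 layers three ARPs: the site ARP releases the attributes needed for bronze access to everyone, the Physics group ARP adds the attributes needed for gold access, and Sue's own ARP (written by Autograph) denies the gold-only attributes again. The following is an added illustration of that evaluation, not ShARPE, Autograph or Shibboleth code: the ARP XML format is not reproduced, rules are modelled as (SP, attribute, permit/deny) tuples, and the attribute names assigned to bronze and gold access, Sue's directory record and the "a deny in any ARP wins over a permit in any other" precedence are assumptions made for the example.

```python
"""Layered ARP evaluation for the ShARPE/Autograph walkthrough (slides 13-22).

Added illustration, not ShARPE, Autograph or Shibboleth code. Attribute names
for the two service levels and the deny-wins precedence are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# SP identifier taken from the Service Description example (slide 38).
SANDSTONE_SP = "urn:mace:federation.org.au:testfed:level-1:federation.org.au"

# Assumed attribute requirements of the two service levels.
BRONZE_ATTRS = {"eduPersonAffiliation"}
GOLD_ATTRS = {"eduPersonAffiliation", "mail", "displayName"}


@dataclass(frozen=True)
class ArpRule:
    target_sp: str   # SP identifier this rule applies to; "*" matches any SP
    attribute: str   # attribute name in the IdP's schema
    permit: bool     # True releases the attribute, False denies it


@dataclass
class Arp:
    name: str
    rules: list[ArpRule] = field(default_factory=list)


def permit_all(name: str, sp: str, attrs: set[str]) -> Arp:
    return Arp(name, [ArpRule(sp, a, True) for a in sorted(attrs)])


# arp.site.xml: every IdP member gets the bronze attributes released.
SITE_ARP = permit_all("arp.site", SANDSTONE_SP, BRONZE_ATTRS)
# arp.group.Physics.xml: the Physics community additionally gets the gold attributes.
GROUP_ARPS = {"Physics": permit_all("arp.group.Physics", SANDSTONE_SP, GOLD_ATTRS)}
# arp.user.sue.xml: what Autograph writes when Sue denies the gold-only attributes.
SUE_USER_ARP = Arp("arp.user.sue",
                   [ArpRule(SANDSTONE_SP, a, False) for a in sorted(GOLD_ATTRS - BRONZE_ATTRS)])

# Constructed directory record for the IdP member on slide 19.
SUE_ATTRS = {
    "eduPersonAffiliation": "staff",
    "mail": "sue@sandstone.example",
    "displayName": "Susannah Halmay",
    "eduPersonEntitlement": "urn:example:library-card",  # never permitted by any ARP
}


def applicable_arps(groups: set[str], user_arp: Arp | None) -> list[Arp]:
    """The site ARP always applies, group ARPs by membership, the user's ARP last."""
    arps = [SITE_ARP] + [GROUP_ARPS[g] for g in sorted(groups) if g in GROUP_ARPS]
    if user_arp is not None:
        arps.append(user_arp)
    return arps


def released_attributes(user_attrs: dict[str, str], groups: set[str],
                        user_arp: Arp | None, sp: str) -> dict[str, str]:
    """Attributes the Attribute Authority would put in the SAML response for `sp`."""
    permitted: set[str] = set()
    denied: set[str] = set()
    for arp in applicable_arps(groups, user_arp):
        for rule in arp.rules:
            if rule.target_sp not in ("*", sp):
                continue
            (permitted if rule.permit else denied).add(rule.attribute)
    # Default is no release: an attribute must be permitted somewhere and denied nowhere.
    return {a: v for a, v in user_attrs.items() if a in permitted - denied}


def service_level(released: dict[str, str]) -> str:
    """What the SP can grant from the attributes it actually received."""
    have = set(released)
    if GOLD_ATTRS <= have:
        return "gold"
    if BRONZE_ATTRS <= have:
        return "bronze"
    return "none"


if __name__ == "__main__":
    cases = [("non-Physics member", set(), None),
             ("Physics member", {"Physics"}, None),
             ("Physics member after Autograph deny", {"Physics"}, SUE_USER_ARP)]
    for label, groups, arp in cases:
        rel = released_attributes(SUE_ATTRS, groups, arp, SANDSTONE_SP)
        print(f"{label}: {sorted(rel)} -> {service_level(rel)}")
```

The third case is the privacy-control point of slide 19: after Sue's deny rules, the gold attributes are withheld even though her group ARP permits them, and the SP can only grant bronze access. Note also that eduPersonEntitlement is never released to any SP because no ARP permits it.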

Slide 23: Group ARPs
- How will contracts be established between an IdP and SPs?
  - Groups within institutions (IdPs) create agreements, maybe requiring a subscription involving formal T&Cs and/or payment
  - Attribute release policy defined for the group
  - Appropriate static values (contract number)
  - Members' attribute release policy follows by virtue of group membership

Slide 24: Group Information sources
- List of groups and IdP member group membership information
  - Institutional directory
  - Flat files
- Responsibility for group ARP administration?
- Future: Grouper and Signet

Slide 25: Service Descriptions
- SP's service and service-level descriptions and attribute requirements
- Services may provide service levels (different functionality) based on the supplied attributes
  - e.g. for an institutional repository or publisher: read access, adding comments/rank/annotations, submit access…
- Comprehensive Service Provider information is needed by both admins and users for 'sensible' attribute management
- ShARPE introduces 'Service Description' metadata to support a 'fully informative' GUI

Slide 26: Service Description Editor (screenshot)

Slide 27: Service Description Editor (screenshot)

Slide 28: Attribute Mapping
- Requirement to map between IdP and SP schemas (standard/custom to standard/custom...)
- Attribute mapping functions
  - One-to-one mapping
  - Concatenation
  - Static value assignment
  - Hashing (e.g. TargetedID)
- Examples:
  - Simple: 'email' to 'mail', or 'gender' to 'sex'
  - Complex: creating targetedID (e.g. hash(concat(SPname, email)))
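The four mapping functions on this slide, applied to a constructed IdP record, as an added example. This is not ShARPE's mapping code or the Shibboleth attribute resolver; the mapping-spec format, the choice of SHA-256 for the hash and the sample values (including the contract number, which follows the "static value" item on slide 23) are assumptions of the example. targetedID is computed as the slide states, hash(concat(SPname, email)).

```python
"""Attribute mapping from an IdP schema to an SP schema (slide 28).

Added example, not ShARPE or Shibboleth code. Implements the slide's four
mapping functions: one-to-one renaming, concatenation, static value
assignment and hashing (targetedID = hash(concat(SPname, email))).
"""
import hashlib

# Constructed IdP-side record (key:value pairs as on slide 6).
IDP_ATTRS = {
    "email": "sue@sandstone.example",
    "givenName": "Susannah",
    "sn": "Halmay",
    "gender": "F",
    "eduPersonAffiliation": "staff",
}

# Mapping spec (assumed format): target SP attribute -> (function, arguments).
#   "rename":     copy one IdP attribute under a new name
#   "concat":     join several IdP attributes with a separator
#   "static":     fixed value, e.g. the group's contract number (slide 23)
#   "targetedid": per-SP pseudonymous identifier derived from an IdP attribute
SP_MAPPING = {
    "mail": ("rename", "email"),
    "sex": ("rename", "gender"),
    "displayName": ("concat", ["givenName", "sn"], " "),
    "contractNumber": ("static", "SU-PHYS-2006-0042"),   # placeholder value
    "targetedID": ("targetedid", "email"),
}


def targeted_id(sp_name: str, email: str, salt: bytes = b"") -> str:
    """hash(concat(SPname, email)): the same user gets a different ID at each SP.

    With an empty salt anyone who knows the SP name and the e-mail address can
    recompute the value, so an IdP would normally pass a secret per-IdP salt.
    """
    return hashlib.sha256(salt + sp_name.encode() + email.encode()).hexdigest()


def apply_mapping(idp_attrs: dict, spec: dict, sp_name: str) -> dict:
    """Produce the SP-schema attribute set; inputs that are absent are skipped."""
    out = {}
    for target, rule in spec.items():
        kind = rule[0]
        if kind == "rename":
            if rule[1] in idp_attrs:
                out[target] = idp_attrs[rule[1]]
        elif kind == "concat":
            parts = [idp_attrs[a] for a in rule[1] if a in idp_attrs]
            if len(parts) == len(rule[1]):   # only emit when every input is present
                out[target] = rule[2].join(parts)
        elif kind == "static":
            out[target] = rule[1]
        elif kind == "targetedid":
            if rule[1] in idp_attrs:
                out[target] = targeted_id(sp_name, idp_attrs[rule[1]])
        else:
            raise ValueError(f"unknown mapping function {kind!r}")
    return out


if __name__ == "__main__":
    for k, v in apply_mapping(IDP_ATTRS, SP_MAPPING, "Sandstone University").items():
        print(f"{k} = {v}")
```

Only attributes named in the spec reach the SP: eduPersonAffiliation and the raw email are not in the output, which is the same default-deny behaviour the ARPs enforce one layer earlier.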

Slide 29: Attribute Mapping GUI (screenshot)

Slide 30: Evaluating ShARPE & Autograph
- View Flash demonstrations via http://www.federation.org.au/twiki/bin/view/Federation/ShARPE
- Experiment with Autograph using a pre-configured 'openIdP': http://opensharpe.mams.org.au
- Install your own evaluation IdP including ShARPE and Autograph
  - NMI-EDIT software release 9: http://www.federation.org.au/software/Autograph_ShARPE-0.7.zip
  - MAMS' Easy Installation IdP with ShARPE: http://www.federation.org.au/software/installcd/

Slide 31: Evaluating ShARPE & Autograph (cont'd)
- Install on top of an existing IdP: http://www.federation.org.au/software/Autograph_ShARPE-0.7.zip
- Qualifications:
  - Attribute Mapping is optional functionality (can be disabled at installation).
  - Attribute mapping is relatively complex and changes the resolver file; it is not intended to be deployed on production systems.
  - ShARPE and Autograph without attribute mapping only write to ARPs.

Slide 32: Thank you. Questions?

Slide 33: Shibboleth Architecture
- Shibboleth Federation components
  - Service Provider: provides services accessible via the web; wants to focus on core business and avoid the risks of managing users' confidential info.
  - WAYF
  - User: belongs to an organisation which manages her identity; has privacy concerns.
  - Identity Provider: secure identity management is a core business requirement.

Slide 34: Background: Shibboleth
- Standards based (SAML)
- Open source middleware
- Provides Web Single Sign-On (SSO) across or within institutional boundaries
  - SSO using session cookies
- Provides secure transfer of user attributes between the user's Identity Provider (IdP) and Service Providers (SPs)

Slide 35: Group Information sources (IdP configuration fragment; child element tags were lost in extraction, values shown indented under their parent)
  <ArpRepository implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.provider.MAMSFileSystemArpRepository">
    file:/usr/local/shibboleth-idp/etc/arps/
  <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.AttributeResolverGroupLookup">
    <ResolverConfig implementation="edu.internet2.middleware.shibboleth.aa.attrresolv.MAMSAttributeResolver">
      file:///usr/local/shibboleth-idp/etc/resolver.ldap.xml
    urn:mace:dir:attribute-def:eduPersonAffiliation
  <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.PropertyFileGroupLookup" separator="%PRINCIPAL%.">
    file:///usr/local/shibboleth-idp/etc/sample.grouplookup.properties
    institutionalGroupList
    groupList

Slide 36: Group Information sources
- Example of group names in a flat file:
  debian> cd /usr/local/shibboleth-idp/etc
  debian> cat sample.grouplookup.properties
  #Sample group lookup using PropertyFileGroupLookup
  #this defines institutional-wide groups
  institutionalGroupList=Administrator, Staff, Researcher
  #an example of local groups
  groupList=Library, Physics, Biology, Walk-in
  #user based attributes specifying the groups
  #ann.eduPersonAffiliation=Researcher
  #staff.eduPersonAffiliation=Staff
  #librarian.eduPersonAffiliation=HeadOfSchool, Staff, Librarian
  debian>
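An added example of reading this flat file and resolving a principal's groups, in the style the slide 35 configuration implies (a PropertyFileGroupLookup with separator="%PRINCIPAL%.", and institutionalGroupList and groupList naming the declared groups). This is not the MAMS PropertyFileGroupLookup class: the parsing rules, the treatment of the separator as a key template and the handling of group names that appear on a user's line without being declared in either list are assumptions of the example. The sample input is the slide 36 file with its commented user lines enabled.

```python
"""Flat-file group lookup in the style of PropertyFileGroupLookup (slides 35-36).

Added example, not the MAMS PropertyFileGroupLookup implementation. Parsing
rules, the key template and undeclared-group handling are assumptions.
"""
from __future__ import annotations

# Constructed sample: the slide 36 file with the commented user lines enabled.
SAMPLE_PROPERTIES = """\
#Sample group lookup using PropertyFileGroupLookup
#this defines institutional-wide groups
institutionalGroupList=Administrator, Staff, Researcher
#an example of local groups
groupList=Library, Physics, Biology, Walk-in
#user based attributes specifying the groups
ann.eduPersonAffiliation=Researcher
staff.eduPersonAffiliation=Staff
librarian.eduPersonAffiliation=HeadOfSchool, Staff, Librarian
"""

SEPARATOR_TEMPLATE = "%PRINCIPAL%."      # separator="..." from the slide 35 config
GROUP_ATTRIBUTE = "eduPersonAffiliation"  # attribute named on slide 35


def parse_properties(text: str) -> dict[str, list[str]]:
    """Minimal properties parser: key=v1, v2 lines, '#'/'!' comments, comma-split values."""
    props: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue   # tolerate a malformed line rather than abort the lookup
        props[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return props


def declared_groups(props: dict[str, list[str]]) -> set[str]:
    """Groups an ARP may be written for: the institutional list plus the local list."""
    return set(props.get("institutionalGroupList", [])) | set(props.get("groupList", []))


def lookup_groups(props: dict[str, list[str]], principal: str) -> tuple[set[str], set[str]]:
    """Return (declared groups the principal belongs to, undeclared names on their line).

    The key is built from the separator template, so "ann" matches only
    "ann.eduPersonAffiliation" and not, say, "anne.eduPersonAffiliation".
    """
    key = SEPARATOR_TEMPLATE.replace("%PRINCIPAL%", principal) + GROUP_ATTRIBUTE
    claimed = set(props.get(key, []))
    known = declared_groups(props)
    return claimed & known, claimed - known


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for who in ("ann", "staff", "librarian", "nobody"):
        member_of, undeclared = lookup_groups(props, who)
        print(f"{who}: groups={sorted(member_of)} undeclared={sorted(undeclared)}")
```

Reporting undeclared names separately makes a typo visible: in the sample file the librarian line names HeadOfSchool and Librarian, neither of which is declared (the local list has Library), so a group ARP for either would never match anyone until the file is corrected.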

Slide 37: Service Description Schema
- The SD XML schema includes the following @attributes and elements:
  - Service Provider: identifier, name, location, description, service-independent attributes
  - Service: @identifier, name, description, location, reference, service-specific level-independent attributes
  - Service Level: @identifier, name, description, reference, level-specific attributes

Slide 38: Service Description Example (XML; element tags other than the closing one were lost in extraction, values shown in document order with the slide 37 field they correspond to)
  urn:mace:federation.org.au:testfed:level-1:federation.org.au   (Service Provider identifier)
  Sandstone University   (Service Provider name)
  https://demo.federation.org.au   (Service Provider location)
  Online Services for Physics Researchers   (Service Provider description)
  Laser and Optical Physics Database   (Service name)
  Data Generated by Physics Researchers   (Service description)
  https://demo.federation.org.au/SharpeJSPDemo/demo.jsp   (Service location)
  Gold Access   (Service Level name)
  Search, View, Query, Comment on Data   (Service Level description)
  …
</ServiceProvider>
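Slide 37 lists attribute requirements at three scopes (Service Provider, Service, Service Level), and slide 25 says the Service Description is what lets admins and users see which attributes a level needs. The following added example parses a constructed Service Description and combines the three scopes into the requirement set for one level. It is not ShARPE's schema or importer: the element and attribute names (ServiceProvider, Service, ServiceLevel, Attribute, identifier=..., name=...) are assumptions chosen to fit the slide 37 field list, the text values are taken from slide 38 where available (the Bronze level and all attribute names are constructed), and real ShARPE files will differ.

```python
"""Attribute requirements per service level from a Service Description (slides 25, 37, 38).

Added example, not ShARPE's Service Description schema or importer. Element
and attribute names are assumptions fitted to the slide 37 field list.
"""
import xml.etree.ElementTree as ET

# Constructed SD: slide 38 values where the slide gives them, the rest made up.
SAMPLE_SD = """\
<ServiceProvider identifier="urn:mace:federation.org.au:testfed:level-1:federation.org.au">
  <Name>Sandstone University</Name>
  <Location>https://demo.federation.org.au</Location>
  <Description>Online Services for Physics Researchers</Description>
  <Attribute name="eduPersonAffiliation"/>
  <Service identifier="physics-db">
    <Name>Laser and Optical Physics Database</Name>
    <Description>Data Generated by Physics Researchers</Description>
    <Location>https://demo.federation.org.au/SharpeJSPDemo/demo.jsp</Location>
    <Attribute name="eduPersonScopedAffiliation"/>
    <ServiceLevel identifier="bronze">
      <Name>Bronze Access</Name>
      <Description>Search and View Data</Description>
    </ServiceLevel>
    <ServiceLevel identifier="gold">
      <Name>Gold Access</Name>
      <Description>Search, View, Query, Comment on Data</Description>
      <Attribute name="mail"/>
      <Attribute name="displayName"/>
    </ServiceLevel>
  </Service>
</ServiceProvider>
"""


def load_sd(text: str) -> ET.Element:
    return ET.fromstring(text)


def _attr_names(el: ET.Element) -> set[str]:
    """Attribute requirements declared directly on one element (one scope)."""
    return {a.get("name") for a in el.findall("Attribute") if a.get("name")}


def _child_by_id(parent: ET.Element, tag: str, ident: str) -> ET.Element:
    for el in parent.findall(tag):
        if el.get("identifier") == ident:
            return el
    raise KeyError(f"{tag} {ident!r} not in service description")


def required_attributes(sd: ET.Element, service_id: str, level_id: str) -> set[str]:
    """SP-wide + service-wide + level-specific attributes, the union slide 37 implies."""
    service = _child_by_id(sd, "Service", service_id)
    level = _child_by_id(service, "ServiceLevel", level_id)
    return _attr_names(sd) | _attr_names(service) | _attr_names(level)


def reachable_levels(sd: ET.Element, service_id: str, released: set[str]) -> list[str]:
    """Levels whose full requirement set is covered by the released attributes.

    Levels are checked independently, matching slide 7's note that service
    levels are not necessarily hierarchical.
    """
    service = _child_by_id(sd, "Service", service_id)
    return [lvl.get("identifier") for lvl in service.findall("ServiceLevel")
            if required_attributes(sd, service_id, lvl.get("identifier")) <= released]


if __name__ == "__main__":
    sd = load_sd(SAMPLE_SD)
    for lvl in ("bronze", "gold"):
        print(lvl, sorted(required_attributes(sd, "physics-db", lvl)))
    print(reachable_levels(sd, "physics-db", {"eduPersonAffiliation", "eduPersonScopedAffiliation"}))
```

This is the computation an ARP editor needs in both directions: ShARPE derives the site or group ARP for a level from required_attributes, and Autograph can show a user which levels their current release set still reaches via reachable_levels.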
