Shibboleth and uApprove at University of Michigan

Shibboleth and uApprove at University of Michigan Luke Tracy – ltracy@umich.edu Ken Hammer – khammer@umich.edu

What is uApprove?

Developed by SWITCHaai under the BSD License: http://www.switch.ch/aai/support/tools/uApprove.html

Purposes:
- For the user: a mechanism to be informed about the release of attributes to a Service Provider (SP).
- For the admin of an Identity Provider (IdP): provides a tool to implement data protection laws by requiring user consent to be obtained before personal attributes are released to an SP, and allows for collection of information about the release of attributes and accesses to SPs (if configured to do so).

Source: http://www.switch.ch/aai/support/tools/uApprove.html on June 15, 2010.

What is uApprove? (continued)

From the user's point of view, uApprove is an application which presents a web page on which to:
- accept or decline the Terms of Use of a Shibboleth Identity Provider upon first access to the system (optional)
- globally accept the release of attributes to any/all Service Providers
- accept the release of attributes upon first access to a given Service Provider (if the global release has not been approved)

Note: the user can reset attribute release consent on a separate web page, such that he/she will be asked again whenever attributes have to be released.

Source: http://www.switch.ch/aai/support/tools/uApprove.html on June 15, 2010.

U of M Attribute Release
- InCommon IdP had been operating in Pilot Mode
- Opt-in required
- Temporarily provided a means to approve the release of identity data
- To move beyond Pilot: remove barriers, make the process more self-describing

Governance Board
- Investigated how others were handling privacy concerns around attribute release
- Found a common desire to let individuals approve the release of their attributes
- Saw mention of uApprove being used within SWITCH
- Demonstrated uApprove to the IDM Governance Board
- Board liked it, but had issues with changes to data and privacy settings after approval to release had been given
- Looked into methods of detecting state changes and forcing re-approval

uApprove
- Determined the best method was to prompt each time (until a more elegant solution was possible, maybe)
- Discussed with the uApprove developers a method for forcing the prompt every time
- Decided together that, in the short term, using database triggers was optimal

Demo

User Visits Site and Selects Home University

User Logs In Using Our Single Sign On Tool

User is presented with the uApprove screen

If the user declines…

If the user approves…

uApprove configuration
- Can use a flat file or a MySQL database for preferences
- Can be disabled on a per-SP basis
- Can configure which attributes are displayed and in what order
- Optional "Terms of Use" screen
- Multiple options for resetting preferences

By default, uApprove displays all of the attributes being released to a particular SP, in the order they are defined. You can customize the order, or suppress fields, in the uApprove configuration (uApprove/attribute-list). We hide attributes that we think users would find confusing (eduPersonEntitlement, ePTID). Suppressing an attribute changes only what the consent page shows, not what the IdP releases to the SP.

uApprove can display a "Terms of Use" screen, which requires user consent. We turned that off.

uApprove can use a flat file for preferences, or a MySQL database. Why does it need a database, and what does it track? Four tables, used to record when a user has accessed a site, when they last approved release, and so on. The normal configuration is to prompt on the first visit to every site, or only once ever.

uApprove can be disabled entirely on a per-SP basis.

uApprove offers two means of allowing users to reset their preferences: either by adding a checkbox to whatever is providing the Shibboleth login screen, or by means of a directly accessed application (they are really two paths into the same app).

Normally, uApprove looks like this…
- Presentation controlled by .jsp templates
- Template text strings stored separately to make translation easy
- This can be customized by unpacking the .war file

Application presentation is handled by a number of templates in the form of .jsp files. We were able to apply our SSO's skin to uApprove by altering the header and footer files. The text strings used to populate the templates are in WEB-INF/classes. SWITCH wrote uApprove with language localization in mind.

U-M localizations
- Database trigger / cron job combination to effect our desired login behavior
- Applied our SSO "skin" to the application
- Changed text to better suit our audience

The first time someone logs into an SP, an entry is inserted into uapprove.ProviderAccess and into uapprove.AttrReleaseApproval. On subsequent logins, those tables are checked, and if entries exist, the "digital ID card" is not displayed.

We originally wanted to add a configuration switch that would allow us to display the attribute approval screen every time, presumably by preventing the database inserts. We contacted SWITCH with this feature request and were told they were re-architecting the software. Together, we came up with the idea of using database triggers to delete the inserted records, creating the desired effect. We based our solution on the application SWITCH provides for resetting user preferences.

Tables involved:
- uapprove.ProviderAccess (this is the important one)
- uapprove.AttrReleaseApproval

We originally planned on using two triggers:

1) Trigger on INSERT into uapprove.ProviderAccess:
   BEGIN
     DELETE FROM AttrReleaseApproval
      WHERE idxAttrReleaseApproval = NEW.paIdxAttrReleaseApproval;
   END

2) Trigger on INSERT into uapprove.AttrReleaseApproval

This didn't work, because both inserts happen at the same time. We ended up using the single trigger (1) in combination with a cron job that periodically deletes entries from the uapprove.ProviderAccess table.
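The trigger-plus-cron arrangement described in the two slides above, written out as runnable MySQL. This is an added example, not the U-M or SWITCH code: the table names uapprove.ProviderAccess and uapprove.AttrReleaseApproval and the columns idxAttrReleaseApproval and paIdxAttrReleaseApproval come from the slides; the trigger name and the check queries at the end are assumptions.

```sql
-- Added example (not the U-M or SWITCH code). Forces uApprove to show the
-- attribute release screen on every login, as the slides describe:
--   1. a trigger removes the consent row as soon as the "first visit" row is
--      written, so the consent check fails on the next login;
--   2. a periodic job removes the "first visit" rows, so the insert (and the
--      trigger) happens again next time.
-- Table/column names are from the slides; the trigger name is an assumption.

DELIMITER $$

CREATE TRIGGER uapprove_reset_consent
AFTER INSERT ON uapprove.ProviderAccess
FOR EACH ROW
BEGIN
    -- Drop the consent record that uApprove just stored for this SP access.
    DELETE FROM uapprove.AttrReleaseApproval
     WHERE idxAttrReleaseApproval = NEW.paIdxAttrReleaseApproval;
END$$

DELIMITER ;

-- The slides report that a second trigger on AttrReleaseApproval did not work
-- because both inserts happen at the same time, hence this cleanup instead.
-- Run it from cron (for example: mysql uapprove -e "DELETE FROM ProviderAccess").
-- Note that it clears the table for every user and every SP, which is the
-- intended effect here: no "already visited" state survives between logins.
DELETE FROM uapprove.ProviderAccess;

-- Check after a test login plus one cleanup run: both counts should be 0.
-- A surviving AttrReleaseApproval row means the trigger did not fire; a
-- surviving ProviderAccess row means the cron job has not run yet.
SELECT COUNT(*) AS leftover_consents FROM uapprove.AttrReleaseApproval;
SELECT COUNT(*) AS leftover_accesses FROM uapprove.ProviderAccess;
```

Because the trigger deletes from a different table than the one it is attached to, MySQL allows it; a trigger that tried to delete from AttrReleaseApproval on its own INSERT would not be permitted, which is one more reason the single-trigger-plus-cron form is the workable one.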

attribute-resolver.xml

<resolver:AttributeDefinition id="displayName" xsi:type="Simple"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="displayName">
  <resolver:Dependency ref="mcomm" />
  <resolver:DisplayName xml:lang="en">Full Name</resolver:DisplayName>
  <resolver:DisplayDescription xml:lang="en">This is your full name.</resolver:DisplayDescription>
  ...
</resolver:AttributeDefinition>

uApprove lets you replace Shibboleth attribute names with "user friendly" strings by adding child elements to the attribute definition elements, e.g.:

<resolver:DisplayName xml:lang="en">Full Name</resolver:DisplayName>

uApprove also lets you provide a "hover" with further explanation, again by adding child elements to the attribute definition, e.g.:

<resolver:DisplayDescription xml:lang="en">This is your full name.</resolver:DisplayDescription>

The same elements, with a different xml:lang value, are used for language localization.

Resources
- uApprove: http://www.switch.ch/aai/support/tools/uApprove.html
- U-M InCommon Attribute Release Policy and Procedure: http://www.itd.umich.edu/itcsdocs/r1465/