META ACCESS MANAGEMENT SYSTEM (10/21/2015): Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph. I2MM April 2006. Neil Witheridge, MAMS Project Manager.

Presentation transcript:

Slide 1: Title slide. Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph. I2MM April 2006. Neil Witheridge, MAMS Project Manager.

Slide 2: Problem Statement
- ARP Administration (ShARPE): ARP administrators need a ‘zero effort’ approach to implementing an access agreement with an SP, i.e. setting up site and group ARPs to supply the required attributes.
- User Privacy Control (Autograph): there is a ‘real world’ requirement for privacy management, i.e. end-user control over the release of privacy-sensitive attributes. A ‘zero-effort’ GUI interface is required.

Slide 3: Evaluation Release
- ShARPE and Autograph (version 0.7) released for evaluation purposes.
- Elicitation of ‘real world’ requirements: as Shibboleth stakeholders (IdP and SP administrators and users), do these tools satisfy your requirements for ARP management?
- Feedback requested on usefulness and usability.

Slide 4: Shibboleth Attribute Release Policy
- Shibboleth provides for privacy control through Attribute Release Policies (ARPs).
- ARPs are rules specifying which attributes may be released to an SP, for IdP members in general or for specific individuals.
- ARPs are applied after user authentication and opaque handle delivery to the SP.
[Diagram: the SP (Protected Service, Attribute Consumer Service, AAP) sends (1) a SAML Attribute Request + handle to the IdP's Attribute Authority, which applies the ARPs to the User Attributes and returns (2) a SAML Attribute Response.]

Slide 5: Info Available To Protected App Via HTTP header
(standard header parameters)
host = demo.federation.org.au
user-agent = Mozilla/5.0; accept = …; accept-encoding = …; accept-charset =
Keep-Alive = 300 ; connection = keep-alive
referer =
cookie = …
(Shibboleth specific parameters)
Shib-Identity-Provider = urn:mace:federation.org.au:testfed:level-1:openidp.mams.org.au
Shib-Authentication-Method = urn:oasis:names:tc:SAML:1.0:am:unspecified
(User Attributes)
Shib-EP-UnscopedAffiliation = Staff;Physics
Shib-Person-nickname = Sue

Slide 6: Attributes – IdP context
- Key:Value pairs, e.g. eduPersonAffiliation:Physics.
- User information is stored within the institutional directory, e.g. LDAP.
- The directory schema determines the available keys (attribute names).
- Standardised schemas, e.g. person, organizationalPerson, inetOrgPerson, eduPerson…
- Custom schema for institution-specific data: elements that don't have a clear mapping to standard schemas.

Slide 7: Attributes – SP context
- Received user attributes (in the SAML assertion from the IdP) are the basis of access control.
- They determine service or service-feature accessibility.
- Service levels are not necessarily hierarchical.
- Potential for complex attribute-based access control: university, campus, role, discipline, course, year, group…
- SP attribute requirements must conform to a standard schema or be mappable from the IdP attribute schema.
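The following is an added example, not code from the slides or from ShARPE. It shows how a Shibboleth-protected application would read the Shib-* request headers of slide 5 into multi-valued attributes (the Shibboleth SP joins several values of one attribute with ';') and derive a service level from them, as slide 7 describes. The trusted-IdP set and the gold/bronze rules are assumptions chosen to match the Physics scenario in the deck.

```python
"""Added example: deriving an SP service level from Shib-* request headers."""
from typing import Dict, List, Optional

# Constructed request headers, modelled on slide 5 (not captured traffic).
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "demo.federation.org.au",
    "User-Agent": "Mozilla/5.0",
    "Shib-Identity-Provider": "urn:mace:federation.org.au:testfed:level-1:openidp.mams.org.au",
    "Shib-Authentication-Method": "urn:oasis:names:tc:SAML:1.0:am:unspecified",
    "Shib-EP-UnscopedAffiliation": "Staff;Physics",
    "Shib-Person-nickname": "Sue",
}

# IdPs this application accepts sessions from (assumption: the test IdP only).
TRUSTED_IDPS = {"urn:mace:federation.org.au:testfed:level-1:openidp.mams.org.au"}

# Hypothetical service-level policy, ordered from most to least privileged:
# each level lists attribute values that must all be present.
LEVEL_RULES = [
    ("gold", {"Shib-EP-UnscopedAffiliation": {"Physics"}}),
    ("bronze", {}),  # any session from a trusted IdP
]


def parse_shib_attributes(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Collect Shib-* headers as multi-valued attributes.

    'Staff;Physics' becomes ['Staff', 'Physics']. Ordinary HTTP headers
    (Host, User-Agent, ...) carry no user attributes and are skipped.
    """
    attrs: Dict[str, List[str]] = {}
    for name, value in headers.items():
        if not name.lower().startswith("shib-"):
            continue
        attrs[name] = [v.strip() for v in value.split(";") if v.strip()]
    return attrs


def service_level(attrs: Dict[str, List[str]]) -> Optional[str]:
    """Highest service level the released attributes qualify for, or None
    when the session did not come from a trusted IdP."""
    idp = attrs.get("Shib-Identity-Provider", [])
    if len(idp) != 1 or idp[0] not in TRUSTED_IDPS:
        return None
    for level, required in LEVEL_RULES:
        if all(needed <= set(attrs.get(name, [])) for name, needed in required.items()):
            return level
    return None


if __name__ == "__main__":
    attrs = parse_shib_attributes(SAMPLE_HEADERS)
    print(attrs)
    print("service level:", service_level(attrs))
```

These headers are only meaningful when every request has passed through the Shibboleth SP module in front of the application, because that module is what stops a client from supplying its own Shib-* headers; the application itself should never be reachable by any other path.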

Slide 8: Current Shib Federations
- Current generation of Shib Federations: 1st generation?
- Simple approach to access control, attributes and attribute management.
- How will SPs use attributes as Federated IAM evolves?
- Greater use of user attributes for service differentiation.
- Increasing service complexity (service features) and demand for user attributes.

Slide 9: Emerging Federated Services
- Institutional Repositories and CMSs: more fine-grained protection of resources based on user attributes.
- Virtual Organisations and GRID Services: inter-organisational, national -> international collaboration.
- Virtual Librarian (MAMS service development): example MAMS Shibbolised Service; needs a relatively rich set of attributes.

Slide 10: Current ARP Management
- SP attribute requirements are negotiated and agreed manually (not scalable).
- Site and User ARPs only; no Group ARPs.
- Lack of service information for users (what attributes are required and released, and for what reason).
- Lack of an interface for user ARP control: users can't access ARP files.

Slide 11: Shibboleth ARP Editing Tools
- Provide a GUI-based editor to enable ARP admins to implement access contracts and users to manage their ARPs.
- Provide visibility to the user of: attributes required by services; attributes released to services; the service received in return for attributes.
- Enable users to change their ARPs and hence exercise privacy control.

Slide 12: New features (in order to provide a comprehensive GUI for creation of ARPs)
- Group ARPs: current Shibboleth supports only site and user ARPs.
- Service Descriptions: comprehensive information about an SP’s service, service levels and attribute requirements.
- Attribute Mapping: support for mapping between IdP and SP schemas.

Slide 13: ShARPE – ARP Administrator
ARP Admin:
- Import Service Description (Physics research database from Sandstone Uni).
- Create site ARP (all communities get bronze access).
- Create group ARP (Physics community gets gold access).

Slide 14: (no transcript text)

Slide 15: SandstoneUniServiceDescription.xml

Slide 16: arp.site.xml

Slide 17: (no transcript text)

Slide 18: arp.group.Physics.xml

Slide 19: Autograph – IdP Member
- IdP member: Susannah Halmay, Physics staff member.
- View attributes released.
- Deny release of attributes required for Gold access.

Slide 20: (no transcript text)

Slide 21: (no transcript text)

Slide 22: arp.user.sue.xml

Slide 23: Group ARPs
- How will contracts be established between an IdP and SPs?
- Groups within institutions (IdPs) create agreements, possibly requiring a subscription involving formal T&Cs and/or payment.
- An attribute release policy is defined for the group, with appropriate static values (e.g. a contract number).
- Members receive the attribute release policy by virtue of group membership.
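As an added example (not ShARPE's own code), here is an evaluator for the three ARP scopes the deck walks through: the site ARP of slide 13 (everyone gets the bronze attribute), the Physics group ARP of slides 13 and 23 (members additionally release what gold access needs), and the user ARP that Autograph writes in slide 19 (Sue denies the gold attribute). The rule semantics are the Shibboleth ARP model, in which a deny rule for an attribute overrides any permit for it; the rule contents, the user records and the choice of mail as the gold-access attribute are constructed, and the SP identifier is the one from slide 38.

```python
"""Added example: combining site, group and user ARPs with deny-overrides-permit."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

ANY = None  # stands for an AnyValue rule (all values of the attribute)


@dataclass(frozen=True)
class ArpRule:
    requester: str   # SP the rule targets, or "*" for any requester
    attribute: str
    release: str     # "permit" or "deny"
    values: Optional[FrozenSet[str]] = ANY


@dataclass(frozen=True)
class Arp:
    scope: str       # "site", "group:<name>" or "user:<principal>"
    rules: tuple


# SP identifier from slide 38; ARP contents modelled on slides 13 and 19.
SANDSTONE_SP = "urn:mace:federation.org.au:testfed:level-1:federation.org.au"

ARPS = (
    # Site ARP: everyone gets bronze access, which needs only the affiliation.
    Arp("site", (ArpRule(SANDSTONE_SP, "eduPersonAffiliation", "permit"),)),
    # Group ARP: Physics members also release mail, which gold access needs.
    Arp("group:Physics", (ArpRule(SANDSTONE_SP, "mail", "permit"),)),
    # User ARP written by Autograph: Sue declines the gold-access attribute.
    Arp("user:sue", (ArpRule(SANDSTONE_SP, "mail", "deny"),)),
)


def arp_applies(arp: Arp, principal: str, groups: Set[str]) -> bool:
    kind, _, name = arp.scope.partition(":")
    return (kind == "site" or (kind == "group" and name in groups)
            or (kind == "user" and name == principal))


def _collect(arps, principal, groups, requester, release):
    """Union of all matching rules of one kind: attribute -> value set, or ANY."""
    out: Dict[str, Optional[Set[str]]] = {}
    for arp in arps:
        if not arp_applies(arp, principal, groups):
            continue
        for rule in arp.rules:
            if rule.release != release or rule.requester not in ("*", requester):
                continue
            if rule.values is ANY or out.get(rule.attribute, set()) is ANY:
                out[rule.attribute] = ANY
            else:
                out.setdefault(rule.attribute, set()).update(rule.values)
    return out


def released_attributes(principal, groups, user_attrs, requester, arps=ARPS):
    """Attributes (and values) the IdP releases to `requester` for `principal`."""
    permits = _collect(arps, principal, groups, requester, "permit")
    denies = _collect(arps, principal, groups, requester, "deny")
    released: Dict[str, List[str]] = {}
    for attr, values in user_attrs.items():
        if attr not in permits:
            continue                       # nothing permits it: not released
        allowed = set(values) if permits[attr] is ANY else set(values) & permits[attr]
        if attr in denies:                 # deny overrides permit
            allowed = set() if denies[attr] is ANY else allowed - denies[attr]
        if allowed:
            released[attr] = sorted(allowed)
    return released


# Constructed user records: (group memberships, directory attributes).
USERS = {
    "sue": ({"Physics"}, {"eduPersonAffiliation": ["Staff", "Physics"],
                          "mail": ["sue@sandstone.example"], "displayName": ["Sue"]}),
    "ann": ({"Physics"}, {"eduPersonAffiliation": ["Researcher", "Physics"],
                          "mail": ["ann@sandstone.example"]}),
    "bob": ({"Biology"}, {"eduPersonAffiliation": ["Staff", "Biology"],
                          "mail": ["bob@sandstone.example"]}),
}


def release_for(principal: str, requester: str = SANDSTONE_SP) -> Dict[str, List[str]]:
    groups, attrs = USERS[principal]
    return released_attributes(principal, groups, attrs, requester)


if __name__ == "__main__":
    for who in USERS:
        print(who, "->", release_for(who))
```

Two properties are worth noticing: displayName is never released because no ARP permits it (release is default-deny), and Sue's own deny wins over the group permit, which is what lets Autograph give her privacy control without touching the group ARP.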

Slide 24: Group Information sources
- List of groups and IdP member group-membership information, from: the institutional directory; flat files.
- Responsibility for Group ARP administration?
- Future: Grouper and Signet.

Slide 25: Service Descriptions
- SP’s service and service-level descriptions and attribute requirements.
- Services may provide service levels (different functionality) based on supplied attributes, e.g. for an institutional repository or publisher: read access, adding comments/rank/annotations, submit access…
- Comprehensive Service Provider information is needed by both admins and users for ‘sensible’ attribute management.
- ShARPE introduces ‘Service Description’ metadata to support a ‘fully informative’ GUI.

Slide 26: Service Description Editor

Slide 27: Service Description Editor

Slide 28: Attribute Mapping
- Requirement to map between IdP and SP schemas (standard/custom to standard/custom…).
- Attribute mapping functions: one-to-one mapping; concatenation; static value assignment; hashing (e.g. TargetedID).
- Examples. Simple: ‘ ’ to ‘mail’, or ‘gender’ to ‘sex’. Complex: creating targetedID (e.g. hash(concat(SPname, ))).
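The four mapping functions of this slide, implemented as composable mappers in an added example that is not from the slides or ShARPE. The IdP-side source names (email, gender, uid), the contract number and the hashing construction are assumptions: the slide only says hash(concat(SPname, ...)), and this example uses a keyed SHA-256 with an IdP-held secret so that the targeted identifier cannot be recomputed by an outsider who knows the SP name and can enumerate user ids.

```python
"""Added example: one-to-one, concatenation, static and hashed attribute mapping."""
import hashlib
import hmac
from typing import Callable, Dict, List

Attrs = Dict[str, List[str]]
Mapper = Callable[[Attrs, str], List[str]]  # (idp attributes, requesting SP) -> values

# Assumed secret kept by the IdP. Without it, hash(concat(SPname, uid)) could be
# recomputed by anyone able to enumerate uids, defeating the targeted identifier.
IDP_SALT = b"constructed-salt-not-a-real-secret"


def one_to_one(src: str) -> Mapper:
    """Rename an attribute, keeping all its values."""
    return lambda attrs, sp: list(attrs.get(src, []))


def static(value: str) -> Mapper:
    """Assign a fixed value, e.g. the contract number of a group agreement."""
    return lambda attrs, sp: [value]


def requester() -> Mapper:
    """Expose the requesting SP's identifier as an input to other mappers."""
    return lambda attrs, sp: [sp]


def concat(*parts: Mapper, sep: str = "") -> Mapper:
    """Join the first value of each part; empty when any part has no value."""
    def run(attrs: Attrs, sp: str) -> List[str]:
        values = [p(attrs, sp) for p in parts]
        if any(not v for v in values):
            return []
        return [sep.join(v[0] for v in values)]
    return run


def hashed(inner: Mapper) -> Mapper:
    """Keyed SHA-256 of each inner value, hex encoded (assumed construction)."""
    def run(attrs: Attrs, sp: str) -> List[str]:
        return [hmac.new(IDP_SALT, v.encode(), hashlib.sha256).hexdigest()
                for v in inner(attrs, sp)]
    return run


# SP-schema attribute -> how to derive it from the IdP schema.
MAPPING: Dict[str, Mapper] = {
    "mail": one_to_one("email"),                          # 'email' is an assumed IdP name
    "sex": one_to_one("gender"),
    "contractNumber": static("SANDSTONE-PHYS-2006-01"),   # constructed value
    "eduPersonTargetedID": hashed(concat(requester(), one_to_one("uid"), sep="!")),
}


def map_attributes(idp_attrs: Attrs, sp: str, mapping=MAPPING) -> Attrs:
    """Apply the mapping; attributes with no resulting value are omitted."""
    out: Attrs = {}
    for name, fn in mapping.items():
        values = fn(idp_attrs, sp)
        if values:
            out[name] = values
    return out


# Constructed IdP record and SP identifiers (SP_A is the one on slide 38).
SUE = {"uid": ["sue"], "email": ["sue@sandstone.example"], "gender": ["F"]}
SP_A = "urn:mace:federation.org.au:testfed:level-1:federation.org.au"
SP_B = "urn:example:another-sp"

if __name__ == "__main__":
    print(map_attributes(SUE, SP_A))
```

Because the SP name is part of the hashed input, the same user gets a different targeted identifier at each SP, which is the unlinkability property the identifier is meant to provide.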

Slide 29: Attribute Mapping GUI

Slide 30: Evaluating ShARPE & Autograph
- View Flash Demonstrations via
- Experiment with Autograph using a pre-configured ‘openIdP’.
- Install your own evaluation IdP including ShARPE and Autograph: NMI Edit software release 9; MAMS’ Easy Installation IdP with ShARPE.

Slide 31: Evaluating ShARPE & Autograph (cont’d)
- Install on top of an existing IdP.
- Qualifications: Attribute Mapping is optional functionality (it can be disabled at installation). Attribute mapping is relatively complex and changes the resolver file; it is not intended to be deployed on production systems. ShARPE and Autograph without attribute mapping only write to ARPs.

Slide 32: Thank you. Questions?

Slide 33: Shibboleth Architecture
Shibboleth Federation components:
- Service Provider: provides services accessible via the web; wants to focus on core business and avoid the risks of managing users’ confidential info.
- WAYF.
- User: belongs to an organisation which manages her identity; has privacy concerns.
- Identity Provider: secure identity management is a core business requirement.

Slide 34: Background: Shibboleth
- Standards based (SAML).
- Open source middleware.
- Provides Web Single Sign-On (SSO) across or within institutional boundaries; SSO using session cookies.
- Provides secure transfer of user attributes between the user’s Identity Provider (IdP) and Service Providers (SPs).

Slide 35: Group Information sources (IdP configuration fragment; the inner element tags around the values are missing from the transcript)
<ArpRepository implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.provider.MAMSFileSystemArpRepository">
file:/usr/local/shibboleth-idp/etc/arps/
<GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.AttributeResolverGroupLookup">
<ResolverConfig implementation="edu.internet2.middleware.shibboleth.aa.attrresolv.MAMSAttributeResolver">
file:///usr/local/shibboleth-idp/etc/resolver.ldap.xml
urn:mace:dir:attribute-def:eduPersonAffiliation
<GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.PropertyFileGroupLookup" separator="%PRINCIPAL%.">
file:///usr/local/shibboleth-idp/etc/sample.grouplookup.properties
institutionalGroupList
groupList

Slide 36: Group Information sources
Example of group names in flat file:
debian> cd /usr/local/shibboleth-idp/etc
debian> cat sample.grouplookup.properties
#Sample group lookup using PropertyFileGroupLookup
#this defines institutional-wide groups
institutionalGroupList=Administrator, Staff, Researcher
#an example of local groups
groupList=Library, Physics, Biology, Walk-in
#user based attributes specifying the groups
#ann.eduPersonAffiliation=Researcher
#staff.eduPersonAffiliation=Staff
#librarian.eduPersonAffiliation=HeadOfSchool, Staff, Librarian
debian>
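An added example, not ShARPE's own PropertyFileGroupLookup, of reading this flat file: the two list keys declare the group names, and the remaining keys use the layout that slide 35 configures with separator="%PRINCIPAL%." (key = principal, ".", attribute name). The sample below is constructed from the slide with the per-user lines uncommented so they take effect; dropping per-user values that name no declared group is a design choice of this example, made so that a typo in a user line cannot place someone in a group the administrator never listed.

```python
"""Added example: parsing a grouplookup.properties file into group memberships."""
from typing import Dict, List, Set, Tuple

# Constructed file modelled on sample.grouplookup.properties (slide 36),
# with the per-user lines uncommented.
SAMPLE_PROPERTIES = """\
#Sample group lookup using PropertyFileGroupLookup
#this defines institutional-wide groups
institutionalGroupList=Administrator, Staff, Researcher
#an example of local groups
groupList=Library, Physics, Biology, Walk-in
#user based attributes specifying the groups
ann.eduPersonAffiliation=Researcher
staff.eduPersonAffiliation=Staff
librarian.eduPersonAffiliation=HeadOfSchool, Staff, Librarian
"""

GROUP_LIST_KEYS = ("institutionalGroupList", "groupList")
Membership = Dict[str, Dict[str, List[str]]]  # principal -> attribute -> values


def parse_group_lookup(text: str) -> Tuple[Set[str], Membership]:
    """Return the declared group names and the per-principal attribute values."""
    declared: Set[str] = set()
    membership: Membership = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # comment or blank line
        key, sep, value = line.partition("=")
        if not sep:
            continue                          # not a key=value line; ignore
        key = key.strip()
        values = [v.strip() for v in value.split(",") if v.strip()]
        if key in GROUP_LIST_KEYS:
            declared.update(values)
        elif "." in key:                      # "<principal>.<attribute>"
            principal, attribute = key.split(".", 1)
            membership.setdefault(principal, {}).setdefault(attribute, []).extend(values)
    return declared, membership


def groups_for(principal: str, text: str = SAMPLE_PROPERTIES,
               attribute: str = "eduPersonAffiliation") -> List[str]:
    """Groups the principal belongs to, restricted to declared group names."""
    declared, membership = parse_group_lookup(text)
    values = membership.get(principal, {}).get(attribute, [])
    return sorted(v for v in values if v in declared)


def undeclared_values(text: str = SAMPLE_PROPERTIES) -> List[str]:
    """Per-user values that name no declared group: worth flagging to the ARP admin."""
    declared, membership = parse_group_lookup(text)
    found = {v for attrs in membership.values() for vals in attrs.values() for v in vals}
    return sorted(found - declared)


if __name__ == "__main__":
    for who in ("ann", "staff", "librarian"):
        print(who, "->", groups_for(who))
    print("undeclared:", undeclared_values())
```

With the sample file, librarian resolves to Staff only, while HeadOfSchool and Librarian are reported as undeclared rather than silently becoming groups.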

Slide 37: Service Description Schema
The SD XML schema includes the and elements:
- Service Provider identifier, name, location, description, service-independent attributes
- name, description, location, reference, service-specific level-independent attributes
- Service name, description, reference, level-specific attributes

3810/21/2015 META ACCESS MANAGEMENT SYSTEM Service Description Example urn:mace:federation.org.au:testfed:level- 1:federation.org.au urn:mace:federation.org.au:testfed:level- 1:federation.org.au Sandstone University Sandstone University Online Services for Physics Researchers Online Services for Physics Researchers Laser and Optical Physics Database Laser and Optical Physics Database Data Generated by Physics Researchers Data Generated by Physics Researchers Gold Access Gold Access Search, View, Query, Comment on Data Search, View, Query, Comment on Data … … </ServiceProvider>