Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Attribute and the ecosystem

Published byElijah Lucas Modified over 5 years ago

Similar presentations

Presentation on theme: "The Attribute and the ecosystem"— Presentation transcript:

1 The Attribute and the ecosystem

2 Topics Basics Common Schema Complexity and Extensibility
LOA of attributes Privacy Naming Complexity and Extensibility Tagging Complexity vs Metadata IdP releasing vs SP asking Query languages Dealing with Aggregation

3 Killer Attributes (and the applications that love them)
Human readable identifiers address, eppn, display name, etc Opaque identifiers ePTID Affiliation Citizenship Over legal age

4 Community or collaboration asserted
Types of attributes Institutional Organizational Reassertion of Official attributes Temporal – geolocation, etc. Community or collaboration asserted Formal – Virtual organizations, groups Informal – reputation systems, FoF Self-asserted

5 Common Schema NIEM – National Information Exchange Model – eduPerson - Accessability schema - and

6 Eve Maler’s Attribute Assurance Matrix

7 Naming Oids vs URNs vs URLs vs URI’s vs Registering name spaces

8 Which attributes are PII?
Privacy Which attributes are PII? ePTID – opaque, non-correlating, but 1-1 IP address Which jurisdiction applies? IdP? SP? Nationality of user? Which require consent and for what purpose?

9 Authorization – Problem Statement
In a federated landscape, with scale in mind, groups more than identities control access But attributes may express, in addition or instead, a user's relationship with the authenticating organization, membership in groups, or possession of roles or entitlements that signify permission to access application resources. In such cases, authorization may be delegated or distributed to the authenticating organization, or even across additional organizations. This is a relatively common pattern when the authorization policy is simple (typically all or nothing) and applies to large numbers of users at multiple organizations. It is less common as policies become more complex and fine-grained.

10 Groups Local Groups User Identification
Provisioning (and Deprovisioning) Representation isMemberOf eduPersonEntitlement Groups with Federated Members Federated Groups Privacy Implications Visibility of members to other members Sharing groups across services

11 Of Entitlements and Attributes
In entitlements, SP community passes business logic to IdP’s, who compute authorization and pass entitlement To scale, must have common license terms SP’s need to be willing to expose business logic In attributes, IdP’s pass attributes to SP for authorization Raises privacy issues To scale, must have shared community attributes

12 Some key issues Which schema
Knowing which IdP to ask for which attributes, especially as we get into aggregation How to ask, e.g. over 18 Making values extensible, so that they can be tagged, like validation, date, terms of use

13 Attribute Release SP Asking vs. IdP Releasing
Specifying requirements (queries, metadata, policy files, web pages, etc.) Consent

14 Attribute aggregation
At the IdP Already doing internal aggregation Can arrange bulk feeds – e.g. IEEE member At the SP Already in the Shib code At an intermediate point Portals and gateways do this now Can greatly simplify trust

15 Use cases are legion and confusing
“Over legal age” Use cases are legion and confusing Legal age of the web site country Legal age of the IdP country Legal age of the identity holder’s country Authoritative sources and delegation Query languages

16 Complexity and Extensibility
Tagging within attribute vs use of metadata vs context Extensibility The ability to add new controlled values How much flat attribute proliferation can be managed through a structured data space? DRM of metadata

17 Principles of the Tao 属性之道
Least privilege/minimal release Using data “closest” to source of authority Late and dynamic bindings where possible Dynamic identity data increases in value the shorter the exposure.  If identity data is cached away from the source there is increased likelihood of staleness and over-exposure which can lead to privacy and data accuracy concerns.

18 Beyond the first horizon
LOA of attributes Specifying semantic rules Shifting from attribute values as text strings to rich signed data Terms of use Time limits etc

Download ppt "The Attribute and the ecosystem"

Similar presentations

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
User Authentication for Enterprise Applications November 16, 2005 Tom Board, NUIT.

User Authentication for Enterprise Applications November 16, 2005 Tom Board, NUIT.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
National libraries and identity in the Semantic Web Gordon Dunsire BNE, Madrid, 14 Dec 2011.

National libraries and identity in the Semantic Web Gordon Dunsire BNE, Madrid, 14 Dec 2011.
OCLC Online Computer Library Center A Global OpenURL Resolver Registry Phil Norman OCLC Dlsr4lib Workshop March 23 rd, 2006 Arlington VA.

OCLC Online Computer Library Center A Global OpenURL Resolver Registry Phil Norman OCLC Dlsr4lib Workshop March 23 rd, 2006 Arlington VA.
A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.

A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.
Pilot project proposal: AffiL Affiliated domain names for trust Dave Crocker Brandenburg InternetWorking bbiw.net

Pilot project proposal: AffiL Affiliated domain names for trust Dave Crocker Brandenburg InternetWorking bbiw.net
FIM-ig Federated Identity Management Interest Group.

FIM-ig Federated Identity Management Interest Group.
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
XP New Perspectives on XML Tutorial 4 1 XML Schema Tutorial – Carey ISBN 0-619- 10187-3 Working with Namespaces and Schemas.

XP New Perspectives on XML Tutorial 4 1 XML Schema Tutorial – Carey ISBN Working with Namespaces and Schemas.
Copyright 2006 Archistry Limited. All Rights Reserved. SOA Federated Identity Management How much do you really need? Andrew S. Townley Founder and Managing.

Copyright 2006 Archistry Limited. All Rights Reserved. SOA Federated Identity Management How much do you really need? Andrew S. Townley Founder and Managing.
Mairéad Martin The University of Tennessee September 13, 2015 Federated Digital Rights Management.

Mairéad Martin The University of Tennessee September 13, 2015 Federated Digital Rights Management.
Identity Management Report By Jean Carreon and Marlon Gonzales.

Identity Management Report By Jean Carreon and Marlon Gonzales.
Authorization Infrastructure, a Standards View Hal Lockhart OASIS.

Authorization Infrastructure, a Standards View Hal Lockhart OASIS.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

Similar presentations

Ads by Google