AAI with simpleSAMLphp

Presentation on theme: "AAI with simpleSAMLphp"— Presentation transcript:

1 AAI with simpleSAMLphp
Marina Vermezović, Academic Network of Serbia (AMRES), EIFL

2 Content
  AAI and Federated Identity
  simpleSAMLphp
  Federation structures
  AMRES AAI deployment
Akademska mreža Srbije

6 Let's make a start point
If you want to: offer web services (e-books, e-magazines)
You need to: control access to those web services; make the services personalized for the user
How do you do this: authentication (who is your user?) and authorization (what can she do?)
AAI (Authentication and Authorization Infrastructure) makes access to protected services easier

7-11 Without AAI (diagram)
Faculty A and Library B: every service provider (wireless, videoconference, e-learning, student portal, e-books) performs its own authentication (Auth) and authorization (Autz) of users.

12-16 With AAI (diagram)
Faculty A and Library: one Identity Provider, backed by Identity Management, performs authentication (Auth); each service provider (wireless, videoconference, e-learning, student portal, e-books) keeps only authorization (Autz).


21 AAI Architecture and Roles (the three roles form a CIRCLE OF TRUST)
Federation operator:
  Defines the technologies used
  Admits IdPs and SPs to the federation and provides metadata
  Can provide some federation services centrally: discovery service, metadata management, SSO, SLO, consent, attribute handling
Identity Provider:
  Identity management
  Authentication
  Release of user attributes
  Preserving user privacy
Service Provider:
  Controls access to the resource
  Authorization
  Personalized user service

22 Decide on technology and software
De-facto standard in academic identity federations: SAML
Software:
  Shibboleth, created by Internet2 (U.S.): IdP in Java, needs Tomcat; SP in C++, an Apache module
  SimpleSAMLphp, created by UNINETT (Norway): both IdP and SP, written in PHP; explained in the rest of the presentation

23 SimpleSAMLphp: what are the key simpleSAMLphp functionalities?
Let's see what simpleSAMLphp can do, following the example of a user accessing a web service.

24 SP point of view - protect access
Allows access to the resource only to legitimate users

26 SP point of view - IdP Discovery
Before redirecting the user to her IdP, the SP needs to discover which IdP the user belongs to. With simpleSAMLphp you can:
  Implement a centralized discovery service run by the Federation Operator
  Use the built-in discovery service on the SP side; it works by displaying the IdP entries from metadata

27 IdP point of view - Authentication
The user is redirected to the IdP site, where she is asked to enter her username/password; this starts the authentication process.

28 IdP point of view - Authentication
When the IdP gets the username/password, it must authenticate the user against some database. Authentication methods that come with the simpleSAMLphp distribution: LDAP, SQL, RADIUS, a list of username/password pairs, OpenID, Facebook, Twitter, MySpace, LinkedIn, ... If you don't find your authentication source on the list, you can write a custom authentication module.
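Two of the listed authentication sources as they would be declared in simpleSAMLphp's config/authsources.php, added here as an example; this is not configuration from the presentation, from AMRES or from the simpleSAMLphp project. The source names, hostname, base DN, bind DN, password and the attribute name localAffiliation are assumptions.

```php
<?php
// config/authsources.php - added example, not from the presentation or the
// simpleSAMLphp project. Hostname, base DN, bind DN and password are placeholders.
$config = array(

    // LDAP authentication source; the hosted IdP metadata refers to it as
    // 'auth' => 'amres-ldap' (a name chosen for this example).
    'amres-ldap' => array(
        'ldap:LDAP',
        'hostname'          => 'ldap.example.org',
        // STARTTLS so the user's password never crosses the wire in clear text.
        'enable_tls'        => TRUE,
        'timeout'           => 10,
        // Attributes fetched from the directory after a successful bind.
        'attributes'        => array('uid', 'givenName', 'sn', 'mail', 'localAffiliation'),
        // Look the user up by uid with a service account, then bind as the user's
        // own DN with the supplied password to verify it.
        'search.enable'     => TRUE,
        'search.base'       => 'ou=people,dc=example,dc=org',
        'search.attributes' => array('uid'),
        'search.username'   => 'cn=simplesamlphp,ou=services,dc=example,dc=org',
        'search.password'   => 'SEARCH-PASSWORD-PLACEHOLDER',
    ),

    // Static username/password list, the "list of username/password" option on the slide.
    // Test use only: passwords sit in clear text in this file.
    'test-userpass' => array(
        'exampleauth:UserPass',
        'student1:STUDENT-PASSWORD-PLACEHOLDER' => array(
            'uid'              => array('student1'),
            'localAffiliation' => array('student'),
        ),
    ),
);
```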

29 IdP point of view - Identity Management
Regardless of which database user identities are stored in, it is important that the data about the user is correct. IdM: a set of procedures and rules which define:
  Who has the right to own a digital identity
  When a digital identity is assigned to a person
  How the digital identity is maintained
  How the digital identity is used
  How the digital identity is terminated
Must comply with national personal data protection law and the EU Data Protection Directive

30 IdP point of view - Attribute Release
After the user is authenticated, the IdP can release some attributes about the user to the SP. But some principles are important! General rules:
  Release only the attributes the SP really needs
  Release attributes using a pre-agreed syntax (schemas)
With simpleSAMLphp, the IdP can:
  Filter out a subset of the available attributes to send to an SP
  Modify the names or values of attributes
  Add new attributes
  Generate new attributes composed from other attributes

31 IdP point of view - Consent
Before attribute release, the IdP can ask the user for consent to release her data. This is very important from the perspective of national and international laws on the protection of user data. EU Data Protection Directive, Consent: data should not be disclosed without the data subject's consent. You can choose to offer the user to save his or her choice, and to allow the user to reset previously saved consent choices.

32 IdP point of view - Consent
A consent module is available in simpleSAMLphp

35 SP point of view - Attribute processing
Attributes help the SP to:
  Make authorization decisions: students and employees have different permissions
  Offer personalized services to users: the SP needs a persistent user ID so it can save the user's preferences
  Give the user some additional service: the SP needs the user's address to send notifications
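An IdP-side configuration that implements the attribute release rules and consent step from slides 30 to 32 and produces the persistent user identifier the SP needs on slide 35, added here as an example; it is not from the presentation, from AMRES or from the simpleSAMLphp project. The authentication source name, key file names, the scope example.org and the local attribute name localAffiliation are assumptions.

```php
<?php
// metadata/saml20-idp-hosted.php - added example, not from the presentation or the
// simpleSAMLphp project. Key files, the scope example.org and localAffiliation are placeholders.
$metadata['__DYNAMIC:1__'] = array(
    'host'        => '__DEFAULT__',
    'privatekey'  => 'idp.example.org.pem',
    'certificate' => 'idp.example.org.crt',
    // Authentication source defined in config/authsources.php (e.g. an ldap:LDAP entry).
    'auth'        => 'amres-ldap',
    // Authentication processing filters, run in ascending priority order after login.
    'authproc' => array(
        // Rename a local directory attribute to the federation's agreed schema name.
        20 => array(
            'class' => 'core:AttributeMap',
            'localAffiliation' => 'eduPersonAffiliation',
        ),
        // Add a static attribute that every user of this institution carries.
        30 => array(
            'class' => 'core:AttributeAdd',
            'schacHomeOrganization' => 'example.org',
        ),
        // Compose new attributes from existing ones.
        40 => array(
            'class' => 'core:PHP',
            'code'  => '
                $attributes["eduPersonPrincipalName"] = array($attributes["uid"][0] . "@example.org");
                $attributes["displayName"] = array($attributes["givenName"][0] . " " . $attributes["sn"][0]);
            ',
        ),
        // Persistent, SP-specific NameID: the SP can store preferences for a returning
        // user without learning her real username.
        50 => array(
            'class'     => 'saml:PersistentNameID',
            'attribute' => 'eduPersonPrincipalName',
        ),
        // Release only the attributes SPs really need; everything else is dropped.
        60 => array(
            'class' => 'core:AttributeLimit',
            'eduPersonPrincipalName', 'displayName', 'mail', 'eduPersonAffiliation',
        ),
        // Show the user what is about to be released and ask for consent; the choice can
        // be remembered in a cookie. Needs the consent module enabled (touch modules/consent/enable).
        90 => array(
            'class'   => 'consent:Consent',
            'store'   => 'consent:Cookie',
            'focus'   => 'yes',
            'checked' => TRUE,
        ),
    ),
);
```

The AttributeLimit filter is placed before Consent on purpose, so the consent page shows the user exactly the reduced set that will leave the IdP.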

36 Decide on a federation architecture
3 possibilities: full mesh, centralized, hub and spoke. Choosing one is very important, because the choice heavily depends on the state the institutions are in.

37-38 Full mesh (diagram)
Federation operator: discovery service, federation metadata
Institution A (and C): Identity Provider with authentication, attribute filtering, consent, SSO/SLO; identity management
Institution B (and D): Service Provider with discovery service, authorization

39-40 Hub and spoke (diagram)
Federation operator (the hub): discovery service, federation metadata, attribute filtering, consent, SSO/SLO
Institution A (and C): Identity Provider with authentication; identity management
Institution B (and D): Service Provider with discovery service, authorization

41-42 Centralized (diagram)
Federation operator: discovery service, federation metadata, Identity Provider with authentication, attribute filtering, consent, SSO/SLO
Institution A (and C): identity management only
Institution B (and D): Service Provider with discovery service, authorization

43 AMRES AAI
What was our start point:
  Institution administrators have less knowledge
  Institutions have different databases => no centralized federation
  No institution has its own SSO
We decided for:
  simpleSAMLphp
  Full mesh, made as lightweight as possible: metadata management tool, attribute release recommendations, ...

44 AMRES AAI
We have set up a test environment. Next steps:
  Make a hands-on workshop with a few chosen institutions, which will continue into the PILOT AAI
  Gain experience in the PILOT, evaluate the chosen solution, make changes if needed
  Start PRODUCTION, continue with workshops
  Get/deploy new user services which would attract institutions

45 Thank you for your attention
Questions? or write to

