Shibboleth Development and Support Services
SAML Protected Resources
The theory and practice of granularity and management data
Ed Dee, EDINA
JIBS User Group, 16 June 2010
EDINA
• Service provider
– Digimap, Film & Sound Online, etc…
• Identity provider
– Various
• Federated Access
– SDSS Federation
– UKAMF: Metadata Management & Tech. Support
Where lies the guilt?
Pie chart of the blame shares (values on the slide, in legend order: 50%, 30%, 10%, 10%):
• Service providers
• Identity providers
• UK Access Management Federation
• User Community
Granularity and lack of management data from SAML protected resources
SAML
• Security Assertion Markup Language
• Standard for exchanging authentication and authorisation information
• Identity Provider
• Service Provider
The Questions
Pussy cat, pussy cat, where have you been? “I’ve been down to London to visit at the Queen.” Pussy cat, pussy cat, what did you there? “I frightened a little mouse under her chair.”
Shibboleth flow diagram
Technical stuff
Diagram: the User reaches the Resource through the Service Provider; the Service Provider and the Identity Provider hold the SAML dialogue; the Identity Provider draws on an Attribute Database, the Service Provider on an Authorisation Database, and both sides consult the Federation Metadata.
SAML Dialogue
• Uninteresting (to us):
– Initiation/Termination
– Security
• Interesting (to us):
– Scope information: institution/service, ‘who are you’
– Attributes: user-specific information
Q1: Pussy cat, pussy cat, where have you been?
• From the IdP:
– What resources are being used
– Who is using them
• Shibb 2.x IdPs only
– Not outsourced IdPs
– Not non-Shibb IdPs
– Not Shibb 1.3 IdPs (end of support life: 30 June 2010)
Q1: Pussy cat, pussy cat, where have you been? (continued)
• Shibb 2 IdP audit log records:
– Who (ePPN)
– When (time stamp)
– What (relying party ID)
• https://spaces.internet2.edu/display/SHIB2/IdPLogging
Diagram: an Analysis Application takes the Audit Log(s), the Federation Metadata and the Attribute Database and produces Access Reports.
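As an added example, not from the slides or from EDINA, here is a small Python parser for the Shibboleth 2.x IdP audit log that turns the who/when/what fields above into the access reports the diagram describes. The field order is the one documented on the IdPLogging page linked from the slide (assumed here; check it against your own idp-audit.log); the log lines, entity IDs, user names and salt are constructed. Because the log carries the real principal name, the example replaces it with a keyed hash before counting distinct users, so the report can leave the IdP without carrying usernames with it.

```python
# Added example (not from the slides): parse Shibboleth 2.x IdP audit log records
# into who/when/what and build simple access reports per relying party.
#
# Assumed field order (IdP 2.x audit log, as documented on the IdPLogging wiki page):
#   auditEventTime|requestBinding|requestId|relyingPartyId|messageProfileId|
#   assertingPartyId|responseBinding|responseId|principalName|authNMethod|
#   releasedAttributeId1,releasedAttributeId2,|nameIdentifier|assertion1ID,|
from collections import Counter, defaultdict
from datetime import datetime
import hashlib
import hmac

AUDIT_FIELDS = [
    "auditEventTime", "requestBinding", "requestId", "relyingPartyId",
    "messageProfileId", "assertingPartyId", "responseBinding", "responseId",
    "principalName", "authNMethod", "releasedAttributeIds", "nameIdentifier",
    "assertionIds",
]

# Constructed sample records: entity IDs, users and times are made up.
SAMPLE_LOG = """\
20100616T091501Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r1|https://digimap.sp.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a1|jbloggs|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,eduPersonTargetedID,|_n1|_s1,|
20100616T103322Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://digimap.sp.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a2|asmith|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,eduPersonTargetedID,|_n2|_s2,|
20100617T140005Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r3|https://digimap.sp.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a3|jbloggs|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,eduPersonTargetedID,|_n3|_s3,|
20100617T141200Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r4|https://filmsound.sp.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a4|jbloggs|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,|_n4|_s4,|
this line is not an audit record and must be skipped
"""


def parse_audit_line(line):
    """Return a dict of named fields, or None if the line is not a well-formed record."""
    parts = line.rstrip("\r\n").split("|")
    if parts and parts[-1] == "":          # every record ends with a trailing '|'
        parts = parts[:-1]
    if len(parts) != len(AUDIT_FIELDS):
        return None
    rec = dict(zip(AUDIT_FIELDS, parts))
    try:
        rec["when"] = datetime.strptime(rec["auditEventTime"], "%Y%m%dT%H%M%SZ")
    except ValueError:
        return None
    # Comma-separated, comma-terminated list of released attribute IDs.
    rec["releasedAttributeIds"] = [a for a in rec["releasedAttributeIds"].split(",") if a]
    return rec


def pseudonymise(principal, salt):
    """Keyed hash of the principal: lets reports count distinct users without
    carrying usernames off the IdP. Keep the salt secret and rotate it."""
    return hmac.new(salt, principal.encode(), hashlib.sha256).hexdigest()[:16]


def build_report(log_text, salt=b"constructed-report-salt"):
    """Aggregate an audit log into per-relying-party and per-day figures."""
    by_rp, by_day, skipped = Counter(), Counter(), 0
    users_by_rp, attrs_by_rp = defaultdict(set), defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        if rec is None:
            skipped += 1                    # never silently drop: count malformed lines
            continue
        rp = rec["relyingPartyId"]
        by_rp[rp] += 1
        by_day[rec["when"].date().isoformat()] += 1
        users_by_rp[rp].add(pseudonymise(rec["principalName"], salt))
        for attr in rec["releasedAttributeIds"]:
            attrs_by_rp[rp][attr] += 1
    return {
        "logins_by_rp": dict(by_rp),
        "distinct_users_by_rp": {rp: len(u) for rp, u in users_by_rp.items()},
        "logins_by_day": dict(by_day),
        "attributes_released_by_rp": {rp: dict(c) for rp, c in attrs_by_rp.items()},
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    for key, value in build_report(SAMPLE_LOG).items():
        print(key, value)
```

The relying party ID is the SP's entity ID; joining it against federation metadata (the slide's third input) turns it into a human-readable service name for the report. Note the audit log names the local principal, not necessarily the ePPN the slide mentions; the two coincide only if the IdP derives ePPN from the login name.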
Tools
• Project Raptor
– Software toolkit for reporting e-resource usage statistics
– Shibboleth 2 IdPs & EZproxy
– http://iam.cf.ac.uk/trac/RAPTOR
– JISC + Cardiff University + Kidderminster College
– V1.0 due Feb 2011
Q2: Pussy cat, pussy cat, what did you there?
• Cannot come from the IdP
• Must come from the SP
– What does the SP know about the user?
Diagram: User, Service Provider and Resource on one side; Identity Provider and Attribute Database on the other, with Attributes passing from the Identity Provider to the Service Provider.
Attributes: eduPerson object class
– Core: Targeted ID, Principal name, [Scoped] Affiliation, Entitlement
– Other: Nick name, Org [Unit] DN
http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200604.html
Granularity: Core Attributes
– [Scoped] Affiliation: affiliation@scope
Affiliation: member | {staff | student | employee | affiliate | alum | library-walk-in}
– Entitlement
Service- and user-specific conditions
• urn:mace:dir:entitlement:common-lib-terms
On Passing Attributes
Photo: Library of Virginia / Flickr
EDINA Digimap
– [Scoped] Affiliation
– Targeted ID
– Principal Name
– Title
– Givenname
– Sn [surname]
– O [organisation]
– Ou [organisational unit]
http://www.ukfederation.org.uk/content/Documents/AttributeUsage
Reality
Diagram: Identity Provider → Attribute Release Policy → Service Provider
Reality (continued)
• Most IdPs give out only:
– [Scoped] Affiliation: organisational affiliation (ePSA)
• SP cannot determine department etc.
• ePSA often just [email protected]
– Targeted ID: service-specific, opaque ID (ePTI)
• SP cannot determine the user
• SP cannot correlate usage between services
• Many IdPs cannot handle entitlement
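As an added example, not from the slides or from EDINA, here is what a Service Provider can actually do with the two attributes the slide says most IdPs release, eduPersonScopedAffiliation (ePSA) and eduPersonTargetedID (ePTI), plus the common-lib-terms entitlement quoted on the granularity slide. It also makes two points the slides leave implicit: a scoped value is only trustworthy after its scope has been checked against what the federation metadata registers for the asserting IdP (the Shibboleth SP does this check; an SP rolling its own must too), and ePTI is opaque by construction, so usage cannot be joined across services. All entity IDs, scopes and salts are made up; the scope table stands in for the metadata `<shibmd:Scope>` elements, and the targeted ID construction is modelled on the IdP 2 computedId formula, which is an assumption here.

```python
# Added example (not from the slides): SP-side handling of the attributes most IdPs
# release, with the scope check a scoped attribute needs before it is trusted.
import base64
import hashlib

# Assumed stand-in for the <shibmd:Scope> elements the SP loads from federation
# metadata: the scopes each IdP is registered to assert. A value whose scope is not
# in this table is dropped, otherwise any IdP could claim member@some-other-university.
METADATA_SCOPES = {
    "https://idp.example.ac.uk/idp/shibboleth": {"example.ac.uk"},
    "https://idp.other.ac.uk/idp/shibboleth": {"other.ac.uk"},
}
# Controlled vocabulary from the eduPerson specification (the slide lists all but faculty).
AFFILIATIONS = {"member", "staff", "student", "employee", "affiliate", "alum",
                "library-walk-in", "faculty"}
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"


def parse_scoped_affiliation(value, asserting_idp):
    """Split 'affiliation@scope' and validate both halves; None if either is unacceptable."""
    if value.count("@") != 1:
        return None
    affiliation, scope = (part.strip().lower() for part in value.split("@"))
    if affiliation not in AFFILIATIONS:
        return None
    if scope not in METADATA_SCOPES.get(asserting_idp, set()):
        return None                       # scope not registered for this IdP in metadata
    return affiliation, scope


def authorise(attrs, asserting_idp, allowed=("member", "staff", "student")):
    """Access decision plus the management data the SP can legitimately record.

    attrs: released attributes as {name: [values]}. Returns (granted, reason, learned).
    """
    learned = {}
    granted, reason = False, "no usable attribute released"
    for value in attrs.get("eduPersonScopedAffiliation", []):
        parsed = parse_scoped_affiliation(value, asserting_idp)
        if parsed is None:
            continue
        affiliation, scope = parsed
        learned.setdefault("affiliations", []).append(affiliation)
        learned["institution"] = scope    # institution level only: no department, no person
        if not granted and affiliation in allowed:
            granted, reason = True, "eduPersonScopedAffiliation " + value
    if COMMON_LIB_TERMS in attrs.get("eduPersonEntitlement", []):
        learned["entitlement"] = COMMON_LIB_TERMS
        if not granted:
            granted, reason = True, "eduPersonEntitlement common-lib-terms"
    if attrs.get("eduPersonTargetedID"):
        # Stable per-SP key for personalisation and usage counts, but opaque: it names
        # nobody and differs at every other SP, so cross-service correlation is impossible.
        learned["user_key"] = attrs["eduPersonTargetedID"][0]
    return granted, reason, learned


def targeted_id(principal, sp_entity_id, salt):
    """Opaque per-SP identifier, modelled on the IdP 2 computedId connector
    (assumed formula: base64(SHA-1(relyingPartyId + '!' + principal + '!' + salt))).
    Shown only to make the opacity concrete; the SP never sees principal or salt."""
    digest = hashlib.sha1(f"{sp_entity_id}!{principal}!{salt}".encode()).digest()
    return base64.b64encode(digest).decode()


if __name__ == "__main__":
    idp = "https://idp.example.ac.uk/idp/shibboleth"
    sp = "https://digimap.sp.example.org/shibboleth"
    print(authorise({"eduPersonScopedAffiliation": ["member@example.ac.uk"],
                     "eduPersonTargetedID": [targeted_id("jbloggs", sp, "idp-salt")]}, idp))
    print(authorise({"eduPersonScopedAffiliation": ["staff@other.ac.uk"]}, idp))
```

The `learned` dictionary is the whole of the management data such an SP can derive from a typical release: institution, affiliation class and an opaque per-service key. Anything finer (department, named user) has to come from the SP's own registration database, which is what the later slides describe SPs doing.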
“No one really asks us much for ARP changes” (IdP administrator)
Why?
• IdPs
– Fear of Data Protection legislation
– No inclination; No capabilities
– No SPs ask for it
• SPs
– Not available from IdPs
– No use for data
Stable Deadlock
Too hard to ask, so SPs don’t.
IdPs get no requests, think all is well.
What Do SPs Do
• Personalisation
– Registration system
– Registration database
• Usage Statistics
– Merge logs and registration details
• EDINA Digimap
– Users / Status / Department
Attribute Release Progression
Basic Attributes → Extended Attributes → Personal Attributes
Towards agreement
• Forums
– Small scale
– Application-area specific
– Agree what is desirable
– Agree what is possible
– Experiment, agree, deploy, not theorise:
• No Top-down Dictate
NESLi2
• JISC Statistics Portal
– Cranfield, Birmingham City University, MIMAS
– Database/Journal/article level reporting
– Oct 2009 – Dec 2010
– "one-stop shop"
could go to view and download their own usage reports from NESLi2 publishers
– http://www.jusp.mimas.ac.uk/
Granularity & Management Data
• Technical capabilities exist
• “Natural restful inertia”: the problem is large
– UKAMF: 800+ members
• 440+ SPs
• 630+ IdPs
• User driven
• Tackle from the bottom up