
ShARPE & Autograph

ShARPE & Autograph. Managing Attribute Release in a Shibboleth Federation. Peter Schendzielorz Macquarie University’s E-Learning Centre of Excellence (MELCOE) peterhs@melcoe.mq.edu.au. Contents. Introduction to the MAMS project ShARPE Shibboleth Attribute Release Policy Editor Autograph.



Presentation Transcript


  1. ShARPE & Autograph Managing Attribute Release in a Shibboleth Federation Peter Schendzielorz Macquarie University’s E-Learning Centre of Excellence (MELCOE) peterhs@melcoe.mq.edu.au META ACCESS MANAGEMENT SYSTEM

  2. Contents
  • Introduction to the MAMS project
  • ShARPE – Shibboleth Attribute Release Policy Editor
  • Autograph

  3. The MAMS Project – Bringing inter-institutional identity management to Australian higher education ...

  4. Backing Australia’s Ability
  The Department of Education Services and Training (DEST) founded the Australian Research Information Infrastructure Committee (ARIIC) to guide the first round of projects:
  • Australian Digital Thesis (ADT)
  • Australian Partnership for Sustainable Repositories (APSR)
  • Australian Research Repositories Online to the World (ARROW)
  • Meta Access Management System (MAMS)
  FRODO (Federated Repositories of Digital Objects)

  5. About MAMS
  • http://mams.melcoe.mq.edu.au
  • Responsible for managing the Australian federation
  • Managed by James Dalziel and Erik Vullings
  • Hosted at Macquarie University, Sydney, Australia

  6. About our Federation
  • Name: MAMS Testbed Federation
  • Operator: MAMS (government funded); project hosted at Macquarie University, infrastructure hosted by AARNet
  • Members: higher education mainly, expanding to Grid & research; no guest access
  • Why join? Mini-grants for SPs (AUD$40,000)
  • Cost? Nothing currently

  7. About our Federation
  • WAYF: centralised, but customisable
  • Attributes: encouraging eduPerson adoption
  • VO: stay tuned tomorrow!
  • Disputes: targetedID, auditing
  • Scalable? Mechanisms for managing metadata

  8. MAMS Testbed Federation
  • Dec. 2005: Federation at federation.org.au
  • Level 1: test purposes, Easy Install (Knoppix) CD
  • Level 2: production quality, ~700,000 identities, 25% of HE universities
  • Level 3: as Level 2, incl. legal documents (TBD)
  • SPs available to all:
    • UQ: Fez (URL)
    • Griffith: Wiki, Gnomic database
    • US: Scott Cantor’s Shibboleth Wiki
    • Expected soon: Science-Direct from Reed-Elsevier
  • SPs available to some:
    • Murdoch & MQ: Online Librarian
    • QUT (for the ATN group): eGrad School

  9. Architecture View (diagram)
  • Service Provider: provides services to internal and external users via the web; wants to focus on core business and avoid the risks of managing users’ confidential information.
  • Identity Provider / Attribute Authority: manages and asserts (to trusted SPs) the user’s attributes securely; users have privacy concerns and want transparent but secure SSO.
  • Federation (hosted by AARNet): manages trust between parties; auditing.

  10. ShARPE & Autograph – What personal attributes am I willing to share with others in the federation…

  11. Who am I? Recall this… The SP uses the SAML handle to retrieve the user’s attributes (diagram: Service Provider, Identity Provider).

  12. Attribute Release Policies – When I visit an SP, how do I present myself? Three different “cards” for the same user (diagram):
  • Reference #123456, Staff at Macquarie Uni
  • John Smith, Staff at Macquarie Uni
  • John Smith, jsmith@mq.edu.au, Staff at Macquarie Uni, +61-(0)2-9850.9000, MQ

  13. Different cards open different doors – Attributes give access to Features – (diagram):
  • Reference #123456, Staff at Macquarie Uni: enables access to the repository
  • John Smith, Staff at Macquarie Uni: allows me to rank material
  • John Smith, jsmith@mq.edu.au, Staff at Macquarie Uni, +61-(0)2-9850.9000, MQ: allows me to add comments

  14. Key Features
  • Acts as a GUI to the backend XML files
  • Gives control to the IdP admin
  • Allows IdP management of access to SPs
  • Provides attribute mapping
  • Installation instructions: http://www.federation.org.au/twiki/bin/view/Federation/ShARPEInstall

  15. Privacy in the Federation (diagram): an IdP member’s set of attributes is held by the IdP in a database with sensitive private information (e.g. birthdate, phone, email, credit card number). SP1 CarRental: this Service Provider requires the givenName, surname and carLicense attributes for a car rental service.

  16. Privacy in the Federation (diagram, continued): the IdP’s ARP file governs what is released to SP1 CarRental and SP2 WeatherForecast. SP2 WeatherForecast: this Service Provider requires the givenName, surname and mobile attributes for an SMS thunderstorm warning service.

  17. Sample Site ARP File (screenshot; the file itself is not reproduced in the transcript)

  18. Group ARP (diagram): IdP members grouped as biologists and physicians; SP1 CarRental and SP2 WeatherForecast are covered by the site ARP, SP3 Physics database by group ARPs. Legend: site ARP, group ARPs.

  19. User ARP (diagram): the same SPs, with a user ARP added for an IdP member: “Never release mobile number.” Legend: site ARP, group ARPs, user ARPs.

  20. Precedence Rules for ARPs
  • If any of the applicable ARP rules deny the release of an attribute, it is not released.
  • Therefore the main rule is “deny overrides”.
  • E.g. the mobile number is released in the site ARP and blocked in the user ARP. Therefore, the user’s mobile number won’t be released.
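The “deny overrides” rule across site, group and user ARPs, as an added worked example (not ShARPE’s or Shibboleth’s own code): ARPs are modelled as plain Python objects rather than Shibboleth’s ARP XML, the SP and attribute names follow slides 15–19, and an attribute no rule mentions is treated as not released (an assumed default).

```python
from dataclasses import dataclass

PERMIT, DENY = "permit", "deny"
ANY_SP = "*"   # rule applies to every SP in the federation


@dataclass(frozen=True)
class Rule:
    target: str       # SP the rule applies to, or ANY_SP
    attribute: str    # attribute name, e.g. "mobile"
    effect: str       # PERMIT or DENY


@dataclass(frozen=True)
class Arp:
    kind: str         # "site", "group" or "user"
    rules: tuple


def applicable_rules(arps, sp, attribute):
    """Every rule, from every applicable ARP, that speaks to this SP/attribute."""
    return [r for arp in arps for r in arp.rules
            if r.attribute == attribute and r.target in (ANY_SP, sp)]


def is_released(arps, sp, attribute):
    """Deny overrides: released only if some rule permits and no rule denies.
    An attribute that no rule mentions is not released (assumed default deny)."""
    effects = {r.effect for r in applicable_rules(arps, sp, attribute)}
    return PERMIT in effects and DENY not in effects


def released_attributes(arps, sp, available):
    """Sorted names of the attributes the IdP would actually send to `sp`."""
    return sorted(a for a in available if is_released(arps, sp, a))


# Constructed ARPs following the slides: the site ARP releases what each SP
# asked for; the user ARP says "never release mobile number" to any SP.
SITE_ARP = Arp("site", (
    Rule("CarRental", "givenName", PERMIT),
    Rule("CarRental", "surname", PERMIT),
    Rule("CarRental", "carLicense", PERMIT),
    Rule("WeatherForecast", "givenName", PERMIT),
    Rule("WeatherForecast", "surname", PERMIT),
    Rule("WeatherForecast", "mobile", PERMIT),
))
USER_ARP = Arp("user", (Rule(ANY_SP, "mobile", DENY),))

# Constructed: everything the IdP holds about the user, including data no SP asked for.
USER_ATTRIBUTES = {"givenName", "surname", "carLicense", "mobile",
                   "birthdate", "creditCardNumber"}

if __name__ == "__main__":
    for sp in ("CarRental", "WeatherForecast"):
        print(sp, released_attributes([SITE_ARP, USER_ARP], sp, USER_ATTRIBUTES))
```

With only the site ARP, WeatherForecast receives the mobile number; once the user ARP is applied the deny wins, and attributes such as creditCardNumber are never released because no rule permits them.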

  21. ShARPE & Autograph (overview diagram): Autograph – Identity Management for the IdP member; ShARPE – ARP Management and Attribute mapping for the IdP admin.

  22. ShARPE – IdP admin – ARP Management (diagram): the IdP admin edits the ARP files that govern which SP attributes the IdP releases. Legend: site ARP, group ARPs.

  23. ARP Management (screenshot)

  24. ShARPE & Autograph (overview diagram repeated as a section divider: Autograph – Identity Management for the IdP member; ShARPE – ARP Management and Attribute mapping for the IdP admin).

  25. Autograph – Privacy: “I want to control the release of my attributes!” (diagram: IdP members, SP attributes, the IdP’s ARP files. Legend: site ARP, group ARPs, user ARP.)

  26. Privacy Management (diagram: IdP members use Autograph to manage the user ARPs among the IdP’s ARP files. Legend: site ARP, group ARPs, user ARPs.)

  27. Different cards open different doors – Services & Service Level –

  28. Different cards open different doors – Services & Service Level – (continued)

  29. Adding Personal Attributes – Other examples: accessibility info (colorblind, blind)

  30. DEMO: Autograph in the Shibboleth cycle, releasing your preferred language to the AuthN Federated Search SP, https://sp-afs.mams.org.au/afs/

  31. ShARPE & Autograph (overview diagram repeated as a section divider: Autograph – Identity Management for the IdP member; ShARPE – ARP Management and Attribute mapping for the IdP admin).

  32. ShARPE – IdP admin – Attribute Mapping (diagram): the IdP knows the attribute named ‘eduPersonAffiliation’, but the SP needs the attribute ‘community’; the IdP’s resolver and mapper translate between the two before the attributes are sent to the SP.

  33. ShARPE – attribute mapping (screenshot)

  34. Attribute Mapping
  • Useful for aligning data storage schemas
  • Can map eduPerson attributes using other source attributes
    • e.g. givenname → eduPersonNickname
  • Can combine attributes
    • e.g. givenname + sn → commonName
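The rename and combine mappings from slides 32 and 34, as an added example (not ShARPE’s mapper or any real resolver configuration): the `MAPPINGS` spec format and the multi-valued handling are assumptions made here, and the John Smith record is constructed from slide 12.

```python
# Constructed mapping spec: SP-facing target name -> source spec.
# A string renames one IdP attribute; a (sources, separator) pair combines several.
MAPPINGS = {
    "community":         "eduPersonAffiliation",    # IdP knows eduPersonAffiliation, SP needs community
    "eduPersonNickname": "givenname",               # givenname -> eduPersonNickname
    "commonName":        (("givenname", "sn"), " "),  # givenname + sn -> commonName
}


def map_attributes(source, mappings=MAPPINGS):
    """Build the SP-facing attribute set from the IdP's source attributes.

    Values are lists, since Shibboleth attributes may be multi-valued. A rename
    copies every value. A combination needs every source present and
    single-valued; otherwise the target is omitted rather than half-built,
    so a missing 'sn' never yields a commonName of just "John".
    Attributes with no mapping are not forwarded at all."""
    mapped = {}
    for target, spec in mappings.items():
        if isinstance(spec, str):                 # plain rename
            if spec in source:
                mapped[target] = list(source[spec])
            continue
        names, sep = spec                         # combination
        if all(len(source.get(n, [])) == 1 for n in names):
            mapped[target] = [sep.join(source[n][0] for n in names)]
    return mapped


# Constructed IdP record for the user on the slides (multi-valued affiliation).
JOHN = {
    "givenname": ["John"],
    "sn": ["Smith"],
    "mail": ["jsmith@mq.edu.au"],
    "eduPersonAffiliation": ["staff", "member"],
}

if __name__ == "__main__":
    print(map_attributes(JOHN))
```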

  35. Recap
  • Shibboleth with ShARPE manages:
    • Site Attribute Release Policies (ARP)
    • Group and User ARPs
    • Attribute Mapping
  • Autograph gives privacy control to the user
  • Different (sets of) attributes can open different doors → Service Levels

  36. ShARPE & Autograph – Managing Attribute Release in a Shibboleth Federation. http://www.federation.org.au/twiki/bin/view/Federation/ShARPEInstall Peter Schendzielorz, Macquarie University’s E-Learning Centre of Excellence (MELCOE), peterhs@melcoe.mq.edu.au
