100 likes | 219 Views
Shibboleth Trust Model. Shibboleth/SAML Communities (aka Federated Administrations) Club Shib Club Shib Application process Policy decision points at the origin attribute authority at the club level, for target and origin at the target resource level
E N D
Shibboleth Trust Model • Shibboleth/SAML Communities (aka Federated Administrations) • Club Shib • Club Shib Application process • Policy decision points • at the origin attribute authority • at the club level, for target and origin • at the target resource level • Typical campus target management strategies
Shibboleth/SAML Communities(aka Clubs) • A group of organizations (universities, corporations, content providers, etc.) who agree to exchange attributes using the SAML/Shibboleth protocols. • In doing so they implicitly or explicitly agree to abide by a common set of by-laws. • The rules and functions associated with a community include: • A registry to process applications and distribute club • A URI that provides information on local authentication and authorization practices • A set of agreements or best practices within the group on policies and business rules governing the exchange and use of attributes. • The set of attributes that are regularly exchanged (syntax and semantics). • A mechanism (WAYF) to identify a user’s security domains
Club Shib • A co-op for higher education and its information providers • Members can be organizations that are origins (IdSP’s), targets (student loan services, content providers) or both (universities, museums, etc.) • Associated functions • Registry service to be operated by I2, and open to all.. • eduOrg pointer to campus account management practices • Conventions on the management of exchanged attributes • Attribute sets (eduPerson and eduOrg) to use to exchange attributes • WAYF done via Wayfarer service
Club Shib In-laws • Operational requirements • system PKI certificate profiles • install handle server at hs.yourschool.edu • etc • Trust conventions • targets don’t misuse attributes • origins answer faithfully • origins post their account management policies
Club Shib Registry service • Receives and processes applications • Operates Wayfarer (tm Jeff Hodges) • origin sites are listed • target sites can use • Insures uniqueness of key identifiers among community members • Houses PKI components of Shib • institutional signing keys • bridging if important
Club Shib Application Process • Complete origin/target Shibboleth tech info as required • Implement eduPerson and eduOrg? • Plug origins (campuses) into Wayfarer
Campus Account Practices • Account affiliations /authorizations are set appropriately • Initial identification/password assignment process for accounts • Authentication mechanisms for account use • Policy on the reuse of account names (ePPN) • Business logic for key attributes, as the need surfaces • “member of community” • primary affiliation
Target Policy Decision Points • the Club level (basic firewall level) • at the target resource level • at the origin attribute authority
Campus Management Strategies • Technical • SHAR for general Club Shib access • SHAR for more restricted sites (exclude origins with overly broad or sloppy practices) • Cluster sites with similar restrictions in a web tree • Policy • Account management • Directory and attribute management • Setting the defaults • Operating an attribute authority
Multiple Clubs and their consequence • Communities form clubs – Meteor, NDSL, Liberty • by-laws and membership committees • Within a club, members decide per-site policies that are consistent with the overall club policies and procedures • Balancing where and what to manage • Strength of I/A a repeated theme within and among clubs • User interface issues • attribute management • levels of authentication – logging in and out • A virtual Border Gateway Protocol (BGP)