Shibboleth Trust Model
• Shibboleth/SAML Communities (aka Tribes)
• Club Shib
• Club Shib Application form
Shibboleth/SAML Communities (aka Tribes)
• A group of organizations (universities, corporations, content providers, etc.) that agree to exchange attributes using the SAML/Shibboleth protocols.
• In doing so they implicitly or explicitly agree to abide by a common set of rules.
• The rules and functions associated with a tribe include:
  • A registry to process applications and administer operations
  • A set of best practices on associated technical issues, typically involving security and attribute management
  • A set of agreements or best practices on the policies and business rules governing the exchange and use of attributes
  • The syntax and semantics of the set of attributes that are regularly exchanged
  • A WAYF ("Where Are You From") service to direct users to the security domains of tribe members
Club Shib
• The coolest tribe... also the first and only one to date
• Members can be organizations that are origins (IdPs), targets (student loan services, content providers) or both (universities, museums, etc.)
• Associated functions:
  • Registry service to be operated by I2/Educause? But open to all
  • Best practices on authentication and identifiers
  • Best practices on the management of exchanged attributes
  • Attribute sets (eduPerson and eduOrg) as the exchanged attributes
  • WAYF done via the Wayfarer service
Club Shib Registry service
• Receives and processes applications
• Operates Wayfarer (tm Jeff Hodges)
  • Origin sites are listed
  • Target sites can use it
• Ensures uniqueness of key identifiers among tribal members
• Houses the PKI components of Shib
  • Institutional signing keys
  • Bridging, if needed
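As an added example (not from the slides, and not Shibboleth project code), the two registry functions on this slide that carry the trust model, modelled in Python: the registry refuses an application whose entityID or scope collides with an existing member, and a target uses the registry's answer to decide whether an origin may assert a given scoped eduPersonPrincipalName at all. The entity IDs, scopes, the certificate placeholder and the names `OriginRecord`, `Registry`, `try_register` and `accept_eppn` are all this example's own assumptions; the scope comparison is the kind of check a target performs against registry data rather than anything the slides specify.

```python
from dataclasses import dataclass


class RegistryError(ValueError):
    """Raised when an application would break a federation-wide invariant."""


@dataclass(frozen=True)
class OriginRecord:
    """One origin (IdP) as held by the registry. Field names are this example's own."""
    entity_id: str          # unique name of the origin within the tribe
    scopes: frozenset       # DNS-style scopes the origin may assert in scoped attributes (ePPN)
    signing_cert_pem: str   # institutional signing certificate (public half) lodged with the registry


class Registry:
    """Constructed stand-in for the Club Shib registry service (not the real one)."""

    def __init__(self):
        self._origins = {}      # entity_id -> OriginRecord
        self._scope_owner = {}  # lower-cased scope -> entity_id that owns it

    def register(self, rec):
        """Accept an application only if every key identifier is still unique."""
        if rec.entity_id in self._origins:
            raise RegistryError(f"entityID already registered: {rec.entity_id}")
        if not rec.scopes:
            raise RegistryError(f"{rec.entity_id}: an origin must claim at least one scope")
        if "-----BEGIN CERTIFICATE-----" not in rec.signing_cert_pem:
            raise RegistryError(f"{rec.entity_id}: no signing certificate supplied")
        wanted = {s.lower() for s in rec.scopes}   # DNS names compare case-insensitively
        for scope in wanted:
            owner = self._scope_owner.get(scope)
            if owner is not None:
                raise RegistryError(f"scope {scope} already owned by {owner}")
        # Every check passed: commit the record and its scopes together.
        self._origins[rec.entity_id] = rec
        for scope in wanted:
            self._scope_owner[scope] = rec.entity_id

    def lookup(self, entity_id):
        return self._origins.get(entity_id)

    def scope_owner(self, scope):
        return self._scope_owner.get(scope.lower())


def try_register(registry, rec):
    """Return None on success, or the registry's reason for refusing the application."""
    try:
        registry.register(rec)
    except RegistryError as err:
        return str(err)
    return None


def split_eppn(eppn):
    """Return (user, scope) for a scoped value such as 'jdoe@alpha.example.edu', else None."""
    if eppn.count("@") != 1:
        return None
    user, scope = eppn.split("@")
    if not user or not scope:
        return None
    return user, scope.lower()


def accept_eppn(registry, asserting_entity_id, eppn):
    """Target-side check: trust an ePPN only if the registry says its scope belongs
    to the origin that asserted it. An origin cannot mint identities in another
    member's scope, which is what the registry's uniqueness rule buys the tribe."""
    parts = split_eppn(eppn)
    if parts is None:
        return False
    if registry.lookup(asserting_entity_id) is None:
        return False                      # not a tribe member: no trust at all
    return registry.scope_owner(parts[1]) == asserting_entity_id


# Constructed sample data for the example; none of these are real federation members.
ALPHA = "https://idp.alpha.example.edu/shibboleth"
BETA = "https://idp.beta.example.edu/shibboleth"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----"


def build_demo_registry():
    reg = Registry()
    reg.register(OriginRecord(ALPHA, frozenset({"alpha.example.edu"}), FAKE_CERT))
    reg.register(OriginRecord(BETA, frozenset({"beta.example.edu", "med.beta.example.edu"}), FAKE_CERT))
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    # A second applicant claiming Alpha's scope is refused by the registry.
    print(try_register(reg, OriginRecord("https://idp.rogue.example/shibboleth",
                                         frozenset({"alpha.example.edu"}), FAKE_CERT)))
    # Alpha asserting one of its own users is accepted; asserting a Beta user is not.
    print(accept_eppn(reg, ALPHA, "jdoe@alpha.example.edu"))
    print(accept_eppn(reg, ALPHA, "jdoe@beta.example.edu"))
```

The point to take from the check is that a target never trusts the scope inside an attribute value on its own: it trusts the registry's record of who owns that scope, and the origin's signature only proves which member made the assertion. If the registry did not enforce uniqueness, two members could both legitimately sign `jdoe@alpha.example.edu` and the target would have no way to tell them apart.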
Club Shib Application Form
• Complete the origin/target Shibboleth technical information as required
• Agree to comply with the technical tribal RFC
• Agree to comply with the policy tribal RFC
• Implement eduPerson and eduOrg?
• Plug origins (campuses) into Wayfarer
• Signed by the institution's DNS (domain) administrator
Tech Tribal-RFC
• Must/should have non-clear-text local authentication, no group accounts, etc.
• eduPerson and eduOrg
• Is this Tech RFC a set of examples drawn from the members or a summary of best practices?
• http://middleware.internet2.edu/internet2-mi-best-practices-00.html (?)
Policy Tribal-RFC
• Received attribute information must be destroyed after use; no aggregation or re-use
• Should have a policy on directory management
• Must document reassignment/reuse policies for ePPN (eduPersonPrincipalName)
• Origins will provide a "member of the community" attribute to other club members; any other attributes to be exchanged are negotiated on a per-security-domain basis
• Is this Policy RFC a set of examples drawn from the members or a summary of best practices?
eduOrg possible attributes
• URL of campus authentication practices
• URL of campus policy on the reuse of ePPN and other identifiers
• List of current-semester course numbers