Implementing FAM

  1. Implementing FAM Coulsdon College

  2. The Background Very small Further Education college: 1300 students accessing around 8 online resources.

  3. Why Federated Access Management? “An opportunity to bring Athens authentication under the curriculum IT”
  COST
  • Hardware: minimal – a virtual server
  • Time: but we were going to have to do something radical anyway!
  • Expertise: we had it! and a Netskills course
  • Black box in the corner
  • Amount of support and documentation available – at least on Linux: https://spaces.internet2.edu/display/SHIB/WebHome

  4. The Setup
  • SUSE Linux Enterprise Server 10.1
  • Tomcat 5.0
  • Apache 2.2.3 (including mod_proxy_ajp)
  • Shibboleth IdP 1.3.3

  5. Next Steps
  • Join the UK Federation
  • Set up an SSL virtual host with standard self-generated certificates [or skip a stage and use the TestShib certificates]
  • Set up LDAP authentication in Apache
  • ProxyPass in the Apache config: ProxyPass /shibboleth-idp/ ajp://localhost:8009/shibboleth-idp/
  • Open ports 443 and 8443 in the firewall (443 for the browser-facing SSO endpoint, 8443 for the SP-to-IdP back channel used by the Attribute Authority).
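The Apache side of slide 5 (SSL virtual hosts, LDAP authentication, AJP proxy to Tomcat, ports 443 and 8443) as one httpd fragment. This is an added example, not configuration from the slides or from the college; the hostname, certificate paths, LDAP URL and directory layout are assumptions, and the LDAP and SSL modules are assumed to be loaded already.

```apache
# Added example for an Apache 2.2 front end to a Shibboleth 1.3 IdP.
# Hostname, paths and LDAP URL are assumed values, not the college's.
Listen 443
Listen 8443

# Port 443: browser-facing SSO endpoint. Apache authenticates the user against
# LDAP and hands REMOTE_USER to Tomcat over AJP, where the IdP uses it as the
# principal. Only the SSO handler is protected; the AA endpoint must stay open.
<VirtualHost *:443>
    ServerName idp.coulsdon.ac.uk
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/idp.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/idp.key

    <Location /shibboleth-idp/SSO>
        AuthType Basic
        AuthName "Coulsdon College Login"
        AuthBasicProvider ldap
        # assumed directory layout: people under ou=people, matched on cn
        AuthLDAPURL "ldap://ldap.coulsdon.ac.uk/ou=people,o=college?cn?sub?(objectClass=person)"
        Require valid-user
    </Location>

    ProxyPass /shibboleth-idp/ ajp://localhost:8009/shibboleth-idp/
</VirtualHost>

# Port 8443: back channel. SPs contact the Attribute Authority here and present
# their own certificate; optional_no_ca lets Apache export the client cert to
# the IdP, which validates it against federation metadata rather than a local CA.
<VirtualHost *:8443>
    ServerName idp.coulsdon.ac.uk
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/idp.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/idp.key
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars +ExportCertData

    ProxyPass /shibboleth-idp/ ajp://localhost:8009/shibboleth-idp/
</VirtualHost>
```

Two things worth checking after enabling this: that the SSO location really is the only one behind LDAP Basic auth (an AA endpoint behind Basic auth silently breaks attribute queries), and that Basic auth is never reachable over plain HTTP, since the password travels with every request and only TLS protects it.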

  6. Shibboleth
  • Download Shibboleth
  • Copy the endorsed directory to Tomcat's endorsed directory
  • Run ant from the install directory and fill in the paths
  • Restart Tomcat

  7. IdP Configuration 3 files: • idp.xml – describes your IdP • resolver.xml – generates attributes • arp.site.xml – Attribute Release Policy – decides which attributes to release to which SPs.

  8. IDP.XML <IdPConfig xmlns="urn:mace:shibboleth:idp:config:1.0" xmlns:cred="urn:mace:shibboleth:credentials:1.0" xmlns:name="urn:mace:shibboleth:namemapper:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:idp:config:1.0 ../schemas/shibboleth-idpconfig-1.0.xsd" AAUrl="https://idp.coulsdon.ac.uk/shibboleth-idp/testshib/AA" resolverConfig="file:/opt/shibboleth-idp/etc/resolver.ldap.xml" defaultRelyingParty="urn:mace:shibboleth:testshib" providerId="https://idp.coulsdon.ac.uk/shibboleth/testshib/idp"

  9. UK Federation Core Attributes Attributes are required by SPs for authorisation decisions. To facilitate interaction between IdPs and SPs, the UK Federation has defined a set of 4 core attributes (from the eduPerson schema):
  • eduPersonScopedAffiliation [student@coulsdon.ac.uk] – the user's relationship with the organisation
  • eduPersonTargetedID [pseudonym for personalisation] – persistent user pseudonym, distinct for each Service Provider
  • eduPersonPrincipalName [username@coulsdon.ac.uk] – persistent user identifier, consistent across different Service Providers. Not generally released.
  • eduPersonEntitlement – for asserting additional specific conditions that apply to a particular resource, e.g. medical students

  10. Resolver.xml <AttributeResolver xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:mace:shibboleth:resolver:1.0" xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0 shibboleth-resolver-1.0.xsd"> <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:employeeType"> <DataConnectorDependency requires="directory" /> </SimpleAttributeDefinition>

  11. eduPersonPrincipalName <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName" sourceName="cn" smartScope="coulsdon.ac.uk"> <DataConnectorDependency requires="directory"/> </SimpleAttributeDefinition>

  12. eduPersonTargetedID <PersistentIDAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonTargetedID" scope="coulsdon.ac.uk" sourceName="eduPersonPrincipalName"> <DataConnectorDependency requires="echo"/> <Salt>XXXXXXXXXXXXXXXXXXXXXXX</Salt> </PersistentIDAttributeDefinition>

  13. eduPersonScopedAffiliation First: eduPersonAffiliation
  <ScriptletAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <DataConnectorDependency requires="directory"/>
    <Scriptlet><![CDATA[
      Attributes attributes = dependencies.getConnectorResolution("directory");
      Attribute memberOf = attributes.get("groupmembership");
      // add values from directory
      String value = "none";
      boolean student = false;
      boolean staff = false;
      boolean member = false;
      for (int i = 0; memberOf != null && i < memberOf.size(); i++) {
          value = memberOf.get(i);
          if (value.indexOf("FAM_STUD") > 0) { student = true; }
          if (value.indexOf("FAM_STAFF") > 0) { staff = true; }
      }

  14. eduPersonScopedAffiliation First: eduPersonAffiliation – continued
      if (student) { resolverAttribute.addValue("student"); }
      if (staff) { resolverAttribute.addValue("staff"); }
      if (student || staff) { resolverAttribute.addValue("affiliate"); }
    ]]></Scriptlet>
  </ScriptletAttributeDefinition>
  Then: eduPersonScopedAffiliation
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" smartScope="coulsdon.ac.uk">
    <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
  </SimpleAttributeDefinition>

  15. Attribute Release Policy
  <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation"> <AnyValue release="permit" /> </Attribute>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"> <AnyValue release="permit" /> </Attribute>

  16. TestShib To test the initial implementation: http://testshib.org/

  17. Things I wish I'd known
  • Time
  • Log files
  • Directory listing
  • resolvertest – runs the attribute resolver for one user without going through a browser, so you can see which attributes resolve before involving an SP:
  $ export IDP_HOME=/usr/local/shibboleth-idp
  $ $IDP_HOME/bin/resolvertest --user=gridshib \
      --responder=https://idp.example.org/shibboleth \
      --resolverxml=file:///usr/local/shibboleth-idp/etc/resolver.xml
