Shibboleth Attribute Release Policy Editing Tools (ShARPE)
CAMP Shib, June 2006
Bruc Lee Liong, bliong@melcoe.mq.edu.au, http://federation.org.au
META ACCESS MANAGEMENT SYSTEM

Topics
• ShARPE & Autograph GUI
• SP Description Metadata
• Group ARP
• Attribute Mapping
• Policy Filter Chain

Part of MAMS IAM Suite (I really AM Sweet)
[Diagram: Autograph (privacy management, used by the IdP member) and ShARPE (ARP management, used by the IdP admin), linked through attribute mapping]

Context
[Diagram: attributes released from the IdP to the SP under the ARP; Autograph is associated with the user ARP, ShARPE with the site ARP, and the IdP admin with the group ARPs]

Shibboleth ARP Editor (ShARPE)
• Provide a GUI-based editor to enable
  • ARP admins to implement access contracts
  • Users to manage their ARPs
• Provide visibility to users of:
  • attributes required by services
  • attributes released to services
  • the service received in return for attributes
• Enable users to change their ARPs and hence exercise privacy control
• Helpdesk

New features
• ARP management GUI
• Group ARPs
  • Current Shibboleth supports only site and user ARPs
• Service Descriptions
  • Comprehensive information about an SP's service, service levels and attribute requirements
• Attribute Mapping
  • Support for mapping between IdP and SP schemas
• Policy-filter-chain extension

ShARPE – ARP Administrator
• ARP Admin
  • Import Service Description (Physics research database from Sandstone Uni) – if never imported before
  • Create site ARP (all communities get bronze access)
  • Create group ARP (Physics community gets gold access)

Service Descriptions
• SP's service and service-level descriptions and attribute requirements
• Services may provide service levels (different functionality) based on the supplied attributes
  • e.g. for an institutional repository or publisher: read access, adding comments/rank/annotations, submit access…
• Comprehensive Service Provider information is needed by both admins and users for 'sensible' attribute management
• ShARPE introduces 'Service Description' metadata to support a 'fully informative' GUI

Screenshot slides: SandstoneUniServiceDescription.xml; Service Description Editor (two slides); arp.site.xml; arp.group.Physics.xml; Autograph (two slides); arp.user.sue.xml

Group ARP
• Reason: different department admins want to manage their own users
• No modification to the original Shib code
• Extends the Shib ARP structure
• Uses a simplified flat group model (i.e. no hierarchical groups)
• Group information provided by a set of plugins: AttributeResolver (LDAP/DB/etc.), file, etc.
• Simplified API to allow extensions
• Released Attributes = processing (site ARP + group ARPs + user ARP)
• http://federation.org.au/twiki/bin/view/Federation/GroupLookup

Activating Group ARP

  <ReleasePolicyEngine>
    <ArpRepository implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.provider.MAMSFileSystemArpRepository">
      <Path>file:/usr/local/shibboleth-idp/etc/arps/</Path>
      <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.AttributeResolverGroupLookup">
        <ResolverConfig implementation="edu.internet2.middleware.shibboleth.aa.attrresolv.MAMSAttributeResolver">
          file:///usr/local/shibboleth-idp/etc/resolver.ldap.xml
        </ResolverConfig>
        <UserGroup>urn:mace:dir:attribute-def:eduPersonAffiliation</UserGroup>
      </GroupLookup>
      <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.PropertyFileGroupLookup" separator="%PRINCIPAL%.">
        <PropertyFile>file:///usr/local/shibboleth-idp/etc/sample.grouplookup.properties</PropertyFile>
        <GroupListing>institutionalGroupList</GroupListing>
        <GroupListing>groupList</GroupListing>
      </GroupLookup>
    </ArpRepository>
  </ReleasePolicyEngine>

Example of Group Info (FlatFile)
• sample.grouplookup.properties using PropertyFileGroupLookup

  # this defines institutional-wide groups
  institutionalGroupList = Administrator, Staff, Researcher
  # an example of local groups
  groupList = Library, Physics, Biology, Walk-in
  # user based attributes specifying the groups using 'memberOf'
  # ann.memberOf = Researcher
  # john.memberOf = Staff
  # joe.memberOf = HeadOfSchool, Staff, Librarian

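Added example, not ShARPE's own code: a parser for the flat-file group format above (keyed as "<principal>.memberOf", following separator="%PRINCIPAL%."), and the site ARP + group ARPs + user ARP combination from the Group ARP slide. It assumes ARPs reduce to (permit, deny) attribute sets with deny overriding permit, and that only groups named in a registered GroupListing count.

```python
# Added example, not ShARPE's own code: a PropertyFileGroupLookup-style parser
# and the "site ARP + group ARPs + user ARP" combination. ARPs are modelled as
# (permit, deny) sets and deny is assumed to override permit (a simplification).
from typing import Set, Tuple

# Constructed sample in the format of sample.grouplookup.properties
SAMPLE_PROPERTIES = """
# institution-wide groups
institutionalGroupList = Administrator, Staff, Researcher
# local groups
groupList = Library, Physics, Biology, Walk-in
ann.memberOf = Researcher, Physics
joe.memberOf = HeadOfSchool, Staff, Librarian
"""

def parse_properties(text):
    """Parse 'key = a, b, c' lines; lines starting with '#' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return props

def lookup_groups(props, principal, listings=("institutionalGroupList", "groupList"),
                  separator="%PRINCIPAL%."):
    """separator="%PRINCIPAL%." makes the key '<principal>.memberOf'; only groups
    named in a registered <GroupListing> count (assumed; unlisted names are dropped)."""
    known = {g for name in listings for g in props.get(name, [])}
    key = separator.replace("%PRINCIPAL%", principal) + "memberOf"
    return {g for g in props.get(key, []) if g in known}

ARP = Tuple[Set[str], Set[str]]  # (permitted attributes, denied attributes)

def released_attributes(site, group_arps, user, groups):
    """Released Attributes = processing(site ARP + group ARPs + user ARP)."""
    applicable = [site, user] + [group_arps[g] for g in groups if g in group_arps]
    permitted = set().union(*(p for p, _ in applicable))
    denied = set().union(*(d for _, d in applicable))
    return permitted - denied

SITE_ARP = ({"eduPersonAffiliation"}, set())                # bronze: everyone (constructed)
GROUP_ARPS = {"Physics": ({"mail", "displayName"}, set())}  # gold: Physics group (constructed)

def release_for(principal, user_arp):
    groups = lookup_groups(parse_properties(SAMPLE_PROPERTIES), principal)
    return released_attributes(SITE_ARP, GROUP_ARPS, user_arp, groups)
```

With this model a user ARP can only narrow what the site and group ARPs permit (here ann hides displayName), which is the privacy control the deck describes.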
Attribute Mapping
• Not all organisations use the same schemas for attributes, so mapping is needed
• Attribute mapping functions:
  • One-to-one mapping
  • Concatenation
  • Static value assignment
  • Hashing (e.g. TargetedID)
• Examples:
  • Simple: 'email' to 'mail', or 'gender' to 'sex'
  • Complex: creating targetedID (e.g. hash(concat(SPname, email)))

Attribute Mapping GUI (screenshot slide)

What's offered by AttributeResolver
• Rename (mail → email)
• Value mapping ("alumn" → "alumn", "alumni")
• Regex (e.g. changing to upper case)
• Formatted output
• Composite (A, B → "A B"); limited to attributes with the same number of rows
• Some others: StaticConnector, ScriptletAttributeDefinition, …
• All, with the exception of rename, are *newly* introduced in 1.3c

Shib implementation
• Scattered implementation, but simple as it revolves around resolver plugins
• No chaining (A → B → C, hence A = C)
• Some implementations are limited to certain conditions (i.e. cannot concatenate attributes of different lengths)
• The same map applies to all SPs; no differentiation or per-SP mapping

MAMS Attribute Mapping implementation
• Ability to concatenate attributes with different numbers of rows
• One entry point for all mapping entries: one mapping engine (CustomAttributeDefinition)
• Different maps loaded for different SPs
  • SP1 has mail → email
  • SP2 has fname + sn + '@nowhere.com' → e-mail
  • SP3 has …
• A general mapping can be provided (i.e. a default mapping from eduPerson2MySchema applicable to all SPs)

Attribute Mapping for SPa: X = X + Y
• Rename the existing entry of X to X' on the resolver
• Create a map entry on the resolver for X that depends on X' and Y
• Put X = X' + Y on SPa's map
• Put X = X' on default.mapper (for other SPs)

Processing attribute X
• A request comes in to resolve X for SPa
• X is registered to be handled by the mapper
• The Crosswalk for SPa is loaded
  • If no crosswalk is found, default.mapper is loaded
• All of X's dependencies are provided to the Crosswalk
• The map function tries to resolve X

Activating Attribute Mapping
• Done automatically by ShARPE when enabled

  <CustomAttributeDefinition id="X" class="au.edu.mq.melcoe.mams.sharpe.shib.aa.attrresolv.provider.CrosswalkAttributeDefinition">
    <AttributeDependency requires="idp:X"/>
    <AttributeDependency requires="Y"/>
  </CustomAttributeDefinition>
  <SimpleAttributeDefinition id="idp:X" sourceName="X">
    <DataConnectorDependency requires="echo"/>
  </SimpleAttributeDefinition>

Map file entry for SPa

  <Crosswalk …>
    <Map class="…" functionName="concat">
      <Attribute>X</Attribute>
      <MapValue>idp:X + Y</MapValue>
    </Map>
  </Crosswalk>

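Added example, not the MAMS CrosswalkAttributeDefinition: a minimal per-SP crosswalk that follows the "Processing attribute X" steps (load the SP's map, fall back to default.mapper, resolve from dependencies) with the rename, concat, static-value and hash functions listed on the slides, including row-wise concatenation of attributes with different numbers of rows. The tuple expression form, the SPname injection and the SHA-1 choice for the hash are this example's own assumptions.

```python
# Added example, not the MAMS CrosswalkAttributeDefinition: a minimal per-SP
# crosswalk with the mapping functions from the slides (rename, concat, static,
# hash). The expression form, SPname injection and SHA-1 are this example's own.
import hashlib
from itertools import zip_longest

def concat(args):
    # Row-wise concatenation of attributes with different numbers of rows:
    # single-valued operands (e.g. a literal) are broadcast, shorter ones padded.
    n = max(len(a) for a in args)
    cols = [a * n if len(a) == 1 else a for a in args]
    return ["".join(row) for row in zip_longest(*cols, fillvalue="")]

FUNCTIONS = {
    "rename": lambda args: list(args[0]),
    "static": lambda args: list(args[0]),
    "concat": concat,
    "hash": lambda args: [hashlib.sha1(v.encode()).hexdigest() for v in args[0]],
}

# Each entry stands for <Map functionName="..."><Attribute>X</Attribute><MapValue>...</MapValue>
# as (functionName, [operands]); an operand is an attribute name, a 'literal', or a nested entry.
MAPS = {
    "default.mapper": {
        "X": ("rename", ["idp:X"]),
        "email": ("rename", ["mail"]),
        "targetedID": ("hash", [("concat", ["SPname", "mail"])]),
    },
    "SPa": {"X": ("concat", ["idp:X", "Y"])},
    "SP2": {"e-mail": ("concat", ["fname", "sn", "'@nowhere.com'"])},
}

def evaluate(expr, attrs):
    if isinstance(expr, tuple):
        fn, operands = expr
        return FUNCTIONS[fn]([evaluate(o, attrs) for o in operands])
    if len(expr) > 1 and expr[0] == expr[-1] == "'":
        return [expr[1:-1]]                      # static value
    return list(attrs.get(expr, []))             # dependency supplied by the resolver

def resolve(attribute, sp, attrs, maps=MAPS):
    """Load the SP's crosswalk (default.mapper if none) and map one attribute."""
    crosswalk = maps.get(sp, maps["default.mapper"])
    if attribute not in crosswalk:
        return []                                # no map entry: nothing released
    deps = dict(attrs, SPname=[sp])              # assumed: SP name made available
    return evaluate(crosswalk[attribute], deps)

# Constructed resolver output for one user
SAMPLE_ATTRS = {"idp:X": ["a"], "Y": ["b"], "mail": ["ann@example.edu"], "fname": ["Ann"], "sn": ["Lee"]}
```

Because the SP name is folded into the hash, the same user yields a different targetedID at each SP, which is what stops SPs from correlating the user by that value.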
Future Works
• Privacy settings for coarse-grain release policy
• Hierarchical groups to implement the 'room in room' concept (if enough requests)
• Integration with Grouper & Signet for local management (currently planned for GroupManager and PrivilegeManager)
• Push Shib for the ability to register new attributes to the resolver for Attribute Mapping

Questions?
• Email: bliong@melcoe.mq.edu.au
• ShARPE @ http://federation.org.au/ShARPE
• MAMS @ http://mams.melcoe.mq.edu.au
• Experiment: http://opensharpe.federation.org.au
• Sharpe-users mailing list: http://federation.org.au/cgi-bin/mailman/listinfo
• MAMS' Easy Installation IdP with ShARPE: http://federation.org.au/software/installcd

Extra Slides

Shib ARP Management
• SP attribute requirements agreed/negotiated manually (not scalable)
• Site and User ARPs only, no Group ARPs
• Lack of service information for users (what attributes are required, released, and for what reason)
• Lack of an interface for user ARP control
• Users can't access ARP files

Design slides (diagrams): Group ARP; Attribute Mapping

Policy Filter Chaining
• Allows policies (ARPs) to be passed through a chain of filters prior to their final processing on the ArpEngine
• Allows selective processing of policies
  • i.e. when the user has attribute X set to Y, do not process group policy Z
• Used by Autograph to "find what attributes are affected by all policies without inclusion of the user ARP", or similar use cases
• http://federation.org.au/twiki/bin/view/Federation/PolicyFilter

Policy Filter
• Different types of Policy Filter, extensible design
  • Filter on different types of ARP
  • Filter on simple access control for the ARP (create, read, update, delete)
    • create is slightly difficult to enforce
• Combination of filters and chaining

Design slide (diagram): PolicyFilter

PolicyFilter Processing
• For each activity identified as create, read, update or delete on the policy:
  • Calls the registered PolicyFilters
  • Arp' = PolicyFilter(Arp)
  • The resultant policy is given back to the system
• All active policies to be used by the system are processed prior to being used

Activating PolicyFilter

  <ReleasePolicyEngine>
    <ArpRepository implementation="...provider.MAMSFileSystemArpRepository">
      <PolicyFilter implementation="..provider.PolicyTypeFilter">
        <PolicyType>sitePolicy</PolicyType>
        <PolicyType>userPolicy</PolicyType>
      </PolicyFilter>
      …

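Added example, not ShARPE's PolicyFilter API: a filter chain in the shape the three Policy Filter slides describe (Arp' = PolicyFilter(Arp), applied per create/read/update/delete activity), with a PolicyTypeFilter-style filter, the "attribute X set to Y, skip group policy Z" filter, a simple CRUD access filter, and the Autograph query for attributes affected by everything except the user ARP. The Policy record, the filter signature and the sample policies are this example's own constructions.

```python
# Added example, not ShARPE's PolicyFilter API: a chain of filters applied to the
# active policies before the ArpEngine uses them, i.e. Arp' = PolicyFilter(Arp).
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    ptype: str            # sitePolicy | groupPolicy | userPolicy
    permits: set = field(default_factory=set)

# A filter takes (action, user_attrs, policies) and returns the policies to keep.
def policy_type_filter(allowed):
    """Like PolicyTypeFilter with one <PolicyType> per allowed type."""
    return lambda action, user_attrs, policies: [p for p in policies if p.ptype in allowed]

def conditional_filter(attr, value, skip):
    """'When the user has attribute X set to Y, do not process group policy Z'."""
    def f(action, user_attrs, policies):
        if value in user_attrs.get(attr, []):
            return [p for p in policies if p.name != skip]
        return policies
    return f

def access_filter(allowed_actions):
    """Simple CRUD access control: drop policies whose type does not allow the action."""
    return lambda action, user_attrs, policies: [
        p for p in policies if action in allowed_actions.get(p.ptype, set())]

def run_chain(filters, action, user_attrs, policies):
    for flt in filters:                    # each filter sees the previous filter's output
        policies = flt(action, user_attrs, policies)
    return policies

def affected_attributes(filters, user_attrs, policies):
    """Autograph use case: attributes touched by all policies except the user ARP."""
    kept = run_chain([policy_type_filter({"sitePolicy", "groupPolicy"})] + filters,
                     "read", user_attrs, policies)
    return set().union(*(p.permits for p in kept)) if kept else set()

# Constructed policies
POLICIES = [Policy("site", "sitePolicy", {"eduPersonAffiliation"}),
            Policy("Physics", "groupPolicy", {"mail"}),
            Policy("Biology", "groupPolicy", {"cn"}),
            Policy("sue", "userPolicy", {"displayName"})]
```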