1 / 38

Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph. I2MM April 2006 Neil Witheridge MAMS Project Manager nwitheridge@melcoe.mq.edu.au http://federation.org.au/. Problem Statement. ARP Administration (ShARPE)

sgillis
Download Presentation

Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ShibbolethAttribute Release PolicyEditing ToolsShARPE and Autograph I2MM April 2006 Neil Witheridge MAMS Project Manager nwitheridge@melcoe.mq.edu.au http://federation.org.au/ META ACCESS MANAGEMENT SYSTEM

  2. Problem Statement • ARP Administration (ShARPE) • ARP administrators need a ‘zero effort’ approach to implementing an access agreement with a SP – setting up site and group ARPs to supply required attributes. • User Privacy Control (Autograph) • There is a ‘real world’ requirement for privacy management, for end-user control of release of privacy sensitive attributes. • A ‘zero-effort’ GUI interface is required. META ACCESS MANAGEMENT SYSTEM

  3. Evaluation Release • ShARPE and Autograph (version 0.7) released for evaluation purposes • Elicitation of ‘real world’ requirements • As Shibboleth stakeholders, IdP and SP administrators and users, do these tools satisfy your requirements for ARP management? • Feedback requested on usefulness and usability. META ACCESS MANAGEMENT SYSTEM

  4. (1) SAML Attribute Request + handle Protected Service IdP SP Attribute Authority Attribute Consumer Service (2) SAML Attribute Response ARPs AAP User Attributes Shibboleth Attribute Release Policy • Shibboleth provides for privacy control through Attribute Release Policies (ARPs) • Rules specifying which attributes may be released to a SP for IdP members in general, or for specific individuals • After user authentication & opaque handle delivery to SP META ACCESS MANAGEMENT SYSTEM

  5. Info Available To Protected App • Via HTTP header (standard header parameters) host = demo.federation.org.auuser-agent = Mozilla/5.0; accept = …; accept-encoding = …; accept-charset = Keep-Alive = 300 ; connection = keep-alivereferer = https://openidp.mams.org.au/shibboleth-idp/SSO ... cookie = … (Shibboleth specific parameters) Shib-Identity-Provider= urn:mace:federation.org.au:testfed:level-1:openidp.mams.org.auShib-Authentication-Method = urn:oasis:names:tc:SAML:1.0:am:unspecified(User Attributes)Shib-EP-UnscopedAffiliation = Staff;PhysicsShib-Person-nickname= Sue META ACCESS MANAGEMENT SYSTEM

  6. Attributes – IdP context • Key:Value pairs e.g. eduPersonAffiliation:Physics • User information stored within institutional directory e.g. LDAP • Directory schema determines available keys (attribute names) • Standardised schema e.g. person, organizationalPerson, inetOrgPerson, eduPerson… • Custom schema - institution specific dataCustom schema for elements that don't have a clear mapping to standard schemas META ACCESS MANAGEMENT SYSTEM

  7. Attributes – SP context • Received user attributes (in SAML assertion from IdP) are basis of access control • Service or service feature accessibility • Service Levels – not necessarily hierarchical • Potential for complex attribute-based access control • university, campus, role, discipline, course, year, group… • SP Attribute requirements must conform to standard schema or be mappable from IdP attribute schema META ACCESS MANAGEMENT SYSTEM

  8. Current Shib Federations • Current generation of Shib Federations • 1st generation ? • Simple approach to access control, attributes & attribute management • How will SPs use attributes as Federated IAM evolves ? • Greater use of user attributes for service differentiation • Increasing service complexity (service features) and demand for user attributes META ACCESS MANAGEMENT SYSTEM

  9. Emerging Federated Services • Institutional Repositories and CMSs • More fine-grained protection of resources based on user attributes • Virtual Organisations & GRID Services • Inter-organisational, national ->international collaboration • Virtual Librarian (MAMS service development) • Example MAMS Shibbolised Service • Needs relatively rich set of attributes META ACCESS MANAGEMENT SYSTEM

  10. Current ARP Management • SP attribute requirements agreed negotiated manually (not scalable) • Site and User ARPs, no Group ARPs • Lack of service information for users (what attributes are required, released, for what reason) • Lack of interface for user ARP control • User can’t access ARP files META ACCESS MANAGEMENT SYSTEM

  11. Shibboleth ARP Editing Tools • Provide a GUI-based editor to enable • ARP admins to implement access contracts • Users to manage their ARPs • Provide visibility to user of: • attributes required by services • attributes released to services • Service received in return for attributes • Enable users to change their ARPs hence exercise privacy control META ACCESS MANAGEMENT SYSTEM

  12. New features (In order to provide comprehensive GUI for creation of ARPs) • Group ARPs • Current Shibboleth supports site and user ARPs • Service Descriptions • Comprehensive information about SP’s service, service levels, attribute requirements • Attribute Mapping • Support for mapping between IdP and SP schemas META ACCESS MANAGEMENT SYSTEM

  13. ShARPE – ARP Administrator • ARP Admin • Import Service Description (Physics research database from Sandstone Uni) • Create site ARP (all communities get bronze access) • Create group ARP (Physics community gets gold access) META ACCESS MANAGEMENT SYSTEM

  14. META ACCESS MANAGEMENT SYSTEM

  15. SandstoneUniServiceDescription.xml META ACCESS MANAGEMENT SYSTEM

  16. arp.site.xml META ACCESS MANAGEMENT SYSTEM

  17. META ACCESS MANAGEMENT SYSTEM

  18. arp.group.Physics.xml META ACCESS MANAGEMENT SYSTEM

  19. Autograph – IdP Member • IdP member:Susannah Halmay, Physics staff member • View attributes released • Deny release of attributes required for Gold access META ACCESS MANAGEMENT SYSTEM

  20. META ACCESS MANAGEMENT SYSTEM

  21. META ACCESS MANAGEMENT SYSTEM

  22. arp.user.sue.xml META ACCESS MANAGEMENT SYSTEM

  23. Group ARPs • How will contracts be established between an IdP and SPs ? • Groups within institutions (IdPs) create agreements, maybe requiring subscription involving formal T&Cs and/or payment • Attribute release policy defined for the group • Appropriate static values (contract number) • Members attribute release policy by virtue of group membership META ACCESS MANAGEMENT SYSTEM

  24. Group Information sources • List of Groups & IdP member group membership information • Institutional Directory • Flat files • Responsibility for Group ARP Administration ? • Future: Grouper & Signet META ACCESS MANAGEMENT SYSTEM

  25. Service Descriptions • SP’s Service and Service Level descriptions and attribute requirements • Services may provide service-levels - different functionality - based on supplied attributes • e.g. for a institutional repository or publisher: read access, adding comments/rank/annotations, submit access… • Comprehensive Service Provider information needed by both admins and users for ‘sensible’ attribute management • ShARPE introduces ‘Service Description’ metadata to support ‘fully informative’ GUI META ACCESS MANAGEMENT SYSTEM

  26. Service Description Editor META ACCESS MANAGEMENT SYSTEM

  27. Service Description Editor META ACCESS MANAGEMENT SYSTEM

  28. Attribute Mapping • Requirement to map between IdP and SP schemas (standard/custom to standard/custom...) • Attribute mapping functions • One-to-One Mapping • Concatenation • Static Value assignment • Hashing (e.g. TargetedID) • Examples: • Simple: ‘email’ to ‘mail’, or ‘gender’ to ‘sex’ • Complex: creating targetedID (e.g. hash(concat(SPname, email))) META ACCESS MANAGEMENT SYSTEM

  29. Attribute Mapping GUI META ACCESS MANAGEMENT SYSTEM

  30. Evaluating ShARPE & Autograph • View Flash Demonstrationsviahttp://www.federation.org.au/twiki/bin/view/Federation/ShARPE • Experiment with Autograph using a pre-configured ‘openIdP’http://opensharpe.mams.org.au • Install your own evaluation IdP including ShARPE and Autograph NMI Edit software release 9 http://www.federation.org.au/software/Autograph_ShARPE-0.7.zip • MAMS’ Easy Installation IdP with ShARPEhttp://www.federation.org.au/software/installcd/ META ACCESS MANAGEMENT SYSTEM

  31. Evaluating ShARPE & Autograph (cont’d) • Install on top of existing IdPhttp://www.federation.org.au/software/Autograph_ShARPE-0.7.zip Qualifications: Attribute Mapping is optional functionality (can be disabled at installation). Attribute mapping is relatively complex and changes resolver file, not intended to be deployed on production systems. ShARPE and Autograph without attribute mapping only writes to ARPs. META ACCESS MANAGEMENT SYSTEM

  32. Thank you Questions ? META ACCESS MANAGEMENT SYSTEM

  33. WAYF Identity Provider Service Provider Secure identity management is a core business requirement Provide Services accessible via the web User Belongs to an organisation which manages her identity Want to focus on core business & avoid risks of managing users’ confidential info. Privacy concerns Shibboleth Architecture • Shibboleth Federation components META ACCESS MANAGEMENT SYSTEM

  34. Background: Shibboleth • Standards based (SAML) • Open source middleware • Provides Web Single Sign-On (SSO) across or within institutional boundaries • SSO using session cookies • Provides secure transfer of user attributes between user’s Identity Provider (IdP) and Service Providers (SPs) META ACCESS MANAGEMENT SYSTEM

  35. Group Information sources <ReleasePolicyEngine> <ArpRepository implementation= "au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.provider.MAMSFileSystemArpRepository"> <Path>file:/usr/local/shibboleth-idp/etc/arps/</Path> <GroupLookup implementation= "au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.AttributeResolverGroupLookup"> <ResolverConfig implementation= "edu.internet2.middleware.shibboleth.aa.attrresolv.MAMSAttributeResolver"> file:///usr/local/shibboleth-idp/etc/resolver.ldap.xml </ResolverConfig> <UserGroup>urn:mace:dir:attribute-def:eduPersonAffiliation</UserGroup> </GroupLookup> <GroupLookup implementation= "au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.PropertyFileGroupLookup“ separator="%PRINCIPAL%."> <PropertyFile>file:///usr/local/shibboleth-idp/etc/sample.grouplookup.properties</PropertyFile> <GroupListing>institutionalGroupList</GroupListing> <GroupListing>groupList</GroupListing> </GroupLookup> </ArpRepository> </ReleasePolicyEngine> META ACCESS MANAGEMENT SYSTEM

  36. Group Information sources • Example of group names in flat file debian> cd /usr/local/shibboleth-idp/etc debian > cat sample.grouplookup.properties #Sample group lookup using PropertyFileGroupLookup #this defines institutional-wide groups institutionalGroupList=Administrator, Staff, Researcher #an example of local groups groupList=Library, Physics, Biology, Walk-in #user based attributes specifying the groups #ann.eduPersonAffiliation=Researcher #staff.eduPersonAffiliation=Staff #librarian.eduPersonAffiliation=HeadOfSchool, Staff, Librarian> debian > META ACCESS MANAGEMENT SYSTEM

  37. Service Description Schema • The SD XML schema includes the following @attributes and elements: • Service Provider identifier, name, location, description, service-independent attributes • Service @identifier, name, description, location, reference, service-specific level-independent attributes • Service Level @identifier, name, description, reference, level-specific attributes META ACCESS MANAGEMENT SYSTEM

  38. Service Description Example <ServiceProvider …> <ServiceProviderIdentifier>urn:mace:federation.org.au:testfed:level-1:federation.org.au</ServiceProviderIdentifier> <ServiceProviderName xml:lang="en">Sandstone University</ServiceProviderName> <ServiceProviderLocation xml:lang="en">https://demo.federation.org.au</ServiceProviderLocation> <ServiceProviderDescription xml:lang="en">Online Services for Physics Researchers</ServiceProviderDescription> <Service identifier=“sandstoneuni:physicsdatabase"> <ServiceName xml:lang="en">Laser and Optical Physics Database</ServiceName> <ServiceDescription xml:lang="en">Data Generated by Physics Researchers</ServiceDescription> <ServiceLocation xml:lang="en">https://demo.federation.org.au/SharpeJSPDemo/demo.jsp</ServiceLocation> <ServiceLevel identifier="gold"> <ServiceLevelName xml:lang="en">Gold Access</ServiceLevelName> <ServiceLevelDescription xml:lang="en">Search, View, Query, Comment on Data</ServiceLevelDescription> <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation" FriendlyName="your affiliation" isRequired="true"/> <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonNickname" FriendlyName="your nickname" isRequired="true"/> <md:RequestedAttribute Name="urn:mace:dir:attribute-def:sn" FriendlyName="surname" isRequired="true"/> </ServiceLevel> <ServiceLevel identifier="silver">…</ServiceLevel> <ServiceLevel identifier="bronze">…</ServiceLevel> </Service> </ServiceProvider> META ACCESS MANAGEMENT SYSTEM

More Related