SAML protected resources: the theory and practice of granularity

Shibboleth Development and Support Services
SAML Protected Resources: the theory and practice of granularity and management data
Ed Dee, EDINA
JIBS User Group, 16 June 2010

EDINA
• Service provider
– Digimap, Film & Sound Online, etc.
• Identity provider
– Various
• Federated Access
– SDSS Federation
– UKAMF: Metadata Management & Tech. Support

Where lies the guilt
Granularity and lack of management data from SAML protected resources
• Service providers: 50%
• Identity providers: 30%
• UK Access Management Federation: 10%
• User Community: 10%

SAML
• Security Assertion Markup Language
• Standard for exchanging authentication and authorisation information
• Identity Provider
• Service Provider

The Questions
Pussy cat, pussy cat, where have you been?
“I’ve been down to London to visit at the Queen.”
Pussy cat, pussy cat, what did you there?
“I frightened a little mouse under her chair.”

Shibboleth flow diagram

Technical stuff
Diagram: User, Identity Provider, Attribute Database, Federation Metadata, SAML Dialogue, Service Provider, Authorisation Database, Resource

SAML Dialogue
• Uninteresting (to us):
– Initiation/Termination
– Security
• Interesting (to us):
– Scope information: institution/service, ‘who are you’
– Attributes: user-specific information

Q1: Pussy cat, pussy cat, where have you been?
• From the IdP:
– What resources are being used
– Who is using them
• Shibb 2.x IdPs only
– Not outsourced IdPs
– Not non-Shibb IdPs
– Not Shibb 1.3 IdPs
  – EOSL date 30 June 2010

Q1: Pussy cat, pussy cat, where have you been?
• Shibb 2 IdP Audit log
  – Who (ePPN)
  – When (time stamp)
  – What (relying party id)
• https://spaces.internet2.edu/display/SHIB2/IdPLogging
Diagram: Audit Log(s), Attribute Database, Federation Metadata, Analysis Application, Access Reports
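As an added example (not part of the original slides or of the Shibboleth project), the following script turns the who/when/what fields of the Shibboleth 2 IdP audit log into a per-resource access report. The pipe-delimited field order is the documented IdP v2 audit layout; the log lines, the IdP and the two SPs are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

AUDIT_FIELDS = [  # field order of a Shibboleth 2 IdP audit record (pipe-delimited)
    "event_time", "request_binding", "request_id", "relying_party_id", "profile_id",
    "asserting_party_id", "response_binding", "response_id", "principal_name",
    "authn_method", "released_attributes", "name_id", "assertion_ids",
]

def parse_audit_line(line):
    """Parse one audit record into a dict; return None if it is malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < len(AUDIT_FIELDS):
        return None
    rec = dict(zip(AUDIT_FIELDS, parts))
    try:  # event time is UTC in the form 20100616T094501Z
        rec["event_time"] = datetime.strptime(rec["event_time"], "%Y%m%dT%H%M%SZ")
    except ValueError:
        return None
    # released attribute ids are comma-separated with a trailing comma
    rec["released_attributes"] = [a for a in rec["released_attributes"].split(",") if a]
    return rec

def access_report(lines):
    """Who / what / when: per relying party (SP), count logins, distinct users and days."""
    report = defaultdict(lambda: {"logins": 0, "users": set(), "days": set()})
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or not rec["principal_name"]:
            continue  # skip malformed records and events with no authenticated user
        entry = report[rec["relying_party_id"]]
        entry["logins"] += 1
        entry["users"].add(rec["principal_name"])
        entry["days"].add(rec["event_time"].date().isoformat())
    return dict(report)

# Constructed sample records for a fictional IdP and two fictional SPs.
_SSO, _IDP = "urn:mace:shibboleth:2.0:profiles:saml2:sso", "https://idp.example.ac.uk/idp/shibboleth"
_REDIRECT, _POST = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")
_PW = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
_ATTRS = "eduPersonScopedAffiliation,eduPersonTargetedID,"
DIGIMAP, JOURNALS = "https://digimap.example.ac.uk/shibboleth", "https://journals.example.org/shibboleth"
SAMPLE_AUDIT_LINES = [
    f"20100616T094501Z|{_REDIRECT}|_r1|{DIGIMAP}|{_SSO}|{_IDP}|{_POST}|_s1|alice|{_PW}|{_ATTRS}|_n1|_a1,|",
    f"20100616T101200Z|{_REDIRECT}|_r2|{DIGIMAP}|{_SSO}|{_IDP}|{_POST}|_s2|bob|{_PW}|{_ATTRS}|_n2|_a2,|",
    f"20100617T083000Z|{_REDIRECT}|_r3|{JOURNALS}|{_SSO}|{_IDP}|{_POST}|_s3|alice|{_PW}|{_ATTRS}|_n3|_a3,|",
    f"20100617T171500Z|{_REDIRECT}|_r4|{DIGIMAP}|{_SSO}|{_IDP}|{_POST}|_s4|alice|{_PW}|{_ATTRS}|_n4|_a4,|",
    "not an audit record",  # malformed line, dropped by the parser
]
```

Run `access_report(open("idp-audit.log"))` against a real audit file to get the same per-SP breakdown; the principal name is the IdP-side login, so map it to ePPN/department through the attribute database for departmental reports.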

Tools
• Project Raptor
– Software toolkit for reporting e-resource usage statistics
– Shibboleth 2 IdPs & EZproxy
– http://iam.cf.ac.uk/trac/RAPTOR
– JISC + Cardiff University + Kidderminster College
– V1.0 due Feb 2011

Q2: Pussy cat, pussy cat, what did you there?
Diagram: User, Identity Provider, Attribute Database, Attributes, Service Provider, Resource
• Cannot come from IdP
• Must come from SP
– What does the SP know about the user?

Attributes: eduPerson Object Class
– Core
  – Targeted ID
  – Principal name
  – [Scoped] Affiliation
  – Entitlement
– Other
  – Nick name
  – Org [Unit] DN
http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200604.html

Granularity: Core Attributes
– [Scoped] Affiliation
  – Scope
  – Member | {Staff | Student | Employee | Affiliate | Alum | library-walk-in}
– Entitlement
  – Service- and user-specific conditions
  • urn:mace:dir:entitlement:common-lib-terms

On Passing Attributes
Photo: Library of Virginia / Flickr

EDINA Digimap
– [Scoped] Affiliation
– Targeted ID
– Principal Name
– Title
– Given name
– Sn [surname]
– O [organisation]
– Ou [organisational unit]
– Mail
http://www.ukfederation.org.uk/content/Documents/AttributeUsage

Reality
Diagram: Identity Provider, Attribute Release Policy, Service Provider

Reality
• Most IdPs give out only:
– [Scoped] Affiliation
  – Organisational affiliation (ePSA)
  • SP cannot determine department etc.
  • ePSA often just member@xxx.ac.uk
– Targeted ID
  – Service-specific, opaque ID (ePTI)
  • SP cannot determine user
  • SP cannot correlate usage between services
• Many IdPs cannot handle entitlement
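As an added example serving both the "Granularity: Core Attributes" and "Reality" slides (it is not code from the slides or from the Shibboleth project), the following SP-side check shows what a service can and cannot decide from the minimal attribute set most IdPs release: a scoped affiliation yields the institution and an affiliation class, the targeted ID identifies the user only opaquely, and the common-lib-terms entitlement, when present, carries the licence decision. The scope list per IdP and the licensed-institution list are assumed inputs taken from federation metadata and the SP's own records; all values are constructed.

```python
from collections import namedtuple

COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"
EDUPERSON_AFFILIATIONS = {"member", "staff", "student", "employee", "faculty",
                          "affiliate", "alum", "library-walk-in"}
Decision = namedtuple("Decision", "allowed reason institution user_id")

def parse_scoped_affiliation(value, idp_scopes):
    """Split 'student@example.ac.uk' into (affiliation, scope). Returns None for an
    unknown affiliation or a scope the asserting IdP is not registered for."""
    affiliation, sep, scope = value.partition("@")
    affiliation, scope = affiliation.lower(), scope.lower()
    if not sep or affiliation not in EDUPERSON_AFFILIATIONS:
        return None
    if scope not in idp_scopes:
        return None  # an IdP may only assert affiliations for its own scopes
    return affiliation, scope

def authorise(attrs, idp_scopes, licensed_scopes,
              accepted=("member", "staff", "student", "employee", "faculty")):
    """Grant access on the common-lib-terms entitlement from a licensed institution,
    or on an accepted affiliation asserted for a licensed institution."""
    idp_scopes, licensed_scopes = set(idp_scopes), set(licensed_scopes)
    affiliations = [p for v in attrs.get("eduPersonScopedAffiliation", [])
                    if (p := parse_scoped_affiliation(v, idp_scopes))]
    # The scope tells the SP the institution; ePTI identifies the user only opaquely,
    # so department or person cannot be derived from this attribute set.
    institution = affiliations[0][1] if affiliations else None
    user_id = (attrs.get("eduPersonTargetedID") or [None])[0]
    if (COMMON_LIB_TERMS in attrs.get("eduPersonEntitlement", [])
            and idp_scopes & licensed_scopes):
        return Decision(True, "common-lib-terms entitlement", institution, user_id)
    for affiliation, scope in affiliations:
        if affiliation in accepted and scope in licensed_scopes:
            return Decision(True, f"{affiliation}@{scope} is licensed", institution, user_id)
    return Decision(False, "no entitlement and no accepted licensed affiliation",
                    institution, user_id)

# Constructed example: a fictional IdP registered in metadata for scope example.ac.uk,
# releasing the minimal set described above (ePSA + ePTI, no entitlement).
EXAMPLE_IDP_SCOPES = {"example.ac.uk"}
EXAMPLE_LICENSED = {"example.ac.uk"}
EXAMPLE_ATTRS = {"eduPersonScopedAffiliation": ["member@example.ac.uk"],
                 "eduPersonTargetedID": ["opaque-targeted-id-value"]}
```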

“No one really asks us much for ARP changes”
IdP administrator

Why?
• IdPs
– Fear of Data Protection legislation
– No inclination; no capabilities
– No SPs ask for it
• SPs
– Not available from IdPs
– No use for data

Stable Deadlock
IdPs get no requests, think all is well
Too hard to ask, so SPs don’t

What Do SPs Do?
• Personalisation
– Registration system
– Registration database
• Usage Statistics
– Merge logs and registration details
• EDINA Digimap
– Users / Status / Department

Attribute Release Progression
Diagram stages: Basic Attributes, Extended Attributes, Personal Attributes

Towards agreement
• Forums
– Small scale
– Application-area specific
– Agree what is desirable
– Agree what is possible
– Experiment, agree, deploy; do not theorise
• No top-down dictate

NESLi2
• JISC Statistics Portal
– Cranfield, Birmingham City University, MIMAS
– Database/journal/article level reporting
– Oct 2009 – Dec 2010
– "one-stop shop"
  – could go to view and download their own usage reports from NESLi2 publishers
– http://www.jusp.mimas.ac.uk/

Granularity & Management Data
• Technical capabilities exist
• “Natural restful inertia”: the problem is large
– UKAMF
  – 800+ members
  • 440+ SPs
  • 630+ IdPs
• User driven
• Tackle from the bottom up