Shibboleth and uApprove at University of Michigan

Shibboleth and uApprove at
University of Michigan
Luke Tracy – [email protected]
Ken Hammer – [email protected]
What is uApprove?
• Developed by SWITCHaai under BSD License
• Purposes:
– For the user, mechanism to be informed about the release of
attributes to a Service Provider (SP).
– For the admin of an Identity Provider (IdP)
• Provides a tool to implement data protection laws by requiring
to obtain user consent before personal attributes are released
to a SP
• Allows for collection of information about the release of
attributes and accesses to SP (if configured to do so).
Source: on June 15, 2010.
What is uApprove?
• From the user's point of view, uApprove is an
application which presents a webpage, on which to
– accept or decline the Terms of Use of a Shibboleth Identity
Provider upon first access to the system (optional)
– globally accept the release of attributes to any/all Service
– accept the release of attributes upon first access to a given
Service Provider (if the global release has not been
Note: User can reset attribute release consent on a separate webpage,
such that he/she will be asked again, whenever attributes have to be
Source: on June 15, 2010.
U of M Attribute Release
• InCommon IdP had been operating in Pilot
– Opt-in required
– Temporarily provided means to approve the
release of identity data
• To move beyond Pilot
– Remove barriers
– Make more self-describing
Governance Board
• Investigated how others were handling privacy
concerns around attribute release
– Found common desire existed to be able to have individuals
approve the release of attributes
– Saw mention of uApprove being used within SWITCH
• Demonstrated uApprove to IDM Governance Board
– Liked it, but had issues with changes to data and privacy
settings after approval to release
– Looked into methods of detecting state changes and forcing
• Determined best method was to prompt each time
(until a more elegant solution was possible, maybe)
• Discussed with uApprove developers method for
forcing prompt every time
– Decided together that in short term, using database triggers
was optimal
User Visits Site and Selects Home
User Logs In Using Our Single Sign On
User is presented with the uApprove
If the user declines…
If the user approves…
uApprove configuration
• Can use a flat file or a mysql database for
• Can be disabled on a per-SP basis
• Can configure which attributes are displayed and in
what order
• Optional “Terms of Use” screen
• Multiple options for resetting preferences
Normally, uApprove looks like this…
• Presentation controlled
by .jsp templates
• Template text strings
stored separately to
make translation easy
U-M localizations
• Database trigger / cron job combination
to effect our desired login behavior
• Applied our SSO “skin” to the
• Changed text to better suit our audience
<resolver:AttributeDefinition id="displayName" xsi:type="Simple"
<resolver:Dependency ref="mcomm" />
<resolver:DisplayName xml:lang="en">Full Name</resolver:DisplayName>
<resolver:DisplayDescription xml:lang="en">
This is your full name.
• uApprove
• U-M InCommon Attribute Release Policy and
Procedure -
Related flashcards

Web colors

17 cards

Web design

34 cards

Web designers

34 cards

Create Flashcards