

  • Number of slides: 38

Slide 1: Shibboleth Attribute Release Policy Editing Tools: ShARPE and Autograph
I2MM, April 2006
Neil Witheridge, MAMS Project Manager, nwitheridge@melcoe.mq.edu.au
http://federation.org.au/
META ACCESS MANAGEMENT SYSTEM

Slide 2: Problem Statement
• ARP Administration (ShARPE)
  • ARP administrators need a 'zero effort' approach to implementing an access agreement with an SP: setting up site and group ARPs to supply the required attributes.
• User Privacy Control (Autograph)
  • There is a 'real world' requirement for privacy management, for end-user control of the release of privacy-sensitive attributes.
  • A 'zero-effort' GUI interface is required.

Slide 3: Evaluation Release
• ShARPE and Autograph (version 0.7) released for evaluation purposes
• Elicitation of 'real world' requirements
  • As Shibboleth stakeholders (IdP and SP administrators and users), do these tools satisfy your requirements for ARP management?
  • Feedback requested on usefulness and usability.

Slide 4: Shibboleth Attribute Release Policy
• Shibboleth provides for privacy control through Attribute Release Policies (ARPs)
• Rules specifying which attributes may be released to an SP, for IdP members in general or for specific individuals
• After user authentication and opaque handle delivery to the SP (diagram):
  (1) SAML Attribute Request + handle: SP Attribute Consumer Service -> IdP Attribute Authority, which consults the User Attributes and the ARPs
  (2) SAML Attribute Response: IdP Attribute Authority -> SP, filtered by the SP's AAP and passed to the Protected Service

Slide 5: Info Available To Protected App
• Via HTTP header
  (standard header parameters)
  host = demo.federation.org.au
  user-agent = Mozilla/5.0; accept = …; accept-encoding = …; accept-charset =
  Keep-Alive = 300; connection = keep-alive
  referer = https://openidp.mams.org.au/shibboleth-idp/SSO...
  cookie = …
  (Shibboleth specific parameters)
  Shib-Identity-Provider = urn:mace:federation.org.au:testfed:level-1:openidp.mams.org.au
  Shib-Authentication-Method = urn:oasis:names:tc:SAML:1.0:am:unspecified
  (User Attributes)
  Shib-EP-UnscopedAffiliation = Staff; Physics
  Shib-Person-nickname = Sue

Slide 6: Attributes – IdP context
• Key: Value pairs, e.g. eduPersonAffiliation: Physics
• User information stored within the institutional directory, e.g. LDAP
• Directory schema determines the available keys (attribute names)
  • Standardised schema, e.g. person, organizationalPerson, inetOrgPerson, eduPerson…
  • Custom schema: institution-specific data; custom schema for elements that don't have a clear mapping to standard schemas

Slide 7: Attributes – SP context
• Received user attributes (in the SAML assertion from the IdP) are the basis of access control
• Potential for complex attribute-based access control
  • Service or service feature accessibility
  • Service levels, not necessarily hierarchical: university, campus, role, discipline, course, year, group…
• SP attribute requirements must conform to a standard schema or be mappable from the IdP attribute schema

Slide 8: Current Shib Federations
• Current generation of Shib Federations: 1st generation?
  • Simple approach to access control, attributes & attribute management
• How will SPs use attributes as Federated IAM evolves?
  • Greater use of user attributes for service differentiation
  • Increasing service complexity (service features) and demand for user attributes

Slide 9: Emerging Federated Services
• Institutional Repositories and CMSs
  • More fine-grained protection of resources based on user attributes
• Virtual Organisations & GRID Services
  • Inter-organisational, national -> international collaboration
• Virtual Librarian (MAMS service development)
  • Example MAMS Shibbolised service
  • Needs a relatively rich set of attributes

Slide 10: Current ARP Management
• SP attribute requirements agreed/negotiated manually (not scalable)
• Site and User ARPs, no Group ARPs
• Lack of service information for users (what attributes are required, released, for what reason)
• Lack of interface for user ARP control
  • User can't access ARP files

Slide 11: Shibboleth ARP Editing Tools
• Provide a GUI-based editor to enable
  • ARP admins to implement access contracts
  • Users to manage their ARPs
• Provide visibility to the user of:
  • attributes required by services
  • attributes released to services
  • service received in return for attributes
• Enable users to change their ARPs, hence exercise privacy control

Slide 12: New features (in order to provide a comprehensive GUI for creation of ARPs)
• Group ARPs
  • Current Shibboleth supports site and user ARPs
• Service Descriptions
  • Comprehensive information about the SP's service, service levels, attribute requirements
• Attribute Mapping
  • Support for mapping between IdP and SP schemas

Slide 13: ShARPE – ARP Administrator
• ARP Admin
  • Import Service Description (Physics research database from Sandstone Uni)
  • Create site ARP (all communities get bronze access)
  • Create group ARP (Physics community gets gold access)

Slide 14: (screenshot, no text)

Slide 15: SandstoneUniServiceDescription.xml (screenshot)

Slide 16: arp.site.xml (screenshot)

Slide 17: (screenshot, no text)

Slide 18: arp.group.Physics.xml (screenshot)

Slide 19: Autograph – IdP Member
• IdP member: Susannah Halmay, Physics staff member
  • View attributes released
  • Deny release of attributes required for Gold access

Slide 20: (screenshot, no text)

Slide 21: (screenshot, no text)

Slide 22: arp.user.sue.xml (screenshot)

Slide 23: Group ARPs
How will contracts be established between an IdP and SPs?
• Groups within institutions (IdPs) create agreements, maybe requiring subscription involving formal T&Cs and/or payment
• Attribute release policy defined for the group
  • Appropriate static values (contract number)
• Members' attribute release policy by virtue of group membership
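The site, group and user ARPs of the walkthrough (arp.site.xml, arp.group.Physics.xml, arp.user.sue.xml) combined in an added Python model; this is illustrative code, not ShARPE or the Shibboleth IdP engine. It assumes, as in Shibboleth 1.x, that the rules of every applicable ARP are unioned and that any deny for an attribute overrides any permit; the attribute sets behind bronze and gold access are constructed, since the slides do not list them.

```python
from dataclasses import dataclass, field


@dataclass
class ArpRule:
    target: str                              # SP the rule applies to, or "*" for any SP
    permit: set = field(default_factory=set)
    deny: set = field(default_factory=set)


# Constructed policies mirroring the deck's walkthrough (attribute names are assumptions)
SP = "urn:mace:federation.org.au:testfed:level1:federation.org.au"   # Sandstone Uni
BRONZE = {"eduPersonAffiliation"}                    # assumed bronze-level requirement
GOLD = {"mail", "eduPersonPrincipalName"}            # assumed extra gold-level requirement

SITE_ARP = [ArpRule(SP, permit=BRONZE)]                 # arp.site.xml: every IdP member
GROUP_ARPS = {"Physics": [ArpRule(SP, permit=GOLD)]}    # arp.group.Physics.xml
USER_ARPS = {"sue": [ArpRule(SP, deny=GOLD)]}           # arp.user.sue.xml, set via Autograph


def applicable_rules(user, groups):
    """Site ARP, then the ARP of each group the user belongs to, then the user's own ARP."""
    rules = list(SITE_ARP)
    for g in groups:
        rules.extend(GROUP_ARPS.get(g, []))
    rules.extend(USER_ARPS.get(user, []))
    return rules


def effective_release(user, groups, sp, attrs):
    """Attributes of `attrs` released to `sp`: permitted by some rule and denied by none."""
    permitted, denied = set(), set()
    for r in applicable_rules(user, groups):
        if r.target in ("*", sp):
            permitted |= r.permit
            denied |= r.deny
    return {a for a in attrs if a in permitted and a not in denied}


def service_level(released):
    """The access level the SP can grant from the attributes it actually received."""
    if BRONZE | GOLD <= released:
        return "gold"
    if BRONZE <= released:
        return "bronze"
    return "none"


if __name__ == "__main__":
    sue = {"eduPersonAffiliation", "mail", "eduPersonPrincipalName", "displayName"}
    # Sue is in Physics, but her user ARP denies the gold attributes: she drops to bronze
    print(service_level(effective_release("sue", ["Staff", "Physics"], SP, sue)))  # bronze
```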

Slide 24: Group Information sources
• List of Groups & IdP member group membership information
  • Institutional Directory
  • Flat files
• Responsibility for Group ARP Administration?
• Future: Grouper & Signet

Slide 25: Service Descriptions
• SP's Service and Service Level descriptions and attribute requirements
  • Services may provide service levels (different functionality) based on the supplied attributes, e.g. for an institutional repository or publisher: read access, adding comments/rank/annotations, submit access…
• Comprehensive Service Provider information is needed by both admins and users for 'sensible' attribute management
• ShARPE introduces 'Service Description' metadata to support a 'fully informative' GUI

Slide 26: Service Description Editor (screenshot)

Slide 27: Service Description Editor (screenshot)

Slide 28: Attribute Mapping
• Requirement to map between IdP and SP schemas (standard/custom to standard/custom...)
• Attribute mapping functions
  • One-to-One Mapping
  • Concatenation
  • Static Value assignment
  • Hashing (e.g. TargetedID)
• Examples:
  • Simple: 'email' to 'mail', or 'gender' to 'sex'
  • Complex: creating targetedID (e.g. hash(concat(SPname, email)))
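The four mapping functions of this slide applied to a constructed IdP record, as an added Python example (not ShARPE's attribute mapper). The targetedID follows the slide's recipe hash(concat(SPname, email)); the slide names no hash algorithm, so SHA-256 is assumed, and the optional IdP-held secret (HMAC variant) is an addition that keeps a guessed email plus the public SP name from reproducing a member's ID.

```python
import hashlib
import hmac


def one_to_one(attrs, source):
    """Rename only, e.g. IdP 'email' -> SP 'mail', 'gender' -> 'sex'."""
    return attrs.get(source)


def concat(attrs, *sources, sep=""):
    """Join several IdP values into one SP value."""
    return sep.join(attrs[s] for s in sources)


def static(value):
    """Same value for every member, e.g. a group's contract number."""
    return value


def hashed(value):
    """Hash a mapped value (algorithm not given on the slide; SHA-256 assumed)."""
    return hashlib.sha256(value.encode()).hexdigest()


def targeted_id(sp_name, email, secret=None):
    """Slide recipe: hash(concat(SPname, email)) -> one stable, SP-specific ID.
    With `secret` (assumption, not on the slide) an HMAC keyed by the IdP is
    used instead, so the ID cannot be rebuilt from a guessed email and SP name."""
    if secret is None:
        return hashed(concat({"sp": sp_name, "email": email}, "sp", "email"))
    return hmac.new(secret, (sp_name + email).encode(), "sha256").hexdigest()


def map_for_sp(idp_attrs, sp_name, contract_number, secret=None):
    """Produce the SP-schema view of one member's IdP attributes."""
    return {
        "mail": one_to_one(idp_attrs, "email"),               # simple rename
        "sex": one_to_one(idp_attrs, "gender"),               # simple rename
        "cn": concat(idp_attrs, "givenName", "sn", sep=" "),  # concatenation
        "contractNumber": static(contract_number),            # static value
        "targetedID": targeted_id(sp_name, idp_attrs["email"], secret),  # hashing
    }


# Constructed IdP record for the deck's example member (not real data)
SUE = {"givenName": "Susannah", "sn": "Halmay", "gender": "F",
       "email": "sue@example.edu", "eduPersonAffiliation": "Staff"}
```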

Slide 29: Attribute Mapping GUI (screenshot)

Slide 30: Evaluating ShARPE & Autograph
• View Flash Demonstrations via http://www.federation.org.au/twiki/bin/view/Federation/ShARPE
• Experiment with Autograph using a preconfigured 'openIdP': http://opensharpe.mams.org.au
• Install your own evaluation IdP including ShARPE and Autograph
  • NMI Edit software release 9
  • http://www.federation.org.au/software/Autograph_ShARPE-0.7.zip
  • MAMS' Easy Installation IdP with ShARPE: http://www.federation.org.au/software/installcd/

Slide 31: Evaluating ShARPE & Autograph (cont'd)
• Install on top of an existing IdP: http://www.federation.org.au/software/Autograph_ShARPE-0.7.zip
Qualifications: Attribute Mapping is optional functionality (it can be disabled at installation). Attribute mapping is relatively complex and changes the resolver file; it is not intended to be deployed on production systems. ShARPE and Autograph without attribute mapping only write to ARPs.

Slide 32: Thank you. Questions?

Slide 33: Shibboleth Architecture (diagram)
• Shibboleth Federation components: WAYF, Identity Provider, Service Provider, User
  • Identity Provider: secure identity management is a core business requirement
  • User: belongs to an organisation which manages her identity; privacy concerns
  • Service Provider: provides services accessible via the web; wants to focus on core business & avoid the risks of managing users' confidential info

Slide 34: Background: Shibboleth
• Standards based (SAML)
• Open source middleware
• Provides Web Single Sign-On (SSO) across or within institutional boundaries
  • SSO using session cookies
• Provides secure transfer of user attributes between the user's Identity Provider (IdP) and Service Providers (SPs)

Slide 35: Group Information sources (IdP configuration excerpt; the element tags were lost in extraction, and only the opening <ReleasePolicyEngine> and <ArpRepository implementation=…> and the following values survive)
  file:/usr/local/shibboleth-idp/etc/arps/
  file:///usr/local/shibboleth-idp/etc/resolver.ldap.xml
  urn:mace:dir:attribute-def:eduPersonAffiliation
  file:///usr/local/shibboleth-idp/etc/sample.grouplookup.properties
  institutionalGroupList
  groupList

Slide 36: Group Information sources
• Example of group names in a flat file
    debian> cd /usr/local/shibboleth-idp/etc
    debian> cat sample.grouplookup.properties
    #Sample group lookup using PropertyFileGroupLookup
    #this defines institutional-wide groups
    institutionalGroupList=Administrator,Staff,Researcher
    #an example of local groups
    groupList=Library,Physics,Biology,Walk-in
    #user based attributes specifying the groups
    #ann.eduPersonAffiliation=Researcher
    #staff.eduPersonAffiliation=Staff
    #librarian.eduPersonAffiliation=HeadOfSchool,Staff,Librarian
    debian>
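A reader for the flat-file group lookup shown on this slide, as an added Python example (not ShARPE's PropertyFileGroupLookup): it parses the properties file and resolves a member's groups from their eduPersonAffiliation values, reporting any name that matches neither institutionalGroupList nor groupList, since a group ARP can only apply to a group the IdP actually knows. The file content is copied from the slide; the header value comes from slide 5.

```python
# Copied from the slide's listing (the user-based lines are commented out there too)
SAMPLE = """\
#Sample group lookup using PropertyFileGroupLookup
#this defines institutional-wide groups
institutionalGroupList=Administrator,Staff,Researcher
#an example of local groups
groupList=Library,Physics,Biology,Walk-in
#user based attributes specifying the groups
#ann.eduPersonAffiliation=Researcher
#staff.eduPersonAffiliation=Staff
#librarian.eduPersonAffiliation=HeadOfSchool,Staff,Librarian
"""


def parse_properties(text):
    """Minimal Java-properties reader: key=value lines, comma-separated values,
    '#' comment lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return props


def resolve_groups(props, affiliation_values):
    """Split a member's affiliation values into (institutional, local, unknown) groups."""
    institutional = set(props.get("institutionalGroupList", []))
    local = set(props.get("groupList", []))
    names = {v.strip() for v in affiliation_values if v.strip()}
    return names & institutional, names & local, names - institutional - local


def groups_for_user(props, affiliation_header):
    """Resolve from a Shib-EP-UnscopedAffiliation header value such as 'Staff; Physics'."""
    return resolve_groups(props, affiliation_header.split(";"))
```

An unknown name (HeadOfSchool, Librarian in the commented librarian line) is the case an ARP administrator wants surfaced: no group ARP will ever apply to it until the group is added to one of the lists.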

Slide 37: Service Description Schema
• The SD XML schema includes the following @attributes and elements:
  • Service Provider: identifier, name, location, description, service-independent attributes
  • Service: @identifier, name, description, location, reference, service-specific level-independent attributes
  • Service Level: @identifier, name, description, reference, level-specific attributes

Slide 38: Service Description Example
  <ServiceProvider …>
  <ServiceProviderIdentifier>urn:mace:federation.org.au:testfed:level1:federation.org.au</ServiceProviderIdentifier>
  (the remaining element tags were lost in extraction; the surviving values, labelled by their position in the slide 37 schema order, are:)
  Service Provider name: Sandstone University
  Service Provider location: https://demo.federation.org.au
  Service Provider description: Online Services for Physics Researchers
  Service name: Laser and Optical Physics Database
  Service description: Data Generated by Physics Researchers
  Service location: https://demo.federation.org.au/SharpeJSPDemo/demo.jsp
  Service Level name: Gold Access
  Service Level description: Search, View, Query, Comment on Data
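The three-layer schema of slide 37 and the example of slide 38 turned into an added parser (not ShARPE's code): it reads a constructed Service Description in that shape and computes the attributes each service level needs, inheriting the provider-wide and service-wide requirements, which is the information ShARPE's GUI shows admins and Autograph shows users. Element names other than ServiceProvider and ServiceProviderIdentifier are hypothetical, and the Bronze level and the attribute names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed Service Description; tag names below the identifier are hypothetical
SD_XML = """<ServiceProvider>
  <ServiceProviderIdentifier>urn:mace:federation.org.au:testfed:level1:federation.org.au</ServiceProviderIdentifier>
  <Name>Sandstone University</Name>
  <Location>https://demo.federation.org.au</Location>
  <Description>Online Services for Physics Researchers</Description>
  <Attribute>eduPersonAffiliation</Attribute>
  <Service identifier="physdb">
    <Name>Laser and Optical Physics Database</Name>
    <Description>Data Generated by Physics Researchers</Description>
    <Location>https://demo.federation.org.au/SharpeJSPDemo/demo.jsp</Location>
    <Attribute>eduPersonTargetedID</Attribute>
    <ServiceLevel identifier="bronze">
      <Name>Bronze Access</Name>
      <Description>Search, View</Description>
    </ServiceLevel>
    <ServiceLevel identifier="gold">
      <Name>Gold Access</Name>
      <Description>Search, View, Query, Comment on Data</Description>
      <Attribute>mail</Attribute>
      <Attribute>displayName</Attribute>
    </ServiceLevel>
  </Service>
</ServiceProvider>"""


def _attrs(node):
    """Direct <Attribute> children of one layer (provider, service or level)."""
    return [a.text.strip() for a in node.findall("Attribute")]


def required_attributes(sd_xml):
    """Map (service id, level id) -> attributes needed at that level, folding in
    the provider-wide and service-wide requirements every level inherits."""
    root = ET.fromstring(sd_xml)
    provider_attrs = _attrs(root)
    out = {}
    for svc in root.findall("Service"):
        svc_attrs = provider_attrs + _attrs(svc)
        for lvl in svc.findall("ServiceLevel"):
            key = (svc.get("identifier"), lvl.get("identifier"))
            out[key] = list(dict.fromkeys(svc_attrs + _attrs(lvl)))  # ordered, deduplicated
    return out


def missing_for_levels(sd_xml, released):
    """What a member still withholds for each level, given what they currently release."""
    return {k: [a for a in v if a not in released]
            for k, v in required_attributes(sd_xml).items()}
```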