
3812b7652d0a88ce402b316850a05a5f.ppt
- Number of slides: 38
Shibboleth Attribute Release Policy Editing Tools: ShARPE and Autograph
I2MM, April 2006
Neil Witheridge, MAMS Project Manager
nwitheridge@melcoe.mq.edu.au
http://federation.org.au/
META ACCESS MANAGEMENT SYSTEM
Problem Statement
- ARP Administration (ShARPE)
  - ARP administrators need a 'zero effort' approach to implementing an access agreement with an SP: setting up site and group ARPs to supply the required attributes.
- User Privacy Control (Autograph)
  - There is a 'real world' requirement for privacy management: end-user control over the release of privacy-sensitive attributes.
  - A 'zero-effort' GUI interface is required.
Evaluation Release
- ShARPE and Autograph (version 0.7) released for evaluation purposes
- Elicitation of 'real world' requirements
  - As Shibboleth stakeholders (IdP and SP administrators and users), do these tools satisfy your requirements for ARP management?
  - Feedback requested on usefulness and usability.
Shibboleth Attribute Release Policy
- Shibboleth provides for privacy control through Attribute Release Policies (ARPs)
  - Rules specifying which attributes may be released to an SP, for IdP members in general or for specific individuals
- After user authentication and opaque handle delivery to the SP:
  (1) the SP's Attribute Consumer Service sends a SAML Attribute Request + handle to the IdP's Attribute Authority
  (2) the Attribute Authority applies the ARPs to the user attributes and returns a SAML Attribute Response
[Diagram: IdP (Attribute Authority, User Attributes, ARPs); SP (Attribute Consumer Service, AAP, Protected Service)]
Info Available To Protected App
- Via HTTP header
  (standard header parameters)
  host = demo.federation.org.au
  user-agent = Mozilla/5.0; accept = ...; accept-encoding = ...; accept-charset = ...
  Keep-Alive = 300; connection = keep-alive
  referer = https://openidp.mams.org.au/shibboleth-idp/SSO...
  cookie = ...
  (Shibboleth specific parameters)
  Shib-Identity-Provider = urn:mace:federation.org.au:testfed:level-1:openidp.mams.org.au
  Shib-Authentication-Method = urn:oasis:names:tc:SAML:1.0:am:unspecified
  (User Attributes)
  Shib-EP-UnscopedAffiliation = Staff; Physics
  Shib-Person-nickname = Sue
Attributes – IdP context
- Key: Value pairs, e.g. eduPersonAffiliation: Physics
- User information stored within the institutional directory, e.g. LDAP
- Directory schema determines the available keys (attribute names)
  - Standardised schema, e.g. person, organizationalPerson, inetOrgPerson, eduPerson...
  - Custom schema: institution-specific data; custom schema for elements that don't have a clear mapping to standard schemas
Attributes – SP context
- Received user attributes (in the SAML assertion from the IdP) are the basis of access control
- Potential for complex attribute-based access control
  - Service or service feature accessibility
  - Service Levels (not necessarily hierarchical): university, campus, role, discipline, course, year, group...
- SP attribute requirements must conform to a standard schema or be mappable from the IdP attribute schema
Current Shib Federations
- Current generation of Shib Federations
  - 1st generation?
  - Simple approach to access control, attributes and attribute management
- How will SPs use attributes as Federated IAM evolves?
  - Greater use of user attributes for service differentiation
  - Increasing service complexity (service features) and demand for user attributes
Emerging Federated Services
- Institutional Repositories and CMSs
  - More fine-grained protection of resources based on user attributes
- Virtual Organisations and GRID Services
  - Inter-organisational, national -> international collaboration
- Virtual Librarian (MAMS service development)
  - Example MAMS Shibbolised Service
  - Needs a relatively rich set of attributes
Current ARP Management
- SP attribute requirements agreed/negotiated manually (not scalable)
- Site and User ARPs, no Group ARPs
- Lack of service information for users (what attributes are required and released, and for what reason)
- Lack of interface for user ARP control
  - User can't access ARP files
Shibboleth ARP Editing Tools
- Provide a GUI-based editor to enable
  - ARP admins to implement access contracts
  - Users to manage their ARPs
- Provide visibility to the user of:
  - attributes required by services
  - attributes released to services
  - service received in return for attributes
- Enable users to change their ARPs and hence exercise privacy control
New features (to provide a comprehensive GUI for creation of ARPs)
- Group ARPs
  - Current Shibboleth supports site and user ARPs only
- Service Descriptions
  - Comprehensive information about an SP's service, service levels and attribute requirements
- Attribute Mapping
  - Support for mapping between IdP and SP schemas
ShARPE – ARP Administrator
- ARP Admin
  - Import Service Description (Physics research database from Sandstone Uni)
  - Create site ARP (all communities get bronze access)
  - Create group ARP (Physics community gets gold access)
[Screenshot: SandstoneUniServiceDescription.xml]
[Screenshot: arp.site.xml]
[Screenshot: arp.group.Physics.xml]
Autograph – IdP Member
- IdP member: Susannah Halmay, Physics staff member
  - View attributes released
  - Deny release of attributes required for Gold access
[Screenshot: arp.user.sue.xml]
Group ARPs
- How will contracts be established between an IdP and SPs?
  - Groups within institutions (IdPs) create agreements, maybe requiring subscription involving formal T&Cs and/or payment
- Attribute release policy defined for the group
  - Appropriate static values (contract number)
  - Members' attribute release policy by virtue of group membership
Group Information sources
- List of Groups and IdP member group membership information
  - Institutional Directory
  - Flat files
- Responsibility for Group ARP Administration?
- Future: Grouper and Signet
Service Descriptions
- SP's Service and Service Level descriptions and attribute requirements
  - Services may provide service levels (different functionality) based on supplied attributes, e.g. for an institutional repository or publisher: read access, adding comments/rank/annotations, submit access...
- Comprehensive Service Provider information is needed by both admins and users for 'sensible' attribute management
- ShARPE introduces 'Service Description' metadata to support a 'fully informative' GUI
[Screenshots: Service Description Editor]
Attribute Mapping
- Requirement to map between IdP and SP schemas (standard/custom to standard/custom...)
- Attribute mapping functions
  - One-to-One Mapping
  - Concatenation
  - Static Value assignment
  - Hashing (e.g. TargetedID)
- Examples:
  - Simple: 'email' to 'mail', or 'gender' to 'sex'
  - Complex: creating targetedID, e.g. hash(concat(SPname, email))
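An added example (not ShARPE's mapping code) showing the four mapping functions above composed into an SP-side attribute set, including the slide's targetedID recipe. The keyed variant, the SP name, the contract number and the sample user are assumptions introduced here.

```python
import hashlib
import hmac


def one_to_one(attrs, src, dst):
    """Rename an attribute, e.g. 'email' -> 'mail' or 'gender' -> 'sex'."""
    return {dst: attrs[src]} if src in attrs else {}


def concat(*parts, sep="!"):
    """Concatenation; the separator stops 'ab'+'c' colliding with 'a'+'bc'."""
    return sep.join(parts)


def hashed(value):
    return hashlib.sha256(value.encode()).hexdigest()


def targeted_id(sp_name, email):
    """The slide's recipe: hash(concat(SPname, email)).

    Stable for one user at one SP, different at every other SP, so SPs
    cannot correlate the user by this value alone."""
    return hashed(concat(sp_name, email))


def keyed_targeted_id(secret, sp_name, email):
    """Assumed hardening, not on the slides: key the hash with an IdP-held
    secret so a party that knows (SPname, candidate email) cannot confirm a
    guess by recomputing the unkeyed hash."""
    return hmac.new(secret, concat(sp_name, email).encode(), hashlib.sha256).hexdigest()


def map_attributes(idp_attrs, sp_name, secret):
    """Build the SP-side attributes from IdP-side ones using all four function kinds."""
    out = {}
    out.update(one_to_one(idp_attrs, "email", "mail"))
    out.update(one_to_one(idp_attrs, "gender", "sex"))
    out["contractNumber"] = "SANDSTONE-2006-PHYS"  # static value assignment (constructed)
    out["targetedID"] = keyed_targeted_id(secret, sp_name, idp_attrs["email"])
    return out


if __name__ == "__main__":
    # Constructed sample user and SP identifier (the slide's service id)
    sue = {"email": "sue@example.edu", "gender": "F"}
    print(map_attributes(sue, "sandstoneuni:physicsdatabase", b"idp-secret"))
```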
[Screenshot: Attribute Mapping GUI]
Evaluating ShARPE & Autograph
- View Flash demonstrations via http://www.federation.org.au/twiki/bin/view/Federation/ShARPE
- Experiment with Autograph using a preconfigured 'openIdP': http://opensharpe.mams.org.au
- Install your own evaluation IdP including ShARPE and Autograph
  - NMI-EDIT software release 9: http://www.federation.org.au/software/Autograph_ShARPE-0.7.zip
  - MAMS' Easy Installation IdP with ShARPE: http://www.federation.org.au/software/installcd/
Evaluating ShARPE & Autograph (cont'd)
- Install on top of an existing IdP: http://www.federation.org.au/software/Autograph_ShARPE-0.7.zip
- Qualifications:
  - Attribute Mapping is optional functionality (can be disabled at installation).
  - Attribute mapping is relatively complex and changes the resolver file; it is not intended to be deployed on production systems.
  - ShARPE and Autograph without attribute mapping only write to ARPs.
Thank you. Questions?
Shibboleth Architecture
- Shibboleth Federation components: WAYF, Identity Provider, Service Provider, User
  - Identity Provider: secure identity management is a core business requirement
  - User: belongs to an organisation which manages her identity; privacy concerns
  - Service Provider: provides services accessible via the web; wants to focus on core business and avoid the risks of managing users' confidential info.
Background: Shibboleth
- Standards based (SAML)
- Open source middleware
- Provides Web Single Sign-On (SSO) across or within institutional boundaries
  - SSO using session cookies
- Provides secure transfer of user attributes between the user's Identity Provider (IdP) and Service Providers (SPs)
Group Information sources
- Example ReleasePolicyEngine configuration with two group lookup sources (attribute resolver and flat property file):

  <ReleasePolicyEngine>
    <ArpRepository implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.provider.MAMSFileSystemArpRepository">
      <Path>file:/usr/local/shibboleth-idp/etc/arps/</Path>
      <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.AttributeResolverGroupLookup">
        <ResolverConfig implementation="edu.internet2.middleware.shibboleth.aa.attrresolv.MAMSAttributeResolver">
          file:///usr/local/shibboleth-idp/etc/resolver.ldap.xml
        </ResolverConfig>
        <UserGroup>urn:mace:dir:attribute-def:eduPersonAffiliation</UserGroup>
      </GroupLookup>
      <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.PropertyFileGroupLookup" separator="%PRINCIPAL%.">
        <PropertyFile>file:///usr/local/shibboleth-idp/etc/sample.grouplookup.properties</PropertyFile>
        <GroupListing>institutional.groupList</GroupListing>
        <GroupListing>groupList</GroupListing>
      </GroupLookup>
    </ArpRepository>
  </ReleasePolicyEngine>
Group Information sources
- Example of group names in a flat file:

  debian> cd /usr/local/shibboleth-idp/etc
  debian> cat sample.grouplookup.properties
  #Sample group lookup using PropertyFileGroupLookup
  #this defines institutional-wide groups
  institutional.groupList=Administrator, Staff, Researcher
  #an example of local groups
  groupList=Library, Physics, Biology, Walk-in
  #user based attributes specifying the groups
  #ann.eduPersonAffiliation=Researcher
  #staff.eduPersonAffiliation=Staff
  #librarian.eduPersonAffiliation=HeadOfSchool, Staff, Librarian
  debian>
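An added example (not ShARPE's PropertyFileGroupLookup) that parses the flat file above and reports a principal's groups. It assumes, from the configuration's separator="%PRINCIPAL%.", that per-user keys take the form "<principal>.<attribute>", and it treats any group name not declared in a GroupListing as a configuration error worth flagging. The sample is constructed from the slide with the per-user lines uncommented.

```python
# Constructed sample, based on the slide's sample.grouplookup.properties
SAMPLE_PROPERTIES = """\
#Sample group lookup using PropertyFileGroupLookup
#this defines institutional-wide groups
institutional.groupList=Administrator, Staff, Researcher
#an example of local groups
groupList=Library, Physics, Biology, Walk-in
#user based attributes specifying the groups
ann.eduPersonAffiliation=Researcher
staff.eduPersonAffiliation=Staff
librarian.eduPersonAffiliation=HeadOfSchool, Staff, Librarian
"""

# Keys named by the <GroupListing> elements in the configuration slide
GROUP_LISTINGS = ("institutional.groupList", "groupList")


def parse_properties(text):
    """Parse 'key=a, b, c' lines into {key: [a, b, c]}, skipping comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return props


def declared_groups(props):
    """Union of every group name listed under the configured GroupListing keys."""
    return {g for key in GROUP_LISTINGS for g in props.get(key, [])}


def groups_for(props, principal, attribute="eduPersonAffiliation"):
    """Return (declared groups the principal belongs to, undeclared names it was given).

    Assumed key layout: '<principal>.<attribute>' per the %PRINCIPAL%. separator."""
    wanted = set(props.get(f"{principal}.{attribute}", []))
    known = declared_groups(props)
    return sorted(wanted & known), sorted(wanted - known)


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for who in ("ann", "staff", "librarian"):
        print(who, groups_for(props, who))
```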
Service Description Schema
- The SD XML schema includes the following @attributes and elements:
  - Service Provider: identifier, name, location, description, service-independent attributes
  - Service: @identifier, name, description, location, reference, service-specific level-independent attributes
  - Service Level: @identifier, name, description, reference, level-specific attributes
Service Description Example

  <ServiceProvider ...>
    <ServiceProviderIdentifier>urn:mace:federation.org.au:testfed:level-1:federation.org.au</ServiceProviderIdentifier>
    <ServiceProviderName xml:lang="en">Sandstone University</ServiceProviderName>
    <ServiceProviderLocation xml:lang="en">https://demo.federation.org.au</ServiceProviderLocation>
    <ServiceProviderDescription xml:lang="en">Online Services for Physics Researchers</ServiceProviderDescription>
    <Service identifier="sandstoneuni:physicsdatabase">
      <ServiceName xml:lang="en">Laser and Optical Physics Database</ServiceName>
      <ServiceDescription xml:lang="en">Data Generated by Physics Researchers</ServiceDescription>
      <ServiceLocation xml:lang="en">https://demo.federation.org.au/SharpeJSPDemo/demo.jsp</ServiceLocation>
      <ServiceLevel identifier="gold">
        <ServiceLevelName xml:lang="en">Gold Access</ServiceLevelName>
        <ServiceLevelDescription xml:lang="en">Search, View, Query, Comment on Data</ServiceLevelDescription>
        <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation" FriendlyName="your affiliation" isRequired="true"/>
        <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonNickname" FriendlyName="your nickname" isRequired="true"/>
        <md:RequestedAttribute Name="urn:mace:dir:attribute-def:sn" FriendlyName="surname" isRequired="true"/>
      </ServiceLevel>
      <ServiceLevel identifier="silver">...</ServiceLevel>
      <ServiceLevel identifier="bronze">...</ServiceLevel>
    </Service>
  </ServiceProvider>
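An added example (not ShARPE's code) tying the Service Description above to the ARP scenario from the ShARPE and Autograph slides: it reads the required attributes per service level, combines site, group and user ARPs with deny-overrides-permit semantics, and reports which levels the released attributes satisfy. The md namespace, the absence of a namespace on the other elements and bronze's single requirement (elided on the slide) are assumptions.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # assumed namespace behind the md: prefix
EPA = "urn:mace:dir:attribute-def:eduPersonAffiliation"
NICK = "urn:mace:dir:attribute-def:eduPersonNickname"
SN = "urn:mace:dir:attribute-def:sn"

# Constructed sample modelled on the slide: gold is as shown there, bronze's
# requirement is assumed, unprefixed elements are assumed to have no namespace.
SERVICE_DESCRIPTION = f"""
<ServiceProvider xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <Service identifier="sandstoneuni:physicsdatabase">
    <ServiceLevel identifier="gold">
      <md:RequestedAttribute Name="{EPA}" isRequired="true"/>
      <md:RequestedAttribute Name="{NICK}" isRequired="true"/>
      <md:RequestedAttribute Name="{SN}" isRequired="true"/>
    </ServiceLevel>
    <ServiceLevel identifier="bronze">
      <md:RequestedAttribute Name="{EPA}" isRequired="true"/>
    </ServiceLevel>
  </Service>
</ServiceProvider>
"""


def required_attributes(xml_text):
    """Map each ServiceLevel identifier to the set of attribute names it requires."""
    levels = {}
    for level in ET.fromstring(xml_text.strip()).iter("ServiceLevel"):
        levels[level.get("identifier")] = {
            ra.get("Name") for ra in level.findall(MD + "RequestedAttribute")
            if ra.get("isRequired") == "true"}
    return levels


def effective_release(*arps):
    """Combine site, group and user ARPs for one SP: a deny in any ARP wins over permits."""
    permitted = set().union(*(a.get("permit", ()) for a in arps))
    denied = set().union(*(a.get("deny", ()) for a in arps))
    return permitted - denied


def attainable_levels(levels, released):
    """Service levels whose required attributes are all released."""
    return sorted(lvl for lvl, req in levels.items() if req <= released)


# The slides' scenario: the site ARP gives everyone bronze, the Physics group ARP
# adds what gold needs, and Sue's user ARP denies her nickname (constructed ARPs).
SITE_ARP = {"permit": [EPA]}
PHYSICS_GROUP_ARP = {"permit": [NICK, SN]}
SUE_USER_ARP = {"deny": [NICK]}
```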