All about attributes

All About Attributes

(in federated identity)

Nate Klingenstein

[email protected]

30 January 2007

OGF 19 Chapel Hill


All About Attributes

  • Origination

  • Transformation

  • Transport

  • Consumption

  • Practical Guidelines


What’s an Attribute?

  • Most attributes are atoms of information

    • At least one name

      • Sometimes more…

      • Often unique per protocol

    • At least one value

      • Sometimes more…

    • May include other bits, like scope or nesting

  • Practically anything can be stuffed into this structure

    • But all parties need to understand it

  • The data surrounding an attribute are as important as the attribute itself


Some Useful Attributes

  • CN (common name): Nate Klingenstein

  • DN (distinguished name): C=, O=, OU=…

  • eduPerson(Scoped)Affiliation: student, staff, faculty, etc. (@supervillain.edu)

  • eduPersonPrincipalName: [email protected]

  • eduPersonEntitlement: urn:mace:dir:entitlement:common-lib-terms

    • Groups

    • Privileges

  • Email: [email protected]


Who Makes Attributes?

  • X.520

  • eduPerson (MACE/Internet2/EDUCAUSE)

  • Your applications

  • Your favorite corporate suite

  • Your friendly local federation

  • Your service provider

  • Your identity provider

  • You?


An Attribute by any other Name…

eduPersonAffiliation: staff

1.3.6.1.4.1.5923.1.1.1.10: staff

https://middleware.internet2.edu/attributes/eduPerson/eduPersonAffiliation: staff

urn:mace:dir:attribute-def:eduPersonScopedAffiliation: [email protected]


An Attribute by any other Name…

<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
                xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
                xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
                ldapprof:Encoding="LDAP"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                Name="urn:oid:2.5.4.42"
                FriendlyName="givenName">
  <saml:AttributeValue xsi:type="xs:string">By-Tor</saml:AttributeValue>
</saml:Attribute>


In the Beginning…

  • Attributes originate at a system of record

    • Database, directory, student information system, virtual organization, etc.

    • The ultimate (digital) authority

  • Everything really starts with people

    • I&A

    • Credentialing

    • Data entry

    • Governments, corporations, organizations, other users, self-asserted, etc.


At the End

  • Everything distills to an action by the SP

  • Final attribute format desired may vary

    • Set of name/value pairs

    • Boolean

    • Something more complicated

      • XACML?

      • Structured XML?

  • Issuance information required may vary

  • The SP is always a PDP and the PEP

    • And has ultimate control


How Applications Get Them

  • Shibboleth 1.3

    • Individual attributes exported as HTTP Header variables according to AAP.xml

    • Attribute assertion may also be exported

  • Shibboleth 2.0

    • Apache SP

      • Individual attributes exported as subprocess environment variables according to…?

      • Assertions available through (chunking? Localhost?)

    • Java SP

      • Individual attributes and assertions stored as attributes of the session object

  • Commercial product approaches will vary


What’s in Between?

  • Issuers and Consumers

  • Assertions

    • Attributes can be contained in and depend on them

    • Provide context and meaning for attributes

  • Authentication

    • Both end user and server

    • Relative, not absolute

  • Protocols, Bindings, Requests/Queries

  • All to support movement, transformation, and use by the SP from the system of record


SAML 1.1 Attribute Assertion

<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
          xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
          xmlns:xsd="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          InResponseTo="_b9d9777ac0b78d5b3b820e1eef63e275"
          IssueInstant="2007-01-29T19:20:05.716Z"
          MajorVersion="1" MinorVersion="1"
          ResponseID="_ba0e957d89d6f63ec8154ab962183eb4">
  <Status><StatusCode Value="samlp:Success"/></Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
             AssertionID="_631d3b6cd865fa9cd5b101899fa8e157"
             IssueInstant="2007-01-29T19:20:05.716Z"
             Issuer="https://idp.testshib.org/shibboleth/testshib/idp"
             MajorVersion="1" MinorVersion="1">
    <Conditions NotBefore="2007-01-29T19:20:05.716Z" NotOnOrAfter="2007-01-29T19:50:05.716Z">
      <AudienceRestrictionCondition>
        <Audience>https://sp.testshib.org/shibboleth/testshib/sp</Audience>
        <Audience>urn:mace:shibboleth:testshib</Audience>
      </AudienceRestrictionCondition>
    </Conditions>
    <AttributeStatement>
      <Subject>
        <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
                        NameQualifier="https://idp.testshib.org/shibboleth/testshib/idp">_9a46e887ae1bad9d81e25a8b1b12d819</NameIdentifier>
      </Subject>
      <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonEntitlement"
                 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <AttributeValue>urn:mace:dir:entitlement:common-lib-terms</AttributeValue>
      </Attribute>
      <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <AttributeValue Scope="testshib.org">Member</AttributeValue>
      </Attribute>
      <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
                 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <AttributeValue>Member</AttributeValue>
      </Attribute>
      <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <AttributeValue Scope="testshib.org">myself</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</Response>


Sometimes also in between: Third Parties

  • Many forms already on campus; when it’s all in the family, it’s just metadirectories & provisioning

    • Data Warehousing

    • Central Directories/Databases

  • Proxies

    • What NATs do for IP…

  • Portals

  • Scope vs. Issuer

  • ID-WSF

    • Attribute aggregation

    • Delegation

    • Client issuance

      • Provider/User Agent Convergence


Conservation of Information

  • Information is inevitably destroyed

    • Where did this attribute originate?

    • What chain did it traverse to get to me?

    • Who was trusted along the way?

    • What other parameters is this attribute based upon?

      • Successful user authentication

      • Successful server authentication

  • Privacy and secrecy vs. knowledge

    • Your use cases may vary, but you should know how much you know

      • Level of Assurance Grist


Practical Approach

  • Determine who needs to know what, who can say what, and what can’t be revealed

    • Metadata can help

  • Decide on common protocols & bindings

  • Check whether someone has already defined an attribute name/value space that meets your needs

  • If so, use it; if not, name your attribute wisely and constrain values if necessary

  • Populate if needed; set release and access control policies


Example #1

  • A store wants to sell discount books and school shirts to university students

    • Who, exactly, is a student?

      • How precisely do you care?

  • The university and store collaborate to craft the trust agreement

  • If eduPersonScopedAffiliation isn’t good enough, http://www.cheapbooks.edu/attributes/ourstudent or an eduPersonEntitlement

    • The university provisions the attribute to eligible users

  • Attribute information is released to the store, which maintains attribute-based access control

    • Beats accounts and IP Addresses


Example #1

  • System of record: SIS

  • Attributes needed: eduPersonScopedAffiliation

  • Other information needed:

    • Check issuer against attribute scope so OSU can’t buy Florida shirts?

  • Access control rule:

    • require scopedaffiliation *.edu
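The response on the "SAML 1.1 Attribute Assertion" slide, the point that the SP is both PDP and PEP, and this example's "require scopedaffiliation *.edu" rule come together in the following Python. It is an added example, not Shibboleth's or TestShib's code. It assumes a condensed copy of the slide's TestShib response (signature omitted, so a real SP would verify the signature or the TLS channel before any of this), a constructed issuer-to-scope table standing in for federation metadata, and the SP entity ID from the slide's Audience element.

```python
"""Consume a SAML 1.1 attribute assertion at the SP and enforce an
attribute rule. Added example, not Shibboleth code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ATTR_DEF = "urn:mace:dir:attribute-def:"

# Constructed: a condensed copy of the slide's TestShib response (no signature;
# in a real SP the signature or TLS check comes before anything below).
SAMPLE_RESPONSE = f"""<Response xmlns="{SAMLP}" xmlns:samlp="{SAMLP}"
  MajorVersion="1" MinorVersion="1" ResponseID="_ba0e957d89d6f63ec8154ab962183eb4"
  IssueInstant="2007-01-29T19:20:05.716Z">
  <Status><StatusCode Value="samlp:Success"/></Status>
  <Assertion xmlns="{SAML}" AssertionID="_631d3b6cd865fa9cd5b101899fa8e157"
    Issuer="https://idp.testshib.org/shibboleth/testshib/idp"
    IssueInstant="2007-01-29T19:20:05.716Z" MajorVersion="1" MinorVersion="1">
    <Conditions NotBefore="2007-01-29T19:20:05.716Z" NotOnOrAfter="2007-01-29T19:50:05.716Z">
      <AudienceRestrictionCondition>
        <Audience>https://sp.testshib.org/shibboleth/testshib/sp</Audience>
        <Audience>urn:mace:shibboleth:testshib</Audience>
      </AudienceRestrictionCondition>
    </Conditions>
    <AttributeStatement>
      <Subject><NameIdentifier>_9a46e887ae1bad9d81e25a8b1b12d819</NameIdentifier></Subject>
      <Attribute AttributeName="{ATTR_DEF}eduPersonScopedAffiliation">
        <AttributeValue Scope="testshib.org">Member</AttributeValue>
      </Attribute>
      <Attribute AttributeName="{ATTR_DEF}eduPersonPrincipalName">
        <AttributeValue Scope="testshib.org">myself</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</Response>"""

SP_ENTITY_ID = "https://sp.testshib.org/shibboleth/testshib/sp"

# Constructed metadata: the scopes each IdP is trusted to speak for. This is the
# slide's "check issuer against attribute scope" step.
ISSUER_SCOPES = {
    "https://idp.testshib.org/shibboleth/testshib/idp": {"testshib.org"},
}

# A moment inside the sample assertion's validity window, used by the demo.
REFERENCE_TIME = datetime(2007, 1, 29, 19, 30, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse a SAML 1.1 UTC timestamp such as 2007-01-29T19:20:05.716Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def consume_response(xml_text, sp_entity_id, now):
    """Validate the envelope and return (issuer, {name: [(value, scope)]}).

    Raises ValueError on a non-success status, an expired or not-yet-valid
    assertion, or an assertion addressed to a different audience.
    """
    root = ET.fromstring(xml_text)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or not code.get("Value", "").endswith(":Success"):
        raise ValueError("response status is not Success")

    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        raise ValueError("response carries no assertion")

    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is not None:
        if now < parse_ts(cond.get("NotBefore")) or now >= parse_ts(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        audiences = [a.text for a in cond.iter(f"{{{SAML}}}Audience")]
        if audiences and sp_entity_id not in audiences:
            raise ValueError("assertion not addressed to this SP")

    attrs = {}
    for attr in assertion.iter(f"{{{SAML}}}Attribute"):
        name = attr.get("AttributeName", "")
        # Strip the urn:mace:dir:attribute-def: prefix to get the friendly name.
        friendly = name[len(ATTR_DEF):] if name.startswith(ATTR_DEF) else name
        for val in attr.findall(f"{{{SAML}}}AttributeValue"):
            attrs.setdefault(friendly, []).append(((val.text or "").strip(), val.get("Scope")))
    return assertion.get("Issuer"), attrs


def scope_matches(scope, pattern):
    """'*.edu' matches any scope ending in '.edu'; anything else is exact."""
    if pattern.startswith("*."):
        return scope.endswith(pattern[1:])
    return scope == pattern


def require_scoped_affiliation(issuer, attrs, pattern):
    """Model of the slide's rule 'require scopedaffiliation *.edu'.

    A scoped value only counts if its issuer is trusted for that scope, so an
    IdP cannot claim an affiliation at someone else's institution.
    """
    trusted = ISSUER_SCOPES.get(issuer, set())
    return any(
        scope is not None and scope in trusted and scope_matches(scope, pattern)
        for _value, scope in attrs.get("eduPersonScopedAffiliation", [])
    )


if __name__ == "__main__":
    issuer, attrs = consume_response(SAMPLE_RESPONSE, SP_ENTITY_ID, REFERENCE_TIME)
    print(issuer, attrs)
    print("*.edu rule:", require_scoped_affiliation(issuer, attrs, "*.edu"))
    print("testshib.org rule:", require_scoped_affiliation(issuer, attrs, "testshib.org"))
```

The envelope checks (status, validity window, audience) are what make the SP the PDP: an assertion that fails any of them yields no attributes at all, and the scope check ties each scoped value back to the issuer that is allowed to assert it. Against the slide's sample, the "*.edu" rule denies (the scope is testshib.org), while "testshib.org" permits.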


Example #2

  • A consortium of scientists from eighteen different universities is collaborating to devise a mind-control TV channel, forming the MCTV WG

    • Re-use institutional identifiers & authentication via a VO

  • They collectively purchase grid cycles for brain wave analysis from a third party cluster

  • The VO wants to audit resource use by member

  • Who speaks authoritatively for which information?

    • Issuer/scope duality

    • Conservation of information

  • Who needs to know what?


Example #2

  • Systems of Record: Enterprise Directory (via HR), VO database

  • Attributes needed:

    • eduPersonPrincipalName

    • https://third.party.cluster/attributes/flops

  • Other information needed: weeeeelll…

    • How do you aggregate your attributes?

  • Access control is usually done inside the application for better error handling
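The aggregation question on this slide, together with the "Conservation of Information" and issuer/scope duality points, is worked through in the following Python. It is an added example, not ID-WSF or Shibboleth code. It assumes a constructed authority table (which issuer may assert which attribute, for which scope), constructed issuer entity IDs for two home IdPs and the VO attribute authority, and a constructed VO database keyed by eduPersonPrincipalName; the flops attribute name is the one on the slide.

```python
"""Attribute aggregation with provenance, as in Example #2. Added example,
not ID-WSF or Shibboleth code."""
from collections import defaultdict

EPPN = "eduPersonPrincipalName"
FLOPS = "https://third.party.cluster/attributes/flops"

# Constructed authority table: which issuer may assert which attribute, and for
# which scope. None means the attribute is unscoped.
AUTHORITY = {
    EPPN: {
        "https://idp.univ-a.example/idp": {"univ-a.example"},
        "https://idp.univ-b.example/idp": {"univ-b.example"},
    },
    FLOPS: {"https://vo.mctv.example/aa": None},
}

# Constructed VO database, keyed by ePPN, served by the VO attribute authority.
VO_ISSUER = "https://vo.mctv.example/aa"
VO_DB = {"alice@univ-a.example": {FLOPS: "2000000"}}


def is_authoritative(name, issuer, scope):
    """True if this issuer is allowed to assert this attribute for this scope."""
    issuers = AUTHORITY.get(name, {})
    if issuer not in issuers:
        return False
    scopes = issuers[issuer]
    return scopes is None or scope in scopes


def vo_lookup(eppn):
    """Stand-in for an attribute query to the VO authority: (issuer, attrs)."""
    attrs = [(name, value, None) for name, value in VO_DB.get(eppn, {}).items()]
    return VO_ISSUER, attrs


def aggregate(home_issuer, home_attrs, query_vo):
    """Merge the home IdP's assertion with the VO's, keeping provenance.

    home_attrs is a list of (name, value, scope). Returns (accepted, rejected):
    accepted maps name -> [{"value", "scope", "issuer"}]; rejected lists every
    (issuer, name, value, scope) the issuer was not authoritative for, so the
    audit trail records what was dropped and why.
    """
    accepted, rejected = defaultdict(list), []

    def take(issuer, attrs):
        for name, value, scope in attrs:
            if is_authoritative(name, issuer, scope):
                accepted[name].append({"value": value, "scope": scope, "issuer": issuer})
            else:
                rejected.append((issuer, name, value, scope))

    take(home_issuer, home_attrs)
    # The join key is the ePPN, and only an ePPN the home IdP may assert is used
    # to query the VO; a value in a scope the IdP does not own never gets that far.
    for rec in list(accepted.get(EPPN, [])):
        eppn = f"{rec['value']}@{rec['scope']}"
        take(*query_vo(eppn))
    return dict(accepted), rejected


def provenance(accepted, name):
    """Who asserted each value of an attribute, for the audit trail."""
    return [(r["value"], r["issuer"]) for r in accepted.get(name, [])]


if __name__ == "__main__":
    accepted, rejected = aggregate(
        "https://idp.univ-a.example/idp",
        [(EPPN, "alice", "univ-a.example"), (FLOPS, "999", None)],
        vo_lookup,
    )
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Keeping the issuer beside every value is what stops information from being destroyed in the aggregation step: the application can later ask who said a user had a flops quota, and an IdP that tries to assert the cluster's attribute itself, or an ePPN in another institution's scope, ends up in the rejected list rather than silently merged.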


Guiding Principles

  • Attribute-enable applications

  • Be pragmatic and trusting

    • Because it’s easy to audit and punish

  • The more common attributes, the more powerful federated identity is

    • Recycle, reduce, re-use

  • Name everything properly

  • Use strings whenever possible

    • Applications and people seem to like them

  • Keep flows as simple as possible


Question for You

  • gridPerson?


Any Questions?

Nate Klingenstein

[email protected]

