
All About Attributes - PowerPoint PPT Presentation

Presentation Transcript

All About Attributes

(in federated identity)

Nate Klingenstein

[email protected]

30 January 2007

OGF 19 Chapel Hill

All About Attributes

  • Origination

  • Transformation

  • Transport

  • Consumption

  • Practical Guidelines

What’s an Attribute?

  • Most attributes are atoms of information

    • At least one name

      • Sometimes more…

      • Often unique per protocol

    • At least one value

      • Sometimes more…

    • May include other bits, like scope or nesting

  • Practically anything can be stuffed into this structure

    • But all parties need to understand it

  • The data surrounding an attribute are as important as the attribute itself

Some Useful Attributes

  • CN (common name): Nate Klingenstein

  • DN (distinguished name): C=, O=, OU=…

  • eduPerson(Scoped)Affiliation: student, staff, faculty, etc.

  • eduPersonPrincipalName: [email protected]

  • eduPersonEntitlement: urn:mace:dir:entitlement:common-lib-terms

    • Groups

    • Privileges

  • Email: [email protected]

Who Makes Attributes?

  • X.520

  • eduPerson (MACE/Internet2/EDUCAUSE)

  • Your applications

  • Your favorite corporate suite

  • Your friendly local federation

  • Your service provider

  • Your identity provider

  • You?

An Attribute by any other Name…

eduPersonAffiliation: staff staff staff

urn:mace:dir:attribute-def:eduPersonScopedAffiliation: [email protected]

An Attribute by any other Name…

<saml:Attribute xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
                xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
                xacmlprof:DataType=""
                ldapprof:Encoding="LDAP"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                Name="urn:oid:"
                FriendlyName="givenName">
  <saml:AttributeValue xsi:type="xs:string">

In the Beginning…

  • Attributes originate at a system of record

    • Database, directory, student information system, virtual organization, etc.

    • The ultimate (digital) authority

  • Everything really starts with people

    • I&A

    • Credentialing

    • Data entry

    • Governments, corporations, organizations, other users, self-asserted, etc.

At the End

  • Everything distills to an action by the SP

  • Final attribute format desired may vary

    • Set of name/value pairs

    • Boolean

    • Something more complicated

      • XACML?

      • Structured XML?

  • Issuance information required may vary

  • The SP is always a PDP and the PEP

    • And has ultimate control

How Applications Get Them

  • Shibboleth 1.3

    • Individual attributes exported as HTTP Header variables according to AAP.xml

    • Attribute assertion may also be exported

  • Shibboleth 2.0

    • Apache SP

      • Individual attributes exported as subprocess environment variables according to…?

      • Assertions available through (chunking? Localhost?)

    • Java SP

      • Individual attributes and assertions stored as attributes of the session object

  • Commercial product approaches will vary

What’s in Between?

  • Issuers and Consumers

  • Assertions

    • Attributes can be contained in and depend on them

    • Provide context and meaning for attributes

  • Authentication

    • Both end user and server

    • Relative, not absolute

  • Protocols, Bindings, Requests/Queries

  • All to support movement, transformation, and use by the SP from the system of record

SAML 1.1 Attribute Assertion

<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
          InResponseTo="_b9d9777ac0b78d5b3b820e1eef63e275"
          IssueInstant="2007-01-29T19:20:05.716Z"
          MajorVersion="1" MinorVersion="1"
          ResponseID="_ba0e957d89d6f63ec8154ab962183eb4"
          xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
          xmlns:xsd="" xmlns:xsi="">
  <Status><StatusCode Value="samlp:Success"/></Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
             AssertionID="_631d3b6cd865fa9cd5b101899fa8e157"
             IssueInstant="2007-01-29T19:20:05.716Z"
             Issuer=""
             MajorVersion="1" MinorVersion="1">
    <Conditions NotBefore="2007-01-29T19:20:05.716Z" NotOnOrAfter="2007-01-29T19:50:05.716Z">
      <AudienceRestrictionCondition>
        <Audience></Audience>
        <Audience>urn:mace:shibboleth:testshib</Audience>
      </AudienceRestrictionCondition>
    </Conditions>
    <AttributeStatement>
      <Subject>
        <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="">_9a46e887ae1bad9d81e25a8b1b12d819</NameIdentifier>
      </Subject>
      <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonEntitlement"
                 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <AttributeValue>urn:mace:dir:entitlement:common-lib-terms</AttributeValue>
      </Attribute>
      <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <AttributeValue Scope="">Member</AttributeValue>
      </Attribute>
      <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
                 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <AttributeValue>Member</AttributeValue>
      </Attribute>
      <Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                 AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <AttributeValue Scope="">myself</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</Response>

Sometimes also in between: Third Parties

  • Many forms already on campus; when it’s all in the family, it’s just metadirectories & provisioning

    • Data Warehousing

    • Central Directories/Databases

  • Proxies

    • What NATs do for IP…

  • Portals

  • Scope vs. Issuer

  • ID-WSF

    • Attribute aggregation

    • Delegation

    • Client issuance

      • Provider/User Agent Convergence

Conservation of Information

  • Information is inevitably destroyed

    • Where did this attribute originate?

    • What chain did it traverse to get to me?

    • Who was trusted along the way?

    • What other parameters is this attribute based upon?

      • Successful user authentication

      • Successful server authentication

  • Privacy and secrecy vs. knowledge

    • Your use cases may vary, but you should know how much you know

  • Level of Assurance grist

Practical Approach

  • Determine who needs to know what, who can say what, and what can’t be revealed

    • Metadata can help

  • Decide on common protocols & bindings

  • Check whether someone has already defined an attribute name/value space that meets your needs

  • If so, use it; if not, name your attribute wisely and constrain values if necessary

  • Populate if needed; set release and access control policies

Example #1

  • A store wants to sell discount books and school shirts to university students

    • Who, exactly, is a student?

      • How precisely do you care?

  • The university and store collaborate to craft the trust agreement

  • If eduPersonScopedAffiliation isn’t good enough, use an eduPersonEntitlement

    • The university provisions the attribute to eligible users

  • Attribute information is released to the store, which maintains attribute-based access control

    • Beats accounts and IP Addresses

Example #1

  • System of record: SIS

  • Attributes needed: eduPersonScopedAffiliation

  • Other information needed:

    • Check issuer against attribute scope so OSU can’t buy Florida shirts?

  • Access control rule:

    • require scopedaffiliation *.edu

Example #2

  • A consortium of scientists from eighteen different universities is collaborating to devise a mind-control TV channel, forming the MCTV WG

    • Re-use institutional identifiers & authentication via a VO

  • They collectively purchase grid cycles for brain wave analysis from a third party cluster

  • The VO wants to audit resource use by member

  • Who speaks authoritatively for which information?

    • Issuer/scope duality

    • Conservation of information

  • Who needs to know what?

Example #2

  • Systems of Record: Enterprise Directory (via HR), VO database

  • Attributes needed:

    • eduPersonPrincipalName


  • Other information needed: weeeeelll…

    • How do you aggregate your attributes?

  • Access control is usually done inside the application for better error handling
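An added example (not from the presentation) that works both Example #1 and Example #2 on constructed SAML 1.1 assertions in the layout of the earlier slide: every attribute value keeps its issuer, a scoped value is dropped when the constructed federation metadata does not allow that issuer to assert the scope (the OSU-buys-Florida-shirts check), the student@*.edu rule is evaluated over what survives, and the aggregated set still says who asserted the member identifier the VO audits against. Entity IDs, scopes, user name and entitlement URN are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:1.0:assertion"
EPSA = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
EPE = "urn:mace:dir:attribute-def:eduPersonEntitlement"

# Constructed federation metadata (hypothetical entity IDs): scopes each issuer may assert.
ISSUER_SCOPES = {"https://idp.osu.example.edu/shib": {"osu.example.edu"},
                 "https://vo.mctv.example.org/shib": {"mctv.example.org"}}

# Constructed assertions: the university IdP also (wrongly) asserts a Florida scope.
UNI = f"""<Assertion xmlns="{NS}" Issuer="https://idp.osu.example.edu/shib"><AttributeStatement>
<Attribute AttributeName="{EPPN}"><AttributeValue Scope="osu.example.edu">nate</AttributeValue></Attribute>
<Attribute AttributeName="{EPSA}"><AttributeValue Scope="osu.example.edu">student</AttributeValue>
<AttributeValue Scope="ufl.example.edu">student</AttributeValue></Attribute>
</AttributeStatement></Assertion>"""
VO = f"""<Assertion xmlns="{NS}" Issuer="https://vo.mctv.example.org/shib"><AttributeStatement>
<Attribute AttributeName="{EPE}"><AttributeValue>urn:mace:example:mctv:grid-user</AttributeValue></Attribute>
</AttributeStatement></Assertion>"""

def parse(xml_text):
    """Return [(name, value, scope, issuer)]: provenance travels with every value."""
    root = ET.fromstring(xml_text)
    issuer = root.get("Issuer")
    out = []
    for a in root.iter(f"{{{NS}}}Attribute"):
        for v in a.findall(f"{{{NS}}}AttributeValue"):
            out.append((a.get("AttributeName"), (v.text or "").strip(), v.get("Scope"), issuer))
    return out

def filter_scopes(values):
    """Drop scoped values whose scope the issuer may not assert (the OSU/Florida check).
    Unscoped values pass: only the issuer identity says who vouched for them."""
    return [t for t in values if t[2] is None or t[2] in ISSUER_SCOPES.get(t[3], set())]

def aggregate(*assertions):
    """Example #2: merge attributes from several issuers without losing who said what."""
    return filter_scopes([t for x in assertions for t in parse(x)])

def student_at_edu(values):
    """Example #1 rule: require a scoped affiliation of student at some *.edu scope."""
    return any(n == EPSA and v == "student" and s and s.endswith(".edu") for n, v, s, _ in values)

def audit_identity(values):
    """Example #2: the member identifier to log grid use against, and who asserted it."""
    for n, v, s, issuer in values:
        if n == EPPN:
            return f"{v}@{s}", issuer
    return None
```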

Guiding Principles

  • Attribute-enable applications

  • Be pragmatic and trusting

    • Because it’s easy to audit and punish

  • The more common attributes, the more powerful federated identity is

    • Recycle, reduce, re-use

  • Name everything properly

  • Use strings whenever possible

    • Applications and people seem to like them

  • Keep flows as simple as possible

Question for You

  • gridPerson?