
GakuNin Registration System

GakuNin Registration System. Motonori Nakamura, NII Japan. APAN 33rd Meeting (16 Feb. 2012). What to do to operate a federation? Accept applications from organizations (universities / service providers). Check descriptions in application forms





Presentation Transcript


  1. GakuNin Registration System
  Motonori Nakamura, NII Japan
  APAN 33rd Meeting (16 Feb. 2012)

  2. What to do to operate a federation?
  • Accept applications from organizations (universities / service providers)
  • Check descriptions in application forms
  • Register the organization in the federation metadata, and distribute it to the DS/IdPs/SPs
  • Further support for IdP/SP operation to reduce operation cost / improve usefulness

  3. GakuNin Registration System
  • Developed and provided to GakuNin subscribers since Feb. 2011 (for the “production federation”)
  • Since June 2011 for the “test federation”
  • Most of the process is done online
    • Only mailing a copy with signature/stamp is required for the production federation.

  4. Verification of an application (for the production federation)
  • Verification of each item in an application form
    • Organization
      • Does it satisfy the bylaws of GakuNin?
    • entityID
    • Validity of the server certificate
      • DN (Distinguished Name)
      • Expiration date
      • Which CA is the certificate signed by?
        • We basically require a public certificate.
    • Position of the responsible person
    • Contact address

  5. Metadata management
  • Automatic generation of entity metadata according to an application for an IdP/SP
  • Merge the entity metadata into the federation metadata
  • The registration system also supports:
    • Periodic re-signing of the federation metadata
      • “validUntil” is enabled, and valid for 2 weeks
      • Re-signing is done at an interval of a week
    • Update of certificates for IdPs / SPs
      • Two certificates should be used at a time in the transition period for seamless access

  6. Further support by the system
  • Reducing the operation cost of IdPs/SPs
  • Improvement of the Embedded-DS feature
  • Integrated administrative information exchange among IdPs / SPs

  7. Reducing the operation cost of SPs
  • Generation of SP entity metadata which includes information about required attributes
    • “isRequired” of “RequestedAttribute” in the metadata

  8. Reducing the operation cost of IdPs
  • Maintenance-free configuration of the IdP to send the attributes required by each SP, using uApprove.jp
    • uApprove.jp is required for observance of personal information protection laws
    • uApprove.jp shows and sends only the attributes required by the SP and approved by the user, by:
      <afp:PermitValueRule xsi:type="uajp:AttributeUapprove" />
  • Automatic generation of “attribute-filter.xml” for an IdP to use selected SPs (2Q 2012)
    • Most IdP organizations want to control the list of SPs accessible by members of the organization
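As an added example (not part of the presentation and not GakuNin's own registration-system code), the following Python script applies two of the checks described above to a constructed sample of federation metadata: the validUntil freshness policy from slide 5 (2-week validity, weekly re-signing, so a healthy federation never serves metadata with less than a week left) and the extraction of RequestedAttribute entries flagged isRequired="true" from slide 7, which is the input an attribute-filter.xml generator like the one planned on slide 8 would consume. The entityID, federation name and dates in the sample are constructed; only the SAML metadata namespace and the attribute OIDs are real.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
VALIDITY = timedelta(days=14)        # validUntil window stated on slide 5
RESIGN_INTERVAL = timedelta(days=7)  # re-signing interval stated on slide 5

# Constructed sample federation metadata (entityID, name and dates are made up).
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="https://federation.example.test" validUntil="2012-03-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://sp.example.test/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="0">
        <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:2.5.4.42" isRequired="false"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def freshness(xml_text, now_iso):
    """Classify the federation-level validUntil as seen at time now_iso.
    'stale' means a weekly re-signing run was missed; 'expired' copies must be rejected."""
    remaining = _parse_time(ET.fromstring(xml_text).get("validUntil")) - _parse_time(now_iso)
    if remaining <= timedelta(0):
        return "expired"
    if remaining < VALIDITY - RESIGN_INTERVAL:
        return "stale"
    return "fresh"

def required_attributes(xml_text):
    """Map each SP entityID to the RequestedAttribute names flagged isRequired="true"."""
    result = {}
    for ed in ET.fromstring(xml_text).findall("md:EntityDescriptor", NS):
        if ed.find("md:SPSSODescriptor", NS) is None:
            continue  # IdP entries carry no RequestedAttribute
        result[ed.get("entityID")] = [
            ra.get("Name") for ra in ed.iter("{%s}RequestedAttribute" % NS["md"])
            if ra.get("isRequired", "false").lower() == "true"]
    return result

if __name__ == "__main__":
    print(freshness(SAMPLE_METADATA, "2012-02-16T00:00:00Z"))
    print(required_attributes(SAMPLE_METADATA))
```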

  9. Improvement of the Embedded-DS feature
  • Display only the IdPs which are allowed to use the SP
    • e.g. services which require a p2p (IdP-SP) contract
  • Suppress an IdP in the listing on the DS (Discovery Service) when the IdP does not allow access to the SP, to avoid confusing users (“My IdP is on the list, but I cannot use it. Why??”)

  10. Integrated administrative information exchange
  • Imagine:
    • An IdP may be stopped accidentally or for maintenance.
    • When a user belonging to the organization of that IdP visits an SP and fails to log in, he may send a complaint to the SP administrators.
  • A solution for this miscommunication
    • A sort of integrated system may be useful so that administrators/users can see what the problem is at that time.
    • The GakuNin registration system will have such an integrated announcement feature.

  11. Summary
  • The GakuNin Registration System is constructed
    • Initially for reducing the operation cost of the GakuNin secretariat.
  • It also reduces the maintenance cost of IdPs by providing automatic configuration features.
    • By combination with uApprove.jp
    • Useful for developing an easy IdP hosting service to accelerate the increase in the number of IdPs
  • It also provides convenience and avoidance of confusion for users by cooperation with SPs using Embedded-DS
  • It also provides an integrated information exchange channel among IdPs and SPs (planned)
