
ShARPE & Autograph

Managing Attribute Release

in a Shibboleth Federation

Peter Schendzielorz

Macquarie University’s E-Learning Centre of Excellence (MELCOE)

[email protected]

META ACCESS MANAGEMENT SYSTEM


Contents

  • Introduction to the MAMS project

  • ShARPE

    • Shibboleth Attribute Release Policy Editor

  • Autograph



The MAMS Project

Bringing inter-institutional identity management to Australian higher education ...


Backing Australia’s Ability

Department of Education Services and Training (DEST) founded Australian Research Information Infrastructure Committee (ARIIC) to guide the first round of projects:

  • Australian Digital Thesis (ADT)

  • Australian Partnership for Sustainable Repositories (APSR)

  • Australian Research Repositories Online to the World (ARROW)

  • Meta Access Management System (MAMS)

FRODO (Federated Repositories of Digital Objects)



About MAMS

  • http://mams.melcoe.mq.edu.au

  • Responsible for managing the Australian federation

  • Managed by James Dalziel and Erik Vullings

  • Hosted at Macquarie University, Sydney, Australia



About our Federation

  • Name: MAMS Testbed Federation

  • Operator: MAMS (government funded)

    • project hosted at Macquarie University

    • infrastructure hosted by AARNet

  • Members: Higher education mainly, expanding to Grid & research, no guest access

  • Why join? Mini-grants for SPs (AUD$40,000)

  • Cost? Nothing currently



About our Federation

  • WAYF: centralised, but customisable

  • Attrs: encouraging eduPerson adoption

  • VO: stay tuned tomorrow!

  • Disputes: targetedID, auditing

  • Scalable? Mechanisms for managing metadata



MAMS Testbed Federation

  • Dec. 2005: Federation at federation.org.au

    • Level 1: Test purposes, Easy Install (Knoppix) CD

    • Level 2: Production quality, ~700,000 identities, 25% of HE Uni.

    • Level 3: As 2, incl. legal documents (TBD)

  • SP available to all:

    • UQ: Fez (URL)

    • Griffith: Wiki, Gnomic database

    • US: Scott Cantor’s Shibboleth Wiki

    • Expected soon: Science-Direct from Reed-Elsevier

  • SP available to some:

    • Murdoch & MQ: Online Librarian

    • QUT (for the ATN group): eGrad School



Architecture View

(Diagram: the Federation, hosted by AARNet, manages trust between parties and handles auditing. The Service Provider provides services to internal and external users via the web; it wants to focus on core business and avoid the risks of managing users’ confidential information. The Identity Provider’s Attribute Authority manages and asserts users’ attributes securely to trusted SPs. Users have privacy concerns and want transparent but secure SSO.)



ShARPE & Autograph

What personal attributes am I willing to share with others in the federation…



Recall this…

(Diagram: the user asks “Who am I?”; the Service Provider uses the SAML handle to retrieve the user’s attributes from the Identity Provider.)


Attribute Release Policies

When I visit an SP, how do I present myself? Who am I?

(Diagram: three “cards” for the same MQ user)

  • Reference #123456; Staff at Macquarie Uni

  • John Smith; Staff at Macquarie Uni

  • John Smith; [email protected]; Staff at Macquarie Uni; +61-(0)2-9850.9000


Different cards open different doors – Attributes give access to Features –

(Diagram: the same three cards, each opening a different door)

  • Reference #123456; Staff at Macquarie Uni: enables access to repository

  • John Smith; Staff at Macquarie Uni: allows me to rank material

  • John Smith; [email protected]; Staff at Macquarie Uni; +61-(0)2-9850.9000: allows me to add comments


Key Features

  • Acts as a GUI to the backend XML files

  • Gives control to the IdP admin

  • Allows IdP management of access to SPs

  • Provides attribute mapping

  • Installation instructions:

    http://www.federation.org.au/twiki/bin/view/Federation/ShARPEInstall



Privacy in the Federation

(Diagram: an IdP member’s set of attributes is held by the IdP and released to SP1, CarRental.)

This Service Provider requires the givenName, surname and carLicense attributes for a car rental service.

The IdP holds a database with sensitive private information, e.g. birthdate, phone, email, credit card number etc.


Privacy in the Federation

(Diagram: the IdP’s ARP file controls which of the member’s attributes go to SP1, CarRental, and to SP2, WeatherForecast.)

This Service Provider requires the givenName, surname and mobile attributes for an SMS thunderstorm warning service.


Sample Site ARP File



Group ARP

(Diagram: IdP members, grouped e.g. as biologists and physicians, with their set of attributes; SP1 CarRental, SP2 WeatherForecast and SP3 Physics database; the arrows distinguish the site ARP from group ARPs.)


User ARP

(Diagram: as before, with user ARPs added alongside the site ARP and group ARPs; one member’s user ARP says “Never release mobile number.”)


Precedence Rules for ARPs

  • If any of the applicable ARP rules denies the release of an attribute, it is not released.

  • Therefore the main rule is “deny overrides”.

  • e.g. the mobile number is released in the site ARP and blocked in the user ARP. Therefore, the user’s mobile number won’t be released.
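The deny-overrides evaluation described above, as an added example that is not part of the original slides or of the ShARPE/Shibboleth code. The three small ARP documents (site, group, user) are constructed for illustration and written in the Shibboleth 1.x ARP XML vocabulary as this editor understands it (AttributeReleasePolicy, Rule, Target, AnyTarget, Requester, Attribute, AnyValue with release="permit" or "deny"); the SP provider IDs, the member's attribute values and the function names are placeholders.

```python
import xml.etree.ElementTree as ET

ARP_NS = "{urn:mace:shibboleth:arp:1.0}"  # Shibboleth 1.x ARP namespace (assumed)
ATTR = "urn:mace:dir:attribute-def:"      # common attribute-name prefix

# Constructed SP provider IDs (placeholders, not real federation members).
CAR_SP = "https://carrental.example.com/shibboleth"
WEATHER_SP = "https://weather.example.edu.au/shibboleth"
PHYSICS_SP = "https://physicsdb.example.org/shibboleth"

# Site ARP (IdP admin, via ShARPE): name to everyone, licence to the car
# rental SP, mobile number to the SMS weather SP.
SITE_ARP = f"""<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Rule>
    <Target><AnyTarget/></Target>
    <Attribute name="{ATTR}givenName"><AnyValue release="permit"/></Attribute>
    <Attribute name="{ATTR}sn"><AnyValue release="permit"/></Attribute>
  </Rule>
  <Rule>
    <Target><Requester>{CAR_SP}</Requester></Target>
    <Attribute name="{ATTR}carLicense"><AnyValue release="permit"/></Attribute>
  </Rule>
  <Rule>
    <Target><Requester>{WEATHER_SP}</Requester></Target>
    <Attribute name="{ATTR}mobile"><AnyValue release="permit"/></Attribute>
  </Rule>
</AttributeReleasePolicy>"""

# Group ARP for a physicists group: affiliation goes to the physics database.
GROUP_ARP = f"""<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Rule>
    <Target><Requester>{PHYSICS_SP}</Requester></Target>
    <Attribute name="{ATTR}eduPersonAffiliation"><AnyValue release="permit"/></Attribute>
  </Rule>
</AttributeReleasePolicy>"""

# User ARP (member, via Autograph): "Never release mobile number."
USER_ARP = f"""<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Rule>
    <Target><AnyTarget/></Target>
    <Attribute name="{ATTR}mobile"><AnyValue release="deny"/></Attribute>
  </Rule>
</AttributeReleasePolicy>"""

# Constructed attribute values for one IdP member.
USER_ATTRIBUTES = {
    ATTR + "givenName": "John",
    ATTR + "sn": "Smith",
    ATTR + "eduPersonAffiliation": "staff",
    ATTR + "mobile": "+61-4-0000-0000",
    ATTR + "carLicense": "NSW-000000",
    ATTR + "mail": "john.smith@example.edu",  # no ARP permits it: never released
}


def _target_matches(target, requester):
    """A Rule applies when its Target is AnyTarget or lists this requester."""
    if target.find(ARP_NS + "AnyTarget") is not None:
        return True
    return any((r.text or "").strip() == requester
               for r in target.findall(ARP_NS + "Requester"))


def decisions(arp_xml, requester):
    """Yield (attribute name, 'permit' | 'deny') from every Rule of one ARP
    that applies to this requester."""
    root = ET.fromstring(arp_xml)
    for rule in root.findall(ARP_NS + "Rule"):
        target = rule.find(ARP_NS + "Target")
        if target is None or not _target_matches(target, requester):
            continue
        for attr in rule.findall(ARP_NS + "Attribute"):
            any_value = attr.find(ARP_NS + "AnyValue")
            if any_value is not None:
                yield attr.get("name"), any_value.get("release", "permit")


def release(arps, requester, user_attributes):
    """Deny overrides across all layers: an attribute is released only if some
    applicable rule permits it and no applicable rule in any ARP denies it.
    Attributes no rule mentions stay unreleased (default closed)."""
    permitted, denied = set(), set()
    for arp in arps:
        for name, verdict in decisions(arp, requester):
            (denied if verdict == "deny" else permitted).add(name)
    return {name: value for name, value in user_attributes.items()
            if name in permitted and name not in denied}


if __name__ == "__main__":
    layers = [SITE_ARP, GROUP_ARP, USER_ARP]
    for sp in (CAR_SP, WEATHER_SP, PHYSICS_SP):
        released = release(layers, sp, USER_ATTRIBUTES)
        print(sp, sorted(name[len(ATTR):] for name in released))
```

The mobile number case from the slide is the weather SP call: the site ARP permits it to that SP, the user ARP denies it for every target, and the deny wins. The mail attribute shows the other half of the policy: nothing permits it, so it never leaves the IdP.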



ShARPE & Autograph

(Diagram: inside the IdP, ShARPE serves the IdP admin for ARP management and attribute mapping; Autograph serves the IdP member for identity management.)


ARP Management

(Diagram: with ShARPE, the IdP admin edits the IdP’s ARP files, the site ARP and the group ARPs, which decide which attributes are released to each SP.)


ARP Management



ShARPE & Autograph

(Diagram repeated from the overview: ShARPE for the IdP admin, Autograph for the IdP member.)


Autograph – Privacy

I want to control the release of my attributes!

(Diagram: IdP members use Autograph to add user ARPs alongside the site ARP and group ARPs in the IdP’s ARP files, which govern the attributes released to SPs.)


Privacy Management

(Diagram: Autograph sits between IdP members and the IdP’s ARP files, adding user ARPs to the site ARP and group ARPs that govern the attributes released to SPs.)


Different cards open different doors – Services & Service Level –





Adding Personal Attributes

Other examples: Accessibility info (colorblind, blind)



DEMO

Autograph in the Shibboleth cycle, releasing your preferred language to the AuthN Federated Search SP

https://sp-afs.mams.org.au/afs/



ShARPE & Autograph

(Diagram repeated from the overview: ShARPE for the IdP admin, Autograph for the IdP member.)


Attribute Mapping

The IdP knows the attribute named ‘eduPersonAffiliation’; the SP needs the attribute ‘community’.

(Diagram: with ShARPE, the IdP admin configures a resolver and mapper through which the IdP’s attributes pass on their way to the SP.)


ShARPE – attribute mapping



Attribute Mapping

  • Useful for aligning data storage schema

  • Can map eduPerson attributes using other source attributes

    • e.g. givenname → eduPersonNickname

  • Can combine attributes

    • e.g. givenname + sn → commonName
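The three kinds of mapping listed above (renaming an attribute to the SP's schema, populating an eduPerson attribute from another source, and combining sources), as an added example that is not ShARPE's mapper or its configuration format. The mapping table, the function name map_attributes and the sample member record are constructed for illustration.

```python
from typing import Callable, Dict, Mapping, Optional, Sequence, Set, Tuple, Union

# A mapping is either a plain rename (one source attribute name) or a tuple of
# source names plus a function that combines their values into the target.
Spec = Union[str, Tuple[Sequence[str], Callable[..., str]]]

# Constructed mapping table for one SP, mirroring the three cases on the slide.
MAPPINGS: Dict[str, Spec] = {
    "community": "eduPersonAffiliation",            # rename to what the SP needs
    "eduPersonNickname": "givenname",               # eduPerson attribute from another source
    "commonName": (("givenname", "sn"), lambda g, s: f"{g} {s}"),  # combine two sources
}


def map_attributes(stored: Mapping[str, str], mappings: Mapping[str, Spec],
                   requested: Optional[Set[str]] = None) -> Dict[str, str]:
    """Derive SP-facing attributes from the IdP's stored ones.

    - A target is produced only when every source it needs is present, so a
      member without a givenname never gets a commonName of "None Smith".
    - If `requested` is given, only those targets are produced: the SP gets
      the attributes it asked for and nothing more.
    """
    mapped: Dict[str, str] = {}
    for target, spec in mappings.items():
        if requested is not None and target not in requested:
            continue
        if isinstance(spec, str):
            sources: Sequence[str] = (spec,)
            combine: Callable[..., str] = lambda value: value
        else:
            sources, combine = spec
        if any(name not in stored for name in sources):
            continue  # incomplete input: emit nothing rather than a partial value
        mapped[target] = combine(*(stored[name] for name in sources))
    return mapped


if __name__ == "__main__":
    # Constructed record as the IdP's directory might store it.
    member = {"givenname": "John", "sn": "Smith", "eduPersonAffiliation": "staff"}
    print(map_attributes(member, MAPPINGS))
    print(map_attributes(member, MAPPINGS, requested={"community"}))
```

Mapping only changes names and shapes; whether an attribute leaves the IdP at all remains an ARP decision, so the two steps are kept separate here.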



Recap

  • Shibboleth with ShARPE manages:

    • Site Attribute Release Policies (ARP)

    • Group and User ARP

    • Attribute Mapping

  • Autograph gives privacy control to user

  • Different (sets of) attributes can open different doors → Service Levels




ShARPE & Autograph

Managing Attribute Release

in a Shibboleth Federation

http://www.federation.org.au/twiki/bin/view/Federation/ShARPEInstall

Peter Schendzielorz

Macquarie University’s E-Learning Centre of Excellence (MELCOE)

[email protected]


