
SAML Protected Resources


Presentation Transcript


  1. SAML Protected Resources: the theory and practice of granularity and management data. Ed Dee, EDINA

  2. EDINA
     • Service provider: Digimap, Film & Sound Online, etc.
     • Identity provider: various
     • Federated access: SDSS Federation; UKAMF (metadata management & technical support)

  3. Where lies the guilt
     [Chart: "Granularity and lack of management data from SAML protected resources"; slices labelled 50%, 30%, 10%, 10%, in the same order as the four parties below]
     • Service providers
     • Identity providers
     • UK Access Management Federation
     • User community

  4. SAML
     • Security Assertion Markup Language
     • Standard for exchanging authentication and authorisation information
     • Identity Provider
     • Service Provider

  5. The Questions
     Pussy cat, pussy cat, where have you been? “I’ve been down to London to visit at the Queen.”
     Pussy cat, pussy cat, what did you there? “I frightened a little mouse under her chair.”

  6. Shibboleth flow diagram

  7. Technical stuff
     [Diagram labels: Resource, Federation Metadata, Federation Metadata, Attribute Database, Authorisation Database, Service Provider, Identity Provider, SAML Dialogue, User]

  8. SAML Dialogue
     • Uninteresting (to us): initiation/termination; security
     • Interesting (to us):
       • Scope information: institution/service, ‘who are you’
       • Attributes: user-specific information

  9. Q1: Pussy cat, pussy cat, where have you been?
     • From the IdP: what resources are being used, and who is using them
     • Shibb 2.x IdPs only:
       • Not outsourced IdPs
       • Not non-Shibb IdPs
       • Not Shibb 1.3 IdPs (EOSL date 30 June 2010)

  10. Q1: Pussy cat, pussy cat, where have you been?
     [Diagram labels: Federation Metadata, Attribute Database, Audit Log(s), Analysis Application, Access Reports]
     • Shibb 2 IdP audit log records:
       • Who (ePPN)
       • When (time stamp)
       • What (relying party ID)
     • https://spaces.internet2.edu/display/SHIB2/IdPLogging
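The "who / when / what" fields of the IdP audit log are enough to answer Q1 without any help from the SP. The following is an added example, not part of the presentation and not Shibboleth or Raptor code: it parses Shibboleth 2 IdP audit-log lines and reports, per relying party, how many SSO events occurred, which principals were involved, and which attributes the IdP released to that SP. It assumes the IdP 2.x pipe-delimited audit format with the field order given in `AUDIT_FIELDS` (check it against your own idp-audit.log); the log lines are constructed for the example.

```python
"""Added example (not from the presentation, not Shibboleth/Raptor code):
answer Q1 from Shibboleth 2 IdP audit-log lines.

Assumption: IdP 2.x pipe-delimited audit format with the field order in
AUDIT_FIELDS. All log lines below are constructed, not real data.
"""
from collections import defaultdict

# Assumed Shibboleth IdP 2.x audit field order. The file's trailing '|'
# yields one extra empty field on split, which parse_audit_line drops.
AUDIT_FIELDS = [
    "event_time", "request_binding", "request_id", "relying_party_id",
    "message_profile_id", "asserting_party_id", "response_binding",
    "response_id", "principal_name", "authn_method",
    "released_attributes", "name_identifier", "assertion_ids",
]

SSO = "urn:mace:shibboleth:2.0:profiles:saml2:sso:browser"
IDP = "https://idp.example.ac.uk/idp/shibboleth"          # constructed
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
DIGIMAP = "https://digimap.example.ac.uk/shibboleth"      # constructed SP
JOURNALS = "https://journals.example.com/shibboleth"      # constructed SP


def _line(ts, rp, user, attrs, n):
    """Build one constructed audit line in the assumed field order."""
    return (f"{ts}|{SSO}|_req{n}|{rp}|{SSO}|{IDP}|{POST}|_res{n}|{user}|{PPT}"
            f"|{attrs}|_nid{n}|_assert{n},|")


# Constructed sample log: two users, two SPs, plus one malformed line.
SAMPLE_LOG = "\n".join([
    _line("20100615T090000Z", DIGIMAP, "alice", "eduPersonScopedAffiliation,eduPersonTargetedID,", 1),
    _line("20100615T091500Z", DIGIMAP, "bob", "eduPersonScopedAffiliation,eduPersonTargetedID,", 2),
    _line("20100615T100000Z", JOURNALS, "alice", "eduPersonScopedAffiliation,", 3),
    _line("20100616T083000Z", DIGIMAP, "alice", "eduPersonScopedAffiliation,eduPersonTargetedID,", 4),
    "this line is not an audit record",
])


def parse_audit_line(line):
    """Return a dict keyed by AUDIT_FIELDS, or None when the line does not
    carry the expected number of fields (junk must not skew the report)."""
    parts = line.rstrip("\r\n").split("|")
    if parts and parts[-1] == "":          # field after the trailing '|'
        parts = parts[:-1]
    if len(parts) != len(AUDIT_FIELDS):
        return None
    rec = dict(zip(AUDIT_FIELDS, parts))
    # Comma-terminated lists: 'a,b,' -> ['a', 'b']
    for key in ("released_attributes", "assertion_ids"):
        rec[key] = [v for v in rec[key].split(",") if v]
    return rec


def access_report(log_text):
    """Per relying party: SSO event count, distinct principals, and the
    union of attribute names released to it (the granularity that SP
    actually receives). principal_name is the IdP-side user name; the
    ePPN seen by the SP is normally that name scoped to the IdP's domain."""
    stats = defaultdict(lambda: {"accesses": 0, "users": set(), "attributes": set()})
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        entry = stats[rec["relying_party_id"]]
        entry["accesses"] += 1
        entry["users"].add(rec["principal_name"])
        entry["attributes"].update(rec["released_attributes"])
    return {
        rp: {"accesses": e["accesses"],
             "distinct_users": len(e["users"]),
             "users": sorted(e["users"]),
             "attributes": sorted(e["attributes"])}
        for rp, e in stats.items()
    }


if __name__ == "__main__":
    for rp, e in sorted(access_report(SAMPLE_LOG).items()):
        print(f"{rp}: {e['accesses']} accesses by {e['distinct_users']} users "
              f"({', '.join(e['users'])}); released: {', '.join(e['attributes'])}")
```

The released-attribute column is worth keeping in any such report: it shows, per SP, whether the IdP is handing out anything beyond scoped affiliation and targeted ID, which is exactly the gap the later slides describe.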

  11. Tools: Project Raptor
     • Software toolkit for reporting e-resource usage statistics
     • Shibboleth 2 IdPs & EZproxy
     • http://iam.cf.ac.uk/trac/RAPTOR
     • JISC + Cardiff University + Kidderminster College
     • V1.0 due Feb 2011

  12. Q2: Pussy cat, pussy cat, what did you there?
     [Diagram labels: Resource, Attribute Database, Identity Provider, Service Provider, Attributes, User]
     • Cannot come from the IdP
     • Must come from the SP
     • What does the SP know about the user?

  13. Attributes: eduPerson Object Class
     • Core: Targeted ID; Principal name; [Scoped] Affiliation; Entitlement
     • Other: Nick name; Org [Unit] DN
     • http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200604.html

  14. Granularity: Core Attributes
     • [Scoped] Affiliation
       • Scope
       • Member | {Staff | Student | Employee | Affiliate | Alum | library-walk-in}
     • Entitlement
       • Service-specific and user-specific conditions
       • urn:mace:dir:entitlement:common-lib-terms

  15. On Passing Attributes (photo: Library of Virginia / Flickr)

  16. EDINA Digimap
     • [Scoped] Affiliation
     • Targeted ID
     • Principal Name
     • Title
     • Givenname
     • Sn [surname]
     • O [organisation]
     • Ou [organisational unit]
     • Mail
     • http://www.ukfederation.org.uk/content/Documents/AttributeUsage

  17. Reality
     [Diagram labels: Identity Provider, Attribute Release Policy, Service Provider]

  18. Reality
     • Most IdPs give out only:
       • [Scoped] Affiliation: organisational affiliation (ePSA)
         • SP cannot determine department etc.
         • ePSA often just member@xxx.ac.uk
       • Targeted ID: service-specific, opaque ID (ePTI)
         • SP cannot determine user
         • SP cannot correlate usage between services
     • Many IdPs cannot handle entitlement

  19. “No one really asks us much for ARP changes” (IdP administrator)

  20. Why?
     • IdPs: fear of Data Protection legislation; no inclination, no capabilities; no SPs ask for it
     • SPs: not available from IdPs; no use for the data

  21. Stable Deadlock
     • IdPs get no requests, think all is well
     • Too hard to ask, so SPs don’t

  22. What Do SPs Do?
     • Personalisation: registration system, registration database
     • Usage statistics: merge logs and registration details
     • EDINA Digimap: users / status / department
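Slides 18 and 22 together describe the SP's side of Q2: the released attributes say which institution the user belongs to and nothing finer, and the targeted ID identifies nobody, so the SP collects status and department itself at registration and joins them to its access log. The following is an added example, not part of the presentation and not EDINA Digimap code. It shows what an SP can and cannot determine from a typical release versus a fuller one, and a merge of a constructed access log with constructed registration records keyed on the ePTI. Attribute names are the eduPerson ones; every value is constructed.

```python
"""Added example (not from the presentation, not EDINA Digimap code):
(a) what an SP can determine from the attributes an IdP released;
(b) merging the SP's own registration records with its access log.

Attribute names are eduPerson's; all sample values are constructed.
"""
from collections import Counter

AFFILIATIONS = {"member", "staff", "student", "employee", "affiliate",
                "alum", "library-walk-in"}
LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"


def parse_scoped_affiliation(value):
    """Split 'student@xxx.ac.uk' into (affiliation, scope); reject anything
    that is not a known affiliation at a non-empty scope."""
    if value.count("@") != 1:
        raise ValueError(f"not a scoped affiliation: {value!r}")
    affiliation, scope = value.split("@")
    affiliation = affiliation.lower()
    if affiliation not in AFFILIATIONS or not scope:
        raise ValueError(f"not a scoped affiliation: {value!r}")
    return affiliation, scope


def sp_view(attrs):
    """What the SP can determine from released attributes.
    attrs: attribute name -> list of values, as received after the SAML dialogue."""
    view = {"organisation": None, "affiliations": set(), "department": None,
            "user_identifiable": False, "lib_terms": False}
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, scope = parse_scoped_affiliation(value)
        view["affiliations"].add(affiliation)
        view["organisation"] = scope          # the scope is the institution, nothing finer
    # Department is known only if the IdP actually released ou.
    ou = attrs.get("ou", [])
    view["department"] = ou[0] if ou else None
    # ePTI is opaque and per-service: on its own it identifies nobody.
    view["user_identifiable"] = any(attrs.get(a) for a in ("eduPersonPrincipalName", "mail"))
    view["lib_terms"] = LIB_TERMS in attrs.get("eduPersonEntitlement", [])
    return view


# Constructed: the slide-18 'reality' release versus a fuller release.
TYPICAL_RELEASE = {
    "eduPersonScopedAffiliation": ["member@xxx.ac.uk"],
    "eduPersonTargetedID": ["tid-0a1b2c"],
}
FULL_RELEASE = {
    "eduPersonScopedAffiliation": ["student@xxx.ac.uk", "member@xxx.ac.uk"],
    "eduPersonTargetedID": ["tid-0a1b2c"],
    "eduPersonPrincipalName": ["s1234567@xxx.ac.uk"],
    "ou": ["Geography"],
    "eduPersonEntitlement": [LIB_TERMS],
}

# Constructed SP-side data: the registration database records status and
# department once per user, keyed on the ePTI; the access log carries only the ePTI.
REGISTRATIONS = {
    "tid-0a1b2c": {"status": "student", "department": "Geography"},
    "tid-3d4e5f": {"status": "staff", "department": "Geology"},
}
ACCESS_LOG = [
    {"when": "2010-06-15T09:00:00Z", "eduPersonTargetedID": "tid-0a1b2c", "resource": "collection-a"},
    {"when": "2010-06-15T09:30:00Z", "eduPersonTargetedID": "tid-3d4e5f", "resource": "collection-b"},
    {"when": "2010-06-16T11:00:00Z", "eduPersonTargetedID": "tid-0a1b2c", "resource": "collection-a"},
    {"when": "2010-06-16T11:05:00Z", "eduPersonTargetedID": "tid-ffffff", "resource": "collection-b"},
]


def usage_by(access_log, registrations, field):
    """Merge the access log with registration details and count accesses per
    registration field ('department' or 'status'). Accesses whose ePTI has
    no registration record land in the 'unregistered' bucket."""
    counts = Counter()
    for entry in access_log:
        reg = registrations.get(entry["eduPersonTargetedID"])
        counts[reg[field] if reg else "unregistered"] += 1
    return dict(counts)


if __name__ == "__main__":
    print("typical release:", sp_view(TYPICAL_RELEASE))
    print("full release:   ", sp_view(FULL_RELEASE))
    print("by department:  ", usage_by(ACCESS_LOG, REGISTRATIONS, "department"))
    print("by status:      ", usage_by(ACCESS_LOG, REGISTRATIONS, "status"))
```

The `unregistered` bucket is the honest part of the report: because the ePTI is service-specific, an access from an ePTI the SP has never registered cannot be attributed to a department or status, and cannot be matched against usage of any other service either.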

  23. Attribute Release Progression
     [Diagram labels: Personal Attributes, Extended Attributes, Basic Attributes]

  24. Towards agreement
     • Forums: small scale; application-area specific
     • Agree what is desirable
     • Agree what is possible
     • Experiment, agree, deploy; do not theorise
       • No top-down dictate

  25. NESLi2
     • JISC Statistics Portal: Cranfield, Birmingham City University, MIMAS
     • Database/journal/article level reporting
     • Oct 2009 – Dec 2010
     • "one-stop shop" to view and download their own usage reports from NESLi2 publishers
     • http://www.jusp.mimas.ac.uk/

  26. Granularity & Management Data
     • The technical capabilities exist
     • “Natural restful inertia”: the problem is large
     • UKAMF: 800+ members; 440+ SPs; 630+ IdPs
     • User driven: tackle it from the bottom up
