Leeds University
eduPerson is only part of the answer
David Holdsworth & Ray Powell
http://www.personal.leeds.ac.uk/~ecldh/xlm4he/

XLM4HE project
Part of Internet2/JISC collaboration in UK
• X.509 — identification
• LDAP — authorisation
• Middleware — incompatibilities
• for Higher Education — scalability, cost
DRAFT Shibboleth Architecture
(diagram slide; architecture figure not reproduced)

XLM4HE Interactions
Web site has step-by-step version: http://129.11.152.25/xlm4he
(diagram: Resource Provider's Web Server, XLM4HE Middleware)

An Example
in which the Department of Futile Studies negotiates with a content provider called F-Systems to provide access to their on-line educational product called Futile Operations On-Line (FOOL)
4. LDAP search (F-Systems to University):
   baseDN = namespace (i.e. FOOL)
   certNum = certificate serial number
   certSign = certificate signer
   FOOL is the requested attribute

7. LDAP searchResponse (University to F-Systems):
   DN = whatever policy specifies
   FOOL = user's status in accessing FOOL
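Steps 4 and 7 above, worked through as an added example (not the XLM4HE project's code). The attribute names certNum and certSign, the namespace-as-baseDN convention and the yes/no meaning of the FOOL attribute come from the slides; the directory entries, the CA names, the product_status helper and the policy DN returned in the response are assumptions made for the illustration. It also shows why the certificate fields must be escaped before they go into the filter: an unescaped wildcard turns the per-user lookup into a listing of every user in the namespace.

```python
"""XLM4HE-style product lookup, steps 4 and 7 of the interaction.

Added illustration, not the XLM4HE project's code. Attribute names,
baseDN convention and FOOL semantics follow the slides; the directory
entries, CA names and POLICY_DN below are constructed.
"""
import re
from typing import Optional

# Constructed directory: one entry per user per product namespace.
DIRECTORY = [
    {"dn": "cn=u0001,ou=FOOL,dc=leeds,dc=ac,dc=uk", "namespace": "FOOL",
     "certNum": "4711", "certSign": "CN=Leeds CA", "FOOL": "yes"},
    {"dn": "cn=u0002,ou=FOOL,dc=leeds,dc=ac,dc=uk", "namespace": "FOOL",
     "certNum": "4712", "certSign": "CN=Leeds CA", "FOOL": "no"},
    {"dn": "cn=u0003,ou=FOOL,dc=leeds,dc=ac,dc=uk", "namespace": "FOOL",
     "certNum": "4711", "certSign": "CN=Other CA", "FOOL": "yes"},
]

# Assumed policy: the response DN names the product container, never the
# user's own entry, so the target learns nothing beyond the status.
POLICY_DN = "ou=FOOL,dc=leeds,dc=ac,dc=uk"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value; stops a caller-controlled
    serial number or signer string from adding wildcards or clauses."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_search(namespace: str, cert_serial: str, cert_signer: str,
                 escape: bool = True) -> dict:
    """Step 4: base DN is the product namespace, the filter pins the user's
    certificate, and only the product attribute is requested."""
    esc = escape_filter_value if escape else (lambda v: v)
    return {
        "baseDN": namespace,
        "filter": "(&(certNum=%s)(certSign=%s))" % (esc(cert_serial), esc(cert_signer)),
        "attributes": [namespace],
    }


# Assertions of the form (attr=value) inside an AND filter.
_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9]*)=([^()]*)\)")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(entry: dict, attr: str, pattern: str) -> bool:
    value = entry.get(attr)
    if value is None:
        return False
    if pattern == "*":          # presence filter: any value matches
        return True
    return value == _unescape(pattern)


def university_search(query: dict) -> list:
    """Step 7, university side: evaluate the AND-of-equality filter and
    release only the requested attribute under the policy DN."""
    assertions = _ASSERTION.findall(query["filter"])
    hits = []
    for entry in DIRECTORY:
        if entry["namespace"] != query["baseDN"]:
            continue
        if all(_matches(entry, a, p) for a, p in assertions):
            released = {a: entry[a] for a in query["attributes"] if a in entry}
            hits.append({"dn": POLICY_DN, **released})
    return hits


def product_status(namespace: str, cert_serial: str, cert_signer: str) -> Optional[str]:
    """What the resource provider learns: "yes", "no" or nothing (assumed helper)."""
    hits = university_search(build_search(namespace, cert_serial, cert_signer))
    if len(hits) != 1:
        return None          # unknown or ambiguous certificate: do not guess
    return hits[0].get(namespace)


if __name__ == "__main__":
    print(product_status("FOOL", "4711", "CN=Leeds CA"))   # yes
    print(product_status("FOOL", "9999", "CN=Leeds CA"))   # None
    # Unescaped wildcard in the serial number matches every Leeds-signed user.
    print(len(university_search(build_search("FOOL", "*", "CN=Leeds CA", escape=False))))  # 2
    print(university_search(build_search("FOOL", "*", "CN=Leeds CA")))  # []
```

The in-memory evaluator stands in for the university's LDAP server; with a real server the same build_search output goes straight into the search call, and the escaping is the part that must not be skipped.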
Shibboleth Equivalent 1
• SHAR redirects browser to AA giving handle and product name (i.e. FOOL)

<?xml version="1.0" encoding="UTF-8" ?>
<ShibAttributeQuery ... >
  <Version>1.0</Version>
  <RequestID>00565d61-301c-1b1c-0010a4908950</RequestID>
  <Issuer>newman.leeds.ac.uk</Issuer>
  <IssueInstant>991702501</IssueInstant>
  <TargetURI>http://www.f-systems.co.uk/futility.html</TargetURI>
  <Handle>0015d1f1-307c-1b1c-9581-0010a4908950</Handle>
  <ProductID>FOOL</ProductID>
</ShibAttributeQuery>

Shibboleth Equivalent 2
• AA redirects browser to SHAR giving YES or NO

<ShibAttributeResponse ... >
  <Version>1.0</Version>
  <RequestID>00565d61-301c-1b1c-0010a4908950</RequestID>
  <Issuer>aa.iss.leeds.ac.uk</Issuer>
  <IssueInstant>991702561</IssueInstant>
  <Attributes>
    <ProductID>FOOL</ProductID>
    <status>yes</status>
  </Attributes>
</ShibAttributeResponse>

Vanilla Shibboleth
• AA redirects browser to SHAR giving eduPerson attributes

<ShibAttributeResponse ... >
  <Version>1.0</Version>
  <RequestID>00565d61-301c-1b1c-0010a4908950</RequestID>
  <Issuer>aa.psu.edu</Issuer>
  <IssueInstant>991702561</IssueInstant>
  <Attributes>
    <eduPersonPrincipalName>rshuey@psu.edu</eduPersonPrincipalName>
    <eduPersonAffiliation>staff</eduPersonAffiliation>
    <eduPersonAffiliation>employee</eduPersonAffiliation>
    <eduPersonAffiliation>member</eduPersonAffiliation>
  </Attributes>
</ShibAttributeResponse>
Trust
• Target must trust university to answer honestly
• Trust already needed to believe attributes
• Target must check that AA is trusted for requested product
   • i.e. there is a contractual relationship
   • could be global list of trusted AAs
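The two response shapes on the Shibboleth Equivalent and Vanilla Shibboleth slides, handled at the target with the check the Trust slide asks for, as an added example (not Shibboleth or XLM4HE code). The messages are rebuilt from the fields the slides show; the root element is written without attributes because the slides elide them. The trusted-AA table (per product, standing in for the contractual relationship), the target's eduPerson policy for vanilla Shibboleth, and the make_response, parse_response and decide helpers are assumptions made for the illustration; signature checking and IssueInstant freshness are out of scope here.

```python
"""Target-side handling of a ShibAttributeResponse in both flavours on the
slides: the XLM4HE variant carries a yes/no for one product (decision at
the university), the vanilla variant carries eduPerson attributes
(decision at the target). Added illustration, not Shibboleth code.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

REQUEST_ID = "00565d61-301c-1b1c-0010a4908950"   # RequestID from the slides' query

# Assumed trust table: which AAs the target trusts for which product.
TRUSTED_AAS = {"FOOL": {"aa.iss.leeds.ac.uk", "aa.psu.edu"}}

# Assumed target-side policy for vanilla Shibboleth: principal scoped to an
# accepted domain and at least one of the listed affiliations.
TARGET_POLICY = {"FOOL": {"scopes": {"psu.edu"},
                          "affiliations": {"staff", "faculty", "student"}}}


def make_response(issuer, attributes, request_id=REQUEST_ID):
    """Build a response string in the shape the slides show (constructed)."""
    body = "".join("<%s>%s</%s>" % (t, escape(v), t) for t, v in attributes)
    return ("<ShibAttributeResponse><Version>1.0</Version>"
            "<RequestID>%s</RequestID><Issuer>%s</Issuer>"
            "<IssueInstant>991702561</IssueInstant>"
            "<Attributes>%s</Attributes></ShibAttributeResponse>"
            % (request_id, escape(issuer), body))


# The two responses from the slides, rebuilt from their visible fields.
XLM4HE_RESPONSE = make_response("aa.iss.leeds.ac.uk",
                                [("ProductID", "FOOL"), ("status", "yes")])
VANILLA_RESPONSE = make_response("aa.psu.edu", [
    ("eduPersonPrincipalName", "rshuey@psu.edu"),
    ("eduPersonAffiliation", "staff"),
    ("eduPersonAffiliation", "employee"),
    ("eduPersonAffiliation", "member"),
])


def parse_response(xml_text, expected_request_id=REQUEST_ID):
    """Return (issuer, attributes) after binding the response to our query."""
    root = ET.fromstring(xml_text)
    if root.tag != "ShibAttributeResponse":
        raise ValueError("not a ShibAttributeResponse")
    if root.findtext("RequestID") != expected_request_id:
        raise ValueError("RequestID does not match the outstanding query")
    attrs_el = root.find("Attributes")
    if attrs_el is None:
        raise ValueError("no Attributes element")
    attrs = {}
    for el in attrs_el:                      # multi-valued attributes keep every value
        attrs.setdefault(el.tag, []).append((el.text or "").strip())
    return root.findtext("Issuer", "").strip(), attrs


def decide(xml_text, product):
    """True if the target should grant access to `product`."""
    issuer, attrs = parse_response(xml_text)
    if issuer not in TRUSTED_AAS.get(product, set()):
        return False                         # no contract with this AA for this product
    if "status" in attrs:                    # XLM4HE shape: university already decided
        return attrs.get("ProductID") == [product] and attrs["status"] == ["yes"]
    policy = TARGET_POLICY.get(product)      # vanilla shape: decide here from eduPerson
    if policy is None:
        return False
    principals = attrs.get("eduPersonPrincipalName", [])
    if not principals or any(p.rpartition("@")[2] not in policy["scopes"] for p in principals):
        return False
    return bool(set(attrs.get("eduPersonAffiliation", [])) & policy["affiliations"])


if __name__ == "__main__":
    print(decide(XLM4HE_RESPONSE, "FOOL"))    # True
    print(decide(VANILLA_RESPONSE, "FOOL"))   # True
```

The issuer check runs before either branch: a "yes" from an AA that has no contract for the product is worth nothing, and eduPerson attributes from an AA outside the expected scope are equally worthless, which is the point the Trust slide makes about trust being needed in either case.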
Conclusions
• Shibboleth has decision at target
   • Attributes (eduPerson) sent to target
   • Uniformity of eduPerson usage at all institutions is needed
• XLM4HE has decision at university
   • Attribute release to target is minimal
   • Simplicity at the target end
   • More trust of the university is needed, but there has to be trust in either case.

Recommendation
• Include both mechanisms in Shibboleth architecture
• Let experience show whether decision is best at University or Resource Provider
More information: http://129.11.152.25/xlm4he/