The Attribute and the ecosystem

Topics
- Basics
- Common schema
- Complexity and extensibility
- LOA of attributes
- Privacy
- Naming
- Tagging: complexity vs metadata
- IdP releasing vs SP asking
- Query languages
- Dealing with aggregation

Killer attributes (and the applications that love them)
- Human-readable identifiers: email address, eduPersonPrincipalName (ePPN), display name, etc.
- Opaque identifiers: eduPersonTargetedID (ePTID)
- Affiliation
- Citizenship
- Over legal age

Types of attributes
- Institutional / organizational
  - Reassertion of official attributes
  - Temporal: geolocation, etc.
- Community or collaboration asserted
  - Formal: virtual organizations, groups
  - Informal: reputation systems, friend-of-friend (FoF)
- Self-asserted

Common schema
- NIEM (National Information Exchange Model): www.niem.gov
- eduPerson: http://middleware.internet2.edu/eduperson/
- SCHAC (TERENA TF-EMC2): http://www.terena.org/activities/tf-emc2/schac.html
- Accessibility schema: http://www.w3.org/WAI/ and http://www.w3.org/WAI/intro/uaag.php
- IPSV: http://doc.esd.org.uk/IPSV/2.00.html

Eve Maler’s Attribute Assurance Matrix

Naming
- OIDs vs URNs vs URLs vs URIs
- Registering namespaces

Privacy
- Which attributes are PII?
  - ePTID: opaque and non-correlating across SPs, but a persistent 1-to-1 identifier at any single SP
  - IP address
- Which jurisdiction applies? The IdP's? The SP's? The nationality of the user?
- Which attributes require consent, and for what purpose?
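The ePTID property on this slide (non-correlating across SPs, yet stable 1-to-1 at one SP) follows from how the value is derived. The added example below is not from the presentation or from any IdP product; it is modelled on the computed-ID approach used by Shibboleth-style IdPs (a hash over the SP's entityID, the user's local identifier and a secret salt), with HMAC-SHA256, URL-safe base64, the salt value and the entityIDs all being this example's own assumptions. It also shows the caveat a practitioner should keep in mind: the identifier is only as opaque as the salt is secret.

```python
import base64
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed secret for the example only. In a real IdP this salt is a
# long-lived secret: if it leaks, every targeted ID becomes reversible
# by anyone who can enumerate the user namespace (see recover_uid).
IDP_SALT = b"example-idp-salt-do-not-reuse"


def targeted_id(local_uid: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Derive an opaque, persistent, per-SP identifier (an ePTID-style value).

    Keyed hash over the SP's entityID and the user's local identifier. The same
    user yields a different value at every SP, so two SPs cannot join their
    records on it (non-correlating), but one SP always receives the same value
    for that user (1-to-1). HMAC-SHA256 and URL-safe base64 are this example's
    choices, not a federation standard.
    """
    message = sp_entity_id.encode("utf-8") + b"!" + local_uid.encode("utf-8")
    digest = hmac.new(salt, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def can_correlate(id_at_sp_a: str, id_at_sp_b: str) -> bool:
    """Two SPs comparing notes can only link a user if the values are equal."""
    return id_at_sp_a == id_at_sp_b


def recover_uid(tid: str, sp_entity_id: str, candidates: Iterable[str],
                salt: bytes) -> Optional[str]:
    """Dictionary attack: a party that knows the salt and can enumerate the
    user namespace (e.g. from a public directory) can reverse the "opaque" ID.
    Returns the matching local uid, or None if the salt or namespace is wrong."""
    for uid in candidates:
        if hmac.compare_digest(targeted_id(uid, sp_entity_id, salt), tid):
            return uid
    return None
```

The privacy argument for ePTID therefore rests on two things the slide leaves implicit: the salt never leaves the IdP, and the IdP keys the hash on the SP's entityID so that the value is different per relying party.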

Authorization: problem statement
- In a federated landscape, with scale in mind, groups more than identities control access.
- But attributes may express, in addition or instead, a user's relationship with the authenticating organization, membership in groups, or possession of roles or entitlements that signify permission to access application resources. In such cases authorization may be delegated or distributed to the authenticating organization, or even across additional organizations. This is a relatively common pattern when the authorization policy is simple (typically all or nothing) and applies to large numbers of users at multiple organizations; it is less common as policies become more complex and fine-grained.

Groups
- Local groups
  - User identification
  - Provisioning (and deprovisioning)
  - Representation: isMemberOf, eduPersonEntitlement
- Groups with federated members
- Federated groups
- Privacy implications
  - Visibility of members to other members
  - Sharing groups across services

Of entitlements and attributes
- Entitlements: the SP community passes its business logic to the IdPs, which compute the authorization decision and pass back an entitlement value
  - To scale, there must be common licence terms
  - SPs need to be willing to expose their business logic
- Attributes: IdPs pass attributes to the SP, which makes the authorization decision itself
  - Raises privacy issues (more data is released)
  - To scale, there must be shared community attributes
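The two models on this slide, and the isMemberOf / eduPersonEntitlement representations from the Groups slide, look like this from the SP's side. This is an added example, not code from the presentation or from any federation software. The attribute names are the registered eduPerson OID URNs and urn:mace:dir:entitlement:common-lib-terms is the widely used shared entitlement value; the group name, the set of licensed affiliations and the IdP scopes are constructed. The scope check in the attribute model is the example's own addition: the slide does not discuss it, but an SP applying its own business logic to scoped values must make sure the asserting IdP is allowed to assert that scope.

```python
from typing import Dict, List, Set

# eduPerson attribute names as carried in SAML (registered OID URNs).
EPSA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"          # eduPersonScopedAffiliation
EPE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"           # eduPersonEntitlement
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"  # isMemberOf

# Shared entitlement value: "this user is covered by the common library
# licence terms". The IdP decides who gets it; the SP only looks for it.
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"

# Constructed SP-side policy for the attribute model.
LICENSED_AFFILIATIONS = {"member", "student", "faculty", "staff"}
LICENSED_GROUPS = {"urn:mace:example.edu:groups:library-patrons"}

Attrs = Dict[str, List[str]]


def authorize_by_entitlement(attrs: Attrs) -> bool:
    """Entitlement model: the IdP already applied the licence logic.
    The SP needs only eduPersonEntitlement and checks for the agreed value."""
    return COMMON_LIB_TERMS in attrs.get(EPE, [])


def authorize_by_attributes(attrs: Attrs, idp_scopes: Set[str]) -> bool:
    """Attribute model: the IdP releases raw facts and the SP applies the logic.

    idp_scopes are the scopes federation metadata registers for the asserting
    IdP (shibmd:Scope). A scoped value whose scope this IdP may not assert is
    ignored; otherwise any IdP could claim 'member@example.edu' for its users.
    """
    for value in attrs.get(EPSA, []):
        affiliation, sep, scope = value.partition("@")
        if sep and scope in idp_scopes and affiliation in LICENSED_AFFILIATIONS:
            return True
    return any(g in LICENSED_GROUPS for g in attrs.get(IS_MEMBER_OF, []))


def attributes_needed(model: str) -> Set[str]:
    """What the IdP must release under each model: the privacy cost of moving
    the business logic from the IdP to the SP is the extra attributes on the wire."""
    if model == "entitlement":
        return {EPE}
    if model == "attributes":
        return {EPSA, IS_MEMBER_OF}
    raise ValueError(f"unknown model: {model}")
```

The trade-off on the slide is visible in the two functions: authorize_by_entitlement needs one attribute and no local policy but only works if every IdP implements the same licence terms, while authorize_by_attributes keeps the policy at the SP at the price of receiving affiliation and group data about every user.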

Some key issues
- Which schema
- Knowing which IdP to ask for which attributes, especially as we get into aggregation
- How to ask, e.g. "over 18"
- Making values extensible, so that they can be tagged (validation, date, terms of use)

Attribute release
- SP asking vs. IdP releasing
- Specifying requirements (queries, metadata, policy files, web pages, etc.)
- Consent
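"SP asking" and "IdP releasing" are two independent inputs to one decision; the added example below combines them with user consent into a minimal-release rule. It is not code from the presentation or from any IdP product. The attribute names are the registered OID URNs; the SP request is a hand-built, parsed form of what an SP's AttributeConsumingService / RequestedAttribute metadata would say, and the IdP policy, entityIDs and user record are constructed.

```python
from typing import Dict, List, Optional, Set, Tuple

# Attribute names (registered OID URNs).
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"           # eduPersonPrincipalName
EPSA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"           # eduPersonScopedAffiliation
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"         # eduPersonTargetedID
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"          # mail
DISPLAY_NAME = "urn:oid:2.16.840.1.113730.3.1.241"  # displayName

# "SP asking": the RequestedAttribute elements of the SP's
# AttributeConsumingService, in parsed form (constructed).
SP_REQUEST = {
    "entityID": "https://journal.example.org/sp",
    "requested": [
        {"name": EPSA, "required": True},
        {"name": EPTID, "required": True},
        {"name": EPPN, "required": False},
        {"name": MAIL, "required": False},
        {"name": DISPLAY_NAME, "required": False},
    ],
}

# "IdP releasing": what the IdP is willing to send to each SP (constructed).
# Anything not listed is never released, whatever the SP asks for.
IDP_POLICY = {
    "*": {EPTID},                                    # opaque ID to any SP
    "https://journal.example.org/sp": {EPSA, EPPN, MAIL},
}

Attrs = Dict[str, List[str]]


def decide_release(user_attrs: Attrs, sp_request: dict, policy: Dict[str, Set[str]],
                   consent: Optional[Set[str]] = None) -> Tuple[Attrs, List[str]]:
    """Minimal release: an attribute goes out only if the SP asked for it AND
    the IdP's policy allows it for this SP AND, for optional attributes, the
    user consented to it. Required attributes are not subject to per-attribute
    consent: the user either proceeds or cancels the login.

    Returns (released, withheld_required). A non-empty second element means
    the SP's stated requirements cannot be met; stop before sending a response
    rather than issuing a login the SP will reject.
    """
    allowed = set(policy.get("*", set())) | set(policy.get(sp_request["entityID"], set()))
    released: Attrs = {}
    withheld_required: List[str] = []
    for req in sp_request["requested"]:
        name, required = req["name"], req["required"]
        if name not in allowed or name not in user_attrs:
            if required:
                withheld_required.append(name)
            continue
        if not required and consent is not None and name not in consent:
            continue
        released[name] = list(user_attrs[name])
    return released, withheld_required
```

Note what never appears in the output: attributes the user has but the SP did not ask for, and attributes the SP asked for but the IdP's policy does not cover. Both sides of the "asking vs. releasing" question have to agree before a value crosses the wire, which is the least-privilege principle applied to release.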

Attribute aggregation
- At the IdP
  - Already doing internal aggregation
  - Can arrange bulk feeds, e.g. IEEE membership
- At the SP
  - Already in the Shibboleth code
- At an intermediate point
  - Portals and gateways do this now
  - Can greatly simplify trust

"Over legal age"
- Use cases are legion and confusing
  - Legal age of the web site's country
  - Legal age of the IdP's country
  - Legal age of the identity holder's country
- Authoritative sources and delegation
- Query languages
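The "how to ask, e.g. over 18" issue and the three readings of "legal age" on this slide come together in the added example below, which is not from the presentation. It answers the predicate at the IdP so that only a boolean and the jurisdiction it was evaluated against cross the wire, never the date of birth. The legal-age table is constructed and deliberately keyed by ISO 3166 user-assigned codes (XA, XB, XC are reserved for private use and are not real countries); the rule names, the user record and the response shape are this example's own assumptions.

```python
from datetime import date
from typing import Dict

# Constructed, non-authoritative table of ages of majority. XA..XZ are
# user-assigned ISO 3166 codes, so these are explicitly not real countries.
LEGAL_AGE: Dict[str, int] = {"XA": 18, "XB": 21, "XC": 16}


def age_on(dob: date, today: date) -> int:
    """Completed years between dob and today. A birthday not yet reached this
    year counts as a year younger; a 29 February birthday is reached on 1 March
    in a non-leap year (the conservative reading)."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def pick_jurisdiction(rule: str, sp_country: str, idp_country: str, user_country: str) -> str:
    """The three readings of 'legal age' from the slide. Which one applies is a
    policy question the SP and IdP must settle before the attribute is useful."""
    return {"sp": sp_country, "idp": idp_country, "user": user_country}[rule]


def over_legal_age(dob: date, today: date, jurisdiction: str) -> bool:
    """Answer the predicate without releasing the date of birth.
    An unknown jurisdiction is an error, never a default 'yes'."""
    if jurisdiction not in LEGAL_AGE:
        raise KeyError(f"no legal-age rule for jurisdiction {jurisdiction!r}")
    return age_on(dob, today) >= LEGAL_AGE[jurisdiction]


def answer_sp_query(user: dict, sp_country: str, rule: str, today: date) -> dict:
    """What crosses the wire: the boolean plus the jurisdiction it was evaluated
    against, so the SP can tell whether the question it meant was answered.
    The user's dob stays at the IdP."""
    jurisdiction = pick_jurisdiction(rule, sp_country, user["idp_country"], user["country"])
    return {
        "overLegalAge": over_legal_age(user["dob"], today, jurisdiction),
        "jurisdiction": jurisdiction,
    }
```

The same person can be "over legal age" under one rule and not under another, which is exactly why the response carries the jurisdiction: a bare boolean would leave the SP unable to tell which question was answered.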

Complexity and extensibility
- Tagging within the attribute vs use of metadata vs context
- Extensibility: the ability to add new controlled values
- How much flat attribute proliferation can be managed through a structured data space?
- DRM of metadata

Principles of the Tao 属性之道
- Least privilege / minimal release
- Use data "closest" to the source of authority
- Late and dynamic binding where possible
- Dynamic identity data increases in value the shorter the exposure. If identity data is cached away from the source, there is an increased likelihood of staleness and over-exposure, which leads to privacy and data-accuracy concerns.

Beyond the first horizon
- LOA of attributes
- Specifying semantic rules
- Shifting from attribute values as text strings to rich signed data: terms of use, time limits, etc.
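A "rich signed" attribute value of the kind this slide points at, carrying its issuer, LOA, validity window and terms of use under one signature, is sketched in the added example below. It also covers the "tagging within the attribute" option from the Complexity and extensibility slide, the staleness point from the Tao slide (a consumer rejects values past their expiry), and the source-of-authority concern of intermediate aggregation (the issuer field travels with the value). This is not code from the presentation or from any federation product. The container format, the field names, the HMAC construction and the key are this example's own assumptions; a deployment would put these fields in a SAML assertion or a JWS signed with the issuer's key from federation metadata, so that any SP can verify with the public key, rather than with a shared HMAC key.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Set, Tuple

# Constructed shared key for the example only (see lead-in: real deployments
# use the issuer's signing key, not a secret shared with every consumer).
ISSUER_KEY = b"example-issuer-key"


def _canonical(payload: dict) -> bytes:
    """Sign one fixed serialisation (sorted keys, no whitespace). The verifier
    must rebuild exactly these bytes, so JSON formatting choices matter."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue(name: str, value: str, issuer: str, loa: int, ttl: timedelta,
          terms: str, now: datetime, key: bytes = ISSUER_KEY) -> dict:
    """A 'rich' attribute: the value plus who asserted it, its level of
    assurance, validity window and terms of use, all covered by the signature."""
    payload = {
        "name": name,
        "value": value,
        "issuer": issuer,
        "loa": loa,
        "terms": terms,
        "iat": now.isoformat(timespec="seconds"),
        "exp": (now + ttl).isoformat(timespec="seconds"),
    }
    sig = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify(token: dict, now: datetime, min_loa: int, trusted_issuers: Set[str],
           key: bytes = ISSUER_KEY) -> Tuple[bool, str]:
    """Consumer-side checks, signature first so that no other field is trusted
    before it is known to be the issuer's. Returns (accepted, reason)."""
    payload = token["payload"]
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False, "bad signature"
    if payload["issuer"] not in trusted_issuers:
        return False, "untrusted issuer"
    if datetime.fromisoformat(payload["exp"]) <= now:
        return False, "expired"
    if payload["loa"] < min_loa:
        return False, "insufficient LOA"
    return True, "ok"
```

Because the expiry, LOA and issuer are inside the signed payload, an aggregating gateway can forward the value unchanged and the SP still learns who asserted it and for how long it is good, instead of having to trust the gateway's copy of a bare string.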