EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

Presentation transcript:

eduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2

eduPerson Is an Attribute Schema
What is an Attribute Schema? A documented list of attributes with rules about their names, their values and their meanings.
eduPerson focuses on attributes about people in the context of teaching, learning and research.
When are attribute schema useful?
–For institutional directories of person information in LDAP format
–For federated access scenarios…

Attribute Schema for Federated Access
Whenever an organization wants its members to get access to third party digital resources and services.
In federated scenarios, the organization offers an Identity Provider (IdP) serving its members/users, while third party resources and services are represented as Service Providers (SPs).

Federated Flows (A): Request, Redirect, Login Prompt
(animation build slides: the user requests a resource at the SP, is redirected to the IdP, and is prompted to log in)

Federated Flows (B): Authenticate, Assert Attributes, Deliver Content
(animation build slides: the user authenticates at the IdP, the IdP asserts attributes to the SP, and the SP delivers the content)

Interests of the Parties re Attributes
Why the Service Provider (SP) wants user attributes
–To determine if the user should be granted access to the online service or resource
–(Often) To uniquely identify the user
–(Sometimes) To personalize the service or communicate with the user
What the IdP is concerned about
–To release information that facilitates the user’s access to online resources to which they are entitled
–To limit the release of user information in the interest of privacy

Leveraging eduPerson in K-12 Scenarios
There may be K-12 specific attribute needs, but re-use what you can from eduPerson.

Leveraging eduPerson in K-12 Scenarios
To support SP access control decisions
Basic institutional affiliation: faculty, staff, student, alum,…
–If faculty or staff or student, “member” is also asserted
–eduPersonScopedAffiliation:
–Caveat: The list of values is not extensible except through revisions to the eduPerson specification: useful but not flexible

Leveraging eduPerson in K-12 Scenarios
To support SP access control decisions
If you need to specify other affiliations or groupings, use isMemberOf
–Define a group and give it an identifier, put users in the appropriate group(s)
–IdP asserts isMemberOf values for each group the user belongs to
–isMemberOf: apCalculusAB:student
–isMemberOf: wi:madison:memorialhigh:sophomore
–Very flexible, but IdP and SP both need to agree on what to define, populate, assert

Leveraging eduPerson in K-12 Scenarios
To support SP access control decisions
Groups are sets of people. An alternative conceptual approach: an entitlement or permission granted to a user
–eduPersonEntitlement: calendarApp
–eduPersonEntitlement: acme:contract:1432
–Very flexible, but IdP and SP both need to agree on what to define, assign, assert
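The three access-control attributes discussed on the preceding slides (eduPersonScopedAffiliation, isMemberOf, eduPersonEntitlement) arrive at the SP inside a SAML AttributeStatement. The following is an added example, not code from the presentation: it parses a constructed statement and makes an SP-side decision, including the check a real SP must make that the scope of a scoped affiliation belongs to the IdP that asserted it. The urn:oid attribute names are the registered ones for these eduPerson attributes; the entity IDs, scope and sample values are constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# urn:oid attribute names under which these eduPerson attributes travel in SAML
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"

# Constructed sample of what the IdP asserts after the user logs in
SAMPLE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
    <saml:AttributeValue>student@memorialhigh.example.edu</saml:AttributeValue>
    <saml:AttributeValue>member@memorialhigh.example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1">
    <saml:AttributeValue>apCalculusAB:student</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">
    <saml:AttributeValue>calendarApp</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def attributes(statement_xml):
    """Map SAML attribute Name -> list of values."""
    root = ET.fromstring(statement_xml)
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", SAML_NS)]
            for a in root.findall("saml:Attribute", SAML_NS)}

def scoped_affiliations(attrs, allowed_scopes):
    """Keep affiliation@scope only when the scope is one this IdP is authorised
    to assert; an IdP must not be able to claim roles at another institution."""
    kept = set()
    for value in attrs.get(SCOPED_AFFILIATION, []):
        affiliation, sep, scope = value.partition("@")
        if sep and scope.lower() in allowed_scopes:
            kept.add(affiliation.lower())
    return kept

def authorise(statement_xml, allowed_scopes, group=None, entitlement=None):
    """SP decision: a 'member' affiliation from a trusted scope is required,
    plus the named isMemberOf group and/or eduPersonEntitlement if requested."""
    attrs = attributes(statement_xml)
    if "member" not in scoped_affiliations(attrs, allowed_scopes):
        return False
    if group is not None and group not in attrs.get(IS_MEMBER_OF, []):
        return False
    if entitlement is not None and entitlement not in attrs.get(ENTITLEMENT, []):
        return False
    return True
```

The allowed scopes for an IdP normally come from the federation metadata (shibmd:Scope) rather than from SP configuration, which is why a scope the IdP is not registered for is rejected outright.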

Leveraging eduPerson in K-12 Scenarios
Support pseudonymous access whenever possible
–Groups and entitlements don’t identify individuals
If the SP has a valid need to uniquely identify users
–Determine if the SP needs service-specific and service-local user records (think learning tool with performance tracking)
–If so, a provisioning model is probably required
–Institution will need to facilitate creation/update of user records at the SP side
–MUCH less standardized than the federated attribute assertion model
–Out of scope for today

Leveraging eduPerson in K-12 Scenarios
Support pseudonymous access whenever possible
–Groups and entitlements don’t identify individuals
If the SP has a valid need to uniquely identify users but provisioning is not required
Pass identifiers in the IdP-SP attribute assertion
Candidate identifiers from eduPerson
–eduPersonPrincipalName
–eduPersonTargetedID
–eduPersonUniqueID (new in 2013 edition of eduPerson)

Leveraging eduPerson in K-12 Scenarios
eduPersonPrincipalName as an identifier
Example value:
Characteristics: globally unique, persistent
Drawbacks:
–Some institutions re-use values as people turn over; can lead to inappropriate grants of access
–Reveals identity

Leveraging eduPerson in K-12 Scenarios
eduPersonTargetedId as an identifier
Example value: org/shibboleth!84e411ea-7daa-4a57-bbf6-b5cc52981b73
Characteristics: globally unique, persistent, privacy preserving, not reassignable
Drawbacks:
–Not widely enough supported by IdPs

Leveraging eduPerson in K-12 Scenarios
eduPersonUniqueId as an identifier
Example value:
Characteristics: globally unique, persistent, not reassignable
Drawbacks:
–New, no known IdP production support yet
–Reveals identity
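The difference between the identifier slides above is easiest to see in code. This added example (not from the presentation or the Shibboleth project) builds a pairwise pseudonym with the properties the eduPersonTargetedID slide lists, and an eduPersonPrincipalName for contrast. The construction here (HMAC-SHA256 over the SP entityID and the person's non-reassignable internal record id, keyed with an IdP-only secret) is illustrative; Shibboleth's own ComputedId/StoredId connectors differ in detail. The entity IDs, scope, secret and record ids are constructed.

```python
import base64
import hashlib
import hmac

# Constructed IdP-side data. The internal record id is never reassigned, even
# when a username (and so an ePPN built from it) is handed to a new person.
IDP_SECRET = b"constructed-idp-salt-never-shared-with-sps"
IDP_ENTITY_ID = "https://idp.memorialhigh.example.edu/shibboleth"
SCOPE = "memorialhigh.example.edu"

def eppn(username):
    """eduPersonPrincipalName: readable and globally unique, but it reveals
    the user and follows the username if the institution re-uses usernames."""
    return f"{username}@{SCOPE}"

def targeted_id(sp_entity_id, internal_id, secret=IDP_SECRET):
    """Pairwise pseudonym for (this IdP, one SP, one person).

    Stable for the same SP and person, different for every other SP, and not
    invertible to the person without the IdP's secret. Keying on the record id
    rather than the username is what makes it non-reassignable."""
    msg = f"{sp_entity_id}!{internal_id}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def targeted_id_triple(sp_entity_id, internal_id):
    """idpEntityID!spEntityID!value, the string form in which the attribute is
    commonly displayed (the slide's example value is the tail of such a string)."""
    return f"{IDP_ENTITY_ID}!{sp_entity_id}!{targeted_id(sp_entity_id, internal_id)}"
```

A new HMAC key would silently change every pseudonym and orphan the SP's local records, so the secret has to be backed up and rotated as carefully as the user store itself.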

Is a k12Person schema needed?
k12GradeLevel has come up in conversation; use it as a hypothetical example.
Are there use cases? Which Service Providers might base access policies on grade level?
Could be accomplished by agreeing on a shared set of group identifiers, one per grade level, and then passing the appropriate values per user via the isMemberOf attribute.
If not, then a new schema needs to be created to carry k12GradeLevel. MACE-Dir would be willing to host and facilitate this work.

Recommendations
Keep it simple
–Focus on supporting one or a couple of real-world IdP/SP use cases
–Identify the minimal attribute information needed to support the use cases
–Expect to iterate: design, implement, try, review, revise design…
–Don’t attempt to boil the ocean
Encourage representative IdPs and SPs to collaborate and drive the work efforts
–Common failing of schema efforts has been to drive solely from the IdP side

References and Links
–eduPerson: http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson html
–isMemberOf: http://macedir.org/specs/internet2-mace-dir-ldap-group-membership html
–InCommon Federation Attribute Overview:
–InCommon Federation Attribute Summary: