DANTE AAI Training: Part 2: Under the Hood Nicole Harris, TERENA.

Slide 2 (Connect | Communicate | Collaborate): Learning Objectives
- How does Federated Identity work in practice?
- Components: SAML, Metadata, Attributes.
- User Experience: Discovery, Issues, Current deployments.

Slide 3: Under the Hood (Cloak)
Identity Management with a little help from Harry Potter (with apologies for ensuing cheesiness and bad puns).
“What happened down in the dungeons between you and Professor Quirrell is a complete secret, so, naturally the whole school knows.” - Philosopher’s Stone.

Slide 4: Why?
- We are ALL irresponsible with usernames and passwords.
- Importance of using an AFFILIATED credential: proven less likely to be shared.
- Protect against the Gilderoy Lockharts of this world: steals the memories of witches and wizards; claims authority for the exploits in his autobiography. More lasting impact than simply sharing the password to the Gryffindor Common Room.
"Which person, which abysmally foolish person wrote down this week's passwords and left them lying around?" - Prisoner of Azkaban.

Slide 5: What is SAML?
SAML: Security Assertion Markup Language. A standard.
Its layers: Assertion, Protocol, Bindings, Profile.

Slide 6: Elements of SAML
- Assertion = A statement. Something I want to say or ask.
- Protocol = What assertions will be made.
- Bindings = HOW these assertions will be made.
- Profile = How this gets deployed in a specific community.
“The placing of your name in the goblet constitutes a binding, magical contract. There can be no change of heart once you have become a champion.” – Goblet of Fire.

Slide 7: Elements of SAML Redux
- Assertion: “Hello, this is Dobby”.
- Protocol: “Hi, this is Hogwarts with some information. Dobby would like to contact you and he would like to tell you some information. This information is his name.”
- Binding: “Dobby will only be able to talk to you via Owl Service and not via Howler”.
- Profile: “Hogwarts chooses to use Owl Service to talk to the outside world. Hogwarts will not send owls to Dementors or Muggles but will always send them to qualified Wizards.”

Slide 8: So?
“SAML is simply a tool that allows an Identity Provider to talk to a Service and share information safely and securely.”
“Elementary wand safety, nobody bothers about it anymore…” – Goblet of Fire

Slide 9: What is Shibboleth?
Software implementation of SAML, with many parts: IdP, SP, WAYF, Fed Tools.
Think of Shibboleth as your wand, and SAML as the spell words.
“The wand chooses the wizard, Mr. Potter.” – Philosopher’s Stone

Slide 10: What do federations do?
  PROCESS               TRUST
  Register Member       Sign Policy
  Register ‘Entities’   Verify Data
  Publish ‘Entities’    Sign Metadata
THAT’S IT.
“Don't expect me to explain everything, just trust me blindly, trust that I know what I'm doing, trust me even though I don't trust you!” – Deathly Hallows.

Slide 11: Policy
Simply, a promise by the member to behave in a certain way. Self-declared, which will be important in the Assurance discussion. Like the Marauder’s Map:

Slide 12: Entity Information
The information an IdP or SP gives to a federation. Publicly available.
Example (screenshot of a registered entity): TERENA: Service Provider Proxy; contact: TERENA AAI Support.

Slide 13: Attributes
The information an IdP sends an SP (the federation does not typically see this). Attributes about ourselves. For Sirius Black this might be:
- Sirius
- Animagus
- “Padfoot”
- Criminal
- Godfather
“Which one of you can tell me the difference between an animagus and a werewolf?” – Prisoner of Azkaban.

Slide 14: Attributes (cont.)
- We only wish to share certain information with some people. We want to hide different information from different people (criminal, membership, relation to others).
- Can be anything: name, address, wand size, wand wood etc.
- Most commonly expressed via “eduPerson” in an educational context.
- KEYWORD = SCOPED. Means associated specifically with something; in this case, normally an organisation I belong to.

Slide 15: eduPerson
- eduPersonScopedAffiliation: who you are in an organisation: student, staff, affiliate, library walk-in, house elf, dark lord.
- eduPersonPrincipalName: “a persistent, globally unique user identifier”. Also scoped, so it can look like an address.
- eduPersonTargetedID: a random number associated with you, that gives no personal information about you.
- eduPersonEntitlement: a bit of a cheat. A place to catch specific requirements that don’t fit elsewhere.
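The "scoped" keyword has a concrete consequence on the SP side that the slides on attributes and eduPerson only hint at: the scope in a value such as student@hogwarts.example is only trustworthy if the federation has registered that scope for the IdP asserting it, otherwise any IdP could claim affiliations at any other organisation. The following Python example is added here and is not code from the training or from Shibboleth; it uses only the standard library. The assertion, the IdP metadata, the entityIDs and the hogwarts.example / ministry.example domains are constructed for the example; the eduPerson OIDs, the SAML namespaces and the shibmd:Scope extension are the real ones.

```python
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 assertions, SAML metadata and the
# Shibboleth metadata extension that carries an IdP's registered scopes.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# eduPerson attributes as they appear on the wire (by OID), mapped to friendly names.
EDUPERSON = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
}
# The attributes whose values carry a "@scope" suffix that must be checked.
SCOPED = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}

# Constructed IdP metadata: the federation has registered exactly one scope for this IdP.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.hogwarts.example/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">hogwarts.example</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion: one affiliation value is scoped to a domain this IdP does not own.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2014-07-01T10:00:00Z">
  <saml:Issuer>https://idp.hogwarts.example/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>student@hogwarts.example</saml:AttributeValue>
      <saml:AttributeValue>staff@ministry.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>sirius.black@hogwarts.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement">
      <saml:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def registered_scopes(metadata_xml):
    """Return the literal (non-regexp) scopes the federation published for this IdP."""
    root = ET.fromstring(metadata_xml)
    return {
        s.text.strip().lower()
        for s in root.iterfind(".//shibmd:Scope", NS)
        if s.get("regexp", "false") == "false" and s.text
    }


def filter_attributes(assertion_xml, scopes):
    """Split asserted attribute values into accepted ones and rejected out-of-scope ones."""
    root = ET.fromstring(assertion_xml)
    accepted, rejected = {}, []
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = EDUPERSON.get(attr.get("Name"), attr.get("Name"))
        for node in attr.iterfind("saml:AttributeValue", NS):
            value = (node.text or "").strip()
            if name in SCOPED:
                user, sep, scope = value.rpartition("@")
                # A scoped value needs a user part and a scope the IdP is registered for.
                if not sep or not user or scope.lower() not in scopes:
                    rejected.append((name, value))
                    continue
            accepted.setdefault(name, []).append(value)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_attributes(ASSERTION, registered_scopes(IDP_METADATA))
    print("accepted:", ok)
    print("rejected (out of scope):", bad)
```

Running it accepts student@hogwarts.example and sirius.black@hogwarts.example but rejects staff@ministry.example, because ministry.example is not among the scopes the federation signed for this IdP. In a real deployment the signature on the federation metadata is what makes the scope list trustworthy; the check above assumes that signature has already been verified.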

Slide 16: Entity Categories
“Bold Gryffindor from wild moor, Fair Ravenclaw from glen, Sweet Hufflepuff from valley broad, Shrewd Slytherin from fen.”
The Sorting Hat places students in houses or categories based on their attributes. Entity Categories place Entities into categories based on the attributes they need and are allowed.

Slide 17: Entity Category: R&S
1. SP applies to be in the Research and Scholarship category.
2. Federation checks the purpose of the SP's business and its ‘need’ for attributes.
3. Federation tags the SP Entity.
4. IdP has already decided to support R&S with a support tag: attributes automagically flow!
More on this tomorrow.
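The four steps above come together in the IdP's attribute release decision, which keys off two tags in federation metadata: the category tag the federation puts on the SP entity, and the support tag the IdP operator puts on its own entity. The Python example below is added here and is not code from the training or from any IdP product; it uses only the standard library. The entityIDs and the SP/IdP metadata are constructed, and the attribute bundles are a simplified illustration; the entity-attribute names (http://macedir.org/entity-category and http://macedir.org/entity-category-support), the R&S category URI and the mdattr:EntityAttributes extension are the real ones.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
}

# Entity-attribute names used to tag entities in federation metadata, and the R&S category URI.
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"
RS = "http://refeds.org/category/research-and-scholarship"

# Simplified bundles (assumption for this example): what flows to an R&S SP versus any other SP.
RS_BUNDLE = ["eduPersonPrincipalName", "mail", "displayName",
             "eduPersonScopedAffiliation", "eduPersonTargetedID"]
DEFAULT_BUNDLE = ["eduPersonTargetedID"]


def build_entity(entity_id, descriptor, tag_name=None, tag_value=None):
    """Build a small constructed EntityDescriptor, optionally carrying one entity attribute."""
    ext = ""
    if tag_name:
        ext = f"""<md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
      <saml:Attribute Name="{tag_name}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>{tag_value}</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>"""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{entity_id}">
  {ext}
  <md:{descriptor} protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


# Constructed metadata: an SP the federation tagged as R&S, an untagged SP, and an IdP
# whose operator declared R&S support.
SP_RS = build_entity("https://sp.wizardlib.example/shibboleth", "SPSSODescriptor", ENTITY_CATEGORY, RS)
SP_PLAIN = build_entity("https://sp.dailyprophet.example/shibboleth", "SPSSODescriptor")
IDP = build_entity("https://idp.hogwarts.example/idp", "IDPSSODescriptor", ENTITY_CATEGORY_SUPPORT, RS)


def entity_attribute_values(metadata_xml, name):
    """Values of the named entity attribute in an entity's federation-published metadata."""
    root = ET.fromstring(metadata_xml)
    values = set()
    for attr in root.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.update((v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS))
    return values


def attributes_to_release(idp_metadata, sp_metadata):
    """IdP-side release decision: the R&S bundle flows only when the federation tagged the SP
    as R&S and the IdP has declared R&S support; every other SP gets the default bundle.
    The SP tag is trusted because it sits in federation-signed metadata, not because the SP
    said so in a request."""
    idp_supports = RS in entity_attribute_values(idp_metadata, ENTITY_CATEGORY_SUPPORT)
    sp_is_rs = RS in entity_attribute_values(sp_metadata, ENTITY_CATEGORY)
    return list(RS_BUNDLE) if idp_supports and sp_is_rs else list(DEFAULT_BUNDLE)


if __name__ == "__main__":
    print("R&S SP gets:", attributes_to_release(IDP, SP_RS))
    print("untagged SP gets:", attributes_to_release(IDP, SP_PLAIN))
```

The point worth noticing is that neither party decides alone: the SP's need is vetted by the federation (the tag), and the IdP opts in once (the support tag) rather than negotiating per SP, which is what makes the attributes flow "automagically" for every R&S service that joins later.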

Slide 18: Discovery: Where Are You From?
- The first question asked in the exchange when a user logs in: which IdP should we use? Where Are You From?
- Either a list or a type-ahead box.
- Often very, very, very badly implemented. Try logging in as “King’s College London” to: onlinelibrary.wiley.com, historicaltexts.jisc.ac.uk
“Only a person who wanted to find the Stone -- find it, but not use it -- would be able to get it” – Philosopher’s Stone.

Slides 19-22: REFEDS Discovery Guide: discovery.refeds.org (screenshots)

Slide 23: Quiz Time

Slides 24-25: Quiz Time
1. Which of the following does NOT describe SAML?
   a) Assertion
   b) Protocol
   c) Software implementation
   d) Binding
2. Which of the following is NOT true?
   a) Federation members must sign a policy when joining a federation.
   b) Policy statements are self-declared.
   c) A member can only register 1 entity.
   d) The federation carries out verification checks for registered entities.
3. Who can see entity information in federation metadata?
4. Who can see attribute information passed by the IdP?
5. What is eduPersonScopedAffiliation?
   a) A way to describe your role within an organisation.
   b) Your name.
   c) A description of what you can access.
   d) A number assigned to you.
6. Name one feature of good discovery practice.

Slide 26: Thank you!