Presentation is loading. Please wait.

Presentation is loading. Please wait.

AARC2 JRA1 Nicolas Liampotis

Published byAmbrose Nash Modified over 6 years ago

Similar presentations

Presentation on theme: "AARC2 JRA1 Nicolas Liampotis"— Presentation transcript:

1 AARC2 JRA1 Nicolas Liampotis
Exchange of scoped affiliation information across infrastructures Nicolas Liampotis JRA1, AARC2 GRNET AARC2 2nd meeting, Amsterdam 22 November 2017

2 Scoped affiliation information What is it
“The person's affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc.” The values consist of a left and right component separated by an sign The left component is one of the values from the eduPersonAffiliation controlled vocabulary This right-hand side syntax of eduPersonScopedAffiliation intentionally matches that used for the right-hand side values for eduPersonPrincipalName The "scope" portion MUST be the administrative domain to which the affiliation applies

3 Scoped affiliation information Why we need it
RPs typically use scoped affiliation information to make authorisation decisions based on the person’s affiliation within their: Home Organisation  HO affiliation, e.g. Infrastructure  Infrastructure affiliation, e.g.

4 Scoped affiliation information The problem with X-infra exchange
Scoped affiliation information can be communicated via the ePSA attribute which is an (optional) attribute of the REFEDS R&S bundle so.. problem solved! BUT ePSA attribute values will be typically filtered out by SPs due to scope checking

5 Scoped affiliation information What is scope checking
After receiving a scoped attribute from the IdP, SP software can be configured to compare the asserted scope to the scope value(s) in metadata or to a locally defined list The scoped attribute is accepted by the SP if and only if the asserted scope matches a scope value in metadata or one that's manually configured The Shibboleth SP software is configured this way by default. SimpleSAMLphp doesn't perform scope checking by default but it may in the near future (at last!) Other SP software may require explicit configuration or in many cases may not support the <shibmd:Scope> element at all.

6 Scoped affiliation information The big question
To check, or not to check the scope?

7 Scoped affiliation information Can SPs trust it?
“Consumers of ePSA will have to decide whether or not they trust values of this attribute. In the general case, the directory carrying the ePSA is not the ultimate authoritative speaker for the truth of the assertion. Trust must be established out of band with respect to exchanges of this attribute value.” Q. Do the asserted ePSA value scopes need to match the scope value(s) in metadata? Well… You can't read an eduPerson definition and make any inference about scopes in metadata, since the definition is of an attribute that exists independently of SAML. If you want the asserted attribute values to be acceptable, you'll need to add them [their scopes] to metadata. Otherwise all bets are off. To be honest though, that text is just weird. I don't actually know what it was trying to say.

8 Scoped affiliation information Can SPs trust it in a proxy environment?
Q. How can an IdP proxy of a research/e-Infra AAI pass the ePSA values received by upstream IdPs to the downstream SPs? The proxy is almighty and can assert whatever it wants, and the SPs relying on that one proxy have no* way to verify anything the proxy asserts (other than that it's actually the proxy they know that sent them data) BUT Can this work for SPs that are connected to a proxy and are exposed in eduGAIN at the same time?

9 Scoped affiliation information Different approaches to support X-infra exchange
The IdP Proxy communicates scoped affiliation values via the ePSA attribute with all scope values in the IdP proxy metadata The IdP Proxy communicates scoped affiliation values via the ePSA attribute and downstream SPs are configured to disable scope checking for that attribute The IdP/SP proxy introduces an existing eduPerson attribute (e.g. eduPersonEntitlement) to communicate scoped affiliation values The IdP/SP proxy introduces a new ePSA-like attribute “XScopedAffiliation” to communicate scoped affiliation values

10 Scoped affiliation information Exchange via ePSA attribute with all scope values in the IdP Proxy metadata ePSA is a standard attribute ePSA is an optional attribute of the REFEDS R&S bundle No config required for downstream SPs Needs agreement with Federation operators who are in effect authoritative for the scope element in metadata

11 Scoped affiliation information Exchange via ePSA attribute without scope values in IdP Proxy metadata No need to add scopes in IdP proxy metadata ePSA is a standard attribute ePSA is an optional attribute of the REFEDS R&S bundle Requires SPs to be configured to disable scope checking for ePSA values from the proxy

12 Scoped affiliation information Exchange via ePEntitlement attribute without scope values in IdP Proxy metadata No need to add scopes in IdP Proxy metadata ePEntitlement is a standard attribute ePEntitlement is already used for access control by SPs ePEntitlement is not part of the REFEDS R&S attribute bundle Requires SPs to be configured to parse affiliation information from IdP Proxies in a special way

13 Scoped affiliation information Exchange via new xScopedAffiliationAttribute attribute without scope values in IdP Proxy metadata No need to add scopes in IdP proxy metadata xScopedAffiliation is not part of the REFEDS R&S attribute bundle Requires SPs to be configured to handle affiliation information from both ePSA and new attribute

14

Download ppt "AARC2 JRA1 Nicolas Liampotis"

Similar presentations

Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management.

Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.

Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.

Belnet Federation Belnet – Loriau Nicolas Brussels – 12 th of June 2014.
The UK Access Management Federation for education and research John Chapman, Project Adviser, Technical Policy & Standards.

The UK Access Management Federation for education and research John Chapman, Project Adviser, Technical Policy & Standards.
Towards Interconnecting the Nordic Identity Federations TNC2007 Walter M Tveter, UiO Mikael Linden, CSC/HAKA Ingrid Melve, Uninett/Feide.

Towards Interconnecting the Nordic Identity Federations TNC2007 Walter M Tveter, UiO Mikael Linden, CSC/HAKA Ingrid Melve, Uninett/Feide.
Connect. Communicate. Collaborate Place organisation and project logos in this area Usage of SAML in eduGAIN Stefan Winter, RESTENA Foundation TERENA Networking.

Connect. Communicate. Collaborate Place organisation and project logos in this area Usage of SAML in eduGAIN Stefan Winter, RESTENA Foundation TERENA Networking.
Technical Break-out group What are the biggest issues form past projects – need for education about standards and technologies to get everyone on the same.

Technical Break-out group What are the biggest issues form past projects – need for education about standards and technologies to get everyone on the same.
GridShib and PERMIS Integration: Adding Policy driven Role-Based Access Control to Attribute-Based Authorisation in Grids Globus Toolkit is an open source.

GridShib and PERMIS Integration: Adding Policy driven Role-Based Access Control to Attribute-Based Authorisation in Grids Globus Toolkit is an open source.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Milan And mechanisms NA3 Task 4 – Scalable.

Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Milan And mechanisms NA3 Task 4 – Scalable.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Michał Jankowski, Maciej Brzeźniak AARC General Meeting, Milan.

Authentication and Authorisation for Research and Collaboration Michał Jankowski, Maciej Brzeźniak AARC General Meeting, Milan.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos GRNET Proposed Pilots for Libraries and eGov.

Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos GRNET Proposed Pilots for Libraries and eGov.
Shibboleth Trust Model Shibboleth/SAML Communities (aka Federated Administrations) Club Shib Club Shib Application process Policy decision points at the.

Shibboleth Trust Model Shibboleth/SAML Communities (aka Federated Administrations) Club Shib Club Shib Application process Policy decision points at the.
Interfederation RL “Bob” Morgan University of Washington and Internet2 Internet2 Member Meeting Chicago, Illinois December 2006.

Interfederation RL “Bob” Morgan University of Washington and Internet2 Internet2 Member Meeting Chicago, Illinois December 2006.
June 9, 2009 SURFfederatie: implementing a multi- protocol federation Hans Zandbelt & Joost van Dijk, SURFnet.

June 9, 2009 SURFfederatie: implementing a multi- protocol federation Hans Zandbelt & Joost van Dijk, SURFnet.
DANTE AAI Training: Part 2: Under the Hood Nicole Harris, TERENA.

DANTE AAI Training: Part 2: Under the Hood Nicole Harris, TERENA.
REFEDs Wiki A test-bed for cross-federation practices ? Firstname Lastname Job title

REFEDs Wiki A test-bed for cross-federation practices ? Firstname Lastname Job title
Introduction to Shibboleth Attribute Delivery for Campuses New to Shibboleth Paul Caskey The University of Texas System.

Introduction to Shibboleth Attribute Delivery for Campuses New to Shibboleth Paul Caskey The University of Texas System.

Similar presentations

Ads by Google