Presentation is loading. Please wait.

Presentation is loading. Please wait.

2006 © SWITCH Group Management Tool Lukas Haemmerle

Published byIsabela Bartlett Modified over 10 years ago

Similar presentations

Presentation on theme: "2006 © SWITCH Group Management Tool Lukas Haemmerle"— Presentation transcript:

1 2006 © SWITCH Group Management Tool Lukas Haemmerle haemmerle@switch.ch

2 2006 © SWITCH 2 Situation  Web application/files/functions that must be protected  Access/authorization shall be based on user groups  Overhead for group administration shall be small  Shibboleth/Other solution available  Users have an AAI account Real life example: The slides/photos of this meeting shall only be accessible by all people who attended the meeting.

3 2006 © SWITCH 3 Case 1: Users share common attributes HomeOrg = IdP X| IdP Y| IdP Z Affiliation = Student StudyBranch = Medicine Access Rule

4 2006 © SWITCH 4 Case 2: No common user attributes How can these users be authorized?

5 2006 © SWITCH 5 Solution 1: Create a common attribute Add an entitlement attribute for specific users Require entitlement urn:mace:rediris.es:entitlement:wiki:jra5  Easy solution for a difficult problem  Additional work for user directory administrator  Difficult to efficiently manage many entitlement values  Only IdP admin can manage access + - Access Rule

6 2006 © SWITCH 6 Solution 2.a: Use uniqueIDs or email 1.Get unique IDs or AAI email addresses of users. 2.Create access rules like: require uniqueID 465@idp-x.ch 234@idp-y.ch […] require email hans.muster@idpx.ch pierre.m@idpz.ch […]  Straight-forward solution  SP administrator must know unique ID/Email address  Difficult to efficiently manage for many users/apps  Only SP admin can manage access + - Access Rule

7 2006 © SWITCH 7 Solution 2.b: Use SWITCH GMT 0.9  Open Source software (BSD license)  Easy to install  Light-weight PHP application  Human readable text files to store group data Features  Manage multiple groups for multiple applications  Three user/admin roles with different privileges  Transfer privileges to other users  Invite new users to join group via email  User can request to join a group (self-registration)  Generate authorization files (Apache.htaccess)  API for use on remote hosts

8 2006 © SWITCH 8 Administration interface  Every role has different options and views  Red groups are system groups

9 2006 © SWITCH 9 Group settings

10 2006 © SWITCH 10 Manage a group

11 2006 © SWITCH 11 Adding users to a group  Add registered users to one or more groups with a certain role

12 2006 © SWITCH 12 Inviting new users  Invitation token (link) is sent to provided email addresses  Tokens can be revoked

13 2006 © SWITCH 13 Request to join a group

14 2006 © SWITCH 14 Generate authorization files  Multiple authorization files can be generated per group  Files are updated automatically on changes

15 2006 © SWITCH 15 Authorization files

16 2006 © SWITCH 16 Interface for remote hosts PHP/PERL functions: isInGroup($uniqueID, $gName) getGroupModifyURL($gName) getUserGroups($uniqueID) getStatus() getError() Secure queries:  Over SSL  Encrypted with shared key  Limited to allowed hosts

17 2006 © SWITCH 17 Summary and outlook Summary  Convenient management of “virtual” groups  Roles can be transferred  Users can request to join a group with self-registration  Authorize users on remote servers  Libraries available for PHP and Perl Preliminary outlook for GMT 1.0  Generation of Shibboleth XML authorization files  Additional API functions with SOAP/REST  Probably new name (e.g. “grot”, “groupy”, …) http://www.switch.ch/aai/gmt

18 2006 © SWITCH 18 Questions Q & A http://www.switch.ch/aai aai@switch.ch

Download ppt "2006 © SWITCH Group Management Tool Lukas Haemmerle"

Similar presentations

© 2006 FedEx. All rights reserved. FedEx Ship Manager ® at fedex.com Shipping Administration.

© 2006 FedEx. All rights reserved. FedEx Ship Manager ® at fedex.com Shipping Administration.
Final Project Instructor: Nguyen Anh Tu Students: Tran Tien Tai Tran Tien Tai Tran Ngoc Mai Tran Ngoc Mai Tu Kim Tuan Tu Kim Tuan Nguyen Ngoc Phuong Nguyen.

Final Project Instructor: Nguyen Anh Tu Students: Tran Tien Tai Tran Tien Tai Tran Ngoc Mai Tran Ngoc Mai Tu Kim Tuan Tu Kim Tuan Nguyen Ngoc Phuong Nguyen.
RP Designs Semi-Custom e-Commerce Package. Overview RP Designs semi- custom e-commerce package is a complete website solution. Visitors can browse a catalog.

RP Designs Semi-Custom e-Commerce Package. Overview RP Designs semi- custom e-commerce package is a complete website solution. Visitors can browse a catalog.
Drybridge Consulting Party Identification Directory Installing the Microsoft Research Service IDEAlliance and Drybridge Consulting – collaborating to deliver.

Drybridge Consulting Party Identification Directory Installing the Microsoft Research Service IDEAlliance and Drybridge Consulting – collaborating to deliver.
1. XP 2 * The Web is a collection of files that reside on computers, called Web servers. * Web servers are connected to each other through the Internet.

1. XP 2 * The Web is a collection of files that reside on computers, called Web servers. * Web servers are connected to each other through the Internet.
IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.

IEs Protected Mode in Windows Vista TM January 20, 2006 Marc Silbey Program Manager.
BeKnown How-to: Company Profiles & Jobs App for Timeline.

BeKnown How-to: Company Profiles & Jobs App for Timeline.
Datamax/MCL Off-Line License Activation Method

Datamax/MCL Off-Line License Activation Method
Virtual Trunk Protocol

Virtual Trunk Protocol
UNIVERSITY OF EDUCATION BY H.M.ISHTIAQ RAFIQUE. Domain Name Structure.

UNIVERSITY OF EDUCATION BY H.M.ISHTIAQ RAFIQUE. Domain Name Structure.
Slide 1 Insert your own content. Slide 2 Insert your own content.

Slide 1 Insert your own content. Slide 2 Insert your own content.
eduroam Delegate Authentication System with Shibboleth SSO

eduroam Delegate Authentication System with Shibboleth SSO
Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
1 An Update on XML.org Registry and Repository Una Kearns Documentum, Inc.

1 An Update on XML.org Registry and Repository Una Kearns Documentum, Inc.
Online Access to Student Information The primary goal of the Cleveland Metropolitan School District is to become a premier school district in the United.

Online Access to Student Information "The primary goal of the Cleveland Metropolitan School District is to become a premier school district in the United.
1 Advanced E-mail with GMail A CYC Electives Module 10-15-10.

1 Advanced with GMail A CYC Electives Module
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
1 State Wildlife Action Plans Wiki: Business Transformation Tutorial Brand Niemann July 5, 2008

1 State Wildlife Action Plans Wiki: Business Transformation Tutorial Brand Niemann July 5, 2008
Click to edit Master title style Page - 1 OneSky Teams Step-by-Step Online Corporate Communication Support 2006.

Click to edit Master title style Page - 1 OneSky Teams Step-by-Step Online Corporate Communication Support 2006.
Michigan Electronic Grants System Plus

Michigan Electronic Grants System Plus

Similar presentations

Ads by Google