Presentation is loading. Please wait.

Presentation is loading. Please wait.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

Published byDarien Crosland Modified over 9 years ago

Similar presentations

Presentation on theme: "EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2."— Presentation transcript:

1 eduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2

2 eduPerson Is an Attribute Schema What is an Attribute Schema? A documented list of attributes with rules about their names, their values and their meanings eduPerson focuses on attributes about people in the context of teaching, learning and research When are attribute schema useful? –For institutional directories of person information in LDAP format –For federated access scenarios…

3 Attribute Schema for Federated Access Whenever an organization wants its members to get access to third party digital resources and services In federated scenarios, the organization offers an Identity Provider (IdP) serving its members/users while third party resources and services are represented as Service Providers (SPs)

4 Federated Flows (A) Request

5 Federated Flows (A) Request Redirect

6 Federated Flows (A) Request Redirect Login Prompt

7 Federated Flows (B) Authenticate

8 Federated Flows (B) Assert Attributes Authenticate

9 Federated Flows (B) Deliver Content Assert Attributes Authenticate

10 Federated Flows (B) Deliver Content Assert Attributes Authenticate

11 Interests of the Parties re Attributes Why the Service Provider (SP) wants user attributes –To determine if the user should be granted access to the online service or resource –(Often) To uniquely identify the user –(Sometimes) To personalize the service or communicate with the user What the IdP is concerned about –To release information that facilitates the user’s access to online resources to which they are entitled –To limit the release of user information in the interest of privacy

12 Leveraging eduPerson in K-12 Scenarios There may be K-12 specific attribute needs, but re-use what you can from eduPerson

13 Leveraging eduPerson in K-12 Scenarios To support SP access control decisions Basic institutional affiliation: faculty, staff, student, alum,… –If faculty or staff or student, “member” is also asserted; –eduPersonScopedAffiliation: member@foo.edumember@foo.edu –Caveat: The list of values is not extensible except through revisions to eduPerson specification: useful but not flexible

14 Leveraging eduPerson in K-12 Scenarios To support SP access control decisions If you need to specify other affiliations or groupings, use isMemberOf –Define a group and give it an identifier, put users in the appropriate group(s) –IdP Asserts isMemberOf values for each group the user belongs to –isMemberOf: apCalculusAB:student –isMemberOf: wi:madison:memorialhigh:sophomore –Very flexible, but IdP and SP both need to agree on what to define, populate, assert

15 Leveraging eduPerson in K-12 Scenarios To support SP access control decisions Groups are sets of people An alternative conceptual approach: An entitlement or permission granted to a user eduPersonEntitlement: calendarApp eduPersonEntitlement: acme:contract:1432 Very flexible, but IdP and SP both need to agree on what to define, assign, assert

16 Leveraging eduPerson in K-12 Scenarios Support pseudonymous access whenever possible –Groups and entitlements don’t identify individuals If the SP has a valid need to uniquely identify users –Determine if the SP needs service-specific and service-local user records (think learning tool with performance tracking) –If so, a provisioning model is probably required –Institution will need to facilitate creation/update of user records at the SP side –MUCH less standardized than federated attribute assertion model –Out of scope for today

17 Leveraging eduPerson in K-12 Scenarios Support pseudonymous access whenever possible –Groups and entitlements don’t identify individuals If the SP has a valid need to uniquely identify users but provisioning is not required Pass identifiers in the IdP-SP attribute assertion Candidate identifiers from eduPerson –eduPersonPrincipalName –eduPersonTargetedID –eduPersonUniqueID (new in 2013 edition of eduPerson)

18 Leveraging eduPerson in K-12 Scenarios eduPersonPrincipalName as an identifier Example value: hazelton@wisc.eduhazelton@wisc.edu Characteristics: globally unique, persistent Drawbacks: –Some institutions re-use values as people turn over; can lead to inappropriate grants of access –Reveals identity

19 Leveraging eduPerson in K-12 Scenarios eduPersonTargetedId as an identifier Example value: https://idp.example.org/idp/shibboleth!https://sp.example. org/shibboleth!84e411ea-7daa-4a57-bbf6- b5cc52981b73 https://idp.example.org/idp/shibboleth!https://sp.example. org/shibboleth!84e411ea-7daa-4a57-bbf6- b5cc52981b73 Characteristics: globally unique, persistent, privacy preserving, not reassignable Drawbacks: –Not widely enough supported by IdPs

20 Leveraging eduPerson in K-12 Scenarios eduPersonUniqueId as an identifier Example value: 28c5353b8bb34984a8bd4169ba94c606@foo.edu 28c5353b8bb34984a8bd4169ba94c606@foo.edu Characteristics: globally unique, persistent, not reassignable Drawbacks: –New, no known IdP production support yet –Reveals identity

21 Is a k12Person schema needed? k12GradeLevel has come up in conversation; Use as a hypothetical example Are there use cases? Which Service Providers might base access policies on grade level? Could be accomplished by agreeing on a shared set of group identifiers, one per grade level, and then passing appropriate values per user via the isMemberOf attribute If not, then a new schema needs to be created to carry k12GradeLevel MACE-Dir would be willing to host and facilitate this work

22 Recommendations Keep it simple –Focus on supporting one or a couple of real-world IdP/SP use cases –Identify the minimal attribute information needed to support the use cases –Expect to iterate: design, implement, try, review, revise design… –Don’t attempt to boil the ocean Encourage representative IdPs and SPs to collaborate and drive the work efforts –Common failing of schema efforts has been to drive solely from the IdP side

23 References and Links eduPerson –http://software.internet2.edu/eduperson/internet2-mace-dir- eduperson-201310.htmlhttp://software.internet2.edu/eduperson/internet2-mace-dir- eduperson-201310.html isMemberOf –http://macedir.org/specs/internet2-mace-dir-ldap-group- membership-200507.htmlhttp://macedir.org/specs/internet2-mace-dir-ldap-group- membership-200507.html InCommon Federation Attribute Overview –http://www.incommon.org/federation/attributes.htmlhttp://www.incommon.org/federation/attributes.html InCommon Federation Attribute Summary –http://www.incommon.org/federation/attributesummary.html

Download ppt "EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2."

Similar presentations

04 June 2002, TERENA, Limerick MACE: Directories at Work Keith Hazelton, Senior IT Architect, Univ. of Wisconsin-Madison Chair, MACE-Dir Working Group.

04 June 2002, TERENA, Limerick MACE: Directories at Work Keith Hazelton, Senior IT Architect, Univ. of Wisconsin-Madison Chair, MACE-Dir Working Group.
All About Attributes (in federated identity) Nate Klingenstein 30 January 2007 OGF 19 Chapel Hill.

All About Attributes (in federated identity) Nate Klingenstein 30 January 2007 OGF 19 Chapel Hill.
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Schema: eduPerson views Michael R Gettes Duke University EuroCAMP, November 2005.

Schema: eduPerson views Michael R Gettes Duke University EuroCAMP, November 2005.
Recent Developments in Directories Tom Barton, University of Chicago Keith Hazelton, University of Wisconsin.

Recent Developments in Directories Tom Barton, University of Chicago Keith Hazelton, University of Wisconsin.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.

REFEDS RESEARCH AND EDUCATION (R&S) ENTITY CATEGORY NICOLE HARRIS.
June 30, 2004CAMP Shibboleth Implementation Workshop Shibboleth Mockup - ARP GUI Management by Steven Carmody Brown University proxy Walter Hoehn.

June 30, 2004CAMP Shibboleth Implementation Workshop Shibboleth Mockup - ARP GUI Management by Steven Carmody Brown University proxy Walter Hoehn.
Shibboleth and InCommon Copyright Texas A&M University 2008. This work is the intellectual property of the author. Permission is granted for this material.

Shibboleth and InCommon Copyright Texas A&M University This work is the intellectual property of the author. Permission is granted for this material.
Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, 2004. This work is the intellectual property of the.

Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, This work is the intellectual property of the.
A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.

A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Digital Identity Management Strategy, Policies and Architecture Kent Percival 2005 06 23 A presentation to the Information Services Committee.

Digital Identity Management Strategy, Policies and Architecture Kent Percival A presentation to the Information Services Committee.
AAI with simpleSAMLphp

AAI with simpleSAMLphp
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Maturation & Convergence in Authentication & Authorization Services in US Higher Education: Keith Hazelton, Sr. IT Architect, University.

Maturation & Convergence in Authentication & Authorization Services in US Higher Education: Keith Hazelton, Sr. IT Architect, University.
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.

Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.

Similar presentations

Ads by Google