Presentation is loading. Please wait.

Presentation is loading. Please wait.

EduPerson is only part of the answer Leeds University David Holdsworth & Ray Powell

Published byPhilippa Craig Modified over 9 years ago

Similar presentations

Presentation on theme: "EduPerson is only part of the answer Leeds University David Holdsworth & Ray Powell"— Presentation transcript:

1 eduPerson is only part of the answer Leeds University David Holdsworth & Ray Powell http://www.personal.leeds.ac.uk/~ecldh/xlm4he/

2 XLM4HE project X.509 — identification LDAP — authorisation Middleware — incompatibilities for Higher Education — scalability, cost Part of Internet2/JISC collaboration in UK 2

3 Shibboleth Architecture DRAFT 3

4 Resource Provider’s Web Server XLM4HE Middleware XLM4HE Interactions http://129.11.152.25/xlm4heWeb site has step-by-step version 4

5 An Example in which Futile Operations On-Line (FOOL) to provide access to their on-line educational product called the Department of Futile Studies negotiates with a content provider called F-Systems 5

6 4. LDAP search : baseDN = namespace (i.e. FOOL ) certNum = certificate serial number certSign = certificate signer FOOL is requested attribute 4 University F-Systems 6

7 7. LDAP searchResponse : DN = whatever policy specifies FOOL = user’s status in accessing FOOL 7 University F-Systems 7

8 Shibboleth Equivalent 1 SHAR redirects browser to AA giving handle and product name (i.e. FOOL ) 1.0 00565d61-301c-1b1c-0010a4908950 newman.leeds.ac.uk 991702501 http:/www.f-systems.co.uk/futility.html 0015d1f1-307c-1b1c-9581-0010a4908950 FOOL 8

9 Shibboleth Equivalent 2 AA redirects browser to SHAR giving YES or NO 1.0 00565d61-301c-1b1c-0010a4908950 aa.iss.leeds.ac.uk 991702561 FOOL yes 9

10 Vanilla Shibboleth AA redirects browser to SHAR giving eduPerson attributes 1.0 00565d61-301c-1b1c-0010a4908950 aa.psu.edu 991702561 rshuey@psu.edu staff employee member 10

11 Trust Target must trust university to answer honestly –Trust already needed to believe attributes Target must check that AA is trusted for requested product –i.e. there is a contractual relationship –could be global list of trusted AAs 11

12 Conclusions Shibboleth has decision at target Attributes (eduPerson) sent to target Uniformity of eduPerson usage at all institutions is needed XLM4HE has decision at university Attribute release to target is minimal Simplicity at the target end More Trust of university is needed, but there has to be trust in either case. 12

13 Recommendation Include both mechanisms in Shibboleth architecture Let experience see whether decision is best at University or Resource Provider More information: http://129.11.152.25/xlm4he/ 13

Download ppt "EduPerson is only part of the answer Leeds University David Holdsworth & Ray Powell"

Similar presentations

INFN CA1 active since July 1998 manager: –Roberto Cecchini types of certificates released: –personal –server –object signing.

INFN CA1 active since July manager: –Roberto Cecchini types of certificates released: –personal –server –object signing.
Authorisation Models for National Scale Services Alan Robiette Joint Information Systems Committee

Authorisation Models for National Scale Services Alan Robiette Joint Information Systems Committee
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
FAME-PERMIS Project University of Manchester University of Kent London, July 2006.

FAME-PERMIS Project University of Manchester University of Kent London, July 2006.
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
SCENARIO Suppose the presenter wants the students to access a file Supply Credenti -als Grant Access Is it efficient? How can we make this negotiation.

SCENARIO Suppose the presenter wants the students to access a file Supply Credenti -als Grant Access Is it efficient? How can we make this negotiation.
Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.

Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.
Shibboleth: How It Relates to SAML Marlena Erdos Aug 27, 2001.

Shibboleth: How It Relates to SAML Marlena Erdos Aug 27, 2001.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
EFDA Federation PAPI based federation as a test-bed for a common security infrastructure in EFDA sites R. Castro, J. Vega, A. Portas, D. R. López, S. Balme,

EFDA Federation PAPI based federation as a test-bed for a common security infrastructure in EFDA sites R. Castro, J. Vega, A. Portas, D. R. López, S. Balme,
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
Infrastructure for Multi-Professional Education and Training Using Shibboleth.

Infrastructure for Multi-Professional Education and Training Using Shibboleth.
Enterprise Portal Authentication: who are you? Authorization: what are you permitted to do? Personalization: the web pages you see are dynamically created.

Enterprise Portal Authentication: who are you? Authorization: what are you permitted to do? Personalization: the web pages you see are dynamically created.
1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.
Shibboleth Update a.k.a. “shibble-ware”

Shibboleth Update a.k.a. “shibble-ware”
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Supporting further and higher education Authentication & Authorisation for JISC and UK e-Science Alan Robiette, JISC Development Group.

Supporting further and higher education Authentication & Authorisation for JISC and UK e-Science Alan Robiette, JISC Development Group.
F. Guilleux, O. Salaün - CRU Middleware activities in French Higher Education.

F. Guilleux, O. Salaün - CRU Middleware activities in French Higher Education.

Similar presentations

Ads by Google