Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tech Track: Attribute Delivery Newcastle University Caleb Racey

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Tech Track: Attribute Delivery Newcastle University Caleb Racey"— Presentation transcript:

1 Tech Track: Attribute Delivery Newcastle University Caleb Racey Caleb.Racey@ncl.ac.uk

2 Overview Introduction Attribute Issues –External site access –Internal site access –Provisioning –Usability improvements Roundup

3 Technical Background Distributed ad hoc identity infrastructure –No Authoritative directory of user info –Identity information spread across diverse systems Mixed Infrastructure: –Unix: Solaris + Redhat EL –Windows –SAP Mixed web application platforms: –The 3 P’s: PHP, Perl, Python –Java –ASP + ASP.net

4 What attributes are used for Access control to external applications –federated use Access control to internal applications Provisioning internal applications Usability internal enhancements

5 Prerequisites to attribute use Identify requirement for attributes Do people actually know? Chicken and egg, won’t use Shib until attributes there, won’t know what they need until they try Identify Sources of Attributes –Data Integrity –Ownership issues –Cultural issues –Uses Data protection issues –Can I release this? Service and support –What to do on failure –How to support devolved systems

6 Technical Stages, Attribute Delivery Aggregation –Get Attributes from data stores Release –Decide what information you will release to whom Acceptance –Decide what information you will accept –From whom –In what format –Mapped to what variables on the server

7 Attribute Release Determined by Site ARP and User ARP e.g. Arp.xml + arp.ncr18.xml files User Arp can be from LDAP Tools for user control SHARPE- web based gui Explanation + Email address on support site +manual intervention Problems: too complex for users?

8 Attribute release ARP.xml EMOL service at EDINA urn:mace:ac.uk:thing:provider:service:emol.sdss.ac.uk urn:mace:ac.uk:thing:entitlement:emol.sdss.ac.uk:restricted

9 Attribute Acceptance Map attribute to server variables (Header=) Flexibility useful for supporting legacy e.g. Map ncr18 to REMOTE_USER for legacy.htaccess Map ncr18@ncl.ac.uk to REMOTE_USER for federated appsncr18@ncl.ac.uk Give Attribute alias for access config (Alias=) Allow unscoped-affiliation member Determine what you will accept from whom What Whom ncl.ac.uk

10 Attribute acceptance AAP.xml ^[M|m][E|e][M|m][B|b][E|e][R|r]$

11 Fed use: What was required Identify Attribute requirements of providers –Generally stated by the federation –Can be bilateral agreements –Generally not complicated Aggregate attributes Release

12 Simple Example Access to “Athens” journal resources Via shib login gateway shib >> athen assertion conversion Access to most journals Requires “Affiliation” attribute login id in active directory => Affiliated user Policy implication login = membership Problem for edge cases (Distance learning, NHS staff) Echo the affiliation <SimpleAttributeDefinition id=“urn:thing: eduPersonAffiliation">

13 Complex example Restricted access to online medical videos Autopsy videos Medic only Duplicate Athens medic restricted group Manually provisioned by medical librarians Problem identifying medics Students = on medical courses, identify diversity of courses keep up to date Staff = convince medical librarian they are a medic Solution only good for students Long term solution = Grouper?

14 Complex example <JDBCDataConnector id=" db6 " dbURL="jdbc:mysql://thing.ncl.ac.uk/courseData?user=thing &amp ;password=thing" dbDriver=" com.mysql.jdbc.Driver “ maxActive="10“ maxIdle="5"> SELECT course_code, CASE course_code WHEN 'A101' THEN 'urn:mace:ac.uk:thing:entitlelement:emol.sdss.ac.uk:restricted' WHEN 'A106' THEN 'urn:mace:ac.uk:thing:entitlement:emol.sdss.ac.uk:restricted' ELSE 'none' END as sdssentitlement FROM CMstudentdata WHERE loginid = ?

15 Lessons Learned – federated use Federated attribute usage is a nice well defined simple subset Shibboleth useable with messy composite Identity Infrastructures –It is much better not to need to Need for identity enrichment tools: e.g. medical staff Shib Technology is not the hard bit The identity management processes are Not going to go away

16 Internal use: What is required Access control to internal resources Valid users - e.g. Exam papers Group membership - research wikis Better usability of applications Auto population of form fields Nicer interaction “Hello Cal” not “Hello ncr18” Provisioning of applications Simple deployment of applications e.g. Sympa mediawiki

17 Example: Names sn GivenName Need: sn +givenName for Usability enhancements e.g. ncr18@ncl.ac.uk vs Caleb Racey, form pre-populationncr18@ncl.ac.uk Problem: Userbase split into staff and students Data in separate tables Solution: Union selects across tables. Question: possible if they are in separate DBs?

18 Example SELECT forenames as givenName, surname as sn FROM staff WHERE loginname = ? UNION SELECT forenames as givenName, surname as sn FROM student WHERE loginname = ?

19 Future Enhancements Scriptable attribute Aggregation <![CDATA[ Attributes attributes = dependencies.getConnectorResolution("directory"); Attribute affiliation = attributes.get("eduPersonAffiliation"); if (affiliation.size() > 0) { resolverAttribute.addValue("affiliate"); } ]]> Potential Use case: Active Directory Groups Group membership property of user object LDAP lookup not easy/possible?

20 Lessons Learned – internal use Attribute aggregation = valuable business process Expose via webservices? Duplicate? Just use shib? Reengineer identity infrastructure? Need identity enrichment tool for future apps Dspace - identify librarians Wikis sympa - research groups Allow Integration of applications into a platform Grouper Enable identity enrichment Add once, use anywhere

21 Usability enhancements Provide identifiers for self service apps Library number Smart card number Pay role number Auto populate forms Login name Email address First name, Surname Greater Personal Data visibility = better integrity? = higher initial support burden?

22 Provisioning Applications Benefits Simplifies institutional back ends AA abstracts business logic Authentication + authorisation + provisioning in one shot Reusable between applications Enables lightweight deployment techniques –No more 22,000 user databases No Imports, Updates, Suspensions, Removals, Reactivations, Reprovisioning. –Fewer deprovisioning headaches –Application accounts provisioned on first use –Login deactivated in one place

23 Provisioning examples MediaWiki PHP based Install Shibboleth extension Requires:username (eppn) email address (optional) Deployed by Graduate in 1st 3 months of job Sympa Mailing list manager Perl based Requires: Email Address Configure shibboleth login system Compatible with legacy (8000 lists)

24 Media wiki

25 Sympa

26 Provisioning Applications: Questions Dealing with external users Separate directory? Compatible data formats? Aggrageting multiple identity sources User data changes Change of institute ncr18@ncl becomes ncr18@dur Deprovisioning out of scope Does no login = no problem? Lack of data control? Who is provisioning? “Freedom of information” requests Question: is this any worse than other techniques?

27 Final Questions? Are ARPs usable by users, will they ever be? Attribute Aggregation Deal with messy institutional data stores? Instigate identity management review? Enhance identity stores? Glory in perfect present? Provisioning: Good idea or trouble brewing?

Download ppt "Tech Track: Attribute Delivery Newcastle University Caleb Racey"

Similar presentations

Grouper Training End Users Lite UI – External Users

Grouper Training End Users Lite UI – External Users
Agenda 2 factor authentication Smart cards Virtual smart cards FIM CM

Agenda 2 factor authentication Smart cards Virtual smart cards FIM CM
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
April 22nd 2008 Internet2 Spring member meeting Caleb Racey Newcastle University UK Studies in Advanced Access Management.

April 22nd 2008 Internet2 Spring member meeting Caleb Racey Newcastle University UK Studies in Advanced Access Management.
KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.

KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.
Unleashing the Power of Kinetic Bridging Ben Christenson Kinetic Data.

Unleashing the Power of Kinetic Bridging Ben Christenson Kinetic Data.
Shibboleth at Newcastle Caleb Racey Webteam ISS Shibboleth experiences Program  Background  What shib has enabled  Benefits of shib  How to do shib.

Shibboleth at Newcastle Caleb Racey Webteam ISS Shibboleth experiences Program  Background  What shib has enabled  Benefits of shib  How to do shib.
A case for Shibboleth and grid security: are we paranoid about identity? UK e-Science All Hands Meeting, 2006 Mark Norman 19 Sept 2006.

A case for Shibboleth and grid security: are we paranoid about identity? UK e-Science All Hands Meeting, 2006 Mark Norman 19 Sept 2006.
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
16/3/2015 META ACCESS MANAGEMENT SYSTEM Implementing Authorised Access Dr. Erik Vullings MAMS Programme Manager

16/3/2015 META ACCESS MANAGEMENT SYSTEM Implementing Authorised Access Dr. Erik Vullings MAMS Programme Manager
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
1 eAuthentication in Higher Education Tim Bornholtz Session #47.

1 eAuthentication in Higher Education Tim Bornholtz Session #47.
Identity Management: Services, Tools and Processes Cal Racey

Identity Management: Services, Tools and Processes Cal Racey
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
UPortal: A framework for the Personalization of Library Services John Fereira: Programmer/Analyst Cornell University Mann Library.

UPortal: A framework for the Personalization of Library Services John Fereira: Programmer/Analyst Cornell University Mann Library.
Case Study: Newcastle University

Case Study: Newcastle University
Asset: Academic Survey System & Evaluation Tool Bert G. Wachsmuth Seton Hall University.

Asset: Academic Survey System & Evaluation Tool Bert G. Wachsmuth Seton Hall University.
June 30, 2004CAMP Shibboleth Implementation Workshop Shibboleth Mockup - ARP GUI Management by Steven Carmody Brown University proxy Walter Hoehn.

June 30, 2004CAMP Shibboleth Implementation Workshop Shibboleth Mockup - ARP GUI Management by Steven Carmody Brown University proxy Walter Hoehn.
Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, 2004. This work is the intellectual property of the.

Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, This work is the intellectual property of the.

Similar presentations

Ads by Google