
1 Shibboleth Development and Support Services. SAML Protected Resources: the theory and practice of granularity and management data. Ed Dee, EDINA.

2 JIBS User Group, 16 June 2010. EDINA:
– Service provider: Digimap, Film & Sound Online, etc.
– Identity provider: various
– Federated access: SDSS Federation
– UKAMF: metadata management and technical support

3 Where lies the guilt? Granularity and lack of management data from SAML protected resources. [Chart: service providers, identity providers, UK Access Management Federation, user community; segment labels 50%, 30%, 10%]

4 SAML: Security Assertion Markup Language. A standard for exchanging authentication and authorisation information between an Identity Provider (IdP) and a Service Provider (SP).

5 The Questions. Pussy cat, pussy cat, where have you been? I've been down to London to visit the Queen. Pussy cat, pussy cat, what did you there? I frightened a little mouse under her chair.

6 Shibboleth flow diagram [diagram]

7 Technical stuff [diagram: the User; the Identity Provider with its Attribute Database and Federation Metadata; the Service Provider with its Authorisation Database and Federation Metadata; the Resource; the SAML dialogue between IdP and SP]

8 SAML Dialogue
Uninteresting (to us):
– Initiation/termination
– Security
Interesting (to us):
– Scope information: institution/service, i.e. who you are
– Attributes: user-specific information

9 Q1: Pussy cat, pussy cat, where have you been?
From the IdP:
– What resources are being used
– Who is using them
Shibboleth 2.x IdPs only:
– Not outsourced IdPs
– Not non-Shibboleth IdPs
– Not Shibboleth 1.3 IdPs (end of support life 30 June 2010)

10 Q1: Pussy cat, pussy cat, where have you been?
Shibboleth 2 IdP audit log:
– Who (ePPN)
– When (time stamp)
– What (relying party ID)
https://spaces.internet2.edu/display/SHIB2/IdPLogging
[diagram: audit log(s), federation metadata and the attribute database feed an analysis application that produces access reports]
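As an added example (not material from the slides, and not Raptor code), here is the kind of analysis the slide describes, in Python: reading Shibboleth IdP 2.x audit-log lines and producing a per-relying-party access report. The pipe-delimited field order is an assumption taken from the IdP 2.x logging documentation linked above, so verify it against a real idp-audit.log before trusting column positions; the log lines, entity IDs and usernames are constructed. Note that the "who" column the IdP writes is its internal principalName, which is not necessarily the ePPN the SP sees.

```python
"""Access report from Shibboleth IdP 2.x audit-log lines (added example).

ASSUMPTION: the field order in FIELDS is taken from the IdP 2.x
IdPLogging documentation; check it against a real idp-audit.log before
relying on it, because the report silently mis-attributes logins if the
column positions are wrong.
"""
from collections import defaultdict
from datetime import datetime

FIELDS = [
    "auditEventTime", "requestBinding", "requestId", "relyingPartyId",
    "messageProfileId", "assertingPartyId", "responseBinding", "responseId",
    "principalName", "authNMethod", "releasedAttributeIds", "nameIdentifier",
    "assertionIds",
]

# Constructed sample: one IdP, two SPs (placeholder hostnames), two users,
# plus one line with an empty principalName to exercise that edge case.
IDP = "https://idp.example.ac.uk/idp/shibboleth"
SP1 = "https://sp1.example.ac.uk/shibboleth"
SP2 = "https://sp2.example.ac.uk/shibboleth"
SSO = "urn:mace:shibboleth:2.0:profiles:saml2:sso"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AUTHN = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def _line(ts, sp, n, user, attrs):
    """Build one constructed audit line in the assumed field order."""
    return "|".join([ts, REDIRECT, f"_req{n}", sp, SSO, IDP, POST, f"_res{n}",
                     user, AUTHN if user else "", attrs, f"_nid{n}", f"_a{n},", ""])


SAMPLE_LOG = "\n".join([
    _line("20100616T090512Z", SP1, 1, "alice", "eduPersonScopedAffiliation,eduPersonTargetedID,"),
    _line("20100616T091003Z", SP1, 2, "bob", "eduPersonScopedAffiliation,eduPersonTargetedID,"),
    _line("20100616T091530Z", SP1, 3, "alice", "eduPersonScopedAffiliation,eduPersonTargetedID,"),
    _line("20100616T101122Z", SP2, 4, "alice", "eduPersonScopedAffiliation,"),
    _line("20100616T101500Z", SP1, 5, "", ""),
])


def parse_audit_line(line):
    """Split one audit line into a dict. Lines with too few fields raise
    rather than being guessed at, so a changed log format is noticed."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) < len(FIELDS):
        raise ValueError(f"audit line has {len(parts)} fields, expected {len(FIELDS)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["auditEventTime"] = datetime.strptime(rec["auditEventTime"], "%Y%m%dT%H%M%SZ")
    rec["releasedAttributeIds"] = [a for a in rec["releasedAttributeIds"].split(",") if a]
    return rec


def access_report(log_text):
    """Per relying party: login count, distinct users, attributes released,
    first and last login. Lines with an empty principalName are not user
    logins and are counted separately so they do not inflate the figures."""
    per_rp = defaultdict(lambda: {"logins": 0, "users": set(), "attributes": set(),
                                  "first": None, "last": None})
    no_principal = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        if not rec["principalName"]:
            no_principal += 1
            continue
        entry = per_rp[rec["relyingPartyId"]]
        entry["logins"] += 1
        entry["users"].add(rec["principalName"])
        entry["attributes"].update(rec["releasedAttributeIds"])
        t = rec["auditEventTime"]
        entry["first"] = t if entry["first"] is None else min(entry["first"], t)
        entry["last"] = t if entry["last"] is None else max(entry["last"], t)
    report = {
        rp: {"logins": e["logins"], "distinct_users": len(e["users"]),
             "users": sorted(e["users"]), "attributes": sorted(e["attributes"]),
             "first": e["first"], "last": e["last"]}
        for rp, e in per_rp.items()
    }
    return report, no_principal


if __name__ == "__main__":
    report, skipped = access_report(SAMPLE_LOG)
    for rp, e in sorted(report.items()):
        print(f"{rp}: {e['logins']} logins, {e['distinct_users']} users, "
              f"attributes={e['attributes']}, {e['first']} .. {e['last']}")
    print(f"lines without a principal (not counted): {skipped}")
```

The report answers the slide's two questions (which resources, who) only at the level the audit log supports: the IdP knows its own users, but the attributes released column shows that what the SP learns about them is limited to what the release policy allowed.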

11 Tools. Project Raptor:
– Software toolkit for reporting e-resource usage statistics
– Shibboleth 2 IdPs and EZproxy
– http://iam.cf.ac.uk/trac/RAPTOR
– JISC + Cardiff University + Kidderminster College
– V1.0 due Feb 2011

12 Q2: Pussy cat, pussy cat, what did you there?
Cannot come from the IdP. Must come from the SP:
– What does the SP know about the user?
[diagram: the Identity Provider's Attribute Database releases attributes to the Service Provider, which fronts the Resource for the User]

13 Attributes: eduPerson object class
– Core: targeted ID; principal name; [scoped] affiliation; entitlement
– Other: nickname; org [unit] DN
http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200604.html

14 Granularity: core attributes
– [Scoped] affiliation: scope, and Member | {Staff | Student | Employee | Affiliate | Alum | library-walk-in}
– Entitlement: service- and user-specific conditions, e.g. urn:mace:dir:entitlement:common-lib-terms
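To make the granularity point concrete, here is an added Python example (not from the slides) of the SP-side authorisation decision these two core attributes support. It includes the check a Shibboleth SP applies to scoped values: the scope is trusted only if federation metadata registers the asserting IdP for it, otherwise one institution could assert membership of another. The metadata table, entity IDs and scopes are constructed placeholders.

```python
"""SP-side authorisation on scoped affiliation and entitlement (added example).

The METADATA_SCOPES table is a constructed stand-in for the <shibmd:Scope>
elements a federation publishes for each IdP; entity IDs and scopes are
placeholders.
"""
AFFILIATIONS = {"member", "staff", "student", "employee", "affiliate", "alum", "library-walk-in"}
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"

# entityID -> scopes the IdP is registered to assert (constructed)
METADATA_SCOPES = {
    "https://idp.example.ac.uk/idp/shibboleth": {"example.ac.uk"},
    "https://idp.other.ac.uk/idp/shibboleth": {"other.ac.uk"},
}


def trusted_affiliations(values, asserting_idp, metadata=METADATA_SCOPES):
    """Return (affiliation, scope) pairs the SP may rely on.

    Values whose scope the asserting IdP is not registered for are dropped
    outright, not merely flagged: accepting them would let any IdP claim
    membership of any institution. Unscoped values in a scoped attribute
    and unknown affiliation vocabulary are ignored too."""
    allowed = {s.lower() for s in metadata.get(asserting_idp, ())}
    kept = []
    for v in values:
        aff, sep, scope = v.rpartition("@")
        if not sep or not aff:
            continue
        aff, scope = aff.lower(), scope.lower()
        if aff in AFFILIATIONS and scope in allowed:
            kept.append((aff, scope))
    return kept


def authorise(attributes, asserting_idp, licensed_scopes, require_entitlement=False):
    """Decide access to a resource licensed to the institutions in licensed_scopes.

    Scoped affiliation answers only "is this person some kind of member of a
    licensed institution?", which is exactly the granularity limit the slides
    describe. Where the licence demands it, the common-lib-terms entitlement
    must also be asserted by the IdP. Returns (allowed, reason)."""
    affs = trusted_affiliations(attributes.get("eduPersonScopedAffiliation", []), asserting_idp)
    licensed = [(a, s) for a, s in affs if s in licensed_scopes]
    if not licensed:
        return False, "no trusted affiliation with a licensed scope"
    entitlements = attributes.get("eduPersonEntitlement", [])
    if require_entitlement and COMMON_LIB_TERMS not in entitlements:
        return False, "common-lib-terms entitlement not asserted"
    return True, f"{licensed[0][0]}@{licensed[0][1]}"


if __name__ == "__main__":
    idp = "https://idp.example.ac.uk/idp/shibboleth"
    # Constructed attribute sets as an SP would receive them from that IdP.
    cases = {
        "staff with entitlement": {"eduPersonScopedAffiliation": ["staff@example.ac.uk"],
                                   "eduPersonEntitlement": [COMMON_LIB_TERMS]},
        "forged foreign scope": {"eduPersonScopedAffiliation": ["member@other.ac.uk"]},
        "walk-in, no entitlement": {"eduPersonScopedAffiliation": ["library-walk-in@example.ac.uk"]},
    }
    for name, attrs in cases.items():
        print(name, "->", authorise(attrs, idp, {"example.ac.uk", "other.ac.uk"}, require_entitlement=True))
```

The "forged foreign scope" case is the one to keep in mind when reading the rest of the slides: the SP's trust in a scope comes from federation metadata, not from the attribute value, so the SP can tell which institution a user belongs to but nothing finer unless the IdP releases more.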

15 On Passing Attributes. Photo: Library of Virginia / Flickr

16 EDINA Digimap asks for:
– [Scoped] affiliation
– Targeted ID
– Principal name
– Title
– Givenname
– Sn [surname]
– O [organisation]
– Ou [organisational unit]
– Mail
http://www.ukfederation.org.uk/content/Documents/AttributeUsage

17 Reality [diagram: the Attribute Release Policy sits between the Identity Provider and the Service Provider]

18 Reality. Most IdPs give out only:
– [Scoped] affiliation: organisational affiliation (ePSA). The SP cannot determine department etc.; ePSA is often just member@xxx.ac.uk.
– Targeted ID: service-specific, opaque ID (ePTI). The SP cannot determine the user, and cannot correlate usage between services.
Many IdPs cannot handle entitlement.
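Why the targeted ID stops the SP correlating usage between services, as an added Python example (not from the slides). It assumes the "computed ID" scheme documented for the IdP 2.x attribute resolver, Base64 of SHA-1 over relyingPartyId + "!" + sourceId + "!" + salt; the salt, entity IDs and usernames are constructed. It also shows the caveat a practitioner should keep in mind: the opacity rests entirely on the IdP's salt staying secret, since anyone holding the salt can re-derive IDs for a list of candidate usernames.

```python
"""Targeted ID per relying party, and why it is only as opaque as the salt (added example).

ASSUMPTION: computed_id() mirrors the IdP 2.x "computed ID" generator as
documented for attribute-resolver.xml (Base64 of SHA-1 over
relyingPartyId + "!" + sourceId + "!" + salt). Salt and identifiers are
constructed; use this to reason about the property, not as a reference
implementation.
"""
import base64
import hashlib


def computed_id(relying_party_id, source_id, salt):
    """Derive the opaque, per-SP identifier for one user."""
    digest = hashlib.sha1()
    digest.update(relying_party_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def recover_user(targeted_id, relying_party_id, candidate_users, salt):
    """What becomes possible if the salt leaks: re-derive the ID for each
    candidate username until one matches. With the salt secret this is
    infeasible; with it known, opacity depends only on the candidate list
    being unguessable, which usernames rarely are."""
    for user in candidate_users:
        if computed_id(relying_party_id, user, salt) == targeted_id:
            return user
    return None


if __name__ == "__main__":
    salt = b"constructed-secret-salt"            # constructed, never reuse
    sp1 = "https://sp1.example.ac.uk/shibboleth"  # constructed entity IDs
    sp2 = "https://sp2.example.ac.uk/shibboleth"
    print("alice at sp1:", computed_id(sp1, "alice", salt))
    print("alice at sp2:", computed_id(sp2, "alice", salt))  # differs: no cross-service join
    print("bob   at sp1:", computed_id(sp1, "bob", salt))
    leaked = recover_user(computed_id(sp1, "alice", salt), sp1, ["bob", "carol", "alice"], salt)
    print("with leaked salt, sp1's ID resolves to:", leaked)
```

Two SPs that both hold a targeted ID for the same person hold two unrelated strings, which is the property the slide relies on; the IdP can still join them, because it holds the salt, which is why the audit log on the IdP side (slide 10) answers "where have you been" while the SP side cannot.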

19 "No one really asks us much for ARP changes." – IdP administrator

20 Why?
IdPs:
– Fear of data protection legislation
– No inclination; no capabilities
– No SPs ask for it
SPs:
– Not available from IdPs
– No use for the data

21 Stable deadlock. Too hard to ask, so SPs don't; IdPs get no requests and think all is well.

22 What do SPs do?
Personalisation:
– Registration system
– Registration database
Usage statistics:
– Merge logs and registration details
EDINA Digimap: users / status / department

23 Attribute release progression: basic attributes, then extended attributes, then personal attributes.

24 Towards agreement. Forums:
– Small scale
– Application-area specific
– Agree what is desirable
– Agree what is possible
– Experiment, agree, deploy; do not theorise. No top-down dictate.

25 NESLi2 JISC Statistics Portal
– Cranfield, Birmingham City University, MIMAS
– Database/journal/article level reporting
– Oct 2009 – Dec 2010
– A "one-stop shop" where institutions could go to view and download their own usage reports from NESLi2 publishers
– http://www.jusp.mimas.ac.uk/

26 Granularity and management data. Technically the capabilities exist. The obstacle is natural inertia, and the problem is large: UKAMF has 800+ members, 440+ SPs and 630+ IdPs. It is user driven; tackle it from the bottom up.

