AAI @ TERENA, EUROCamp 2010, Dyonisius Visser [email protected], www.terena.org


Slide 1: AAI @ TERENA

EUROCamp 2010

Dyonisius Visser [email protected]

Slide 2: Where it all started

› REFEDS Wiki
› Dog food
› MediaWiki + SimpleSAMLphpAuth
› One SP
› Accumulated > 20 IdPs

Slide 3: Next SP comes along

› TACAR
› Will need to contact several IdPs again to exchange metadata
› 3rd SP
› 4th SP etc etc

Slide 4: Too many IdP-SP combinations

› Difficult to manage:

Slide 5: New approach: cheating

› Create one SP to connect all our IdPs to
› “Hide” all our REAL SPs behind that
› External IdPs only do business with a single TERENA SP
› We get to do fancy stuff at our magic SP

Slide 6


Slide 7: What could be the “?”

› Attribute injection
› authproc: SmartAttr.php

Slide 8: SmartAttr.php

› Generate globally unique identifier for ALL possible users
› Pick first available attribute name+value from:
  › eduPersonTargetedID
  › eduPersonPrincipalName
  › openid
  › sha1(salt.serialize(attributes))
› Append @$IdP
› Results:

Slide 9: SmartID examples

› urn:mace:dir:attribute-def:eduPersonTargetedID:[email protected]@https://login.terena.org/idp/saml2/idp/metadata.php

› urn:mace:dir:attribute-def:eduPersonPrincipalName:[email protected]@https://login.terena.org/idp/saml2/idp/metadata.php

› openid:https://www.google.com/accounts/o8/id?id=AItOawk1wEwIIRLSKf6kWb_1Rb0X00psc3lPqWU@https://login.terena.org/bridge/saml2/idp/metadata.php

Slide 10: More attributes

› Fullname: Stolen from Olav
› Organisation: first available from:
  › organizationName
  › Uppercase version of schacHomeOrganization, without TLD
  › Uppercase version of email domain without TLD
  › Uppercase version of eduPersonPrincipalName domain without TLD
  › String ‘MY_ORG’
› Country, fname, lname, email, etc
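The identifier and organisation logic of slides 8 to 10, written out as a SimpleSAMLphp 1.x-style authproc filter. This is an added example, not the TERENA SmartAttr.php from the presentation. Everything beyond what the slides state is an assumption: the base class SimpleSAML_Auth_ProcessingFilter and the request keys 'Attributes' and 'saml:sp:IdP' as SimpleSAMLphp 1.x supplies them, the module name "example", the output attribute names 'smartid' and 'smartorg', the 'sha1:' prefix on the hashed fallback, the urn:mace names used for mail, schacHomeOrganization and organizationName (match them to your attribute map), and the 'salt' configuration option.

```php
<?php
/*
 * Added example (not TERENA's SmartAttr.php): derives the SmartID of
 * slides 8-9 and the organisation value of slide 10.
 * Assumed, not from the slides: the SimpleSAMLphp 1.x base class and
 * request keys, module name "example", attribute names 'smartid' and
 * 'smartorg', the 'sha1:' prefix, the urn:mace names for mail,
 * schacHomeOrganization and organizationName, and the 'salt' option.
 */
class sspmod_example_Auth_Process_SmartAttr extends SimpleSAML_Auth_ProcessingFilter
{
    /* Identifier candidates in order of preference (slide 8). */
    private static $idCandidates = array(
        'urn:mace:dir:attribute-def:eduPersonTargetedID',
        'urn:mace:dir:attribute-def:eduPersonPrincipalName',
        'openid',
    );

    /* Secret salt for the hashed fallback; changing it changes every
     * hash-based SmartID, so keep it constant and out of version control. */
    private $salt;

    public function __construct($config, $reserved)
    {
        parent::__construct($config, $reserved);
        if (empty($config['salt'])) {
            throw new Exception('SmartAttr: a non-empty secret "salt" option is required');
        }
        $this->salt = $config['salt'];
    }

    public function process(&$request)
    {
        $attrs = $request['Attributes'];
        $idp = $request['saml:sp:IdP']; // entityID of the IdP that authenticated the user
        $request['Attributes']['smartid'] = array(self::smartId($attrs, $idp, $this->salt));
        $request['Attributes']['smartorg'] = array(self::organisation($attrs));
    }

    /* "name:value@IdP" for the first candidate present, otherwise a salted
     * hash of the whole attribute set. The "@IdP" suffix keeps identifiers
     * from two IdPs distinct even when both assert the same value. */
    public static function smartId(array $attrs, $idp, $salt)
    {
        foreach (self::$idCandidates as $name) {
            $value = self::first($attrs, $name);
            if ($value !== '') {
                return $name . ':' . $value . '@' . $idp;
            }
        }
        // Fallback: only as stable as the released attributes themselves.
        // ksort() so that IdP-side reordering alone does not change the hash.
        ksort($attrs);
        return 'sha1:' . sha1($salt . serialize($attrs)) . '@' . $idp;
    }

    /* Organisation fallback chain from slide 10. */
    public static function organisation(array $attrs)
    {
        $org = self::first($attrs, 'urn:mace:dir:attribute-def:organizationName');
        if ($org !== '') {
            return $org;
        }
        $domains = array(
            self::first($attrs, 'urn:mace:terena.org:attribute-def:schacHomeOrganization'),
            self::domainOf(self::first($attrs, 'urn:mace:dir:attribute-def:mail')),
            self::domainOf(self::first($attrs, 'urn:mace:dir:attribute-def:eduPersonPrincipalName')),
        );
        foreach ($domains as $domain) {
            $stripped = self::withoutTld($domain);
            if ($stripped !== '') {
                return strtoupper($stripped);
            }
        }
        return 'MY_ORG';
    }

    /* First value of a multi-valued attribute, or '' when absent. */
    private static function first(array $attrs, $name)
    {
        return isset($attrs[$name][0]) ? trim((string) $attrs[$name][0]) : '';
    }

    /* Part after the last '@' of "user@domain", or '' when there is none. */
    private static function domainOf($value)
    {
        $at = strrpos($value, '@');
        return $at === false ? '' : substr($value, $at + 1);
    }

    /* Drop the final dot-label: "terena.org" -> "terena". */
    private static function withoutTld($domain)
    {
        $dot = strrpos($domain, '.');
        return $dot === false ? $domain : substr($domain, 0, $dot);
    }
}
```

With the file placed in the assumed module as modules/example/lib/Auth/Process/SmartAttr.php, the filter is enabled from config/config.php with an entry such as 'authproc.sp' => array(50 => array('class' => 'example:SmartAttr', 'salt' => 'long-random-secret')). Three points a deployer should keep in mind: attribute values are treated as plain strings here, so an IdP that releases eduPersonTargetedID as a SAML NameID element needs its value extracted first; the hashed fallback changes whenever any released attribute changes (a renamed user gets a new identity), so it does not deliver the globally persistent ID that slide 13 lists as an open issue; and stripping only the last label means "example.ac.uk" becomes "EXAMPLE.AC". The identifier is also only as trustworthy as the asserting IdP, since the "@IdP" scoping separates IdPs from each other but cannot stop one IdP from asserting any value it likes within its own scope.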

Slide 11: Group membership

› To be implemented…

Slide 12: Concepts

› We will have homeless users -> guest accounts
› Everyone can log in to any service
› “logged-in” does not mean anything (well….)
› https://tnc2010.omega.terena.org
› One page to manage all your data (‘profile’ page)
› Similar to Switch.ch javascript sidebar
› To be implemented

Slide 13: Issues encountered

› Changing your SP metadata at remote parties takes a long time (the delay is non-technical), so think twice
› Non-federated users – don’t run ourselves
› Too many guest options now!!!
› Provisioning before users log in -> not possible
› Globally persistent ID

Slide 14