shibboleth as attribute delivery for authorization renee shuey penn state university june 27, 2006

Shibboleth as Attribute Delivery for Authorization

Renee ShueyPenn State University

June 27, 2006

Outline

‣ PSU and ITS

‣ What Identity Management looks like at Penn State

‣ External attribute distribution

‣ Considerations when releasing attributes

‣ Wrap-up

A little bit about Penn State and ITS…

Penn State

Penn State

‣ Established 1855, PA’s Land Grant

‣ 24 campus locations

‣ 80K students, 10K faculty, 10K staff

‣ $640M annual research expenditure

Information Technology Services

atPenn State

Components of IdMat Penn State

‣ Kerberos, DCE, Active Directory

‣ LDAP (eduPerson)

‣ Cosign (WebAccess is local branding)

‣ Shibboleth

‣ Member of InCommon

‣ “Access Account” - branding for Penn State identity (authn only available too), ~120K

‣ “Short Term Access Accounts” (authn only available too)

‣ “Friends of Penn State” - branding for external identity, ~450K

Example of Access Account Uses

‣ WebMail

‣ eLion

‣ Filespace

‣ Employee Benefits

‣ Personal webspace

‣ LIAS (Library Resources)

‣ ANGEL (Course Management)

‣ Penn State Portal

‣ Time cards

‣ e-Portfolio

‣ General Stores – shopping online

‣ Parking permit applications

‣ Res Hall applications, network connections

‣ Travel services

‣ Office of Physical Plant –Customer Info Center

‣ Id+ Online

‣ WebForum

‣ Student Computer Labs

‣ Wireless authn

‣ VPN

‣ etc.

Examples of Short Term Access Account uses

‣ Temporary access to a computer lab

‣ Temporary access to wireless

‣ Helps solve the summer camp problem

‣ Continuing Education (big deal at non-UP campuses)

Examples of“Friends of Penn State” Uses

‣ ANGEL (Course Mgt)

‣ Undergraduate Admissions

‣ World Campus

‣ Registrar

‣ Office of Human Resources

‣ Outreach

‣ Bursar

‣ Counselor Training Program

Examples of Shib uses

‣ WebAssign

‣ Napster

‣ ANGEL

‣ Office of Student Aid (coming soon)

‣ Symplicity (coming soon)

‣ Worldwide University Network

‣ turnitin.com (coming soon)

‣ Lionshare

‣ Thomson Publishing (coming soon)

What attributes do we share with which service

providers?

Example 1 - WebAssign

‣ Attributes Released

‣ eduPersonPrincipalName (EPPN)

‣ Physics course

‣ Common name

‣ Surname

‣ Given name

Example 2 - Turnitin

‣ Attributes Released:

‣ eduPersonPrincipalName

‣ eduPersonPrimaryAffiliation

‣ Given Name

‣ Surname

Example 3 – PHEAA(Pennsylvania Higher Education Assistance

Agency)

‣ Attributes Released:

‣ eduPersonScopedAffiliation

‣ eduPersonAffiliation

‣ Given Name

‣ Surname

‣ Date of Birth

‣ Social Security Number      

So….how did we decide what

attributes can be released to an

external service provider?

Using Example 1 - WebAssign

‣ Course information

‣ students pay directly for access to physics content

‣ Existing policies related to FERPA and student records (AD-11)

‣ “The following is a list of directory items that may be made available to the public regarding students of the University without their prior consent and is considered part of the public record of their attendance: “

‣ Confidentiality hold

Using Example 3 - PHEAA

‣ Current policies define what attributes, or combination of attributes, constitute a FERPA protected record

‣ AD-11 - University policy on confidentiality of student records

‣ Social Security Number

‣ AD-19 - Use of Penn State Identification and Social Security Number

‣ Requires special permission from Chief Privacy Officer

Summary of Process for Distributing Attributes

‣ Identify which attributes are “required” by service provider to complete transaction

‣ Work with appropriate people to verify attributes can be shared

‣ University affiliate, IdM administrators, Chief Privacy Officer, Data Stewards

‣ Shibboleth Identity provider admin creates attribute release policy

Points to Ponder‣ Confidentiality hold

‣ Leverage well established business rules

‣ Personal management of attribute release (Autograph)

‣ Third party policy

‣ Audits of TP security practices

‣ Addendums to contracts (mutual non-disclosure)

The On-Going Challenge

‣ Good tools exist but that’s not enough

‣ The only thing standing between these principles & practices and making a big difference with them is:

‣ developing the institutional will to constantly improve IdM

‣ creating a groundswell of epiphanies across the university

Questions?