Shibboleth as Attribute Delivery for Authorization (transcript of a PowerPoint presentation by Renee Shuey, Penn State University, June 27, 2006)
Shibboleth as Attribute Delivery for Authorization
Renee Shuey, Penn State University
June 27, 2006
Outline
‣ PSU and ITS
‣ What Identity Management looks like at Penn State
‣ External attribute distribution
‣ Considerations when releasing attributes
‣ Wrap-up
A little bit about Penn State and ITS…
Penn State
‣ Established 1855, PA’s Land Grant
‣ 24 campus locations
‣ 80K students, 10K faculty, 10K staff
‣ $640M annual research expenditure
Components of IdM at Penn State
‣ Kerberos, DCE, Active Directory
‣ LDAP (eduPerson)
‣ Cosign (WebAccess is local branding)
‣ Shibboleth
‣ Member of InCommon
‣ “Access Account” - branding for Penn State identity (authn only available too), ~120K
‣ “Short Term Access Accounts” (authn only available too), 178/9104 as of 11AM today
‣ “Friends of Penn State” - branding for external identity, ~450K
Example of Access Account Uses
‣ WebMail
‣ eLion
‣ Filespace
‣ Employee Benefits
‣ Personal webspace
‣ LIAS (Library Resources)
‣ ANGEL (Course Management)
‣ Penn State Portal
‣ Time cards
‣ e-Portfolio
‣ General Stores – shopping online
‣ Parking permit applications
‣ Res Hall applications, network connections
‣ Travel services
‣ Office of Physical Plant – Customer Info Center
‣ Id+ Online
‣ WebForum
‣ Student Computer Labs
‣ Wireless authn
‣ VPN
‣ etc.
Examples of Short Term Access Account uses
‣ Temporary access to a computer lab
‣ Temporary access to wireless
‣ Helps solve the summer camp problem
‣ Continuing Education (big deal at non-UP campuses)
Examples of “Friends of Penn State” Uses
‣ ANGEL (Course Mgt)
‣ Undergraduate Admissions
‣ World Campus
‣ Registrar
‣ Office of Human Resources
‣ Outreach
‣ Bursar
‣ Counselor Training Program
Examples of Shib uses
‣ WebAssign
‣ Napster
‣ ANGEL
‣ Office of Student Aid (coming soon)
‣ Symplicity (coming soon)
‣ Worldwide University Network
‣ turnitin.com (coming soon)
‣ Lionshare
‣ Thomson Publishing (coming soon)
What attributes do we share with which service providers?
Example 1 - WebAssign
‣ Attributes Released
‣ eduPersonPrincipalName (EPPN)
‣ Physics course
‣ Common name
‣ Surname
‣ Given name
Example 2 - Turnitin
‣ Attributes Released:
‣ eduPersonPrincipalName
‣ eduPersonPrimaryAffiliation
‣ Given Name
‣ Surname
Example 3 – PHEAA (Pennsylvania Higher Education Assistance Agency)
‣ Attributes Released:
‣ eduPersonScopedAffiliation
‣ eduPersonAffiliation
‣ Given Name
‣ Surname
‣ Date of Birth
‣ Social Security Number
So… how did we decide what attributes can be released to an external service provider?
Using Example 1 - WebAssign
‣ Course information
‣ students pay directly for access to physics content
‣ Existing policies related to FERPA and student records (AD-11)
‣ “The following is a list of directory items that may be made available to the public regarding students of the University without their prior consent and is considered part of the public record of their attendance: “
‣ Confidentiality hold
Using Example 3 - PHEAA
‣ Current policies define what attributes, or combination of attributes, constitute a FERPA protected record
‣ AD-11 - University policy on confidentiality of student records
‣ Social Security Number
‣ AD-19 - Use of Penn State Identification and Social Security Number
‣ Requires special permission from Chief Privacy Officer
Summary of Process for Distributing Attributes
‣ Identify which attributes are “required” by service provider to complete transaction
‣ Work with appropriate people to verify attributes can be shared
‣ University affiliate, IdM administrators, Chief Privacy Officer, Data Stewards
‣ Shibboleth Identity provider admin creates attribute release policy
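As an added illustration (not part of the original slides, and not Shibboleth's own code or configuration), the following Python model shows the decision that the two "Using Example" slides and the process summary above describe: each service provider receives only the attributes its policy names (default deny), directory attributes are withheld for a student under a confidentiality hold, and a policy that names a restricted attribute such as the Social Security Number cannot be used without a recorded approval. The entityIDs, the `psuPhysicsCourse` attribute name, the sample user values, and the choice of which attributes count as directory information or as restricted are assumptions made for the example; in a real deployment the same decisions live in the identity provider's attribute release policy rather than in application code.

```python
# Added illustration: a minimal model of per-service-provider attribute
# release with default deny, a confidentiality-hold check and a sign-off
# gate for restricted attributes. Not Shibboleth's own code or config; the
# entityIDs, the 'psuPhysicsCourse' attribute name and the sample user are
# constructed for this example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Mapping, Optional

# Directory-information attributes: releasable without consent under the
# FERPA policy the deck cites (AD-11) but withheld when the student has a
# confidentiality hold. Which attributes belong here is an assumption.
DIRECTORY_ATTRIBUTES = frozenset({
    "cn", "sn", "givenName",
    "eduPersonAffiliation", "eduPersonPrimaryAffiliation",
    "eduPersonScopedAffiliation",
})

# Attributes that need special permission before any policy may release
# them. The deck names the SSN (AD-19); date of birth is added as an assumption.
RESTRICTED_ATTRIBUTES = frozenset({"socialSecurityNumber", "dateOfBirth"})


class PolicyError(ValueError):
    """Raised when a release policy is not allowed to exist as written."""


@dataclass(frozen=True)
class ReleasePolicy:
    sp_entity_id: str                  # the service provider this policy applies to
    attributes: FrozenSet[str]         # attribute names that may be released
    approved_by: Optional[str] = None  # sign-off recorded for restricted attributes


@dataclass
class User:
    attributes: Mapping[str, str]
    confidentiality_hold: bool = False


def validate_policy(policy: ReleasePolicy) -> None:
    """Refuse a policy that releases restricted attributes without recorded approval."""
    restricted = policy.attributes & RESTRICTED_ATTRIBUTES
    if restricted and not policy.approved_by:
        raise PolicyError(
            f"{policy.sp_entity_id}: {sorted(restricted)} require special permission"
        )


def resolve_release(policies: Mapping[str, ReleasePolicy],
                    sp_entity_id: str, user: User) -> Dict[str, str]:
    """Return the attributes to send to sp_entity_id for this user.

    Default deny: an SP without a policy gets nothing. Attributes the user
    does not have are skipped, and directory attributes are withheld while
    a confidentiality hold is in place.
    """
    policy = policies.get(sp_entity_id)
    if policy is None:
        return {}
    validate_policy(policy)
    released: Dict[str, str] = {}
    for name in sorted(policy.attributes):
        if name not in user.attributes:
            continue
        if user.confidentiality_hold and name in DIRECTORY_ATTRIBUTES:
            continue
        released[name] = user.attributes[name]
    return released


# Constructed policies mirroring the three examples on the slides.
POLICIES = {
    p.sp_entity_id: p for p in (
        ReleasePolicy("https://webassign.example/shibboleth",
                      frozenset({"eduPersonPrincipalName", "psuPhysicsCourse",
                                 "cn", "sn", "givenName"})),
        ReleasePolicy("https://turnitin.example/shibboleth",
                      frozenset({"eduPersonPrincipalName", "eduPersonPrimaryAffiliation",
                                 "givenName", "sn"})),
        ReleasePolicy("https://pheaa.example/shibboleth",
                      frozenset({"eduPersonScopedAffiliation", "eduPersonAffiliation",
                                 "givenName", "sn", "dateOfBirth", "socialSecurityNumber"}),
                      approved_by="Chief Privacy Officer"),
    )
}

# Constructed sample user; every value is a placeholder.
SAMPLE_USER = User({
    "eduPersonPrincipalName": "abc123@psu.edu",
    "cn": "Pat Example", "sn": "Example", "givenName": "Pat",
    "eduPersonAffiliation": "student",
    "eduPersonPrimaryAffiliation": "student",
    "eduPersonScopedAffiliation": "student@psu.edu",
    "psuPhysicsCourse": "PHYS 211",
    "dateOfBirth": "19880101",
    "socialSecurityNumber": "000-00-0000",
})

if __name__ == "__main__":
    for sp in POLICIES:
        print(sp, resolve_release(POLICIES, sp, SAMPLE_USER))
    print("with hold:", resolve_release(
        POLICIES, "https://webassign.example/shibboleth",
        User(SAMPLE_USER.attributes, confidentiality_hold=True)))
```

The validation step is where the process summary's "verify attributes can be shared" lands in code: the policy carrying the SSN loads only because an approval is recorded on it, and a policy that lists the SSN without one is rejected before any user data is touched.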
Points to Ponder
‣ Confidentiality hold
‣ Leverage well established business rules
‣ Personal management of attribute release (SHARPE)
‣ Third party policy
‣ Audits of TP security practices
‣ Addendums to contracts
The On-Going Challenge
‣ Good tools exist but that’s not enough
‣ The only thing standing between these principles & practices and making a big difference with them is:
‣ developing the institutional will to constantly improve IdM
‣ creating a groundswell of epiphanies across the university
Questions?