Shibboleth Attribute Release Policy Editing Tools: ShARPE and Autograph
DESCRIPTION
Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph. I2MM April 2006. Neil Witheridge, MAMS Project Manager, [email protected], http://federation.org.au/. Problem Statement. ARP Administration (ShARPE)
TRANSCRIPT
04/22/23 META ACCESS MANAGEMENT SYSTEM
Shibboleth Attribute Release Policy Editing Tools
ShARPE and Autograph
I2MM April 2006
Neil Witheridge, MAMS Project Manager
[email protected]
http://federation.org.au/
Problem Statement
ARP Administration (ShARPE)
ARP administrators need a 'zero effort' approach to implementing an access agreement with an SP: setting up site and group ARPs that supply the attributes the SP requires.
User Privacy Control (Autograph)
There is a 'real world' requirement for privacy management: end-user control over the release of privacy-sensitive attributes.
A 'zero-effort' GUI is required.
Evaluation Release
ShARPE and Autograph (version 0.7) released for evaluation purposes.
Elicitation of 'real world' requirements: as Shibboleth stakeholders (IdP and SP administrators and users), do these tools satisfy your requirements for ARP management?
Feedback requested on usefulness and usability.
Shibboleth Attribute Release Policy
Shibboleth provides for privacy control through Attribute Release Policies (ARPs): rules specifying which attributes may be released to an SP for IdP members in general, or for specific individuals.
[Diagram: after user authentication and delivery of an opaque handle to the SP, the SP's Attribute Consumer Service sends (1) a SAML Attribute Request carrying the handle to the IdP's Attribute Authority; the Attribute Authority applies the ARPs to the user's attributes and returns (2) a SAML Attribute Response, which the SP filters through its AAP (Attribute Acceptance Policy) before handing the attributes to the protected service.]
Info Available To Protected App
Via HTTP headers (standard header parameters):
  host = demo.federation.org.au
  user-agent = Mozilla/5.0; accept = …; accept-encoding = …; accept-charset = …
  Keep-Alive = 300; connection = keep-alive
  referer = https://openidp.mams.org.au/shibboleth-idp/SSO ...
  cookie = …
Shibboleth-specific parameters:
  Shib-Identity-Provider = urn:mace:federation.org.au:testfed:level-1:openidp.mams.org.au
  Shib-Authentication-Method = urn:oasis:names:tc:SAML:1.0:am:unspecified
User attributes:
  Shib-EP-UnscopedAffiliation = Staff;Physics
  Shib-Person-nickname = Sue
Note that the Shib-* values are written into the request by the Shibboleth SP module in front of the application; the application must read them only from requests that have passed through that module and must never trust client-supplied headers of the same name. A multi-valued attribute arrives as one header with the values separated by ';'.
Attributes – IdP context
Key:value pairs, e.g. eduPersonAffiliation:Physics
User information is stored within the institutional directory, e.g. LDAP
The directory schema determines the available keys (attribute names)
Standardised schemas, e.g. person, organizationalPerson, inetOrgPerson, eduPerson…
Custom schema for institution-specific data: elements that don't have a clear mapping to standard schemas
Attributes – SP context
Received user attributes (in the SAML assertion from the IdP) are the basis of access control: service or service-feature accessibility; service levels (not necessarily hierarchical)
Potential for complex attribute-based access control: university, campus, role, discipline, course, year, group…
SP attribute requirements must conform to a standard schema or be mappable from the IdP attribute schema
Current Shib Federations
Current generation of Shib Federations: 1st generation?
Simple approach to access control, attributes and attribute management
How will SPs use attributes as federated IAM evolves?
Greater use of user attributes for service differentiation
Increasing service complexity (service features) and demand for user attributes
Emerging Federated Services
Institutional repositories and CMSs: more fine-grained protection of resources based on user attributes
Virtual Organisations & GRID services: inter-organisational, national -> international collaboration
Virtual Librarian (MAMS service development): example MAMS Shibbolised service; needs a relatively rich set of attributes
Current ARP Management
SP attribute requirements agreed and negotiated manually (not scalable)
Site and user ARPs only, no group ARPs
Lack of service information for users (what attributes are required and released, and for what reason)
Lack of an interface for user ARP control: the user can't access the ARP files
Shibboleth ARP Editing Tools
Provide a GUI-based editor to enable ARP admins to implement access contracts and users to manage their ARPs
Provide visibility to the user of: attributes required by services; attributes released to services; the service received in return for attributes
Enable users to change their ARPs and hence exercise privacy control
New features
(In order to provide a comprehensive GUI for the creation of ARPs)
Group ARPs: current Shibboleth supports site and user ARPs only
Service Descriptions: comprehensive information about the SP's service, service levels and attribute requirements
Attribute Mapping: support for mapping between IdP and SP schemas
ShARPE – ARP Administrator
ARP admin:
Import Service Description (Physics research database from Sandstone Uni)
Create site ARP (all communities get bronze access)
Create group ARP (Physics community gets gold access)
[Screenshot: ShARPE, imported SandstoneUniServiceDescription.xml]
[Screenshot: arp.site.xml]
[Screenshot: arp.group.Physics.xml]
Autograph – IdP Member
IdP member: Susannah Halmay, Physics staff member
View attributes released
Deny release of attributes required for Gold access
[Screenshots: Autograph, resulting arp.user.sue.xml]
Group ARPs
How will contracts be established between an IdP and SPs?
Groups within institutions (IdPs) create agreements, maybe requiring subscription involving formal T&Cs and/or payment
An attribute release policy is defined for the group, including appropriate static values (e.g. a contract number)
Members receive that attribute release policy by virtue of group membership
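The layering the ShARPE and Autograph slides describe (a site ARP giving everyone bronze, a group ARP giving Physics members gold, and a user ARP in which Sue withholds the gold attributes) can be evaluated end to end. The following is an added example written for this page, not ShARPE or Shibboleth code. It assumes the Shibboleth 1.x ARP XML format (namespace urn:mace:shibboleth:arp:1.0), that the effective policy is the union of all applicable rules with deny taking precedence over permit, and that group ARPs are selected by the user's eduPersonAffiliation values, as the IdP configuration on the appendix slide does with <UserGroup>. The three ARP documents and the user records (bob, ann) are constructed for the demonstration.

```python
"""Effective attribute release from site + group + user ARPs (added example)."""
import xml.etree.ElementTree as ET

ARP_NS = "urn:mace:shibboleth:arp:1.0"
ATTR = "urn:mace:dir:attribute-def:"
SP_ID = "urn:mace:federation.org.au:testfed:level-1:federation.org.au"

# arp.site.xml (constructed): all communities get bronze access.
SITE_ARP = f"""<AttributeReleasePolicy xmlns="{ARP_NS}">
  <Description>Site ARP: release affiliation to the Sandstone service</Description>
  <Rule>
    <Target><Requester>{SP_ID}</Requester></Target>
    <Attribute name="{ATTR}eduPersonAffiliation"><AnyValue release="permit"/></Attribute>
  </Rule>
</AttributeReleasePolicy>"""

# arp.group.Physics.xml (constructed): the Physics community gets gold access.
GROUP_ARPS = {"Physics": f"""<AttributeReleasePolicy xmlns="{ARP_NS}">
  <Description>Group ARP: Physics members also release nickname and surname</Description>
  <Rule>
    <Target><Requester>{SP_ID}</Requester></Target>
    <Attribute name="{ATTR}eduPersonNickname"><AnyValue release="permit"/></Attribute>
    <Attribute name="{ATTR}sn"><AnyValue release="permit"/></Attribute>
  </Rule>
</AttributeReleasePolicy>"""}

# arp.user.sue.xml (constructed): what Autograph writes when Sue denies the gold attributes.
USER_ARPS = {"sue": f"""<AttributeReleasePolicy xmlns="{ARP_NS}">
  <Description>User ARP: Sue withholds nickname and surname</Description>
  <Rule>
    <Target><Requester>{SP_ID}</Requester></Target>
    <Attribute name="{ATTR}eduPersonNickname"><AnyValue release="deny"/></Attribute>
    <Attribute name="{ATTR}sn"><AnyValue release="deny"/></Attribute>
  </Rule>
</AttributeReleasePolicy>"""}


def parse_arp(xml_text):
    """Yield (requesters, attribute_name, value, release) for every rule entry.
    requesters is None for <AnyTarget/>; value is None for <AnyValue/>.
    <Resource> targets are not modelled in this example."""
    root = ET.fromstring(xml_text.strip())
    ns = {"arp": ARP_NS}
    for rule in root.findall("arp:Rule", ns):
        target = rule.find("arp:Target", ns)
        if target is None or target.find("arp:AnyTarget", ns) is not None:
            requesters = None
        else:
            requesters = {r.text.strip() for r in target.findall("arp:Requester", ns)}
        for attr in rule.findall("arp:Attribute", ns):
            for child in attr:
                tag = child.tag.rsplit("}", 1)[-1]
                value = None if tag == "AnyValue" else (child.text or "").strip()
                yield requesters, attr.get("name"), value, child.get("release")


def effective_release(arps, requester, user_attrs):
    """Union of permits from every applicable ARP minus every matching deny
    (deny beats permit), decided value by value."""
    permitted, denied = set(), set()
    for arp in arps:
        for requesters, name, rule_value, release in parse_arp(arp):
            if requesters is not None and requester not in requesters:
                continue  # rule targets a different SP
            for value in user_attrs.get(name, []):
                if rule_value is None or rule_value == value:
                    (permitted if release == "permit" else denied).add((name, value))
    released = {}
    for name, values in user_attrs.items():
        kept = [v for v in values if (name, v) in permitted and (name, v) not in denied]
        if kept:
            released[name] = kept
    return released


def release_for(principal, user_attrs, requester=SP_ID):
    """Select the site ARP, the group ARPs for the user's affiliations and the
    user's own ARP (if any), then evaluate them for one requesting SP."""
    groups = user_attrs.get(ATTR + "eduPersonAffiliation", [])
    arps = [SITE_ARP] + [GROUP_ARPS[g] for g in groups if g in GROUP_ARPS]
    if principal in USER_ARPS:
        arps.append(USER_ARPS[principal])
    return effective_release(arps, requester, user_attrs)


# User records: sue from the slides; bob and ann constructed.
SUE = {ATTR + "eduPersonAffiliation": ["Staff", "Physics"],
       ATTR + "eduPersonNickname": ["Sue"], ATTR + "sn": ["Halmay"]}
BOB = {ATTR + "eduPersonAffiliation": ["Staff", "Physics"],
       ATTR + "eduPersonNickname": ["Bob"], ATTR + "sn": ["Bloggs"]}
ANN = {ATTR + "eduPersonAffiliation": ["Researcher"], ATTR + "sn": ["Other"]}

if __name__ == "__main__":
    for who, attrs in (("sue", SUE), ("bob", BOB), ("ann", ANN)):
        print(who, "->", release_for(who, attrs))
```

Sue ends up releasing only her affiliation (the site ARP's permit survives, the group ARP's permits are cancelled by her denies), bob in Physics releases all three gold attributes, ann outside Physics gets bronze only, and an SP not named in any <Requester> receives nothing.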
Group Information sources
List of groups and IdP member group-membership information: institutional directory; flat files
Responsibility for Group ARP administration?
Future: Grouper & Signet
Service Descriptions
SP's service and service-level descriptions and attribute requirements
Services may provide service levels (different functionality) based on the supplied attributes, e.g. for an institutional repository or publisher: read access, adding comments/rank/annotations, submit access…
Comprehensive Service Provider information is needed by both admins and users for 'sensible' attribute management
ShARPE introduces 'Service Description' metadata to support a 'fully informative' GUI
Service Description Editor
[Screenshots: Service Description Editor]
Attribute Mapping
Requirement to map between IdP and SP schemas (standard/custom to standard/custom...)
Attribute mapping functions: one-to-one mapping; concatenation; static value assignment; hashing (e.g. TargetedID)
Examples:
  Simple: 'email' to 'mail', or 'gender' to 'sex'
  Complex: creating a targetedID, e.g. hash(concat(SPname, email))
Note that an unkeyed hash over the SP name and the email address can be recomputed by anyone who knows both values, so a targetedID meant to be an opaque, non-correlatable identifier needs a secret salt held at the IdP mixed into the hash.
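The four mapping functions listed on this slide, composed into one IdP-to-SP mapping, as an added example written for this page rather than ShARPE's resolver changes. The IdP record, the contract number and the salt are constructed. The slide's targetedID is hash(concat(SPname, email)); the salted variant that keys the hash with a secret known only to the IdP is an addition here and is not on the slide.

```python
"""IdP-schema to SP-schema attribute mapping (added example)."""
import base64
import hashlib

SP_ID = "urn:mace:federation.org.au:testfed:level-1:federation.org.au"

# Constructed IdP record using inetOrgPerson/eduPerson attribute names.
IDP_RECORD = {
    "mail": ["sue@idp.example"],
    "gender": ["F"],
    "givenName": ["Susannah"],
    "sn": ["Halmay"],
}


def one_to_one(record, src, dst):
    """Rename an attribute, e.g. 'mail' -> 'email' or 'gender' -> 'sex'."""
    return {dst: list(record[src])} if src in record else {}


def concatenation(record, sources, dst, sep=" "):
    """Join the first value of each source attribute into a single SP attribute.
    If any source is absent or empty the target attribute is simply not produced."""
    if not all(record.get(s) for s in sources):
        return {}
    return {dst: [sep.join(record[s][0] for s in sources)]}


def static_value(dst, value):
    """Assign a fixed value, e.g. the contract number of a group's agreement."""
    return {dst: [value]}


def targeted_id_slide(sp_name, email):
    """The slide's construction: hash(concat(SPname, email)) as SHA-1 hex.
    Unkeyed: anyone knowing the SP name and the address can recompute it."""
    return hashlib.sha1((sp_name + email).encode("utf-8")).hexdigest()


def targeted_id_salted(sp_name, email, salt):
    """Keyed variant (added here, not on the slide): a secret salt held at the
    IdP is mixed in, so outsiders cannot recompute or correlate the value."""
    material = f"{sp_name}!{email}!{salt}".encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def map_to_sp_schema(record, sp_name, salt, contract_number):
    """Compose the mapping functions into the SP's attribute set for one SP."""
    sp = {}
    sp.update(one_to_one(record, "mail", "email"))          # slide: email/mail
    sp.update(one_to_one(record, "gender", "sex"))          # slide: gender/sex
    sp.update(concatenation(record, ("givenName", "sn"), "displayName"))
    sp.update(static_value("contractNumber", contract_number))  # group-level static value
    if record.get("mail"):
        sp["targetedID"] = [targeted_id_salted(sp_name, record["mail"][0], salt)]
    return sp


if __name__ == "__main__":
    out = map_to_sp_schema(IDP_RECORD, SP_ID, "constructed-secret-salt", "SU-2006-0042")
    for name, values in out.items():
        print(f"{name} = {';'.join(values)}")
```

Because the SP identifier is part of the hashed material, the same user gets a different targetedID at every SP, which is the property that stops two SPs from correlating her across services; the salt is what stops anyone outside the IdP from rebuilding the table.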
Attribute Mapping GUI
[Screenshot: Attribute Mapping GUI]
Evaluating ShARPE & Autograph
View Flash demonstrations via http://www.federation.org.au/twiki/bin/view/Federation/ShARPE
Experiment with Autograph using a pre-configured 'openIdP': http://opensharpe.mams.org.au
Install your own evaluation IdP including ShARPE and Autograph:
  NMI-EDIT software release 9: http://www.federation.org.au/software/Autograph_ShARPE-0.7.zip
  MAMS' Easy Installation IdP with ShARPE: http://www.federation.org.au/software/installcd/
Evaluating ShARPE & Autograph (cont'd)
Install on top of an existing IdP: http://www.federation.org.au/software/Autograph_ShARPE-0.7.zip
Qualifications:
Attribute Mapping is optional functionality (it can be disabled at installation). Attribute mapping is relatively complex and changes the resolver file, so it is not intended to be deployed on production systems.
ShARPE and Autograph without attribute mapping only write to ARPs.
Thank you
Questions ?
Shibboleth Architecture
Shibboleth Federation components
[Diagram of the User, Identity Provider, WAYF and Service Provider:]
Service Provider: provides services accessible via the web; wants to focus on core business and avoid the risks of managing users' confidential info.
User: belongs to an organisation which manages her identity; has privacy concerns.
Identity Provider: secure identity management is a core business requirement.
WAYF: the Where Are You From service that sends the user to her own IdP.
Background: Shibboleth
Standards based (SAML); open source middleware
Provides Web Single Sign-On (SSO) across or within institutional boundaries; SSO using session cookies
Provides secure transfer of user attributes between the user's Identity Provider (IdP) and Service Providers (SPs)
Group Information sources
IdP configuration: the ARP repository with two GroupLookup sources, one resolving group membership from the attribute resolver (eduPersonAffiliation) and one from a flat property file.

  <ReleasePolicyEngine>
    <ArpRepository implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.provider.MAMSFileSystemArpRepository">
      <Path>file:/usr/local/shibboleth-idp/etc/arps/</Path>
      <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.AttributeResolverGroupLookup">
        <ResolverConfig implementation="edu.internet2.middleware.shibboleth.aa.attrresolv.MAMSAttributeResolver">
          file:///usr/local/shibboleth-idp/etc/resolver.ldap.xml
        </ResolverConfig>
        <UserGroup>urn:mace:dir:attribute-def:eduPersonAffiliation</UserGroup>
      </GroupLookup>
      <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.PropertyFileGroupLookup" separator="%PRINCIPAL%.">
        <PropertyFile>file:///usr/local/shibboleth-idp/etc/sample.grouplookup.properties</PropertyFile>
        <GroupListing>institutionalGroupList</GroupListing>
        <GroupListing>groupList</GroupListing>
      </GroupLookup>
    </ArpRepository>
  </ReleasePolicyEngine>
Group Information sources
Example of group names in a flat file:

  debian> cd /usr/local/shibboleth-idp/etc
  debian> cat sample.grouplookup.properties
  #Sample group lookup using PropertyFileGroupLookup
  #this defines institutional-wide groups
  institutionalGroupList=Administrator, Staff, Researcher
  #an example of local groups
  groupList=Library, Physics, Biology, Walk-in
  #user based attributes specifying the groups
  #ann.eduPersonAffiliation=Researcher
  #staff.eduPersonAffiliation=Staff
  #librarian.eduPersonAffiliation=HeadOfSchool, Staff, Librarian
  debian>
Service Description Schema
The SD XML schema includes the following @attributes and elements:
Service Provider: identifier, name, location, description, service-independent attributes
Service: @identifier, name, description, location, reference, service-specific level-independent attributes
Service Level: @identifier, name, description, reference, level-specific attributes
Service Description Example

  <ServiceProvider …>
    <ServiceProviderIdentifier>urn:mace:federation.org.au:testfed:level-1:federation.org.au</ServiceProviderIdentifier>
    <ServiceProviderName xml:lang="en">Sandstone University</ServiceProviderName>
    <ServiceProviderLocation xml:lang="en">https://demo.federation.org.au</ServiceProviderLocation>
    <ServiceProviderDescription xml:lang="en">Online Services for Physics Researchers</ServiceProviderDescription>
    <Service identifier="sandstoneuni:physicsdatabase">
      <ServiceName xml:lang="en">Laser and Optical Physics Database</ServiceName>
      <ServiceDescription xml:lang="en">Data Generated by Physics Researchers</ServiceDescription>
      <ServiceLocation xml:lang="en">https://demo.federation.org.au/SharpeJSPDemo/demo.jsp</ServiceLocation>
      <ServiceLevel identifier="gold">
        <ServiceLevelName xml:lang="en">Gold Access</ServiceLevelName>
        <ServiceLevelDescription xml:lang="en">Search, View, Query, Comment on Data</ServiceLevelDescription>
        <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation" FriendlyName="your affiliation" isRequired="true"/>
        <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonNickname" FriendlyName="your nickname" isRequired="true"/>
        <md:RequestedAttribute Name="urn:mace:dir:attribute-def:sn" FriendlyName="surname" isRequired="true"/>
      </ServiceLevel>
      <ServiceLevel identifier="silver">…</ServiceLevel>
      <ServiceLevel identifier="bronze">…</ServiceLevel>
    </Service>
  </ServiceProvider>
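The SP side of the story told across the 'Attributes – SP context' slide, the HTTP header listing and the Service Description example above is the decision of which service level a user actually qualifies for, given the attributes the IdP released. The following is an added example written for this page, not ShARPE code. It assumes that the Service Description elements carry no namespace and that the md: prefix is the SAML 2.0 metadata namespace; the silver and bronze levels, elided on the slide, are constructed here (silver: affiliation and surname required, nickname optional; bronze: affiliation only), as is the Shib-Person-surname header name and the header-to-attribute mapping, which stands in for the SP's Attribute Acceptance Policy.

```python
"""Which service level do the released attributes unlock? (added example)"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ATTR = "urn:mace:dir:attribute-def:"
LEVEL_ORDER = ("gold", "silver", "bronze")  # best level first (constructed ordering)

# The slide's Service Description, with silver and bronze filled in for this example.
SERVICE_DESCRIPTION = f"""<ServiceProvider xmlns:md="{MD}">
  <ServiceProviderIdentifier>urn:mace:federation.org.au:testfed:level-1:federation.org.au</ServiceProviderIdentifier>
  <ServiceProviderName xml:lang="en">Sandstone University</ServiceProviderName>
  <Service identifier="sandstoneuni:physicsdatabase">
    <ServiceName xml:lang="en">Laser and Optical Physics Database</ServiceName>
    <ServiceLevel identifier="gold">
      <ServiceLevelName xml:lang="en">Gold Access</ServiceLevelName>
      <md:RequestedAttribute Name="{ATTR}eduPersonAffiliation" FriendlyName="your affiliation" isRequired="true"/>
      <md:RequestedAttribute Name="{ATTR}eduPersonNickname" FriendlyName="your nickname" isRequired="true"/>
      <md:RequestedAttribute Name="{ATTR}sn" FriendlyName="surname" isRequired="true"/>
    </ServiceLevel>
    <ServiceLevel identifier="silver">
      <md:RequestedAttribute Name="{ATTR}eduPersonAffiliation" isRequired="true"/>
      <md:RequestedAttribute Name="{ATTR}sn" isRequired="true"/>
      <md:RequestedAttribute Name="{ATTR}eduPersonNickname" isRequired="false"/>
    </ServiceLevel>
    <ServiceLevel identifier="bronze">
      <md:RequestedAttribute Name="{ATTR}eduPersonAffiliation" isRequired="true"/>
    </ServiceLevel>
  </Service>
</ServiceProvider>"""

# Stand-in for the SP's AAP: header name -> attribute URN (Shib-Person-surname is constructed).
HEADER_TO_ATTR = {
    "Shib-EP-UnscopedAffiliation": ATTR + "eduPersonAffiliation",
    "Shib-Person-nickname": ATTR + "eduPersonNickname",
    "Shib-Person-surname": ATTR + "sn",
}

# Headers as listed on the 'Info Available To Protected App' slide.
SLIDE_HEADERS = {
    "host": "demo.federation.org.au",
    "Shib-Identity-Provider": "urn:mace:federation.org.au:testfed:level-1:openidp.mams.org.au",
    "Shib-Authentication-Method": "urn:oasis:names:tc:SAML:1.0:am:unspecified",
    "Shib-EP-UnscopedAffiliation": "Staff;Physics",
    "Shib-Person-nickname": "Sue",
}
FULL_HEADERS = dict(SLIDE_HEADERS, **{"Shib-Person-surname": "Halmay"})  # constructed


def parse_service_description(xml_text):
    """Return {service_id: {level_id: {attribute_urn: is_required}}}."""
    root = ET.fromstring(xml_text.strip())
    services = {}
    for svc in root.findall("Service"):
        levels = {}
        for lvl in svc.findall("ServiceLevel"):
            reqs = {}
            for ra in lvl.findall(f"{{{MD}}}RequestedAttribute"):
                reqs[ra.get("Name")] = ra.get("isRequired", "false").lower() == "true"
            levels[lvl.get("identifier")] = reqs
        services[svc.get("identifier")] = levels
    return services


def released_attributes(headers):
    """Map the Shib-* headers the SP module set to attribute URNs; ';' separates values.
    Only the header names in HEADER_TO_ATTR are consulted, never arbitrary headers."""
    out = {}
    for hdr, urn in HEADER_TO_ATTR.items():
        if headers.get(hdr):
            out[urn] = [v for v in headers[hdr].split(";") if v]
    return out


def missing_for_level(level_reqs, released):
    """Required attributes of one level that were not released."""
    return sorted(urn for urn, required in level_reqs.items() if required and urn not in released)


def best_level(levels, released, order=LEVEL_ORDER):
    """Highest level whose every isRequired attribute was released, else None."""
    for level in order:
        if level in levels and not missing_for_level(levels[level], released):
            return level
    return None


if __name__ == "__main__":
    levels = parse_service_description(SERVICE_DESCRIPTION)["sandstoneuni:physicsdatabase"]
    for label, hdrs in (("slide headers", SLIDE_HEADERS), ("with surname", FULL_HEADERS)):
        rel = released_attributes(hdrs)
        print(label, "->", best_level(levels, rel), "missing for gold:", missing_for_level(levels["gold"], rel))
```

With exactly the headers shown on the slide, the user lands on bronze: gold and silver both require sn, which was not released. Adding the surname unlocks gold, while affiliation plus surname without a nickname gives silver, which is the kind of attribute-driven service differentiation the SP-context slide anticipates.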