Shibboleth Attribute Release Policy Editing Tools (ShARPE)
DESCRIPTION
Shibboleth Attribute Release Policy Editing Tools (ShARPE). CAMP Shib, June 2006. Bruc Lee Liong, [email protected], http://federation.org.au. Topics: ShARPE & Autograph GUI; SP Description Metadata; Group ARP; Attribute Mapping; Policy Filter Chain.
TRANSCRIPT
Shibboleth Attribute Release Policy Editing Tools
ShARPE
CAMP Shib, June 2006
Bruc Lee Liong, [email protected]
http://federation.org.au
META ACCESS MANAGEMENT SYSTEM
Topics
ShARPE & Autograph GUI
SP Description Metadata
Group ARP
Attribute Mapping
Policy Filter Chain
Part of MAMS IAM Suite (I really AM Sweet)
Context (diagram)
ShARPE: used by the IdP admin for ARP management and attribute mapping
Autograph: used by the IdP member for privacy management
Context (diagram): the IdP admin uses ShARPE to edit the ARPs that govern the attributes released from the IdP to the SP; the user manages their own ARP through Autograph.
Legend: group ARPs, site ARP, user ARP
Shibboleth ARP Editor (ShARPE)
Provide a GUI-based editor to enable:
ARP admins to implement access contracts
Users to manage their ARPs
Provide visibility to the user of:
attributes required by services
attributes released to services
Service received in return for attributes
Enable users to change their ARPs and hence exercise privacy control
Helpdesk
New features
ARP management GUI
Group ARPs: current Shibboleth supports site and user ARPs only
Service Descriptions: comprehensive information about the SP’s service, service levels and attribute requirements
Attribute Mapping: support for mapping between IdP and SP schemas
Policy-filter-chain extension
ShARPE – ARP Administrator
ARP Admin
Import Service Description (Physics research database from Sandstone Uni) – if never imported before
Create site ARP (all communities get bronze access)
Create group ARP (Physics community gets gold access)
Service Descriptions
SP’s Service and Service Level descriptions and attribute requirements
Services may provide service levels - different functionality - based on the supplied attributes, e.g. for an institutional repository or publisher: read access, adding comments/rank/annotations, submit access…
Comprehensive Service Provider information is needed by both admins and users for ‘sensible’ attribute management
ShARPE introduces ‘Service Description’ metadata to support a ‘fully informative’ GUI
SandstoneUniServiceDescription.xml
Service Description Editor
Service Description Editor (cont)
arp.site.xml
arp.group.Physics.xml
Autograph
Autograph
arp.user.sue.xml
Group ARP
Reason: different department admins want to manage their own users
No modification to original Shib code
Extending from the Shib ARP structure
Uses simplified flattened groups (i.e. no hierarchical groups)
Group information provided by a set of plugins: AttributeResolver (LDAP/DB/etc), file, etc
Simplified API to allow extensions
Released Attributes = processing (site ARP + group ARPs + user ARP)
http://federation.org.au/twiki/bin/view/Federation/GroupLookup
Activating Group ARP
<ReleasePolicyEngine>
  <ArpRepository implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.provider.MAMSFileSystemArpRepository">
    <Path>file:/usr/local/shibboleth-idp/etc/arps/</Path>
    <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.AttributeResolverGroupLookup">
      <ResolverConfig implementation="edu.internet2.middleware.shibboleth.aa.attrresolv.MAMSAttributeResolver">
        file:///usr/local/shibboleth-idp/etc/resolver.ldap.xml
      </ResolverConfig>
      <UserGroup>urn:mace:dir:attribute-def:eduPersonAffiliation</UserGroup>
    </GroupLookup>
    <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.PropertyFileGroupLookup" separator="%PRINCIPAL%.">
      <PropertyFile>file:///usr/local/shibboleth-idp/etc/sample.grouplookup.properties</PropertyFile>
      <GroupListing>institutionalGroupList</GroupListing>
      <GroupListing>groupList</GroupListing>
    </GroupLookup>
  </ArpRepository>
</ReleasePolicyEngine>
Example of Group Info (FlatFile)
sample.grouplookup.properties using PropertyFileGroupLookup
# this defines institutional-wide groups
institutionalGroupList = Administrator, Staff, Researcher
# an example of local groups
groupList = Library, Physics, Biology, Walk-in
# user based attributes specifying the groups using 'memberOf'
# ann.memberOf = Researcher
# john.memberOf = Staff
# joe.memberOf = HeadOfSchool, Staff, Librarian
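As an added example (not code from the ShARPE project), a small Python model of the flat-file group lookup above and of the "site ARP + group ARPs + user ARP" processing from the Group ARP slide. The property-file format follows the sample; the ARP rule shape, the deny-overrides combination of rules, the Sandstone Uni SP entity ID and the attribute values are assumptions made here for illustration.

```python
from dataclasses import dataclass

# Constructed sample in the sample.grouplookup.properties format; the
# separator "%PRINCIPAL%." means per-user keys look like "<principal>.memberOf".
SAMPLE_PROPERTIES = """\
# this defines institutional-wide groups
institutionalGroupList = Administrator, Staff, Researcher
# an example of local groups
groupList = Library, Physics, Biology, Walk-in
# user based attributes specifying the groups using 'memberOf'
ann.memberOf = Researcher
john.memberOf = Staff
sue.memberOf = Physics, Researcher
"""

def parse_properties(text):
    """Minimal Java-properties reader: 'key = value' lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def property_file_group_lookup(props, principal, user_group="memberOf",
                               separator="%PRINCIPAL%."):
    """Model of PropertyFileGroupLookup: groups named in '<principal>.memberOf'."""
    key = separator.replace("%PRINCIPAL%", principal) + user_group
    return split_list(props.get(key, ""))

SP_PHYSICS = "https://physicsdb.sandstone.example.edu/shibboleth"  # assumed entity ID

@dataclass(frozen=True)
class Rule:
    sp: str                    # target SP entity ID, or "*" for any SP
    attribute: str
    permit: bool = True        # False means a deny rule
    values: tuple = ("*",)     # "*" matches any value of the attribute

@dataclass
class Arp:
    name: str
    policy_type: str           # sitePolicy | groupPolicy | userPolicy
    rules: list

def rule_matches(rule, sp, attribute, value):
    return (rule.sp in ("*", sp) and rule.attribute == attribute
            and ("*" in rule.values or value in rule.values))

def effective_release(user_attrs, sp, arps):
    """Released = processing(site ARP + group ARPs + user ARP).
    Assumed combination: a value is released if some rule permits it and
    no rule denies it (deny overrides permit)."""
    rules = [r for arp in arps for r in arp.rules]
    released = {}
    for attribute, values in user_attrs.items():
        kept = [v for v in values
                if any(rule_matches(r, sp, attribute, v) for r in rules if r.permit)
                and not any(rule_matches(r, sp, attribute, v) for r in rules if not r.permit)]
        if kept:
            released[attribute] = kept
    return released

# Constructed policies for the slides' scenario: everyone gets bronze access,
# the Physics community gets gold, and user sue withholds her mail address.
SITE_ARP = Arp("arp.site.xml", "sitePolicy",
               [Rule(SP_PHYSICS, "eduPersonAffiliation")])
GROUP_ARPS = {"Physics": Arp("arp.group.Physics.xml", "groupPolicy",
              [Rule(SP_PHYSICS, "mail"),
               Rule(SP_PHYSICS, "eduPersonEntitlement",
                    values=("urn:example:physicsdb:gold",))])}
USER_ARPS = {"sue": Arp("arp.user.sue.xml", "userPolicy",
             [Rule(SP_PHYSICS, "mail", permit=False)])}

USER_ATTRS = {  # constructed attribute values as the resolver would supply them
    "sue":  {"eduPersonAffiliation": ["member", "staff"],
             "mail": ["sue@sandstone.example.edu"],
             "eduPersonEntitlement": ["urn:example:physicsdb:gold",
                                      "urn:example:library:borrow"]},
    "john": {"eduPersonAffiliation": ["member", "staff"],
             "mail": ["john@sandstone.example.edu"]},
}

def applicable_arps(principal, props):
    arps = [SITE_ARP]
    arps += [GROUP_ARPS[g] for g in property_file_group_lookup(props, principal)
             if g in GROUP_ARPS]
    if principal in USER_ARPS:
        arps.append(USER_ARPS[principal])
    return arps

def release_for(principal, sp, properties_text=SAMPLE_PROPERTIES):
    props = parse_properties(properties_text)
    return effective_release(USER_ATTRS[principal], sp, applicable_arps(principal, props))

if __name__ == "__main__":
    for who in ("sue", "john"):
        print(who, release_for(who, SP_PHYSICS))
```

For sue the group ARP grants mail and the gold entitlement, but her user ARP's deny on mail wins, so only the affiliation and the gold entitlement value reach the Physics SP; john, who is not in the Physics group, gets only what the site ARP releases.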
Attribute Mapping
Not all organizations use the same schemas for attributes; mapping is needed
Attribute mapping functions:
One-to-One Mapping
Concatenation
Static Value assignment
Hashing (e.g. TargetedID)
Examples:
Simple: ‘email’ to ‘mail’, or ‘gender’ to ‘sex’
Complex: creating targetedID (e.g. hash(concat(SPname, email)))
Attribute Mapping GUI
What’s offered by AttributeResolver
Rename (mail → email)
Value mapping (“alumn” → “alumn”, “alumni”)
Regex (changing to upper case)
Formatted output
Composite (A, B → “A B”); limited to attributes with the same number of rows
Some others: StaticConnector, ScriptletAttributeDefinition, …
All, with the exception of rename, are *newly* introduced in 1.3c
Shib implementation
Scattered implementation, but simple as it revolves around resolver plugins
No chaining (A → B → C, hence A = C)
Some implementations are limited to certain conditions (i.e. cannot concat attributes of different lengths)
Same map applicable to all SPs, no differentiation or per-SP mapping
MAMS Attribute Mapping implementation
Ability to concatenate attributes with different numbers of rows
One entry point for all mapping entries: one mapping engine (CustomAttributeDefinition)
Different maps loaded for different SPs:
SP1 has mail → email
SP2 has fname + sn + ‘@nowhere.com’ → e-mail
SP3 has …
General mapping can be provided (i.e. a default mapping from eduPerson2MySchema applicable to all SPs)
Attribute Mapping for SPa: X = X + Y
1. Rename existing entry of X to X’ on resolver
2. Create map entry on resolver for X that depends on X’ and Y
3. Put X = X’ + Y on SPa’s map
4. Put X = X’ on default.mapper (for other SPs)
Processing attribute X
1. Requests come to resolve X for SPa
2. X is registered to be handled by the mapper
3. Crosswalk for SPa loaded
   a) If no crosswalk found, default.mapper loaded
4. All of X’s dependencies provided to the Crosswalk
5. Map function tries to resolve X
Activating Attribute Mapping
• Done automatically by ShARPE when enabled
<CustomAttributeDefinition id="X" class="au.edu.mq.melcoe.mams.sharpe.shib.aa.attrresolv.provider.CrosswalkAttributeDefinition">
  <AttributeDependency requires="idp:X"/>
  <AttributeDependency requires="Y"/>
</CustomAttributeDefinition>
<SimpleAttributeDefinition id="idp:X" sourceName="X">
  <DataConnectorDependency requires="echo"/>
</SimpleAttributeDefinition>
Map file entry for SPa
<Crosswalk …>
  <Map class="…" functionName="concat">
    <Attribute>X</Attribute>
    <MapValue>idp:X + Y</MapValue>
  </Map>
</Crosswalk>
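An added Python model of the per-SP crosswalk described in the "Processing attribute X" steps and the map file entry above (not the ShARPE CrosswalkAttributeDefinition itself): map entries keyed by SP, the fall-back to default.mapper, and the rename, concat, static and hash functions from the Attribute Mapping slides. The SP entity IDs, the "%SP%" placeholder for the SP name, the cross-product semantics for concatenating attributes with different numbers of rows, per-attribute fall-back to the default map, and SHA-256 as the targetedID hash are assumptions made here.

```python
import hashlib

# Constructed crosswalks, one per SP (the <Crosswalk>/<Map> files of the slides),
# as attribute -> (functionName, MapValue expression).
# Quoted terms are literals; "%SP%" is an assumed placeholder for the SP name.
CROSSWALKS = {
    "https://sp1.example.org/shibboleth": {
        "email": ("rename", "idp:mail"),                          # mail -> email
    },
    "https://sp2.example.org/shibboleth": {
        "e-mail": ("concat", "fname + sn + '@nowhere.com'"),      # fname + sn + '@nowhere.com' -> e-mail
        "affiliationTag": ("concat", "eduPersonAffiliation + '@' + sn"),  # inputs with different row counts
        "tier": ("static", "'gold'"),
    },
}

# default.mapper: used when an SP has no crosswalk and (assumed here) for
# attributes that an SP's own crosswalk does not mention.
DEFAULT_MAP = {
    "mail": ("rename", "idp:mail"),
    "eduPersonTargetedID": ("hash", "%SP% + idp:mail"),          # hash(concat(SPname, email))
}

def parse_map_value(expr, sp):
    """Split a MapValue such as "idp:X + Y" into (kind, value) terms."""
    terms = []
    for tok in expr.split("+"):
        tok = tok.strip()
        if len(tok) >= 2 and tok[0] == tok[-1] == "'":
            terms.append(("literal", tok[1:-1]))
        elif tok == "%SP%":
            terms.append(("literal", sp))
        else:
            terms.append(("attr", tok))
    return terms

def concat_rows(terms, deps):
    """Concatenate term by term; multi-valued attributes combine as a
    cross product, so inputs with different numbers of rows still work.
    A missing dependency yields no rows at all."""
    rows = [""]
    for kind, value in terms:
        choices = [value] if kind == "literal" else deps.get(value, [])
        rows = [row + choice for row in rows for choice in choices]
    return rows

FUNCTIONS = {
    "rename": concat_rows,                      # one-to-one: a single attribute term
    "concat": concat_rows,
    "static": lambda terms, deps: [v for kind, v in terms if kind == "literal"],
    "hash": lambda terms, deps: [hashlib.sha256(row.encode()).hexdigest()
                                 for row in concat_rows(terms, deps)],
}

def resolve(sp, attribute, deps, crosswalks=CROSSWALKS, default=DEFAULT_MAP):
    """Steps 3-5 of 'Processing attribute X': load SPa's crosswalk (or
    default.mapper), hand over the dependencies, run the map function."""
    crosswalk = crosswalks.get(sp, default)
    entry = crosswalk.get(attribute) or default.get(attribute)
    if entry is None:
        return []
    function_name, expr = entry
    return FUNCTIONS[function_name](parse_map_value(expr, sp), deps)

# Constructed resolver output for one user ("idp:" names are the X' style
# renamed entries the procedure above creates on the resolver).
DEPS = {
    "idp:mail": ["sue@sandstone.example.edu"],
    "fname": ["Sue"],
    "sn": ["Smith"],
    "eduPersonAffiliation": ["member", "staff"],
}

SP1, SP2, SP3 = ("https://sp1.example.org/shibboleth",
                 "https://sp2.example.org/shibboleth",
                 "https://sp3.example.org/shibboleth")

if __name__ == "__main__":
    print(resolve(SP1, "email", DEPS))
    print(resolve(SP2, "e-mail", DEPS), resolve(SP2, "affiliationTag", DEPS))
    print(resolve(SP3, "eduPersonTargetedID", DEPS))   # SP3 has no crosswalk: default.mapper
```

SP3 has no crosswalk of its own, so it is served entirely by default.mapper; the targetedID differs per SP because the SP name is part of the hashed string, while staying stable for the same user at the same SP.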
Future Works
Privacy settings for coarse-grained release policy
Hierarchical groups to implement the ‘room in room’ concept (if enough requests)
Integrations with Grouper & Signet for local management (currently planned for GroupManager and PrivilegeManager)
Push Shib for the ability to register new attributes to the resolver for Attribute Mapping
Questions?
Email: [email protected]
ShARPE @ http://federation.org.au/ShARPE
MAMS @ http://mams.melcoe.mq.edu.au
Experiment: http://opensharpe.federation.org.au
Sharpe-users mailing list: http://federation.org.au/cgi-bin/mailman/listinfo
MAMS’ Easy Installation IdP with ShARPE: http://federation.org.au/software/installcd
Extra Slides
Shib ARP Management
SP attribute requirements agreed and negotiated manually (not scalable)
Site and User ARPs, no Group ARPs
Lack of service information for users (what attributes are required, released, for what reason)
Lack of interface for user ARP control: user can’t access ARP files
Design Group ARP
Design Attribute Mapping
Policy Filter Chaining
Allowing policies (ARPs) to be passed through a chain of filters prior to their final processing on the ArpEngine
Allow selective processing of policies, i.e. when the user has attribute X set to Y, do not process group policy Z
Used by Autograph to “find what attributes are affected by all policies without inclusion of the user ARP” or similar use cases
http://federation.org.au/twiki/bin/view/Federation/PolicyFilter
Policy Filter
Different types of Policy Filter, extensible design
Filter on different types of ARP
Filter on simple access control for the ARP (create, read, update, delete); create is slightly difficult to enforce
Combination of filters and chaining
Design PolicyFilter
PolicyFilter Processing
For each activity identified as create, read, update or delete on the policy:
Calls the registered PolicyFilters: Arp’ = PolicyFilter(Arp)
The resultant policy is given back to the system
All active policies to be used by the system are processed prior to being used
Activating PolicyFilter
<ReleasePolicyEngine>
  <ArpRepository implementation="...provider.MAMSFileSystemArpRepository">
    <PolicyFilter implementation="...provider.PolicyTypeFilter">
      <PolicyType>sitePolicy</PolicyType>
      <PolicyType>userPolicy</PolicyType>
    </PolicyFilter>
    …
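An added Python model of the filter chain from the PolicyFilter slides (not the ShARPE PolicyFilter code): each active policy passes through the registered filters in order for a given activity (Arp’ = PolicyFilter(Arp)), a PolicyTypeFilter mirrors the configuration above, and two further filters show the selective-processing and access-control uses the slides mention. The policy names, the attribute condition, and the filter classes other than PolicyTypeFilter are constructed here for illustration.

```python
from dataclasses import dataclass

ACTIVITIES = ("create", "read", "update", "delete")

@dataclass
class Policy:
    name: str
    policy_type: str          # sitePolicy | groupPolicy | userPolicy
    attributes: list          # attribute names the policy's rules touch
    group: str = ""           # set for groupPolicy only

class PolicyTypeFilter:
    """Model of <PolicyFilter implementation="...PolicyTypeFilter">:
    only policies whose type is listed pass through."""
    def __init__(self, policy_types):
        self.policy_types = set(policy_types)

    def apply(self, policy, activity, context):
        return policy if policy.policy_type in self.policy_types else None

class AttributeConditionFilter:
    """Selective processing (constructed filter): when the user has
    attribute X set to Y, do not process group policy Z."""
    def __init__(self, attribute, value, skip_group):
        self.attribute, self.value, self.skip_group = attribute, value, skip_group

    def apply(self, policy, activity, context):
        user_attrs = context.get("attributes", {})
        if (policy.policy_type == "groupPolicy" and policy.group == self.skip_group
                and self.value in user_attrs.get(self.attribute, [])):
            return None
        return policy

class PolicyAccessFilter:
    """Simple access control per activity (constructed filter): a user may
    create/read/update/delete only their own user ARP and merely read the rest."""
    ALLOWED = {"userPolicy": set(ACTIVITIES), "sitePolicy": {"read"}, "groupPolicy": {"read"}}

    def apply(self, policy, activity, context):
        if activity not in self.ALLOWED.get(policy.policy_type, set()):
            return None
        if policy.policy_type == "userPolicy" and policy.name != context.get("user_policy"):
            return None
        return policy

def run_chain(policies, activity, filters, context):
    """For each policy, Arp' = PolicyFilter(Arp) through every registered
    filter in order; a filter returning None drops the policy."""
    if activity not in ACTIVITIES:
        raise ValueError("unknown activity: %s" % activity)
    result = []
    for policy in policies:
        current = policy
        for f in filters:
            current = f.apply(current, activity, context)
            if current is None:
                break
        if current is not None:
            result.append(current)
    return result

def attributes_affected(policies, filters, context):
    """The Autograph use case: which attributes do the surviving policies touch?"""
    names_seen = set()
    for policy in run_chain(policies, "read", filters, context):
        names_seen.update(policy.attributes)
    return sorted(names_seen)

# Constructed active policies for user sue.
POLICIES = [
    Policy("arp.site.xml", "sitePolicy", ["eduPersonAffiliation"]),
    Policy("arp.group.Physics.xml", "groupPolicy", ["mail", "eduPersonEntitlement"], group="Physics"),
    Policy("arp.group.Library.xml", "groupPolicy", ["cn"], group="Library"),
    Policy("arp.user.sue.xml", "userPolicy", ["mail"]),
]
CONTEXT = {"user_policy": "arp.user.sue.xml",
           "attributes": {"eduPersonAffiliation": ["student"]}}

def names(policies):
    return [p.name for p in policies]

if __name__ == "__main__":
    print(names(run_chain(POLICIES, "read", [PolicyTypeFilter(["sitePolicy", "userPolicy"])], CONTEXT)))
    print(attributes_affected(POLICIES, [PolicyTypeFilter(["sitePolicy", "groupPolicy"])], CONTEXT))
    print(names(run_chain(POLICIES, "update", [PolicyAccessFilter()], CONTEXT)))
```

Leaving the user policy out of the PolicyTypeFilter is what gives Autograph the set of attributes affected by all policies except the user's own ARP; combining filters in one chain lets an access-control filter run before a type filter, as the "combination of filters and chaining" slide suggests.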