This presentation discusses how the Canadian Access Federation (CAF) uses Shibboleth to enable single sign-on access to online resources. It provides examples of how Shibboleth streamlines user access and account management. The presentation addresses common concerns about integrating applications with CAF, such as only wanting to support specific identities, needing special attributes, or requiring a higher level of assurance. It explains that CAF supports virtual organizations and is working on initiatives like social identity integration and command line access. The presentation encourages further discussion by joining the CAF technical mailing list.
2. Material / Past Presentations
- This presentation builds on CANHEIT 2010: Prezi on Building federated applications: http://bit.ly/fedapps2
3. Use Case: New Employee Access to Online Resources

Without Shibboleth:
- User arrives and needs access to web resources: Active Directory, Twiki.canarie.ca, Staff.canarie.ca, Collaborate.canarie.ca, and shared online resources in a 3rd-party wiki
- Needs to talk to staff for each service to get a credential created in each system and a password set
- User waits for an account for each service
- User uses the known password, signs into each service and sets a password
- When the user leaves the organization, each service should be notified to delete the account and terminate access everywhere (right?)
- Each service deletes the account (right?)
- Done

With Shibboleth:
- User arrives and needs access to the same web resources: Active Directory, Twiki.canarie.ca, Staff.canarie.ca, Collaborate.canarie.ca, and shared online resources in a 3rd-party wiki
- IT staff creates a central account and assigns privileges to access resources centrally
- User waits for one account
- User changes the password, and all services rely on this password
- When the user leaves the organization, this one account should be notified for deletion (right?)
- Done
4. Shib Value Proposition
- Game changer for integration effort with Shib-ready services
- Reduces integration from customization to configuration
- Avoids weeks of custom project integration and then maintenance until, well, forever
- Lowers the cost of doing business: do better with less
- Establishes a centralized policy enforcement point and easier auditability
- For new work, establishes a publicly accepted framework to implement to, not your own homegrown framework
5. Rightsize Your Information Sharing
A ladder of information release, from least to most shared, with SAML as the conduit for information release:
- Log in, share nothing: wireless access
- Log in, share an opaque ID: external website where personalization is desired
- Log in, share NetID: internal website where personalization is desired and linkage elsewhere is desired
- Log in, share NetID + attributes: internal website where personalization is desired, linkage elsewhere is desired and data is needed
11. The Federation enables SITG to form their own special metadata sourced from the core metadata
(Diagram: SPs and IdPs from the core metadata grouped into a Higher Assurance local federation and other local federations.)
12. My App Can't Be Federated in CAF Because... it is limited to regional/specific identities
Reply: No problem! This is a Virtual Organization.
- A Virtual Organization (VO) is any collective group that operates in a coordinated way to enable shared activities on one or more topics with common tools or governance.
- VOs can exist within institutional boundaries but are most effective when constituted to operate across and to unify participants in different physical or institutional limits.
- Primary purpose is to pursue the shared topic or topics.
13. Virtual Organization pt 2
CAF is an environment where VOs flourish:
- Virtual Organizations typically form around Service Provider(s), with IdPs providing consumers and complying to attribute profiles to participate
- Autonomy is retained by the VO and its members to focus on the topic; CAF focus is on the dialtone infrastructure for collaboration: IdP & SP management practices and operations, and middleware elements
Examples in Canada are:
- Regional Learning Management Systems
- Transcript or Application management
- Research 'desktops' that aggregate tools for researchers
Techniques to implement on the SP end:
- Use the Shib2.xml and other configurations to whitelist participants [1]
- Consider using eduPersonEntitlement to express fine-grained filtering at the application level:
  eduPersonEntitlement: urn:mace:washington.edu:confocalMicroscope
  eduPersonEntitlement: http://publisher.example.com/contract/GL12
[1] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter
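As an added example (not CAF's or the Shibboleth project's code), here is the kind of application-level filtering the slide recommends. It assumes the Shibboleth SP has already authenticated the user and handed the application the `Shib-Identity-Provider` variable and the default `entitlement` attribute id for eduPersonEntitlement; the VO policy's IdP entityID is a placeholder, and the entitlement values are the two from the slide.

```python
# Added example: VO participation check at the application layer, behind a
# Shibboleth SP. Assumes (not stated on the slides) that the SP passes
# attributes to the app as request environment variables: Shib-Identity-Provider
# and "entitlement" (the default attribute-map.xml id for eduPersonEntitlement);
# multi-valued attributes arrive ';'-separated, a literal ';' escaped as '\;'.
from dataclasses import dataclass, field

# Constructed VO policy: placeholder IdP entityID; entitlement values from the slide.
VO_ALLOWED_IDPS = {"https://idp.example.ca/idp/shibboleth"}
VO_ENTITLEMENTS = {
    "urn:mace:washington.edu:confocalMicroscope",
    "http://publisher.example.com/contract/GL12",
}


def split_multivalued(value: str) -> list[str]:
    """Split a Shibboleth multi-valued attribute string into its values."""
    values, current, i = [], [], 0
    while i < len(value):
        if value.startswith("\\;", i):  # escaped delimiter inside a value
            current.append(";")
            i += 2
        elif value[i] == ";":
            values.append("".join(current))
            current = []
            i += 1
        else:
            current.append(value[i])
            i += 1
    values.append("".join(current))
    return [v for v in values if v]  # drop empties from "" or "a;;b"


@dataclass
class Decision:
    allowed: bool
    reason: str
    matched: set[str] = field(default_factory=set)


def authorize(env: dict[str, str]) -> Decision:
    """Admit only users from a VO IdP who carry a qualifying entitlement."""
    idp = env.get("Shib-Identity-Provider", "")
    if idp not in VO_ALLOWED_IDPS:  # reject before looking at any attribute
        return Decision(False, f"IdP not in VO: {idp or '<missing>'}")
    matched = set(split_multivalued(env.get("entitlement", ""))) & VO_ENTITLEMENTS
    if not matched:
        return Decision(False, "no qualifying eduPersonEntitlement")
    return Decision(True, "ok", matched)
```

The IdP allowlist complements, rather than replaces, the metadata whitelist in Shib2.xml: the SP filter stops assertions from non-participants at the door, and this check decides what a participant's user may actually do.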
14. My App Can't Be Federated in CAF Because... I need to exchange special attributes
Reply: No problem!
- CAF's default is "share nothing"
- eduPerson is the default attribute set
- Where insufficient, the SP should work out the details with its partners on what extra elements it needs
- CAF recommends that the SP have proper OIDs (can be registered with IANA for free) for their attributes
- OIDs provide uniqueness, but we humans like text names that are unique too
15. Enhancing Attribute Exchanges
- Shared nothing today, but uses the eduPerson schema
- Finding that this may be a paradox of choice
- Very interesting space to explore, but keep in mind the principles:
  - Low friction to participate (i.e., simplicity is good)
  - Scalable, with a high degree of relevancy and utility
  - Don't punish the end user or IdP owner
  - Interop across Canada and internationally
- Many areas to explore:
  - Use the SCHAC [1] technique for attributes? "urn:schac:dom.ain:Attribute:value"
  - Use the Australian [2] approach for precise control and strong typing and vocabulary?
  - Require full participation in various attribute sets (i.e., MUST populate all fields) but in different categories of SPs (category 1, 2, 3, etc.)?
  - Hybrid??
[1] http://www.terena.org/mail-archives/schac/msg00371.html
[2] http://www.aaf.edu.au/technical/aaf-core-attributes/
16. My App Can't Be Federated in CAF Because... I need a Higher Level of Assurance for a user
Reply: OK, we want this too. What are your requirements?
- The challenge is how you want to express it and what your criteria are for the higher level of assurance
- Part of a larger conversation: what is the yardstick? NIST 800-63? NSTIC, OIX, KANTARA audit requirements? Audit of the SP against its own statements?
- If you want to be part of this conversation, see Chris Phillips and/or join the mailing list
17. My App Can't Be Federated in CAF Because... I need to sign in on the command line
Reply: OK, we want this too.
- Already participating internationally with UK-JISC on Project Moonshot: a combination environment of eduroam RADIUS and SAML attribute assertions
- Live CDs of the sample dev environment are available from Chris
- The ECP plugin for Shib can also accomplish this, but in a slightly different way
- If you want to be part of this conversation, see Chris Phillips and/or join the mailing list
18. My App Can't Be Federated in CAF Because... I need to sign in with social identities (Google, OpenID)
Reply: No problem, it can be done.
- Already participating internationally with REFEDS and InCommon on social identity risk assessment and gateway designs [1]
- Certain gateways exist from uPenn and Sweden [2]
- Many unquantified risks at this time, but it does work:
  - The user behind the keyboard is unknown
  - Attributes are self-asserted
  - No knowledge of the value of the account to the person
- This is an active area of conversation
[1] https://spaces.internet2.edu/display/socialid/Handling+Both+Social+and+SAML+Identities
[2] https://tnc2011.terena.org/getfile/558
19. My App Can't Be Federated in CAF Because... I don't think CAF is as highly available as I want it to be
Reply: OK, did you know the following?
- CAF services reside in 3 provinces (Ontario, BC and Quebec) and have redundant DNS entries with live failover
- What are your service criteria, so we may understand them better?
20. Your Turn
Looking for more conversation and discussion? Join the CAF-Shib technical list to discuss these topics: CAF-SHIBBOLETH-TECHNICAL-L-request@LISTSERV.UWINDSOR.CA
Editor's Notes
#7: One service is good, but many using the same infrastructure is better:
- Common approach to governance and oversight
- Generally coordinating with the same points of contact
- Build both for traversal upwards and downwards