26/02/2016
DESCRIPTION
META ACCESS MANAGEMENT SYSTEM: Single Sign-On, Digital Identity Mgmt, Federated Identity Mgmt, Access Control, Provisioning, Federated search, Legacy plug-ins
TRANSCRIPT
06/05/23 META ACCESS MANAGEMENT SYSTEM
Slide 1
A Ship on the Grid: Interoperability between Shibboleth and the Grid
Dr. Erik Vullings, Programme Manager
Macquarie University E-Learning Centre of Excellence (MELCOE), Australia
Email: [email protected] (at melcoe.mq.edu.au)
Slide 2
Backing Australia's Ability
DEST founded ARIIC to guide the first round of SII projects:
- Australian Digital Thesis (ADT)
- Australian Partnership for Sustainable Repositories (APSR)
- Australian Research Repositories Online to the World (ARROW)
- Meta Access Management System (MAMS)
Financed by DEST till the end of 2006 (3y, $4.2 million ~ €2,7m)
FRODO (Federated Repositories of Digital Objects)
Slide 3
Single Sign-On
Digital Identity Mgmt
Federated Identity Mgmt
Access Control
Provisioning
Federated search
Legacy plug-ins
Slide 4
Projects I won't spend a slide on...
- Australian InQueue-like Federation
  Easy Install CD, incl. registration
  Mini-grant program: Shibbolizing SPs
  Shibbolizing GridSphere, DSpace, Zope/Plone, Wiki...
- Institutional Repository WebGUI
  Fedora with XACML
- Virtual Librarian Service
  Use Shibboleth to validate IM service
- XACML editor for repository policies
  XML-free interface
Slide 5
Attribute Release Policies
When I visit an SP, how do I present myself?
[Figure: three identity "cards" releasing progressively more attributes:
 1. Reference #123456; Staff at Macquarie Uni
 2. Erik Vullings; Staff at Macquarie Uni
 3. Erik Vullings; [email protected]; Staff at Macquarie Uni; +61-(0)2-9850.6537; MQ]
Slide 6
Different cards open different doors: Attributes give access to Features
[Figure: the same three cards as on slide 5 (Reference #123456 / Erik Vullings / full contact details, each tagged "Staff at Macquarie Uni"), each card unlocking features:]
Enables access to repository
Allows me to rank material
Allows me to add comments
Slide 7
Different cards open different doors: Services & Service Level
Slide 8
Multiple Attribute Authority (Join SAML assertions as SP)
Visit other IdP/AA and return
Slide 9
AuthN federated Search (AFS) (Delegated SAML Profile?)
[Figure: sequence diagram comparing Old and New. Actors: University staff member; IdP; FS <<SP>>; AFS <<SP>>; Repository_i <<SP>> with <<WS>> Search (R<<WS>>S); Attribute Mngr <<Servlet>>.
 Numbered arrows: 1 Login via WAYF & IdP; 2a Create User Shib session (bypass WAYF); 2b Target=SessionMngr/SessionID; 3 Query + SessionID.
 Unnumbered arrows: Access; Query.]
Slide 10
Shibbolizing MyProxy (with Jim Basney & Von Welch)
[Figure: Old vs New.
 Old: GS Portal <<Portlet>> MyProxy and MyProxy Server; login with Username1 & pwd1, then Username2 & pwd2.
 New: University staff member; IdP; GS Portal <<SP>> with <<Portlet>> MyProxy; MyProxy Server <<SP>>; Attribute Mngr.
 Arrows: 1 Login via WAYF & IdP; 2a Create User Shib session (bypass WAYF); 2b Target=SessionMngr/SessionID; 3 Get proxy cert + SessionID.]
Slide 11
Virtual Organisation (Attribute Authority)
[Figure: University staff member; SP (User session, Attribute Requester, SP AR); IdP (LDAP directory, Attribute Authority, IdP AA, LDAP (session)); VO AA (WAYF, VO members); Claim Transformation Service (CTS).
 Arrows: 1 Request access with credentials; 2 Redirect; 3 IdP; 4 IdP attributes; 5 IdP+VO attributes.]
Notes:
1. At step 4 and 5, mapping of attr. names and values can take place.
2. Typical VO attr. are entitlements, such as ethnicity, IEEE fellow, etc.
3. Extendable between federations
Slide 12
Fed2Fed SSO
[Figure: Federation A (Fa) and Federation B (Fb), each with several IdPs and SPs, its own WAYF and its own CTS; arrows numbered 1 to 7 run between the two federations.]
CTS: Claim Transformation Service; WAYF: Where Are You From; IdP: Identity Provider; SP: Service Provider
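As an added illustration of the Claim Transformation Service on slides 11 and 12 (example code, not MAMS code and not part of the deck): a minimal CTS that performs step 4 (mapping attribute names and values into the target federation's vocabulary) and step 5 (joining the home IdP's attributes with the VO AA's attributes), keeping the issuer of every value and applying the SP's attribute release policy. The attribute names, the mapping tables, the issuer hostnames, the sample values and the rule that a VO may only add entitlements are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed vocabulary mapping between two federations' attribute names and
# values. The deck only says names and values "can be mapped" at steps 4 and 5;
# these particular mappings are assumptions for the example.
NAME_MAP = {"eduPersonAffiliation": "affiliation",
            "eduPersonPrincipalName": "principal"}
VALUE_MAP = {"affiliation": {"staff": "employee", "student": "learner"}}
# Attribute release policy (ARP) of the target SP: anything else is dropped.
ARP_ALLOWED = {"principal", "affiliation", "entitlement"}

# name -> list of (value, issuer): every value keeps the authority that asserted it
Claims = Dict[str, List[Tuple[str, str]]]

def transform(attrs: Dict[str, List[str]], issuer: str) -> Claims:
    """Step 4: rename attributes and remap values into the target federation's
    vocabulary, tagging each value with the authority that asserted it."""
    out: Claims = {}
    for name, values in attrs.items():
        new_name = NAME_MAP.get(name, name)
        vmap = VALUE_MAP.get(new_name, {})
        out.setdefault(new_name, []).extend((vmap.get(v, v), issuer) for v in values)
    return out

def join_claims(idp: Claims, vo: Claims) -> Claims:
    """Step 5: join the home IdP's attributes with the VO AA's attributes.
    Assumed policy: the VO may add entitlements but may not override identity
    attributes the home IdP asserted (e.g. a VO claiming 'affiliation')."""
    joined: Claims = {k: list(v) for k, v in idp.items()}
    for name, values in vo.items():
        if name != "entitlement" and name in joined:
            continue
        joined.setdefault(name, []).extend(values)
    # Enforce the SP's attribute release policy before the assertion leaves the CTS
    return {k: v for k, v in joined.items() if k in ARP_ALLOWED}

def example() -> Claims:
    """Constructed sample input: one IdP assertion and one VO assertion."""
    idp_attrs = {"eduPersonPrincipalName": ["user@example.edu"],
                 "eduPersonAffiliation": ["staff"],
                 "mail": ["user@example.edu"]}          # not released by the ARP
    vo_attrs = {"entitlement": ["urn:vo:example:ieee-fellow"],
                "affiliation": ["member"]}               # VO may not override this
    return join_claims(transform(idp_attrs, "idp.example.edu"),
                       transform(vo_attrs, "vo-aa.example.org"))
```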