Canadian Access Federation Shibboleth Workshop, Aug 2011. Chris Phillips – chris.phillips@canarie.ca

Upload: chris-phillips

Post on 15-Jun-2015


DESCRIPTION

Additional material as well as value propositions regarding Shibboleth

TRANSCRIPT

Page 1: Canarie CAF- Shibboleth Workshop Topics

Canadian Access Federation Shibboleth Workshop

Aug 2011, Chris Phillips – chris.phillips@canarie.ca

Page 2: Canarie CAF- Shibboleth Workshop Topics

Material

• Past Presentations:
  – This presentation builds on CANHEIT 2010:
• Prezi on Building federated applications:
  – http://bit.ly/fedapps


Page 3: Canarie CAF- Shibboleth Workshop Topics

Use Case – New Employee Access to Online Resources

Without Shibboleth
• User arrives, needs to have access to web resources for:
  – Active Directory
  – Twiki.canarie.ca
  – Staff.canarie.ca
  – Collaborate.canarie.ca
  – Shared online resources in a 3rd party wiki
• Needs to talk to staff for each service to get a credential created in each system and a password set
  – User waits for an account for each service
  – User uses the known password, signs into each service and sets a password
  – When the user leaves the organization, each service should be notified to delete the account and terminate access everywhere (right?)
  – Each service deletes the account (right?)
  – Done

With Shibboleth
• User arrives, needs to have access to web resources for:
  – Active Directory
  – Twiki.canarie.ca
  – Staff.canarie.ca
  – Collaborate.canarie.ca
  – Shared online resources in a 3rd party wiki
• IT staff creates a central account and assigns privileges to access resources centrally.
  – User waits for the account
  – User changes the password and all services rely on this password.
  – When the user leaves the organization, this one account should be notified for deletion (right?)
  – Done


Page 4: Canarie CAF- Shibboleth Workshop Topics

Shib Value Proposition

• Game changer for integration effort with shib-ready services
  – Reduces integration from customization to configuration
  – Avoids weeks of custom project integration and then maintenance until, well, forever
  – Lowers cost of doing business – do better with less.
• Establishes a centralized policy enforcement point and easier auditability
• For new work, establishes a publicly accepted framework to implement to, and not your own homegrown framework


Page 5: Canarie CAF- Shibboleth Workshop Topics

Rightsize Your Information Sharing

[Figure: a ladder of information release, with SAML as the conduit for information release; each step shows what is shared at login, with the data needed ghosted in the original figure.]
• Wireless – log in, share nothing
• Log in, share an Opaque ID
• External website where personalization is desired – log in, share NetID
• Internal website where personalization is desired and linkage elsewhere is desired – log in, share NetID + attributes

Page 6: Canarie CAF- Shibboleth Workshop Topics

Unified View Leverages Infrastructure(aka internal/nested/layered trust groups)

[Diagram: nested trust groups – The ‘Federation’ contains SPs and IdPs; Local Feds with their own IdP and SPs; Special Interest Trust Groups with their own IdPs; and a Higher Assurance group of SPs and IdPs.]

• The Federation sets POP/FOP requirements.
• Serves as the base inherited elements for local or SITG activity to enhance or build upon
• Most efficient way to ensure least effort for SP/IdP to participate any way they want, including promotion to eduGAIN
• Local Feds can have or need their own isolated SP/IdPs
• Encourages organic growth on the path to full Federation involvement.
• The Federation enables SITGs to form their own special metadata sourced from the core metadata

Page 7: Canarie CAF- Shibboleth Workshop Topics

My App Can’t Be Federated in CAF Because…

• It is limited to regionally/specific identities
  – Reply: No problem! This is a Virtual Organization
• A Virtual Organization (VO) is any collective group that operates in a coordinated way to enable shared activities on one or more topics with common tools or governance.
• VOs can exist within institutional boundaries but are most effective when constituted to operate across and to unify participants in different physical or institutional limits.
• Primary purpose is to pursue the shared topic or topics.


Page 8: Canarie CAF- Shibboleth Workshop Topics

Virtual Organization pt 2

• CAF is an environment where VOs flourish:
  – Virtual Organizations typically form around Service Provider(s), with IdPs providing consumers and complying to attribute profiles to participate
  – Autonomy is retained by the VO and its members to focus on the topic
• CAF focus is on the ‘dialtone’ infrastructure for collaboration – IdP & SP management practices and operations and middleware elements
  – Examples in Canada are:
    • Regional Learning Management Systems
    • Transcript or Application management
    • Research 'desktops' that aggregate tools for researchers
• Techniques to implement on the SP end:
  – Use the Shib2.xml & other configurations to whitelist participants[1]
  – Consider using eduPersonEntitlement to express fine-grained filtering at the application level:
    – eduPersonEntitlement: urn:mace:washington.edu:confocalMicroscope
    – eduPersonEntitlement: http://publisher.example.com/contract/GL12

[1] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter
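As an added, constructed illustration of the two SP-side techniques named above (this is not code from the slides or from the Shibboleth project): the first part parses a fragment written in the style of the SP's shibboleth2.xml containing a Whitelist MetadataFilter, whose Include entries name the IdP entityIDs the SP will accept; the second part applies an eduPersonEntitlement check at the application layer, reading the attribute the way the Shibboleth SP exports it to the application (the `entitlement` variable from the stock attribute map, multiple values joined with semicolons, a literal semicolon escaped with a backslash). The entityIDs, the metadata URL, the session values and the sample request environment are placeholders.

```python
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"

# Constructed fragment in the style of shibboleth2.xml. The entityIDs and the
# metadata URL are placeholders, not real federation members.
SHIB_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <MetadataProvider type="XML" uri="https://federation.example/metadata.xml">
      <!-- Only IdPs listed here survive filtering; all others are dropped. -->
      <MetadataFilter type="Whitelist">
        <Include>https://idp.university-a.example/idp/shibboleth</Include>
        <Include>https://idp.university-b.example/idp/shibboleth</Include>
      </MetadataFilter>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>"""


def whitelisted_idps(config_xml):
    """Collect the entityIDs named by every Whitelist MetadataFilter."""
    root = ET.fromstring(config_xml)
    allowed = set()
    for flt in root.iter("{%s}MetadataFilter" % SP_NS):
        if flt.get("type") == "Whitelist":
            for inc in flt.findall("{%s}Include" % SP_NS):
                allowed.add((inc.text or "").strip())
    allowed.discard("")
    return allowed


def idp_allowed(entity_id, config_xml=SHIB_CONFIG):
    """True if the IdP would pass the whitelist filter."""
    return entity_id in whitelisted_idps(config_xml)


def parse_multivalued(raw):
    """Split a multi-valued attribute as the SP exports it: values joined
    with ';', and a literal ';' inside a value escaped as '\\;'."""
    values, buf, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            buf.append(";")
            i += 2
            continue
        if raw[i] == ";":
            values.append("".join(buf))
            buf = []
        else:
            buf.append(raw[i])
        i += 1
    values.append("".join(buf))
    return {v.strip() for v in values if v.strip()}


# Entitlement value this application requires (the value quoted on the slide).
REQUIRED_ENTITLEMENTS = {"urn:mace:washington.edu:confocalMicroscope"}


def authorize(env, required=REQUIRED_ENTITLEMENTS):
    """Application-level check on the variables the SP sets after SSO.
    Returns True only for an authenticated session from a whitelisted IdP
    that carries at least one of the required entitlement values."""
    if not env.get("Shib-Session-ID"):
        return False            # no SP session at all
    if not idp_allowed(env.get("Shib-Identity-Provider", "")):
        return False            # IdP is not in the whitelist
    have = parse_multivalued(env.get("entitlement", ""))
    return bool(have & set(required))


# Constructed request environment, as a web app behind the SP would see it.
SAMPLE_ENV = {
    "Shib-Session-ID": "_constructed-session-id",
    "Shib-Identity-Provider": "https://idp.university-a.example/idp/shibboleth",
    "entitlement": ("urn:mace:dir:entitlement:common-lib-terms;"
                    "urn:mace:washington.edu:confocalMicroscope"),
}

if __name__ == "__main__":
    print("access granted" if authorize(SAMPLE_ENV) else "access denied")
```

In a real deployment the SP daemon applies the Whitelist filter itself when it loads federation metadata, so the application never sees an assertion from an unlisted IdP; the parser here only mirrors that decision to make the meaning of the filter visible. The entitlement check is the part the slide places at the application level: the SP hands over every value the IdP asserted, and it is the application that decides which value is sufficient for which resource.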


Page 9: Canarie CAF- Shibboleth Workshop Topics

My App Can’t Be Federated in CAF Because…

• I need to exchange special attributes
  – Reply: No Problem!
  – CAF’s default is shared nothing
  – eduPerson is the default attribute set
  – Where insufficient, the SP should work out the details with its partners on what extra elements it needs
• CAF recommends that the SP have proper OIDs (can be registered with IANA for free) for their attributes
• OIDs provide uniqueness, but us humans like text names that are unique too.


Page 10: Canarie CAF- Shibboleth Workshop Topics

Enhancing Attribute Exchanges

• Shared nothing today, but uses the eduPerson schema
• Finding that this may be a paradox of choice
• Very interesting space to explore, but keep in mind principles:
  – Low friction to participate (ie, simplicity is good)
  – Scalable and high degree of relevancy and utility
  – Don’t punish the end user or IdP owner.
  – Interop across Canada and internationally
• Many areas to explore
  – Use SCHAC[1] technique for attributes?
    • "urn:schac:dom.ain:Attribute:value"
  – Use Australian[2] approach for precise control and strong typing and vocabulary?
  – Require full participation in various attribute sets (ie MUST populate all fields) but in different categories of SPs (category 1, 2, 3 etc)?
  – Hybrid??

[1] http://www.terena.org/mail-archives/schac/msg00371.html

[2] http://www.aaf.edu.au/technical/aaf-core-attributes/


Page 11: Canarie CAF- Shibboleth Workshop Topics

My App Can’t Be Federated in CAF Because…

• I need a Higher Level of Assurance for a user
  – Reply: OK, we want this too, what are your requirements?
  – Challenge is how do you want to express it and what are your criteria for the higher level of assurance?
• Part of a larger conversation
  – What is the yardstick?
    • NIST 800-63?
    • NSTIC, OIX, Kantara audit requirements
    • Audit of SP against their own statements?
• If you want to be part of this conversation see Chris Phillips and/or join the mailing list.


Page 12: Canarie CAF- Shibboleth Workshop Topics

My App Can’t Be Federated in CAF Because…

• I need to sign in on the command line
  – Reply: Ok, we want this too.
• Already participating internationally with UK-JISC on Project Moonshot, a combined environment of eduroam RADIUS and SAML attribute assertions
• Live CDs of the sample dev environment available from Chris.
• Also the ECP plugin to Shib can accomplish this, but in a slightly different way.
• If you want to be part of this conversation see Chris Phillips and/or join the mailing list.


Page 13: Canarie CAF- Shibboleth Workshop Topics

My App Can’t Be Federated in CAF Because…

• I need to sign in with Social identities (Google, OpenID)
  – Reply: No problem, it can be done
• Already participating internationally with REFEDS & InCommon on Social Identity risk assessment and gateway designs[1]
• Certain gateways exist from uPenn & Sweden [2]
  – Many unquantified risks at this time, but it does work
    • User behind the keyboard is unknown
    • Attributes are self-asserted
    • No knowledge of the value of the account to the person
• This is an active area of conversation.

[1] https://spaces.internet2.edu/display/socialid/Handling+Both+Social+and+SAML+Identities

[2] https://tnc2011.terena.org/getfile/558


Page 14: Canarie CAF- Shibboleth Workshop Topics

My App Can’t Be Federated in CAF Because…

• I don’t think the CAF is as highly available as I want it to be
  – Reply: OK, did you know the following?
  – CAF services reside in 3 provinces (Ontario, BC, and Quebec), and have redundant DNS entries with live failover
  – What are your service criteria so we may understand them better?


Page 15: Canarie CAF- Shibboleth Workshop Topics

Your Turn…

• Looking for more conversation and discussion?
  – Join the CAF-Shib technical list to discuss the topics: [email protected]
