Single Sign-On for the EDIT platform

Upload: bruce-cole

Post on 04-Jan-2016

Category: Documents

TRANSCRIPT

Current list of common attributes of the EDIT federation

Attribute                 Needed for authentication   Description
eduPersonPrincipalName    yes                         login id
eduPersonAffiliation      yes                         groups/roles
eduPersonTargetedID       yes                         unique id
mail                      no                          email address
givenName                 no                          given name
postalAddress             no                          address
telephoneNumber           no                          phone number
sn                        no                          surname
cn                        no                          common name

The first three attributes are what an SP needs to authenticate and authorise a federated user; the remaining ones are optional profile data whose release is governed by the IdP's attribute release policy. Two properties of the identifiers matter for SP design: eduPersonPrincipalName is a scoped value (user@institution) that the home institution may reassign to another person, whereas eduPersonTargetedID is an opaque, persistent identifier that is different for every SP, so it is the right key for an SP's own per-user records but cannot be used to correlate a user across services.

Single Sign-On for the EDIT platform
Lutz Suhrbier¹, Andreas Kohlbecker², Andreas Müller²

1 Freie Universität Berlin, Department of Computer Science, Networked Information Systems (http://www.ag-nbi.de)

2 Freie Universität Berlin, Botanic Garden and Botanical Museum Berlin-Dahlem (BGBM)

Find more information at http://www.e-taxonomy.eu or contact Lutz Suhrbier ([email protected])


EDIT's Community Single Sign-On (CSSO) security infrastructure

• Protects and provides access to all EDIT platform components
• Built on the Security Assertion Markup Language (SAML) Web Browser SSO profile (implementations such as Shibboleth or OpenSSO)
• Only a single identity per user required
  • only one user id and password to remember
  • accounts at the home institution can be reused
• Attribute Based Access Control (ABAC) for service providers
  • considerably reduced administrative costs
  • definition of individual access control policies

EDIT federation

• Binds organisations to a common set of policies & practices
  • operational procedures and security mechanisms
  • attributes & entitlements to be exchanged (eduPerson)
  • identical attribute interpretation (role/group assignment)
  • legal issues like Intellectual Property Rights and privacy
• Enables trusted interaction without bilateral agreements
• Open to all biodiversity institutions or service contributors as Identity Provider (IdP) and/or Service Provider (SP)
• Vision: build up a biodiversity community federation

Why Community Single Sign-On?

The EDIT platform provides a multitude of web-based taxonomic applications and services. The diversity of service providers reflects the highly distributed, cross-national organisational infrastructure of biodiversity institutions and collections in general.

• The result is an identity management problem
  • system administrators have to register users and maintain a separate access control list for each service
  • users have to remember a variety of login/password combinations to access all these different services
• Need for a comfortable single sign-on (SSO) solution reflecting the specifics of biodiversity infrastructures

Source: http://switch.ch/aai/about/federation/

Join the federation as IdP and/or SP

• An Identity Provider (IdP) is responsible for an organisation's
  • secure user login and attribute delivery to SPs
  • integration of existing identity management solutions
  • data privacy management for user attributes (which attributes are released to which SP)
• A Service Provider (SP) provides cross-organisational access
  • to EDIT web resources for federated users
  • based on individual access control policies for resources
• Support and demo installations available
  • dedicated server and hosted web space environments
  • integration of Drupal, Spring, Trac, etc.
• Looking for further application scenarios
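The SP side of this arrangement, as an added example in Python that is not code from the EDIT project or from any Shibboleth/OpenSSO release: after the IdP's response has been received (and, in a real SP, its XML signature verified against federation metadata, which is omitted here), the SP checks the assertion's validity window and audience, discards scoped attribute values whose scope the issuing IdP is not entitled to assert, and evaluates an attribute-based access policy over the eduPerson attributes from the table above. The entity IDs, the scope list, the assertion and the policy are all constructed for the example; the OID attribute names are the standard SAML2 names for the eduPerson attributes.

```python
"""SP-side handling of a SAML assertion with eduPerson attributes (added example,
not EDIT or Shibboleth code): check conditions, enforce attribute scopes, apply ABAC."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
OID_TO_NAME = {  # SAML2 urn:oid attribute names -> eduPerson friendly names
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
}
# Values of these attributes carry a scope ("value@institution") that must
# belong to the asserting IdP (the shibmd:Scope entries in federation metadata).
SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}

# Constructed sample data: hypothetical entity IDs, scopes and access policy.
IDP_SCOPES = {"https://idp.example-garden.org/idp/shibboleth": {"example-garden.org"}}
SP_ENTITY_ID = "https://edit.example.org/shibboleth"
POLICY = {  # (resource, action) -> attribute values, any one of which permits it
    ("taxon-editor", "read"): {"eduPersonAffiliation": {"member"}},
    ("taxon-editor", "write"): {"eduPersonScopedAffiliation": {"staff@example-garden.org"}},
    ("herbarium-db", "write"): {"eduPersonScopedAffiliation": {"staff@other-university.org"}},
    ("admin-console", "write"): {"eduPersonPrincipalName": {"admin@example-garden.org"}},
}
# Constructed, unsigned, minimal assertion.  Signature verification against
# federation metadata must happen before any of this and is left out here.
# Note that the IdP also claims a staff affiliation at other-university.org.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2016-01-04T10:00:00Z">
  <saml:Issuer>https://idp.example-garden.org/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2016-01-04T09:59:00Z" NotOnOrAfter="2016-01-04T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://edit.example.org/shibboleth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>jdoe@example-garden.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>staff@example-garden.org</saml:AttributeValue>
      <saml:AttributeValue>staff@other-university.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_time(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def parse_assertion(xml_text):
    """Extract issuer, validity window, audiences and attribute values."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = OID_TO_NAME.get(attr.get("Name"), attr.get("Name"))
        attrs[name] = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS).strip(),
        "not_before": parse_time(cond.get("NotBefore")),
        "not_on_or_after": parse_time(cond.get("NotOnOrAfter")),
        "audiences": [a.text.strip() for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)],
        "attributes": attrs,
    }

def validate_conditions(assertion, expected_audience, now, skew=dt.timedelta(seconds=60)):
    """Return a rejection reason, or None if the assertion is for us and current."""
    if expected_audience not in assertion["audiences"]:
        return "audience mismatch"
    if now + skew < assertion["not_before"]:
        return "not yet valid"
    if now - skew >= assertion["not_on_or_after"]:
        return "expired"
    return None

def filter_scoped(attrs, allowed_scopes):
    """Drop scoped values whose scope the issuing IdP may not assert."""
    cleaned = {}
    for name, values in attrs.items():
        if name in SCOPED_ATTRIBUTES:
            values = [v for v in values
                      if "@" in v and v.rsplit("@", 1)[1].lower() in allowed_scopes]
        cleaned[name] = values
    return cleaned

def authorize(attrs, resource, action):
    """Default deny; permit when any policy attribute value is present."""
    rule = POLICY.get((resource, action))
    if rule is None:
        return False
    return any(set(attrs.get(name, ())) & wanted for name, wanted in rule.items())

def decide(xml_text, now, resource, action, expected_audience=SP_ENTITY_ID):
    """Full SP-side pipeline: returns (permitted, reason)."""
    assertion = parse_assertion(xml_text)
    problem = validate_conditions(assertion, expected_audience, now)
    if problem:
        return False, problem
    attrs = filter_scoped(assertion["attributes"], IDP_SCOPES.get(assertion["issuer"], set()))
    if authorize(attrs, resource, action):
        return True, "permit"
    return False, "policy denies %s on %s" % (action, resource)
```

Running `decide(SAMPLE_ASSERTION, parse_time("2016-01-04T10:01:00Z"), "herbarium-db", "write")` is the case worth studying: the assertion does contain `staff@other-university.org`, but the scope filter removes it because the example-garden.org IdP is not registered for that scope, so the write is denied. Without that step, any IdP in the federation could grant its users roles at every other institution, which is exactly why "identical attribute interpretation" and a common scope registry are federation-level requirements rather than per-SP choices. Clock skew is tolerated symmetrically on both condition bounds; the audience check comes first so that an assertion replayed from another SP is rejected even when it is still fresh.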

Information flow of the CSSO login procedure

Typical SAML-based federation infrastructure