Shibboleth Development and Support Services
SAML Protected Resources
The theory and practice of
granularity and
management data
Ed Dee
EDINA
JIBS User Group 16 June 2010 2
EDINA
• Service provider
– Digimap, Film & Sound Online, etc…
• Identity provider
– Various
• Federated Access
– SDSS Federation
– UKAMF: Metadata Management & Tech. Support
Where lies the guilt
[Pie chart: Service providers; Identity providers; UK Access Management Federation; User Community, with shares shown as 50%, 30%, 10% and 10%]
Granularity and lack of management data from SAML protected resources
SAML
• Security Assertion Markup Language
• Standard for exchanging authentication and authorisation information
• Identity Provider
• Service Provider
The Questions
“Pussy cat, pussy cat, where have you been?”
“I’ve been down to London to visit the Queen.”
“Pussy cat, pussy cat, what did you there?”
“I frightened a little mouse under her chair.”
Shibboleth flow diagram
Technical stuff
[Diagram: User, Identity Provider and Service Provider in front of the Resource; SAML Dialogue between IdP and SP; Attribute Database and Authorisation Database; Federation Metadata consumed on both sides]
SAML Dialogue
• Uninteresting (to us):
– Initiation/Termination
– Security
• Interesting (to us):
– Scope information: institution/service (‘who are you’)
– Attributes: user-specific information
Q1: Pussy cat pussy cat where have you been?
• From the IdP:
– What resources are being used
– Who is using them
• Shibboleth 2.x IdPs only
– Not outsourced IdPs
– Not non-Shibboleth IdPs
– Not Shibboleth 1.3 IdPs (end of support life: 30 June 2010)
Q1: Pussy cat pussy cat where have you been?
• Shibboleth 2 IdP audit log
– Who (ePPN)
– When (time stamp)
– What (relying party id)
• https://spaces.internet2.edu/display/SHIB2/IdPLogging
[Diagram: Analysis Application combining Federation Metadata, Attribute Database and Audit Log(s) into Access Reports]
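As an added example (not from the talk or from the Shibboleth project), a small Python report over constructed Shibboleth 2 IdP audit log lines that joins the who/when/what fields with a stand-in for federation metadata to give per-service access counts; the pipe-delimited field positions are an assumption taken from the IdPLogging page linked above, and every log line, entityID and user name is constructed.

```python
"""Added example (not from the slides): build the who/when/what access report
described above from Shibboleth 2 IdP audit log lines. Assumptions: the
pipe-delimited Shibboleth 2 audit layout (see the IdPLogging link above) with
timestamp in field 0, relying party entityID in field 3, principal in field 8;
all log lines and the metadata table below are constructed, not real data."""
from collections import Counter, defaultdict
from datetime import datetime

TIME, RELYING_PARTY, PRINCIPAL = 0, 3, 8  # assumed field positions
SP_A = "https://sp.digimap.example/shibboleth"   # constructed entityIDs
SP_B = "https://sp.fso.example/shibboleth"
SP_X = "https://sp.unknown.example/shibboleth"  # deliberately not in METADATA

def _line(when, sp, who):  # one constructed audit line in the assumed order
    return (f"{when}|HTTP-Redirect|_req|{sp}|saml2:sso|https://idp.example.ac.uk/idp/"
            f"shibboleth|HTTP-POST|_resp|{who}|PasswordProtectedTransport|"
            "eduPersonScopedAffiliation,eduPersonTargetedID,|_nid|_asn,|")

AUDIT_LOG = "\n".join([
    _line("20100616T090000Z", SP_A, "jsmith"),
    _line("20100616T093000Z", SP_A, "ajones"),
    _line("20100616T100000Z", SP_B, "jsmith"),
    "truncated line without fields",  # must be skipped, not miscounted
    _line("20100616T101500Z", SP_A, "jsmith"),
    _line("20100616T110000Z", SP_X, "ajones"),
])
# Constructed stand-in for federation metadata: entityID -> display name
METADATA = {SP_A: "EDINA Digimap", SP_B: "Film & Sound Online"}

def parse_audit(text):
    """Yield (when, relying_party, principal) for each well-formed line."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) <= PRINCIPAL or not fields[RELYING_PARTY]:
            continue
        when = datetime.strptime(fields[TIME], "%Y%m%dT%H%M%SZ")
        yield when, fields[RELYING_PARTY], fields[PRINCIPAL]

def access_report(text, metadata=METADATA):
    """Per relying party: logins, distinct users, first/last seen.
    Unknown entityIDs stay keyed by raw entityID so nothing is silently lost."""
    logins, users, first, last = Counter(), defaultdict(set), {}, {}
    for when, rp, who in parse_audit(text):
        name = metadata.get(rp, rp)
        logins[name] += 1
        users[name].add(who)
        first[name] = min(first.get(name, when), when)
        last[name] = max(last.get(name, when), when)
    return {n: {"logins": logins[n], "users": len(users[n]),
                "first": first[n].isoformat(), "last": last[n].isoformat()}
            for n in logins}
```

The distinct-user count is per relying party only because the ePPN is the IdP's own view of the user; an SP receiving a targeted ID could not produce the same join.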
Tools
• Project Raptor
– Software toolkit for reporting e-resource usage statistics
– Shibboleth 2 IdPs & EZproxy
– http://iam.cf.ac.uk/trac/RAPTOR
– JISC + Cardiff University + Kidderminster College
– V1.0 due Feb 2011
Q2: Pussy cat pussy cat what did you there?
• Cannot come from IdP
• Must come from SP
– What does SP know about user
[Diagram: Identity Provider with its Attribute Database releases Attributes to the Service Provider; the User reaches the Resource through the Service Provider]
Attributes: eduPerson Object Class
– Core: Targeted ID, Principal name, [Scoped] Affiliation, Entitlement
– Other: Nick name, Org [Unit] DN
http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200604.html
Granularity: Core Attributes
– [Scoped] Affiliation
Scope
Member | {Staff | Student | Employee | Affiliate | Alum | library-walk-in}
– Entitlement
Service- and user-specific conditions
• urn:mace:dir:entitlement:common-lib-terms
On Passing Attributes
Photo: Library of Virginia / Flickr
EDINA Digimap
– [Scoped] Affiliation
– Targeted ID
– Principal Name
– Title
– Givenname
– Sn [surname]
– O [organisation]
– Ou [organisational unit]
http://www.ukfederation.org.uk/content/Documents/AttributeUsage
Reality
[Diagram: Identity Provider → Attribute Release Policy → Service Provider]
Reality
• Most IdPs give out only:
– [Scoped] Affiliation: organisational affiliation (ePSA)
• SP cannot determine department etc.
• ePSA often just [email protected]
– Targeted ID: service-specific, opaque ID (ePTI)
• SP cannot determine user
• SP cannot correlate usage between services
• Many IdPs cannot handle entitlement
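Added example, not from the talk or from the Shibboleth project: Python illustrating why these two attributes give an SP so little to work with. It assumes the computed-ID construction Shibboleth 2 uses for eduPersonTargetedID (base64 of SHA-1 over spEntityID!sourceId!salt, as I understand it) and uses constructed user names, entityIDs and salt.

```python
"""Added example (not from the slides): what an SP actually learns from the two
attributes most IdPs release. Assumptions: eduPersonTargetedID is derived the
way Shibboleth 2's ComputedId connector does it as I understand it, base64 of
SHA-1 over "<spEntityID>!<sourceId>!<salt>"; all identifiers and the salt are
constructed values."""
import base64
import hashlib

def computed_targeted_id(sp_entity_id, source_id, salt):
    """Opaque per-SP identifier: stable for one SP, unrelated across SPs."""
    h = hashlib.sha1()
    h.update(f"{sp_entity_id}!{source_id}!".encode())
    h.update(salt)
    return base64.b64encode(h.digest()).decode()

def parse_scoped_affiliation(value):
    """Split 'member@inst.ac.uk' into (affiliation, scope).
    The scope is the institution; nothing finer (department etc.) is present."""
    affiliation, sep, scope = value.partition("@")
    if not sep or not scope:
        raise ValueError(f"ePSA value has no scope: {value!r}")
    return affiliation.lower(), scope.lower()

def shared_ids(ids_at_sp_a, ids_at_sp_b):
    """ePTI values two SPs could join on; expected to be empty."""
    return set(ids_at_sp_a) & set(ids_at_sp_b)

SALT = b"constructed-salt-not-a-real-idp-secret"   # constructed
USERS = ["jsmith", "ajones"]                         # constructed
DIGIMAP = "https://sp.digimap.example/shibboleth"    # constructed entityIDs
FSO = "https://sp.fso.example/shibboleth"

def demo():
    at_digimap = [computed_targeted_id(DIGIMAP, u, SALT) for u in USERS]
    at_fso = [computed_targeted_id(FSO, u, SALT) for u in USERS]
    return {
        # same user and SP on a later visit -> same ID (usable for personalisation)
        "stable_per_sp": at_digimap == [computed_targeted_id(DIGIMAP, u, SALT) for u in USERS],
        # same users, other SP -> no common values (no cross-service correlation)
        "joinable_across_sps": len(shared_ids(at_digimap, at_fso)),
        # SP sees only the affiliation and the institutional scope
        "epsa": parse_scoped_affiliation("Member@inst.example.ac.uk"),
    }
```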
“No one really asks us much for ARP changes” – IdP administrator
Why?
• IdPs
– Fear of Data Protection legislation
– No inclination; No capabilities
– No SPs ask for it
• SPs
– Not available from IdPs
– No use for data
Stable Deadlock
Too hard to ask, so SPs don’t
IdPs get no requests, think all is well
What Do SPs Do
• Personalisation
– Registration system
– Registration database
• Usage Statistics
– Merge logs and registration details
• EDINA Digimap
– Users / Status / Department
Attribute Release Progression
Basic Attributes → Extended Attributes → Personal Attributes
Towards agreement
• Forums
– Small scale
– Application-area specific
– Agree what is desirable
– Agree what is possible
– Experiment, agree, deploy, not theorise:
• No Top-down Dictate
NESLi2
• JISC Statistics Portal
– Cranfield, Birmingham City University, MIMAS
– Database/Journal/article level reporting
– Oct 2009 – Dec 2010
– "one-stop shop" [where they] could go to view and download their own usage reports from NESLi2 publishers
– http://www.jusp.mimas.ac.uk/
Granularity & Management Data
• Technically, capabilities exist
• “Natural restful inertia”: the problem is large
– UKAMF: 800+ members
• 440+ SPs
• 630+ IdPs
• User driven
• Tackle from the bottom up