Scheming - PowerPoint PPT Presentation
1
Scheming
  • How to extract lots of money from JISC
  • (see next year's OLDRoPe project)
  • How to really annoy people from Eduserv
  • (let's call the next shared service Carthage?)
  • How to get paid to go to lots of interesting
    foreign places
  • John Paschoud
  • LSE Library

2
Schemas
  • John Paschoud
  • LSE Library

3
What
  • Person description schemas
  • LDAP compliant / usable
  • (Lightweight Directory Access Protocol)
  • Of relevance to use of Shibboleth, and services
    around it
  • by a .AC.UK

4
Why
  • Interoperability
  • Interoperability
  • Interoperability
  • so we all know what "student" means
  • Because it's an essential foundation for
    production-scale IAM

5
Enterprise Directories
[Diagram: AD (network login users only, MS-specific classes) and LDAP (all users, generic classes); flow: 1 try AuthN, 2 try AuthN, 3 get role attribs]
  • Split user AuthN between AD and LDAP
  • Requires AuthBroker middleware to emulate a single
    AuthN directory service to IdP
  • Possible time penalty (waiting for 1st failed
    AuthN)

6
Privacy Issues
  • User / staff / student trust with Inst
  • Inst contracts with resource vendors
  • Third parties (like Eduserv-Athens)
  • Inst ARPs
  • Personal ARPs, informed consent
  • SHARPE (cf. Alex Reid) or other UIs for ARP
    control
  • How many users will take the trouble?
  • How can dynamic ARP be least intrusive to the
    processes of using info resources?

7
Authorisation Issues
  • What user attributes do current SPs expect?
  • or require?
  • Whatever you can reasonably give us!
  • Chris Shillum, Technical Director, ScienceDirect
  • (not a verbatim quote, but reflective of the
    attitudes of sensible commercial resource
    vendors, as expressed by CS)

8
eduPerson
  • (Michael Gettes, DukeU Internet2, USA)
  • Phoenix, AZ airport, February 2000
    (Hazelton,Gettes)
  • Designed for US higher-education
  • with Shibboleth type needs in mind
  • Adopted by Educause
  • Based largely on inetPerson, inetOrg

9
eduPerson examples
  • PrincipalName (ePPN)
  • PrimaryAffiliation
  • ScopedAffiliation
  • Entitlement
  • TargetedID

10
(eduOrg)
  • eduOrg Basic X.520 attributes
  • eduOrgHomePageURI, eduOrgIdentityAuthNPolicyURI,
    eduOrgLegalName,
  • Could extend to include URIs for common instl
    services
  • OpenURL-resolver, ShibIdentityProvider
  • Potential for an IEIR (Info Environment
    Institution Registry)???
  • paralleling the IESR ???
  • a super-WAYF ???

11
UKeduPerson
  • Output of JISC scoping study, Jun-2004
  • Strawman schema maintained (Feb-2005)
  • Informed by a range of instl consultation, plus
    existing documentation,
  • e.g. JISC Scoping study into Institutional
    Profiling and Terms Conditions services
  • www.angel.ac.uk/UKeduPerson

12
UKeduPerson example
13
SCHAC
  • (Diego Lopez, RedIRIS, Spain)
  • SCHema for Academia
  • Designed to support country-level IAM federations
    (AAIs)
  • allowing for other cross-domain uses
  • PKI, Grids, VOs
  • Yellow / White pages
  • Mail, IM, VidConf, Lists
  • TERENA EMC2 under development / comment
  • www.terena.nl/tech/task-forces/tf-emc2/schac.html

14
SCHAC examples
  • Personal characteristics
  • MotherTongue (ISO 639), Gender, DateOfBirth,
    CountryOfCitizenship (ISO 3166)
  • PersonalPosition (urn:SCHACPREFIX:position:umk.pl:
    programmer)
  • Contact information
  • HomeOrganization (domain name, RFC3035)
  • HomeOrganizationType (urn:SCHACPREFIX:homeOrgType:
    ch:vho)
  • UserPresenceID (urn:SCHACPREFIX:presence:sip:jose.
    perez@univx.es)
  • Student / Employee information
  • Linkage identifiers
  • PersonalUniqueID (urn:SCHACPREFIX:uniqueID:se:NIN:
    31241312L)
  • UUID (urn:uuid:550E8400-E29B-11D4-A716-44665544000
    0)
  • Confidentiality
  • UserPrivateAttribute

15
Problems of Implementing
  • What's in the real LDAP?
  • Who's going to look after this IdP?
  • better give them an Owner's Manual!
  • and is it fail-safe
  • enough (what's enough?)
  • When we mess with LDAP attributes for roles,
    what's gonna break?
  • Especially if the LDAP was really there for a
    special purpose, like MS-Exchange
  • Once you give it to users, it had better not
    break!

16
Quick Fixes
  • Existing production directories don't have to
    include eduPerson, for a Shib IdP to work
  • Minimum required attributes can be mapped /
    transformed, using IdP config
  • as long as the source data is somewhere in the
    existing directory

17
IdP config (resolver.xml)
<AttributeResolver>
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement">
    <DataConnectorDependency requires="directory"/>
  </SimpleAttributeDefinition>
  ...more unscoped attributes...
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                             smartScope="lse.ac.uk" sourceName="name">
    <DataConnectorDependency requires="directory"/>
  </SimpleAttributeDefinition>
  ... more scoped attributes ...
  <!-- Persistent ID attribute based on player number -->
  <PersistentIDAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonTargetedID"
                                   scope="lse.ac.uk" sourceName="employeeID">
    <DataConnectorDependency requires="directory"/>
    <Salt keyStorePath="file:///etc/shibboleth/persistent.jks" keyStoreKeyAlias="shib-salt"
          keyStorePassword="shibhs" keyStoreKeyPassword="shibhs"/>
  </PersistentIDAttributeDefinition>
  <JNDIDirectoryDataConnector id="directory">
    <Search filter="cn=%PRINCIPAL%">
      <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
    </Search>
    <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
    <Property name="java.naming.provider.url" value="ldap://ad4.lse.ac.uk/cn=Users,dc=lse,dc=ac,dc=uk" />
    <Property name="java.naming.security.principal" value="cn=shibaccount,cn=Users,dc=lse,dc=ac,dc=uk" />
    <Property name="java.naming.security.credentials" value="pwd" />
  </JNDIDirectoryDataConnector>
</AttributeResolver>
Example page from Shib for SysAdmins guide
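As an added illustration (not from the slides and not Shibboleth's own code), this Python emulation shows what the three definition types in the resolver above do to one constructed directory entry: a plain copy, a smartScope suffix, and a salted per-SP TargetedID. The entry values, the salt and the exact hash construction are assumptions.

```python
"""Emulation of the resolver.xml above: what each definition type does to one
directory entry. Added example, not from the slides or Shibboleth's own code."""
import base64
import hashlib

# Constructed directory entry, as the JNDIDirectoryDataConnector might return
# it for the cn=%PRINCIPAL% search (all values are made up).
DIRECTORY_ENTRY = {
    "name": "jpaschoud",
    "employeeID": "0012345",
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
    "msExchMailboxGuid": "constructed-guid",  # MS-specific, never released
}
SCOPE = "lse.ac.uk"
# Stands in for the 'shib-salt' key in persistent.jks; the real salt must be
# generated randomly and kept secret, or TargetedIDs become linkable across SPs.
SALT = b"example-salt-not-a-real-one"


def simple_attribute(entry, source_name):
    """SimpleAttributeDefinition: copy values straight from the directory."""
    values = entry.get(source_name, [])
    return list(values) if isinstance(values, list) else [values]


def scoped_attribute(entry, source_name, scope):
    """SimpleAttributeDefinition with smartScope: value becomes user@scope."""
    return [f"{v}@{scope}" for v in simple_attribute(entry, source_name)]


def targeted_id(entry, source_name, requester, salt):
    """PersistentIDAttributeDefinition, approximated: a salted hash over the
    local identifier and the requesting SP, so each SP sees a stable value
    that differs per SP (Shibboleth's exact hash input is an assumption here)."""
    local_id = simple_attribute(entry, source_name)[0]
    material = salt + b"!" + local_id.encode() + b"!" + requester.encode()
    return base64.b64encode(hashlib.sha256(material).digest()).decode()


def resolve(entry, requester):
    """Attributes the IdP would hand to the ARP stage for this requester."""
    return {
        "eduPersonEntitlement": simple_attribute(entry, "eduPersonEntitlement"),
        "eduPersonPrincipalName": scoped_attribute(entry, "name", SCOPE),
        "eduPersonTargetedID": [targeted_id(entry, "employeeID", requester, SALT)],
    }
```

Running resolve() for two different requesters shows the same ePPN and entitlement but two unrelated TargetedIDs, while the MS-specific attribute never leaves the directory.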
18
Towards (UK) Federation
  • Who should be involved (consulted) in refining
    and implementing the draft UKeduPerson?
  • For technical input?
  • To engage their participation?
  • How must the UKeduPerson draft be extended to
    support Grid applications?
  • What set of user attributes will be required of
    IdPs wanting to join a UK production federation?
  • 2006-08 longer-term?
  • (ideally) based on a simple subset of eduPerson
  • Over to you

19
Well???
20
Credits
  • Michael Gettes, Duke U Internet2
  • Diego Lopez, RedIRIS
  • Simon McLeish, LSE Library
  • Chris Shillum, Elsevier
  • Masha Garibyan, LSE Library
  • The IT infrastructure maintainers-on-the-wing,
    LSE
  • Alan Robiette, JISC (retired)
  • Questions, suggestions, afterthoughts
  • j.paschoud@LSE.ac.uk