Title: Scheming
1. Scheming
- How to extract lots of money from JISC
- (see next year's OLDRoPe project)
- How to really annoy people from Eduserv
- (let's call the next shared service Carthage?)
- How to get paid to go to lots of interesting foreign places
- John Paschoud
- LSE Library
2. Schemas
- John Paschoud
- LSE Library
3. What
- Person description schemas
- LDAP compliant / usable
- (Lightweight Directory Access Protocol)
- Of relevance to use of Shibboleth, and services around it, by a .AC.UK
4. Why
- Interoperability
- Interoperability
- Interoperability
- so we all know what "student" means
- Because it's an essential foundation for production-scale IAM
5. Enterprise Directories
(Diagram labels: network login users (only); MS-specific classes; all users; generic classes; 1 try AuthN; 2 try AuthN; 3 get role attribs)
- Split user AuthN between AD and LDAP
- Requires AuthBroker middleware to emulate a single AuthN directory service to the IdP
- Possible time penalty (waiting for 1st failed AuthN)
6. Privacy Issues
- User / staff / student trust with Inst
- Inst contracts with resource vendors
- Third parties (like Eduserv-Athens)
- Inst ARPs
- Personal ARPs, informed consent
- SHARPE (cf. Alex Reid) or other UIs for ARP control
- How many users will take the trouble?
- How can dynamic ARP be least intrusive to the processes of using info resources?
7. Authorisation Issues
- What user attributes do current SPs expect?
- or require?
- "Whatever you can reasonably give us!"
- Chris Shillum, Technical Director, ScienceDirect
- (not a verbatim quote, but reflective of the attitudes of sensible commercial resource vendors, as expressed by CS)
8. eduPerson
- (Michael Gettes, DukeU Internet2, USA)
- Phoenix, AZ airport, February 2000 (Hazelton, Gettes)
- Designed for US higher-education
- with Shibboleth type needs in mind
- Adopted by Educause
- Based largely on inetPerson, inetOrg
9. eduPerson examples
- PrincipalName (ePPN)
- PrimaryAffiliation
- ScopedAffiliation
- Entitlement
- TargetedID
10. (eduOrg)
- eduOrg Basic X.520 attributes
- eduOrgHomePageURI, eduOrgIdentityAuthNPolicyURI, eduOrgLegalName
- Could extend to include URIs for common institutional services
- OpenURL-resolver, ShibIdentityProvider
- Potential for an IEIR (Info Environment Institution Registry)???
- paralleling the IESR ???
- a super-WAYF ???
11. UKeduPerson
- Output of JISC scoping study, Jun-2004
- Strawman schema maintained (Feb-2005)
- Informed by a range of institutional consultation, plus existing documentation
- e.g. JISC Scoping study into Institutional Profiling and Terms and Conditions services
- www.angel.ac.uk/UKeduPerson
12. UKeduPerson example
13. SCHAC
- (Diego Lopez, RedIRIS, Spain)
- SCHema for Academia
- Designed to support country-level IAM federations (AAIs)
- allowing for other cross-domain uses
- PKI, Grids, VOs
- Yellow / White pages
- Mail, IM, VidConf, Lists
- TERENA EMC2 under development / comment
- www.terena.nl/tech/task-forces/tf-emc2/schac.html
14. SCHAC examples
- Personal characteristics
- MotherTongue (ISO 639)
- Gender
- DateOfBirth
- CountryOfCitizenship (ISO 3166)
- PersonalPosition (urn:SCHAC:PREFIX:position:umk.pl:programmer)
- Contact information
- HomeOrganization (domain name, RFC3035)
- HomeOrganizationType (urn:SCHAC:PREFIX:homeOrgType:ch:vho)
- UserPresenceID (urn:SCHAC:PREFIX:presence:sip:jose.perez_at_univx.es)
- Student / Employee information
- Linkage identifiers
- PersonalUniqueID (urn:SCHAC:PREFIX:uniqueID:se:NIN:31241312L)
- UUID (urn:uuid:550E8400-E29B-11D4-A716-446655440000)
- Confidentiality
- UserPrivateAttribute
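The scoped values on the eduPerson slide (ScopedAffiliation) and the URN-structured values on the SCHAC slide only deliver interoperability if the receiving side checks their shape, and an SP must also check that the scope an IdP asserts is one it is entitled to assert. The following is an added example, not code from the slides or from the Shibboleth or SCHAC projects; PERMITTED_SCOPES stands in for the scope list a federation's metadata would carry for this IdP, and "urn:SCHAC:PREFIX:" is used exactly as the placeholder on the slide rather than a registered prefix.

```python
"""Checks a relying party can apply to scoped and URN-valued attribute values
before trusting them (added example, not part of the slides)."""
import re

# Assumed: the scopes federation metadata permits this IdP to assert.
PERMITTED_SCOPES = {"lse.ac.uk"}

# eduPerson's controlled vocabulary for eduPersonAffiliation.
EDUPERSON_AFFILIATIONS = {
    "faculty", "student", "staff", "employee",
    "member", "affiliate", "alum", "library-walk-in",
}

# Placeholder prefix taken from the SCHAC slide, not a registered URN prefix.
SCHAC_PREFIX = "urn:SCHAC:PREFIX:"
ISO_3166_ALPHA2 = re.compile(r"^[a-z]{2}$")


def parse_scoped(value):
    """Split 'staff@lse.ac.uk' into ('staff', 'lse.ac.uk'); None if malformed.

    Exactly one '@' with both halves non-empty, so 'x@a@b' is rejected rather
    than silently scoped to whichever half a looser split would pick."""
    if not isinstance(value, str) or value.count("@") != 1:
        return None
    left, scope = value.split("@")
    if not left or not scope:
        return None
    return left, scope.lower()


def accept_scoped_affiliation(value, permitted=PERMITTED_SCOPES):
    """True only for a well-formed value, a known affiliation, and a scope
    this IdP may assert (anything else is treated as untrusted)."""
    parsed = parse_scoped(value)
    if parsed is None:
        return False
    affiliation, scope = parsed
    return affiliation in EDUPERSON_AFFILIATIONS and scope in permitted


def parse_schac(value):
    """Split a SCHAC URN value into (attribute, components), e.g.
    'urn:SCHAC:PREFIX:uniqueID:se:NIN:31241312L' ->
    ('uniqueID', ['se', 'NIN', '31241312L']); None if malformed."""
    if not isinstance(value, str) or not value.startswith(SCHAC_PREFIX):
        return None
    parts = value[len(SCHAC_PREFIX):].split(":")
    if len(parts) < 2 or any(not p for p in parts):
        return None
    return parts[0], parts[1:]


def accept_personal_unique_id(value):
    """schacPersonalUniqueID shape: uniqueID : <ISO 3166 country> : <id type> : <id>."""
    parsed = parse_schac(value)
    if parsed is None or parsed[0] != "uniqueID":
        return False
    components = parsed[1]
    return len(components) == 3 and bool(ISO_3166_ALPHA2.match(components[0]))
```

The scope comparison is case-insensitive because DNS-style scopes are, while the affiliation vocabulary is matched exactly, since eduPerson defines those values in lower case and a looser match would let unknown values through.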
15. Problems of Implementing
- What's in the real LDAP?
- Who's going to look after this IdP?
- better give them an Owner's Manual!
- and is it fail-safe
- enough (what's enough?)
- When we mess with LDAP attributes for roles, what's gonna break?
- Especially if the LDAP was really there for a special purpose, like MS-Exchange
- Once you give it to users, it had better not break!
16. Quick Fixes
- Existing production directories don't have to include eduPerson for a Shib IdP to work
- Minimum required attributes can be mapped / transformed, using IdP config
- as long as the source data is somewhere in the existing directory
17. IdP config (resolver.xml)

    <AttributeResolver>
      <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement">
        <DataConnectorDependency requires="directory"/>
      </SimpleAttributeDefinition>

      ...more unscoped attributes...

      <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                                 smartScope="lse.ac.uk" sourceName="name">
        <DataConnectorDependency requires="directory"/>
      </SimpleAttributeDefinition>

      ... more scoped attributes ...

      <!-- Persistent ID attribute based on player number -->
      <PersistentIDAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonTargetedID"
                                       scope="lse.ac.uk" sourceName="employeeID">
        <DataConnectorDependency requires="directory"/>
        <Salt keyStorePath="file:///etc/shibboleth/persistent.jks"
              keyStoreKeyAlias="shib-salt"
              keyStorePassword="shibhs"
              keyStoreKeyPassword="shibhs"/>
      </PersistentIDAttributeDefinition>

      <JNDIDirectoryDataConnector id="directory">
        <Search filter="cn=%PRINCIPAL%">
          <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
        </Search>
        <Property name="java.naming.factory.initial"
                  value="com.sun.jndi.ldap.LdapCtxFactory" />
        <Property name="java.naming.provider.url"
                  value="ldap://ad4.lse.ac.uk/cn=Users,dc=lse,dc=ac,dc=uk" />
        <Property name="java.naming.security.principal"
                  value="cn=shibaccount,cn=Users,dc=lse,dc=ac,dc=uk" />
        <Property name="java.naming.security.credentials"
                  value="pwd" />
      </JNDIDirectoryDataConnector>
    </AttributeResolver>
Example page from Shib for SysAdmins guide
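What the resolver config above does in three steps (look the principal up in the existing directory, map and scope what it finds into eduPerson attributes, derive an opaque per-SP eduPersonTargetedID from employeeID plus a salt) and what the Privacy Issues slide calls an ARP (deciding per SP which of those attributes are released) can be shown together. The following is an added example written for this page, not the slides' or the Shibboleth project's code. DIRECTORY stands in for the result of the cn=%PRINCIPAL% search, SALT for the key the config loads from persistent.jks, the two SP entityIDs and the ARP table are invented, and the targeted-ID construction is an HMAC chosen to show the property the attribute is meant to have (stable for one SP, different across SPs, not reversible to employeeID); it is not a claim about the exact digest Shibboleth 1.x uses.

```python
"""Attribute resolution from an existing directory, opaque per-SP identifier,
and per-SP attribute release (added example, not the slides' or Shibboleth's code)."""
import base64
import hashlib
import hmac

SCOPE = "lse.ac.uk"
SALT = b"constructed-salt-do-not-use"   # stands in for the keystore salt

# Constructed entries: only attributes a production AD already holds,
# no eduPerson object class, as the Quick Fixes slide describes.
DIRECTORY = {
    "jsmith": {
        "name": "jsmith",
        "employeeID": "10042",
        "mail": "j.smith@lse.ac.uk",
        "memberOf": ["CN=Staff,CN=Users,DC=lse,DC=ac,DC=uk"],
    },
    "astudent": {
        "name": "astudent",
        "employeeID": "20077",
        "mail": "a.student@lse.ac.uk",
        "memberOf": ["CN=Students,CN=Users,DC=lse,DC=ac,DC=uk"],
    },
}

# The "mapped / transformed using IdP config" step: existing group DNs
# become eduPerson affiliation values (constructed mapping).
GROUP_TO_AFFILIATION = {
    "CN=Staff,CN=Users,DC=lse,DC=ac,DC=uk": "staff",
    "CN=Students,CN=Users,DC=lse,DC=ac,DC=uk": "student",
}

# Constructed institutional ARP: per-SP allow-list, default deny.
ARP = {
    "https://sp-a.example/shibboleth": {"eduPersonScopedAffiliation", "eduPersonTargetedID"},
    "https://sp-b.example/shibboleth": {"eduPersonPrincipalName", "mail", "eduPersonScopedAffiliation"},
}


def persistent_id(salt, sp_entity_id, source_value):
    """Opaque per-SP identifier: keyed hash over (SP entityID, source value).

    Without the salt an SP cannot recover employeeID, and two SPs cannot
    correlate their values, which is the point of a targeted ID."""
    message = f"{sp_entity_id}!{source_value}".encode()
    digest = hmac.new(salt, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def resolve(principal, sp_entity_id):
    """Build eduPerson attributes for one principal and one SP; None if unknown."""
    entry = DIRECTORY.get(principal)
    if entry is None:
        return None
    affiliations = sorted({GROUP_TO_AFFILIATION[g] for g in entry["memberOf"]
                           if g in GROUP_TO_AFFILIATION})
    if affiliations:
        affiliations.append("member")   # any recognised affiliation implies member
    return {
        "eduPersonPrincipalName": f"{entry['name']}@{SCOPE}",
        "eduPersonScopedAffiliation": [f"{a}@{SCOPE}" for a in affiliations],
        "eduPersonTargetedID": f"{persistent_id(SALT, sp_entity_id, entry['employeeID'])}@{SCOPE}",
        "mail": entry["mail"],
    }


def release(attributes, sp_entity_id):
    """Apply the ARP: only attributes listed for this SP leave the IdP."""
    allowed = ARP.get(sp_entity_id, set())
    return {name: value for name, value in attributes.items() if name in allowed}


if __name__ == "__main__":
    for sp in ARP:
        print(sp, release(resolve("jsmith", sp), sp))
```

Running the block shows sp-a receiving only an affiliation and an opaque identifier while sp-b receives the principal name and mail address, and an SP not in the ARP receiving nothing, which is the default the Privacy Issues slide argues for.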
18. Towards (UK) Federation
- Who should be involved (consulted) in refining and implementing the draft UKeduPerson?
- For technical input?
- To engage their participation?
- How must the UKeduPerson draft be extended to support Grid applications?
- What set of user attributes will be required of IdPs wanting to join a UK production federation?
- 2006-08 longer-term?
- (ideally) based on a simple subset of eduPerson
- Over to you
19. Well???
20. Credits
- Michael Gettes, Duke U Internet2
- Diego Lopez, RedIRIS
- Simon McLeish, LSE Library
- Chris Shillum, Elsevier
- Masha Garibyan, LSE Library
- The IT infrastructure maintainers-on-the-wing, LSE
- Alan Robiette, JISC (retired)
- Questions, suggestions, afterthoughts
- j.paschoud_at_LSE.ac.uk