1345 1400 Fiona Culloch Edina Case Study



  1. Slide 1: Case Study - EDINA
     Fiona Culloch, EDINA
     JISC Services Briefing Day, Birmingham, 28 September 2007
  2. Slide 2: EDINA Services
     • EDINA develops and hosts services based on licensed data content:
       - Geographic (Digimap, UKBORDERS, …)
       - Bibliographic (Times Index, CAB Abstracts, LLL)
       - Multimedia (Film & Sound Online, EIG)
       - Repositories (JORUM, The Depot)
     • Customer institutions take out subscriptions
     • Authentication by IP address, Athens, UK federation
  3. Slide 8: The Authorisation Decision
     • IP address:
       - EDINA maintains its own list of valid address ranges corresponding to each subscribing institution
     • Athens:
       - Eduserv central table of institutions vs services; they tell us whether a user is authorised for our service
     • UK federation:
       - How do we decide if a user is from a subscribing org?
       - It's our problem (like with IP, not like Athens)
  4. Slide 9: What You Can't Assume
     • Just because someone has an ID within the federation:
       - Doesn't mean they are necessarily entitled to use your service (they may be from a non-subscribing institution)
       - They may not even be from "the community" (e.g., anyone can get a ProtectNetwork or TypeKey ID)
       - They may not be an identifiable real-world person: only true if the identity provider claims user accountability
     • So it's up to you to check all this. How?
  5. Slide 10: Identifying User's Organisation
     • eduPersonScopedAffiliation attribute (in env. var.):
       - student@ed.ac.uk
     • Scope (ed.ac.uk), a.k.a. "security domain," is:
       - Restricted by federation policy to be a DNS name belonging to a real-world member organisation
       - Published in federation metadata for those IdPs that may use it; other IdPs can't (enforced by SP s/w)
       - Intended for use by SPs to discover the user's org.
       - Easily referenced within a licence agreement
  6. Slide 11: Affiliations in HE/FE
     • Affiliation (student): user's relation to organisation.
     • Maps to categories in JISC Model Licence:

       Affiliation   JISC Model Licence category
       alum          Not authorised
       affiliate     Not authorised
       member        Authorised
       employee      Authorised
       faculty       Authorised
       staff         Authorised
       student       Authorised
  7. Slide 12: Authorisation, Organisation Tables
     • EDINA login scripts (Perl) implement business rules for access, using a file that maps scopes to authorised services:
         ed.ac.uk:    eig jorum media statacc …
         leeds.ac.uk: eig media mediamedical …
         ox.ac.uk:    jorum media
     • If you already have internal customer codes, you need a mapping from scopes to those, e.g.:
         ed.ac.uk:    edu
         leeds.ac.uk: lee
         ox.ac.uk:    oxu
     • Service providers must invent these wheels themselves. Neither Shibboleth nor the federation can do it for you.
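The decision rules of slides 9 to 12, as an added example in Python (this is not EDINA's Perl login script, and the two lookup tables are constructed sample data built from the fragments on slide 12). It assumes the attribute value arrives the way the Shibboleth SP exposes multi-valued attributes in an environment variable, as values joined by ";", and it assumes, as slide 10 says, that the SP has already rejected any scope the asserting IdP is not entitled to use in federation metadata. What it adds to the slides is the order of checks and the failure modes: a missing attribute, an unknown scope, a subscribing scope with no licence for the requested service, and an affiliation (alum, affiliate) the JISC Model Licence does not authorise.

```python
"""Authorisation decision from eduPersonScopedAffiliation (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# JISC Model Licence categories (slide 11).
AUTHORISED_AFFILIATIONS = {"member", "employee", "faculty", "staff", "student"}
NOT_AUTHORISED_AFFILIATIONS = {"alum", "affiliate"}

# Constructed sample of the scope -> authorised services file (slide 12).
SCOPE_TO_SERVICES = {
    "ed.ac.uk": {"eig", "jorum", "media", "statacc"},
    "leeds.ac.uk": {"eig", "media", "mediamedical"},
    "ox.ac.uk": {"jorum", "media"},
}

# Constructed sample of the scope -> internal customer code mapping (slide 12).
SCOPE_TO_ORG_CODE = {"ed.ac.uk": "edu", "leeds.ac.uk": "lee", "ox.ac.uk": "oxu"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    org_code: Optional[str] = None


def parse_scoped_affiliations(raw: Optional[str]) -> List[Tuple[str, str]]:
    """Split the env-var value into (affiliation, scope) pairs, lower-cased.

    Assumes the Shibboleth SP's ';'-joined form for multiple values.
    Values without an '@' or with an empty half are skipped rather than
    treated as a wildcard.
    """
    pairs = []
    for value in (raw or "").split(";"):
        value = value.strip()
        if "@" not in value:
            continue
        affiliation, _, scope = value.partition("@")
        if affiliation and scope:
            pairs.append((affiliation.lower(), scope.lower()))
    return pairs


def authorise(raw_scoped_affiliation: Optional[str], service: str) -> Decision:
    """Decide whether this user may use `service`.

    Slide 9: a federation ID alone proves nothing. The scope must belong to
    a subscribing organisation, that organisation must hold a licence for
    this service, and the affiliation must be one the licence authorises.
    The first value that passes all three checks grants access.
    """
    pairs = parse_scoped_affiliations(raw_scoped_affiliation)
    if not pairs:
        return Decision(False, "no eduPersonScopedAffiliation supplied")

    reasons = []
    for affiliation, scope in pairs:
        if scope not in SCOPE_TO_SERVICES:
            reasons.append(f"{scope}: not a subscribing organisation")
            continue
        if service not in SCOPE_TO_SERVICES[scope]:
            reasons.append(f"{scope}: no subscription to {service}")
            continue
        if affiliation not in AUTHORISED_AFFILIATIONS:
            reasons.append(f"{affiliation}@{scope}: affiliation not authorised")
            continue
        return Decision(True, f"{affiliation}@{scope} authorised for {service}",
                        SCOPE_TO_ORG_CODE.get(scope))
    return Decision(False, "; ".join(reasons))


if __name__ == "__main__":
    for raw, svc in [("student@ed.ac.uk", "jorum"), ("alum@ed.ac.uk", "jorum"),
                     ("student@ox.ac.uk", "eig"), ("member@example.org", "media"),
                     ("alum@ed.ac.uk;staff@leeds.ac.uk", "media"), (None, "media")]:
        d = authorise(raw, svc)
        print(f"{raw!r:40} {svc:8} -> {d.allowed} ({d.reason}) org={d.org_code}")
```

Returning the internal org code alongside the decision is what lets the login script hand off to existing subscription records keyed by that code, which is the second mapping slide 12 describes.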
  8. Slide 13: EDINA Experience
     • Initially, we generated these scope mapping files by hand
     • But we had an existing DB of subscription info., keyed by internal org. code (cam, dur, liv, …)
     • This DB happened to contain e-mail addresses of local contacts at these organisations (and therefore DNS names)
     • So we now automatically generate scope-to-licence and scope-to-org-code mappings from this DB and the federation metadata (with manual approval of changes in case of accidents)
     • You may not be so lucky and may need to change existing DBs (and populate them) to include federation scope info.
  9. Slide 14: User Accountability
     • This is a property of the IdP, not of individual users; therefore, it's not a user attribute
     • Only need to worry if you care about traceability
     • Proposal with Shibboleth core team for attributes about IdPs (expressed in metadata, distinguishable from user attributes), possibly in Shibboleth 2.x
     • Meantime, must write own XSLT transform to extract entityIDs with <AccountableUsers> label from metadata (Digimap will do this).
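Slides 13 and 14 both turn federation metadata into SP-side tables: which scopes each IdP is entitled to assert (the input to the automatic scope mapping on slide 13) and which IdPs carry the AccountableUsers label (slide 14). This added example does that extraction with Python's standard XML parser rather than the XSLT transform the slide mentions; it is not EDINA's or the federation's own tooling. The metadata document is a constructed sample with invented entityIDs and scopes; the SAML metadata and shibmd:Scope namespaces are the standard ones, and the ukfedlabel namespace URI is assumed to be the one the UK federation publishes for its label elements (verify it against the current metadata before relying on it). It also shows the caveat a practitioner wants: accountability is decided for the scope's IdP, never from anything the user asserts, and scopes marked regexp="true" are left out because they do not name a single organisation.

```python
"""Scopes and AccountableUsers labels from SAML metadata (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    # Assumed UK federation label namespace; confirm against live metadata.
    "ukfedlabel": "http://ukfederation.org.uk/2006/11/label",
}

# Constructed sample metadata: two IdPs (one accountable) and one SP.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:ukfedlabel="http://ukfederation.org.uk/2006/11/label"
    Name="urn:example:constructed-federation">
  <md:EntityDescriptor entityID="https://idp.example-uni.ac.uk/shibboleth">
    <md:Extensions>
      <ukfedlabel:AccountableUsers/>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example-uni.ac.uk</shibmd:Scope>
        <shibmd:Scope regexp="false">medical.example-uni.ac.uk</shibmd:Scope>
        <shibmd:Scope regexp="true">^.*\\.example-uni\\.ac\\.uk$</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example-college.ac.uk/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example-college.ac.uk</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example-service.ac.uk/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> Dict[str, dict]:
    """Return {entityID: {"scopes": [...], "accountable": bool}} for IdPs only.

    The AccountableUsers label sits in the entity-level Extensions, while
    Scope elements sit in the IDPSSODescriptor's Extensions; find() with a
    relative path keeps the two apart. Regexp scopes are skipped.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for entity in root.iterfind("md:EntityDescriptor", NS):
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SPs and other roles assert no scopes
        scopes = [
            s.text.strip().lower()
            for s in idp.iterfind("md:Extensions/shibmd:Scope", NS)
            if s.text and s.get("regexp", "false").lower() != "true"
        ]
        label = entity.find("md:Extensions/ukfedlabel:AccountableUsers", NS)
        result[entity.get("entityID")] = {"scopes": scopes,
                                          "accountable": label is not None}
    return result


def scope_index(idp_info: Dict[str, dict]) -> Dict[str, str]:
    """Invert to {scope: entityID}: the table slide 13 generates automatically."""
    return {scope: entity_id
            for entity_id, info in idp_info.items()
            for scope in info["scopes"]}


def scope_is_accountable(scope: str, idp_info: Dict[str, dict]) -> bool:
    """True only if the IdP entitled to assert `scope` carries the label."""
    entity_id = scope_index(idp_info).get(scope.lower())
    return entity_id is not None and idp_info[entity_id]["accountable"]


def analyse_sample() -> Dict[str, dict]:
    return parse_idp_metadata(SAMPLE_METADATA)


if __name__ == "__main__":
    for entity_id, info in analyse_sample().items():
        print(entity_id, info)
```

Running the inverted table through a manual-approval step before it replaces the live mapping file is the safeguard slide 13 describes; a diff of the old and new `scope_index` output is the natural thing to put in front of the approver.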
  10. Slide 15: Contacts
      • http://www.ukfederation.org.uk/
      • http://shibboleth.internet2.edu/
      • [email_address]
  11. Slide 16: UK Federation Core Attributes

      Attribute                    Description
      eduPersonPrincipalName       User ID; only when essential (fculloch@ed.ac.uk). Data protection issues.
      eduPersonEntitlement         Extensible list of URIs intended to list entitlements to access specific resources.
      eduPersonTargetedID          Opaque, persistent ID; allows personalisation without the SP knowing the user's real identity. Each SP sees a different value of this for the same user.
      eduPersonScopedAffiliation   member@ed.ac.uk (or student, staff, faculty, alum). Identifies the user's status & organisation. Required by most SPs.