Access Management Technologies Update by Simon McLeish and John Paschoud

This session looked at more innovative uses of federated access, such as use with virtual learning environments and repositories and use of tools for managing rights and roles.

Presentation Transcript

  • [AMP meeting title slide] Access Management Technologies Update. Simon McLeish, London School of Economics. Joint Information Systems Committee: Supporting education and research. Access Management Programme meeting, May 2007
  • [Overview]
    • 1) Areas of (potential/actual) development around Shib/FAM
    • 2) Outline of Shib v2 timetable and features
      • … according to the latest information available to us
      • (You may know different…???)
  • Shibboleth and Federated Access Management [1]
    • Increased Sophistication of Access Management
      • Use of attributes to give fine grained access
        • Signet http://middleware.internet2.edu/signet/
        • Grouper and others
      • Use of certificates to give fine grained access
        • PERMIS http://sec.cs.kent.ac.uk/permis/
      • [this is a fairly arbitrary distinction!]
    • Improved Shibboleth usage experience
      • User-editable attribute release policies
        • ShARPE http://federation.org.au/twiki/bin/view/Federation/ShARPE
        • with two interfaces, WebShARPE and Autograph
        • Also ARPViewer http://www.switch.ch/aai/support/tools/arpviewer.html
      • Federation management tools
        • Directory at http://www.rediris.es/wiki/tf-emc2/index.php/FederationTools
        • SWITCHaai Resource Registry http://www.switch.ch/aai/support/tools/resourceregistry.html
      • IdP and SP configuration and management tools (???)
  • Shibboleth and Federated Access Management [2]
    • Better Accounting
      • Using IdP and SP logs together to discover usage statistics
      • AAIEye http://www.csc.fi/english/institutions/haka/technology/aaieye
      • Not just technical work: requires agreement between IdP and SP
    • Wider Integration
      • Multi-federation work (also needs more than technical work here)
        • Feide Cross Federation Demonstration (this is not just Shib, it's PAPI and SUN Access Manager too!) http://rnd.feide.no/category/saml-20/
      • Adding Shibboleth support to wider range of tools
        • See list of software currently known to support Shib at http://www.protectnetwork.org/shib-sp.html
        • GridShib, the Athens gateway, and the ADFS extension fall into this category as well
    • ...things we haven't thought of or don't know about yet
  • Shib 2.0 Overview (The more techie picture) [1]
    • Extending support for SAML 2.0, particularly Web Browser Single Sign-on, Single Logout and (some of) Authentication Request profiles
      • for differences between SAML 1.1 (as used in Shib up to 1.3) and SAML 2.0 (as used for Shib metadata in 1.3 but not much elsewhere) see: https://spaces.internet2.edu/display/SHIB/SAMLDiffs
      • The Web Browser SSO profile combines the SAML 1.1 Browser/Artifact and Browser/POST profiles used in Shib 1.2 and 1.3
      • The Authentication Request Protocol provides support for SP-initiated web SSO exchanges. This protocol allows the SP to make requests to an IdP and potentially control various aspects of the user authentication at the IdP, the binding to be used to return the response message, the set of SAML attributes to be included in the resulting assertion, etc. As part of this request, the SP can also indicate the desire to dynamically establish a new federated identity for the user
      • The Single Logout Protocol supports near-simultaneous logout of sessions at (SAML-compliant) web SSO participants. Non-SAML applications that maintain session information independently of Shib (which includes the majority of web applications which allow Shib login) will need modification to handle logout requests, but it's not entirely determined how this will work in Shib 2.0. It is expected that logout will add considerably to the overheads of an IdP installation, so this is an optionally supported feature to make lightweight installations possible where the feature is not needed.
  • Shib 2.0 Overview (The more techie picture) [2]
    • Will be interoperable with Shib 1.3 and will not be interoperable with Shib 1.1
      • (we think) It will continue to interoperate with the gateway
    • Shib 1.2 interoperability will probably not be complete (1.2 IdP to 2.0 SP more so)
    • The Java SP will finally see the light of day
      • >2 years later than originally planned
      • Not identical in functionality to the C++ SP
    • The default mode of Attribute transfer will change to attribute push from the IdP to the SP
      • Uses changes in SAML 2.0 which allow encryption of the assertions in a different way.
      • This means that Shib will no longer have to communicate attributes separately from the authentication assertion, as is done in 1.3 by default.
      • (Attribute push is supported, but not heavily used in 1.3.)
    • Increased modularisation of code
  • Shib 2.0 Changes (How existing installations might be affected)
    • IdP will now be able to handle authentication directly (to accommodate Authentication Request profile)
      • Likely to need reconfiguration as part of an upgrade to 2.0; or from-scratch installation may be easier
    • Certificates will need to be embedded directly in metadata (at present they can be referred to by key name only)
      • Likely to affect about 2/3 of the entities listed in the UK federation
    • Enhancements to attribute resolution and release policy management
      • ShARPE itself won't be included, but the code extensions needed to make it work will be
    • New logout features may need some coding behind the scenes in SP protected resources
    • Export of attribute information by SP to the protected applications will be modified
      • Apache attribute export will by default use subprocess environment variables rather than HTTP header variables
      • Will almost certainly require recoding for protected applications
    • DiscoveryModule (WAYF replacement) has multi-federation support
    • Enhancements to extension mechanisms may make integration easier (and hopefully won't require recoding of existing extensions!)
      • E.g. MS ADFS code more tightly integrated into Shib code
  • When?
    • Roadmap doesn't say
    • Some early versions of minor modules have already been released (e.g. WAYF replacement, the DiscoveryModule)
    • It won't be by the third quarter of 2006 (http://edina.ac.uk/news/newsline11-1/allstories.shtml)!
    • Guesstimate: by end of 2007. See https://spaces.internet2.edu/display/SHIB/ShibTwoRoadmap for an updated description.
  • [JISC Conf title slide] The End. Joint Information Systems Committee: Supporting education and research. Access Management Technologies Update. Image from / © www.thebricktestament.com
  • Links, Questions and Conclusions
    • JISC FAM Transition: www.jisc.ac.uk/federation.html
    • UK Federation: www.ukfederation.org.uk
    • Shibboleth: shibboleth.internet2.edu
    • Contact: [email_address] or JISC-ACCESS- [email_address]
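The Authentication Request Protocol described on the "Shib 2.0 Overview [1]" slide, as an added example that is not from the presentation or the Shibboleth project: a Python builder for an SP-initiated SAML 2.0 AuthnRequest showing where the SP expresses its choices (response binding and endpoint, attribute set, AllowCreate, authentication context), plus a small parser of the kind an IdP-side check would use. Entity IDs and URLs are placeholders, and the request is unsigned (a real SP would still sign it).

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, idp_sso_url, acs_url,
                        attr_index=1, allow_create=True, authn_ctx=PASSWORD_CTX):
    """Unsigned SAML 2.0 AuthnRequest (UTF-8 bytes) carrying the SP's choices:
    response binding and endpoint, attribute set, AllowCreate and authn strength."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,  # XML IDs must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,                     # the IdP SSO endpoint
        "ProtocolBinding": POST_BINDING,                # how the response comes back
        "AssertionConsumerServiceURL": acs_url,         # where it comes back
        "AttributeConsumingServiceIndex": str(attr_index),  # which attribute set
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "AllowCreate": "true" if allow_create else "false",  # may the IdP create a new federated id
    })
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = authn_ctx
    return ET.tostring(req, encoding="utf-8")


def inspect_authn_request(xml_bytes):
    """Extract the fields an IdP acts on; reject anything that is not an AuthnRequest."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    ctx = root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "binding": root.get("ProtocolBinding"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "attr_index": root.get("AttributeConsumingServiceIndex"),
        "allow_create": policy is not None and policy.get("AllowCreate") == "true",
        "authn_context": None if ctx is None else ctx.text,
    }
```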
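The attribute-export change on the "Shib 2.0 Changes" slide (environment variables instead of HTTP headers, with recoding needed in protected applications), as an added example that is not the project's code: a WSGI/CGI helper that reads attributes the 2.0 way and only falls back to 1.3-style HTTP_ headers when the deployment explicitly opts in, because a header is client-supplied unless the SP module in front of the application strips it. The attribute ids (eppn, affiliation) and the ';' multi-value separator are assumptions about the SP's attribute map, and the sample environments are constructed.

```python
# WSGI/CGI helper: read Shibboleth SP attributes after the 1.3 -> 2.0 export change.
MULTI_VALUE_SEP = ";"  # assumption: the SP joins multi-valued attributes with ';'
                       # and escapes a literal ';' inside a value as '\;'


def split_multi_value(raw):
    """Split an exported attribute string into its values, honouring '\\;' escapes."""
    values, buf, escaped = [], [], False
    for ch in raw:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == MULTI_VALUE_SEP:
            values.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    values.append("".join(buf))
    return [v for v in values if v]


def get_shib_attribute(environ, name, trust_headers=False):
    """Return the values of attribute `name` (its id in the SP attribute map).

    2.0 Apache export: the value is a subprocess environment variable, seen by
    the application as environ[name]; a browser cannot set it.
    1.3-style header export: seen as environ["HTTP_" + NAME]; only safe when the
    SP module in front of the app strips same-named client headers, so it is
    consulted only if the deployment opts in with trust_headers=True.
    """
    raw = environ.get(name)
    if raw is None and trust_headers:
        raw = environ.get("HTTP_" + name.upper().replace("-", "_"))
    return split_multi_value(raw) if raw else []


def require_single(environ, name, trust_headers=False):
    """Fail closed unless the SP supplied exactly one value (e.g. for eppn)."""
    values = get_shib_attribute(environ, name, trust_headers)
    if len(values) != 1:
        raise PermissionError(f"expected exactly one value for {name}, got {values!r}")
    return values[0]


# Constructed sample environments (not captured from a real deployment).
ENV_2_0 = {"eppn": "alice@example.ac.uk",
           "affiliation": "member@example.ac.uk;staff@example.ac.uk"}
ENV_1_3 = {"HTTP_EPPN": "bob@example.ac.uk"}
```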