Sakai Amsterdam 130607
Guanxi Shibb Kit (GSK) presentation at the Sakai conference, Amsterdam, 2007
Transcript

  • 1. Federation With The Guanxi Shibb Kit
       Sakai Conference, Amsterdam, June 13th 2007
       Alistair Young, Senior Software Engineer (Àrd-Innleadair air Bathar-bog)
       UHI @ Sabhal Mòr Ostaig
  • 2. Wear the fox hat?
  • 3. On the menu today
       “I hope sir is hungry”
       The Guanxi Project overview; What does integration mean for an IdP?; The Guanxi Shibb Kit; Wrapping up; Questions
  • 4. Hors d’oeuvres
       “who are those strange users in my system?” (shibboleth admin)
       The Guanxi Project overview; What does integration mean for an IdP?; The Guanxi Shibb Kit; Wrapping up; Questions
  • 5. What is Guanxi?
       “...you scratch my back, I’ll scratch yours”
       In the Chinese business world, “Guanxi” is understood as the network of relationships among various parties that cooperate and support one another.
       Guanxi has three main objectives:
       To implement the Shibboleth 1.2 specification into a WS architecture and within a VLE
       To extend and develop intra/inter-institutional AA functions
       To create and use Shibboleth federations
  • 6. The Guanxi Project
       UK JISC funded Core Middleware Project
       Collaboration: UHI Millennium Institute (lead partner), University of Leeds, University of Oxford
       Core Guanxi: IdP, SP, WAYF
  • 7. The Guanxi Project: Who is GuanXi? (i.e., who to blame...)
  • 8. A Wee Bit Of Grammar
       “To Shibb or not to Shibb, that is the question...” (Shakespeare, apparently)
       Introducing the verb, to shibb:
       To bang one’s head repeatedly against a hard surface
       To age prematurely
       To curse PKI
       To hallucinate and drool for a metadata editor
       Finally, to let anyone and their dog into your systems!
  • 9. Web Service Enabled Service Provider
       Diagram: org1 IdP (SSO, AA), federation server (WAYF, federation SP), org2 server (Filter, Webapp, resource specific modules (A/C)).
       1. Institutional user@org1 accesses resource at org2
       2. Filter sets up WS-Callback with SP
       3. Filter redirects to federation WAYF
       4. User’s SSO authenticates them
       5. SSO replies to federation SP
       6. Federation SP requests attributes on behalf of filter
       7. User’s AA sends attributes to org2 federation SP
       8. Federation SP invokes WS-Callback to filter, which retrieves its attribute request data
       9. Filter makes access decision based on attributes gathered by the federation SP
       Distributed architecture: institutional SAML server, satellite Guards. Can scale SAML servers to balance load.
  • 10. Starter
       The Guanxi Project overview; What does integration mean for an IdP?; The Guanxi Shibb Kit; Wrapping up; Questions
  • 11. Identity Provider
       “I am, therefore my IdP knows about me...” (famous philosopher)
       It’s the Identity Provider’s job to:
       Get you authenticated, somehow, anyhow
       Release attributes about you: affiliation, membership etc.
       Authentication is out of scope of the Shibboleth profile. Do it any way you want! LDAP, JDBC, secret handshake while standing on one leg with trouser leg rolled up!
       Attributes can be gathered from multiple stores. Get them from eDirectory, Active Directory, VLE. Guanxi aggregates and “SAMLises” them.
       Only released subject to Attribute Release Policy (ARP)
  • 12. What is integration?
       “how many webapps can a web.xml withstand?” (17th century children’s rhyme)
       IdP can be standalone, linked to backend systems. SP oriented. Users authenticate when they access a remote, shibbed resource. Confusing if they have already logged in to institutional portal or VLE. Why authenticate twice?
       Or it can be embedded in an institutional application... VLE, Portal, Identity Management System etc. IdP oriented. Users authenticate once, in the VLE, and access shibbed resources seamlessly. VLE already linked to backend systems.
       Introduces the concept of “logging in to your IdP”. Log in first thing, ready to shibb all day.
  • 13. Mapping attributes
       “You’re not putting that in there...” (our Novell admin)
       JISC UK federation mandates use of eduPerson. But we don’t have eduPerson support in our eDirectory. Our admin jumps up and down when we ask for it. “oh yes, you’re asking for it all right”, he shouts!
       Not to worry. Guanxi IdP will map any attribute to any other.
       An example is the Athens “userRole” attribute. We don’t have it in eDirectory either. So we map our users’ LDAP DN to their userRole.
       Bodington uses the Guanxi IdP to map its internal membership roles to eduPerson.
       Sakai can now map its User object to eduPerson attributes and release them.
  • 14. Sakai + Guanxi
       A Shibboleth compatible Virtual Learning Environment
       Diagram: Sakai VLE with embedded Guanxi IdP and Guanxi SP (true SSO); Sakai as Shibb Gateway to Athens; Gx IdP; Shibboleth SP.
       Minimal configuration - self-signed certs are auto generated
       User and Group information exposed as eduPerson attributes by Guanxi
       Can login to your IdP to create users and manage their access rights
  • 15. Single Sign On
       “I have too many passwords!” (a user)
       SSO means different things to different people. Used to mean single username/password; still had to authenticate multiple times.
       Starting to mean just what it says on the tin: login once and middleware takes care of the multiple authentication problem.
       But you need an integrated IdP to get true SSO. Shibboleth disappears. Users never see the IdP. All they see is their VLE or Portal login page, once.
  • 16. Main course
       The Guanxi Project overview; What does integration mean for an IdP?; The Guanxi Shibb Kit; Wrapping up; Questions
  • 17. Guanxi Shibb Kit (GSK)
       Shibboleth is complementary to normal Sakai operation. Works with Sakai 2.4+. Self contained in /portal-shibb portal. Does not replace any Sakai authentication/authorisation features.
       Shibb portal is a holding area while users are authenticated by their Identity Provider and their attributes retrieved from their Attribute Authority.
       When they pass muster, a Pod is constructed with their SAML attributes and acts as a store for Guanxi UserDirectoryProvider and GroupProvider.
       Pods are persisted so shibb user is always “there” in Sakai, subject to SAML attribute lifetimes.
  • 18. Promotion to /portal
       Once a user has a valid Pod, the Shibb portal “logs them in” to Sakai and redirects them to the main portal.
       The Shibb portal requires the main Sakai to be using the federated versions of the User and Group providers: FilterUserDirectoryProvider, FilterGroupProvider.
       Pod acts as a UserDirectoryProvider and GroupProvider, using its SAML attributes and their TTLs.
       Once the user is kitted out with a Sakai profile courtesy of the GSK, they are free to wander around Sakai as normal, with their Pod acting as their information provider.
  • 19. One stop shibb shop (say that when you’re drunk!)
       Diagram: /portal-shibb contains Service Provider (Guard, Engine), IdP, WAYF.
       All Shibboleth functionality in one place. Enabled/disabled by setting in sakai.properties.
       Shibb portal contains everything Sakai needs to work in a Shibboleth federation.
       Does not require Apache, only a servlet container e.g. Tomcat.
  • 20. GSK Architecture
       Diagram: Remote user, browser redirects to /portal-shibb (Guard, Engine); Engine authenticates against IdP and fetches attributes; PodUserDirectoryProvider and PodGroupProvider; LDAPUserDirectoryProvider and LDAPGroupProvider; FilterUserDirectoryProvider and FilterGroupProvider; Normal Sakai /portal worksite tools; Normal Sakai user.
  • 21. Embedded IdP
       Diagram: attribute queries to /portal-shibb/AA; auth requests to /portal-shibb/SSO; components SakaiCookieHandler, SakaiAuthenticator, SakaiAttributor, mapper.
       SakaiAuthenticator delegates to Sakai authentication system
       SakaiAttributor uses Sakai for user information
       SakaiCookieHandler traps authentication requests. Only need to login once to access multiple SPs.
       IdP’s mapper changes Sakai attributes to any other attributes
  • 22. Embedded SP
       Diagram: Sakai #1 user requests /portal-shibb/gx; Guard at /portal-shibb/guard.* (Authn, Authz); Engine at /portal-shibb/engine.*; WAYF; Sakai #2 as IdP supplying attributes.
       Fully self contained. Sakai has a Guard and Engine.
       Guard blocks requests to /portal-shibb/gx. Guard is a holding pen for users while they are authenticated by their IdP, which could be another Sakai.
       SAML Engine takes care of all Shibboleth and SAML functionality
  • 23. External SAML Engine
       http://sakaiproject.org/samlengine
       Diagram: Guanxi SAML Engine serving the Guards of several normal Sakai instances.
       Rather than each Sakai instance having its own SAML Engine with its maintenance and configuration overhead: central SAML Engine, hosted by sakaiproject.
       Each Sakai Guard configured to talk to sakaiproject.org Engine.
       Sakai instances do not need to know about SAML or Shibboleth.
  • 24. Pudding - indigestion
       The Guanxi Project overview; What does integration mean for an IdP?; The Guanxi Shibb Kit; Wrapping up; Questions
  • 25. In the pipeline
       Shibboleth tool to provide configuration GUI
       Expose individual Sakai tools as Shibboleth Service Providers. Allow tools to specify which attributes they require for access.
       Enhance the Sakai providers to allow proper internal federation. Each UDP knows which users belong to it. No need to search the chain of providers.
  • 26. Chucking out time (one more waffer theen meent, sir?)
       Guanxi project website - http://www.guanxi.uhi.ac.uk/wiki
       GSK documentation - http://www.guanxi.uhi.ac.uk/drguanxi/index.php/Sakai_Guanxi_Shibb_Kit
       The GSK is in contrib
       Guanxi mailing list - guanxi-development@lists.sourceforge.net
       Email - alistair@smo.uhi.ac.uk
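The three IdP-side mechanics the deck describes, as one added Python example that is not the GSK's own (Java) code: the any-attribute-to-any-attribute mapper of slide 13, the Attribute Release Policy gate of slide 11, and the TTL-bounded Pod of slides 17 and 18. The source attribute names, the eduPerson scope, the SP entity ID and the rule shapes are all constructed for illustration.

```python
import time

# Constructed sample: what an embedded IdP might pull from the VLE's user
# object (assumed field names, not the GSK's data model).
SAKAI_USER = {"eid": "ayoung", "dn": "cn=ayoung,ou=staff,o=example", "type": "staff"}

# Mapper (slide 13): target attribute -> function of the source record.
# Shows both a plain rename and a derived value (LDAP DN -> Athens userRole).
MAPPING_RULES = {
    "eduPersonPrincipalName": lambda u: u["eid"] + "@example.ac.uk",
    "eduPersonAffiliation": lambda u: u["type"],
    "userRole": lambda u: "staff" if "ou=staff" in u["dn"] else "student",
}

# Attribute Release Policy (slide 11): per-SP allow-list. An SP absent from
# the ARP receives nothing, which is the safe default.
ARP = {
    "https://sp.example.org/shibboleth": {"eduPersonPrincipalName", "eduPersonAffiliation"},
}


def map_attributes(user, rules=MAPPING_RULES):
    """Produce the SAML-ready attribute set from the source record."""
    return {target: fn(user) for target, fn in rules.items()}


def release(attrs, sp_entity_id, arp=ARP):
    """Filter mapped attributes down to what the ARP allows for this SP."""
    allowed = arp.get(sp_entity_id, set())
    return {name: value for name, value in attrs.items() if name in allowed}


class Pod:
    """Store of a shibbed user's released attributes, valid only for the
    attribute lifetime (the TTL slides 17/18 refer to)."""

    def __init__(self, attrs, ttl_seconds, now=None):
        self.attrs = dict(attrs)
        self.expires_at = (time.time() if now is None else now) + ttl_seconds

    def is_valid(self, now=None):
        return (time.time() if now is None else now) < self.expires_at

    def get(self, name, now=None):
        # An expired Pod answers nothing, so a stale affiliation cannot
        # keep granting access after the IdP's assertion has lapsed.
        return self.attrs.get(name) if self.is_valid(now) else None
```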