SAML protected resources: the theory and practice of granularity and management data.
Presented by Ed Dee at JIBS/Eduserv seminar - Where now for resource licensing? London, 16 June 2010

Published in: Education

Transcript

  • 1. SAML Protected Resources: the theory and practice of granularity and management data. Ed Dee, EDINA
  • 2. EDINA
    • Service provider
      • Digimap, Film & Sound Online, etc…
    • Identity provider
      • Various
    • Federated Access
      • SDSS Federation
      • UKAMF: Metadata Management & Tech. Support
  • 3. Where lies the guilt?
    • Service providers
    • Identity providers
    • UK Access Management Federation
    • User Community
    Chart: "Granularity and lack of management data from SAML protected resources" (shares shown: 50%, 30%, 10%, 10%)
  • 4. SAML
    • Security Assertion Markup Language
    • Standard for exchanging authentication and authorisation information
    • Identity Provider
    • Service Provider
  • 5. The Questions
    Pussy cat, pussy cat, where have you been? “I’ve been down to London to visit at the Queen.”
    Pussy cat, pussy cat, what did you there? “I frightened a little mouse under her chair.”
  • 6. Shibboleth flow diagram
  • 7. Technical stuff (diagram: Identity Provider, Service Provider, User, SAML Dialogue, Resource, Federation Metadata, Attribute Database, Authorisation Database)
  • 8. SAML Dialogue
    • Uninteresting (to us):
      • Initiation/Termination
      • Security
    • Interesting (to us):
      • Scope information
        • Institution/Service ‘who are you’
      • Attributes
        • User-specific information
  • 9. Q1: Pussy cat pussy cat where have you been?
    • From the IdP:
      • What resources are being used
      • Who is using them
    • Shibboleth 2.x IdPs only
      • Not outsourced IdPs
      • Not non-Shibboleth IdPs
      • Not Shibboleth 1.3 IdPs
        • end-of-service-life (EOSL) date 30 June 2010
  • 10. Q1: Pussy cat pussy cat where have you been?
    • Shibboleth 2 IdP audit log
      • Who (ePPN)
      • When (time stamp)
      • What (relying party id)
        • https://spaces.internet2.edu/display/SHIB2/IdPLogging
    Diagram: Audit Log(s) + Federation Metadata + Attribute Database feed an Analysis Application, which produces Access Reports
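The "who / when / what" report that slide 10 describes, as an added example (not code from the presentation or from Raptor): it parses Shibboleth 2 IdP audit-log lines and aggregates logins per relying party. The pipe-delimited field order follows the IdPLogging page linked above; the timestamp format, entity IDs and log lines are constructed samples.

```python
from datetime import datetime

# Field order of the Shibboleth 2 idp-audit.log (one trailing '|' after the last field).
FIELDS = ["auditEventTime", "requestBinding", "requestId", "relyingPartyId",
          "messageProfileId", "assertingPartyId", "responseBinding", "responseId",
          "principalName", "authNMethod", "releasedAttributes", "nameIdentifier",
          "assertionIds"]

IDP = "https://idp.example.ac.uk/idp/shibboleth"            # constructed IdP entity ID
DIGIMAP = "https://digimap.example.ac.uk/shibboleth"         # constructed SP entity ID
FSO = "https://fso.example.ac.uk/shibboleth"                 # constructed SP entity ID

def audit_line(when, relying_party, principal, released):
    """Build one constructed audit line in the idp-audit.log layout."""
    return "|".join([when, "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "_req",
                     relying_party, "urn:mace:shibboleth:2.0:profiles:saml2:sso", IDP,
                     "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "_resp", principal,
                     "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
                     released, "_nameid", "_assertion,"]) + "|"

SAMPLE_LOG = [  # constructed: two users, two SPs, one repeat visit, one bad line
    audit_line("20100616T091501Z", DIGIMAP, "alice", "eduPersonScopedAffiliation,eduPersonTargetedID,"),
    audit_line("20100616T093010Z", DIGIMAP, "bob", "eduPersonScopedAffiliation,eduPersonTargetedID,"),
    audit_line("20100616T141200Z", DIGIMAP, "alice", "eduPersonScopedAffiliation,eduPersonTargetedID,"),
    audit_line("20100617T100000Z", FSO, "alice", "eduPersonScopedAffiliation,"),
    "malformed line that an analysis tool must skip rather than crash on",
]

def parse_audit(lines):
    """Yield one dict per well-formed audit event; skip anything else."""
    for line in lines:
        line = line.rstrip("\n")
        if line.endswith("|"):
            line = line[:-1]                 # drop only the trailing delimiter
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def access_report(lines):
    """Per relying party: who (distinct principals), when (first/last), what (login count)."""
    report = {}
    for ev in parse_audit(lines):
        when = datetime.strptime(ev["auditEventTime"], "%Y%m%dT%H%M%SZ")  # assumed layout
        r = report.setdefault(ev["relyingPartyId"],
                              {"logins": 0, "users": set(), "first": when, "last": when})
        r["logins"] += 1
        r["users"].add(ev["principalName"])
        r["first"], r["last"] = min(r["first"], when), max(r["last"], when)
    return report

if __name__ == "__main__":
    for rp, r in access_report(SAMPLE_LOG).items():
        print(f"{rp}: {r['logins']} logins, {len(r['users'])} users, {r['first']} .. {r['last']}")
```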
  • 11. Tools
    • Project Raptor
      • Software toolkit for reporting e-resource usage statistics
      • Shibboleth 2 IdPs & EZproxy
      • http://iam.cf.ac.uk/trac/RAPTOR
      • JISC + Cardiff University + Kidderminster College
      • V1.0 due Feb 2011
  • 12. Q2: Pussy cat pussy cat what did you there?
    • Cannot come from IdP
    • Must come from SP
      • What does SP know about user
    Diagram: Identity Provider (Attribute Database) releases Attributes to the Service Provider, which grants the User access to the Resource
  • 13. Attributes: eduPerson object class
      • Core
        • Targeted ID
        • Principal name
        • [Scoped] Affiliation
        • Entitlement
      • Other
        • Nick name
        • Org [Unit] DN
    http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200604.html
  • 14. Granularity: Core Attributes
      • [Scoped] Affiliation
        • Scope
        • Member | {Staff | Student | Employee | Affiliate | Alum | library-walk-in}
      • Entitlement
        • Service - User Specific conditions
          • urn:mace:dir:entitlement:common-lib-terms
  • 15. On Passing Attributes (photo: Library of Virginia / Flickr)
  • 16. EDINA Digimap
      • [Scoped] Affiliation
      • Targeted ID
      • Principal Name
      • Title
      • Givenname
      • Sn [surname]
      • O [organisation]
      • Ou [organisational unit]
      • Mail
    http://www.ukfederation.org.uk/content/Documents/AttributeUsage
  • 17. Reality (diagram: the Attribute Release Policy sits between Identity Provider and Service Provider)
  • 18. Reality
    • Most IdPs give out only:
      • [Scoped] Affiliation
        • Organisational affiliation (ePSA)
          • SP cannot determine department etc.
          • ePSA often just member @xxx.ac.uk
      • Targeted ID
        • Service-specific, opaque ID (ePTI)
          • SP cannot determine user
          • SP cannot correlate usage between services.
    • Many IdPs cannot handle entitlement
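The SP-side consequence of slides 14 and 18, as an added example (not code from the presentation): authorise on the two core attributes most IdPs actually release, and show why an eduPersonTargetedID lets the SP recognise a returning user but not identify them or correlate usage with another service. The metadata scopes, entity IDs and salt are constructed, and the hash layout only approximates the Shibboleth 2 computed ID.

```python
import base64
import hashlib

# Constructed: the scopes this SP accepts from each IdP, as it would learn them
# from shibmd:Scope elements in federation metadata (keyed by IdP entity ID).
METADATA_SCOPES = {"https://idp.example.ac.uk/idp/shibboleth": {"example.ac.uk"}}
LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"

def authorise(idp_entity_id, attrs):
    """Access decision from released core attributes.

    attrs maps attribute name -> list of values as the SP's attribute map
    exposes them. Returns (allowed, reason)."""
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, _, scope = value.partition("@")
        # Only honour scopes the metadata asserts for this IdP; otherwise any
        # IdP could claim "member@" of any institution.
        if scope not in METADATA_SCOPES.get(idp_entity_id, set()):
            continue
        if affiliation == "member":      # typically all the SP ever sees
            return True, f"member of {scope} (department unknown)"
    if LIB_TERMS in attrs.get("eduPersonEntitlement", []):
        return True, "common-lib-terms entitlement"
    return False, "no usable affiliation or entitlement"

def targeted_id(principal, sp_entity_id, idp_salt):
    """Opaque, per-SP identifier in the style of the Shibboleth 2 computed ID:
    SHA-1 over relying party, source id and a secret IdP salt, base64-encoded.
    The exact input layout here is an assumption made for illustration."""
    digest = hashlib.sha1(f"{sp_entity_id}!{principal}!{idp_salt}".encode()).digest()
    return base64.b64encode(digest).decode()

if __name__ == "__main__":
    idp = "https://idp.example.ac.uk/idp/shibboleth"
    print(authorise(idp, {"eduPersonScopedAffiliation": ["member@example.ac.uk"]}))
    # Same person at two SPs: different IDs, so usage cannot be correlated across services.
    salt = "constructed-secret-salt"
    print(targeted_id("alice", "https://digimap.example.ac.uk/shibboleth", salt))
    print(targeted_id("alice", "https://fso.example.ac.uk/shibboleth", salt))
```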
  • 19. “No one really asks us much for ARP changes” – IdP administrator
  • 20. Why?
    • IdPs
      • Fear of Data Protection legislation
      • No inclination; No capabilities
      • No SPs ask for it
    • SPs
      • Not available from IdPs
      • No use for data
  • 21. Stable Deadlock
    • Too hard to ask, so SPs don’t
    • IdPs get no requests, think all is well
  • 22. What Do SPs Do
    • Personalisation
      • Registration system
      • Registration database
    • Usage Statistics
      • Merge logs and registration details
    • EDINA Digimap
      • Users / Status / Department
  • 23. Attribute Release Progression: Basic Attributes → Extended Attributes → Personal Attributes
  • 24. Towards agreement
    • Forums
      • Small scale
      • Application-area specific
      • Agree what is desirable
      • Agree what is possible
      • Experiment, agree, deploy; do not theorise
    • No Top-down Dictate
  • 25. NESLi2
    • JISC Statistics Portal
      • Cranfield, Birmingham City University, MIMAS
      • Database/Journal/article level reporting
      • Oct 2009 – Dec 2010
      • "one-stop shop"
        • where users could go to view and download their own usage reports from NESLi2 publishers
      • http://www.jusp.mimas.ac.uk/
  • 26. Granularity & Management Data
    • Technically, the capabilities exist
    • “Natural restful inertia” - problem large
      • UKAMF
        • 800+ members
          • 440+ SPs
          • 630+ IdPs
    • User Driven
    • Tackle from the bottom up