1. Location Assertion Nicole Harris FAM12 6th November 2012
2. From Where Are You From to Where Are You Now?
3. Problem Statement• Original requirement from the Schools Sector;• SP Business Case: – Primary market is individual home users; – Secondary sales to schools for pupils ‘on network’;• Need to distinguish these cases;• Desire to move from SP recognising IP to IdP asserting location.
4. Why not IP authentication?• Often not granular enough;• Easy to ‘fake’;• Difficult to maintain accurately;• Prone to keying errors;• Low tech implementations.
5. Location Assertion Extension• Extension to Shibboleth;• Downloadable and implementable now;(https://github.com/ukf/ua-attribute-idp- ext);• Creates attributes at the time of authentication based on IP address of the user agent;• SP can make decisions based on known location as well as other assertions.
6. What Does it Look Like?New Subsidiary attribute and use of eduPersonEntitlementresolver:DataConnector id=”userAgentAttributes”xsi:type=”uadc:UserAgentMappedAttributes”uadc:Mapping cidrBlock=”22.214.171.124/16″attributeId=”userAgent”attributeValue=”http://iay.org.uk/networks/zenInternet”/uadc:Mapping cidrBlock=”126.96.36.199/14″attributeId=”userAgent”attributeValue=”http://iay.org.uk/networks/zenInternet”/uadc:Mapping cidrBlock=”192.168.117.19/32″attributeId=”eduPersonEntitlement”attributeValue=”http://iay.org.uk/entitlements/kestrel”/
7. Solving Walk-in?• Allows Walk-in with BYOD;• Easy to provision guest accounts that don’t work outside the institutional boundary;• Able to configure walk-in at a granular level for SPs that don’t allow.BUT…
8. Service Provider ImplementationPublishers have to actually consume and react to the attributes being passed.
9. More informationBlog post:• http://access.jiscinvolve.org/wp/wayrn2/The code:• https://github.com/ukf/ua-attribute-idp-ext