Your SlideShare is downloading. ×
Canarie CAF- Shibboleth Workshop Topics
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Canarie CAF- Shibboleth Workshop Topics

904
views

Published on

Additional material as well as value propositions regarding Shibboleth

Additional material as well as value propositions regarding Shibboleth

Published in: Technology, Business

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
904
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
6
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • One service is good, but many using the same ‘infrastructure’ is better:Common approach to governance & oversightGenerally coordinating with with same point of contactsBuild both for traversal up and downwards
  • Conscription of users
  • Conscription of users
  • Transcript

    • 1. Canadian Access Federation
      ShibbolethWorkshop
      Aug,2011
      Chris Phillips –chris.phillips@canarie.ca
    • 2. Material
      Past Presentations:
      This presentation builds on CANHEIT 2010:
      Prezi on Building federated applications:
      http://bit.ly/fedapps
      2
    • 3. Use Case – New Employee Access to Online Resources
      Without Shibboleth
      User arrives, needs to have access to web resource for
      Active Directory
      Twiki.canarie.ca
      Staff.canarie.ca
      Collaborate.canarie.ca
      Shared online resources in 3rd party wiki
      Needs to talk to staff for each service to get credential in each system created and a password set
      User waits for account for each service
      User uses known password, signs into each service and sets a password
      When user leaves the organization, each service should be notified to delete account and terminate access everywhere (right?)
      Each service deletes account(right?)
      Done
      With Shibboleth
      User arrives, needs to have access to web resource for
      Active Directory
      Twiki.canarie.ca
      Staff.canarie.ca
      Collaborate.canarie.ca
      Shared online resources in 3rd party wiki
      IT staff creates central account and assigns privileges to access resources centrally.
      User waits for account
      User changes password and all services rely on this password.
      When user leaves the organization, this one account should be notified for deletion (right?)
      Done
      3
    • 4. Shib Value Proposition
      Game changer for integration effort with shib ready services
      Reduces integration from customization to configuration
      Avoid weeks of custom project integration and then maintenance until, well, forever 
      Lowers cost of doing business – do better with less.
      Establishes a centralized policy enforcement point and easier auditability
      For new work, establishes publicly accepted framework to implement to & not your own homegrown framework
      4
    • 5. Rightsize Your Information Sharing
      Log in, share NetID+attr.
      Log in, share Opaque ID
      Log in, share NetID
      Log in, share nothing
      Wireless
      External
      Website
      personal-
      ization
      is desired
      Internal
      Website
      personal-
      ization
      is desired
      linkage
      elsewhere
      desired
      Internal
      Website
      personal-
      ization
      is desired
      linkage
      elsewhere
      desired
      Data
      needed
      (ghosted)‏
      SAML as conduit for Information release
    • 6. Unified View Leverages Infrastructure(aka internal/nested/layered trust groups)
      The ‘Federation’
      SP
      Idp
      Idp
      SP
      Idp
      SP
      Special Interest Trust Groups
      SP
      • The Federation. sets POP/FOP requirements.
      • 7. Serves as the base inherited elements for local or SITG activity to enhance or build upon
      • 8. Most efficient way to insure least effort for SP/IdP to participate any way they want, including promotion to eduGain
      • 9. Local Fed. can haveneed their own isolated SP/IdPs
      • 10. Encourages organic growth on path to full Federation involvement.
      • 11. The Federation enables SITG to form their own special metadata sourced from the core metadata
      SP
      Idp
      Higher Assurance
      Local Fed
      Local Fed
      Idp
      SP
      Idp
      SP
      SP
      SP
      Idp
    • 12. My App Can’t Be Federated in CAF Because…
      It is limited to regionally/specific identities
      Reply: No problem! This is a Virtual Organization
      A Virtual Organization (VO) is any collective group that operates in a coordinated way to enable shared activities on one or more topics with common tools or governance.
      VOs can exist within institutional boundaries but are most effective when constituted to operate across and to unify participants in different physical or institutional limits.
      Primary purpose is to pursue the shared topic or topics.
      7
    • 13. Virtual Organization pt 2
      CAF is an environment where VO’s flourish:
      Virtual Organizations typically form around Service Provider(s) with IdPs providing consumers & complying to attribute profiles to participate
      Autonomy is retained by the VO & it’s members to focus on the topic 
      -CAF focus is on the  ‘dialtone’ infrastructure for collaboration – IdP & Sp management practices and operations and middleware elements
      –Examples in Canada are:
      •Regional Learning Management Systems
      •Transcript or Application management
      Research 'desktops' that aggregate tools for researchers
      Techniques to implement on SP end:
      Use the Shib2.xml & other configurations to whitelist participants[1]
      Consider using eduPersonEntitlement to express fine grain filtering at the application level:
      eduPersonEntitlement: urn:mace:washington.edu:confocalMicroscope
      eduPersonEntitlement: http://publisher.example.com/contract/GL12
      [1] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter
      8
    • 14. My App Can’t Be Federated in CAF Because…
      I need to exchange special attributes
      Reply: No Problem!
      CAF’s default is shared nothing
      eduPerson is the default attributes set
      Where insufficient, the SP should work out the details with it’s partners on what extra elements it needs
      CAF recommends that the SP have proper OIDs (can be registered with IANA for free) for their attributes
      OIDs provide uniqueness, but us humans like text names that are unique too.
      9
    • 15. Enhancing Attribute Exchanges
      Shared nothing today, but uses eduPerson schema
      Finding that this may be paradox of choice
      Very interesting space to explore, but keep in mind principles:
      Low friction to participate (ie, simplicity is good)
      Scalable and high degree of relevancy and utility
      Don’t punish the end user or IdP owner.
      Interop across Canada and internationally
      Many areas to explore
      Use SHAC[1] technique for attributes?
      "urn:schac:dom.ain:Attribute:value”
      UseAustralian[2] approach for precise control and strong typing and vocabulary?
      Require full participation in various attribute sets (ie MUST populate all fields) but in different categories of SPs (category 1, 2,3 etc)?
      Hybrid??
      [1] http://www.terena.org/mail-archives/schac/msg00371.html
      [2] http://www.aaf.edu.au/technical/aaf-core-attributes/
      10
    • 16. My App Can’t Be Federated in CAF Because…
      I need a Higher Level of Assurance for a user
      Reply: OK, we want this too, what are your requirements?
      Challenge is how do you want to express it and what are your criteria for the higher level of assurance?
      Part of a larger conversation
      What is the yardstick?
      NIST 800-63?
      NSTIC, OIX, KANTARA audit requirements
      Audit of SP against their own statements?
      If you want to be part of this conversation see Chris Phillips & or join mailing list.
      11
    • 17. My App Can’t Be Federated in CAF Because…
      I need to sign in on the command line
      Reply: Ok, we want this too.
      Already participating internationally with UK-JISC on project moonshot. Combo environment of eduroam RADIUS and SAML attribute assertions
      Live CD’s of the sample dev environment available from Chris.
      Also ECP plugin to Shib can accomplish this, but in a slightly different way.
      If you want to be part of this conversation see Chris Phillips & or join mailing list.
      12
    • 18. My App Can’t Be Federated in CAF Because…
      I need to sign in Social identities (Google, OpenID)
      Reply: No problem, it can be done
      Already participating internationally with REFEDS & inCommon on Social Identity risk assessment and gateway designs[1]
      Certain gateways exist from uPenn & Sweden [2]
      Many unquantified risks at this time, but does work
      User behind keyboard is unknown
      Attributes are self asserted
      No knowledge of value of the account to the person
      This is an active area of conversation.
      [1] https://spaces.internet2.edu/display/socialid/Handling+Both+Social+and+SAML+Identities
      [2] https://tnc2011.terena.org/getfile/558
      13
    • 19. My App Can’t Be Federated in CAF Because…
      I don’t think the CAF has as highly available as I want them to be
      Reply: OK, did you know the following?
      CAF services reside in 3 provinces (Ontario, BC, and Quebec), and have redundant DNS entrieswith live failover
      What are your service criteria so we may understand them better?
      14
    • 20. Your Turn…
      Looking for more conversation and discussion?
      Join the CAF-Shib technical list to discuss the topics:
      CAF-SHIBBOLETH-TECHNICAL-L-request@LISTSERV.UWINDSOR.CA
      15