SAML protected resources: the theory and practice of granularity and management data.
Presented by Ed Dee at JIBS/Eduserv seminar - Where now for resource licensing? London, 16 June 2010

Published in: Education

  1. SAML Protected Resources: the theory and practice of granularity and management data. Ed Dee, EDINA
  2. EDINA
     - Service provider
       - Digimap, Film & Sound Online, etc.
     - Identity provider
       - Various
     - Federated access
       - SDSS Federation
       - UKAMF: metadata management & technical support
  3. Where lies the guilt? Granularity and lack of management data from SAML protected resources
     - Service providers: 50%
     - Identity providers: 30%
     - UK Access Management Federation: 10%
     - User community: 10%
  4. SAML
     - Security Assertion Markup Language
     - Standard for exchanging authentication and authorisation information
     - Identity Provider
     - Service Provider
  5. The Questions
     Pussy cat, pussy cat, where have you been? "I've been down to London to visit at the Queen."
     Pussy cat, pussy cat, what did you there? "I frightened a little mouse under her chair."
  6. Shibboleth flow diagram
  7. Technical stuff
     [Diagram: Identity Provider, Service Provider and User linked by the SAML Dialogue; Resource; Federation Metadata; Attribute Database; Authorisation Database]
  8. SAML Dialogue
     - Uninteresting (to us):
       - Initiation/termination
       - Security
     - Interesting (to us):
       - Scope information
         - Institution/service: "who are you"
       - Attributes
         - User-specific information
  9. Q1: Pussy cat, pussy cat, where have you been?
     - From the IdP:
       - What resources are being used
       - Who is using them
     - Shibboleth 2.x IdPs only
       - Not outsourced IdPs
       - Not non-Shibboleth IdPs
       - Not Shibboleth 1.3 IdPs
         - EOSL date 30 June 2010
  10. Q1: Pussy cat, pussy cat, where have you been?
     - Shibboleth 2 IdP audit log
       - Who (ePPN)
       - When (timestamp)
       - What (relying party ID)
     [Diagram: Analysis Application; Federation Metadata, Attribute Database and Audit Log(s) in; Access Reports out]
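The analysis application sketched on slide 10, as an added example that is not part of the original talk: it joins constructed audit-log lines with constructed stand-ins for federation metadata (entityID to display name) and the institution's attribute database (principal to department) to build an access report per resource. The pipe-delimited field order is assumed from the Shibboleth IdP 2.x idp-audit.log layout; check it against your own log before relying on the column positions.

```python
from collections import Counter

# Constructed sample of a Shibboleth IdP 2.x idp-audit.log. Assumed field order:
# time|reqBinding|reqId|relyingPartyId|profile|assertingPartyId|respBinding|
# respId|principalName|authnMethod|releasedAttrs|nameId|assertionIds|
AUDIT_LOG = """\
20100616T090102Z|b|_r1|https://digimap.edina.ac.uk/shibboleth|p|https://idp.example.ac.uk/idp/shibboleth|b|_a1|alice|m|eduPersonScopedAffiliation,eduPersonTargetedID,|_n1|_s1,|
20100616T091500Z|b|_r2|https://filmandsound.edina.ac.uk/shibboleth|p|https://idp.example.ac.uk/idp/shibboleth|b|_a2|bob|m|eduPersonScopedAffiliation,|_n2|_s2,|
20100616T093000Z|b|_r3|https://digimap.edina.ac.uk/shibboleth|p|https://idp.example.ac.uk/idp/shibboleth|b|_a3|carol|m|eduPersonScopedAffiliation,eduPersonTargetedID,|_n3|_s3,|
20100616T100000Z|b|_r4|https://digimap.edina.ac.uk/shibboleth|p|https://idp.example.ac.uk/idp/shibboleth|b|_a4|alice|m|eduPersonScopedAffiliation,eduPersonTargetedID,|_n4|_s4,|
"""

# Constructed stand-ins: federation metadata (entityID -> display name) and the
# institution's attribute database (principal -> department).
FEDERATION_METADATA = {
    "https://digimap.edina.ac.uk/shibboleth": "EDINA Digimap",
    "https://filmandsound.edina.ac.uk/shibboleth": "Film & Sound Online",
}
ATTRIBUTE_DB = {"alice": "Geography", "bob": "History", "carol": "Geography"}


def parse_audit_log(text):
    """Yield (timestamp, relying_party_id, principal) per audit line.
    Short or malformed lines are skipped so one bad line cannot stop a report."""
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 9:
            continue
        yield fields[0], fields[3], fields[8]


def access_report(log_text, metadata, attribute_db):
    """Logins per resource, plus distinct users per department per resource."""
    logins = Counter()
    users = {}
    for _ts, rp_id, principal in parse_audit_log(log_text):
        name = metadata.get(rp_id, rp_id)  # unknown SP: keep the raw entityID
        dept = attribute_db.get(principal, "unknown")
        logins[name] += 1
        users.setdefault(name, {}).setdefault(dept, set()).add(principal)
    return {n: {"logins": logins[n],
                "users_by_dept": {d: len(s) for d, s in users[n].items()}}
            for n in logins}


if __name__ == "__main__":
    for resource, stats in access_report(AUDIT_LOG, FEDERATION_METADATA, ATTRIBUTE_DB).items():
        print(resource, stats)
```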
  11. Tools
     - Project Raptor
       - Software toolkit for reporting e-resource usage statistics
       - Shibboleth 2 IdPs & EZproxy
       - JISC + Cardiff University + Kidderminster College
       - V1.0 due Feb 2011
  12. Q2: Pussy cat, pussy cat, what did you there?
     - Cannot come from the IdP
     - Must come from the SP
       - What does the SP know about the user?
     [Diagram: Service Provider, User, Identity Provider, Attributes, Resource, Attribute Database]
  13. Attributes: eduPerson object class
     - Core
       - Targeted ID
       - Principal name
       - [Scoped] Affiliation
       - Entitlement
     - Other
       - Nickname
       - Org [Unit] DN
  14. Granularity: core attributes
     - [Scoped] Affiliation
       - Scope
       - Member | {Staff | Student | Employee | Affiliate | Alum | library-walk-in}
     - Entitlement
       - Service- or user-specific conditions
         - urn:mace:dir:entitlement:common-lib-terms
  15. On passing attributes (Photo: Library of Virginia / Flickr)
  16. EDINA Digimap
     - [Scoped] Affiliation
     - Targeted ID
     - Principal Name
     - Title
     - Givenname
     - Sn [surname]
     - O [organisation]
     - Ou [organisational unit]
     - Mail
  17. Reality
     [Diagram: Identity Provider, Service Provider, Attribute Release Policy]
  18. Reality
     - Most IdPs give out only:
       - [Scoped] Affiliation
         - Organisational affiliation (ePSA)
           - SP cannot determine department etc.
           - ePSA is often just "member"
       - Targeted ID
         - Service-specific, opaque ID (ePTID)
           - SP cannot determine the user
           - SP cannot correlate usage between services
     - Many IdPs cannot handle entitlement
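What the SP side of slides 14 and 18 looks like in code, as an added example that is not part of the original talk: a constructed access policy (members of a subscribing institution, or holders of common-lib-terms) evaluated over the attributes an IdP released, reporting alongside the decision how much management data that release actually supports. The check of each affiliation's scope against the scopes registered for the asserting IdP is an added caveat; ALLOWED_SCOPES is a constructed stand-in for what federation metadata provides.

```python
# Constructed SP-side policy: access for members of a subscribing institution
# or for holders of the common-lib-terms entitlement (slide 14).
LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"
SPECIFIC_AFFILIATIONS = {"staff", "student", "employee", "affiliate", "alum",
                         "library-walk-in"}
# Constructed stand-in for the scopes federation metadata registers per IdP.
ALLOWED_SCOPES = {"https://idp.example.ac.uk/idp/shibboleth": {"example.ac.uk"}}


def accepted_affiliations(values, idp_entity_id, allowed_scopes=ALLOWED_SCOPES):
    """Keep only affiliations whose scope the asserting IdP is registered for.
    A value with a foreign or missing scope is dropped, never trusted."""
    accepted = set()
    for value in values:
        if "@" not in value:
            continue
        affiliation, scope = value.rsplit("@", 1)
        if scope in allowed_scopes.get(idp_entity_id, set()):
            accepted.add(affiliation.lower())
    return accepted


def evaluate(idp_entity_id, attributes):
    """Access decision plus the management-data granularity the release allows."""
    affils = accepted_affiliations(
        attributes.get("eduPersonScopedAffiliation", []), idp_entity_id)
    entitled = LIB_TERMS in attributes.get("eduPersonEntitlement", [])
    specific = sorted(affils & SPECIFIC_AFFILIATIONS)
    identified = "eduPersonPrincipalName" in attributes
    return {
        "access": entitled or "member" in affils or bool(specific),
        # With an ePSA of just "member", status below "member" is unknown.
        "status": specific or (["member"] if "member" in affils else []),
        # Department is unknown unless ou was released (slide 18).
        "department": attributes.get("ou", ["unknown"])[0],
        # ePTID alone is opaque and per-service: no user identity, no
        # correlation of usage across services.
        "user_identifiable": identified,
        "cross_service_correlation": identified,
    }


if __name__ == "__main__":
    print(evaluate("https://idp.example.ac.uk/idp/shibboleth",
                   {"eduPersonScopedAffiliation": ["member@example.ac.uk"],
                    "eduPersonTargetedID": ["opaque-per-service-value"]}))
```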
  19. "No one really asks us much for ARP changes." IdP administrator
  20. Why?
     - IdPs
       - Fear of data protection legislation
       - No inclination; no capabilities
       - No SPs ask for it
     - SPs
       - Not available from IdPs
       - No use for the data
  21. Stable deadlock: too hard to ask, so SPs don't; IdPs get no requests, so they think all is well.
  22. What do SPs do?
     - Personalisation
       - Registration system
       - Registration database
     - Usage statistics
       - Merge logs and registration details
     - EDINA Digimap
       - Users / status / department
  23. Attribute release progression: Basic attributes -> Extended attributes -> Personal attributes
  24. Towards agreement
     - Forums
       - Small scale
       - Application-area specific
       - Agree what is desirable
       - Agree what is possible
       - Experiment, agree, deploy; do not theorise
     - No top-down dictate
  25. NESLi2
     - JISC Statistics Portal
       - Cranfield, Birmingham City University, MIMAS
       - Database/journal/article level reporting
       - Oct 2009 - Dec 2010
       - "one-stop shop"
         - could go to view and download their own usage reports from NESLi2 publishers
  26. Granularity & management data
     - Technical capabilities exist
     - "Natural restful inertia": the problem is large
       - UKAMF
         - 800+ members
           - 440+ SPs
           - 630+ IdPs
     - User driven
     - Tackle from the bottom up