Location Assertions
Ian A. Young
TAG meeting, January 19th, 2012
Problem Statement
• Initial use case is from Schools sector
• SP business model:
  • Primary market is individual home users
  • Secondary sales to schools for pupils at school: “on network”
  • Need to distinguish these cases
• Want to move from IP recognition at SP to IdP asserting network location
Solution Components
• Attribute profile
  • Which attributes?
  • Which values?
• Implementation
  • Independent of attribute profile
Attribute Considerations
• User may be “on” multiple networks at once: attribute must be multi-value
• Simple values imply central registry; URI values allow anyone to extend
• Existing attribute is easier to configure in some cases, but isn’t use case specific
• New subsidiary attribute would be our first!
eduPersonEntitlement
• Existing core attribute (TRP §7.3)
• Anyone can define “on network X” values
• We could curate agreed values for the NEN use cases
• Can be tricky to merge ePE values from multiple sources within the IdP
ukfNetworkLocation
• New subsidiary attribute (TRP §7.3)
• We’d have to define the attribute
• Fixed vocabulary:
  • slightly easier to use
  • needs central registry that we’d have to administer
• Or URI values:
  • No need for central registry, but again we could curate common values.
Initial Implementation
• Operator will commission implementation
• For latest Shibboleth 2.X IdP only
  • not simpleSAMLphp, not Shib 1.3
• Shipped as an extension
  • extended UsernamePassword login handler
  • either a data connector or attribute definition

Notes: Most Schools IdPs (14) are Shibboleth 2.something. Some may not be up to date, but probably close enough. Some (3) are simpleSAMLphp.
Initial Implementation
• Will work for either attribute profile
• Configuration:
  • Attribute name (urn:oid:...)
  • Attribute value (http://.../)
  • Set of IPv4 and IPv6 CIDR blocks
    • 220.127.116.11/24
    • 2001:630::/48
Shibboleth V3
• Will commission update of implementation for Shibboleth V3.0 APIs
• Implementation will then be donated to Shibboleth project
• Deploying an extension no longer required
Security Note
• Known issue with back-channel attribute queries
• http://shibboleth.internet2.edu/secadv/secadv_20110718.txt
• Bottom line: you can attack this if you’re sly. We’re assuming this edge case isn’t important.
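The configuration slide and the security note above, as an added worked example that is not the Operator’s or the Shibboleth project’s code: a toy resolver that maps a client address onto zero or more network-location values from configured CIDR blocks (multi-valued, IPv4 and IPv6, overlapping networks), and asserts nothing when no client address is available, as in a back-channel attribute query where the request comes from the SP rather than the user’s browser. The OID and the value URIs are placeholders, not registered identifiers.

```python
"""Toy model of an IdP asserting network location from the client address."""
import ipaddress
from typing import Dict, List, Optional

# Constructed configuration, shaped like the slide's three settings:
# attribute name (urn:oid:...), attribute value (http://.../), CIDR blocks.
# The OID below is a placeholder and the value URIs are hypothetical.
ATTRIBUTE_NAME = "urn:oid:1.3.6.1.4.1.PLACEHOLDER.1"
NETWORKS: Dict[str, List[str]] = {
    # value asserted when the client address falls inside any listed block
    "http://example.org/network/school-lan": [
        "220.127.116.11/24",  # IPv4 block from the slide (host bits set)
        "2001:630::/48",      # IPv6 block from the slide
    ],
    "http://example.org/network/district-wan": [
        "2001:630::/32",      # wider block that overlaps the /48 above
    ],
}

# Parse once at startup so a malformed block fails loudly before any login.
# strict=False masks off host bits (220.127.116.11/24 -> 220.127.116.0/24).
PARSED = {
    value: [ipaddress.ip_network(block, strict=False) for block in blocks]
    for value, blocks in NETWORKS.items()
}


def network_location_values(client_ip: Optional[str]) -> List[str]:
    """Return the multi-valued attribute for one client address.

    An empty list means 'assert nothing'. That is the right outcome when the
    IdP has no client address to work from (back-channel attribute query) or
    the address does not parse; guessing would assert a location we cannot
    justify from what we actually observed.
    """
    if not client_ip:
        return []
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return []
    # A user on nested or overlapping networks is "on" all of them at once.
    return sorted(
        value for value, nets in PARSED.items()
        if any(addr in net for net in nets)
    )


def build_assertion(client_ip: Optional[str]) -> dict:
    """Shape the result like a single SAML attribute with 0..n values."""
    return {"name": ATTRIBUTE_NAME, "values": network_location_values(client_ip)}
```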