Shibboleth Development and Support Services




An Identity Provider’s Guide to the Core Attributes


                        Ian A. Young
SDSS, EDINA, University of Edinburgh


                 McShib meeting, 14th December 2007



Problem Statement
• Federated Access Management is all about the
  attributes released by the IdP to the SP

• IdP and SP need to agree on:
   – attributes to exchange
   – their definitions
   – their quality

• (more) easily resolved if IdP = SP
   – e.g., internal institutional applications

• If they’re not the same party, this is hard



Festive Caricatures (1)


• Service provider: I want a pony!
   – I’d like attributes A, B, C, and D through Z please
   – if you give me more, I can do more
   – if you give me attribute Y, my code will be easier
     to write
   – I’ve already written code that needs attribute X
   – Summary: as much as possible, please






Festive Caricatures (2)

• Identity Provider: No, you can’t have a pony!
   – we don’t even have all of that information, we’d
     have to collect it
   – then we’d have to maintain it to make sure it was
     correct
   – we can’t release attribute X to you without talking
     to our lawyers
   – We don’t see why you have a real need for Y.
   – Summary: as little as possible, please




Where to Begin?


• Some SPs tell us what they want:
   – http://tinyurl.com/2y92cj
   – this tends to encourage standardisation

• Some SPs prefer to negotiate with IdPs
• If you have more information, let us know!
• Remember: information release is your
  responsibility so it’s your call





Finding a Balance

• Core attributes:
   – minimal set of four very flexible attributes
   – chosen from eduPerson for interoperability
   – good enough for most situations
   – of course, not sufficient for all situations

• SPs told: you may have problems if you ask for
  something outside this set

• IdPs told: you may not be able to access some
  popular services if you can’t provide this set



Stored vs. Transmitted
• The attributes you transmit don’t have to be the
  same attributes you have stored.

• Attributes can be gathered from multiple
  sources.

• Attributes can be transformed, e.g., by scripts
  you write.

• So, no requirement to alter your directory
  schema.

• Release only after positive policy decision.



eduPersonScopedAffiliation (ePSA)

• Possibly the most important attribute in the UK federation (UKf)
• Describes the subject’s relationship with their
  institution

• What are they to you?
• Example: member@ed.ac.uk
• Only a few permissible values (this is good)
• ... but even fewer see real use



ePSA Values (1)


• student, staff, faculty, employee, member,
  affiliate, alum, library-walk-in

• multi-valued attribute for each subject
• value space has structure:
   – e.g., student@ implies member@ as well

• only release what the service provider needs!
• normally safe to release member@ to everyone



ePSA Values (2)

• Most important value: member
   – “member in good standing of the ... community”
   – corresponds to most “authorised users” in the
     JISC model license
   – safe to release, adequate for many SPs

• Er, that’s it...
• Upcoming: library-walk-in
   – recently profiled by MACE-Dir for new eduPerson
   – corresponds to the other “authorised users”



Scripting eduPersonScopedAffiliation

• Your directory says “role is student” in code
• ... but you want ePSA = “student”
• ePSA can be derived from “unscoped” ePA:
  <ScriptletAttributeDefinition
          id="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <DataConnectorDependency requires="directory"/>
      <Scriptlet><![CDATA[
          Attributes attributes =
              dependencies.getConnectorResolution("directory");
          // the directory's role codes for this subject (may be absent)
          Attribute roles = attributes.get("roles");
          // role code 00142 means "student" in this directory
          if (roles != null && roles.contains("00142")) {
              resolverAttribute.addValue("student");
          }
      ]]></Scriptlet>
  </ScriptletAttributeDefinition>
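The derivation on this slide carried through in Python, as an added example (not the Shibboleth IdP's own code): directory role codes become unscoped ePA values, the set is closed under the implication structure described earlier (student implies member), scoped, and then filtered by a per-SP release policy. Role codes other than 00142, the SP entityIDs and the policy table are constructed; the implication rules follow the eduPerson definitions.

```python
"""Derive eduPersonScopedAffiliation (ePSA) from opaque directory role codes,
close the value set under the eduPerson implication structure, scope it, and
release per SP. Added example, not Shibboleth IdP code."""

from typing import Dict, Iterable, List, Set

# Constructed mapping from directory role codes to unscoped ePA values.
# "00142" -> "student" is taken from the slide; the other codes are made up.
ROLE_CODES: Dict[str, str] = {
    "00142": "student",
    "00207": "staff",
    "00311": "alum",
}

# Implication structure of the ePA value space (from the eduPerson definitions):
# student/staff/faculty/employee imply member; faculty and staff imply employee.
# alum, affiliate and library-walk-in do NOT imply member.
IMPLIES: Dict[str, Set[str]] = {
    "student": {"member"},
    "employee": {"member"},
    "staff": {"employee"},
    "faculty": {"employee"},
}

HOME_SCOPE = "ed.ac.uk"  # scope from the slide's example value member@ed.ac.uk

# Constructed per-SP release policy keyed by SP entityID; "*" applies to every SP.
# member@ is released to everyone (see "ePSA Values (1)"); anything else only
# where it has been agreed with that SP.
RELEASE_POLICY: Dict[str, Set[str]] = {
    "*": {"member"},
    "https://sp.example.com/shibboleth": {"student", "staff"},
}


def derive_affiliations(role_codes: Iterable[str]) -> Set[str]:
    """Map role codes to unscoped ePA values and close the set under IMPLIES."""
    values = {ROLE_CODES[code] for code in role_codes if code in ROLE_CODES}
    pending = list(values)
    while pending:
        value = pending.pop()
        for implied in IMPLIES.get(value, set()):
            if implied not in values:
                values.add(implied)
                pending.append(implied)
    return values


def scoped(values: Iterable[str], scope: str = HOME_SCOPE) -> Set[str]:
    """Turn unscoped ePA values into ePSA values such as member@ed.ac.uk."""
    return {f"{value}@{scope}" for value in values}


def release(sp_entity_id: str, epsa_values: Iterable[str]) -> List[str]:
    """Positive policy decision: return only the ePSA values this SP may see."""
    allowed = RELEASE_POLICY["*"] | RELEASE_POLICY.get(sp_entity_id, set())
    return sorted(v for v in epsa_values if v.split("@", 1)[0] in allowed)


def resolve_for_sp(role_codes: Iterable[str], sp_entity_id: str) -> List[str]:
    """Full pipeline: directory codes -> ePA -> ePSA -> released subset."""
    return release(sp_entity_id, scoped(derive_affiliations(role_codes)))


if __name__ == "__main__":
    # Constructed subject holding role code 00142 (student) only.
    print(resolve_for_sp(["00142"], "https://sp.example.com/shibboleth"))
    print(resolve_for_sp(["00142"], "https://other.example.org/shibboleth"))
```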





eduPersonTargetedID (ePTI)

• ePTI is an opaque, directed, persistent identifier
  for the user
   – opaque: doesn’t give the user’s identity away
   – directed: each SP sees a different value
   – persistent: the SP will see the same value every
     time the user comes back to them

• Primary use is for personalisation
• ePTI is not stored in your directory
   – options are storage-backed and computed




Storage-backed ePTI

• Store opaque (e.g., random) tokens in a DB
• Pro:
   – Supports more future SAML functionality
   – Supports ePTI revocation for privacy purposes
   – No problems with local identifier re-use

• Con:
   – Not bundled with 1.x IdP, so not many examples
       – Basic implementation bundled with 2.0 IdP

   – Fully resilient implementation is more complex



Computed ePTI (1)

• Mix (hash) together:
   – a secret
   – a unique (non-reassigned) local identifier
       – probably not the login name
       – most directories have some kind of UUID/GUID

   – the SP’s entity name

• Pro:
   – No storage required
   – Implementation bundled with 1.x IdP




Computed ePTI (2)

• Con:
   – Doesn’t support advanced SAML functionality
   – Doesn’t support revocability
   – If SHA-1 is broken, becomes insecure
   – Reuse of local identifier causes ePTI reuse
       – and SPs really don’t want that to happen, ever

• Summary: computed ePTI is acceptable for now
  if carefully implemented

• ... but expect to need to migrate
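The computed ePTI of the last two slides and the storage-backed variant described before them, with the migration path from one to the other, as an added example in Python (not the Shibboleth IdP's own implementation). It assumes HMAC-SHA256 over length-prefixed fields in place of the slide's SHA-1 hash, an in-memory dictionary in place of the database, and constructed GUID and SP entityID values.

```python
"""eduPersonTargetedID (ePTI): a computed variant, a storage-backed variant,
and the migration from the first to the second. Added example, not the
Shibboleth IdP's own code. The slide describes a SHA-1 hash; HMAC-SHA256 and an
assumed length-prefixed field layout are substituted here."""

import base64
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def _encode_fields(*fields: str) -> bytes:
    """Length-prefix each field so no separator character can be confused."""
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def compute_epti(secret: bytes, local_id: str, sp_entity_id: str) -> str:
    """Computed ePTI: mix the secret, the local identifier and the SP entityID.

    opaque:     nothing about local_id is recoverable without the secret
    directed:   sp_entity_id is an input, so every SP gets a different value
    persistent: same inputs give the same output; nothing is stored
    The slide's con applies: if local_id is ever reassigned to another
    person, that person inherits the old ePTI at every SP.
    """
    if len(secret) < 16:
        raise ValueError("secret needs at least 128 bits")
    if not local_id or not sp_entity_id:
        raise ValueError("local identifier and SP entityID are both required")
    mac = hmac.new(secret, _encode_fields(sp_entity_id, local_id), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


class EptiStore:
    """Storage-backed ePTI: random tokens keyed by (local_id, sp_entity_id).

    A dict stands in for the database. Because tokens are random rather than
    derived, revocation and a fresh token for a recycled local identifier are
    both possible, which the computed variant cannot offer.
    """

    def __init__(self) -> None:
        self._tokens: Dict[Tuple[str, str], str] = {}

    def lookup_or_issue(self, local_id: str, sp_entity_id: str) -> str:
        """Return the stored token for this pair, issuing a random one if new."""
        key = (local_id, sp_entity_id)
        if key not in self._tokens:
            token = base64.b64encode(secrets.token_bytes(32)).decode("ascii")
            self._tokens[key] = token
        return self._tokens[key]

    def revoke(self, local_id: str, sp_entity_id: str) -> bool:
        """Forget the token; the next lookup issues a new, unlinkable one."""
        return self._tokens.pop((local_id, sp_entity_id), None) is not None

    def migrate_from_computed(self, secret: bytes, local_id: str,
                              sp_entity_id: str) -> str:
        """Seed the store with the value the SP already knows, so moving from
        computed to storage-backed ePTI is invisible to that SP."""
        key = (local_id, sp_entity_id)
        self._tokens.setdefault(key, compute_epti(secret, local_id, sp_entity_id))
        return self._tokens[key]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once; keep out of the directory and logs
    guid = "5f1c9a0e-7d2b-4c3a-9e1f-0123456789ab"  # constructed directory GUID
    print(compute_epti(key, guid, "https://sp.example.com/shibboleth"))
    print(compute_epti(key, guid, "https://other.example.org/shibboleth"))
```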



eduPersonEntitlement (ePE)

• eduPersonGetOutOfJailFreeCard
• Value is arbitrary URI (e.g., URN or URL)
• Values can be agreed between IdP and SP
• Can be used to delegate authorisation to IdP
• E.g., “IdP says OK to access resource X”
• Multi-valued: each user may have many
• ... only release values appropriate to each SP



Scripting eduPersonEntitlement
<ScriptletAttributeDefinition
   id="urn:mace:dir:attribute-def:eduPersonEntitlement">
   <DataConnectorDependency requires="directory"/>
   <AttributeDependency
      requires="urn:mace:dir:attribute-def:eduPersonAffiliation" />
   <Scriptlet><![CDATA[
      Attributes attributes =
          dependencies.getConnectorResolution("directory");

      Attribute entitlement = attributes.get("eduPersonEntitlement");

      // add values from directory (the attribute may be absent)
      for (int i = 0; entitlement != null && i < entitlement.size(); i++) {
         resolverAttribute.addValue(entitlement.get(i));
      }

      // add common-lib-terms for staff and student (affiliation may be absent)
      Attribute attribute = attributes.get("eduPersonAffiliation");
      if (attribute != null
          && (attribute.contains("staff") || attribute.contains("student"))) {
          resolverAttribute.addValue("http://sp.example.com/contract0732");
      }
      ]]>
   </Scriptlet>
</ScriptletAttributeDefinition>




eduPersonPrincipalName (ePPN)



• Usually scoped version of login name
   – my.name@ed.ac.uk

• This counts as personal information
• Privacy and legal concerns mean use as last
  resort

• Can often be replaced by ePTI or ePE




Contacts

• UK federation: http://www.ukfederation.org.uk/
• Technical Recommendations for Participants:
   – http://tinyurl.com/ywm895

• Recommendations for use of personal data:
   – http://tinyurl.com/2fud6b

• Speaker: ian@iay.org.uk
• And you’ve been good this year, so...
...all right, you can have a pony




photo © cc-by-2.0 by flickr user http://flickr.com/photos/jonmclean/

More Related Content

Similar to 20071214: An Identity Provider's Guide to the Core Attributes

Java EE 7 from an HTML5 Perspective, JavaLand 2015
Java EE 7 from an HTML5 Perspective, JavaLand 2015Java EE 7 from an HTML5 Perspective, JavaLand 2015
Java EE 7 from an HTML5 Perspective, JavaLand 2015
Edward Burns
 
WCAG- Go beyond and be creative by Irfan Ali from ETS Princeton New Jersey
WCAG- Go beyond and be creative by Irfan Ali from ETS Princeton New JerseyWCAG- Go beyond and be creative by Irfan Ali from ETS Princeton New Jersey
WCAG- Go beyond and be creative by Irfan Ali from ETS Princeton New Jersey
Irfan Ali
 
Spreadmart To Data Mart BISIG Presentation
Spreadmart To Data Mart BISIG PresentationSpreadmart To Data Mart BISIG Presentation
Spreadmart To Data Mart BISIG Presentation
Dan English
 
Achievo ATK, an Open Source project
Achievo ATK, an Open Source projectAchievo ATK, an Open Source project
Achievo ATK, an Open Source project
Ivo Jansch
 
If Web Services are the Answer, What's The Question
If Web Services are the Answer, What's The QuestionIf Web Services are the Answer, What's The Question
If Web Services are the Answer, What's The Question
Duncan Hull
 
Irl Web Strategy
Irl Web StrategyIrl Web Strategy
Irl Web Strategy
Lulu Pachuau
 
Hello Open World - The Web of Data for the Pragmatic Developer
Hello Open World - The Web of Data for the Pragmatic DeveloperHello Open World - The Web of Data for the Pragmatic Developer
Hello Open World - The Web of Data for the Pragmatic Developer
Alexandre Passant
 
Symfony for non-techies
Symfony for non-techiesSymfony for non-techies
Symfony for non-techies
Stefan Koopmanschap
 
An Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAs
An Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAsAn Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAs
An Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAs
Jim Czuprynski
 
Applications of the REST Principle
Applications of the REST PrincipleApplications of the REST Principle
Applications of the REST Principle
elliando dias
 
Building Killer Communities And Taking Confluence Social
Building Killer Communities And Taking Confluence SocialBuilding Killer Communities And Taking Confluence Social
Building Killer Communities And Taking Confluence Social
Atlassian
 
DPC2007 PDO (Lukas Kahwe Smith)
DPC2007 PDO (Lukas Kahwe Smith)DPC2007 PDO (Lukas Kahwe Smith)
DPC2007 PDO (Lukas Kahwe Smith)
dpc
 
From Beginners to Experts, Data Wrangling for All
From Beginners to Experts, Data Wrangling for AllFrom Beginners to Experts, Data Wrangling for All
From Beginners to Experts, Data Wrangling for All
DataWorks Summit
 
The Server Side of Responsive Web Design
The Server Side of Responsive Web DesignThe Server Side of Responsive Web Design
The Server Side of Responsive Web Design
Dave Olsen
 
Render Caching for Drupal 8
Render Caching for Drupal 8Render Caching for Drupal 8
Render Caching for Drupal 8
John Doyle
 
Postgres Foreign Data Wrappers
Postgres Foreign Data Wrappers  Postgres Foreign Data Wrappers
Postgres Foreign Data Wrappers
EDB
 
Demo day
Demo dayDemo day
Demo day
DeepikaRana30
 
CA_Plex_SupportForModernizingIBM_DB2_for_i
CA_Plex_SupportForModernizingIBM_DB2_for_iCA_Plex_SupportForModernizingIBM_DB2_for_i
CA_Plex_SupportForModernizingIBM_DB2_for_i
George Jeffcock
 
Meandre Architecture
Meandre ArchitectureMeandre Architecture
Meandre Architecture
Loretta Auvil
 
Meandre Architecture Ws Apr 2009
Meandre Architecture Ws Apr 2009Meandre Architecture Ws Apr 2009
Meandre Architecture Ws Apr 2009
Loretta Auvil
 

Similar to 20071214: An Identity Provider's Guide to the Core Attributes (20)

Java EE 7 from an HTML5 Perspective, JavaLand 2015
Java EE 7 from an HTML5 Perspective, JavaLand 2015Java EE 7 from an HTML5 Perspective, JavaLand 2015
Java EE 7 from an HTML5 Perspective, JavaLand 2015
 
WCAG- Go beyond and be creative by Irfan Ali from ETS Princeton New Jersey
WCAG- Go beyond and be creative by Irfan Ali from ETS Princeton New JerseyWCAG- Go beyond and be creative by Irfan Ali from ETS Princeton New Jersey
WCAG- Go beyond and be creative by Irfan Ali from ETS Princeton New Jersey
 
Spreadmart To Data Mart BISIG Presentation
Spreadmart To Data Mart BISIG PresentationSpreadmart To Data Mart BISIG Presentation
Spreadmart To Data Mart BISIG Presentation
 
Achievo ATK, an Open Source project
Achievo ATK, an Open Source projectAchievo ATK, an Open Source project
Achievo ATK, an Open Source project
 
If Web Services are the Answer, What's The Question
If Web Services are the Answer, What's The QuestionIf Web Services are the Answer, What's The Question
If Web Services are the Answer, What's The Question
 
Irl Web Strategy
Irl Web StrategyIrl Web Strategy
Irl Web Strategy
 
Hello Open World - The Web of Data for the Pragmatic Developer
Hello Open World - The Web of Data for the Pragmatic DeveloperHello Open World - The Web of Data for the Pragmatic Developer
Hello Open World - The Web of Data for the Pragmatic Developer
 
Symfony for non-techies
Symfony for non-techiesSymfony for non-techies
Symfony for non-techies
 
An Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAs
An Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAsAn Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAs
An Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAs
 
Applications of the REST Principle
Applications of the REST PrincipleApplications of the REST Principle
Applications of the REST Principle
 
Building Killer Communities And Taking Confluence Social
Building Killer Communities And Taking Confluence SocialBuilding Killer Communities And Taking Confluence Social
Building Killer Communities And Taking Confluence Social
 
DPC2007 PDO (Lukas Kahwe Smith)
DPC2007 PDO (Lukas Kahwe Smith)DPC2007 PDO (Lukas Kahwe Smith)
DPC2007 PDO (Lukas Kahwe Smith)
 
From Beginners to Experts, Data Wrangling for All
From Beginners to Experts, Data Wrangling for AllFrom Beginners to Experts, Data Wrangling for All
From Beginners to Experts, Data Wrangling for All
 
The Server Side of Responsive Web Design
The Server Side of Responsive Web DesignThe Server Side of Responsive Web Design
The Server Side of Responsive Web Design
 
Render Caching for Drupal 8
Render Caching for Drupal 8Render Caching for Drupal 8
Render Caching for Drupal 8
 
Postgres Foreign Data Wrappers
Postgres Foreign Data Wrappers  Postgres Foreign Data Wrappers
Postgres Foreign Data Wrappers
 
Demo day
Demo dayDemo day
Demo day
 
CA_Plex_SupportForModernizingIBM_DB2_for_i
CA_Plex_SupportForModernizingIBM_DB2_for_iCA_Plex_SupportForModernizingIBM_DB2_for_i
CA_Plex_SupportForModernizingIBM_DB2_for_i
 
Meandre Architecture
Meandre ArchitectureMeandre Architecture
Meandre Architecture
 
Meandre Architecture Ws Apr 2009
Meandre Architecture Ws Apr 2009Meandre Architecture Ws Apr 2009
Meandre Architecture Ws Apr 2009
 

Recently uploaded

"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
Enterprise Knowledge
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Pitangent Analytics & Technology Solutions Pvt. Ltd
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 

Recently uploaded (20)

"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 

20071214: An Identity Provider's Guide to the Core Attributes

  • 1. Shibboleth Development and Support Services An Identity Provider’s Guide to the Core Attributes Ian A. Young SDSS, EDINA, University of Edinburgh McShib meeting, 14th December 2007
  • 2. Shibboleth Development and Support Services Problem Statement • Federated Access Management is all about the attributes released by the IdP to the SP • IdP and SP need to agree on: – attributes to exchange – their definitions – their quality • (more) easily resolved if IdP = SP – e.g., internal institutional applications • If they’re not the same party, this is hard McShib meeting 14th December 2007 2
  • 3. Shibboleth Development and Support Services Festive Caricatures (1) • Service provider: I want a pony! – I’d like attributes A, B, C, and D through Z please – if you give me more, I can do more – if you give me attribute Y, my code will be easier to write – I’ve already written code that needs attribute X – Summary: as much as possible, please McShib meeting 14th December 2007 3
  • 4. Shibboleth Development and Support Services Festive Caricatures (2) • Identity Provider: No, you can’t have a pony! – we don’t even have all of that information, we’d have to collect it – then we’d have to maintain it to make sure it was correct – we can’t release attribute X to you without talking to our lawyers – We don’t see why you have a real need for Y. – Summary: as little as possible, please McShib meeting 14th December 2007 4
  • 5. Shibboleth Development and Support Services Where to Begin? • Some SPs tell us what they want: – http://tinyurl.com/2y92cj – this tends to encourage standardisation • Some SPs prefer to negotiate with IdPs • If you have more information, let us know! • Remember: information release is your responsibility so it’s your call McShib meeting 14th December 2007 5
  • 6. Shibboleth Development and Support Services Finding a Balance • Core attributes: – minimal set of four very flexible attributes – chosen from eduPerson for interoperability – good enough for most situations – of course, not sufficient for all situations • SPs told: you may have problems if you ask for something outside this set • IdPs told: you may not be able to access some popular services if you can’t provide this set McShib meeting 14th December 2007 6
  • 7. Shibboleth Development and Support Services Stored vs. Transmitted • The attributes you transmit don’t have to be the same attributes you have stored. • Attributes can be gathered from multiple sources. • Attributes can be transformed, e.g., by scripts you write. • So, no requirement to alter your directory schema. • Release only after positive policy decision. McShib meeting 14th December 2007 7
  • 8. Shibboleth Development and Support Services eduPersonScopedAffiliation (ePSA) • Possibly the most important attribute in the UKf • Describes the subject’s relationship with their institution • What are they to you? • Example: member@ed.ac.uk • Only a few permissible values (this is good) • ... but even fewer see real use McShib meeting 14th December 2007 8
  • 9. Shibboleth Development and Support Services ePSA Values (1) • student, staff, faculty, employee, member, affiliate, alum, library-walk-in • multi-valued attribute for each subject • value space has structure: • e.g., student@ implies member@ as well • only release what the service provider needs! • normally safe to release member@ to everyone McShib meeting 14th December 2007 9
  • 10. Shibboleth Development and Support Services ePSA Values (2) • Most important value: member – “member in good standing of the ... community” – corresponds to most “authorised users” in the JISC model license – safe to release, adequate for many SPs • Er, that’s it... • Upcoming: library-walk-in – recently profiled by MACE-Dir for new eduPerson – corresponds to the other “authorised users” McShib meeting 14th December 2007 10
  • 11. Shibboleth Development and Support Services Scripting eduPersonScopedAffiliation • Your directory says “role is student” in code • ... but you want ePSA = “student” • ePSA can be derived from “unscoped” ePA: <ScriptletAttributeDefinition id=quot;urn:mace:dir:attribute-def:eduPersonAffiliationquot;> <DataConnectorDependency requires=quot;directoryquot;/> <Scriptlet><![CDATA[ Attributes attributes = dependencies.getConnectorResolution(quot;directoryquot;); Attribute roles = attributes.get(quot;rolesquot;); if (roles.contains(quot;00142quot;)) { resolverAttribute.addValue(quot;studentquot;); } ]]></Scriptlet> </ScriptletAttributeDefinition> McShib meeting 14th December 2007 11
12. eduPersonTargetedID (ePTI)
• ePTI is an opaque, directed, persistent identifier for the user
   – opaque: doesn’t give the user’s identity away
   – directed: each SP sees a different value
   – persistent: the SP will see the same value every time the user comes back to them
• Primary use is for personalisation
• ePTI is not stored in your directory
   – options are storage-backed and computed
13. Storage-backed ePTI
• Store opaque (e.g., random) tokens in a DB
• Pro:
   – Supports more future SAML functionality
   – Supports ePTI revocation for privacy purposes
   – No problems with local identifier re-use
• Con:
   – Not bundled with 1.x IdP, so not many examples
      • Basic implementation bundled with 2.0 IdP
   – Fully resilient implementation is more complex
14. Computed ePTI (1)
• Mix (hash) together:
   – a secret
   – a unique (non-reassigned) local identifier
      • probably not the login name
      • most directories have some kind of UUID/GUID
   – the SP’s entity name
• Pro:
   – No storage required
   – Implementation bundled with 1.x IdP
15. Computed ePTI (2)
• Con:
   – Doesn’t support advanced SAML functionality
   – Doesn’t support revocability
   – If SHA-1 is broken, becomes insecure
   – Reuse of local identifier causes ePTI reuse
      • and SPs really don’t want that to happen, ever
• Summary: computed ePTI is acceptable for now if carefully implemented
• ... but expect to need to migrate
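A computed ePTI in the style slides 14 and 15 describe, added as an illustration and not the Shibboleth IdP’s own implementation: the secret, the non-reassigned local identifier and the SP entity name are hashed together, and a helper checks the directed and persistent properties over several SPs. The “!”-separated input layout, base64 output and default digest are assumptions; the secret and identifiers are constructed.

```python
import base64
import hashlib

# Added example, not Shibboleth's own code: a computed ePTI built from a secret,
# a non-reassigned local identifier and the SP's entity name, as the slides
# describe. Input layout, output encoding and default digest are assumptions.
SECRET = b"constructed-idp-secret-keep-out-of-version-control"  # constructed


def computed_epti(local_id, sp_entity_id, secret=SECRET, algo="sha256"):
    """Return an opaque, directed, persistent identifier for (user, SP).

    opaque:     the SP cannot invert the digest, and without the secret it
                cannot confirm a guessed local_id by recomputing the hash
    directed:   the SP entity name is hashed in, so each SP sees a different value
    persistent: same inputs give the same output every time, nothing is stored
    The slides tie the 1.x bundled scheme to SHA-1; the digest is a parameter
    here, but changing it changes every identifier already issued to SPs.
    """
    h = hashlib.new(algo)
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(local_id.encode("utf-8"))
    h.update(b"!")
    h.update(secret)
    return base64.b64encode(h.digest()).decode("ascii")


def epti_properties(local_id, sps, secret=SECRET):
    """Check the directed and persistent properties over a list of SP entity IDs.

    Returns (directed, persistent): directed is True when every SP receives a
    distinct value, persistent when recomputation reproduces each value.
    """
    values = [computed_epti(local_id, sp, secret) for sp in sps]
    directed = len(set(values)) == len(values)
    persistent = all(computed_epti(local_id, sp, secret) == v
                     for sp, v in zip(sps, values))
    return directed, persistent
```

The slide’s identifier re-use warning follows directly from the construction: a local identifier re-assigned to a different person hashes to the same ePTI, so the identifier fed in must be one the directory never recycles.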
16. eduPersonEntitlement (ePE)
• eduPersonGetOutOfJailFreeCard
• Value is an arbitrary URI (e.g., URN or URL)
• Values can be agreed between IdP and SP
• Can be used to delegate authorisation to IdP
   – E.g., “IdP says OK to access resource X”
• Multi-valued: each user may have many
• ... only release values appropriate to each SP
17. Scripting eduPersonEntitlement

   <ScriptletAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement">
      <DataConnectorDependency requires="directory"/>
      <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
      <Scriptlet><![CDATA[
         Attributes attributes = dependencies.getConnectorResolution("directory");
         Attribute entitlement = attributes.get("eduPersonEntitlement");
         // add values from directory (a subject may have none)
         for (int i = 0; entitlement != null && i < entitlement.size(); i++) {
            resolverAttribute.addValue(entitlement.get(i));
         }
         // add common-lib-terms for staff and student, taken from the resolved
         // eduPersonAffiliation declared above as an attribute dependency
         Attribute affiliation =
            dependencies.getAttributeResolution("urn:mace:dir:attribute-def:eduPersonAffiliation");
         if (affiliation != null &&
             (affiliation.contains("staff") || affiliation.contains("student"))) {
            resolverAttribute.addValue("http://sp.example.com/contract0732");
         }
      ]]></Scriptlet>
   </ScriptletAttributeDefinition>
18. eduPersonPrincipalName (ePPN)
• Usually a scoped version of the login name
   – my.name@ed.ac.uk
• This counts as personal information
• Privacy and legal concerns mean use as a last resort
• Can often be replaced by ePTI or ePE
19. Contacts
• UK federation: http://www.ukfederation.org.uk/
• Technical Recommendations for Participants:
   – http://tinyurl.com/ywm895
• Recommendations for use of personal data:
   – http://tinyurl.com/2fud6b
• Speaker: ian@iay.org.uk
• And you’ve been good this year, so...
20. ...all right, you can have a pony
photo © cc-by-2.0 by flickr user http://flickr.com/photos/jonmclean/