SlideShare a Scribd company logo

20041117: SDSS Project Summary

iay
iay

17th November 2004, London

TechnologyEducation
1 of 21
Download to read offline
SDSS Project Summary Ian A. Young, EDINA ian@iay.org.uk 17th November 2004 17-Nov-2004
SDSS Project Shibboleth Development and Support  Services Goal is to provide a basic national  infrastructure for use by other projects – Operate a development Shibboleth federation – Provide Shibboleth access to EDINA services – General support – Technology watch 17-Nov-2004 2
Federation Defined A grouping of identity providers and  service providers following defined rules. More a social construct than a technical  one. Components:  – Participant agreement → trust – Federation signup → metadata service – WAYF service (optional) 17-Nov-2004 3
SDSS Federation Overview Not like InQueue:  – Takes all comers, no guarantees of any kind Not full production:  – Requires defined level of service guarantees – May require stronger participant guarantees – Administration scalable to all UK institutions SDSS is somewhere in between:  – Sufficient trust to support delivery of licensed services – Few entry hurdles for development projects 17-Nov-2004 4
SDSS Federation Policy Agreement:  – Best practices – Best efforts – Privacy protection X.509 Certificates  – GlobalSign certificates required – Temporary SDSS CA certificates available 17-Nov-2004 5
SDSS Federation Policy V1.0 All members of the federation must:  – Observe best practice in the handling and use of your digital certificates and private keys All identity providers (origins) must:  – Make reasonable attempts to ensure that only members of your institution are provided with credentials permitting authentication to your handle server, and that the assertions made to service providers by your attribute authority are correct. All service providers (targets) must:  – Agree not to aggregate, or disclose to other parties, attributes supplied by identity providers. 17-Nov-2004 X
SDSS Federation Membership Identity providers: 5  – SDSS tests: 3 – Other projects: 2 – Institutional: 1 Service providers: 11  – SDSS tests: 4 – Other projects: 1 – Pending EDINA services: 4 – Live EDINA services: 2 17-Nov-2004 6
Biosis Login Page
Biosis Search Result
eduPersonScopedAffiliation MACE-Dir eduPerson attribute  Example: member@ed.ac.uk  Gives subject’s relationship to a security  domain Semantics: member of institution  Many resources licensed on these terms  Definition a little vague; working with  MACE-Dir on this. 17-Nov-2004 9
eduPersonEntitlement MACE-Dir eduPerson attribute  Examples:  – urn:mace:ac.uk:sdss.ac.uk:entitlement:resource – http://provider.co.uk/resource/contract.html Claims subject’s entitlement to a particular  resource Service provider must trust identity  provider to issue any particular entitlement Good fine grained fall-back approach.  17-Nov-2004 X
Update Login Page
Update Search Results
Update Saved Searches
eduPersonTargetedID MACE-Dir eduPerson attribute  Example: sObw8cK7JJ6qqwj2v9O1tpidV4U=@ed.ac.uk  
 
 
 

 
 
  

 
 
 

 
 
 Value is an opaque string  Allows personalisation and saved state  without compromising privacy Issues about stored vs. generated forms.  17-Nov-2004 13
SDSS Federation Collateral Web site: http://sdss.ac.uk/  – Policies and procedures – Installation documentation – Registries: • URN registry • OID registry – Wiki (living documentation) – Metadata service – Root and signing certificates 17-Nov-2004 14
To-do List More external providers  More EDINA services  Convert to final certificates  Continue to improve documentation and  packaging Encapsulate experience with authorisation:  – Suggested service attribute requirements – Suggested attribute release policies Collate service information  17-Nov-2004 15
EDINA Contacts Talk: ian@iay.org.uk  Project: http://sdss.ac.uk/  – Project manager: sandy.shaw@ed.ac.uk – Technical: ian@iay.org.uk – Technical: Fiona.Culloch@btinternet.com 17-Nov-2004 16
Scoped Attributes This is a MACE-Dir concept, embodied in the  eduPerson specification. Scoped attributes have two parts:  – Scope = security domain – Value relative to that scope Example: member@ed.ac.uk  A principal may have multiple attribute values:  – within the same scope – in different scopes. Definitely not the answer to all questions of  attribute scoping; work continues. 17-Nov-2004 X
Scoped Attributes in Shibboleth Shibboleth 1.1 uses an informal attribute profile.  Scoped Attributes assert a value within a security domain.  In the directory, they are just a DirectoryString.  Scoped attributes have XML structure in this profile.  “Scope” XML attribute expresses security domain.  <Attribute  AttributeName=quot;urn:mace:dir:attribute-def:eduPersonPrincipalNamequot; AttributeNamespace=quot;urn:mace:shibboleth:1.0:attributeNamespace:uriquot;> <AttributeValue Scope=quot;iay.org.ukquot;>iay</AttributeValue> </Attribute> Shibboleth filters such assertions using federation metadata.  17-Nov-2004 X
SAML 2 LDAP Attribute Profile SAML 2.0 adds a standardised profile for  encoding all X.500/LDAP attributes. Switch to standardised profile essential for  interoperability. <Attribute  NameFormat=quot;urn:oasis:names:tc:SAML:2.0:attrname-format:uriquot; Name=quot;urn:oid:1.3.6.1.4.1.5923.1.1.1.6quot;> <AttributeValue>iay@iay.org.uk</AttributeValue> </Attribute> No XML structure in encoding of these attributes  in this profile. Shibboleth will still filter according to federation  metadata. 17-Nov-2004 X

Recommended

Exploiting Linked (Open) Data via Microsoft Access using ODBC File DSNs
Exploiting Linked (Open) Data via Microsoft Access using ODBC File DSNsExploiting Linked (Open) Data via Microsoft Access using ODBC File DSNs
Exploiting Linked (Open) Data via Microsoft Access using ODBC File DSNsKingsley Uyi Idehen
 
Exploiting Linked Data via Filemaker
Exploiting Linked Data via FilemakerExploiting Linked Data via Filemaker
Exploiting Linked Data via FilemakerKingsley Uyi Idehen
 
Exploiting Linked (Open) Data via Microsoft Access
Exploiting Linked (Open) Data via Microsoft AccessExploiting Linked (Open) Data via Microsoft Access
Exploiting Linked (Open) Data via Microsoft AccessKingsley Uyi Idehen
 
Identity-centric interoperability with the Ceramic Protocol
Identity-centric interoperability with the Ceramic ProtocolIdentity-centric interoperability with the Ceramic Protocol
Identity-centric interoperability with the Ceramic ProtocolSSIMeetup
 
Using SAP Crystal Reports as a Linked (Open) Data Front-End via ODBC
Using SAP Crystal Reports as a Linked (Open) Data Front-End via ODBCUsing SAP Crystal Reports as a Linked (Open) Data Front-End via ODBC
Using SAP Crystal Reports as a Linked (Open) Data Front-End via ODBCKingsley Uyi Idehen
 
Accessing the Linked Open Data Cloud via ODBC
Accessing the Linked Open Data Cloud via ODBCAccessing the Linked Open Data Cloud via ODBC
Accessing the Linked Open Data Cloud via ODBCKingsley Uyi Idehen
 
Virtuoso ODBC Driver Configuration & Usage (Windows)
Virtuoso ODBC Driver Configuration & Usage (Windows)Virtuoso ODBC Driver Configuration & Usage (Windows)
Virtuoso ODBC Driver Configuration & Usage (Windows)Kingsley Uyi Idehen
 
Decentralized Identifiers
Decentralized IdentifiersDecentralized Identifiers
Decentralized IdentifiersMarkus Sabadello
 

Recommended

Exploiting Linked (Open) Data via Microsoft Access using ODBC File DSNs
Exploiting Linked (Open) Data via Microsoft Access using ODBC File DSNsExploiting Linked (Open) Data via Microsoft Access using ODBC File DSNs
Exploiting Linked (Open) Data via Microsoft Access using ODBC File DSNsKingsley Uyi Idehen
 
Exploiting Linked Data via Filemaker
Exploiting Linked Data via FilemakerExploiting Linked Data via Filemaker
Exploiting Linked Data via FilemakerKingsley Uyi Idehen
 
Exploiting Linked (Open) Data via Microsoft Access
Exploiting Linked (Open) Data via Microsoft AccessExploiting Linked (Open) Data via Microsoft Access
Exploiting Linked (Open) Data via Microsoft AccessKingsley Uyi Idehen
 
Identity-centric interoperability with the Ceramic Protocol
Identity-centric interoperability with the Ceramic ProtocolIdentity-centric interoperability with the Ceramic Protocol
Identity-centric interoperability with the Ceramic ProtocolSSIMeetup
 
Using SAP Crystal Reports as a Linked (Open) Data Front-End via ODBC
Using SAP Crystal Reports as a Linked (Open) Data Front-End via ODBCUsing SAP Crystal Reports as a Linked (Open) Data Front-End via ODBC
Using SAP Crystal Reports as a Linked (Open) Data Front-End via ODBCKingsley Uyi Idehen
 
Accessing the Linked Open Data Cloud via ODBC
Accessing the Linked Open Data Cloud via ODBCAccessing the Linked Open Data Cloud via ODBC
Accessing the Linked Open Data Cloud via ODBCKingsley Uyi Idehen
 
Virtuoso ODBC Driver Configuration & Usage (Windows)
Virtuoso ODBC Driver Configuration & Usage (Windows)Virtuoso ODBC Driver Configuration & Usage (Windows)
Virtuoso ODBC Driver Configuration & Usage (Windows)Kingsley Uyi Idehen
 
Decentralized Identifiers
Decentralized IdentifiersDecentralized Identifiers
Decentralized IdentifiersMarkus Sabadello
 
Had Iraq won the war.......
Had Iraq won the war.......Had Iraq won the war.......
Had Iraq won the war.......mariasinha81
 
PražSké PovstáNí Pps
PražSké PovstáNí PpsPražSké PovstáNí Pps
PražSké PovstáNí Ppsguest039948
 
Logistics Management
Logistics Management Logistics Management
Logistics Management mariasinha81
 
PražSké PovstáNí 2
PražSké PovstáNí 2PražSké PovstáNí 2
PražSké PovstáNí 2guest039948
 
Managers are Managers
Managers are ManagersManagers are Managers
Managers are Managersmariasinha81
 
Esercizio Visual Basic
Esercizio Visual BasicEsercizio Visual Basic
Esercizio Visual Basicvane1989
 
20070404: UK federation and Shibboleth: Nuts And Bolts
20070404: UK federation and Shibboleth: Nuts And Bolts20070404: UK federation and Shibboleth: Nuts And Bolts
20070404: UK federation and Shibboleth: Nuts And Boltsiay
 
Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxfordguestd9aa5
 
Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxfordguru122
 
20071214: An Identity Provider's Guide to the Core Attributes
20071214: An Identity Provider's Guide to the Core Attributes20071214: An Identity Provider's Guide to the Core Attributes
20071214: An Identity Provider's Guide to the Core Attributesiay
 
Linked Data Tutorial
Linked Data TutorialLinked Data Tutorial
Linked Data TutorialMichael Hausenblas
 
20180605 sso with apex and adfs the weblogic way
20180605 sso with apex and adfs the weblogic way20180605 sso with apex and adfs the weblogic way
20180605 sso with apex and adfs the weblogic waymakker_nl
 
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610Cisco DevNet
 
X Aware Ajax World V1
X Aware Ajax World V1X Aware Ajax World V1
X Aware Ajax World V1rajivmordani
 
Nuxeo JavaOne 2007
Nuxeo JavaOne 2007Nuxeo JavaOne 2007
Nuxeo JavaOne 2007Stefane Fermigier
 
Demystify LDAP and OIDC Providing Security to Your App on Kubernetes
Demystify LDAP and OIDC Providing Security to Your App on KubernetesDemystify LDAP and OIDC Providing Security to Your App on Kubernetes
Demystify LDAP and OIDC Providing Security to Your App on KubernetesVMware Tanzu
 
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document Store
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document StoreConnector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document Store
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document StoreFilipe Silva
 
Sim-webcast-part1-1aa
Sim-webcast-part1-1aaSim-webcast-part1-1aa
Sim-webcast-part1-1aaOracleIDM
 
Domain Specific Languages for Parallel Graph AnalytiX (PGX)
Domain Specific Languages for Parallel Graph AnalytiX (PGX)Domain Specific Languages for Parallel Graph AnalytiX (PGX)
Domain Specific Languages for Parallel Graph AnalytiX (PGX)Eelco Visser
 
Elastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ CiscoElastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ CiscoElasticsearch
 
20171104 hk-py con-mysql-documentstore_v1
20171104 hk-py con-mysql-documentstore_v120171104 hk-py con-mysql-documentstore_v1
20171104 hk-py con-mysql-documentstore_v1Ivan Ma
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Arnaud Le Hors
 

More Related Content

Viewers also liked

Had Iraq won the war.......
Had Iraq won the war.......Had Iraq won the war.......
Had Iraq won the war.......mariasinha81
 
PražSké PovstáNí Pps
PražSké PovstáNí PpsPražSké PovstáNí Pps
PražSké PovstáNí Ppsguest039948
 
Logistics Management
Logistics Management Logistics Management
Logistics Management mariasinha81
 
PražSké PovstáNí 2
PražSké PovstáNí 2PražSké PovstáNí 2
PražSké PovstáNí 2guest039948
 
Managers are Managers
Managers are ManagersManagers are Managers
Managers are Managersmariasinha81
 
Esercizio Visual Basic
Esercizio Visual BasicEsercizio Visual Basic
Esercizio Visual Basicvane1989
 
20070404: UK federation and Shibboleth: Nuts And Bolts
20070404: UK federation and Shibboleth: Nuts And Bolts20070404: UK federation and Shibboleth: Nuts And Bolts
20070404: UK federation and Shibboleth: Nuts And Boltsiay
 

Viewers also liked (7)

Had Iraq won the war.......
Had Iraq won the war.......Had Iraq won the war.......
Had Iraq won the war.......
 
PražSké PovstáNí Pps
PražSké PovstáNí PpsPražSké PovstáNí Pps
PražSké PovstáNí Pps
 
Logistics Management
Logistics Management Logistics Management
Logistics Management
 
PražSké PovstáNí 2
PražSké PovstáNí 2PražSké PovstáNí 2
PražSké PovstáNí 2
 
Managers are Managers
Managers are ManagersManagers are Managers
Managers are Managers
 
Esercizio Visual Basic
Esercizio Visual BasicEsercizio Visual Basic
Esercizio Visual Basic
 
20070404: UK federation and Shibboleth: Nuts And Bolts
20070404: UK federation and Shibboleth: Nuts And Bolts20070404: UK federation and Shibboleth: Nuts And Bolts
20070404: UK federation and Shibboleth: Nuts And Bolts
 

Similar to 20041117: SDSS Project Summary

Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxfordguestd9aa5
 
Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxfordguru122
 
20071214: An Identity Provider's Guide to the Core Attributes
20071214: An Identity Provider's Guide to the Core Attributes20071214: An Identity Provider's Guide to the Core Attributes
20071214: An Identity Provider's Guide to the Core Attributesiay
 
20180605 sso with apex and adfs the weblogic way
20180605 sso with apex and adfs the weblogic way20180605 sso with apex and adfs the weblogic way
20180605 sso with apex and adfs the weblogic waymakker_nl
 
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610Cisco DevNet
 
X Aware Ajax World V1
X Aware Ajax World V1X Aware Ajax World V1
X Aware Ajax World V1rajivmordani
 
Demystify LDAP and OIDC Providing Security to Your App on Kubernetes
Demystify LDAP and OIDC Providing Security to Your App on KubernetesDemystify LDAP and OIDC Providing Security to Your App on Kubernetes
Demystify LDAP and OIDC Providing Security to Your App on KubernetesVMware Tanzu
 
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document Store
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document StoreConnector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document Store
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document StoreFilipe Silva
 
Sim-webcast-part1-1aa
Sim-webcast-part1-1aaSim-webcast-part1-1aa
Sim-webcast-part1-1aaOracleIDM
 
Domain Specific Languages for Parallel Graph AnalytiX (PGX)
Domain Specific Languages for Parallel Graph AnalytiX (PGX)Domain Specific Languages for Parallel Graph AnalytiX (PGX)
Domain Specific Languages for Parallel Graph AnalytiX (PGX)Eelco Visser
 
Elastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ CiscoElastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ CiscoElasticsearch
 
20171104 hk-py con-mysql-documentstore_v1
20171104 hk-py con-mysql-documentstore_v120171104 hk-py con-mysql-documentstore_v1
20171104 hk-py con-mysql-documentstore_v1Ivan Ma
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Arnaud Le Hors
 
Enterprise class apex
Enterprise class apexEnterprise class apex
Enterprise class apexEnkitec
 
Configure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdf
Configure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdfConfigure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdf
Configure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdfddghh
 
The Data Web and PLM
The Data Web and PLMThe Data Web and PLM
The Data Web and PLMKoneksys
 
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfCNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfLibbySchulze
 

Similar to 20041117: SDSS Project Summary (20)

Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxford
 
Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxford
 
20071214: An Identity Provider's Guide to the Core Attributes
20071214: An Identity Provider's Guide to the Core Attributes20071214: An Identity Provider's Guide to the Core Attributes
20071214: An Identity Provider's Guide to the Core Attributes
 
Linked Data Tutorial
Linked Data TutorialLinked Data Tutorial
Linked Data Tutorial
 
20180605 sso with apex and adfs the weblogic way
20180605 sso with apex and adfs the weblogic way20180605 sso with apex and adfs the weblogic way
20180605 sso with apex and adfs the weblogic way
 
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
 
X Aware Ajax World V1
X Aware Ajax World V1X Aware Ajax World V1
X Aware Ajax World V1
 
Nuxeo JavaOne 2007
Nuxeo JavaOne 2007Nuxeo JavaOne 2007
Nuxeo JavaOne 2007
 
Demystify LDAP and OIDC Providing Security to Your App on Kubernetes
Demystify LDAP and OIDC Providing Security to Your App on KubernetesDemystify LDAP and OIDC Providing Security to Your App on Kubernetes
Demystify LDAP and OIDC Providing Security to Your App on Kubernetes
 
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document Store
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document StoreConnector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document Store
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document Store
 
Sim-webcast-part1-1aa
Sim-webcast-part1-1aaSim-webcast-part1-1aa
Sim-webcast-part1-1aa
 
Domain Specific Languages for Parallel Graph AnalytiX (PGX)
Domain Specific Languages for Parallel Graph AnalytiX (PGX)Domain Specific Languages for Parallel Graph AnalytiX (PGX)
Domain Specific Languages for Parallel Graph AnalytiX (PGX)
 
Elastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ CiscoElastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ Cisco
 
20171104 hk-py con-mysql-documentstore_v1
20171104 hk-py con-mysql-documentstore_v120171104 hk-py con-mysql-documentstore_v1
20171104 hk-py con-mysql-documentstore_v1
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
 
Enterprise class apex
Enterprise class apexEnterprise class apex
Enterprise class apex
 
Configure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdf
Configure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdfConfigure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdf
Configure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdf
 
The Data Web and PLM
The Data Web and PLMThe Data Web and PLM
The Data Web and PLM
 
Velociraptor - SANS Summit 2019
Velociraptor - SANS Summit 2019Velociraptor - SANS Summit 2019
Velociraptor - SANS Summit 2019
 
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfCNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
 

Recently uploaded

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Recently uploaded (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

20041117: SDSS Project Summary

  • 1. SDSS Project Summary Ian A. Young, EDINA ian@iay.org.uk 17th November 2004 17-Nov-2004
  • 2. SDSS Project Shibboleth Development and Support  Services Goal is to provide a basic national  infrastructure for use by other projects – Operate a development Shibboleth federation – Provide Shibboleth access to EDINA services – General support – Technology watch 17-Nov-2004 2
  • 3. Federation Defined A grouping of identity providers and  service providers following defined rules. More a social construct than a technical  one. Components:  – Participant agreement → trust – Federation signup → metadata service – WAYF service (optional) 17-Nov-2004 3
  • 4. SDSS Federation Overview Not like InQueue:  – Takes all comers, no guarantees of any kind Not full production:  – Requires defined level of service guarantees – May require stronger participant guarantees – Administration scalable to all UK institutions SDSS is somewhere in between:  – Sufficient trust to support delivery of licensed services – Few entry hurdles for development projects 17-Nov-2004 4
  • 5. SDSS Federation Policy Agreement:  – Best practices – Best efforts – Privacy protection X.509 Certificates  – GlobalSign certificates required – Temporary SDSS CA certificates available 17-Nov-2004 5
  • 6. SDSS Federation Policy V1.0 All members of the federation must:  – Observe best practice in the handling and use of your digital certificates and private keys All identity providers (origins) must:  – Make reasonable attempts to ensure that only members of your institution are provided with credentials permitting authentication to your handle server, and that the assertions made to service providers by your attribute authority are correct. All service providers (targets) must:  – Agree not to aggregate, or disclose to other parties, attributes supplied by identity providers. 17-Nov-2004 X
  • 7. SDSS Federation Membership Identity providers: 5  – SDSS tests: 3 – Other projects: 2 – Institutional: 1 Service providers: 11  – SDSS tests: 4 – Other projects: 1 – Pending EDINA services: 4 – Live EDINA services: 2 17-Nov-2004 6
  • 10. eduPersonScopedAffiliation MACE-Dir eduPerson attribute  Example: member@ed.ac.uk  Gives subject’s relationship to a security  domain Semantics: member of institution  Many resources licensed on these terms  Definition a little vague; working with  MACE-Dir on this. 17-Nov-2004 9
  • 11. eduPersonEntitlement MACE-Dir eduPerson attribute  Examples:  – urn:mace:ac.uk:sdss.ac.uk:entitlement:resource – http://provider.co.uk/resource/contract.html Claims subject’s entitlement to a particular  resource Service provider must trust identity  provider to issue any particular entitlement Good fine grained fall-back approach.  17-Nov-2004 X
  • 15. eduPersonTargetedID MACE-Dir eduPerson attribute  Example: sObw8cK7JJ6qqwj2v9O1tpidV4U=@ed.ac.uk  
 
 
 

 
 
  

 
 
 

 
 
 Value is an opaque string  Allows personalisation and saved state  without compromising privacy Issues about stored vs. generated forms.  17-Nov-2004 13
  • 16. SDSS Federation Collateral Web site: http://sdss.ac.uk/  – Policies and procedures – Installation documentation – Registries: • URN registry • OID registry – Wiki (living documentation) – Metadata service – Root and signing certificates 17-Nov-2004 14
  • 17. To-do List More external providers  More EDINA services  Convert to final certificates  Continue to improve documentation and  packaging Encapsulate experience with authorisation:  – Suggested service attribute requirements – Suggested attribute release policies Collate service information  17-Nov-2004 15
  • 18. EDINA Contacts Talk: ian@iay.org.uk  Project: http://sdss.ac.uk/  – Project manager: sandy.shaw@ed.ac.uk – Technical: ian@iay.org.uk – Technical: Fiona.Culloch@btinternet.com 17-Nov-2004 16
  • 19. Scoped Attributes This is a MACE-Dir concept, embodied in the  eduPerson specification. Scoped attributes have two parts:  – Scope = security domain – Value relative to that scope Example: member@ed.ac.uk  A principal may have multiple attribute values:  – within the same scope – in different scopes. Definitely not the answer to all questions of  attribute scoping; work continues. 17-Nov-2004 X
  • 20. Scoped Attributes in Shibboleth Shibboleth 1.1 uses an informal attribute profile.  Scoped Attributes assert a value within a security domain.  In the directory, they are just a DirectoryString.  Scoped attributes have XML structure in this profile.  “Scope” XML attribute expresses security domain.  <Attribute  AttributeName=quot;urn:mace:dir:attribute-def:eduPersonPrincipalNamequot; AttributeNamespace=quot;urn:mace:shibboleth:1.0:attributeNamespace:uriquot;> <AttributeValue Scope=quot;iay.org.ukquot;>iay</AttributeValue> </Attribute> Shibboleth filters such assertions using federation metadata.  17-Nov-2004 X
  • 21. SAML 2 LDAP Attribute Profile SAML 2.0 adds a standardised profile for  encoding all X.500/LDAP attributes. Switch to standardised profile essential for  interoperability. <Attribute  NameFormat=quot;urn:oasis:names:tc:SAML:2.0:attrname-format:uriquot; Name=quot;urn:oid:1.3.6.1.4.1.5923.1.1.1.6quot;> <AttributeValue>iay@iay.org.uk</AttributeValue> </Attribute> No XML structure in encoding of these attributes  in this profile. Shibboleth will still filter according to federation  metadata. 17-Nov-2004 X