Shibboleth Development and Support Services SAML Protected Resources The theory and practice of granularity and management data Ed Dee EDINA


Page 1

Shibboleth Development and Support Services

SAML Protected Resources

The theory and practice of

granularity and

management data

Ed Dee

EDINA

Page 2

JIBS User Group 16 June 2010 2

EDINA

• Service provider

– Digimap, Film & Sound Online, etc…

• Identity provider

– Various

• Federated Access

– SDSS Federation

– UKAMF: Metadata Management & Tech. Support

Page 3

Where lies the guilt

Granularity and lack of management data from SAML protected resources (pie chart):

• Service providers: 50%

• Identity providers: 30%

• UK Access Management Federation: 10%

• User Community: 10%

Page 4

SAML

• Security Assertion Markup Language

• Standard for exchanging authentication and authorisation information

• Identity Provider

• Service Provider

Page 5

The Questions

Pussy cat, pussy cat, where have you been?
“I’ve been down to London to visit at the Queen.”
Pussy cat, pussy cat, what did you there?
“I frightened a little mouse under her chair.”

Page 6

Shibboleth flow diagram (diagram only on this slide)

Page 7

Technical stuff (diagram labels): Identity Provider, Service Provider, Resource, User, SAML Dialogue, Attribute Database, Authorisation Database, Federation Metadata (shown at both the IdP and the SP)

Page 8

SAML Dialogue

• Uninteresting (to us):

– Initiation/Termination

– Security

• Interesting (to us):

– Scope information: Institution/Service (‘who are you’)

– Attributes: user-specific information

Page 9

Q1: Pussy cat pussy cat where have you been?

• From the IdP:

– What resources are being used

– Who is using them

• Shibb 2.x IdPs only

– Not outsourced IdPs

– Not non-Shibb IdPs

– Not Shibb 1.3 IdPs (EOSL date 30 June 2010)

Page 10

Q1: Pussy cat pussy cat where have you been?

• Shibb 2 IdP audit log:

– Who (ePPN)

– When (time stamp)

– What (relying party id)

• https://spaces.internet2.edu/display/SHIB2/IdPLogging

(diagram labels: Federation Metadata, Attribute Database, Audit Log(s), Analysis Application, Access Reports)
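The slide's "who / when / what" is exactly what an analysis application has to pull out of the IdP audit log before it can produce access reports. The script below is an added example, not code from the slides, EDINA or the Shibboleth project: it parses the pipe-delimited Shibboleth 2 IdP audit log as this example understands that format from the IdPLogging page the slide cites, so the column positions are an assumption to check against your own idp-audit.log, and every log line is constructed. The report counts distinct users per service without listing them, which is usually all a usage report needs.

```python
"""Turn Shibboleth 2 IdP audit log lines into per-service access reports."""
from collections import defaultdict
from datetime import datetime

# Assumed column positions (0-based) in one audit log line.
COL_TIME = 0            # auditEventTime, e.g. 20100616T101500Z ("when")
COL_RELYING_PARTY = 3   # relyingPartyId, the SP entityID ("what")
COL_PRINCIPAL = 8       # principalName, the authenticated user ("who")
COL_ATTRIBUTES = 10     # comma-separated ids of the attributes released
MIN_COLUMNS = 11

# Constructed sample lines; entity IDs and users are made up.
SAMPLE_LOG = """\
20100616T101500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r1|https://digimap.example.ac.uk/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_s1|alice|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,eduPersonTargetedID,|_n1|_a1,|
20100616T103000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r2|https://digimap.example.ac.uk/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_s2|bob|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,eduPersonTargetedID,|_n2|_a2,|
20100616T110000Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r3|https://journals.example.org/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_s3|carol|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,eduPersonEntitlement,|_n3|_a3,|
20100617T091500Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_r4|https://digimap.example.ac.uk/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.example.ac.uk/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_s4|alice|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,eduPersonTargetedID,|_n4|_a4,|
this line is truncated and must be skipped
"""


def parse_audit_line(line):
    """Return {time, relying_party, principal, attributes} or None if malformed."""
    cols = line.rstrip("\n").split("|")
    if len(cols) < MIN_COLUMNS:
        return None
    try:
        when = datetime.strptime(cols[COL_TIME], "%Y%m%dT%H%M%SZ")
    except ValueError:
        return None
    attrs = [a for a in cols[COL_ATTRIBUTES].split(",") if a]
    return {
        "time": when,
        "relying_party": cols[COL_RELYING_PARTY],
        "principal": cols[COL_PRINCIPAL],
        "attributes": attrs,
    }


def access_report(log_text):
    """Per relying party: logins, distinct users, attributes released, first/last use.

    Distinct users are counted but not listed, so the report answers
    'how many' without becoming a per-person activity record."""
    per_sp = defaultdict(lambda: {"logins": 0, "users": set(), "attributes": set(),
                                  "first": None, "last": None})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_audit_line(line)
        if event is None:
            skipped += 1
            continue
        entry = per_sp[event["relying_party"]]
        entry["logins"] += 1
        entry["users"].add(event["principal"])
        entry["attributes"].update(event["attributes"])
        t = event["time"]
        if entry["first"] is None or t < entry["first"]:
            entry["first"] = t
        if entry["last"] is None or t > entry["last"]:
            entry["last"] = t
    services = {}
    for sp, e in per_sp.items():
        services[sp] = {
            "logins": e["logins"],
            "unique_users": len(e["users"]),
            "attributes_released": sorted(e["attributes"]),
            "first_use": e["first"].isoformat(),
            "last_use": e["last"].isoformat(),
        }
    return {"services": services, "skipped_lines": skipped}


if __name__ == "__main__":
    report = access_report(SAMPLE_LOG)
    for sp, stats in sorted(report["services"].items()):
        print(sp, stats)
    print("skipped lines:", report["skipped_lines"])
```

Malformed lines are counted rather than silently dropped, so a report whose `skipped_lines` is non-zero tells you the log format differs from the assumed layout before anyone relies on the figures. The `attributes_released` column also shows, per service, which attributes the IdP actually sent, which is the quickest way to confirm the "Reality" slide's claim for your own IdP.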

Page 11

Tools

• Project Raptor

– Software toolkit for reporting e-resource usage statistics

– Shibboleth 2 IdPs & EZproxy

– http://iam.cf.ac.uk/trac/RAPTOR

– JISC + Cardiff University + Kidderminster College

– V1.0 due Feb 2011

Page 12

Q2: Pussy cat pussy cat what did you there?

• Cannot come from IdP

• Must come from SP

– What does SP know about user?

(diagram labels: Service Provider, Resource, User, Identity Provider, Attribute Database, Attributes)

Page 13

Attributes: eduPerson Object Class

– Core: Targeted ID, Principal name, [Scoped] Affiliation, Entitlement

– Other: Nick name, Org [Unit] DN

http://middleware.internet2.edu/eduperson/docs/internet2-mace-dir-eduperson-200604.html

Page 14

Granularity: Core Attributes

– [Scoped] Affiliation: Scope + Member | {Staff | Student | Employee | Affiliate | Alum | library-walk-in}

– Entitlement: service- and user-specific conditions

• urn:mace:dir:entitlement:common-lib-terms

Page 15

On Passing Attributes

Photo: Library of Virginia / Flickr

Page 16

EDINA Digimap

– [Scoped] Affiliation

– Targeted ID

– Principal Name

– Title

– Givenname

– Sn [surname]

– O [organisation]

– Ou [organisational unit]

– Mail

http://www.ukfederation.org.uk/content/Documents/AttributeUsage

Page 17

Reality (diagram labels: Identity Provider, Service Provider, Attribute Release Policy)

Page 18

Reality

• Most IdPs give out only:

– [Scoped] Affiliation: organisational affiliation (ePSA)

• SP cannot determine department etc.

• ePSA often just [email protected]

– Targeted ID: service-specific, opaque ID (ePTI)

• SP cannot determine user

• SP cannot correlate usage between services

• Many IdPs cannot handle entitlement
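To make the "Granularity" and "Reality" slides concrete, here is an added example (not code from the slides, EDINA or the Shibboleth SP) of what an SP can decide and report from the attributes it actually receives. It uses the eduPerson affiliation vocabulary and the common-lib-terms entitlement named on the slides; the IdP entityID, its registered scope, the licence rule and the three sample attribute sets are constructed. It also performs the one check the "Scope information" slide implies: a scoped value is only accepted when its scope is one that federation metadata registers for the asserting IdP.

```python
"""What an SP can authorise and report from the attributes it actually receives."""

# Affiliation values from the "Granularity: Core Attributes" slide.
AFFILIATIONS = {"member", "staff", "student", "employee", "affiliate", "alum", "library-walk-in"}
# More specific roles first; "member" only says "belongs to the organisation".
ROLE_PRIORITY = ["staff", "employee", "student", "affiliate", "alum", "library-walk-in", "member"]
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"
# Constructed licence rule: these affiliations are covered even without an entitlement.
LICENSED_AFFILIATIONS = {"member", "staff", "student", "employee"}
# Constructed stand-in for the scopes federation metadata registers per IdP.
IDP_SCOPES = {"https://idp.example.ac.uk/idp/shibboleth": {"example.ac.uk"}}


def parse_scoped_affiliation(value):
    """'staff@example.ac.uk' -> ('staff', 'example.ac.uk'); None if malformed or unknown."""
    if value.count("@") != 1:
        return None
    affiliation, scope = value.lower().split("@")
    if affiliation not in AFFILIATIONS or not scope:
        return None
    return affiliation, scope


def evaluate(idp_entity_id, attrs):
    """Summarise one validated assertion's attributes from the SP's point of view.

    attrs maps attribute name -> list of values."""
    allowed_scopes = IDP_SCOPES.get(idp_entity_id, set())
    accepted, rejected = [], []
    for value in attrs.get("eduPersonScopedAffiliation", []):
        parsed = parse_scoped_affiliation(value)
        # The scope must be registered for the asserting IdP; otherwise one IdP
        # could assert membership of a different institution.
        if parsed is None or parsed[1] not in allowed_scopes:
            rejected.append(value)
        else:
            accepted.append(parsed)
    roles = {affiliation for affiliation, _ in accepted}
    status = next((r for r in ROLE_PRIORITY if r in roles), None)
    has_entitlement = COMMON_LIB_TERMS in attrs.get("eduPersonEntitlement", [])
    return {
        "authorised": has_entitlement or bool(roles & LICENSED_AFFILIATIONS),
        "organisation": accepted[0][1] if accepted else None,
        "status": status,
        # Department is only known if the IdP released an organisational unit.
        "department": (attrs.get("ou") or [None])[0],
        # A principal name identifies the person; a targeted ID does not.
        "user_identifiable": bool(attrs.get("eduPersonPrincipalName")),
        "rejected_values": rejected,
    }


# Constructed attribute sets.
IDP = "https://idp.example.ac.uk/idp/shibboleth"
TYPICAL_RELEASE = {  # what the "Reality" slide says most IdPs send
    "eduPersonScopedAffiliation": ["member@example.ac.uk"],
    "eduPersonTargetedID": ["opaque-targeted-id-for-this-sp"],
}
FULLER_RELEASE = {  # closer to what the Digimap slide asks for
    "eduPersonScopedAffiliation": ["staff@example.ac.uk", "member@example.ac.uk"],
    "eduPersonPrincipalName": ["jbloggs@example.ac.uk"],
    "ou": ["School of GeoSciences"],
    "eduPersonEntitlement": [COMMON_LIB_TERMS],
}
WRONG_SCOPE = {  # a value whose scope does not belong to this IdP
    "eduPersonScopedAffiliation": ["staff@other.ac.uk"],
}

if __name__ == "__main__":
    for name, attrs in [("typical", TYPICAL_RELEASE), ("fuller", FULLER_RELEASE), ("wrong scope", WRONG_SCOPE)]:
        print(name, evaluate(IDP, attrs))
```

With the typical release the user is authorised, but status comes back as bare "member" and department as unknown, which is the granularity gap the slide describes; with the fuller release the same function yields role, department and an identifiable user. The scope check is what keeps the affiliation trustworthy: the Shibboleth SP does the equivalent against the shibmd:Scope entries in metadata, and an SP that skipped it would be accepting any institution name an IdP chose to write.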

Page 19

“No one really asks us much for ARP changes” (IdP administrator)

Page 20

Why?

• IdPs

– Fear of Data Protection legislation

– No inclination; No capabilities

– No SPs ask for it

• SPs

– Not available from IdPs

– No use for data

Page 21

Stable Deadlock

Too hard to ask, so SPs don’t

IdPs get no requests, think all is well

Page 22

What Do SPs Do

• Personalisation

– Registration system

– Registration database

• Usage Statistics

– Merge logs and registration details

• EDINA Digimap

– Users / Status / Department
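The "merge logs and registration details" step is where an SP that only receives an opaque targeted ID recovers Users / Status / Department figures. Below is an added example of that join, not EDINA's or Digimap's code: the access log is keyed by the targeted ID the SP received, the registration table holds what each user typed when registering, and both data sets, the field names and the suppression threshold are constructed.

```python
"""Merge SP access records with self-registered details into usage statistics."""
from collections import Counter

# Constructed access log: (targeted id as seen by this SP, product used).
ACCESS_LOG = [
    ("tid-001", "map"), ("tid-001", "download"), ("tid-002", "map"),
    ("tid-003", "map"), ("tid-001", "map"), ("tid-004", "download"),
]
# Constructed registration database, keyed by the same targeted id.
REGISTRATIONS = {
    "tid-001": {"status": "staff", "department": "GeoSciences"},
    "tid-002": {"status": "student", "department": "GeoSciences"},
    "tid-004": {"status": "student", "department": "Informatics"},
    # tid-003 never registered: the opaque id alone says nothing about the person.
}


def usage_by(log, registrations, field):
    """Distinct users and sessions per value of `field` (e.g. status, department).

    Users with no registration record are reported under 'unregistered' rather
    than dropped, so the totals still reconcile with the raw log."""
    sessions = Counter()
    users = {}
    for targeted_id, _product in log:
        key = registrations.get(targeted_id, {}).get(field, "unregistered")
        sessions[key] += 1
        users.setdefault(key, set()).add(targeted_id)
    return {k: {"users": len(users[k]), "sessions": sessions[k]} for k in sessions}


def suppress_small_groups(report, minimum_users=3):
    """Fold groups with fewer than `minimum_users` into 'other', so a department
    with a single registered user cannot be read as that person's activity."""
    folded = {}
    other = {"users": 0, "sessions": 0}
    for key, counts in report.items():
        if counts["users"] < minimum_users:
            other["users"] += counts["users"]
            other["sessions"] += counts["sessions"]
        else:
            folded[key] = counts
    if other["users"]:
        folded["other"] = other
    return folded


if __name__ == "__main__":
    for field in ("status", "department"):
        print(field, suppress_small_groups(usage_by(ACCESS_LOG, REGISTRATIONS, field), 2))
```

Because the join key is the service-specific targeted ID, the same report cannot be lined up with another service's logs, which is the "cannot correlate usage between services" limit from the "Reality" slide; the small-group suppression is the matching safeguard on the SP's own side, since a department or status with one user is effectively a named individual.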

Page 23

Attribute Release Progression (diagram): Basic Attributes → Extended Attributes → Personal Attributes

Page 24

Towards agreement

• Forums

– Small scale

– Application-area specific

– Agree what is desirable

– Agree what is possible

– Experiment, agree, deploy, not theorise:

• No Top-down Dictate

Page 25

NESLi2

• JISC Statistics Portal

– Cranfield, Birmingham City University, MIMAS

– Database/Journal/article level reporting

– Oct 2009 – Dec 2010

– "one-stop shop"

could go to view and download their own usage reports from NESLi2 publishers

– http://www.jusp.mimas.ac.uk/

Page 26

Granularity & Management Data

• Technical capabilities exist

• “Natural restful inertia” - problem large

– UKAMF: 800+ members

• 440+ SPs

• 630+ IdPs

• User Driven

• Tackle from the bottom up