Federated Identity & Access Mgmt for Higher Education

Transcription

1 Federated Identity & Access Mgmt for Higher Education Dr. Erik Vullings Program Manager Macquarie University s s E-Learning E Centre of Excellence (MELCOE) Erik.Vullings@melcoe.mq.edu.au 1/23/2006 1

2 Backing Australia s s Ability DEST founded ARIIC to guide: Australian Digital Thesis (ADT) Australian Partnership for Sustainable Repositories (APSR) Australian Research Repositories Online to the World (ARROW) Meta Access Management System (MAMS) Financed by DEST till the end of 2006 ($4.2 million) FRODO (Federated Repositories of Digital Objects) 1/23/2006 2

3 Access Control Legacy plug-ins Provisioning Federated search Federated Identity Mgmt Single Sign-On Digital Identity Mgmt 1/23/2006 3

4 Identity Provider Manages and asserts (to trusted SPs) user s attributes securely and accurately. Federation Manager Manages trust between Manages parties. trust between Auditing. parties. Auditing? User Belongs to an organisation which manages their identity (personal attributes) Has privacy concerns. Service Provider Provides services to internal and external users via the web. Want to focus on core business & avoid risks of managing users confidential info. 1/23/2006 4

5 Requirements Gathering 1. Single Sign-On (authn( strength) 2. Repository Access & DRM 3. Federations (search) & policies 4. Virtual organizations Attribute management 57 Temporary voting results among 148 persons from the IT, E-Learning, and Library communities. Grid/HPC to be done. 1/23/2006 5

6 Deliverables 1. Single Sign-On (authn( strength) Launch of Shib-based based Federation in AU (400k users) Easy-install CD Mini-grant projects 2. Repository Access & DRM 3. Federations (search) & policies 4. Virtual organizations 5. Attribute management 1/23/2006 6

7 Shibboleth-based based Federation 1/23/2006 7

8 Easy Install CD One stop shop for deploying an IdP Simplifies installation of complex components Customised version of Knoppix Contains preinstalled: Debian Linux, Apache, Tomcat, Java infrastructure Shibboleth 1.3c IdP WebShARPE Installation scripts Federation registration 1/23/2006 8

9 Deliverables 1. Single Sign-On (authn( strength) 2. Repository Access & DRM Shibbolized DSpace, Zope/Plone,, Fedora Fine-grained Access Control with XACML 3. Federations (search) & policies 4. Virtual organizations 5. Attribute management 1/23/2006 9

10 Federated Repositories: DSpace 1/23/

11 Fun with XACML Request JOE wants to EDIT the POLICY PLAN Policy Enforcement Point (PEP) Create XACML request Respond with Permit/deny/obligation Retrieve Policies Retrieve Information Policy Access Point (PAP) Policy Decision Point (PDP) Policy Information Point (PIP) 1/23/

12 Access Control with XACML Policy Set Policy Comb. Alg. Target Subject JOE wants to Action EDIT the POLICY Resource Any Policy Plan Condition Staff member Policy Rule Comb. Alg. Rule I accept the copyrights Obligation Show copyrights If any Effect Permit 1/23/

13 Federated Repositories: Fedora 1 1/23/

14 Federated Repositories: Fedora 2 1/23/

15 Deliverables 1. Single Sign-On (authn( strength) 2. Repository Access & DRM 3. Federations (search) & policies 3-levelled federation: test, technically sound, legally sound Authenticated Federated Search for Shibbolized repositories Makes use of SP description files: defines SP s s services, service levels and required attribute names & values Fed2Fed interaction via Claim Transformation Service 4. Virtual organizations 5. Attribute management 1/23/

16 Authenticated Federated Search 1 1/23/

17 Authenticated Federated Search 2 1/23/

18 AFS Preliminary Architecture Directory IdP SAML assertions SP Registry <<SP>> AFS XACML policy store SRU/SRW Opaque UID1 Adaptor Retrieve i/f Shibboleth <<SP>> Repository 1 Redirect to Repository via IdP with opaque UID1 Query: Google/DC Client Browser DC metadata Adaptor Shibboleth <<SP>> Repository 2 1/23/

19 Fed2Fed SSO 1 IdP IdP Federation A (Fa) SP 2 7 User from Federation B SP IdP WAYF 3 CTS: Claim Transformation Service WAYF: Where Are You From IdP: Identity Provider SP: Service Provider CTS WAYF 6 5 SP CTS 4 IdP Federation B (Fb) IdP SP IdP 1/23/

20 Usage Scenario: User in Fb accessing a SP in Fa 1. The user visits SP_Fa. 2. The user is redirected to the WAYF of Fa [cookie] 3. The user selects (the WAYF of) Fb [cookie] 4. The user selects its IdP and logs in [cookie] 5. The IdP will ask her to confirm the release of her personal attributes to the CTS in Fa [optionally, only first time]. 6. The CTS in Fa will convert it to the format necessary for CTS in Fb 7. The CTS in Fb will convert it to the format necessary for the SP [ask user to confirm release of attributes, and which set of attributes, i.e. which business card ]. 1/23/

21 CTS characteristics Act as an IdP within the Federation Includes defining default ARP for a certain SP Act as an SP to external CTS services in other trusted federations Specifies the attribute schema it expects to receive and which external CTS services need to supply Extend the WAYF Needs to include selection of other Federations 1/23/

22 Deliverables 1. Single Sign-On (authn( strength) 2. Repository Access & DRM 3. Federations (search) & policies 4. Virtual organizations Shibbolizing GridSphere (Flash demo) Shibbolizing MyProxy (work in progress) 5. Attribute management 1/23/

23 Shibbolizing MyProxy (with Jim Basney) Users logs in via Shibboleth to GridSphere User selects Login via Shib in MyProxy portlet Portlet redirects user to new Shibbolized MyProxy servlet via IdP with opaque UID MyProxy servlet verifies SAML assertion MyProxy portlet gets proxy certificate from MyProxy server using opaque UID 1/23/

24 Deliverables 1. Single Sign-On (authn( strength) 2. Repository Access & DRM 3. Federations (search) & policies 4. Virtual organizations 5. User Attribute management Autograph, based on business card metaphor 1/23/

25 Attribute Release Policies When I visit an SP, how do I present myself? Reference # Staff at Macquarie Uni Erik Vullings Staff at Macquarie Uni Erik Vullings Erik@mq.edu.au Staff at Macquarie Uni +61-(0) MQ 1/23/

26 Different cards open different doors Services & Service Level Reference # Staff at Macquarie Uni Enables access to repository Erik Vullings Staff at Macquarie Uni Allows me to rank material Erik Vullings Staff at Macquarie Uni +61-(0) MQ Allows me to add comments 1/23/

27 1/23/

28 1/23/

29 1/23/

30 Preserving My Privacy Service Provider Descriptions allow to: Hide non user-related related attributes Only show the available service (levels) Automatically select a business card based on user preferences + 1 st time confirmation High: Preserve my privacy at all costs Medium: Release my name, but not my Low: Give me maximum service Automatically perform attribute mapping 1/23/

31 What will the Future bring? Increasing the value of the Federation: Get more IdP and SP in the Federation Organize Federation/Shib workshops for developers People picker tool Simplify Shib mgmt: auto ARP configuration Expanding the Institutional Repository demonstrator: Fedora & XACML for resource protection and RBAC Virtual Librarian/helpdesk: Shibbolized chat Easy-to to-use XACML policy editor/validator validator/gui for IR Strengthen links to Grid middleware: With E-Security E project: build/use Australian CA Shibbolize MyProxy Increase VO functionality: act as IdP too, col-laboratories laboratories 1/23/