Development of Attribute Provider p for GakuNin Federation (to - - PowerPoint PPT Presentation

SLIDE 1

Development of Attribute Provider for GakuNin Federation
(to provide VO information)

2011.02.24 @ APAN Hong Kong
Motonori Nakamura, National Institute of Informatics, Japan

SLIDE 2

Realize “Single Sign On” by separation of authentication information from SPs

  • To share ID/PW information among SPs
    – Users are required to remember only one ID/PW
  • “Federation” is an architecture to utilize the SSO technology among organizations

[Diagram: SP P and SP Q; IdP A (Univ. A) authenticates User X (ID X1) and IdP B (Univ. B) authenticates User Y (ID Y2); each user presents a single ID/PW to their own IdP (AuthN) and then accesses both SPs with that identity]

SLIDE 3

Using Attribute Provider to separate Group information from SPs

  • To share group information among SPs
    – For authorization
    – For collaborative service
  • To avoid “provider lock‐in” and promote mash‐up

[Diagram: an Attribute Provider holds Group G, which the Group Admin registers; IdP A (Univ. A) and IdP B (Univ. B) register their users (User X, User Y) into the group; the Attribute Provider supplies the attribute isMemberOf: Grp‐G to SP P and SP Q, which mash up their services on that shared group information]

SLIDE 4

[Service model transition]

(1) Simple model only with IdP (SSO)

[Diagram: Universities A, B and C; campus Identification registers each user at the campus IdP and issues an ID/PW; users use the SP after AuthN at their IdP]

Universities can provide exact identification of users.

SLIDE 5

(2) Introducing CC-IdP to support all users (Classic Model)

[Diagram: as in (1), plus an IdP at the Computer Center (CC); users register with the CC, which issues an ID/PW and performs AuthN and Identification towards the SP]

Computer Center provides National/Regional service for other universities.

SLIDE 6

(3) Introducing Attribute Provider

[Diagram: the campus IdPs and the CC IdP as in (2), plus an Attribute Provider holding user groups (User Grp) managed by a group Admin; membership applications (Application) go to the Attribute Provider, and the SP obtains the group Attribute from it for Authorization, separately from AuthN at the IdP]

Attribute Provider is
  • operated by federation
SLIDE 7

(4) Introducing Shared IdP

[Diagram: a Shared IdP operated at the Computer Center; universities register their users' Identification there and the Shared IdP issues the ID/PW and performs AuthN for the SP; the Attribute Provider (Grp, Admin, Attribute) supplies Authorization information as in (3)]

SLIDE 8

Related Works to provide group (VO) information

  • Grouper (Internet2)
    – http://www.internet2.edu/grouper/
    – Provides group management in an IdP
  • COmanage (Internet2)
    – http://www.internet2.edu/comanage/
    – In progress
  • VO system (SWITCH)
    – http://www.switch.ch/vo
    – In progress
SLIDE 9

Grouper

[Slide image not extracted]

SLIDE 10

COmanage

[Slide image not extracted]

SLIDE 11

SWITCH VO

[Slide image not extracted]

SLIDE 12

Propagation of VO information in Shibboleth

  • is supported by Shibboleth IdP/SP 2.2 or later
    – An SP can send requests to Attribute Providers to get attribute information about an accessed user (as well as to an IdP)
  • AP is specified by configuration of the SP
    – Basic concept is described in a document about VO System by SWITCH
      • http://www.switch.ch/aai/support/tools/vo‐concept/
  • User Interface and Internal Data Structure are out of scope of Shibboleth/SAML
SLIDE 13

User Interfaces to utilize Attribute Provider

[Diagram: the SP obtains the Attribute from the AP System over SAML and authenticates the user via the IdP over SAML; the AP System offers a User Interface (Personal) to the User and a User Interface to the Admin of a group]

  • User Interface of AP System

SLIDE 14

Privacy Issue on Simple Model

  • Group info is also sent to other SPs since a Group is not bound to a specific SP

[Diagram: the Attribute Provider holds Grp G and Grp H, administered by the Group X Admin; SP P and SP Q each send a “Request of Group Info on User Y” and both receive isMemberOf: Grp‐G, Grp‐H; IdP A, IdP B and IdP C (Univ. A, B, C) with User Z, User Y and User X, whose membership Applications go to the Attribute Provider]
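The over-release on this slide is easy to see once the two answering rules are written down side by side. The following is an added illustration, not code from the GakuNin project or from Shibboleth: a toy attribute provider that answers an SP's “Request of Group Info on User Y” either the simple way (every SP gets every group the user is in) or with each group bound to the SPs it is meant for. The SP entityIDs, the eduPersonPrincipalName values and the group data are constructed sample data, and the SAML transport is replaced by a plain function call.

```python
from dataclasses import dataclass


@dataclass
class Group:
    """One group held by the attribute provider (constructed sample data)."""
    name: str                           # value released in isMemberOf, e.g. "Grp-G"
    members: frozenset                  # eduPersonPrincipalName values of the members
    bound_sps: frozenset = frozenset()  # entityIDs of the SPs this group exists for


class AttributeProvider:
    """Answers an SP's request for group information about one user."""

    def __init__(self, groups):
        self.groups = {g.name: g for g in groups}

    def query_simple(self, sp_entity_id, user):
        """Simple model of the slide: a group is not bound to any SP, so every
        SP that asks receives the user's complete membership list."""
        return sorted(g.name for g in self.groups.values() if user in g.members)

    def query_scoped(self, sp_entity_id, user):
        """Scoped release: a group is released only to the SPs it is bound to,
        so SP Q never learns about a group that exists for SP P alone."""
        return sorted(
            g.name
            for g in self.groups.values()
            if user in g.members and sp_entity_id in g.bound_sps
        )


def over_released(ap, sp_entity_id, user):
    """Groups the simple model would send to this SP although it has no use for them."""
    simple = set(ap.query_simple(sp_entity_id, user))
    scoped = set(ap.query_scoped(sp_entity_id, user))
    return simple - scoped


# Constructed sample federation (assumed identifiers): SP P and SP Q both use
# Grp-G, the mash-up case of slide 3; Grp-H is a group only SP P has any use for.
SP_P = "https://sp-p.example.ac.jp/shibboleth"
SP_Q = "https://sp-q.example.ac.jp/shibboleth"
USER_X = "userX@univ-a.example.ac.jp"
USER_Y = "userY@univ-b.example.ac.jp"

AP = AttributeProvider([
    Group("Grp-G", frozenset({USER_X, USER_Y}), frozenset({SP_P, SP_Q})),
    Group("Grp-H", frozenset({USER_Y}), frozenset({SP_P})),
])

if __name__ == "__main__":
    for sp in (SP_P, SP_Q):
        print(sp)
        print("  simple :", AP.query_simple(sp, USER_Y))
        print("  scoped :", AP.query_scoped(sp, USER_Y))
        print("  leaked :", sorted(over_released(AP, sp, USER_Y)))
```

Binding a group to SP entityIDs is the minimal fix; in a deployed attribute provider the same check would sit in the attribute release policy that answers the SAML attribute query, and the `over_released` difference is the thing an operator would audit before switching a group from the simple to the bound style.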

SLIDE 15

Another Style of Group Administration

  • Consortium of Faculties, Laboratories, etc.
  • Separation of Responsibility

[Diagram: the Attribute Provider holds Grp G (Law Faculty Federation), administered by the Admin of the Consortium and composed of Grp A, Grp B and Grp C, the Faculties of Law of Univ. A, B and C, each with its own Admin; SP P sends a “Request of Group Info on User X” and receives isMemberOf: Grp‐G, Grp‐A; IdP A, IdP B and IdP C with User Z, User Y and User X, whose membership Applications go to their faculty's group]

SLIDE 16

Issues on Membership Administration

  • How does a group admin learn the ID of a member?
    – Search? Direct communication?
    – eduPersonPrincipalName of the user?
  • How does a member learn the name of the group to join?
  • How to define a namespace for groups?
  • How to know which SP is related to the group?
  • Does membership registration have to be confirmed by the member being added?
  • How is automatic service subscription supported?
  • Is reuse of a group name possible?
    – A group should not be replaced silently
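Two items of this list, the namespace for groups and the rule that a group must never be replaced silently when a name is reused, can be enforced by separating the human-readable group name from an opaque identifier and by tombstoning retired names. The registry below is an added example, not GakuNin or Shibboleth code; the “namespace:local-name” layout, the owner table and the sample principals are assumptions made for the illustration.

```python
import re
import uuid
from dataclasses import dataclass

# Assumed naming convention: "<namespace>:<local-name>", where the namespace is the
# organisation or consortium whose admins may create groups in it.
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*:[A-Za-z0-9][A-Za-z0-9_.-]*$")


class NameRetiredError(Exception):
    """A retired name was registered again without an explicit reissue."""


@dataclass(frozen=True)
class GroupRecord:
    group_id: str  # opaque and never reused; this is what an SP should be configured with
    name: str      # namespaced display name; may be retired and later reissued
    admin: str     # principal who created the group


class GroupRegistry:
    def __init__(self, owners):
        self._owners = owners  # namespace -> set of admin principals allowed to act in it
        self._live = {}        # name -> GroupRecord currently carrying that name
        self._retired = {}     # name -> [GroupRecord, ...] in retirement order

    def _check_owner(self, namespace, admin, action):
        if admin not in self._owners.get(namespace, set()):
            raise PermissionError(f"{admin} may not {action} groups in {namespace}")

    def register(self, namespace, local_name, admin, reissue=False):
        name = f"{namespace}:{local_name}"
        if not NAME_RE.match(name):
            raise ValueError(f"malformed group name: {name!r}")
        self._check_owner(namespace, admin, "create")
        if name in self._live:
            raise ValueError(f"group already exists: {name}")
        if name in self._retired and not reissue:
            # The name once meant another group; refuse unless the admin says so
            # explicitly, so a retired group is never replaced silently.
            raise NameRetiredError(f"{name} was retired; pass reissue=True to create a new group")
        rec = GroupRecord(group_id=uuid.uuid4().hex, name=name, admin=admin)
        self._live[name] = rec
        return rec

    def retire(self, name, admin):
        if name not in self._live:
            raise KeyError(name)
        self._check_owner(name.split(":", 1)[0], admin, "retire")
        rec = self._live.pop(name)
        self._retired.setdefault(name, []).append(rec)
        return rec

    def resolve(self, name):
        """group_id of the live group carrying this name, or None."""
        rec = self._live.get(name)
        return rec.group_id if rec else None

    def same_group(self, name, group_id):
        """SP-side check: is the group under this name still the one I was configured with?"""
        return self.resolve(name) == group_id

    def history(self, name):
        """All records that ever carried the name, oldest first."""
        past = list(self._retired.get(name, []))
        return past + ([self._live[name]] if name in self._live else [])


def demo():
    """Retire a group and reuse its name with constructed data; returns what an SP observes."""
    ns, admin = "univ-a.example.ac.jp", "admin@univ-a.example.ac.jp"  # assumed values
    reg = GroupRegistry({ns: {admin}})
    old = reg.register(ns, "Grp-G", admin)
    reg.retire(old.name, admin)
    try:
        reg.register(ns, "Grp-G", admin)
        refused = False
    except NameRetiredError:
        refused = True
    new = reg.register(ns, "Grp-G", admin, reissue=True)
    return {
        "name": old.name,
        "refused_without_reissue": refused,
        "new_id_differs": new.group_id != old.group_id,
        "old_id_still_matches": reg.same_group(old.name, old.group_id),
        "new_id_matches": reg.same_group(old.name, new.group_id),
        "history_len": len(reg.history(old.name)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

An SP that stores the `group_id` rather than the name, and calls `same_group` when it resolves the name, notices that “univ-a.example.ac.jp:Grp-G” now denotes a different group instead of silently granting the new group's members whatever the old group was authorized for.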

SLIDE 17

Future Plan

  • Basic Design of Attribute Provider
    – Implementation (1Q of 2011)
    – Evaluation with some simple SPs
  • Consideration to apply to SPs which provide contents under contract
    – e‐journal, e‐book, etc.
  • Apply to collaboration services which require more information
    – Mailing Lists, SNS, etc.