Entitlements at UMA.es: first steps into centralised AuthR (PowerPoint presentation)

Victoriano Giralt, Central ICT Services, University of Málaga
Cork, May 19th, 2009
(CC) BY-NC-SA Victoriano Giralt, Entitlements at UMA.es

Outline: Background, Usage, Problems

Background

Entitlements: a definition

What's an entitlement?

According to the Oxford English Dictionary:
entitlement |ɛnˈtaɪtlmənt| noun
1. the fact of having a right to something: full entitlement to fees and maintenance should be offered | you should be fully aware of your legal entitlements.
2. the amount to which a person has a right: annual leave entitlement.

According to the eduPerson specification:
eduPersonEntitlement: URI (either URN or URL) that indicates a set of rights to specific resources.

URNs: what do they look like?

(Slides 10 and 11 showed example URNs as figures; only the title survived extraction.)

Usage

URNs in Entitlements for AuthR, as in use at UMA (by example)

irisUserEntitlement = urn:mace:rediris.es:uma.es:entitlement:applAccess:SolicitudGasto:LEVEL

Assigns access rights to the designated application. Function of each component:

entitlement: the URN describes a right for a user or role.
applAccess: kind of right, access to an application in this case.
SolicitudGasto: application the right is granted on.
LEVEL: granted access level, application specific: RUG, ROU, RGE.

How the entitlement is used

LDAP search: the application does a standard directory search to find out whether the authenticated user has the right to use it and which access level has been granted to her.

Query via web service: the application queries a web service with user and application identifier as inputs and obtains the access level, or the absence of the right to use.

WebSSO AuthR assertion: the authentication server has information about the accessed resource; once the user is AuthN'd, it retrieves application-specific AuthR information from the entitlements in the user's directory entry and passes them on to the resource.

Federation: we insert the appropriate entitlement values into the SAML assertions for the applications, as SPs, to consume.

Advantages

Unique authorisation point: all of an object's authorisations, both explicit and implicit, are centrally kept in a directory entry.

A sole authorisation model: URNs allow us to express all authorisation in a common form, with application-specific semantics.

Agent-Function-Qualifier: who can do what on which object.

URNs in Entitlements for AuthR, as in use at UMA (a hairier example)

irisUserEntitlement = urn:mace:rediris.es:uma.es:entitlement:applAccessAdmin:rectorado_convenios

Assigns permission-granting rights in the designated application. Function of each component:

entitlement: the URN describes a right for a user or role.
applAccessAdmin: kind of right, granting of application access permissions in this case.
rectorado_convenios: application the permission can be granted upon.

Demo time

OK? Like it or not, it's going to happen.

Problems

On URN handling problems, or, more precisely, their absence

URN usage problems are more perceived than real.

Searching for URNs: URN = text string. When properly indexed, LDAP shines for its speed in substring searching, regardless of length. (We have benchmarks to back this.)

Entitlement processing: entitlement = multivalued attribute. Processing is not more complex than for any other multivalued attribute.

URN processing: URN = text string. Searching for information inside a URN is just string processing, which most programming languages in use can easily accomplish.
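The string processing the slides describe, as an added example that is not code from the presentation or from UMA: a small Python module that parses the two URN layouts shown earlier (applAccess:app:LEVEL and applAccessAdmin:app), answers "which level on this application?" and "may she grant access?" over a multivalued irisUserEntitlement attribute, and builds the search filter for the LDAP-search usage. The namespace prefix and layouts are the ones on the slides; the helper names, the sample entry and the RFC 4515 escaping in the filter builder are assumptions of this example and go slightly beyond the slides.

```python
from typing import Optional

# Namespace prefix and URN layouts as shown on the slides; the helper names and
# the sample directory entry below are constructed for this example.
PREFIX = "urn:mace:rediris.es:uma.es:entitlement:"

def parse_entitlement(urn: str) -> Optional[dict]:
    """Split a UMA entitlement URN into its agent-function-qualifier parts:
    applAccess:<app>:<LEVEL> or applAccessAdmin:<app>. A foreign namespace,
    wrong component count or empty component yields None, so it grants nothing."""
    if not urn.startswith(PREFIX):
        return None
    parts = urn[len(PREFIX):].split(":")
    if parts[0] == "applAccess" and len(parts) == 3 and all(parts):
        return {"kind": parts[0], "app": parts[1], "level": parts[2]}
    if parts[0] == "applAccessAdmin" and len(parts) == 2 and all(parts):
        return {"kind": parts[0], "app": parts[1], "level": None}
    return None

def access_level(entitlements: list, app: str) -> Optional[str]:
    """Level granted on `app` by the multivalued attribute, or None. The whole
    application component must match: SolicitudGasto is not SolicitudGastoAdmin."""
    for value in entitlements:
        e = parse_entitlement(value)
        if e and e["kind"] == "applAccess" and e["app"] == app:
            return e["level"]
    return None

def can_grant_access(entitlements: list, app: str) -> bool:
    """True if the entry carries an applAccessAdmin right on `app`."""
    parsed = (parse_entitlement(v) for v in entitlements)
    return any(e and e["kind"] == "applAccessAdmin" and e["app"] == app for e in parsed)

def ldap_filter(uid: str, app: str) -> str:
    """Filter for the 'LDAP search' usage: the entry comes back only if it holds
    an applAccess value for `app`. Both inputs are escaped per RFC 4515, so the
    trailing '*' (standing for LEVEL) is the only wildcard in the filter."""
    def esc(s: str) -> str:
        return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in s)
    return f"(&(uid={esc(uid)})(irisUserEntitlement={PREFIX}applAccess:{esc(app)}:*))"

# Constructed sample entry: one access right, one admin right and one value from
# another namespace that must be ignored.
SAMPLE_ENTRY = [
    PREFIX + "applAccess:SolicitudGasto:RGE",
    PREFIX + "applAccessAdmin:rectorado_convenios",
    "urn:mace:dir:entitlement:common-lib-terms",
]
```

Matching on the whole application component, rather than a substring, is what keeps a right on one application from being read as a right on another whose name merely starts the same way.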

Value control: URNReg. A schema and application for registering URN values in a distributed fashion.


Thank you

Questions? (answers not assured)