GakuNin VO Platform – GakuNin mAP -
Takeshi NISHIMURA (GakuNin, NII, Japan) TERENA VAMP workshop, Utrecht 2012.09.07
GakuNin is an academic access federation in Japan, since 2010. *1
Current status: # of IdPs 42, # of IDs ~50k, # of …
Continuously extending federation functionality
*1 – https://www.gakunin.jp/en/
Our VO Platform: GakuNin mAP
Provides membership information of groups to various SPs, including unknown/unfamiliar SPs.
It is the only entity of its kind in the federation: each university does not have its own mAP entity (this is not mandatory, just recommended), and all groups are stored in this one entity.
It accepts requests from all SPs in the federation.
Currently it has no connector for external LDAP etc.
For example:
E-book services which have contracts with small …, e.g. laboratories in universities
Mailing list provider for various groups
File sharing service for communities
Used by various SPs (groupware, e-Journal, …); each SP has a different aim, and collaborative work is usually very complicated.
Traditional federation contains only IdPs and …; access control is basically based on the attributes.
Source of group information:
IdP-led groups: constructible from the information which the IdP has, e.g. eduPersonAffiliation and organizationalUnitName.
SP-led groups: constructible from the information which the SP has; theoretically possible but with much cost.
Third-party-led groups: constructible from the information which another entity has, e.g. members of a laboratory, a joint research project, ...
Goal of our VO platform: 1. … 2. …
SimpleAggregation (Shibboleth SP built-in): back-channel communication just after authn., enabled by just adding a few lines into the SP’s configuration file.
People API / Group API (optional): for e.g. a mailing list service.
Which user ID do we use? ePPN (eduPersonPrincipalName)
Which group ID do we use? A specific URI, e.g.:
“gakuninhelp” group in GakuNin mAP = https://map.gakunin.nii.ac.jp/gr/gakuninhelp
administrators of the “gakuninhelp” group (virtually a group of its own) = https://map.gakunin.nii.ac.jp/gr/gakuninhelp/admin
People API / Group API: a VOOT-like simple protocol to retrieve member / … information, but using TLS client certificate authentication (the SP’s certificate in metadata). Even the openssl command can be used to retrieve it. *2
https://map.gakunin.nii.ac.jp/api/people/@me/GROUPID[?lang=NN]
https://map.gakunin.nii.ac.jp/api/groups/@me[?lang=NN]
*2 – https://meatwiki.nii.ac.jp/confluence/x/lwic (in Japanese)
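As an added example (not code from the slides or from GakuNin itself), here is how a Shibboleth-protected SP could enforce access from the isMemberOf attribute using the group URI convention above, with the group's /admin URI treated as a separate virtual group. It assumes the SP receives isMemberOf as one string in which Shibboleth SP joins multiple values with ';' and escapes a literal ';' inside a value as '\;'; the sample value is constructed.

```python
# Added example, not from the GakuNin mAP slides or GakuNin's own code.
# Assumption: Shibboleth SP delivers multi-valued attributes joined by ';'
# with a literal ';' inside a value escaped as '\;'.

MAP_GROUP_BASE = "https://map.gakunin.nii.ac.jp/gr/"

# Constructed sample value: member and admin of "gakuninhelp" plus one non-mAP value
SAMPLE_IS_MEMBER_OF = (
    "https://map.gakunin.nii.ac.jp/gr/gakuninhelp;"
    "https://map.gakunin.nii.ac.jp/gr/gakuninhelp/admin;"
    "urn:example:other"
)


def group_uri(group_id: str, admin: bool = False) -> str:
    """Build the mAP group URI for a group ID, or for its (virtual) admin group."""
    if not group_id or "/" in group_id:
        raise ValueError("group_id must be a single path segment")
    uri = MAP_GROUP_BASE + group_id
    return uri + "/admin" if admin else uri


def parse_is_member_of(raw: str) -> set[str]:
    """Split a Shibboleth-style multi-valued attribute and keep only mAP group URIs."""
    values, current, i = [], [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            current.append(";")  # escaped separator inside a value
            i += 2
            continue
        if ch == ";":
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    values.append("".join(current))
    # This decision only considers URIs in the mAP group namespace.
    return {v.strip() for v in values if v.strip().startswith(MAP_GROUP_BASE)}


def is_authorized(raw_is_member_of: str, group_id: str, require_admin: bool = False) -> bool:
    """True if the user holds the group's member URI (or its admin URI when required)."""
    return group_uri(group_id, admin=require_admin) in parse_is_member_of(raw_is_member_of)
```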
To avoid unintentional information disclosure: too much information confuses the user. The flow of the membership information should … Then users give consent for a limited number of SPs on …
This avoids the back-channel consent issue and provides membership information of groups to …
[Figure: IdPs A, B, C and SPs P, Q (each with an SP Connector) linked through Groups 1–3; roles shown are SP operator and Group admin. Example: User X has isMemberOf: SID-P, GID-2 and gets access to SP P.]
To avoid privacy issues, GakuNin mAP sends the minimum information about groups. The connection is built when the Group admin and the SP … Then each member gives consent.
[Figure: Users, SPs, member attribute requester, member attribute authority and group management UI, showing connections and membership info.]
1. “meatwiki” from NII – General Wiki service to share information in an arbitrary group
2. “shibosuke” from a private company – Scheduling service among arbitrary group members
3. “youzan” from Yamagata University – Communications service for sharing academic information
4. “meatmail” from NII – Mailing list service
5. “ARCADE” from Kanazawa University – File sharing with group permission
IdPs in Japan do not want to release ePPN to … Contract-based SPs do not need ePPN; read access on a Wiki does not need ePPN.
… instead of SimpleAggregation (* needs Shibboleth SP modification): inserts a second authentication request just after … Each SP needs no NameID.
[Figure: SP, mAP (as IdP), mAP (as SP), University IdP; flow: second authn. request, IdP’s entityID, isMemberOf, retrieve group info, ePPN (for mAP), second authn. request from mAP.]