Guanxi
UHI / Ox / Leeds
Alistair Young, Senior Software Engineer (Àrd-Innleadair air Bathar-bog), UHI@Sabhal Mòr Ostaig
Guanxi. TERENA, Barcelona, September 8th 2005.
Alistair Young, Senior Software Engineer (Àrd-Innleadair air Bathar-bog), UHI@Sabhal Mòr Ostaig
Sean Mehan, Guanxi Project Manager, sean@smo.uhi.ac.uk
Agenda: Guanxi - Summary and Current State; Technical Description; Demonstration / ?s; Some Analysis of the Situation; WAFFLE; More information
Who is GuanXi? (i.e., who to blame...)
UK JISC funded Core Middleware Project.
Collaboration: University of the Highlands and Islands (lead partner), University of Leeds, University of Oxford.
Guanxi has three main objectives:
To implement the Shibboleth 1.2 specification into a WS architecture and within a VLE.
To extend and develop intra/inter-institutional AA functions.
To create and use Shibboleth federations, based upon Bodington usage.
In the Chinese business world, “Guanxi” is understood as the network of relationships among various parties that cooperate and support one another: “...you scratch my back, I’ll scratch yours”.
Guanxi is composed of two strands:
Integration of the Shibboleth reference implementation within the Bodington VLE (but now uses the Guanxi alternative).
Alternative implementation of the Shibboleth protocol, in an eLearning context.
(Diagram: Standard Shibboleth Target. Steps 1-5: user@org1 logs in; Authentication Store internal to Bodington, or LDAP / JDBC / Webauth; Authorisation Store internal to Bodington; access to resource.htm.)
(Diagram: Standard Shibboleth SP. Steps 1-7: user@org1 logs in; SP sends <samlp:AttributeQuery>, IdP answers with <saml:Assertion>; attributes gathered from Attribute store 1 .. Attribute store n and combined through a Policy map; access to resource.htm.)
(Diagram: JISC Information Environment. End-user client. Presentation layer: media specific portals, institutional portals, subject portals, learning management systems. Fusion layer: brokers, aggregators, catalogues, indices, OpenURL resolvers. Provision layer: JISC funded content providers, institutional content providers, external content providers. Shared infrastructure: authentication / authorization services, service registries, terminology services, metadata schema registries, resolvers, institutional + user profiling services.)
Shibboleth is a profile of SAML1.1 and also the default implementation. Shibboleth, the app, uses openSAML to implement the profile.
Guanxi is an alternative implementation of the Shibboleth profile. Guanxi uses SAMUEL to implement the profile. SAMUEL is the Guanxi partial implementation of the SAML1.1 spec.
(Diagram: Shibboleth / SAMUEL / Guanxi.) SAMUEL = SAML Used in ELearning.
SAMUEL (SAML Used in ELearning):
Partial implementation of SAML1.1.
Partial implementation of SAML2 Metadata.
Standalone Java SAML toolkit, available as separate download.
Metadata extensions for distributed Service Provider.
A Shibboleth compatible Virtual Learning Environment (diagram: Guanxi SP, Athens Shibb Gateway, Shibboleth SP).
Bodington as IdP: Bodington VLE with embedded Guanxi IdP.
Minimal configuration - self-signed certs are auto generated.
True SSO.
Very fine-grained user permission system, exposed as bodington_member attribute by Guanxi.
Can login to your IdP to create users and manage their access rights.
user@org1 accesses resource at org2:
1 Filter sets up WS-Callback with SP
2 Filter redirects to federation WAYF
3 User’s SSO authenticates them
4 SSO replies to federation SP
5 Federation SP requests attributes on behalf of filter
6 User’s AA sends attributes to federation SP
7 Federation SP invokes WS-Callback to filter, which retrieves its attribute request data
8 Filter makes access decision based on attributes gathered by the federation SP
(Diagram: Webapp, Filter, Resource specific modules (A/C), Institutional SP, WAYF, Federation server, AA, SSO; steps 1-9.)
Distributed architecture: Institutional SAML Server, satellite Guards. Can scale SAML servers to balance load.
UHI - MA Cake Munching, Year 1, Cake Eating Etiquette module. Leeds have supplemental material for hopeless cake munchers. Student added to “No hopers” cohort in UHI Bodington. Course assertion comes from SITS, cohort assertion from Bodington.
Extra-institutional learning material access based on hierarchical, aggregated attributes from multiple sources.
Attribute Acceptance Policies are defined by federations, not Shibboleth.
Although only relevant attributes are supposed to be released, this doesn’t happen in the field.
Lack of AttributeDesignator elements from an SP means “give me everything you know about the user”.
Everything allowed by the ARP is released to the SP, whether it’s relevant to the resource or not.
Very difficult to determine in what capacity the user is accessing the
Blunderbuss approach to attributes makes user role almost impossible to determine...
Recent talk about user roles - staff and student - how to identify via eduPersonScopedAffiliation.
Turn it on its head - how to populate eduPersonScopedAffiliation via a user’s role.
Users choose roles by accessing properly scoped resources. If you access bodington.org/studentunion/chat.jsp then you’re “pretending” to be a student. The SP guarding chat.jsp should be configured to ask for eduCourse or
IdP backs up user’s claim to be a student by returning eduCourse type thingy. eduPersonScopedAffiliation comes out naturally once the user’s role in the current access session is determined. The secret is in properly scoped resources.
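The two points above (an AttributeQuery with no AttributeDesignator elements releases everything the ARP allows, and a properly scoped resource lets the SP ask only for what that role needs) as an added example in Python; this is not Guanxi or SAMUEL code. The resource-to-attribute map, the ARP and the user attributes are constructed sample data, and the ARP here is simplified to a plain set of permitted attribute names.

```python
# Added example (not Guanxi/SAMUEL code). Builds a SAML 1.1 AttributeQuery whose
# AttributeDesignators come from the scope of the requested resource, then applies a
# simplified IdP-side ARP. RESOURCE_SCOPE, the ARP set and user attributes are
# constructed sample data.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ATTR_NS = "urn:mace:dir:attribute-def"

# Hypothetical SP configuration: which attributes each scoped resource needs.
RESOURCE_SCOPE = {
    "/studentunion/": ["eduCourse"],
    "/staffroom/": ["eduPersonScopedAffiliation"],
}


def designators_for(path):
    """Attribute designators for a resource path (longest matching prefix wins)."""
    best = max((p for p in RESOURCE_SCOPE if path.startswith(p)), key=len, default=None)
    return list(RESOURCE_SCOPE[best]) if best else []


def build_attribute_query(name_id, designators):
    """Build <samlp:AttributeQuery>; an empty designator list yields no designators."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery")
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameIdentifier").text = name_id
    for name in designators:
        ET.SubElement(query, f"{{{SAML}}}AttributeDesignator",
                      AttributeName=name, AttributeNamespace=ATTR_NS)
    return query


def release(query, arp_allowed, user_attrs):
    """IdP side. With designators, release only those the ARP allows; with none,
    release everything the ARP allows (the blunderbuss behaviour described above)."""
    wanted = [d.get("AttributeName")
              for d in query.findall(f"{{{SAML}}}AttributeDesignator")]
    candidates = wanted or sorted(user_attrs)
    return {a: user_attrs[a] for a in candidates
            if a in arp_allowed and a in user_attrs}
```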
9 EU universities - Bergen, Bristol, Leeds, Manchester, Oslo, Sheffield, Southampton, Utrecht, York
5 US universities - UIUC, Penn State, Washington-Seattle, Wisconsin-Madison, UCSD
3 Chinese universities - Nanjing, Zhejiang
Worldwide Universities Network. Wide Area Freely Federated Learning Environment. Have another acronym. Don’t mind if I do!
MSc Bioinformatics - Leeds, Manchester, UCSD
MSc Geographical Information Systems - Leeds, Southampton, Penn State
Need to securely share learning resources with SSO. Ideal test bed for Shibboleth compatible systems in real eLearning.
Guanxi project website - http://guanxi.sourceforge.net/
Guanxi mailing list - guanxi-development@lists.sourceforge.net
Email the team - alistair@smo.uhi.ac.uk, sean@smo.uhi.ac.uk, antony@smo.uhi.ac.uk, a.g.booth@leeds.ac.uk
Why does Alistair talk about cakes a lot? http://www.weblogs.uhi.ac.uk/sm00ay/?p=40