 
Guanxi
TERENA, Barcelona, September 8th 2005
Alistair Young, Senior Software Engineer (Àrd-Innleadair air Bathar-bog)
Sean Mehan, Guanxi Project Manager, sean@smo.uhi.ac.uk
UHI @ Sabhal Mòr Ostaig

- Guanxi: summary and current state
- Technical description
- Some analysis of the situation
- WAFFLE
- More information
- Demonstration / questions
The Guanxi Project
Who is Guanxi? (i.e., who to blame...)
- UK JISC-funded Core Middleware project
- Collaboration: University of the Highlands and Islands (lead partner), University of Leeds, University of Oxford
- (Diagram: Core Guanxi, SAML, IdP, SP, WAYF, SAMUEL)
What is Guanxi?
"...you scratch my back, I'll scratch yours"
In the Chinese business world, "Guanxi" is understood as the network of relationships among the various parties that cooperate with and support one another.
Guanxi has three main objectives:
- To implement the Shibboleth 1.2 specification within a web-services architecture and within a VLE
- To extend and develop intra- and inter-institutional AA (authentication and authorisation) functions
- To create and use Shibboleth federations, based upon Bodington usage

The Guanxi Project
Guanxi is composed of two strands:
- Integration of the Shibboleth reference implementation within the Bodington VLE (now replaced by the Guanxi alternative implementation)
- An alternative implementation of the Shibboleth protocol, in an eLearning context
Bodington
Diagram: login paths into Bodington VLE 1 at org1. Standard login or Shibboleth Target login (user@org1, org2); authentication store: LDAP, JDBC, or internal to Bodington; authorisation store: Webauth or internal to Bodington; target resource.htm.

Strand 2
Diagram: user@org1 logs in (standard login or Shibboleth login) at the org1 GX IdP; the org2 GX SP sends a <samlp:AttributeQuery> to the IdP, which answers with a <saml:Assertion> built from attribute stores 1..n through its policy map; the SP applies its own policy map and the org2 VLE serves resource.htm.
JISC Information Environment (JISC IE)
Diagram, bottom to top:
- Provision layer: JISC-funded content providers, institutional content providers, external content providers
- Fusion layer: brokers, aggregators, indices, catalogues, resolvers, OpenURL resolvers
- Presentation layer: portals (institutional, subject-specific, media), learning management systems, end-user client
- Shared infrastructure: authentication / authorization services, service registries, terminology services, metadata schema registries, institutional user profiling services
Guanxi & SAMUEL
- Shibboleth is a profile of SAML 1.1 and also the name of the default implementation
- OpenSAML is the Internet2 partial implementation of the SAML 1.1 spec
- Shibboleth, the application, uses OpenSAML to implement the profile
- Guanxi is an alternative implementation of the Shibboleth profile
- SAMUEL (SAML Used in ELearning) is the Guanxi partial implementation of the SAML 1.1 spec
- Guanxi uses SAMUEL to implement the profile
(Diagram: Shibboleth over OpenSAML and Guanxi over SAMUEL, side by side in the profile space)

SAMUEL
SAML Used in ELearning
- Standalone Java SAML toolkit
- Partial implementation of SAML 1.1
- Partial implementation of SAML 2 Metadata
- Metadata extensions for the distributed Service Provider
- Available as a separate download
Bodington + Guanxi
A Shibboleth-compatible Virtual Learning Environment
- Bodington VLE with embedded Guanxi IdP and Guanxi SP (diagram: Bodington as Guanxi/Shibboleth gateway, alongside Athens, a Shibboleth IdP and a Shibboleth SP)
- True SSO
- Minimal configuration: self-signed certificates are auto-generated (relying parties still have to obtain those certificates through federation metadata or equivalent trust configuration before they will accept anything signed with them)
- Very fine-grained user permission system, exposed as the bodington_member attribute by Guanxi
- Can log in to your IdP to create users and manage their access rights
Web Service Enabled Service Provider
Distributed architecture: an institutional SAML server (the federation SP) with satellite Guards; SAML servers can be added to balance load.
Diagram: org2 server hosting Webapp 1 (filter plus resource-specific modules) and the federation server/SP; org1 IdP with SSO and AA; the federation WAYF.
Flow:
1. Institutional user@org1 accesses a resource at org2
2. The filter sets up a WS-Callback with the federation SP
3. The filter redirects to the federation WAYF
4. The user's SSO authenticates them
5. The SSO replies to the federation SP
6. The federation SP requests attributes on behalf of the filter (A/C)
7. The user's AA sends attributes to the federation SP
8. The federation SP invokes the WS-Callback to the filter, which retrieves its attribute request data
9. The filter makes the access decision based on the attributes gathered by the federation SP
Guanxi IdP & SP
Extra-institutional learning material access based on hierarchical, aggregated attributes from multiple sources
Diagram: UHI (Bodington, SITS, eDirectory) -> Guanxi IdP -> (Shibboleth) -> Guanxi SP at Leeds (Bodington)
Scenario:
- UHI: MA Cake Munching, Year 1, Cake Eating Etiquette module
- Leeds has supplemental material for hopeless cake munchers
- The student is added to the "No hopers" cohort in UHI Bodington
- The course assertion comes from SITS, the cohort assertion from Bodington
Attribute Scatter
- Attribute Acceptance Policies are defined by federations, not by Shibboleth
- Although only relevant attributes are supposed to be released, this doesn't happen in the field
- A lack of AttributeDesignator elements in an SP's query means "give me everything you know about the user"
- Everything allowed by the ARP is then released to the SP, whether it is relevant to the resource or not
- Very difficult to determine in what capacity the user is accessing the resource. Are they staff who happen to also be a student?
- This blunderbuss approach to attributes makes the user's role almost impossible to determine...

Scoping the user
The secret is in properly scoped resources
- Recent talk about user roles (staff and student) has been about how to identify them via eduPersonScopedAffiliation
- Turn it on its head: how to populate eduPersonScopedAffiliation from a user's role
- Users choose roles by accessing properly scoped resources
- If you access bodington.org/studentunion/chat.jsp then you are "pretending" to be a student
- The SP guarding chat.jsp should be configured to ask for eduCourse or similar, not to make a blanket request for all attributes
- The IdP backs up the user's claim to be a student by returning an eduCourse-type attribute
- eduPersonScopedAffiliation comes out naturally once the user's role in the current access session is determined
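The two slides above (attribute scatter, and scoping the request by resource) as an added worked example. This is not Guanxi, SAMUEL or Shibboleth code: it builds a SAML 1.1 <samlp:AttributeQuery> with and without AttributeDesignator elements, applies an IdP release policy with the Shibboleth 1.x rule that an empty designator list means "everything the ARP permits", and shows an SP that maps each scoped resource to the one attribute it needs and derives the session's eduPersonScopedAffiliation from that. The user record, the ARP contents, the resource map and the org1/org2 names are constructed for illustration.

```python
"""Added example (not Guanxi, SAMUEL or Shibboleth code): how an SP's
AttributeDesignator list and the IdP's Attribute Release Policy (ARP)
combine under Shibboleth 1.x semantics, and how a resource-scoped SP
policy narrows the request. User record, ARP, resource map and org
names are all constructed here for illustration."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"  # Shibboleth 1.x
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed IdP-side data: what the IdP knows, and what the ARP lets this SP see.
USER = {
    "eduPersonPrincipalName": "user@org1",
    "eduPersonScopedAffiliation": "staff@org1",   # a staff member...
    "eduCourse": "MA Cake Munching, Year 1",      # ...who is also on a course
    "mail": "user@org1.example",
    "bodington_member": "cohort:no-hopers",
}
ARP_FOR_ORG2_SP = {"eduPersonPrincipalName", "eduPersonScopedAffiliation",
                   "eduCourse", "mail"}  # bodington_member is not released to org2

# Constructed SP-side policy: each scoped resource asks only for what it needs.
SP_RESOURCE_POLICY = {
    "/studentunion/": {"role": "student", "designators": ["eduCourse"]},
    "/staffroom/":    {"role": "staff",   "designators": ["eduPersonScopedAffiliation"]},
}

def build_attribute_query(resource, name_identifier, designators=()):
    """SAML 1.1 <samlp:AttributeQuery>; an empty designator list is legal."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", {"Resource": resource})
    subject = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameIdentifier").text = name_identifier
    for name in designators:
        ET.SubElement(q, f"{{{SAML}}}AttributeDesignator",
                      {"AttributeName": name, "AttributeNamespace": SHIB_ATTR_NS})
    return ET.tostring(q, encoding="unicode")

def requested_attributes(query_xml):
    """Names carried by the query's AttributeDesignator elements (may be empty)."""
    root = ET.fromstring(query_xml)
    return [d.get("AttributeName")
            for d in root.findall(f"{{{SAML}}}AttributeDesignator")]

def idp_release(user_attrs, arp_allowed, query_xml):
    """Shibboleth 1.x semantics: no designators means everything the ARP permits."""
    requested = requested_attributes(query_xml)
    names = set(arp_allowed) if not requested else set(arp_allowed) & set(requested)
    return {n: v for n, v in user_attrs.items() if n in names}

def sp_policy_for(path):
    """Longest-prefix match of a resource path against the SP's scoped policy."""
    best = None
    for prefix, policy in SP_RESOURCE_POLICY.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, policy)
    return best[1] if best else None

def session_affiliation(path, released, scope):
    """Derive eduPersonScopedAffiliation for this access session from the role the
    resource implies, backed by the attribute the IdP actually returned for it."""
    policy = sp_policy_for(path)
    if policy is None:
        return None
    if policy["role"] == "student" and "eduCourse" in released:
        return f"student@{scope}"
    if policy["role"] == "staff" and \
            released.get("eduPersonScopedAffiliation", "").startswith("staff@"):
        return released["eduPersonScopedAffiliation"]
    return None

def access(path, name_identifier="user@org1", scope="org1"):
    """Run one SP -> IdP attribute exchange for a resource and report the outcome."""
    policy = sp_policy_for(path)
    designators = policy["designators"] if policy else []   # unscoped = blunderbuss
    query = build_attribute_query("https://org2.example" + path, name_identifier, designators)
    released = idp_release(USER, ARP_FOR_ORG2_SP, query)
    return {"requested": requested_attributes(query), "released": released,
            "affiliation": session_affiliation(path, released, scope)}

if __name__ == "__main__":
    for p in ("/studentunion/chat.jsp", "/staffroom/minutes.jsp", "/library/index.jsp"):
        print(p, access(p))
```

The unscoped /library/ path sends no AttributeDesignator and gets back every ARP-permitted attribute, including the staff affiliation the resource has no use for, which is exactly the capacity-ambiguity problem the slide describes; the two scoped paths get one attribute each and the affiliation for the session falls out of the role the resource implies.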
WUN WAFFLE
Have another acronym. Don't mind if I do!
Wide Area Freely Federated Learning Environment
Worldwide Universities Network:
- 9 EU universities: Bergen, Bristol, Leeds, Manchester, Oslo, Sheffield, Southampton, Utrecht, York
- 5 US universities: UIUC, Penn State, Washington-Seattle, Wisconsin-Madison, UCSD
- 3 Chinese universities: Nanjing, Zhejiang

Collaborative Online Courses
- MSc Bioinformatics: Leeds, Manchester, UCSD
- MSc Geographical Information Systems: Leeds, Southampton, Penn State
Need to securely share learning resources with SSO. An ideal test bed for Shibboleth-compatible systems in real eLearning.
Information
- Guanxi project website: http://guanxi.sourceforge.net/
- Guanxi mailing list: guanxi-development@lists.sourceforge.net
- Email the team: alistair@smo.uhi.ac.uk, sean@smo.uhi.ac.uk, antony@smo.uhi.ac.uk, a.g.booth@leeds.ac.uk
- Why does Alistair talk about cakes a lot? http://www.weblogs.uhi.ac.uk/sm00ay/?p=40

Demo & Questions