The Shibboleth-enabled WebDAV server used in ESUP-Portail and ORI-OAI projects (PowerPoint PPT presentation)


  1. The Shibboleth-enabled WebDAV server used in ESUP-Portail and ORI-OAI projects Raymond Bourges TERENA EuroCAMP 14 - 15 November 2007 Dubrovnik, Croatia

  2. Shibboleth-enabled WebDAV server • 1) Context • Demo (if it works…) • 2) Protocols • WebDAV protocol • ACP protocol • 3) Implementation • Slide WebDAV server • Shibboleth integration • 4) Portal integration for management • 5) About future

  3. Context

  4. Context • ESUP-Portail (since 2003) • ESUP-Portail is a consortium of French universities • Its goal is to provide a complete and open uPortal-based solution offering integrated access to services and information for students and staff • This includes user data storage, with sharing capabilities provided by a WebDAV server

  5. Context 2 • ORI-OAI (since 2006) • The ORI-OAI project seeks to create an open system • Built in part on ESUP-Portail project experience • This system allows users to: • Manage all the digital resources produced by universities • Share these resources with other universities • Enhance the value of these resources with high-quality indexing • Make these resources accessible according to well-defined access rules with a WebDAV server

  6. DEMO

  7. I want to share a folder with users of another university

  8. WebDAV protocol

  9. WebDAV • WebDAV (RFC 4918) is an extension of HTTP/1.1 whose initial goal was to permit remote editing through HTTP. To do so, WebDAV adds the following concepts: • Documents are no longer only data: they also carry metadata, called properties. The value of a property can be controlled by the server (live property) or set by clients' requests (dead property). • Ex: last file modification date, file display name • Document + metadata form a WebDAV resource • A resource can be locked by users for online editing

  10. WebDAV • WebDAV introduces new HTTP methods: • PROPFIND/PROPPATCH respectively to get/set a property on a resource • LOCK/UNLOCK respectively to set/unset a lock on a resource • MKCOL to create a collection • Like any other HTTP application, a WebDAV server can support different authentication mechanisms: • LDAP • SSO • Shibboleth

  11. WebDAV resources • WebDAV resources can be gathered into collections, much like files are gathered into folders within a file system. A collection is itself a resource, and thus can be moved, copied or deleted like any other resource • Resources can be files and folders but may represent, as we will see with ACP, other concepts like users or groups. So a typical WebDAV hierarchy looks like this:
      /
        files/
        users/
        roles/

  12. Resources accessibility • A big feature of WebDAV is its accessibility from different clients over the web • OS-integrated explorer • Rich editing capabilities • Simple web browser • Easy read access • Web application • For portal integration

  13. ACP protocol

  14. ACP (layered on WebDAV, itself layered on HTTP) • Access Control Protocol (RFC 3744) is an extension of WebDAV • All possible requestors are called principals in the ACP RFC • A WebDAV server supporting ACP has to store a representation of each principal as a WebDAV resource • A principal can be: • A user resource with at least a displayname property • A group resource with the special group-member-set property, which references users as members • A group resource can be a collection containing other subgroups

  15. ACP • ACP defines a new resource property called ACL (Access Control List), which contains ACEs (Access Control Elements) • This property is typically used to define authorizations on files or folders • Each ACE represents a relation on the resource between a principal and a privilege • The relation can either grant or deny the principal the use of the privilege • Privileges define actions allowed on resources. Example: • read, write, write-acl
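The ACL evaluation described in slides 14 and 15, as an added Python example that is not part of the presentation or of the Slide server: it parses a constructed DAV:acl property (RFC 3744 XML) and decides whether a user holds a privilege, either directly or through a group whose group-member-set lists the user. The sample hrefs, the group membership table and the "first matching ACE wins" evaluation order are assumptions for this illustration.

```python
import xml.etree.ElementTree as ET

DAV = "{DAV:}"

# Constructed sample DAV:acl property, as a PROPFIND on /files/report.pdf might return it.
SAMPLE_ACL = """<D:acl xmlns:D="DAV:">
  <D:ace><D:principal><D:href>/users/bob</D:href></D:principal>
         <D:deny><D:privilege><D:write/></D:privilege></D:deny></D:ace>
  <D:ace><D:principal><D:href>/roles/shib/medstudents</D:href></D:principal>
         <D:grant><D:privilege><D:read/></D:privilege>
                  <D:privilege><D:write/></D:privilege></D:grant></D:ace>
  <D:ace><D:principal><D:href>/users/alice</D:href></D:principal>
         <D:grant><D:privilege><D:write-acl/></D:privilege></D:grant></D:ace>
</D:acl>"""

# Constructed group-member-set of each group resource, keyed by the group's href.
GROUP_MEMBERS = {"/roles/shib/medstudents": {"/users/alice", "/users/bob"}}


def parse_acl(xml_text):
    """Return the ACEs in document order as (principal, action, {privilege names});
    principal is an href, or "DAV:all" for the <D:all/> pseudo-principal."""
    aces = []
    for ace in ET.fromstring(xml_text).findall(DAV + "ace"):
        who = ace.find(DAV + "principal")[0]
        principal = who.text.strip() if who.tag == DAV + "href" else "DAV:all"
        for action in ("grant", "deny"):
            node = ace.find(DAV + action)
            if node is not None:
                privs = {p[0].tag[len(DAV):] for p in node.findall(DAV + "privilege")}
                aces.append((principal, action, privs))
    return aces


def principal_matches(principal, user_href, groups):
    """A user matches an ACE directly, through a group it is a member of, or via DAV:all."""
    return (principal == "DAV:all" or principal == user_href
            or user_href in groups.get(principal, set()))


def has_privilege(acl_xml, user_href, privilege, groups=GROUP_MEMBERS):
    """Walk the ACEs in order; the first one that grants or denies the requested
    privilege to a matching principal decides (assumed semantics, see lead-in).
    With no matching ACE nothing is granted, which is also what an empty ACL means."""
    for principal, action, privs in parse_acl(acl_xml):
        if privilege in privs and principal_matches(principal, user_href, groups):
            return action == "grant"
    return False
```

Note how the deny ACE for bob placed before the group grant wins for write but not for read, which is why ACE order matters when delegating write-acl to others.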

  16. Slide WebDAV server

  17. Slide • Open source Java WebDAV server with ACP support from the Apache Software Foundation • Extensible • J2EE filter compatibility • Used by the ESUP-Portail project to provide LDAP, SSO (with CAS) or Shibboleth authentication capabilities • Storage layer called Slide store • Used to plug different content and property storage implementations into different parts of the resource tree provided by the WebDAV server (files, users, roles) • Slide event mechanism • Used by the ESUP-Portail project to provide an implementation of Quota for WebDAV (RFC 4331)

  18. Slide store • Out of the box you find: • File system store • To store content as binary files and properties as XML files • Can also be used to store users or groups • LDAP store • Can be used to retrieve user and group information from an LDAP directory • SQL store • Can be used to store users, groups, properties but also files in a database

  19. Slide store in ESUP/ORI projects • Naturally we used the default Slide stores: • The Slide file system store is used for files and properties (files/) • The Slide LDAP store is used for users (users/) • but this store was extended by ESUP/ORI for Shibboleth needs • The Slide SQL store is not used
      /
        files/
        users/
        roles/

  20. Slide store in ESUP/ORI projects • The /roles branch is more complicated • /roles/local uses the Slide file system store. It contains static technical groups like the admin one • /roles/uPortal uses an ESUP/ORI-specific store (UPortalRoleStore) that exposes all uPortal-managed groups, with a web service mechanism for the dialogue with uPortal • /roles/shib uses another ESUP/ORI-specific store (ShibRoleStore) that allows group definitions based on combinations of Shibboleth attributes

  21. Shibboleth integration

  22. Shibboleth • Shibboleth provides mechanisms to identify and authorize users over the web thanks to 3 components: • The SP provides the service (of course ☺) according to rules managed locally • The IdP is hosted by the end user's university and, after local authentication, gives chosen information (attributes) to the SP requested by the user • The WAYF is used by the SP to ask a user "Where Are You From" in order to interact with the right IdP

  23. Shibboleth (practical example) • Diagram: a user from University A, the Shib WebDAV server at University B asking "Who is he?", and the answer "a medical student of 2nd year" • The user tries to access a document in university B • Query to university A's "identity provider", generally through a WAYF • Response to university B's "service provider" • Access to the document

  24. ShibRoleStore and Shibboleth attributes • ShibRoleStore has 2 functions • Storage of Shibboleth group definitions (done with administrator rights) • MKCOL "shib group" in the /roles/shib branch • PROPPATCH the shib-eval-exp property of "shib group" in order to store the new rule based on Shibboleth attributes • Dynamic evaluation of the rule during ACE parsing • Uses a JSR-94 compatible rule engine (JBoss Drools) • If the rule is successfully evaluated, the group-member-set WebDAV property of "shib group" references the currently connected user • If the rule is not successfully evaluated, the group-member-set WebDAV property is empty and the ACE is not satisfied • Rules can contain equal, not, or, and, etc.
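The ShibRoleStore evaluation just described, as an added Python example that is not the project's own code: a rule built from equal/not/and/or is evaluated against the attributes the IdP released for the connected user, and the resulting group-member-set either references that user or is empty, so an ACE naming the "shib group" is satisfied or not. The rule syntax, attribute names and values are assumptions for this illustration (the real store hands the rule to JBoss Drools).

```python
# Constructed rule for a "shib group", as it would be stored in its shib-eval-exp property.
# Rule syntax is an assumption for this illustration:
#   ("equal", attribute, value) | ("not", rule) | ("and", rule, ...) | ("or", rule, ...)
MED_STUDENTS_YEAR2 = (
    "and",
    ("equal", "eduPersonAffiliation", "student"),
    ("equal", "eduPersonEntitlement", "urn:mace:example:medicine:year2"),
    ("not", ("equal", "schacHomeOrganization", "university-b.example")),
)

# Constructed attributes as released by university A's IdP for the connected user.
USER_ATTRS = {
    "eduPersonAffiliation": {"member", "student"},
    "eduPersonEntitlement": {"urn:mace:example:medicine:year2"},
    "schacHomeOrganization": {"university-a.example"},
}


def evaluate(rule, attrs):
    """Evaluate a rule against the Shibboleth attributes of the connected user.
    Attributes are multi-valued, so 'equal' holds if the value is among them;
    an attribute the IdP did not release never satisfies an 'equal' test."""
    op = rule[0]
    if op == "equal":
        return rule[2] in attrs.get(rule[1], ())
    if op == "not":
        return not evaluate(rule[1], attrs)
    if op == "and":
        return all(evaluate(r, attrs) for r in rule[1:])
    if op == "or":
        return any(evaluate(r, attrs) for r in rule[1:])
    raise ValueError(f"unknown operator {op!r}")


def group_member_set(rule, user_href, attrs):
    """group-member-set as ShibRoleStore exposes it during ACE parsing: the current
    user's href if the rule holds, otherwise empty (so the ACE is not satisfied)."""
    return {user_href} if evaluate(rule, attrs) else set()
```

Because membership is recomputed on every ACE evaluation, a user whose IdP stops releasing the entitlement loses access on the next request without any ACL change.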

  25. Portal integration for management

  26. ESUP Storage channel • This channel provides uPortal users with access to all their files • It has CIFS, WebDAV and FTP capabilities • You can, for example, cut a CIFS folder and paste it into a WebDAV server

  27. ESUP Storage (ACL management) • If you have the write-acl privilege on a WebDAV server, you have a "share" button • With it, you can manage the ACL of the current WebDAV folder • Please note that if you give write-acl to others you delegate ACL management. It is particularly useful in a large organization like a university • You also have facilities to select users or groups • With a directory browser for users and a group explorer

  28. ESUP Storage (ACL management) • Screenshot of the share dialog: privilege columns Read, Write, Write-ACL; Users: "Add a local user", "Add a Shibboleth user"; Groups: "Add a group"
