to improve identity federation scalability
play

to improve Identity Federation Scalability Daniela Phn and Wolfgang - PowerPoint PPT Presentation

Jan 26, 2023 •44 likes •244 views

Automated User Information Conversion to improve Identity Federation Scalability Daniela Phn and Wolfgang Hommel Agenda Introduction and Motivation Generic Conversion Rule Repository Functionality Workflows Architecture

  1. Automated User Information Conversion to improve Identity Federation Scalability Daniela Pöhn and Wolfgang Hommel

  2. Agenda • Introduction and Motivation • Generic Conversion Rule Repository • Functionality • Workflows • Architecture • Example • Conclusion and Outlook 09/06/16 Leibniz Supercomputing Centre 2

  3. Introduction and Motivation 09/06/16 Leibniz Supercomputing Centre 3

  4. Introduction and Motivation • Problem: User information (attribute) missing • Attribute: displayName or cn • Inform organisation • Which attribute? • Update configuration manually • Waiting time 09/06/16 Leibniz Supercomputing Centre 4

  5. Introduction and Motivation Current situation in R&E: • Local Identity & Access Management (I&AM): LDAP or relational database • user information (attributes) • • Federated Identity Management (FIM): Collaborations • SAML • Identity Provider (IDP) • Service Provider (SP) • Signed Metadata, aggregated and pre-shared • Schema: Semantics and syntax attributes • • Inter-Federated Identity Management (IFIM) 09/06/16 Leibniz Supercomputing Centre 5

  6. Introduction and Motivation Federation 3 – Schema 3 Federation 2 – Schema 2 Federation 1 – Schema 1 University C University B Federation University A – Schema A Inter-Federation operator Global Schema Wiki Foodle Moodle SP SP SP Commercial SP IdP 09/06/16 Leibniz Supercomputing Centre 6

  7. Introduction and Motivation Service Providers: • Can state requested attributes in metadata. • Can also send a request. • FriendlyName, Name as OID, NameFormat, and isRequired 09/06/16 Leibniz Supercomputing Centre 7

  8. Introduction and Motivation Identity Provider: Fetch raw user data into IDP software ( DataConnector ) 1. Define attributes ( AttributeDefinition ) 2. Filter attributes ( AttributeFilter ) 3. Send attributes ( AttributeRelease ) 4. 09/06/16 Leibniz Supercomputing Centre 8

  9. Introduction and Motivation Typical conversion rules: • Renaming, e.g., from DateofBirth to schacDateOfBirth , • Merging, e.g., sn and givenName to displayName • Splitting, e.g. cn to givenName • Transforming, e.g., different date formats – dd.mm.yyyy to mm-dd-yyyy 09/06/16 Leibniz Supercomputing Centre 9

  10. Introduction and Motivation • Need to be applied manually by the IDP administrator. • Waiting time for users. • Not scalable • Shibboleth and other FIM software have pre-defined conversion types. • Pre-defined conversion types vary.  Generic conversion rule repository  Translated into software-specific rules. 09/06/16 Leibniz Supercomputing Centre 10

  11. Generic Conversion Rule Repository - Functionality Shibboleth IDP • Known: available and needed attributes  Extension searches for conversion rule Extension TTP Shibboleth • Generic conversion rule at TTP Generic CR API • Adapted for the FIM software SimpleSAMLphp IDP Repos • Locally integrated Extension SimpleSAML- php  Specific and generic conversion rules can be re-used  Speeding up setup between IDPs and SPs 09/06/16 Leibniz Supercomputing Centre 11

  12. Generic Conversion Rule Repository - Functionality Workflow: Known: IDP attributes and needed SP attributes Extension detects that IDP does not have necessary attributes for SP. 1. Extension queries TTP. 2. a. If generic conversion rule is found, rule is downloaded and transformed. 3. b. Complex conversion rule with scripts is stored IDP software specific and manually downloaded. c. If no conversion rule is found, IDP operator writes new conversion rule. After downloading conversion rule, the generated specific rule is integrated 4. into IDP’s local configuration. User can make use of service without problems. 5. 09/06/16 Leibniz Supercomputing Centre 12

  13. Generic Conversion Rule Repository - Workflow • TTP stores generic conversion rules in database. • Generic rule is downloaded, converted, and inserted into configuration. • If rule is written, it is translated into generic format and uploaded to the TTP. • Specific rules are also stored in database. 09/06/16 Leibniz Supercomputing Centre 13

  14. Generic Conversion Rule Repository - Architecture Database: • ConversionRule : Conversion from one or more attributes into another attribute. • ConversionKeyword : Inserts keywords for specific conversion rules. • ConversionAttribute : Information about source and target attributes for a conversion rule. 09/06/16 Leibniz Supercomputing Centre 14

  15. Generic Conversion Rule Repository - Architecture Generic format of simple conversion rules Shibboleth uses pre-defined operations, e.g.: • Renaming by mapping of attributes. • Splitting and other definitions with regular expressions. • Merging by template attribute definition (Velocity template language). • Scoping by scoped attribute definition. • Principal name by principal name attribute definition. Mapping of different pre-defined operations  Generic simple conversion rules 09/06/16 Leibniz Supercomputing Centre 15

  16. Generic Conversion Rule Repository - Architecture Following information needed: • sort of conversion, • source attributes, • target attribute, and • additional information, like regex. Keywords to apply specific conversion rules: source , • target , • targeturn1 , • targeturn2 as well as the transformations • regex respectively pattern and • conversion . • 09/06/16 Leibniz Supercomputing Centre 16

  17. Generic Conversion Rule Repository - Architecture Generic conversion rule: source={source1, source2, ...}; transformation = [renaming, merging, regex, conversion]; target={target, targeturn1, targeturn2}; source(transformation) => target; Renaming: source; transformation = renaming; target={target, targeturn1, targeturn2}; 09/06/16 Leibniz Supercomputing Centre 17

  18. Generic Conversion Rule Repository - Architecture • FIM software specific templates • Keywords filled with values from generic conversion rule repository • Federations can operate such a repository <resolver:AttributeDefinition xsi:type=" Script“ xmlns="urn:mace:shibboleth:2.0:resolver:ad" id=" {{target}} "> <resolver:Dependency ref= "{{source1}} "/> <resolver:Dependency ref=" {{source2}} "/> <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name=" {{targetUrn1}} " /> <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name=" {{targetUrn2}} " friendlyName=" {{target}} " /> ... </resolver:AttributeDefinition> 09/06/16 Leibniz Supercomputing Centre 18

  19. Generic Conversion Rule Repository - Example source={ gecos }; transformation = renaming ; target={ displayName , targeturn1, targeturn2}; <resolver:AttributeDefinition xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" id=" displayName " sourceAttributeID=" gecos "> <resolver:Dependency ref="{{ source|resource }}" /> <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="{{ targeturn1 }}"/> <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="{{ targeturn2 }}" friendlyName=" displayName " /> </resolver:AttributeDefinition> 09/06/16 Leibniz Supercomputing Centre 19

  20. Conclusion and Outlook • Generic conversion rule repository improves Shibboleth repository • Improves Proof-of- Concept implementation of GÉANT TrustBroker • Allows re-use of conversion rules • Independent of FIM software • Speeds up IDP-SP setup • Reduces waiting time for users Next steps: • Test concept with different parties • Improve and extend repository • How to generalize scripts or more complex conversion rules? 09/06/16 Leibniz Supercomputing Centre 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ACOnet Identity Federation Policy Experiences Peter Schober ACOnet TERENA EuroCAMP @ 4 th GN3

ACOnet Identity Federation Policy Experiences Peter Schober ACOnet TERENA EuroCAMP @ 4 th GN3

ACOnet Identity Federation Policy Experiences Peter Schober ACOnet TERENA EuroCAMP @ 4 th GN3 Symposium 15-16 October 2012 Agenda 1. The Politics behind Federation Policies 2. Tales from a Federation Operator: On-boarding of prospective

195 views • 16 slides
GCA Scalability June 99 Test Federation D. Zimmerman Argonne Meeting April 28, 1999

GCA Scalability June 99 Test Federation D. Zimmerman Argonne Meeting April 28, 1999

GCA Scalability June 99 Test Federation D. Zimmerman Argonne Meeting April 28, 1999 Requirements for the Scalability test Event Store &gt;=10 million events. Multiple components for each event, distributed across files. More

391 views • 6 slides
Kipper a Grid bridge to Identity Federation Andrey Kiryanov Brief The Kipper client

Kipper a Grid bridge to Identity Federation Andrey Kiryanov Brief The Kipper client

Kipper a Grid bridge to Identity Federation Andrey Kiryanov Brief The Kipper client software combines tools and utilities to extend a Web Application to: Enable login via federated SSO like eduGAIN Retrieve a SAML2 Identity Assertion

385 views • 24 slides
OpenStack Identity Federation Many thanks to: Who are we? Joe Savak Rackspace Product

OpenStack Identity Federation Many thanks to: Who are we? Joe Savak Rackspace Product

OpenStack Identity Federation Many thanks to: Who are we? Joe Savak Rackspace Product Manager ( ) Brad Topol IBM Distinguished Engineer \_( )_/ Jorge Williams Rackspace Principal Architect ~*

380 views • 26 slides
Automatic clustering of similar VM to improve the scalability of monitoring and management in

Automatic clustering of similar VM to improve the scalability of monitoring and management in

Automatic clustering of similar VM to improve the scalability of monitoring and management in IaaS cloud infrastructures C. Canali R. Lancellotti University of Modena and Reggio Emilia Department of Engineering Enzo Ferrari December

784 views • 61 slides
Scalability and Replication Marco Serafini COMPSCI 532 Lecture 13 Scalability 2 Scalability

Scalability and Replication Marco Serafini COMPSCI 532 Lecture 13 Scalability 2 Scalability

Scalability and Replication Marco Serafini COMPSCI 532 Lecture 13 Scalability 2 Scalability Ideal world Linear scalability Speedup Reality Ideal Bottlenecks For example: central coordinator When do we stop

938 views • 36 slides
Modelling and Analysing an Identity Federation Protocol: Federated Network Providers Scenario

Modelling and Analysing an Identity Federation Protocol: Federated Network Providers Scenario

Modelling and Analysing an Identity Federation Protocol: Federated Network Providers Scenario Maurice ter Beek (FMT, ISTICNR, Pisa, Italy) joint work with Marinella Petrocchi (IITCNR, Pisa, Italy) Corrado Moiso (Telecom Italia, Torino,

559 views • 28 slides
Identity Federation for Virtual Organizations: GridShib and MyProxy APAN Middleware Workshop

Identity Federation for Virtual Organizations: GridShib and MyProxy APAN Middleware Workshop

Identity Federation for Virtual Organizations: GridShib and MyProxy APAN Middleware Workshop Jan 22nd, 2006 Toyko, Japan Von Welch vwelch@ncsa.uiuc.edu Outline GridShib MyProxy Future plans: Shibboleth/MyProxy/GridShib

473 views • 28 slides
Federation: Beyond Distributed Control Kevin Lai HP Labs 27/10/05 page 1 [Clark, Wroklawski,

Federation: Beyond Distributed Control Kevin Lai HP Labs 27/10/05 page 1 [Clark, Wroklawski,

Federation: Beyond Distributed Control Kevin Lai HP Labs 27/10/05 page 1 [Clark, Wroklawski, Sollins, Braden 2002] ...we focus on design principles that deliver such virtues as robustness, scalability and manageability in the face of

206 views • 18 slides
Identity Theft Identity Theft Identity theft occurs when your personal information is stolen

Identity Theft Identity Theft Identity theft occurs when your personal information is stolen

Identity Theft Identity Theft Identity theft occurs when your personal information is stolen and used without your knowledge to commit fraud or other crimes Identity theft can cost you time and money. Tips for Preventing Identity Theft

322 views • 10 slides
Scalability of web applications CSCI 470: Web Science Keith Vertanen Overview Scalability

Scalability of web applications CSCI 470: Web Science Keith Vertanen Overview Scalability

Scalability of web applications CSCI 470: Web Science Keith Vertanen Overview Scalability questions What's important in order to build scalable web sites? High availability vs. load balancing Approaches to scaling

600 views • 26 slides
Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase Automation and Security. Identity Management (IAM, IdM) defining and managing the roles and access privileges of individual network users, and the

2.89k views • 13 slides
Root zone scalability model Bart Gijsen October 28, 2009 Root zone scalability model

Root zone scalability model Bart Gijsen October 28, 2009 Root zone scalability model

Root zone scalability model Bart Gijsen October 28, 2009 Root zone scalability model Introduction Development of the model by TNO as part of the Root Scalability Study Team Why quantify? Scalability is a quantitative topic

674 views • 18 slides
IDENTITY What is the Relationship Between Identity and the College Experience? What Role

IDENTITY What is the Relationship Between Identity and the College Experience? What Role

2/15/2019 Jordan Truex Agenda or Summary Layout The Road to SelfAuthorship NonTraditional Students Effective Interview Strategies Meeting the Student Where They Are IDENTITY What is the Relationship Between Identity and the

367 views • 10 slides
Performance and Scalability (Chapter 11) Performance and Scalability Performance: How long

Performance and Scalability (Chapter 11) Performance and Scalability Performance: How long

Performance and Scalability (Chapter 11) Performance and Scalability Performance: How long is the latency? Scalability: Do we get higher throughput if we add more resources? Performance and Scalability Performance: How long is the

210 views • 17 slides
Federation monitoring Jaime Prez &lt; jaime.perez@ j p @ rediris.es&gt; Virginia

Federation monitoring Jaime Prez &lt; jaime.perez@ j p @ rediris.es&gt; Virginia

TF-NOC meeting Brussels, October 2011 Federation monitoring Jaime Prez &lt; jaime.perez@ j p @ rediris.es&gt; Virginia Martn-Rubio &lt; virgini ia.martinrubio@rediris.es&gt; What is an identity fed deration? A set of

585 views • 29 slides
3 New Services Streamlining Access to eResearch Capabilities John Scullen

3 New Services Streamlining Access to eResearch Capabilities John Scullen

3 New Services Streamlining Access to eResearch Capabilities John Scullen (john.scullen@aaf.edu.au) Manager, Strategic Initiatives &amp; Managed Services (EDUcation Global Authentication INfrastructure) Growing International Community 55

414 views • 20 slides
MINEBEA Financial Review Tsugio Yamamoto President and Representative Director November 10,

MINEBEA Financial Review Tsugio Yamamoto President and Representative Director November 10,

MINEBEA Financial Review Tsugio Yamamoto President and Representative Director November 10, 2000 0 FY 2 2000 H 000 Half Y Year ar Consolid idated F Financia ial H l Highlights Plan an an and R Result \ mill llio ions /

176 views • 15 slides
Claudio Erba, CEO Ian Kidson, CFO Ma May 2020 Note: All financials presented are in US$ unless

Claudio Erba, CEO Ian Kidson, CFO Ma May 2020 Note: All financials presented are in US$ unless

Claudio Erba, CEO Ian Kidson, CFO Ma May 2020 Note: All financials presented are in US$ unless otherwise noted. 1 Disclaimer General This presentation is property of Docebo Canada Inc. (the Company, Docebo, us or we)

334 views • 19 slides
Domain Name System (DNS) Session 2: Resolver Operation and debugging Michuki Mwangi AfNOG

Domain Name System (DNS) Session 2: Resolver Operation and debugging Michuki Mwangi AfNOG

Domain Name System (DNS) Session 2: Resolver Operation and debugging Michuki Mwangi AfNOG Workshop, AIS 2018, Dakar DNS Resolver Operation How Resolvers Work (1) ! If we've dealt with this query before recently, answer is already in the cache

452 views • 41 slides
Zero Knowledge Accumulators and Set Operations Esha Ghosh 1 Olya Ohrimenko 2 Dimitrios

Zero Knowledge Accumulators and Set Operations Esha Ghosh 1 Olya Ohrimenko 2 Dimitrios

Zero Knowledge Accumulators and Set Operations Esha Ghosh 1 Olya Ohrimenko 2 Dimitrios Papadopoulos 3 Roberto Tamassia 1 Nikos Triandopoulos 4 1 Brown University 2 Microsoft Research 3 University of Maryland 4 Stevens Institute of Technology

614 views • 39 slides
An Application Conflict Detection and Resolution Method for Smart Homes Miki Yagita 1st year

An Application Conflict Detection and Resolution Method for Smart Homes Miki Yagita 1st year

An Application Conflict Detection and Resolution Method for Smart Homes Miki Yagita 1st year masters course @ The University of Tokyo, Japan Supervisers: Assoc. Prof. Fuyuki Ishikawa, Prof. Shinichi Honiden 1 IoT - Internet of Things A

522 views • 25 slides
Book Chapters and Loans Joe Natale udoc@lib.uconn.edu What are we talking about today? Rapid ILL

Book Chapters and Loans Joe Natale udoc@lib.uconn.edu What are we talking about today? Rapid ILL

Rapid ILL and RapidR Book Chapters and Loans Joe Natale udoc@lib.uconn.edu What are we talking about today? Rapid ILL - Articles - Book Chapters - Loans (RapidR Pilot) ILLiad - Rapid Manager - Direct ILL RapidR Pilot - Boston Library

841 views • 45 slides
Security By Default A Comparative Security Evaluation of Default Configurations Bernardus A.

Security By Default A Comparative Security Evaluation of Default Configurations Bernardus A.

Security By Default A Comparative Security Evaluation of Default Configurations Bernardus A. Jansen, BSc MSc System and Network Engineering Universiteit van Amsterdam July 3, 2018 B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 1 /

286 views • 15 slides

More recommend