
Group Management Tool


Presentation Transcript


  1. Group Management Tool Lukas Haemmerle haemmerle@switch.ch

  2. Situation
  • Web application/files/functions that must be protected
  • Access/authorization shall be based on user groups
  • Overhead for group administration shall be small
  • Shibboleth/other solution available
  • Users have an AAI account
  Real-life example: the slides/photos of this meeting shall be accessible only to the people who attended the meeting.

  3. Case 1: Users share common attributes
  Access rule (every authorized user carries the same attribute values, so the rule needs no per-user entries):
  • HomeOrg = IdP X | IdP Y | IdP Z
  • Affiliation = Student
  • StudyBranch = Medicine

  4. Case 2: No common user attributes
  How can these users be authorized?

  5. Solution 1: Create a common attribute
  • Add an entitlement attribute for the specific users at their IdP
  Access rule: require entitlement urn:mace:rediris.es:entitlement:wiki:jra5
  + Easy solution for a difficult problem
  - Additional work for the user directory administrator
  - Difficult to manage many entitlement values efficiently
  - Only the IdP admin can manage access

  6. Solution 2.a: Use uniqueIDs or email
  • Get the unique IDs or AAI email addresses of the users
  • Create access rules like:
  Access rule: require uniqueID 465@idp-x.ch 234@idp-y.ch […]
  Access rule: require email hans.muster@idpx.ch pierre.m@idpz.ch […]
  + Straightforward solution
  - SP administrator must know each user's unique ID/email address
  - Difficult to manage efficiently for many users/apps
  - Only the SP admin can manage access

  7. Solution 2.b: Use SWITCH GMT 0.9
  • Open source software (BSD license)
  • Easy to install
  • Lightweight PHP application
  • Human-readable text files to store group data
  Features
  • Manage multiple groups for multiple applications
  • Three user/admin roles with different privileges
  • Transfer privileges to other users
  • Invite new users to join a group via email
  • Users can request to join a group (self-registration)
  • Generate authorization files (Apache .htaccess)
  • API for use on remote hosts

  8. Administration interface
  • Every role has different options and views
  • Red groups are system groups

  9. Group settings

  10. Manage a group

  11. Adding users to a group
  • Add registered users to one or more groups with a certain role

  12. Inviting new users
  • An invitation token (link) is sent to the provided email addresses
  • Tokens can be revoked

  13. Request to join a group

  14. Generate authorization files
  • Multiple authorization files can be generated per group
  • Files are updated automatically on changes

  15. Authorization files
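The authorization-file generation of slides 14 and 15, and the uniqueID-based rule of slide 6, as an added example that is not part of the presentation and not GMT's own code: a Python script (GMT itself is PHP) that reads a group file, renders an Apache .htaccess fragment admitting exactly the listed uniqueIDs, and replaces the file atomically so that httpd never serves from a half-written rule set. The group-file layout (one "uniqueID role" per line with # comments), the Shibboleth SP 3 / Apache 2.4 directive form Require shib-attr, and every name and ID in the sample are assumptions; the slides do not show GMT's real on-disk format.

```python
"""Render an Apache/Shibboleth authorization file from a GMT-style group file.

Added example, not GMT's own code. The group file layout, the Shibboleth SP 3 /
Apache 2.4 directive syntax and all sample identifiers are assumptions.
"""
from __future__ import annotations

import os
import re
import tempfile

# Constructed sample group file (the meeting attendees of slide 2).
SAMPLE_GROUP_FILE = """\
# group: aai-meeting
# attendees of the meeting; "<uniqueID> <role>" per line
465@idp-x.ch admin
234@idp-y.ch member
789@idp-z.ch member

234@idp-y.ch member   # duplicates are harmless: last entry wins
"""

# Only characters that can safely appear as an unquoted Require value.
# A member name is data entered through the GMT web interface, i.e. untrusted
# input, and must never be able to smuggle extra directives into httpd config.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9@._+-]+$")


def parse_group_file(text: str) -> dict[str, str]:
    """Return {uniqueID: role}; ignores blank lines and '#' comments."""
    members: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        uid, _, role = line.partition(" ")
        members[uid] = role.strip() or "member"
    return members


def render_htaccess(members: dict[str, str], attr: str = "uniqueID",
                    roles: set[str] | None = None) -> str:
    """Build the .htaccess text that lets exactly the listed uniqueIDs in.

    roles=None admits every member; roles={"admin"} admits only admins, which
    is how one group can feed several authorization files (slide 14).
    """
    uids = sorted(u for u, r in members.items() if roles is None or r in roles)
    for uid in uids:
        if not SAFE_VALUE.match(uid):
            raise ValueError(f"refusing to write unsafe value {uid!r}")
    lines = [
        "# Generated from the group file; edit the group in GMT, not this file.",
        "AuthType shibboleth",
        "ShibRequestSetting requireSession 1",
    ]
    if uids:
        lines.append(f"Require shib-attr {attr} " + " ".join(uids))
    else:
        # An empty group must lock everyone out. Do not emit a Require line
        # with no values; its effect would depend on the provider.
        lines.append("Require all denied")
    return "\n".join(lines) + "\n"


def write_atomically(path: str, content: str) -> None:
    """Replace the file in one step so httpd never reads a half-written file.

    GMT regenerates files "automatically on changes"; renaming a complete temp
    file avoids a window in which the old rule is gone and the new one is not
    yet complete.
    """
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".htaccess.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    members = parse_group_file(SAMPLE_GROUP_FILE)
    print(render_htaccess(members))
    print(render_htaccess(members, roles={"admin"}))
```

The value check matters more than it looks: whoever can edit a group in GMT is, through the generated file, editing httpd configuration, so the generator must treat member names as untrusted and refuse anything that is not a plain attribute value.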

  16. Interface for remote hosts
  • PHP/Perl functions:
    • isInGroup($uniqueID, $gName)
    • getGroupModifyURL($gName)
    • getUserGroups($uniqueID)
    • getStatus()
    • getError()
  • Secure queries:
    • Over SSL
    • Encrypted with a shared key
    • Limited to allowed hosts
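The remote-host interface of slide 16 as an added example, not GMT's PHP/Perl library: a Python sketch of both sides of an authenticated isInGroup()/getUserGroups() query. The slides say queries go over SSL, are encrypted with a shared key and are limited to allowed hosts; this example uses the shared key as an HMAC key over the whole message plus a timestamp and a nonce, because confidentiality alone (TLS or encryption) does not tell the server which host asked, whether the arguments were altered, or whether a captured query is being replayed. The JSON message format, the per-host key table, the peer_host parameter standing in for the peer identity the TLS layer would supply, and the constructed group data are all assumptions.

```python
"""Shared-key authenticated group query between a remote host and a GMT-style
server.

Added example, not the GMT PHP/Perl library. Wire format, per-host key table
and the HMAC/timestamp/nonce scheme are this example's assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW = 300  # seconds a request stays acceptable; nonces are kept that long

# Constructed data: one shared key per allowed host, and the group store.
ALLOWED_HOSTS = {"app1.example.ch": b"constructed-key-app1-not-for-production"}
GROUPS = {
    "aai-meeting": {"465@idp-x.ch", "234@idp-y.ch"},
    "wiki-jra5": {"234@idp-y.ch"},
}


def _mac(key: bytes, body: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign_request(host: str, key: bytes, func: str, args: dict,
                 ts: int | None = None) -> dict:
    """Client side: the message isInGroup()/getUserGroups() would send over TLS.

    The MAC covers host, function, arguments, timestamp and nonce, so none of
    them can be altered in transit and the message cannot be replayed later.
    """
    payload = {"host": host, "func": func, "args": args,
               "ts": int(time.time()) if ts is None else ts,
               "nonce": secrets.token_hex(16)}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return {"payload": body, "mac": _mac(key, body)}


class GroupServer:
    """Server side: validates the request, then answers the two lookups."""

    def __init__(self, groups, allowed_hosts, now=time.time):
        self.groups, self.allowed, self.now = groups, allowed_hosts, now
        self.seen: dict[str, int] = {}  # nonce -> ts, for replay rejection

    @staticmethod
    def _err(msg: str) -> dict:
        # Mirrors what getStatus()/getError() expose on the client side.
        return {"status": "error", "error": msg}

    def handle(self, request: dict, peer_host: str) -> dict:
        body, mac = request.get("payload"), request.get("mac")
        try:
            payload = json.loads(body)
            host, func, args = payload["host"], payload["func"], payload["args"]
            ts, nonce = int(payload["ts"]), str(payload["nonce"])
            if not isinstance(args, dict):
                raise TypeError("args")
        except (ValueError, KeyError, TypeError):
            return self._err("malformed request")
        # 1. Allowed host: the claimed host selects the key and must match the
        #    peer the transport layer actually authenticated (peer_host stands
        #    in for that here).
        key = self.allowed.get(host)
        if key is None or host != peer_host:
            return self._err("host not allowed")
        # 2. Constant-time MAC check before any field is trusted.
        if not isinstance(mac, str) or not hmac.compare_digest(mac, _mac(key, body)):
            return self._err("bad signature")
        # 3. Freshness and replay: a stale or already-seen request is refused
        #    even though its MAC is valid.
        now = int(self.now())
        if abs(now - ts) > MAX_SKEW:
            return self._err("stale request")
        if nonce in self.seen:
            return self._err("replayed request")
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        self.seen[nonce] = ts
        # 4. Dispatch only to the two lookup functions.
        uid = str(args.get("uniqueID", ""))
        if func == "isInGroup":
            group = self.groups.get(str(args.get("gName", "")), set())
            return {"status": "ok", "result": uid in group}
        if func == "getUserGroups":
            return {"status": "ok",
                    "result": sorted(g for g, m in self.groups.items() if uid in m)}
        return self._err("unknown function")


if __name__ == "__main__":
    server = GroupServer(GROUPS, ALLOWED_HOSTS)
    key = ALLOWED_HOSTS["app1.example.ch"]
    req = sign_request("app1.example.ch", key, "isInGroup",
                       {"uniqueID": "465@idp-x.ch", "gName": "aai-meeting"})
    print(server.handle(req, "app1.example.ch"))
    print(server.handle(req, "app1.example.ch"))  # second delivery is a replay
```

The order of the checks is deliberate: the host lookup only selects a key, the MAC is verified before the timestamp or nonce are trusted, and the nonce is recorded only after the MAC passed, so a forged message cannot burn a nonce that a legitimate client is about to use. getGroupModifyURL() is not modelled, since it returns a link rather than an authorization decision.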

  17. Summary and outlook
  • Summary
    • Convenient management of “virtual” groups
    • Roles can be transferred
    • Users can request to join a group with self-registration
    • Authorize users on remote servers
    • Libraries available for PHP and Perl
  • Preliminary outlook for GMT 1.0
    • Generation of Shibboleth XML authorization files
    • Additional API functions with SOAP/REST
    • Probably a new name (e.g. “grot”, “groupy”, …)
  http://www.switch.ch/aai/gmt

  18. Questions
  Q & A
  http://www.switch.ch/aai
  aai@switch.ch
