1 / 41

Shibboleth Attribute Release Policy Editing Tools ShARPE

Shibboleth Attribute Release Policy Editing Tools ShARPE. CAMP Shib June 2006 Bruc Lee Liong bliong@melcoe.mq.edu.au http://federation.org.au. Topics. ShARPE & Autograph GUI SP Description Metadata Group ARP Attribute Mapping Policy Filter Chain.

rene
Télécharger la présentation

Shibboleth Attribute Release Policy Editing Tools ShARPE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ShibbolethAttribute Release PolicyEditing ToolsShARPE CAMP Shib June 2006 Bruc Lee Liong bliong@melcoe.mq.edu.au http://federation.org.au META ACCESS MANAGEMENT SYSTEM

  2. Topics • ShARPE & Autograph GUI • SP Description Metadata • Group ARP • Attribute Mapping • Policy Filter Chain META ACCESS MANAGEMENT SYSTEM

  3. Part of MAMS IAM Suite(I really AM Sweet) Autograph ShARPE IdP ARP Manage- ment Privacy Manage- ment IdP admin IdP member Attribute mapping META ACCESS MANAGEMENT SYSTEM

  4. Context Autograph attributes IdP SP ARP ShARPE = user ARP = site ARP IdP admin = group ARPs META ACCESS MANAGEMENT SYSTEM

  5. Shibboleth ARP Editor (ShARPE) • Provide a GUI-based editor to enable • ARP admins to implement access contracts • Users to manage their ARPs • Provide visibility to user of: • attributes required by services • attributes released to services • Service received in return for attributes • Enable users to change their ARPs hence exercise privacy control • Helpdesk META ACCESS MANAGEMENT SYSTEM

  6. New features • ARP management GUI • Group ARPs • Current Shibboleth supports site and user ARPs • Service Descriptions • Comprehensive information about SP’s service, service levels, attribute requirements • Attribute Mapping • Support for mapping between IdP and SP schemas • Policy-filter-chain extension META ACCESS MANAGEMENT SYSTEM

  7. ShARPE – ARP Administrator • ARP Admin • Import Service Description (Physics research database from Sandstone Uni) – if never imported before • Create site ARP (all communities get bronze access) • Create group ARP (Physics community gets gold access) META ACCESS MANAGEMENT SYSTEM

  8. Service Descriptions • SP’s Service and Service Level descriptions and attribute requirements • Services may provide service-levels - different functionality - based on supplied attributes • e.g. for a institutional repository or publisher: read access, adding comments/rank/annotations, submit access… • Comprehensive Service Provider information needed by both admins and users for ‘sensible’ attribute management • ShARPE introduces ‘Service Description’ metadata to support ‘fully informative’ GUI META ACCESS MANAGEMENT SYSTEM

  9. SandstoneUniServiceDescription.xml META ACCESS MANAGEMENT SYSTEM

  10. Service Description Editor META ACCESS MANAGEMENT SYSTEM

  11. Service Description Editor (cont) META ACCESS MANAGEMENT SYSTEM

  12. META ACCESS MANAGEMENT SYSTEM

  13. arp.site.xml META ACCESS MANAGEMENT SYSTEM

  14. META ACCESS MANAGEMENT SYSTEM

  15. arp.group.Physics.xml META ACCESS MANAGEMENT SYSTEM

  16. Autograph META ACCESS MANAGEMENT SYSTEM

  17. Autograph META ACCESS MANAGEMENT SYSTEM

  18. arp.user.sue.xml META ACCESS MANAGEMENT SYSTEM

  19. Group ARP • Reason: diff dept admins want to manage their own users • No modification to original Shib code • Extending from Shib ARP structure • Uses simplified flatten group (i.e. no hierarchical groups) • Group information provided by a set of plugins: AttributeResolver (LDAP/DB/etc), file, etc • Simplified API to allow extensions • Released Attributes = processing (site ARP + group ARPs + user ARP) • http://federation.org.au/twiki/bin/view/Federation/GroupLookup META ACCESS MANAGEMENT SYSTEM

  20. Activating Group ARP <ReleasePolicyEngine> <ArpRepository implementation= "au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.provider.MAMSFileSystemArpRepository"> <Path>file:/usr/local/shibboleth-idp/etc/arps/</Path> <GroupLookup implementation= "au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.AttributeResolverGroupLookup"> <ResolverConfig implementation= "edu.internet2.middleware.shibboleth.aa.attrresolv.MAMSAttributeResolver"> file:///usr/local/shibboleth-idp/etc/resolver.ldap.xml </ResolverConfig> <UserGroup>urn:mace:dir:attribute-def:eduPersonAffiliation</UserGroup> </GroupLookup> <GroupLookup implementation= "au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.PropertyFileGroupLookup“ separator="%PRINCIPAL%."> <PropertyFile>file:///usr/local/shibboleth-idp/etc/sample.grouplookup.properties</PropertyFile> <GroupListing>institutionalGroupList</GroupListing> <GroupListing>groupList</GroupListing> </GroupLookup> </ArpRepository> </ReleasePolicyEngine> META ACCESS MANAGEMENT SYSTEM

  21. Example of Group Info (FlatFile) • sample.grouplookup.properties using PropertyFileGroupLookup # this defines institutional-wide groups institutionalGroupList = Administrator, Staff, Researcher # an example of local groups groupList = Library, Physics, Biology, Walk-in # user based attributes specifying the groups using ‘memberOf’ # ann.memberOf = Researcher # john.memberOf = Staff # joe.memberOf = HeadOfSchool, Staff, Librarian META ACCESS MANAGEMENT SYSTEM

  22. Attribute Mapping • Not all organizations use the same schemas for attributes, mapping is needed • Attribute mapping functions • One-to-One Mapping • Concatenation • Static Value assignment • Hashing (e.g. TargetedID) • Examples: • Simple: ‘email’ to ‘mail’, or ‘gender’ to ‘sex’ • Complex: creating targetedID (e.g. hash(concat(SPname, email))) META ACCESS MANAGEMENT SYSTEM

  23. Attribute Mapping GUI META ACCESS MANAGEMENT SYSTEM

  24. What’s offered by AttributeResolver • Rename (mail  email) • Value mapping (“alumn”  “alumn”, “alumni”) • Regex (changing to upper case) • Formatted output • Composite ( A, B  “A B”). Limited to same number of rows attributes • Some others: StaticConnector, ScriptletAttributeDefinition,… • All, with exception of rename are *newly* introduced in 1.3c META ACCESS MANAGEMENT SYSTEM

  25. Shib implementation • Scattered implementation but simple as revolve around resolver plugins • No chaining (A  B  C, hence A = C) • Some implementations are limited to certain conditions (i.e. cannot concat different length attributes) • Same map applicable to all SPs, no differentiations or per SP mapping META ACCESS MANAGEMENT SYSTEM

  26. MAMS Attribute Mapping implementation • Attributes with different rows concatenation ability • One entry point for all mapping entries  one mapping engine (CustomAttributeDefinition) • Different maps loaded for different SPs • SP1 has mail  email • SP2 has fname + sn + ‘@nowhere.com’  e-mail • SP3 has … • General mapping can be provided (i.e. default mapping from eduPerson2MySchema applicable to all SPs) META ACCESS MANAGEMENT SYSTEM

  27. Attribute Mapping for SPa: X = X + Y • Rename existing entry of X to X’ on resolver • Create map entry on resolver for X that depends on X’ and Y • Put X = X’ + Y on SPa’s map • Put X = X’ on default.mapper (for other SPs) META ACCESS MANAGEMENT SYSTEM

  28. Processing attribute X • Requests come to resolve X for SPa • X is registered to be handled by mapper • Crosswalk for SPa loaded • If no crosswalk found, default.mapper loaded • All X’s dependencies provided to Crosswalk • Map function try to resolve X META ACCESS MANAGEMENT SYSTEM

  29. Activating Attribute Mapping • Done automatically by ShARPE when enabled <CustomAttributeDefinition id=“X” class=“au.edu.mq.melcoe.mams.sharpe.shib.aa.attrresolv.provider.CrosswalkAttributeDefinition”> <AttributeDependency requires=“idp:X"/> <AttributeDependency requires=“Y"/> </CustomAttributeDefinition> <SimpleAttributeDefinition id=“idp:X” sourceName=“X”> <DataConnectorDependency requires=“echo”/> </SimpleAttributeDefinition> META ACCESS MANAGEMENT SYSTEM

  30. Map file entry for SPa <Crosswalk …> <Map class=“…” functionName=“concat”> <Attribute>X</Attribute> <MapValue>idp:X + Y</MapValue> </Map> </Crosswalk> META ACCESS MANAGEMENT SYSTEM

  31. Future Works • Privacy settings for coarse-grain release policy • Hierarchical groups to implement ‘room in room’ concept (if enough requests) • Integrations with Grouper & Signet for local management (currently planned for GroupManager and PrivilegeManager) • Push Shib for ability to register new attributes to resolver for Attribute Mapping META ACCESS MANAGEMENT SYSTEM

  32. Questions? • Email: bliong@melcoe.mq.edu.au • ShARPE @ http://federation.org.au/ShARPE • MAMS @ http://mams.melcoe.mq.edu.au • Experiment http://opensharpe.federation.org.au • Sharpe-users mailing list http://federation.org.au/cgi-bin/mailman/listinfo • MAMS’ Easy Installation IdP with ShARPE http://federation.org.au/software/installcd META ACCESS MANAGEMENT SYSTEM

  33. Extra Slides META ACCESS MANAGEMENT SYSTEM

  34. Shib ARP Management • SP attribute requirements agreed negotiated manually (not scalable) • Site and User ARPs, no Group ARPs • Lack of service information for users (what attributes are required, released, for what reason) • Lack of interface for user ARP control • User can’t access ARP files META ACCESS MANAGEMENT SYSTEM

  35. Design Group ARP META ACCESS MANAGEMENT SYSTEM

  36. Design Attribute Mapping META ACCESS MANAGEMENT SYSTEM

  37. Policy Filter Chaining • Allowing policies (ARP) to be passed through chain of filters prior its final process on ArpEngine • Allow selective processing of policies • i.e. when user has attribute X set to Y, do not process group policy Z • Used by Autograph to “find what attributes affected by all policies without inclusion of user ARP” or similar use cases • http://federation.org.au/twiki/bin/view/Federation/PolicyFilter META ACCESS MANAGEMENT SYSTEM

  38. Policy Filter • Different types of Policy Filter, extendible design • Filter on different types of ARP • Filter on simple access control for the ARP (create, read, update, delete) • create is slightly difficult to enforce • Combination of filters and chaining META ACCESS MANAGEMENT SYSTEM

  39. Design PolicyFilter META ACCESS MANAGEMENT SYSTEM

  40. PolicyFilter Processing • For each activity identified as create, read, update, delete on the policy • Calls registered PolicyFilters • Arp’ = PolicyFilter(Arp) • The resultant policy is given back to the system • All active policies to be used by the system are processed prior being used META ACCESS MANAGEMENT SYSTEM

  41. Activating PolicyFilter <ReleasePolicyEngine> <ArpRepository implementation=“...provider.MAMSFileSystemArpRepository“> <PolicyFilter implementation=“..provider.PolicyTypeFilter”> <PolicyType>sitePolicy</PolicyType> <PolicyType>userPolicy</PolicyType> </PolicyFilter> … META ACCESS MANAGEMENT SYSTEM

More Related