1 / 27

SAFARI UKDA Shibboleth Authentication for Access to the Resource Infrastructures of the UKDA

SAFARI UKDA Shibboleth Authentication for Access to the Resource Infrastructures of the UKDA. SAFARI UKDA Current UKDA Registration System SAFARI UKDA Shibboleth Model. Current system. One-stop registration service – provides access to UKDA Census (CDU, CIDS, SARS, UK Borders, CHCC)

cais
Télécharger la présentation

SAFARI UKDA Shibboleth Authentication for Access to the Resource Infrastructures of the UKDA

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SAFARI UKDAShibboleth Authentication for Access to the Resource Infrastructures of the UKDA

  2. SAFARI UKDACurrent UKDA Registration SystemSAFARI UKDA Shibboleth Model

  3. Current system • One-stop registration service – provides access to • UKDA • Census (CDU, CIDS, SARS, UK Borders, CHCC) • ESDS International • User details held in a registration database at UKDA. World-wide registration. • Differential access control based on - Agreement to special conditions • Combination of user type and usage type (for UKDA survey data) • Authentication happens via Athens and Authorisation using UKDA Registration attributes

  4. SAFARI UKDA Shibboleth Model 1 3 2 4 5 6 9 7 8

  5. Choice of VOSP model • Normal Shibboleth flow is not broken • Use of scoped eduPersonPrincipalName attribute which is persistent across SPs • No requirement for SPs or IdPs to install any additional plug-in/make any additional modifications

  6. A user attempts to access a protected area of Resource WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP ACS HS ACS HS AR AA AR AA dB dB Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  7. The request is redirected to the HS of the Proxy IdP … WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 ACS HS ACS HS AR AA AR AA dB dB Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  8. … and on to the ACS of the Proxy SP WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 ACS HS ACS HS AR AA AR AA dB dB Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  9. The Proxy SP needs to know where the user is from, so forwards him to the WAYF … WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 ACS HS ACS HS AR AA AR AA dB dB Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  10. … where he selects his home institution … WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 ACS HS ACS HS AR AA AR AA dB dB Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  11. … and is redirected to the selected institution for authentication WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS AR AA AR AA dB dB Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  12. The user logs in using credentials at his home institution WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS AR AA AR AA dB dB Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  13. If this authentication is OK, the Home IdP sends a handle (H1) to the Proxy SP … WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS H1 5 AR AA AR AA dB dB Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  14. … where it is forwarded to the AR … WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS H1 5 6 AR AA AR AA dB dB Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  15. … and is used to request attributes from the user’s home institution WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS 5 6 7 AR AA AR H1 AA dB dB Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  16. At the Home IdP, the AA accesses the directory database … WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS 5 6 7 AR AA AR AA 8 dB dB Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  17. … and releasable attributes are passed to the Proxy SP WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS 5 6 7 AR AA AR AA 10 8 9 ePPN dB dB eduPersonPrincipalName (ePPN) attribute scoped by Home IdP Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  18. Control is returned to the HS of the Proxy IdP WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS 5 11 6 7 AR AA AR AA 10 8 9 ePPN dB dB eduPersonPrincipalName (ePPN) attribute scoped by Home IdP Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  19. A handle (H2) is sent to the ACS at the Resource … WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS H2 12 5 11 6 7 AR AA AR AA 10 8 9 ePPN dB dB eduPersonPrincipalName (ePPN) attribute scoped by Home IdP Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  20. … where it is forwarded to the AR … WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS H2 12 5 13 11 6 7 AR AA AR AA 10 8 9 ePPN dB dB eduPersonPrincipalName (ePPN) attribute scoped by Home IdP Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  21. … and is used to request attributes from the Proxy IdP WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS 12 5 13 11 6 14 7 AR H2 AA AR AA 10 8 9 ePPN dB dB eduPersonPrincipalName (ePPN) attribute scoped by Home IdP Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  22. At the Proxy IdP, the AA accesses the database … WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS 12 5 13 11 6 14 7 AR AA AR AA 10 8 15 9 ePPN dB dB eduPersonPrincipalName (ePPN) attribute scoped by Home IdP Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  23. … using the ePPN obtained from the Home IdP as a key … WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS 12 5 13 11 6 14 7 AR AA AR AA 10 8 15 9 ePPN dB dB ePPN attribute used as a key to retrieveUKDA attributes eduPersonPrincipalName (ePPN) attribute scoped by Home IdP Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  24. … and the user’s attributes are passed to the Resource WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS 12 5 13 11 6 14 7 AR AA AR AA 17 10 8 16 15 9 UKDA attributes ePPN dB dB ePPN attribute used as a key to retrieveUKDA attributes eduPersonPrincipalName (ePPN) attribute scoped by Home IdP Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  25. The Resource then makes an authorisation decision based on the attributes received WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS 12 5 13 11 6 14 7 AR AA AR AA 17 10 8 16 15 9 UKDA attributes ePPN dB dB ePPN attribute used as a key to retrieveUKDA attributes eduPersonPrincipalName (ePPN) attribute scoped by Home IdP Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  26. WAYF SAFARI UKDA VO Proxy IdP Proxy SP Resource Home IdP 1 2 3 4 ACS HS ACS HS 12 5 13 11 6 14 7 AR AA AR AA 17 10 8 16 15 9 UKDA attributes ePPN dB dB ePPN attribute used as a key to retrieveUKDA attributes eduPersonPrincipalName (ePPN) attribute scoped by Home IdP Key: AA – Attribute Authority; ACS – Assertion Consumer Service; AR – Attribute Requester; HS – Handle Service; WAYF – Where Are You From?

  27. Further information UKDA SAFARI web site – safari.data-archive.ac.uk/

More Related