Shibboleth Trust Model

gyala

Presentation Transcript


  1. Shibboleth Trust Model
  • Shibboleth/SAML Communities (aka Federated Administrations)
  • Club Shib
  • Club Shib Application process
  • Policy decision points
    • at the origin attribute authority
    • at the club level, for target and origin
    • at the target resource level
  • Typical campus target management strategies

  2. Shibboleth/SAML Communities (aka Clubs)
  • A group of organizations (universities, corporations, content providers, etc.) who agree to exchange attributes using the SAML/Shibboleth protocols.
  • In doing so they implicitly or explicitly agree to abide by a common set of by-laws.
  • The rules and functions associated with a community include:
    • A registry to process applications and distribute club
    • A URI that provides information on local authentication and authorization practices
    • A set of agreements or best practices within the group on policies and business rules governing the exchange and use of attributes.
    • The set of attributes that are regularly exchanged (syntax and semantics).
    • A mechanism (WAYF) to identify a user’s security domains

  3. Club Shib
  • A co-op for higher education and its information providers
  • Members can be organizations that are origins (IdSP’s), targets (student loan services, content providers) or both (universities, museums, etc.)
  • Associated functions
    • Registry service to be operated by I2, and open to all.
    • eduOrg pointer to campus account management practices
    • Conventions on the management of exchanged attributes
    • Attribute sets (eduPerson and eduOrg) to use to exchange attributes
    • WAYF done via Wayfarer service

  4. Club Shib In-laws
  • Operational requirements
    • system PKI certificate profiles
    • install handle server at hs.yourschool.edu
    • etc.
  • Trust conventions
    • targets don’t misuse attributes
    • origins answer faithfully
    • origins post their account management policies

  5. Club Shib Registry service
  • Receives and processes applications
  • Operates Wayfarer (tm Jeff Hodges)
    • origin sites are listed
    • target sites can use
  • Ensures uniqueness of key identifiers among community members
  • Houses PKI components of Shib
    • institutional signing keys
    • bridging if important

  6. Club Shib Application Process
  • Complete origin/target Shibboleth tech info as required
  • Implement eduPerson and eduOrg?
  • Plug origins (campuses) into Wayfarer

  7. Campus Account Practices
  • Account affiliations/authorizations are set appropriately
  • Initial identification/password assignment process for accounts
  • Authentication mechanisms for account use
  • Policy on the reuse of account names (ePPN)
  • Business logic for key attributes, as the need surfaces
    • “member of community”
    • primary affiliation

  8. Target Policy Decision Points
  • at the Club level (basic firewall level)
  • at the target resource level
  • at the origin attribute authority

  9. Campus Management Strategies
  • Technical
    • SHAR for general Club Shib access
    • SHAR for more restricted sites (exclude origins with overly broad or sloppy practices)
    • Cluster sites with similar restrictions in a web tree
  • Policy
    • Account management
    • Directory and attribute management
    • Setting the defaults
    • Operating an attribute authority
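The layered decision points of slides 8 and 9 (club-level membership, a more restrictive SHAR for a protected web tree, attribute rules at the resource) can be modelled as a single ordered evaluation. The following is an added example, not code from the slides or from the Shibboleth project; the registry contents, origin names, resource names and attribute rules are constructed, and only the eduPersonAffiliation attribute name comes from the eduPerson schema the slides reference.

```python
"""Layered policy decision points for a Shibboleth target (illustrative model).

Added example; the club registry, origins and resource rules are constructed.
"""
from dataclasses import dataclass, field

# Constructed: origins the Club Shib registry has admitted (club-level PDP).
CLUB_REGISTRY = {
    "urn:mace:campus-a.example",
    "urn:mace:campus-b.example",
    "urn:mace:campus-c.example",
}


@dataclass
class Resource:
    name: str
    # Target-level PDP: origins this (more restricted) web tree refuses even
    # though they are club members, e.g. for overly broad account practices.
    excluded_origins: set = field(default_factory=set)
    # Resource-level PDP: required attribute -> set of acceptable values
    # (any one accepted value satisfies the rule).
    required: dict = field(default_factory=dict)


def decide(resource, origin, attributes):
    """Return (allowed, reason), evaluating club, then target, then resource
    level and stopping at the first decision point that denies."""
    # 1. Club level: is the asserting origin a registered club member?
    if origin not in CLUB_REGISTRY:
        return False, "club: origin not in Club Shib registry"
    # 2. Target level: does this site's SHAR exclude the origin?
    if origin in resource.excluded_origins:
        return False, "target: origin excluded for this resource"
    # 3. Resource level: attribute-based rule per required attribute.
    for attr, accepted in resource.required.items():
        values = set(attributes.get(attr, ()))
        if not values & set(accepted):
            return False, f"resource: {attr} must be one of {sorted(accepted)}"
    return True, "allowed"


# Constructed resources: a club-wide library site and a restricted subtree.
LIBRARY = Resource("library", required={"eduPersonAffiliation": {"member"}})
GRADES = Resource(
    "grades",
    excluded_origins={"urn:mace:campus-c.example"},
    required={"eduPersonAffiliation": {"faculty", "staff"}},
)
```

The returned reason names the level that denied, which is what a target administrator needs in order to tell a club-membership problem from a local exclusion or an attribute release gap.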

  10. Multiple Clubs and their consequence
  • Communities form clubs – Meteor, NDSL, Liberty
    • by-laws and membership committees
  • Within a club, members decide per-site policies that are consistent with the overall club policies and procedures
  • Balancing where and what to manage
  • Strength of I/A a repeated theme within and among clubs
  • User interface issues
    • attribute management
    • levels of authentication – logging in and out
  • A virtual Border Gateway Protocol (BGP)