Shibboleth and uApprove at University of Michigan
Luke Tracy – ltracy@umich.edu
Ken Hammer – khammer@umich.edu
What is uApprove?
• Developed by SWITCHaai under BSD License
• http://www.switch.ch/aai/support/tools/uApprove.html
• Purposes:
  • For the user, a mechanism to be informed about the release of attributes to a Service Provider (SP).
  • For the admin of an Identity Provider (IdP):
    • Provides a tool to implement data protection laws by requiring that user consent be obtained before personal attributes are released to an SP
    • Allows for collection of information about the release of attributes and accesses to SPs (if configured to do so).
Source: http://www.switch.ch/aai/support/tools/uApprove.html on June 15, 2010.
What is uApprove?
• From the user's point of view, uApprove is an application which presents a webpage on which to:
  • accept or decline the Terms of Use of a Shibboleth Identity Provider upon first access to the system (optional)
  • globally accept the release of attributes to any/all Service Providers
  • accept the release of attributes upon first access to a given Service Provider (if the global release has not been approved)
Note: The user can reset attribute release consent on a separate webpage, such that he/she will be asked again whenever attributes have to be released.
Source: http://www.switch.ch/aai/support/tools/uApprove.html on June 15, 2010.
U of M Attribute Release
• InCommon IdP had been operating in Pilot Mode
  • Opt-in required
  • Temporarily provided means to approve the release of identity data
• To move beyond Pilot:
  • Remove barriers
  • Make more self-describing
Governance Board
• Investigated how others were handling privacy concerns around attribute release
• Found a common desire existed to be able to have individuals approve the release of attributes
• Saw mention of uApprove being used within SWITCH
• Demonstrated uApprove to the IDM Governance Board
• Liked it, but had issues with changes to data and privacy settings after approval to release
• Looked into methods of detecting state changes and forcing re-approval
uApprove
• Determined the best method was to prompt each time (until a more elegant solution was possible, maybe)
• Discussed with the uApprove developers a method for forcing the prompt every time
• Decided together that in the short term, using database triggers was optimal
uApprove configuration
• Can use a flat file or a MySQL database for preferences
• Can be disabled on a per-SP basis
• Can configure which attributes are displayed and in what order
• Optional “Terms of Use” screen
• Multiple options for resetting preferences
Normally, uApprove looks like this…
• Presentation controlled by .jsp templates
• Template text strings stored separately to make translation easy
U-M localizations
• Database trigger / cron job combination to effect our desired login behavior
• Applied our SSO “skin” to the application
• Changed text to better suit our audience
attribute-resolver.xml

<resolver:AttributeDefinition id="displayName" xsi:type="Simple"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="displayName">
  <resolver:Dependency ref="mcomm" />
  <resolver:DisplayName xml:lang="en">Full Name</resolver:DisplayName>
  <resolver:DisplayDescription xml:lang="en">
    This is your full name.
  </resolver:DisplayDescription>
  ...
</resolver:AttributeDefinition>
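The DisplayName and DisplayDescription elements above are what the consent page shows to the user in place of raw attribute IDs, so an attribute that lacks them for the configured language is released with an unreadable label. The following added example (not part of the presentation or of uApprove itself) walks an attribute-resolver.xml fragment and lists every AttributeDefinition missing an English name or description; the sample XML is constructed for the example.

```python
"""Check that every Shibboleth AttributeDefinition in attribute-resolver.xml carries a
DisplayName and DisplayDescription for a given language, so uApprove's consent page
shows readable labels instead of raw attribute IDs."""
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample: one fully labelled attribute and one that only has a
# German display name and no description at all.
SAMPLE_XML = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="displayName" xsi:type="Simple"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="displayName">
    <resolver:Dependency ref="mcomm" />
    <resolver:DisplayName xml:lang="en">Full Name</resolver:DisplayName>
    <resolver:DisplayDescription xml:lang="en">
      This is your full name.
    </resolver:DisplayDescription>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="mail" xsi:type="Simple"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="mail">
    <resolver:Dependency ref="mcomm" />
    <resolver:DisplayName xml:lang="de">E-Mail</resolver:DisplayName>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>
"""

def attribute_labels(xml_text, lang="en"):
    """Return {attribute id: (display name or None, description or None)} for `lang`."""
    root = ET.fromstring(xml_text)
    labels = {}
    for attr in root.iter(f"{{{RESOLVER_NS}}}AttributeDefinition"):
        name = desc = None
        for child in attr:
            # Dependency and other children carry no xml:lang and are skipped.
            if child.get(XML_LANG) != lang or child.text is None:
                continue
            if child.tag == f"{{{RESOLVER_NS}}}DisplayName":
                name = " ".join(child.text.split())
            elif child.tag == f"{{{RESOLVER_NS}}}DisplayDescription":
                desc = " ".join(child.text.split())
        labels[attr.get("id")] = (name, desc)
    return labels

def unlabelled_attributes(xml_text, lang="en"):
    """IDs of attributes that would reach the consent page without a name or description."""
    return sorted(aid for aid, (name, desc) in attribute_labels(xml_text, lang).items()
                  if name is None or desc is None)

if __name__ == "__main__":
    print(attribute_labels(SAMPLE_XML))
    print("missing English labels:", unlabelled_attributes(SAMPLE_XML))
```

Run it against the real resolver file (read the file into `xml_text`) before enabling an attribute for release, and fix the labels rather than letting the prompt show an opaque ID.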
Resources
• uApprove - http://www.switch.ch/aai/support/tools/uApprove.html
• U-M InCommon Attribute Release Policy and Procedure - http://www.itd.umich.edu/itcsdocs/r1465/