This presentation explores innovative strategies for managing Service Provider (SP) and Identity Provider (IdP) interactions in federated identity systems. With over 20 IdPs accumulated, the complexity of managing various IdP-SP combinations necessitates the development of a singular SP to streamline connections. We discuss the concept of attribute injection, the generation of globally unique identifiers, and the implementation of a 'guest account' system to facilitate user access. Join us for insights into enhancing user experience while addressing common challenges faced in federated identity management.
AAI @ TERENA EUROCamp 2010
Dyonisius Visser visser@terena.org www.terena.org
Where it all started
• REFEDS Wiki
• Dog food
• MediaWiki + SimpleSAMLphpAuth
• One SP
• Accumulated > 20 IdPs <lastname@terena.org>
Next SP comes along
• TACAR
• Will need to contact several IdPs again to exchange metadata
• 3rd SP
• 4th SP etc etc
Too many IdP-SP combinations
• Difficult to manage:
New approach: cheating
• Create one SP to connect all our IdPs to
• “Hide” all our REAL SPs behind that
• External IdPs only do business with a single TERENA SP
• We get to do fancy stuff at our magic SP
What could be the “?”
• Attribute injection
• authproc: SmartAttr.php
SmartAttr.php
• Generate globally unique identifier for ALL possible users
• Pick first available attribute name+value from:
  • eduPersonTargetedID
  • eduPersonPrincipalName
  • openid
  • sha1(salt.serialize(attributes))
• Append @$IdP
• Results:
SmartID examples:
• urn:mace:dir:attribute-def:eduPersonTargetedID:c4bcbe7ca8eac074565291fd5524caa88f3115c8@terena.org@https://login.terena.org/idp/saml2/idp/metadata.php
• urn:mace:dir:attribute-def:eduPersonPrincipalName:horvath@terena.org@https://login.terena.org/idp/saml2/idp/metadata.php
• openid:https://www.google.com/accounts/o8/id?id=AItOawk1wEwIIRLSKf6kWb_1Rb0X00psc3lPqWU@https://login.terena.org/bridge/saml2/idp/metadata.php
More attributes
• Fullname: Stolen from Olav
• Organisation: first available from:
  • organizationName
  • Uppercase version of schacHomeOrganization, without TLD
  • Uppercase version of email domain without TLD
  • Uppercase version of eduPersonPrincipalName domain without TLD
  • String ‘MY_ORG’
• Country, fname, lname, email, etc
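The SmartAttr.php slides above describe the identifier and organisation rules only in words. The following is an added Python model of that logic (it is not the SmartAttr.php authproc filter itself, which is PHP and not shown on the page). It assumes SimpleSAMLphp's attribute shape (name → list of values), uses the urn:mace attribute names from the SmartID examples, takes the email address from an attribute called `mail`, substitutes `json.dumps` for PHP's `serialize()` in the hash fallback, and names the injected attributes `smartID` and `organisation`; all of those are this example's assumptions.

```python
import hashlib
import json

# Identifier attributes tried in the slide's order; the urn:mace names are the
# ones shown in the SmartID examples (assumption: the filter sees these names).
ID_ATTRIBUTES = (
    "urn:mace:dir:attribute-def:eduPersonTargetedID",
    "urn:mace:dir:attribute-def:eduPersonPrincipalName",
    "openid",
)
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"


def first_available(attributes, names):
    """Return (name, value) for the first attribute in `names` with a non-empty value.

    `attributes` maps attribute name -> list of string values, as SimpleSAMLphp does.
    """
    for name in names:
        for value in attributes.get(name, []):
            if value:
                return name, value
    return None, None


def smart_id(attributes, idp_entity_id, salt):
    """Build the SmartID: '<attribute name>:<value>@<IdP entityID>'.

    When no identifier attribute is released, fall back to the slide's
    sha1(salt.serialize(attributes)). json.dumps with sorted keys stands in
    for PHP serialize() here (assumption).
    """
    name, value = first_available(attributes, ID_ATTRIBUTES)
    if name is None:
        blob = salt + json.dumps(attributes, sort_keys=True, separators=(",", ":"))
        name, value = "sha1", hashlib.sha1(blob.encode("utf-8")).hexdigest()
    return f"{name}:{value}@{idp_entity_id}"


def _without_tld(value):
    """Take the host part of 'user@host' (or a bare host) and drop its last DNS label."""
    host = value.rsplit("@", 1)[-1]
    labels = host.split(".")
    return ".".join(labels[:-1]) if len(labels) > 1 else host


def organisation(attributes):
    """Derive the organisation label in the slide's fallback order, ending with 'MY_ORG'."""
    _, value = first_available(attributes, ("organizationName",))
    if value:
        return value
    # schacHomeOrganization, then email domain ('mail' is an assumption), then ePPN domain.
    for attr in ("schacHomeOrganization", "mail", EPPN):
        _, value = first_available(attributes, (attr,))
        if value:
            return _without_tld(value).upper()
    return "MY_ORG"


def inject(attributes, idp_entity_id, salt):
    """Attribute injection: return a copy of the released attributes plus the derived ones."""
    out = {name: list(values) for name, values in attributes.items()}
    out["smartID"] = [smart_id(attributes, idp_entity_id, salt)]
    out["organisation"] = [organisation(attributes)]
    return out


if __name__ == "__main__":
    # Constructed sample: an IdP that releases only ePPN and schacHomeOrganization.
    idp = "https://login.terena.org/idp/saml2/idp/metadata.php"
    released = {EPPN: ["horvath@terena.org"], "schacHomeOrganization": ["terena.org"]}
    for name, values in inject(released, idp, "example-salt").items():
        print(name, values)
```

The fallback branch is the one to watch: because the hash covers the whole released attribute set, any change in what the IdP sends (a new attribute, a renamed department, a different salt) yields a different SmartID for the same person, so a user who only ever reaches the hash branch does not get a persistent identifier. That is the "Globally persistent ID" issue the last slide lists, and it argues for pairing the fallback with a guest account rather than treating it as stable.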
Group membership
• To be implemented…..
Concepts
• We will have homeless users -> guest accounts
• Everyone can login to any service
• “logged-in” does not mean anything (well….)
• https://tnc2010.omega.terena.org
• One page to manage all your data (‘profile’ page)
  • Similar to Switch.ch javascript sidebar
  • To be implemented
Issues encountered
• Changing your SP metadata at remote parties takes a long time (non-technical), so think twice
• Non-federated users – don’t run ourselves
• Too many guest options now!!!
• Provisioning before users log in -> not possible
• Globally persistent ID