Slide 2
Where it all started
› REFEDS Wiki
› Dog food
› MediaWiki + SimpleSAMLphpAuth
› One SP
› Accumulated > 20 IdPs
<lastname@terena.org>
Slide 3
Next SP comes along
› TACAR
› Will need to contact several IdPs again to exchange metadata
› 3rd SP
› 4th SP etc etc
Slide 4
Too many IdP-SP combinations
› Difficult to manage:
Slide 5
New approach: cheating
› Create one SP to connect all our IdPs to
› “Hide” all our REAL SPs behind that
› External IdPs only do business with a single TERENA SP
› We get to do fancy stuff at our magic SP
Slide 6
Slide 7
What could be the “?”
› Attribute injection
› authproc: SmartAttr.php
Slide 8
SmartAttr.php
› Generate globally unique identifier for ALL possible users
› Pick first available attribute name+value from:
› eduPersonTargetedID
› eduPersonPrincipalName
› openid
› sha1(salt.serialize(attributes))
› Append @$IdP
› Results:
Slide 9
SmartID examples:
› urn:mace:dir:attribute-def:eduPersonTargetedID:c4bcbe7ca8eac074565291fd5524caa88f3115c8@terena.org@https://login.terena.org/idp/saml2/idp/metadata.php
› urn:mace:dir:attribute-def:eduPersonPrincipalName:horvath@terena.org@https://login.terena.org/idp/saml2/idp/metadata.php
› openid:https://www.google.com/accounts/o8/id?id=AItOawk1wEwIIRLSKf6kWb_1Rb0X00psc3lPqWU@https://login.terena.org/bridge/saml2/idp/metadata.php
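The SmartID derivation from slides 8 and 9, as an added Python example (not the TERENA SmartAttr.php code): it takes the first available candidate attribute, falls back to sha1(salt.serialize(attributes)) using a PHP-compatible serializer, and scopes every result with @IdP entityID. The "sha1:" prefix for the fallback, the second IdP, the salt and the guest attribute values are constructed assumptions, not from the slides.

```python
import hashlib

# Candidate identifier attributes, in the order the slides give them;
# SimpleSAMLphp delivers SAML attributes under these urn:mace names.
CANDIDATES = [
    "urn:mace:dir:attribute-def:eduPersonTargetedID",
    "urn:mace:dir:attribute-def:eduPersonPrincipalName",
    "openid",
]

def php_serialize(attrs):
    """PHP serialize() for an array of string-keyed arrays of strings,
    so the fallback reproduces sha1(salt.serialize($attributes))."""
    out = "a:%d:{" % len(attrs)
    for key, values in attrs.items():
        out += 's:%d:"%s";a:%d:{' % (len(key.encode()), key, len(values))
        for i, value in enumerate(values):
            out += 'i:%d;s:%d:"%s";' % (i, len(value.encode()), value)
        out += "}"
    return out + "}"

def smart_id(attrs, idp, salt):
    """First available candidate as name:value, otherwise a salted hash of
    the whole attribute set (prefixed "sha1:", an assumption); the result
    is always scoped with @<IdP entityID> so two IdPs cannot collide."""
    for name in CANDIDATES:
        if attrs.get(name):
            return "%s:%s@%s" % (name, attrs[name][0], idp)
    digest = hashlib.sha1((salt + php_serialize(attrs)).encode()).hexdigest()
    return "sha1:%s@%s" % (digest, idp)

def demo():
    """Constructed sessions: the same ePPN from two IdPs stays distinct, and
    the hash fallback changes as soon as any asserted attribute changes."""
    idp_a = "https://login.terena.org/idp/saml2/idp/metadata.php"
    idp_b = "https://idp.example.org/saml2/idp/metadata.php"  # constructed
    eppn = {"urn:mace:dir:attribute-def:eduPersonPrincipalName": ["horvath@terena.org"]}
    bare = {"mail": ["guest@example.org"], "displayName": ["Guest"]}  # no identifier
    bare_changed = dict(bare, mail=["guest2@example.org"])
    salt = "constructed-secret-salt"
    return {
        "eppn_a": smart_id(eppn, idp_a, salt),
        "eppn_b": smart_id(eppn, idp_b, salt),
        "bare": smart_id(bare, idp_a, salt),
        "bare_changed": smart_id(bare_changed, idp_a, salt),
    }

if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

The fallback is only as stable as the attribute set: a changed mail value yields a new identity, which is the persistent-ID problem slide 13 lists.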
Slide 10
More attributes
› Fullname: Stolen from Olav
› Organisation: first available from:
› organizationName
› Uppercase version of schacHomeOrganization, without TLD
› Uppercase version of email domain without TLD
› Uppercase version of eduPersonPrincipalName domain without TLD
› String ‘MY_ORG’
› Country, fname, lname, email, etc
Slide 11
Group membership
› To be implemented…
Slide 12
Concepts
› We will have homeless users -> guest accounts
› Everyone can log in to any service
› “logged-in” does not mean anything (well…)
› https://tnc2010.omega.terena.org
› One page to manage all your data (‘profile’ page)
› Similar to Switch.ch javascript sidebar
› To be implemented
Slide 13
Issues encountered
› Changing your SP metadata at remote parties takes a long time (non-technical), so think twice
› Non-federated users – don’t run ourselves
› Too many guest options now!!!
› Provisioning before users log in -> not possible
› Globally persistent ID
Slide 14
Recommended