eduPerson is only part of the answer
Leeds University
David Holdsworth & Ray Powell
http://www.personal.leeds.ac.uk/~ecldh/xlm4he/
XLM4HE project
• X.509 — identification
• LDAP — authorisation
• Middleware — incompatibilities
• for Higher Education — scalability, cost
Part of Internet2/JISC collaboration in UK
Shibboleth Architecture DRAFT
XLM4HE Interactions (diagram: Resource Provider's Web Server and XLM4HE Middleware)
Web site has step-by-step version: http://129.11.152.25/xlm4he
An Example
in which the Department of Futile Studies negotiates with a content provider called F-Systems to provide access to their on-line educational product called Futile Operations On-Line (FOOL)
4. LDAP search (between University and F-Systems):
   baseDN = namespace (i.e. FOOL)
   certNum = certificate serial number
   certSign = certificate signer
   FOOL is requested attribute
7. LDAP searchResponse (between University and F-Systems):
   DN = whatever policy specifies
   FOOL = user's status in accessing FOOL
Shibboleth Equivalent 1
• SHAR redirects browser to AA giving handle and product name (i.e. FOOL)

<?xml version="1.0" encoding="UTF-8" ?>
<ShibAttributeQuery ... >
  <Version>1.0</Version>
  <RequestID>00565d61-301c-1b1c-0010a4908950</RequestID>
  <Issuer>newman.leeds.ac.uk</Issuer>
  <IssueInstant>991702501</IssueInstant>
  <TargetURI>http://www.f-systems.co.uk/futility.html</TargetURI>
  <Handle>0015d1f1-307c-1b1c-9581-0010a4908950</Handle>
  <ProductID>FOOL</ProductID>
</ShibAttributeQuery>
Shibboleth Equivalent 2
• AA redirects browser to SHAR giving YES or NO

<ShibAttributeResponse ... >
  <Version>1.0</Version>
  <RequestID>00565d61-301c-1b1c-0010a4908950</RequestID>
  <Issuer>aa.iss.leeds.ac.uk</Issuer>
  <IssueInstant>991702561</IssueInstant>
  <Attributes>
    <ProductID>FOOL</ProductID>
    <status>yes</status>
  </Attributes>
</ShibAttributeResponse>
Vanilla Shibboleth
• AA redirects browser to SHAR giving eduPerson attributes

<ShibAttributeResponse ... >
  <Version>1.0</Version>
  <RequestID>00565d61-301c-1b1c-0010a4908950</RequestID>
  <Issuer>aa.psu.edu</Issuer>
  <IssueInstant>991702561</IssueInstant>
  <Attributes>
    <eduPersonPrincipalName>[email protected]</eduPersonPrincipalName>
    <eduPersonAffiliation>staff</eduPersonAffiliation>
    <eduPersonAffiliation>employee</eduPersonAffiliation>
    <eduPersonAffiliation>member</eduPersonAffiliation>
  </Attributes>
</ShibAttributeResponse>
Trust
• Target must trust university to answer honestly
  – Trust already needed to believe attributes
• Target must check that AA is trusted for requested product
  – i.e. there is a contractual relationship
  – could be global list of trusted AAs
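As an added illustration (not code from the XLM4HE project or the Shibboleth draft), a target-side decision routine that applies the trust check above to both response formats: the XLM4HE-style yes/no answer and the vanilla eduPerson attribute release. The trusted-AA list, the target policy and the sample messages are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses, modelled on the two formats shown above.
XLM4HE_STYLE = """<ShibAttributeResponse>
<Version>1.0</Version>
<RequestID>00565d61-301c-1b1c-0010a4908950</RequestID>
<Issuer>aa.iss.leeds.ac.uk</Issuer>
<IssueInstant>991702561</IssueInstant>
<Attributes><ProductID>FOOL</ProductID><status>yes</status></Attributes>
</ShibAttributeResponse>"""

VANILLA = """<ShibAttributeResponse>
<Version>1.0</Version>
<RequestID>00565d61-301c-1b1c-0010a4908950</RequestID>
<Issuer>aa.psu.edu</Issuer>
<IssueInstant>991702561</IssueInstant>
<Attributes>
<eduPersonPrincipalName>alice@example.edu</eduPersonPrincipalName>
<eduPersonAffiliation>staff</eduPersonAffiliation>
<eduPersonAffiliation>member</eduPersonAffiliation>
</Attributes>
</ShibAttributeResponse>"""

# Hypothetical: AAs the target has a contract with, per product (the
# "global list of trusted AAs" the Trust slide suggests).
TRUSTED_AAS = {"FOOL": {"aa.iss.leeds.ac.uk", "aa.psu.edu"}}
# Hypothetical: the target's own policy, needed only for vanilla Shibboleth.
TARGET_POLICY = {"FOOL": {"staff", "faculty", "student"}}


def decide(xml_text, product, expected_request_id):
    """Return True if the target should grant access to `product`."""
    root = ET.fromstring(xml_text)
    # Bind the response to the query we actually sent, so a stale or
    # replayed response for another request is not accepted.
    if root.findtext("RequestID") != expected_request_id:
        return False
    # Trust check from the deck: is this AA trusted for this product?
    if root.findtext("Issuer") not in TRUSTED_AAS.get(product, set()):
        return False
    attrs = root.find("Attributes")
    if attrs is None:
        return False
    # XLM4HE-style: the university decided; the target only reads yes/no
    # and verifies the answer is for the product it asked about.
    if attrs.find("ProductID") is not None:
        return (attrs.findtext("ProductID") == product
                and attrs.findtext("status") == "yes")
    # Vanilla Shibboleth: the target applies its own policy to the
    # released eduPerson attributes.
    affiliations = {a.text for a in attrs.findall("eduPersonAffiliation")}
    return bool(affiliations & TARGET_POLICY.get(product, set()))
```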
Conclusions
• Shibboleth has decision at target
• Attributes (eduPerson) sent to target
• Uniformity of eduPerson usage at all institutions is needed
• XLM4HE has decision at university
• Attribute release to target is minimal
• Simplicity at the target end
• More trust in the university is needed, but there has to be trust in either case.
Recommendation
• Include both mechanisms in Shibboleth architecture
• Let experience see whether decision is best at University or Resource Provider
More information: http://129.11.152.25/xlm4he/