Guanxi - UHI / Ox / Leeds
Alistair Young, Senior Software Engineer
UHI @ Sabhal Mòr Ostaig (Àrd-Innleadair air Bathar-bog: Senior Software Engineer)
Guanxi, TERENA, Barcelona, September 8th 2005
Sean Mehan, Guanxi Project Manager
More information
Technical Description
Demonstration / Questions
Guanxi - Summary and Current State
Some Analysis of the Situation
WAFFLE
The Guanxi Project
UK JISC funded Core Middleware Project
Collaboration:
University of the Highlands and Islands (lead partner)
University of Leeds
University of Oxford
[Diagram: IdP, SP and WAYF layered over Core Guanxi, SAMUEL and SAML]
What is Guanxi?
Guanxi has three main objectives:
To implement the Shibboleth 1.2 specification into a WS architecture and within a VLE
To extend and develop intra/inter-institutional AA functions
To create and use Shibboleth federations, based upon Bodington usage.
In the Chinese business world, “Guanxi” is understood as the network of relationships among various parties that cooperate and support one another
“...you scratch my back, I’ll scratch yours”
Guanxi is composed of two strands:
Integration of the Shibboleth reference implementation within the Bodington VLE - but now uses the GuanXi alternative.
Alternative implementation of the Shibboleth protocol, in an eLearning context
The Guanxi Project
[Diagram, Strand 1: user@org1 logs in to the org1 VLE (authentication store: LDAP, JDBC or Webauth) and to resource.htm on the org2 VLE; Bodington keeps its authentication and authorisation stores internal; standard Shibboleth Target]
Strand 2
[Diagram, Strand 2: user@org1 logs in to the org2 VLE; the org2 GX SP sends a <samlp:AttributeQuery> to the org1 GX IdP, which applies a Policymap over attribute stores 1..n and returns a <saml:Assertion>; a standard Shibboleth SP is shown alongside; resource.htm is served at the final step]
[Diagram, JISC Information Environment: shared infrastructure (authentication / authorization services, service registries, terminology services, metadata schema registries, resolvers, institutional and user profiling services); provision layer (JISC funded, institutional and external content providers); fusion layer (brokers, aggregators, catalogues, indices, OpenURL resolvers); presentation layer (media specific, institutional and subject portals, learning management systems); end-user client]
Guanxi & SAMUEL
Shibboleth is a profile of SAML1.1 and also the default implementation
Shibboleth, the app, uses openSAML to implement the profile
openSAML is the Internet2 partial implementation of the SAML1.1 spec
Guanxi is an alternative implementation of the Shibboleth profile
Guanxi uses SAMUEL to implement the profile
SAMUEL is the Guanxi partial implementation of the SAML1.1 spec
[Diagram, profile space: Shibboleth built on openSAML; Guanxi built on SAMUEL (SAML Used in E Learning)]
SAMUEL
Partial implementation of SAML1.1
Partial implementation of SAML2 Metadata
Standalone Java SAML toolkit
Available as separate download
SAMUEL: SAML Used in E-Learning
Metadata extensions for distributed Service Provider
Bodington + Guanxi: A Shibboleth compatible Virtual Learning Environment
[Diagram: Guanxi SP, Athens-Shibboleth Gateway, Shibboleth SP, and Gx Bodington as IdP]
Bodington VLE with embedded Guanxi IdP
Minimal configuration - self-signed certs are auto-generated
True SSO
Very fine-grained user permission system, exposed as bodington_member attribute by Guanxi
Can login to your IdP to create users and manage their access rights
Web Service Enabled Service Provider
1. user@org1 accesses resource at org2
2. Filter sets up WS-Callback with SP
3. Filter redirects to federation WAYF
4. User’s SSO authenticates them
5. SSO replies to federation SP
6. Federation SP requests attributes on behalf of filter
7. User’s AA sends attributes to federation SP
8. Federation SP invokes WS-Callback to filter, which retrieves its attribute request data
9. Filter makes access decision based on attributes gathered by the federation SP
[Diagram: org2 server with webapp Filter and resource-specific modules (A/C); org1 IdP with AA and SSO; federation server with Institutional SP and WAYF; steps 1 to 9 as listed above]
Distributed architecture
Institutional SAML Server, satellite Guards
Can scale SAML servers to balance load
Guanxi IdP & SP
UHI - MA Cake Munching, Year 1, Cake Eating Etiquette module
Leeds have supplemental material for hopeless cake munchers
Student added to “No hopers” cohort in UHI Bodington
Course assertion comes from SITS, cohort assertion from Bodington
[Diagram: SITS and eDirectory feed the UHI Bodington / Guanxi IdP; Shibboleth to the Leeds Bodington / Guanxi SP]
Extra-institutional learning material access based on hierarchical, aggregated attributes from multiple sources
Attribute Scatter
Attribute Acceptance Policies are defined by federations, not Shibboleth
Although only relevant attributes are supposed to be released, this doesn’t happen in the field
Lack of AttributeDesignator elements from an SP means “give me everything you know about the user”
Everything allowed by the ARP is released to the SP, whether it’s relevant to the resource or not
Very difficult to determine in what capacity the user is accessing the resource. Are they staff who happen to also be a student?
Blunderbuss approach to attributes makes user role almost impossible to determine...
Scoping the user
Recent talk about user roles - staff and student - how to identify via eduPersonScopedAffiliation
Turn it on its head - how to populate eduPersonScopedAffiliation via a user’s role
Users choose roles by accessing properly scoped resources
If you access bodington.org/studentunion/chat.jsp then you’re “pretending” to be a student
The SP guarding chat.jsp should be configured to ask for eduCourse or similar. Not a blanket request for all attributes
IdP backs up user’s claim to be a student by returning eduCourse type thingy
eduPersonScopedAffiliation comes out naturally once the user’s role in the current access session is determined
The secret is in properly scoped resources
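As an added illustration of the Attribute Scatter and Scoping the user slides (example code, not Guanxi or SAMUEL code), this Python sketch builds a SAML 1.1 AttributeQuery with and without AttributeDesignator elements and runs an IdP-side release over a constructed ARP: the unscoped query gets everything the ARP allows, while the query from an SP guarding a student resource gets only eduCourse. The SP identifier carried in Resource, the attribute names and the user data are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"

# Constructed sample data: everything the org1 IdP knows about user@org1.
USER_ATTRIBUTES = {
    "eduPersonScopedAffiliation": ["staff@org1", "student@org1"],
    "eduCourse": ["cake-eating-etiquette"],
    "bodington_member": ["no-hopers"],
    "mail": ["user@org1"],
}
# Constructed ARP: the IdP is willing to release all of it to the org2 SP.
ORG2_SP = "https://sp.org2.example/shibboleth"
ARP = {ORG2_SP: set(USER_ATTRIBUTES)}


def attribute_query(sp, attribute_names):
    """Build a SAML 1.1 AttributeQuery; an empty name list yields no designators."""
    designators = "".join(
        f'<saml:AttributeDesignator AttributeName="{n}" AttributeNamespace="{SHIB_ATTR_NS}"/>'
        for n in attribute_names)
    return (f'<samlp:Request xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">'
            f'<samlp:AttributeQuery Resource="{sp}">'
            '<saml:Subject><saml:NameIdentifier>user@org1</saml:NameIdentifier></saml:Subject>'
            f'{designators}</samlp:AttributeQuery></samlp:Request>')


def requested_attributes(query_xml):
    """Names from the AttributeDesignator elements, or None when the SP sent none."""
    root = ET.fromstring(query_xml)
    names = {d.get("AttributeName") for d in root.findall(".//saml:AttributeDesignator", NS)}
    return names or None


def release(query_xml):
    """IdP-side release: ARP-permitted attributes, narrowed to what the SP asked for."""
    root = ET.fromstring(query_xml)
    sp = root.find(".//samlp:AttributeQuery", NS).get("Resource")
    allowed = ARP.get(sp, set())
    wanted = requested_attributes(query_xml)
    if wanted is None:            # no designators: "give me everything you know"
        wanted = allowed          # so the whole ARP-permitted set goes out
    return {name: USER_ATTRIBUTES[name] for name in sorted(allowed & wanted)}


if __name__ == "__main__":
    print("unscoped:", sorted(release(attribute_query(ORG2_SP, []))))
    print("scoped:  ", release(attribute_query(ORG2_SP, ["eduCourse"])))
```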
WUN WAFFLE
9 EU universities - Bergen, Bristol, Leeds, Manchester, Oslo, Sheffield, Southampton, Utrecht, York
5 US universities - UIUC, Penn State, Washington-Seattle, Wisconsin-Madison, UCSD
3 Chinese universities - Nanjing, Zhejiang
Worldwide Universities Network
Wide Area Freely Federated Learning Environment
Have another acronym. Don’t mind if I do!
Collaborative Online Course
MSc Bioinformatics - Leeds, Manchester, UCSD
MSc Geographical Information Systems - Leeds, Southampton, Penn State
Need to securely share learning resources with SSO. Ideal test bed for Shibboleth compatible systems in real eLearning
Information
Guanxi project website - http://guanxi.sourceforge.net/
Guanxi mailing list - [email protected]
Email the team - [email protected], [email protected], [email protected], [email protected]
Why does Alistair talk about cakes a lot? http://www.weblogs.uhi.ac.uk/sm00ay/?p=40