
Guanxi
UHI / Ox / Leeds

Alistair Young, Senior Software Engineer (Àrd-Innleadair air Bathar-bog), UHI@Sabhal Mòr Ostaig

Guanxi
TERENA, Barcelona, September 8th 2005

Sean Mehan, Guanxi Project Manager
[email protected]


More information

Technical Description

Demonstration / ?s

Guanxi - Summary and Current State

Some Analysis of the Situation

WAFFLE


The Guanxi Project

Who is GuanXi? (i.e., who to blame...)


The Guanxi Project

UK JISC funded Core Middleware Project

Collaboration:

University of the Highlands and Islands (lead partner)

University of Leeds

University of Oxford

[Diagram: IdP, SP and WAYF components; Core Guanxi; SAMUEL; SAML]


What is Guanxi?

Guanxi has three main objectives:

To implement the Shibboleth 1.2 specification into a WS architecture and within a VLE

To extend and develop intra/inter-institutional AA functions

To create and use Shibboleth federations, based upon Bodington usage.

In the Chinese business world, “Guanxi” is understood as the network of relationships among various parties that cooperate and support one another

“...you scratch my back, I’ll scratch yours”

Guanxi is composed of two strands:

Integration of the Shibboleth reference implementation within the Bodington VLE - but now uses the GuanXi alternative.

Alternative implementation of the Shibboleth protocol, in an eLearning context


The Guanxi Project


[Diagram: user@org1 logs in to the org1 VLE (Bodington, with an authentication store backed by LDAP, JDBC or Webauth, and authentication and authorisation stores internal to Bodington); a standard Shibboleth Target at the org2 VLE serves resource.htm; steps numbered 1 to 5]


Strand 2

[Diagram: user@org1 logs in; the org2 GX SP sends a <samlp:AttributeQuery> to the org1 GX IdP, which answers with a <saml:Assertion> built from Attribute store 1, Attribute store 2 ... Attribute store n through a Policymap; a standard Shibboleth SP at the org2 VLE serves resource.htm; steps numbered 1 to 7]

JISC IE

[Diagram of the JISC Information Environment: provision layer (JISC funded content providers, institutional content providers, external content providers); fusion layer (brokers, aggregators, catalogues, indices, OpenURL resolvers); presentation layer (media specific portals, institutional portals, subject portals, learning management systems); end-user client; shared infrastructure (authentication / authorization services, service registries, terminology services, metadata schema registries, resolvers, institutional + user profiling services)]


Guanxi & SAMUEL

Shibboleth is a profile of SAML1.1 and also the default implementation

Shibboleth, the app, uses openSAML to implement the profile

openSAML is the Internet2 partial implementation of the SAML1.1 spec

Guanxi is an alternative implementation of the Shibboleth profile

Guanxi uses SAMUEL to implement the profile

SAMUEL is the Guanxi partial implementation of the SAML1.1 spec

[Diagram of the profile space: openSAML underneath Shibboleth, SAMUEL underneath Guanxi]

SAMUEL: SAMl Used in E Learning


SAMUEL

Partial implementation of SAML1.1

Partial implementation of SAML2 Metadata

Standalone Java SAML toolkit

Available as separate download

SAMl Used in ELearning

Metadata extensions for distributed Service Provider


Bodington + Guanxi: a Shibboleth compatible Virtual Learning Environment

[Diagram: Guanxi SP, Athens-Shibb Gateway and Shibboleth SP talking to Gx Bodington as IdP]

Bodington VLE with embedded Guanxi IdP

Minimal configuration - self-signed certs are auto-generated

True SSO

Very fine-grained user permission system, exposed as bodington_member attribute by Guanxi

Can login to your IdP to create users and manage their access rights


Web Service Enabled Service Provider

1. user@org1 accesses resource at org2

2. Filter sets up WS-Callback with SP

3. Filter redirects to federation WAYF

4. User’s SSO authenticates them

5. SSO replies to federation SP

6. Federation SP requests attributes on behalf of filter

7. User’s AA sends attributes to federation SP

8. Federation SP invokes WS-Callback to filter, which retrieves its attribute request data

9. Filter makes access decision based on attributes gathered by the federation SP

[Diagram: org2 server (webapp filter plus resource-specific modules (A/C)); org1 IdP (AA, SSO); federation server (institutional SP, WAYF); steps 1 to 9 as above]

Distributed architecture

Institutional SAML Server, satellite Guards

Can scale SAML servers to balance load


Guanxi IdP & SP

UHI - MA Cake Munching, Year 1, Cake Eating Etiquette module

Leeds have supplemental material for hopeless cake munchers

Student added to “No hopers” cohort in UHI Bodington

Course assertion comes from SITS, cohort assertion from Bodington

[Diagram: SITS, eDirectory and Bodington feed the Guanxi IdP at UHI, which talks Shibboleth to the Guanxi SP at Leeds in front of Leeds Bodington]

Extra-institutional learning material access based on hierarchical, aggregated attributes from multiple sources


Attribute Scatter

Attribute Acceptance Policies are defined by federations, not Shibboleth

Although only relevant attributes are supposed to be released, this doesn’t happen in the field

Lack of AttributeDesignator elements in an SP’s query means “give me everything you know about the user”

Everything allowed by the ARP is released to the SP, whether it’s relevant to the resource or not

Very difficult to determine in what capacity the user is accessing the resource. Are they staff who happen to also be a student?

Blunderbuss approach to attributes makes user role almost impossible to determine...


Scoping the user

Recent talk about user roles - staff and student - how to identify via eduPersonScopedAffiliation

Turn it on its head - how to populate eduPersonScopedAffiliation via a user’s role

Users choose roles by accessing properly scoped resources

If you access bodington.org/studentunion/chat.jsp then you’re “pretending” to be a student

The SP guarding chat.jsp should be configured to ask for eduCourse or similar. Not a blanket request for all attributes

IdP backs up user’s claim to be a student by returning eduCourse type thingy

eduPersonScopedAffiliation comes out naturally once the user’s role in the current access session is determined

The secret is in properly scoped resources
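As an added illustration of the attribute scatter problem and the scoped-resource alternative (this is example code, not Guanxi or SAMUEL code): an IdP-side release step applied to a constructed SAML 1.1 AttributeQuery. The user attributes, ARP contents, resource URL and handle are all made up; a query with no AttributeDesignator elements gets everything the ARP permits, a query that names eduCourse gets only that.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
SHIB_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"

# Constructed IdP-side view of user@org1, aggregated from several stores.
USER_ATTRS = {
    "eduPersonAffiliation": ["staff", "student"],
    "eduCourse": ["MA Cake Munching"],
    "bodington_member": ["No hopers"],
    "mail": ["user@org1.example"],
}
# Constructed ARP: everything org1 is willing to release to this SP at all.
ARP_ALLOWED = {"eduPersonAffiliation", "eduCourse", "bodington_member"}


def attribute_query(designators, resource):
    """Build a SAML 1.1 AttributeQuery; an empty designator list is the blanket query."""
    ds = "".join(
        f'<saml:AttributeDesignator AttributeName="{n}" AttributeNamespace="{SHIB_NS}"/>'
        for n in designators)
    return (f'<samlp:AttributeQuery xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" Resource="{resource}">'
            f'<saml:Subject><saml:NameIdentifier>handle-1234'
            f'</saml:NameIdentifier></saml:Subject>{ds}</samlp:AttributeQuery>')


def requested_attributes(query_xml):
    """Names listed in AttributeDesignator elements; an empty set means 'everything'."""
    root = ET.fromstring(query_xml)
    return {d.get("AttributeName") for d in root.iterfind("saml:AttributeDesignator", NS)}


def release(query_xml, arp=ARP_ALLOWED, attrs=USER_ATTRS):
    """IdP release: ARP-permitted attributes, narrowed to those the SP designated."""
    wanted = requested_attributes(query_xml) or set(arp)   # blanket query -> scatter
    return {n: v for n, v in attrs.items() if n in arp and n in wanted}


if __name__ == "__main__":
    chat = "https://bodington.org/studentunion/chat.jsp"   # constructed resource
    print("blanket:", release(attribute_query([], chat)))
    print("scoped: ", release(attribute_query(["eduCourse"], chat)))
```

The blanket query leaks the staff affiliation alongside the student-related attributes, which is exactly what makes the role ambiguous; the scoped query returns only the claim the resource needs.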


WUN WAFFLE

9 EU universities - Bergen, Bristol, Leeds, Manchester, Oslo, Sheffield, Southampton, Utrecht, York

5 US universities - UIUC, Penn State, Washington-Seattle, Wisconsin-Madison, UCSD

3 Chinese universities - Nanjing, Zhejiang

Worldwide Universities Network

Wide Area Freely Federated Learning Environment

Have another acronym. Don’t mind if I do!


Collaborative Online Course

MSc Bioinformatics - Leeds, Manchester, UCSD

MSc Geographical Information Systems - Leeds, Southampton, Penn State

Need to securely share learning resources with SSO. Ideal test bed for Shibboleth compatible systems in real eLearning


Information

Guanxi project website - http://guanxi.sourceforge.net/

Guanxi mailing list - [email protected]

Email the team - [email protected], [email protected], [email protected], [email protected]

Why does Alistair talk about cakes a lot? http://www.weblogs.uhi.ac.uk/sm00ay/?p=40


Demo & Questions