1 Development of Attribute Provider for GakuNin Federation (to provide VO information)
2011.02.24 @ APAN Hong Kong
Motonori Nakamura, National Institute of Informatics, Japan
2 Realize “Single Sign On” by separation of authentication information from SPs
• To share ID/PW information among SPs
– Users are required to remember only one ID/PW
• “Federation” is an architecture to utilize the SSO technology among organizations
[Diagram: SPs P and Q; IdPs A (Univ. A) and B (Univ. B); User X with ID X1 and User Y with ID Y2; AuthN at the IdP, Access to the SP]
3 Using Attribute Provider to separate Group information from SPs
• To share group information among SPs
– For authorization
– For collaborative service
• To avoid “provider lock-in” and promote mash-up
[Diagram: Attribute Provider asserts isMemberOf: Grp-G to SPs P and Q; Group G Admin registers members; IdPs A (Univ. A) and B (Univ. B); User X and User Y]
4 [Service model transition] (1) Simple model only with IdP (SSO)
[Diagram: University A, B, C, each with a campus IdP; Identification, Register, issue of ID/PW, Use, AuthN; SP]
• Universities can provide exact identification of users
5 (2) Introducing CC-IdP to support all users (Classic Model)
[Diagram: University A, B, C with campus IdPs; Computer Center (CC) IdP; Identification, Register, issue of ID/PW, AuthN; SP]
• CC (Computer Center) provides National/Regional service for other universities
6 (3) Introducing Attribute Provider
[Diagram: University A, B, C with campus IdPs; CC IdP; Applications; User; SP; Attribute Provider with Grp Admin; Identification, Register, issue of ID/PW, AuthN, Authorization]
• Attribute Provider is operated by federation
7 (4) Introducing Shared IdP
[Diagram: University A, B, C with campus IdPs; Shared IdP at the Computer Center (CC); Applications; User; SP; Attribute Provider with Grp Admin; Identification, Register, issue of ID/PW, AuthN, Authorization]
8 Related Works to provide group (VO) information
• Grouper (Internet2)
– http://www.internet2.edu/grouper/
– Provides group management in an IdP
• COmanage (Internet2)
– http://www.internet2.edu/comanage/
– In progress
• VO system (SWITCH)
– http://www.switch.ch/vo
– In progress
9 Grouper
10 COmanage
11 SWITCH VO
12 Propagation of VO information in Shibboleth
• Supported by Shibboleth IdP/SP 2.2 or later
– An SP can send requests to Attribute Providers to get attribute information about an accessed user (as well as to an IdP)
• AP is specified by configuration of the SP
– Basic concept is described in a document about VO System by SWITCH
• http://www.switch.ch/aai/support/tools/vo-concept/
• User Interface and Internal Data Structure are out of scope of Shibboleth/SAML
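As an added illustration of the SP-side configuration this slide refers to (not part of the original presentation or of the GakuNin project's own code), the following Shibboleth SP 2.2+ excerpts make the SP query an Attribute Provider for isMemberOf and authorize on the result. The entityIDs, file names and the group name are placeholders; the last policy assumes the SP filters AP-sourced attributes with the AP's entityID as the issuer.

```xml
<!-- attribute-map.xml (excerpt): attributes the SP understands -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <!-- eduPersonPrincipalName from the IdP; used as the subject of the AP query -->
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn"/>
  <!-- isMemberOf, expected from the Attribute Provider -->
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>
</Attributes>

<!-- shibboleth2.xml, inside <ApplicationDefaults> (excerpt; element order matters) -->
<!-- The AP's metadata must carry an AttributeAuthorityDescriptor so the SP can find its query endpoint -->
<MetadataProvider type="XML" file="federation-metadata.xml"/>
<MetadataProvider type="XML" file="ap-metadata.xml"/>   <!-- placeholder file name -->

<AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>

<!-- Chain the usual query to the IdP with an attribute query to the AP.
     SimpleAggregation (SP 2.2 and later) sends the user's eppn as the query subject. -->
<AttributeResolver type="Chaining">
  <AttributeResolver type="Query" subjectMatch="true"/>
  <AttributeResolver type="SimpleAggregation" attributeId="eppn">
    <Entity>https://ap.gakunin.example/shibboleth</Entity>   <!-- placeholder AP entityID -->
  </AttributeResolver>
</AttributeResolver>

<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

<!-- shibboleth2.xml, RequestMapper (excerpt): authorize on the AP-supplied group -->
<Path name="grp-g-only" authType="shibboleth" requireSession="true">
  <AccessControl>
    <Rule require="isMemberOf">Grp-G</Rule>
  </AccessControl>
</Path>

<!-- attribute-policy.xml (excerpt): accept isMemberOf only when the AP issued it,
     so a value asserted by any IdP cannot satisfy the rule above. Assumes AP-sourced
     attributes are filtered with the AP as issuer; isMemberOf must not also be
     permitted by an issuer-agnostic policy elsewhere in this file. -->
<afp:AttributeFilterPolicy id="isMemberOfFromAP">
  <afp:PolicyRequirementRule xsi:type="basic:AttributeIssuerString"
      value="https://ap.gakunin.example/shibboleth"/>
  <afp:AttributeRule attributeID="isMemberOf">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

Which groups the AP discloses to this SP is decided by the AP's own release policy, not by anything in the SP configuration.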
13 User Interfaces to utilize Attribute Provider
[Diagram: SP and IdP exchange SAML with the AP System; the User Interface of the AP System serves the Admin of a group and the User; Attribute (Personal)]
14 Privacy Issue on Simple Model
• Group info is also sent to other SPs since Group is not bound to a specific SP
[Diagram: Attribute Provider answers a Request of Group Info on User Y from SPs P and Q with isMemberOf: Grp-G, Grp-H; Grp G and Grp H Admins; Applications; IdPs A, B, C (Univ. A, B, C); Users X, Y, Z]
15 Another Style of Group Administration
• Consortium of Faculties, Laboratories, etc.
• Separation of Responsibility
[Diagram: Attribute Provider answers a Request of Group Info on User X from SP P with isMemberOf: Grp-G, Grp-A; Grp G (Law Faculty Federation) with Admin of Faculty of Law; Consortium groups Grp A, B, C with their own Admins; Applications; IdPs A, B, C (Univ. A, B, C); Users X, Y, Z]
16 Issues on Membership Administration
• How to know ID of a member by group admin?
– Search? Direct communication?
– eduPersonPrincipalName for a user?
• How to know group name to join by a member?
• How to define namespace for groups?
• How to know SP related to the group?
• Does membership registration have to be confirmed by a member to be added?
• How is automatic service subscription supported?
• Is reuse of a group name possible?
– A group should not be replaced silently
17 Future Plan
• Basic Design of Attribute Provider
– Implementation (1Q of 2011)
– Evaluation with some simple SPs
• Consideration to apply SPs which provide contents with contract
– e-journal, e-book, etc.
• Apply to collaboration services which require more information
– Mailing Lists, SNS, etc.