06/05/2306/05/23META ACCESS MANAGEMENT SYSTEM

11

A Ship on the Grid– Interoperability between Shibboleth and the Grid –

Dr. Erik VullingsDr. Erik VullingsProgramme ManagerProgramme Manager

Macquarie University E-Learning Centre of Excellence (MELCOE)Macquarie University E-Learning Centre of Excellence (MELCOE)AustraliaAustralia

Erik.Vullings@melcoe.mq.edu.auErik.Vullings@melcoe.mq.edu.au

05/06/2305/06/23 22META ACCESS MANAGEMENT SYSTEM

Backing Australia’s AbilityBacking Australia’s AbilityDEST founded ARIIC to guide the first round of SII projects:DEST founded ARIIC to guide the first round of SII projects: Australian Digital Thesis (ADT)Australian Digital Thesis (ADT) Australian Partnership for Sustainable Repositories (APSR)Australian Partnership for Sustainable Repositories (APSR) Australian Research Repositories Online to the World (ARROW)Australian Research Repositories Online to the World (ARROW) Meta Access Management System (MAMS)Meta Access Management System (MAMS)

Financed by DEST till the end of 2006 (3y, $4.2 million ~ €2,7m)Financed by DEST till the end of 2006 (3y, $4.2 million ~ €2,7m)

FRODO (Federated Repositories of Digital Objects)

05/06/2305/06/23 33META ACCESS MANAGEMENT SYSTEM

Single Sign-OnDigital Identity Mgmt

Federated Identity Mgmt

Access Control

Provisioning

Federated search

Legacy plug-ins

05/06/2305/06/23 44META ACCESS MANAGEMENT SYSTEM

Projects I won’t spend a slide on…Projects I won’t spend a slide on…

Australian Inqueu-like FederationAustralian Inqueu-like Federation Easy Install CD, incl. registrationEasy Install CD, incl. registration Mini-grant program: Shibbolizing SPsMini-grant program: Shibbolizing SPs Shibbolizing Shibbolizing GridSphereGridSphere, DSpace, Zope/Plone, Wiki..., DSpace, Zope/Plone, Wiki...

Institutional Repository WebGUIInstitutional Repository WebGUI Fedora with XACMLFedora with XACML

Virtual Librarian ServiceVirtual Librarian Service Use Shibboleth to validate IM serviceUse Shibboleth to validate IM service

XACML editor for repository policiesXACML editor for repository policies XML-free interfaceXML-free interface

05/06/2305/06/23 55META ACCESS MANAGEMENT SYSTEM

Attribute Release PoliciesAttribute Release Policies

When I visit an SP, how do I present myself?When I visit an SP, how do I present myself?

Reference #123456Staff at Macquarie Uni

Erik VullingsStaff at Macquarie Uni

Erik VullingsErik@mq.edu.au

Staff at Macquarie Uni+61-(0)2-9850.6537

MQ

05/06/2305/06/23 66META ACCESS MANAGEMENT SYSTEM

Different cards open different doorsDifferent cards open different doors – Attributes give access to Features – – Attributes give access to Features –

Reference #123456Staff at Macquarie Uni

Erik VullingsStaff at Macquarie Uni

Erik VullingsErik@mq.edu.au

Staff at Macquarie Uni+61-(0)2-9850.6537

MQ

Enables access to repository

Allows me to rank material

Allows me to add comments

05/06/2305/06/23 77META ACCESS MANAGEMENT SYSTEM

Different cards open different doorsDifferent cards open different doors – Services & Service Level – – Services & Service Level –

05/06/2305/06/23 88META ACCESS MANAGEMENT SYSTEM

Multiple Attribute AuthorityMultiple Attribute Authority(Join SAML assertions as SP)(Join SAML assertions as SP)

Visit other IdP/AA and return

05/06/2305/06/23 99META ACCESS MANAGEMENT SYSTEM

AuthNAuthN federated Search (AFS) federated Search (AFS)(Delegated SAML Profile?)(Delegated SAML Profile?)

UniversityStaff member

FS

IdP

<<SP>>

R<<WS>>

S

<<SP>>

AFS

<<SP>>

R<<WS>>

S <<SP>>

Repositoryi

<<WS>>

Search

1Login via

WAYF & IdP

Access

Query

2aCreate UserShib session

(bypass WAYF)

3Query +

SessionID

<<SP>>

Repositoryi

<<Servlet>>

Attribute Mngr

<<WS>>

Search

2bTarget=SessionMngr/SessionID

OldNew

05/06/2305/06/23 1010META ACCESS MANAGEMENT SYSTEM

Shibbolizing MyProxyShibbolizing MyProxy(with Jim Basney & Von Welch)(with Jim Basney & Von Welch)

UniversityStaff member

IdP

1Login via

WAYF & IdP

2aCreate UserShib session

(bypass WAYF)

2bTarget=SessionMngr/SessionID

<<SP>>

GS Portal<<Portlet>>

MyProxy3

Get proxy cert + SessionID

MyProxy Server

<<SP>>

Attribute Mngr

MyProxy Server

GS Portal<<Portlet>>

MyProxyOldNew

Login withUsername1 & pwd1

Username2 & pwd2

05/06/2305/06/23 1111META ACCESS MANAGEMENT SYSTEM

Virtual OrganisationVirtual Organisation(Attribute Authority)(Attribute Authority)

1

UniversityStaff member

SP

Usersession

AttributeRequester

3 IdP

LDAPdirectory

AttributeAuthority

CredentialsRequestaccess

VO AAWAYF

VO members2

Redirect

Notes:1. At step 4 and 5, mapping of attr.

names and values can take place.2. Typical VO attr. are entitlements,

such as ethnicity, IEEE fellow, etc.3. Extendable between federations

4IdP

attributes

SPAR

5IdP+VO

attributes

IdPAA

LDAP(session)

ClaimTransformation

Service(CTS)

05/06/2305/06/23 1212META ACCESS MANAGEMENT SYSTEM

Federation A (Fa)

Federation B (Fb)IdP

IdP

IdP

IdP

IdP

IdP

SP

SP

SP

SP

CTSWAYF

CTS

WAYF

1

2

3

4

5

6

7

CTS: Claim Transformation ServiceWAYF: Where Are You FromIdP: Identity ProviderSP: Service Provider

Fed2Fed SSOFed2Fed SSO