Shibboleth Attribute Release Policy Editing Tools ShARPE CAMP Shib June 2006 Bruc Lee Liong [email protected] http://federation.org.au META ACCESS MANAGEMENT SYSTEM


Page 1: Shibboleth Attribute Release Policy Editing Tools ShARPE

Shibboleth Attribute Release Policy Editing Tools

ShARPE

CAMP Shib, June 2006

Bruc Lee Liong, [email protected]

http://federation.org.au

META ACCESS MANAGEMENT SYSTEM

Page 2: Shibboleth Attribute Release Policy Editing Tools ShARPE

Topics

• ShARPE & Autograph GUI
• SP Description Metadata
• Group ARP
• Attribute Mapping
• Policy Filter Chain


Page 3: Shibboleth Attribute Release Policy Editing Tools ShARPE

Part of MAMS IAM Suite (I really AM Sweet)

[Diagram: two tools, two roles]
• ShARPE, used by the IdP admin: ARP Management, Attribute mapping
• Autograph, used by the IdP member: Privacy Management

Page 4: Shibboleth Attribute Release Policy Editing Tools ShARPE

Context

[Diagram] The IdP admin manages the ARP through ShARPE; attributes flow from the IdP to the SP under the ARP; the user's side is Autograph. Legend: group ARPs, site ARP, user ARP.

Page 5: Shibboleth Attribute Release Policy Editing Tools ShARPE

Shibboleth ARP Editor (ShARPE)

• Provide a GUI-based editor to enable:
  - ARP admins to implement access contracts
  - Users to manage their ARPs
• Provide visibility to the user of:
  - attributes required by services
  - attributes released to services
  - service received in return for attributes
• Enable users to change their ARPs and hence exercise privacy control
• Helpdesk


Page 6: Shibboleth Attribute Release Policy Editing Tools ShARPE

New features

• ARP management GUI
• Group ARPs: current Shibboleth supports site and user ARPs only
• Service Descriptions: comprehensive information about an SP's service, service levels and attribute requirements
• Attribute Mapping: support for mapping between IdP and SP schemas
• Policy-filter-chain extension


Page 7: Shibboleth Attribute Release Policy Editing Tools ShARPE

ShARPE – ARP Administrator

ARP Admin:

• Import Service Description (Physics research database from Sandstone Uni), if never imported before
• Create site ARP (all communities get bronze access)
• Create group ARP (Physics community gets gold access)


Page 8: Shibboleth Attribute Release Policy Editing Tools ShARPE

Service Descriptions

• SP's Service and Service Level descriptions and attribute requirements
• Services may provide service levels (different functionality) based on supplied attributes, e.g. for an institutional repository or publisher: read access, adding comments/rank/annotations, submit access…
• Comprehensive Service Provider information is needed by both admins and users for 'sensible' attribute management
• ShARPE introduces 'Service Description' metadata to support a 'fully informative' GUI


Page 9: Shibboleth Attribute Release Policy Editing Tools ShARPE

SandstoneUniServiceDescription.xml


Page 10: Shibboleth Attribute Release Policy Editing Tools ShARPE

Service Description Editor


Page 11: Shibboleth Attribute Release Policy Editing Tools ShARPE

Service Description Editor (cont)


Page 12: Shibboleth Attribute Release Policy Editing Tools ShARPE


Page 13: Shibboleth Attribute Release Policy Editing Tools ShARPE

arp.site.xml


Page 14: Shibboleth Attribute Release Policy Editing Tools ShARPE


Page 15: Shibboleth Attribute Release Policy Editing Tools ShARPE

arp.group.Physics.xml


Page 16: Shibboleth Attribute Release Policy Editing Tools ShARPE


Autograph

Page 17: Shibboleth Attribute Release Policy Editing Tools ShARPE


Autograph

Page 18: Shibboleth Attribute Release Policy Editing Tools ShARPE

arp.user.sue.xml


Page 19: Shibboleth Attribute Release Policy Editing Tools ShARPE

Group ARP

• Reason: different department admins want to manage their own users
• No modification to the original Shib code; extends the Shib ARP structure
• Uses simplified flat groups (i.e. no hierarchical groups)
• Group information provided by a set of plugins: AttributeResolver (LDAP/DB/etc), file, etc.
• Simplified API to allow extensions
• Released Attributes = processing (site ARP + group ARPs + user ARP)
• http://federation.org.au/twiki/bin/view/Federation/GroupLookup


Page 20: Shibboleth Attribute Release Policy Editing Tools ShARPE

Activating Group ARP

<ReleasePolicyEngine>
  <ArpRepository implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.provider.MAMSFileSystemArpRepository">
    <Path>file:/usr/local/shibboleth-idp/etc/arps/</Path>

    <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.AttributeResolverGroupLookup">
      <ResolverConfig implementation="edu.internet2.middleware.shibboleth.aa.attrresolv.MAMSAttributeResolver">
        file:///usr/local/shibboleth-idp/etc/resolver.ldap.xml
      </ResolverConfig>
      <UserGroup>urn:mace:dir:attribute-def:eduPersonAffiliation</UserGroup>
    </GroupLookup>

    <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.PropertyFileGroupLookup" separator="%PRINCIPAL%.">
      <PropertyFile>file:///usr/local/shibboleth-idp/etc/sample.grouplookup.properties</PropertyFile>
      <GroupListing>institutionalGroupList</GroupListing>
      <GroupListing>groupList</GroupListing>
    </GroupLookup>
  </ArpRepository>
</ReleasePolicyEngine>


Page 21: Shibboleth Attribute Release Policy Editing Tools ShARPE

Example of Group Info (FlatFile)

sample.grouplookup.properties, read by PropertyFileGroupLookup:

# this defines institutional-wide groups
institutionalGroupList = Administrator, Staff, Researcher

# an example of local groups
groupList = Library, Physics, Biology, Walk-in

# user based attributes specifying the groups using 'memberOf'
# ann.memberOf = Researcher
# john.memberOf = Staff
# joe.memberOf = HeadOfSchool, Staff, Librarian


Page 22: Shibboleth Attribute Release Policy Editing Tools ShARPE

Attribute Mapping

• Not all organizations use the same schemas for attributes, so mapping is needed
• Attribute mapping functions:
  - One-to-One Mapping
  - Concatenation
  - Static Value assignment
  - Hashing (e.g. TargetedID)
• Examples:
  - Simple: 'email' to 'mail', or 'gender' to 'sex'
  - Complex: creating targetedID (e.g. hash(concat(SPname, email)))


Page 23: Shibboleth Attribute Release Policy Editing Tools ShARPE

Attribute Mapping GUI


Page 24: Shibboleth Attribute Release Policy Editing Tools ShARPE

What’s offered by AttributeResolver

• Rename (mail → email)
• Value mapping ("alumn" → "alumn", "alumni")
• Regex (changing to upper case)
• Formatted output
• Composite (A, B → "A B"); limited to attributes with the same number of rows
• Some others: StaticConnector, ScriptletAttributeDefinition, …
• All, with the exception of rename, are *newly* introduced in 1.3c


Page 25: Shibboleth Attribute Release Policy Editing Tools ShARPE

Shib implementation

• Scattered implementation, but simple as it revolves around resolver plugins
• No chaining (A → B → C, hence A = C)
• Some implementations are limited to certain conditions (i.e. cannot concat attributes of different length)
• Same map applicable to all SPs; no differentiation or per-SP mapping


Page 26: Shibboleth Attribute Release Policy Editing Tools ShARPE

MAMS Attribute Mapping implementation

• Ability to concatenate attributes with different numbers of rows
• One entry point for all mapping entries: one mapping engine (CustomAttributeDefinition)
• Different maps loaded for different SPs:
  - SP1 has mail → email
  - SP2 has fname + sn + '@nowhere.com' → e-mail
  - SP3 has …
• General mapping can be provided (i.e. a default mapping from eduPerson2MySchema applicable to all SPs)


Page 27: Shibboleth Attribute Release Policy Editing Tools ShARPE

Attribute Mapping for SPa: X = X + Y

1. Rename existing entry of X to X’ on resolver

2. Create map entry on resolver for X that depends on X’ and Y

3. Put X = X’ + Y on SPa’s map

4. Put X = X’ on default.mapper (for other SPs)


Page 28: Shibboleth Attribute Release Policy Editing Tools ShARPE

Processing attribute X

1. A request comes in to resolve X for SPa
2. X is registered to be handled by the mapper
3. Crosswalk for SPa loaded
   a) If no crosswalk is found, default.mapper is loaded
4. All of X's dependencies are provided to the Crosswalk
5. The map function tries to resolve X


Page 29: Shibboleth Attribute Release Policy Editing Tools ShARPE

Activating Attribute Mapping
• Done automatically by ShARPE when enabled

<CustomAttributeDefinition id="X"
    class="au.edu.mq.melcoe.mams.sharpe.shib.aa.attrresolv.provider.CrosswalkAttributeDefinition">
  <AttributeDependency requires="idp:X"/>
  <AttributeDependency requires="Y"/>
</CustomAttributeDefinition>

<SimpleAttributeDefinition id="idp:X" sourceName="X">
  <DataConnectorDependency requires="echo"/>
</SimpleAttributeDefinition>


Page 30: Shibboleth Attribute Release Policy Editing Tools ShARPE

Map file entry for SPa

<Crosswalk …>
  <Map class="…" functionName="concat">
    <Attribute>X</Attribute>
    <MapValue>idp:X + Y</MapValue>
  </Map>
</Crosswalk>
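The per-SP crosswalk mechanism of slides 22 and 26-30, worked through as an added example (a Python model written for this page, not the ShARPE/MAMS code): a default.mapper shared by all SPs, SP-specific map files that override it, a concat that copes with attributes of different row counts, and a targetedID built as hash(concat(SPname, email)). The function names, the 'quoted' literal syntax, SHA-256 and the SP-overrides-default rule are this example's assumptions.

```python
import hashlib
from typing import Dict, List

# Constructed model of per-SP attribute crosswalks (slides 22, 26-30). It is not the MAMS
# CrosswalkAttributeDefinition; function names and the 'quoted' literal syntax are assumptions.
Rows = List[str]

def _columns(deps: Dict[str, Rows], operands: List[str]) -> List[Rows]:
    # 'text' is a literal (static value assignment); anything else names an attribute dependency
    return [[a.strip("'")] if a.startswith("'") else deps.get(a, []) for a in operands]

def _cell(col: Rows, i: int) -> str:
    if len(col) == 1:
        return col[0]                        # a single value or a literal broadcasts to every row
    return col[i] if i < len(col) else ""    # an attribute with fewer rows is padded with ''

def fn_concat(deps: Dict[str, Rows], operands: List[str]) -> Rows:
    """Row-wise concatenation that tolerates different row counts (slide 26)."""
    cols = _columns(deps, operands)
    return ["".join(_cell(c, i) for c in cols) for i in range(max(map(len, cols), default=0))]

def fn_hash(deps: Dict[str, Rows], operands: List[str]) -> Rows:
    """targetedID-style hash(concat(SPname, email)); SHA-256 hex is this example's choice."""
    if any(not deps.get(a) for a in operands if not a.startswith("'")):
        return []                            # never derive an identifier from partial input
    return [hashlib.sha256(v.encode()).hexdigest() for v in fn_concat(deps, operands)]

FUNCTIONS = {"concat": fn_concat, "hash": fn_hash}

# Map files: attribute -> (functionName, MapValue operands). default.mapper is the general
# mapping for all SPs; an SP's own crosswalk overrides it attribute by attribute (assumption).
Crosswalk = Dict[str, tuple]
DEFAULT_MAPPER: Crosswalk = {"X": ("concat", ["idp:X"]), "email": ("concat", ["mail"])}
CROSSWALKS: Dict[str, Crosswalk] = {
    "SPa": {"X": ("concat", ["idp:X", "Y"]), "targetedID": ("hash", ["'SPa'", "mail"])},
    "SP2": {"e-mail": ("concat", ["fname", "sn", "'@nowhere.com'"]),
            "targetedID": ("hash", ["'SP2'", "mail"])},
}

def resolve(attr: str, sp: str, idp_attrs: Dict[str, Rows]) -> Rows:
    """Slide 28: load the SP's crosswalk (default.mapper if none), feed the dependencies, run the map."""
    crosswalk = {**DEFAULT_MAPPER, **CROSSWALKS.get(sp, {})}
    if attr not in crosswalk:
        return idp_attrs.get(attr, [])       # not registered with the mapper: passed through unchanged
    function_name, operands = crosswalk[attr]
    deps = {a: idp_attrs[a] for a in operands if a in idp_attrs}
    return FUNCTIONS[function_name](deps, operands)

# Constructed IdP attributes for one principal; a multi-valued attribute has several rows.
IDP_ATTRS: Dict[str, Rows] = {"idp:X": ["x1", "x2"], "Y": ["y1"],
                              "mail": ["sue@example.edu"], "fname": ["Sue"], "sn": ["Smith"]}
```

Resolving X for SPa yields idp:X + Y row by row, while any other SP falls back to X = idp:X from default.mapper (step 4 of slide 27); the two SPs get different targetedID values for the same principal, and no targetedID at all when mail is absent.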


Page 31: Shibboleth Attribute Release Policy Editing Tools ShARPE

Future Works

• Privacy settings for coarse-grain release policy
• Hierarchical groups to implement the 'room in room' concept (if enough requests)
• Integration with Grouper & Signet for local management (currently planned for GroupManager and PrivilegeManager)
• Push Shib for the ability to register new attributes with the resolver for Attribute Mapping


Page 32: Shibboleth Attribute Release Policy Editing Tools ShARPE

Questions?

Email: [email protected]
ShARPE @ http://federation.org.au/ShARPE
MAMS @ http://mams.melcoe.mq.edu.au
Experiment: http://opensharpe.federation.org.au
Sharpe-users mailing list: http://federation.org.au/cgi-bin/mailman/listinfo
MAMS' Easy Installation IdP with ShARPE: http://federation.org.au/software/installcd


Page 33: Shibboleth Attribute Release Policy Editing Tools ShARPE

Extra Slides


Page 34: Shibboleth Attribute Release Policy Editing Tools ShARPE

Shib ARP Management

• SP attribute requirements agreed and negotiated manually (not scalable)
• Site and User ARPs, no Group ARPs
• Lack of service information for users (what attributes are required, released, and for what reason)
• Lack of interface for user ARP control; users can't access ARP files


Page 35: Shibboleth Attribute Release Policy Editing Tools ShARPE

Design Group ARP


Page 36: Shibboleth Attribute Release Policy Editing Tools ShARPE

Design Attribute Mapping


Page 37: Shibboleth Attribute Release Policy Editing Tools ShARPE

Policy Filter Chaining

• Allows policies (ARPs) to be passed through a chain of filters prior to their final processing on the ArpEngine
• Allows selective processing of policies, i.e. when a user has attribute X set to Y, do not process group policy Z
• Used by Autograph to "find what attributes are affected by all policies without inclusion of the user ARP", or similar use cases
• http://federation.org.au/twiki/bin/view/Federation/PolicyFilter


Page 38: Shibboleth Attribute Release Policy Editing Tools ShARPE

Policy Filter

• Different types of Policy Filter, extensible design
• Filter on different types of ARP
• Filter on simple access control for the ARP (create, read, update, delete); create is slightly difficult to enforce
• Combination of filters and chaining


Page 39: Shibboleth Attribute Release Policy Editing Tools ShARPE

Design PolicyFilter


Page 40: Shibboleth Attribute Release Policy Editing Tools ShARPE

PolicyFilter Processing

• For each activity identified as create, read, update or delete on the policy:
  - Calls the registered PolicyFilters: Arp' = PolicyFilter(Arp)
  - The resultant policy is given back to the system
• All active policies to be used by the system are processed prior to being used


Page 41: Shibboleth Attribute Release Policy Editing Tools ShARPE

Activating PolicyFilter

<ReleasePolicyEngine>
  <ArpRepository implementation="...provider.MAMSFileSystemArpRepository">
    <PolicyFilter implementation="...provider.PolicyTypeFilter">
      <PolicyType>sitePolicy</PolicyType>
      <PolicyType>userPolicy</PolicyType>
    </PolicyFilter>
    …
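How the pieces of slides 19 and 37-41 fit together, as an added example (a Python model written for this page, not the MAMS implementation): the site ARP, the group ARPs for the principal's flat groups and the principal's own user ARP are selected, each is passed through a PolicyFilter chain (Arp' = PolicyFilter(Arp)), and the surviving policies are combined into the released attributes. The rule representation, the "any deny wins" combination and treating PolicyTypeFilter as an allow-list of policy types are this example's assumptions.

```python
from dataclasses import dataclass, field
from functools import reduce
from typing import Callable, Dict, List, Optional, Set

# Constructed model of site + group + user ARP processing (slide 19) behind a PolicyFilter chain
# (slides 37-41). Not the ShARPE/MAMS code: rule shape, "any deny wins" and PolicyTypeFilter
# acting as an allow-list of policy types are this example's assumptions.
ANY = "*"
@dataclass
class Arp:
    policy_type: str                                   # sitePolicy | groupPolicy | userPolicy
    name: str                                          # group name or principal the ARP belongs to
    permit: Dict[str, Set[str]] = field(default_factory=dict)   # attribute -> values, {ANY} = all
    deny: Set[str] = field(default_factory=set)                 # attributes never released

PolicyFilter = Callable[[Arp], Optional[Arp]]

def policy_type_filter(kept_types: Set[str]) -> PolicyFilter:
    """Modelled on <PolicyFilter ...PolicyTypeFilter>: keep the listed policy types, drop the rest."""
    return lambda arp: arp if arp.policy_type in kept_types else None

def run_chain(policies: List[Arp], chain: List[PolicyFilter]) -> List[Arp]:
    """Arp' = PolicyFilter(Arp) for each filter in turn; a None result drops that policy."""
    results = (reduce(lambda a, f: None if a is None else f(a), chain, p) for p in policies)
    return [r for r in results if r is not None]

def applicable(policies: List[Arp], principal: str, groups: Set[str]) -> List[Arp]:
    """Site ARP always; group ARPs for the principal's (flat) groups; the principal's own user ARP."""
    return [p for p in policies if p.policy_type == "sitePolicy"
            or (p.policy_type == "groupPolicy" and p.name in groups)
            or (p.policy_type == "userPolicy" and p.name == principal)]

def released(policies: List[Arp], user_attrs: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Released = processing(site ARP + group ARPs + user ARP): permits are unioned, any deny wins."""
    denied = {attr for p in policies for attr in p.deny}
    out: Dict[str, Set[str]] = {}
    for p in policies:
        for attr, values in p.permit.items():
            if attr in denied or attr not in user_attrs:
                continue
            allowed = user_attrs[attr] if ANY in values else user_attrs[attr] & values
            if allowed:
                out.setdefault(attr, set()).update(allowed)
    return out

# Constructed policies for the slide 7 scenario: bronze for everyone, gold for Physics; Sue hides mail.
POLICIES = [
    Arp("sitePolicy", "site", permit={"eduPersonAffiliation": {ANY}}),
    Arp("groupPolicy", "Physics", permit={"mail": {ANY}, "eduPersonEntitlement": {"urn:example:gold"}}),
    Arp("userPolicy", "sue", deny={"mail"}),
]
SUE_ATTRS = {"eduPersonAffiliation": {"member", "staff"}, "mail": {"sue@example.edu"},
             "eduPersonEntitlement": {"urn:example:gold", "urn:example:other"}}
def release_for(principal: str, groups: Set[str], user_attrs: Dict[str, Set[str]], chain=()):
    return released(run_chain(applicable(POLICIES, principal, groups), list(chain)), user_attrs)
```

Running the chain with policy_type_filter({"sitePolicy", "groupPolicy"}) drops the user ARP before processing, which is the Autograph view of what every other policy would release for Sue.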
