Authentication and Authorization exchange for University Federation
Y Yano, H Mitsuhara, Y Miyoshi, K Matsuura, K Kanenishi, M Nakagawa
The University of Tokushima / Kochi University

1. Background
• Informatization of higher education
• Introduction of many web systems
‣ Merit: increase convenience, e-Learning utilization, system cooperation
‣ Demerit: complex management

2. Problem
• User: many passwords, a separate authentication at each system
• Organization: scattered identity, synchronization of accounts between systems
How to solve?

3. Shibboleth
Features
• Open source
• Developed by Internet2 (MACE project)
• SAML implementation
• Distributed infrastructure
• Building federation
Components
• Identity Provider (IdP)
‣ Manage identity
‣ Authentication
‣ Release attribute
• Service Provider (SP)
‣ Protect resource
‣ Query attribute
‣ Control access
• Discovery Service (DS)
‣ Find the user's organization
‣ Multiple IdPs
‣ SAML feature
Federations (Name / Country)
• InCommon / United States
• SWITCHaai / Switzerland
• DFN-AAI / Germany
• UK Federation / United Kingdom
• Other federations...

4. Extension
[Figure: Shibboleth components and message flow, steps numbered 1-11. SP side (web server): SessionInitiator, AssertionConsumerService. IdP side (Tomcat): SSO, AttributeAuthority, AuthnHandler, Credential. DS between the two sides. Messages: AuthnRequest, Assertion/Attribute. Arrow types: Request/Response, Redirect, Internal.]

Authorization exchange
• Rewrite attribute between SP and web system (attribute → attribute')
• System architecture
‣ Mapping server
‣ Library called by web system
• Pattern matching
‣ Regular expression
‣ String
‣ XML base
[Figure: the attribute released by the Service Provider passes through the mapping server / library and the mapped result (attribute') is handed to the web system; process steps numbered 1-4.]
Why?
• Reduce operations: rule maintenance on the SP side < IdP side
• Authentication processing: user normalization

Anonymous user
• Decrease traceability
• For questionnaire
• One time account
• Each identity: different identities toward System A and System B, so the web system cannot identify the user
• Activity restriction: access restriction
[Image: the same user appears under different identities at System A and System B (unidentified); access restriction.]
Prototype
‣ UUID is the user identifier
‣ Lock inactivates the account
[Figure: the SP side sends an AuthnRequest to the AnonymousIdP; the AccountManager issues the UUID (Lock, Web Interface); the Assertion carries the UUID or NO; steps numbered 1-4.]

5. Future work
Practical use
• ek4 federation
‣ New federation in Japan
‣ 8 universities
‣ e-Learning, HRD, etc...
• Share educational materials
• Anonymous user
Formulation
• Federation policy
• Extension's specification
Development
• Reference implementation
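The authorization exchange of section 4 is described only by its parts (a mapping server or library between the SP and the web system, rules kept as XML, matched by string or regular expression). The following is an added example, not the poster's or the ek4 federation's code: a hypothetical Python library in that shape. The XML rule format, the rule attribute names (type, attribute, match, target, value) and the sample attribute values are assumptions; the eduPerson attribute names are standard, and the ';' separator is what the Shibboleth SP uses when it exports a multi-valued attribute.

```python
"""Attribute rewriting between a Shibboleth SP and a web system
(hypothetical example; not the poster's mapping server or library)."""
import re
import xml.etree.ElementTree as ET

# Constructed rule set. The rule format is an assumption: the poster says
# only that rules are XML based and matched by string or regular expression.
RULES_XML = r"""
<rules>
  <rule type="string" attribute="eduPersonAffiliation"
        match="faculty" target="role" value="teacher"/>
  <rule type="string" attribute="eduPersonAffiliation"
        match="student" target="role" value="learner"/>
  <rule type="regex" attribute="eduPersonScopedAffiliation"
        match="^([a-z]+)@([a-z0-9.-]+)$" target="organization" value="\2"/>
  <rule type="regex" attribute="eduPersonPrincipalName"
        match="^[^@]+@tokushima-u\.ac\.jp$" target="campus" value="tokushima"/>
</rules>
"""

# Constructed SP output; the Shibboleth SP joins multi-valued attributes with ';'.
SAMPLE_ATTRIBUTES = {
    "eduPersonPrincipalName": "user001@tokushima-u.ac.jp",
    "eduPersonAffiliation": "faculty;member",
    "eduPersonScopedAffiliation": "faculty@tokushima-u.ac.jp;member@tokushima-u.ac.jp",
}


def load_rules(xml_text):
    """Parse the XML rule document; regex rules are compiled once."""
    rules = []
    for el in ET.fromstring(xml_text).findall("rule"):
        rule = dict(el.attrib)
        if rule["type"] == "regex":
            rule["pattern"] = re.compile(rule["match"])
        elif rule["type"] != "string":
            raise ValueError("unknown rule type: %r" % rule["type"])
        rules.append(rule)
    return rules


def map_attributes(attributes, rules):
    """Rewrite SP attributes into the web system's attributes (attribute').

    Only targets produced by a matching rule reach the web system; whatever
    the SP released that no rule mentions is dropped (deny by default).
    Returns {target: sorted list of values}.
    """
    mapped = {}
    for rule in rules:
        raw = attributes.get(rule["attribute"])
        if raw is None:
            continue
        for value in raw.split(";"):
            if rule["type"] == "string":
                if value != rule["match"]:
                    continue
                out = rule["value"]
            else:
                m = rule["pattern"].search(value)
                if m is None:
                    continue
                out = m.expand(rule["value"])  # \1, \2 refer to regex groups
            mapped.setdefault(rule["target"], set()).add(out)
    return {target: sorted(values) for target, values in mapped.items()}


if __name__ == "__main__":
    print(map_attributes(SAMPLE_ATTRIBUTES, load_rules(RULES_XML)))
```

Two points a practitioner would check before deploying something like this: the mapping is an allow-list, so an attribute the SP releases but no rule names never reaches the web system; and the library is only as trustworthy as its input, so if the web system reads the attributes from HTTP request headers rather than from the server environment the SP populates, anyone who can reach the web system without passing through the SP can supply those headers themselves, whatever the rules say.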
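The anonymous user prototype of section 4 (UUID as the user identifier, Lock inactivating the account, assertion carrying the UUID or NO) is likewise shown only as a diagram. The following is an added example, not the poster's or the ek4 federation's code: a hypothetical Python model of the AnonymousIdP and AccountManager. The AuthnRequest and assertion are plain dictionaries standing in for the SAML messages, the entity IDs and principal are constructed, and the one-time-account and use-count behaviour is an assumption about how "one time account" and "activity restriction" would be realized.

```python
"""Anonymous user accounts for a federation: a hypothetical Python model of
the poster's AnonymousIdP, AccountManager and Lock (not the project's code)."""
import uuid
from dataclasses import dataclass

NO = "NO"  # asserted instead of a UUID when no usable anonymous account exists


@dataclass
class AnonAccount:
    anon_id: str         # the only identifier ever released to the SP
    principal: str       # real identity; never leaves the IdP
    sp_entity_id: str    # SP the UUID is bound to; other SPs get other UUIDs
    remaining_uses: int  # activity restriction; 1 = one-time account
    active: bool = True


class AccountManager:
    """Issues, consumes and locks anonymous accounts."""

    def __init__(self):
        self._current = {}   # (principal, sp) -> AnonAccount now in use
        self._by_id = {}     # anon_id -> AnonAccount, for Lock and the web interface
        self._locked = set() # (principal, sp) pairs an operator has locked

    def get_or_issue(self, principal, sp_entity_id, uses=1):
        key = (principal, sp_entity_id)
        if key in self._locked:
            return None  # a locked user must not simply be given a fresh UUID
        acct = self._current.get(key)
        if acct is None or not acct.active:
            acct = AnonAccount(str(uuid.uuid4()), principal, sp_entity_id, uses)
            self._current[key] = acct
            self._by_id[acct.anon_id] = acct
        return acct

    def consume(self, acct):
        acct.remaining_uses -= 1
        if acct.remaining_uses <= 0:
            acct.active = False  # a one-time account dies after its single use

    def lock(self, anon_id):
        """Lock inactivates the account. The lock is recorded against the real
        (principal, SP) pair: locking only the UUID would be undone by the
        next login, which mints a new one."""
        acct = self._by_id[anon_id]
        acct.active = False
        self._locked.add((acct.principal, acct.sp_entity_id))

    def resolve(self, anon_id):
        """Operator-only web interface: UUID -> principal (never given to the SP)."""
        return self._by_id[anon_id].principal


class AnonymousIdP:
    def __init__(self, entity_id, manager):
        self.entity_id = entity_id
        self.manager = manager

    def handle_authn_request(self, authn_request, principal):
        """authn_request is a constructed stand-in for a SAML AuthnRequest:
        {"id": ..., "issuer": <SP entityID>}. The principal is assumed to have
        been authenticated already by the IdP's ordinary AuthnHandler."""
        sp = authn_request["issuer"]
        acct = self.manager.get_or_issue(principal, sp)
        if acct is None:
            subject = NO
        else:
            subject = acct.anon_id
            self.manager.consume(acct)
        return {
            "issuer": self.entity_id,
            "audience": sp,
            "in_response_to": authn_request["id"],
            "subject": subject,  # UUID or NO
        }


if __name__ == "__main__":
    mgr = AccountManager()
    idp = AnonymousIdP("https://idp.example.ac.jp/idp/shibboleth", mgr)
    req = {"id": "_r1", "issuer": "https://sp-a.example.ac.jp/shibboleth"}
    first = idp.handle_authn_request(req, "user001")
    mgr.lock(first["subject"])
    print(first["subject"], idp.handle_authn_request(req, "user001")["subject"])
```

The design choice worth noticing is where the lock lives. Because a one-time account is discarded after use and the next login issues a new UUID, a lock stored only on the UUID would be meaningless; the AccountManager therefore keys the lock on the real (principal, SP) pair it alone knows, and the SP only ever observes that the assertion now says NO. Random UUIDs give the unlinkability the poster calls "decrease traceability"; a persistent pseudonym per SP would instead be derived from the principal and the SP entityID, and then the two systems could recognize a returning user without being able to correlate him with each other.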