Shibboleth Attribute Release Policy Editing Tools ShARPE - PowerPoint PPT Presentation
Slides: 42
Learn more at: https://net.educause.edu

Transcript and Presenter's Notes
1
Shibboleth Attribute Release Policy Editing Tools (ShARPE)
  • CAMP Shib, June 2006
  • Bruc Lee Liong
  • bliong@melcoe.mq.edu.au
  • http://federation.org.au

2
Topics
  • ShARPE & Autograph GUI
  • SP Description Metadata
  • Group ARP
  • Attribute Mapping
  • Policy Filter Chain

3
Part of the MAMS IAM Suite (I really AM Sweet)
  [Diagram, labels only: Autograph, ShARPE, IdP, ARP Management, Privacy Management, IdP admin, IdP member, Attribute mapping]
4
Context
  [Diagram, labels only: Autograph, attributes, IdP, SP, ARP, ShARPE, user ARP, site ARP, IdP admin, group ARPs]
5
Shibboleth ARP Editor (ShARPE)
  • Provide a GUI-based editor to enable
    • ARP admins to implement access contracts
    • Users to manage their own ARPs
  • Provide visibility to the user of
    • the attributes required by services
    • the attributes released to services
    • the service received in return for those attributes
  • Enable users to change their ARPs and hence exercise
    privacy control
  • Helpdesk

6
New features
  • ARP management GUI
  • Group ARPs
    • Current Shibboleth supports only site and user ARPs
  • Service Descriptions
    • Comprehensive information about an SP's service,
      service levels and attribute requirements
  • Attribute Mapping
    • Support for mapping between IdP and SP schemas
  • Policy-filter-chain extension

7
ShARPE ARP Administrator
  • ARP Admin
    • Import the Service Description (Physics research
      database from Sandstone Uni) if never imported
      before
    • Create site ARP (all communities get bronze
      access)
    • Create group ARP (Physics community gets gold
      access)

8
Service Descriptions
  • The SP's service and service-level descriptions and
    attribute requirements
  • Services may provide service levels (different
    functionality) based on the supplied attributes
    • e.g. for an institutional repository or publisher:
      read access, adding comments/ranks/annotations,
      submit access
  • Comprehensive Service Provider information is needed
    by both admins and users for sensible attribute
    management
  • ShARPE introduces Service Description metadata
    to support a fully informative GUI

9
SandstoneUniServiceDescription.xml
10
Service Description Editor
11
Service Description Editor (cont)
12
(No Transcript)
13
arp.site.xml
14
(No Transcript)
15
arp.group.Physics.xml
16
Autograph
17
Autograph
18
arp.user.sue.xml
19
Group ARP
  • Reason: different departmental admins want to manage
    their own users
  • No modification to the original Shib code
  • Extends the Shib ARP structure
  • Uses simplified, flattened groups (i.e. no
    hierarchical groups)
  • Group information provided by a set of plugins:
    AttributeResolver (LDAP/DB/etc), file, etc.
  • Simplified API to allow extensions
  • Released-attributes processing combines the site ARP,
    the group ARPs and the user ARP
  • http://federation.org.au/twiki/bin/view/Federation
    /GroupLookup

20
Activating Group ARP
  <ReleasePolicyEngine>
    <ArpRepository implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.provider.MAMSFileSystemArpRepository">
      <Path>file:/usr/local/shibboleth-idp/etc/arps/</Path>
      <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.AttributeResolverGroupLookup">
        <ResolverConfig implementation="edu.internet2.middleware.shibboleth.aa.attrresolv.MAMSAttributeResolver">
          file:///usr/local/shibboleth-idp/etc/resolver.ldap.xml
        </ResolverConfig>
        <UserGroup>urn:mace:dir:attribute-def:eduPersonAffiliation</UserGroup>
      </GroupLookup>
      <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.PropertyFileGroupLookup"
                   separator="PRINCIPAL.">
        <PropertyFile>file:///usr/local/shibboleth-idp/etc/sample.grouplookup.properties</PropertyFile>
      </GroupLookup>
      <!-- closing tags for ArpRepository and ReleasePolicyEngine are not shown on the slide -->

21
Example of Group Info (FlatFile)
  • sample.grouplookup.properties, read by PropertyFileGroupLookup:
      # institution-wide groups
      institutionalGroupList = Administrator, Staff, Researcher
      # an example of local groups
      groupList = Library, Physics, Biology, Walk-in
      # per-user entries naming the user's groups via memberOf
      ann.memberOf = Researcher
      john.memberOf = Staff
      joe.memberOf = HeadOfSchool, Staff, Librarian
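As an added example (not ShARPE or MAMS code) of the group-ARP processing described on the Group ARP slide and the flat-file group lookup on this slide, the following Python models how a site ARP, the group ARPs of a principal's groups and the user ARP are merged for one SP request. It assumes the Shibboleth 1.3 ARP vocabulary (Rule, Target, Requester, Attribute, AnyValue, Value with release="permit"|"deny"), that rules from every applicable ARP are merged with deny overriding permit, and that group ARP files are named arp.group.<Group>.xml; the SP identifier, ARP contents and attribute values are constructed for the example, and attribute names are abbreviated rather than full urn:mace:dir names.

```python
# Added example, not ShARPE/MAMS code: a simplified model of how the site ARP,
# the group ARPs of a principal's groups and the user ARP combine for a request.
# Assumed here (the slides do not spell it out): ARP files use the Shibboleth 1.3
# ARP vocabulary (Rule/Target/Requester/Attribute/AnyValue/Value, release=
# permit|deny); rules of every applicable ARP are merged and deny beats permit;
# groups come from a flat file in the memberOf format shown on the slide.
import xml.etree.ElementTree as ET

ARP_NS = "urn:mace:shibboleth:arp:1.0"
SP_PHYSICS = "https://physics.sandstone.example/shibboleth"   # constructed SP id

# Constructed group file in the sample.grouplookup.properties style.
GROUP_PROPERTIES = """
institutionalGroupList = Administrator, Staff, Researcher
groupList = Library, Physics, Biology, Walk-in
ann.memberOf = Researcher, Physics
john.memberOf = Staff
joe.memberOf = HeadOfSchool, Staff, Librarian
"""

def load_groups(text):
    """Parse 'PRINCIPAL.memberOf = g1, g2' lines into {principal: {groups}}."""
    groups = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.endswith(".memberOf"):
            groups[key[:-len(".memberOf")]] = {g.strip() for g in value.split(",") if g.strip()}
    return groups

def arp(description, rules):
    """Minimal ARP document from (requester, attr, value, decision) tuples;
    requester None means <AnyTarget/>, value None means <AnyValue/>."""
    body = ""
    for requester, attr, value, decision in rules:
        target = "<AnyTarget/>" if requester is None else f"<Requester>{requester}</Requester>"
        val = (f'<AnyValue release="{decision}"/>' if value is None
               else f'<Value release="{decision}">{value}</Value>')
        body += f'<Rule><Target>{target}</Target><Attribute name="{attr}">{val}</Attribute></Rule>'
    return (f'<AttributeReleasePolicy xmlns="{ARP_NS}"><Description>{description}'
            f"</Description>{body}</AttributeReleasePolicy>")

# Constructed ARPs named like the files on the slides (arp.site.xml, arp.group.Physics.xml, ...).
ARP_FILES = {
    "arp.site.xml": arp("all communities get bronze",
                        [(None, "eduPersonAffiliation", None, "permit")]),
    "arp.group.Physics.xml": arp("Physics community gets gold",
                                 [(SP_PHYSICS, "mail", None, "permit"),
                                  (SP_PHYSICS, "eduPersonEntitlement", "gold", "permit")]),
    "arp.user.ann.xml": arp("ann withholds her mail address",
                            [(SP_PHYSICS, "mail", None, "deny")]),
}

def applicable_arps(principal, groups):
    """Site ARP, one ARP per group the principal belongs to, then the user ARP."""
    names = ["arp.site.xml"] + [f"arp.group.{g}.xml" for g in sorted(groups.get(principal, ()))]
    names.append(f"arp.user.{principal}.xml")
    return [ARP_FILES[n] for n in names if n in ARP_FILES]

def evaluate(principal, requester, attributes, groups):
    """Return {attr: [released values]} for one request; attributes is {name: [values]}."""
    decisions = {}                                  # (attr, value) -> permit | deny
    for doc in applicable_arps(principal, groups):
        for rule in ET.fromstring(doc).iter(f"{{{ARP_NS}}}Rule"):
            req = rule.find(f"{{{ARP_NS}}}Target/{{{ARP_NS}}}Requester")
            if req is not None and req.text.strip() != requester:
                continue                            # rule targets a different SP
            for attr in rule.iter(f"{{{ARP_NS}}}Attribute"):
                name = attr.get("name")
                for child in attr:                  # AnyValue or Value elements
                    values = attributes.get(name, []) if child.tag.endswith("AnyValue") else [child.text]
                    for v in values:
                        prev = decisions.get((name, v))
                        # a deny from any applicable ARP overrides a permit from another
                        decisions[(name, v)] = "deny" if "deny" in (prev, child.get("release")) else "permit"
    released = {}
    for name, values in attributes.items():
        keep = [v for v in values if decisions.get((name, v)) == "permit"]
        if keep:
            released[name] = keep
    return released

if __name__ == "__main__":
    groups = load_groups(GROUP_PROPERTIES)
    attrs = {"eduPersonAffiliation": ["staff"], "mail": ["ann@example.edu"],
             "eduPersonEntitlement": ["gold", "bronze"]}
    print(evaluate("ann", SP_PHYSICS, attrs, groups))   # ann's user ARP denies mail
    print(evaluate("john", SP_PHYSICS, attrs, groups))  # site ARP only
```

Note the two checks worth keeping in any real evaluator: a rule whose Requester names another SP contributes nothing, and an attribute value that no applicable ARP explicitly permits is never released, so the site ARP's "bronze" access is exactly what a user with no group ARP gets.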

22
Attribute Mapping
  • Not all organizations use the same schemas for
    attributes, so mapping is needed
  • Attribute mapping functions
    • One-to-one mapping
    • Concatenation
    • Static value assignment
    • Hashing (e.g. targetedID)
  • Examples
    • Simple: email → mail, or gender → sex
    • Complex: creating targetedID (e.g.
      hash(concat(SPname, email)))

23
Attribute Mapping GUI
24
What's offered by AttributeResolver
  • Rename (mail → email)
  • Value mapping (alumn → alumn, alumni)
  • Regex (e.g. changing to upper case)
  • Formatted output
  • Composite (A, B → A+B). Limited to attributes with
    the same number of rows
  • Some others, e.g. StaticConnector, ScriptletAttributeDefinition
  • All, with the exception of rename, are newly
    introduced in 1.3c

25
Shib implementation
  • Scattered implementation, but simple as it revolves
    around resolver plugins
  • No chaining (A → B → C, hence A → C)
  • Some implementations are limited to certain
    conditions (e.g. cannot concat attributes with a
    different number of values)
  • The same map applies to all SPs; no
    differentiation or per-SP mapping

26
MAMS Attribute Mapping implementation
  • Ability to concatenate attributes with different
    numbers of rows
  • One entry point for all mapping entries → one
    mapping engine (CustomAttributeDefinition)
  • Different maps loaded for different SPs
    • SP1 has mail → email
    • SP2 has fname + sn + "@nowhere.com" → e-mail
    • SP3 has
  • A general mapping can be provided (i.e. a default
    mapping from eduPerson2MySchema applicable to all
    SPs)

27
Attribute Mapping for SPa: X = X' + Y
  • Rename the existing entry for X to X' on the resolver
  • Create a map entry on the resolver for X that depends
    on X' and Y
  • Put X = X' + Y on SPa's map
  • Put X = X' on default.mapper (for the other SPs)

28
Processing attribute X
  • A request comes in to resolve X for SPa
  • X is registered to be handled by the mapper
  • The crosswalk for SPa is loaded
  • If no crosswalk is found, default.mapper is loaded
  • All of X's dependencies are provided to the crosswalk
  • The map function tries to resolve X

29
Activating Attribute Mapping
  • Done automatically by ShARPE when enabled
  <CustomAttributeDefinition id="X"
      class="au.edu.mq.melcoe.mams.sharpe.shib.aa.attrresolv.provider.CrosswalkAttributeDefinition">
    <AttributeDependency requires="idpX"/>
    <AttributeDependency requires="Y"/>
  </CustomAttributeDefinition>
  <SimpleAttributeDefinition id="idpX" sourceName="X">
    <DataConnectorDependency requires="echo"/>
  </SimpleAttributeDefinition>

30
Map file entry for SPa
  <Crosswalk>
    <Map class="" functionName="concat">   <!-- class value not shown on the slide -->
      <Attribute>X</Attribute>
      <MapValue>idpX Y</MapValue>
    </Map>
  </Crosswalk>
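As an added example (not MAMS or ShARPE code) of the mapping functions listed on the Attribute Mapping slide and the per-SP crosswalk processing described on the preceding four slides, the following Python implements a small crosswalk engine: the SP's map file is loaded, default.mapper is the fallback, and each Map entry names a function applied to the resolver attributes listed in MapValue. The map files, attribute values and function names rename/static/concat/hash are constructed for the example; the cartesian-product semantics for concatenating multi-valued attributes and the use of SHA-1 for the targetedID-style hash are assumptions, since the slides only say that different row counts are supported and that targetedID is hash(concat(SPname, email)).

```python
# Added example, not MAMS/ShARPE code: a crosswalk engine modelling the per-SP
# attribute mapping on the slides. Assumed: map files keyed by SP name with
# "default.mapper" as fallback; functionName is one of rename/static/concat/hash;
# MapValue lists the resolver attributes consumed, in order; concat over
# multi-valued inputs is a cartesian product; hash is SHA-1 of the concatenation.
import hashlib
import itertools
import xml.etree.ElementTree as ET

# Constructed map files. SPa gets X = idpX + Y; every other SP gets X = idpX.
MAP_FILES = {
    "SPa": """<Crosswalk>
  <Map functionName="concat"><Attribute>X</Attribute><MapValue>idpX Y</MapValue></Map>
  <Map functionName="rename"><Attribute>email</Attribute><MapValue>mail</MapValue></Map>
  <Map functionName="hash"><Attribute>targetedID</Attribute><MapValue>spName mail</MapValue></Map>
</Crosswalk>""",
    "default.mapper": """<Crosswalk>
  <Map functionName="rename"><Attribute>X</Attribute><MapValue>idpX</MapValue></Map>
  <Map functionName="static" value="member"><Attribute>eduPersonAffiliation</Attribute></Map>
</Crosswalk>""",
}

def fn_rename(values, _map):       # one-to-one: copy the single dependency's values
    return list(values[0])

def fn_static(_values, map_elem):  # static value assignment from the Map's value attribute
    return [map_elem.get("value")]

def fn_concat(values, _map):       # one row per combination of the dependencies' values
    return ["".join(row) for row in itertools.product(*values)]

def fn_hash(values, map_elem):     # e.g. targetedID = hash(concat(SPname, email))
    return [hashlib.sha1(s.encode()).hexdigest() for s in fn_concat(values, map_elem)]

FUNCTIONS = {"rename": fn_rename, "static": fn_static, "concat": fn_concat, "hash": fn_hash}

def load_crosswalk(sp):
    """Crosswalk for the SP, or default.mapper when the SP has none."""
    return ET.fromstring(MAP_FILES.get(sp, MAP_FILES["default.mapper"]))

def resolve(attr, sp, resolved):
    """Resolve mapped attribute `attr` for `sp`; `resolved` holds the resolver's
    already-resolved attributes ({name: [values]}) the map entry may depend on."""
    for map_elem in load_crosswalk(sp).findall("Map"):
        if map_elem.findtext("Attribute") != attr:
            continue
        deps = (map_elem.findtext("MapValue") or "").split()
        missing = [d for d in deps if d not in resolved]
        if missing:
            raise KeyError(f"{attr} for {sp} needs unresolved dependencies {missing}")
        func = FUNCTIONS[map_elem.get("functionName")]
        return func([resolved[d] for d in deps], map_elem)
    raise KeyError(f"no map entry for {attr} in the crosswalk used for {sp}")

if __name__ == "__main__":
    # Constructed resolver output for one principal.
    idp_attrs = {"idpX": ["x1", "x2"], "Y": ["y1"], "mail": ["sue@example.edu"],
                 "spName": ["SPa"]}
    print(resolve("X", "SPa", idp_attrs))          # SPa crosswalk: concat
    print(resolve("X", "SPb", idp_attrs))          # no SPb crosswalk: default.mapper
    print(resolve("targetedID", "SPa", idp_attrs))
```

Because the hash input includes the SP name, the same principal gets a different targetedID at each SP, which is the property that makes it usable as a non-correlatable identifier; a missing dependency is reported rather than silently producing a partial value.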

31
Future Works
  • Privacy settings for coarse-grained release policy
  • Hierarchical groups to implement the room-in-room
    concept (if enough requests)
  • Integration with Grouper/Signet for local
    management (currently planned for GroupManager
    and PrivilegeManager)
  • Push Shib for the ability to register new attributes
    with the resolver for Attribute Mapping

32
Questions?
  • Email: bliong@melcoe.mq.edu.au
  • ShARPE @ http://federation.org.au/ShARPE
  • MAMS @ http://mams.melcoe.mq.edu.au
  • Experiment: http://opensharpe.federation.org.au
  • Sharpe-users mailing list: http://federation.org.au
    /cgi-bin/mailman/listinfo
  • MAMS Easy Installation IdP with ShARPE:
    http://federation.org.au/software/installcd

33
Extra Slides
34
Shib ARP Management
  • SP attribute requirements agreed/negotiated
    manually (not scalable)
  • Site and User ARPs, no Group ARPs
  • Lack of service information for users (what
    attributes are required, released, and for what
    reason)
  • Lack of an interface for user ARP control
  • Users can't access the ARP files

35
Design Group ARP
36
Design Attribute Mapping
37
Policy Filter Chaining
  • Allows policies (ARPs) to be passed through a
    chain of filters prior to their final processing in the
    ArpEngine
  • Allows selective processing of policies
    • e.g. when the user has attribute X set to Y, do not
      process group policy Z
  • Used by Autograph to find which attributes are
    affected by all policies without the inclusion of the
    user ARP, and for similar use cases
  • http://federation.org.au/twiki/bin/view/Federation
    /PolicyFilter

38
Policy Filter
  • Different types of Policy Filter, extensible
    design
    • Filter on different types of ARP
    • Filter on simple access control for the ARP
      (create, read, update, delete)
      • create is slightly difficult to enforce
  • Combination of filters and chaining

39
Design PolicyFilter
40
PolicyFilter Processing
  • For each activity identified as create, read,
    update or delete on the policy
    • Call the registered PolicyFilters:
      Arp = PolicyFilter(Arp)
    • The resultant policy is given back to the system
  • All active policies to be used by the system are
    processed before being used

41
Activating PolicyFilter
  <ReleasePolicyEngine>
    <ArpRepository implementation="...provider.MAMSFileSystemArpRepository">
      <PolicyFilter implementation="..provider.PolicyTypeFilter">
        <PolicyType>sitePolicy</PolicyType>
        <PolicyType>userPolicy</PolicyType>
      </PolicyFilter>
      <!-- closing tags for ArpRepository and ReleasePolicyEngine are not shown on the slide -->
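As an added example (not MAMS or ShARPE code) of the policy filter chain described on the Policy Filter Chaining, Policy Filter and PolicyFilter Processing slides, the following Python runs every active policy through a chain of filters before an engine would use it: a type filter in the spirit of PolicyTypeFilter, the "when the user has attribute X set to Y, skip group policy Z" filter, and a simple access-control filter for the update/delete activities. The Policy representation (a type, a name and a tuple of attribute/decision rules), the filter call signature PolicyFilter(policy, context), the context keys activity/attributes/admin, and the sample policies are all constructed for the example.

```python
# Added example, not MAMS/ShARPE code: a policy filter chain. Every active
# policy (ARP) passes through each registered filter before use; a filter
# returns the policy unchanged, a replacement, or None to drop it. Assumed:
# policies are plain objects with type (sitePolicy|groupPolicy|userPolicy),
# name and (attribute, permit|deny) rules; the context carries the activity
# (create/read/update/delete), the user's attributes and an admin flag.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    type: str                 # sitePolicy | groupPolicy | userPolicy
    name: str
    rules: tuple              # ((attribute, "permit"|"deny"), ...)

class PolicyTypeFilter:
    """Keep only policies whose type is in the configured list (cf. <PolicyType>)."""
    def __init__(self, *types):
        self.types = set(types)
    def __call__(self, policy, context):
        return policy if policy.type in self.types else None

class SkipGroupWhenFilter:
    """Drop group policy `group` when the user's attribute `attr` has value `value`."""
    def __init__(self, attr, value, group):
        self.attr, self.value, self.group = attr, value, group
    def __call__(self, policy, context):
        user_attrs = context.get("attributes", {})
        if (policy.type == "groupPolicy" and policy.name == self.group
                and self.value in user_attrs.get(self.attr, ())):
            return None
        return policy

class SiteProtectFilter:
    """Simple access control: only admins may update or delete the site policy."""
    def __call__(self, policy, context):
        activity = context.get("activity")
        if (policy.type == "sitePolicy" and activity in ("update", "delete")
                and not context.get("admin", False)):
            raise PermissionError(f"{activity} on {policy.name} refused")
        return policy

def run_chain(policies, filters, context):
    """Arp = PolicyFilter(Arp) for each filter in turn; None ends the chain early."""
    survivors = []
    for policy in policies:
        for policy_filter in filters:
            policy = policy_filter(policy, context)
            if policy is None:
                break
        if policy is not None:
            survivors.append(policy)
    return survivors

def affected_attributes(policies):
    """Attributes touched by the surviving policies (Autograph's use case)."""
    return sorted({attr for policy in policies for attr, _ in policy.rules})

# Constructed set of active policies.
ACTIVE = [
    Policy("sitePolicy", "site", (("eduPersonAffiliation", "permit"),)),
    Policy("groupPolicy", "Physics", (("mail", "permit"), ("eduPersonEntitlement", "permit"))),
    Policy("groupPolicy", "Library", (("displayName", "permit"),)),
    Policy("userPolicy", "sue", (("mail", "deny"),)),
]

if __name__ == "__main__":
    # Autograph: which attributes do site and group policies affect, ignoring the user ARP?
    chain = [PolicyTypeFilter("sitePolicy", "groupPolicy")]
    print(affected_attributes(run_chain(ACTIVE, chain, {"activity": "read"})))
    # Engine: do not process the Physics group ARP for a walk-in (affiliate) user.
    chain = [SkipGroupWhenFilter("eduPersonAffiliation", "affiliate", "Physics")]
    ctx = {"activity": "read", "attributes": {"eduPersonAffiliation": ["affiliate"]}}
    print([policy.name for policy in run_chain(ACTIVE, chain, ctx)])
```

Filters compose by position in the list, so an access-control filter placed first refuses the activity before any later filter sees the policy; the create activity is the awkward one the slide mentions, since there is no existing policy object to pass through the chain yet.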