Tech Track: Attribute Delivery Newcastle University - PowerPoint PPT Presentation


1
Tech Track: Attribute Delivery, Newcastle University
  • Caleb Racey
  • Caleb.Racey@ncl.ac.uk

2
Overview
  • Introduction
  • Attribute Issues
  • External site access
  • Internal site access
  • Provisioning
  • Usability improvements
  • Roundup

3
Technical Background
  • Distributed ad hoc identity infrastructure
    • No authoritative directory of user info
    • Identity information spread across diverse systems
  • Mixed infrastructure
    • Unix: Solaris, Red Hat EL
    • Windows
    • SAP
  • Mixed web application platforms
    • The 3 Ps: PHP, Perl, Python
    • Java
    • ASP, ASP.NET

4
What attributes are used for
  • Access control to external applications
    • federated use
  • Access control to internal applications
  • Provisioning internal applications
  • Usability enhancements for internal applications

5
Prerequisites to attribute use
  • Identify the requirement for attributes
    • Do people actually know?
    • Chicken and egg: won't use Shib until the attributes are there, won't know what they need until they try
  • Identify sources of attributes
    • Data integrity
    • Ownership issues
    • Cultural issues
  • Uses
    • Data protection issues
    • Can I release this?
  • Service and support
    • What to do on failure
    • How to support devolved systems

6
Technical Stages, Attribute Delivery
  • Aggregation
    • Get attributes from data stores
  • Release
    • Decide what information you will release to whom
  • Acceptance
    • Decide what information you will accept
    • From whom
    • In what format
    • Mapped to what variables on the server

7
Attribute Release
  • Determined by site ARP and user ARP
    • e.g. arp.xml and arp.ncr18.xml files
    • User ARP can be held in LDAP
  • Tools for user control
    • SHARPE - web-based GUI
    • Explanation and email address on the support site, manual intervention
  • Problems: too complex for users?

8
Attribute release
  • ARP.xml:

    <Rule>
      <Description>EMOL service at EDINA</Description>
      <Target>
        <Requester>urn:mace:ac.uk:thing:provider:service:emol.sdss.ac.uk</Requester>
      </Target>
      <Attribute name="urn:mace:dir:thing:eduPersonEntitlement">
        <Value release="permit">urn:mace:ac.uk:thing:entitlement:emol.sdss.ac.uk:restricted</Value>
      </Attribute>
    </Rule>

9
Attribute Acceptance
  • Map attribute to server variables (Header)
    • Flexibility useful for supporting legacy, e.g.
    • Map ncr18 to REMOTE_USER for legacy .htaccess
    • Map ncr18@ncl.ac.uk to REMOTE_USER for federated apps
  • Give the attribute an alias for access config (Alias)
    • Allow unscoped-affiliation member
  • Determine what you will accept from whom
    • What: <Value>
    • Whom: <AnySite>, <SiteRule>
    • <Scope accept="true">ncl.ac.uk</Scope>

10
Attribute acceptance
  • AAP.xml:

    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation"
                   Header="Shib-EP-UnscopedAffiliation" Alias="unscoped-affiliation">
      <AnySite>
        <Value Type="regexp">^[Mm][Ee][Mm][Bb][Ee][Rr]$</Value>
      </AnySite>
    </AttributeRule>
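The release and acceptance stages on slides 7 to 10 are easiest to see as two filters run in sequence. The following is an added example, not code from the slides or from Shibboleth: `release()` plays the IdP, applying the site ARP and the user ARP to decide which values go to which requester, and `accept()` plays the SP, applying an AAP to decide which asserted values are trusted from which origin and which server variable each is exported as. Rule shapes mirror the slides' XML; the requester and origin names, the `staffonly` entitlement, the user's attribute values and the shortened attribute names (the real files use the `urn:mace:dir:attribute-def:` forms) are all constructed for the example.

```python
"""ARP (IdP release) and AAP (SP acceptance) modelled in Python.
Added example; names marked 'hypothetical' are not from the slides."""
import re
from fnmatch import fnmatchcase

EMOL = "urn:mace:ac.uk:thing:provider:service:emol.sdss.ac.uk"   # hypothetical
OTHER_SP = "urn:mace:ac.uk:thing:provider:service:other"         # hypothetical
NCL_IDP = "urn:mace:ac.uk:thing:provider:identity:ncl.ac.uk"     # hypothetical
EMOL_ENT = "urn:mace:ac.uk:thing:entitlement:emol.sdss.ac.uk:restricted"
STAFF_ENT = "urn:mace:ac.uk:thing:entitlement:staffonly"         # hypothetical

# ---- IdP side: attribute release policy (slides 7-8) -----------------------
# Each rule: a requester pattern ("*" is <AnyTarget/>) and, per attribute,
# value patterns to permit or deny.  Site ARP first, then the user's own ARP.
SITE_ARP = [
    {"requester": "*",
     "attributes": {"eduPersonAffiliation": {"permit": ["*"]},
                    "eduPersonScopedAffiliation": {"permit": ["*"]},
                    "eduPersonPrincipalName": {"permit": ["*"]}}},
    {"requester": EMOL,   # the slide 8 rule: entitlement only to EMOL
     "attributes": {"eduPersonEntitlement": {"permit": [EMOL_ENT]}}},
]
USER_ARP = [   # the user's own ARP (arp.ncr18.xml on slide 7) withholds a value
    {"requester": "*",
     "attributes": {"eduPersonEntitlement": {"deny": [STAFF_ENT]}}},
]

def release(arps, requester, attributes):
    """A value leaves the IdP only if a rule matching `requester` permits it
    and no matching rule denies it: deny overrides permit, and an attribute
    that no rule mentions is never released."""
    released = {}
    for name, values in attributes.items():
        kept = []
        for value in values:
            permitted = denied = False
            for rule in arps:
                if not fnmatchcase(requester, rule["requester"]):
                    continue
                policy = rule["attributes"].get(name, {})
                permitted |= any(fnmatchcase(value, p) for p in policy.get("permit", []))
                denied |= any(fnmatchcase(value, d) for d in policy.get("deny", []))
            if permitted and not denied:
                kept.append(value)
        if kept:
            released[name] = kept
    return released

# ---- SP side: attribute acceptance policy (slides 9-10) --------------------
# Per attribute: the header it is exported as, the value regexp accepted from
# <AnySite>, and for scoped attributes the scopes each origin may assert
# (<SiteRule Name=origin><Scope accept="true">...</Scope></SiteRule>).
MEMBER = re.compile(r"^[Mm][Ee][Mm][Bb][Ee][Rr]$")   # the slide 10 regexp
AAP = {
    "eduPersonAffiliation":       {"header": "Shib-EP-UnscopedAffiliation", "anysite": MEMBER},
    "eduPersonScopedAffiliation": {"header": "Shib-EP-Affiliation", "anysite": MEMBER,
                                   "scopes": {NCL_IDP: ["ncl.ac.uk"]}},
    "eduPersonPrincipalName":     {"header": "REMOTE_USER", "anysite": re.compile(r".+"),
                                   "scopes": {NCL_IDP: ["ncl.ac.uk"]}},
    "eduPersonEntitlement":       {"header": "Shib-EP-Entitlement",
                                   "anysite": re.compile(r"^urn:mace:")},
}

def accept(aap, origin, asserted):
    """Return the server variables the application will see.  A value is
    dropped if no rule names its attribute, if its value fails the regexp or,
    for scoped attributes, if `origin` is not allowed to assert that scope."""
    headers = {}
    for name, values in asserted.items():
        rule = aap.get(name)
        if rule is None:
            continue
        kept = []
        for value in values:
            local, _, scope = value.partition("@")
            if "scopes" in rule and (not scope or scope not in rule["scopes"].get(origin, [])):
                continue
            if rule["anysite"].match(local):
                kept.append(value)
        if kept:
            headers[rule["header"]] = ";".join(kept)   # multi-valued: ';'-joined
    return headers

USER = {   # constructed attributes for ncr18 after aggregation
    "eduPersonAffiliation": ["member", "staff"],
    "eduPersonScopedAffiliation": ["member@ncl.ac.uk"],
    "eduPersonPrincipalName": ["ncr18@ncl.ac.uk"],
    "eduPersonEntitlement": [EMOL_ENT, STAFF_ENT],
    "mail": ["ncr18@ncl.ac.uk"],   # no ARP rule mentions mail: never released
}

if __name__ == "__main__":
    sent = release(SITE_ARP + USER_ARP, EMOL, USER)
    print("released to EMOL:", sent)
    print("headers at SP:", accept(AAP, NCL_IDP, sent))
```

Two checks the model makes visible: the entitlement on slide 8 reaches EMOL but not any other requester, and `ncr18@ncl.ac.uk` only becomes `REMOTE_USER` when the asserting IdP is the one permitted for the `ncl.ac.uk` scope. That second point is why the `<Scope accept="true">ncl.ac.uk</Scope>` on slide 9 belongs inside a `<SiteRule>` for the Newcastle IdP rather than under `<AnySite>`; placed under `<AnySite>`, any federation member could assert Newcastle identities into legacy `.htaccess` rules keyed on `REMOTE_USER`.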

11
Federated use: what was required
  • Identify attribute requirements of providers
    • Generally stated by the federation
    • Can be bilateral agreements
    • Generally not complicated
  • Aggregate attributes
  • Release

12
Simple Example
  • Access to Athens journal resources
    • Via Shib login gateway: Shib >> Athens assertion conversion
  • Access to most journals
    • Requires Affiliation attribute
    • Login id in Active Directory => affiliated user
    • Policy implication: login = membership
    • Problem for edge cases (distance learning, NHS staff)
  • Echo the affiliation:

    <SimpleAttributeDefinition id="urn:thing:eduPersonAffiliation">
      <DataConnectorDependency requires="echo"/>
    </SimpleAttributeDefinition>

13
Complex example
  • Restricted access to online medical videos
    • Autopsy videos: medics only
  • Duplicate Athens medic restricted group
    • Manually provisioned by medical librarians
  • Problem: identifying medics
    • Students on medical courses: identify the diversity of courses, keep up to date
    • Staff: convince the medical librarian they are a medic
  • Solution only good for students
  • Long term solution: Grouper?

14
Complex example

    <SimpleAttributeDefinition id="urn:mace:..:eduPersonEntitlement"
                               sourceName="sdssentitlement" smartScope="ncl.ac.uk">
      <DataConnectorDependency requires="db6"/>
    </SimpleAttributeDefinition>

    <JDBCDataConnector id="db6"
        dbURL="jdbc:mysql://thing.ncl.ac.uk/courseData?user=thing&amp;password=thing"
        dbDriver="com.mysql.jdbc.Driver" maxActive="10" maxIdle="5">
      <Query>
        SELECT course_code,
               CASE course_code
                 WHEN 'A101' THEN 'urn:mace:ac.uk:thing:entitlement:emol.sdss.ac.uk:restricted'
                 WHEN 'A106' THEN 'urn:mace:ac.uk:thing:entitlement:emol.sdss.ac.uk:restricted'
                 ELSE 'none' END
               AS sdssentitlement
        FROM CMstudentdata WHERE loginid = ?
      </Query>
    </JDBCDataConnector>

15
Lessons Learned: federated use
  • Federated attribute usage is a nice, well-defined, simple subset
  • Shibboleth is usable with messy composite identity infrastructures
    • It is much better not to need to
  • Need for identity enrichment tools
    • e.g. medical staff
  • Shib technology is not the hard bit
    • The identity management processes are
    • Not going to go away

16
Internal use: what is required
  • Access control to internal resources
    • Valid users, e.g. exam papers
    • Group membership, e.g. research wikis
  • Better usability of applications
    • Auto-population of form fields
    • Nicer interaction: "Hello Cal", not "Hello ncr18"
  • Provisioning of applications
    • Simple deployment of applications, e.g. Sympa, MediaWiki

17
Example: Names (sn, givenName)
  • Need sn and givenName for usability enhancements
    • e.g. ncr18@ncl.ac.uk vs Caleb Racey, form pre-population
  • Problem: userbase split into staff and students
    • Data in separate tables
  • Solution: UNION selects across tables
  • Question: possible if they are in separate DBs?

18
Example

    <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:sn">
      <DataConnectorDependency requires="db10"/>
    </SimpleAttributeDefinition>

    <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:givenName">
      <DataConnectorDependency requires="db10"/>
    </SimpleAttributeDefinition>

    <JDBCDataConnector id="db10">
      <DataConnectorDependency requires="echo"/>
      <Query>
        SELECT forenames AS givenName, surname AS sn FROM staff   WHERE loginname = ?
        UNION
        SELECT forenames AS givenName, surname AS sn FROM student WHERE loginname = ?
      </Query>
    </JDBCDataConnector>
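Both resolver queries on the page, the CASE mapping from course code to entitlement in the "Complex example" and the UNION across the staff and student tables in this "Names" example, can be exercised without the IdP. The following is an added example, not the slides' own configuration: it creates the three tables in an in-memory SQLite database with constructed rows, runs the two queries as written on the slides, and shows the results at the edges the presenter mentions (staff with no course row, a login present in both name tables, and the `'none'` placeholder that the CASE produces for every non-medical course). Table and column names follow the slides; the rows, the `A101`/`A106` course codes and the `jsm3` login are sample data.

```python
"""The slides' JDBCDataConnector queries run against constructed SQLite data.
Added example; rows below are made up for illustration."""
import sqlite3

ENTITLEMENT = "urn:mace:ac.uk:thing:entitlement:emol.sdss.ac.uk:restricted"

# Slide 14: course code -> entitlement, with 'none' for every other course.
ENTITLEMENT_SQL = f"""
SELECT course_code,
       CASE course_code
         WHEN 'A101' THEN '{ENTITLEMENT}'
         WHEN 'A106' THEN '{ENTITLEMENT}'
         ELSE 'none' END AS sdssentitlement
FROM CMstudentdata WHERE loginid = ?
"""

# Slide 18: staff and students live in separate tables; UNION joins them.
NAMES_SQL = """
SELECT forenames AS givenName, surname AS sn FROM staff   WHERE loginname = ?
UNION
SELECT forenames AS givenName, surname AS sn FROM student WHERE loginname = ?
"""

def build_db():
    """In-memory stand-in for the MySQL course database; all rows constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE staff   (loginname TEXT, forenames TEXT, surname TEXT);
        CREATE TABLE student (loginname TEXT, forenames TEXT, surname TEXT);
        CREATE TABLE CMstudentdata (loginid TEXT, course_code TEXT);
        INSERT INTO staff   VALUES ('ncr18', 'Caleb',    'Racey');  -- staff only
        INSERT INTO student VALUES ('abc12', 'Ann',      'Brown');  -- medical student
        INSERT INTO student VALUES ('xyz99', 'Xavier',   'Young');  -- non-medical student
        INSERT INTO staff   VALUES ('jsm3',  'John',     'Smith');  -- same login in both
        INSERT INTO student VALUES ('jsm3',  'Jonathan', 'Smith');  -- tables, names differ
        INSERT INTO CMstudentdata VALUES ('abc12', 'A101');         -- medic course
        INSERT INTO CMstudentdata VALUES ('xyz99', 'B200');         -- not a medic course
    """)
    return db

def entitlements(db, login):
    """Values the resolver would place in eduPersonEntitlement for `login`,
    exactly as the slide 14 query yields them."""
    return [row[1] for row in db.execute(ENTITLEMENT_SQL, (login,)).fetchall()]

def entitlements_filtered(db, login):
    """Same query with the 'none' placeholder dropped, so it never reaches an
    ARP or a service provider as if it were a real entitlement."""
    return [v for v in entitlements(db, login) if v != "none"]

def names(db, login):
    """(givenName, sn) rows from the slide 18 UNION.  Identical rows from both
    tables collapse to one; differing rows make the attribute multi-valued."""
    return db.execute(NAMES_SQL, (login, login)).fetchall()

if __name__ == "__main__":
    db = build_db()
    for login in ("abc12", "xyz99", "ncr18", "jsm3"):
        print(login, entitlements(db, login), names(db, login))
```

Running it shows why the presenter says the solution is "only good for students": `ncr18` has no `CMstudentdata` row, so the query returns nothing at all, while a non-medical student gets the literal `'none'`, which is a value the resolver will happily emit unless it is filtered out as `entitlements_filtered()` does. The `jsm3` case is the one to watch when unioning two tables: if the same login carries different forenames in each, `givenName` silently becomes multi-valued and a form pre-populated from it will show both.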

19
Future Enhancements
  • Scriptable attribute aggregation:

    <DataConnectorDependency requires="directory"/>
    <Scriptlet>
      <![CDATA[
        Attributes attributes = dependencies.getConnectorResolution("directory");
        Attribute affiliation = attributes.get("eduPersonAffiliation");
        if (affiliation.size() > 0)
            resolverAttribute.addValue("affiliate");
      ]]>
    </Scriptlet>

  • Potential use case: Active Directory groups
    • Group membership is a property of the user object
    • LDAP lookup not easy/possible?

20
Lessons Learned: internal use
  • Attribute aggregation is a valuable business process
    • Expose via web services?
    • Duplicate?
    • Just use Shib?
    • Re-engineer the identity infrastructure?
  • Need an identity enrichment tool for future apps
    • DSpace: identify librarians
    • Wikis, Sympa: research groups
  • Allow integration of applications into a platform
    • Grouper
    • Enable identity enrichment
    • Add once, use anywhere

21
Usability enhancements
  • Provide identifiers for self-service apps
    • Library number
    • Smart card number
    • Payroll number
  • Auto-populate forms
    • Login name
    • Email address
    • First name, surname
  • Greater personal data visibility
    • Better integrity?
    • Higher initial support burden?

22
Provisioning Applications
  • Benefits
    • Simplifies institutional back ends
    • AA abstracts business logic
    • Authentication, authorisation and provisioning in one shot
    • Reusable between applications
  • Enables lightweight deployment techniques
    • No more 22,000-user databases
    • No imports, updates, suspensions, removals, reactivations, reprovisioning
  • Fewer deprovisioning headaches
    • Application accounts provisioned on first use
    • Login deactivated in one place

23
Provisioning examples
  • MediaWiki
    • PHP based
    • Install Shibboleth extension
    • Requires username (eppn); email address (optional)
    • Deployed by a graduate in the first 3 months of the job
  • Sympa mailing list manager
    • Perl based
    • Requires email address
    • Configure Shibboleth login system
    • Compatible with legacy (8000 lists)

24
MediaWiki
25
Sympa
26
Provisioning Applications: Questions
  • Dealing with external users
    • Separate directory?
    • Compatible data formats?
  • Aggregating multiple identity sources
  • User data changes
    • Change of institute: ncr18@ncl becomes ncr18@dur
  • Deprovisioning out of scope
    • Does no login = no problem?
  • Lack of data control?
    • Who is provisioning?
    • Freedom of information requests
  • Question: is this any worse than other techniques?

27
Final Questions?
  • Are ARPs usable by users? Will they ever be?
  • Attribute aggregation
    • Deal with messy institutional data stores?
    • Instigate an identity management review?
    • Enhance identity stores?
    • Glory in the perfect present?
  • Provisioning
    • Good idea or trouble brewing?