SAFARI UKDA Shibboleth Authentication for Access to the Resource Infrastructures of the UKDA - PowerPoint PPT Presentation
Slides: 28
Provided by: aet4
1
SAFARI UKDA: Shibboleth Authentication for Access to the Resource Infrastructures of the UKDA
2
SAFARI UKDA
  • Current UKDA Registration System
  • SAFARI UKDA Shibboleth Model
3
Current system
  • One-stop registration service provides access to
    - UKDA
    - Census (CDU, CIDS, SARS, UK Borders, CHCC)
    - ESDS International
  • User details held in a registration database at UKDA. World-wide registration.
  • Differential access control based on
    - Agreement to special conditions
    - Combination of user type and usage type (for UKDA survey data)
  • Authentication happens via Athens and authorisation using UKDA Registration attributes

4
SAFARI UKDA Shibboleth Model
5
Choice of VOSP model
  • Normal Shibboleth flow is not broken
  • Use of scoped eduPersonPrincipalName attribute, which is persistent across SPs
  • No requirement for SPs or IdPs to install any additional plug-in or make any additional modifications

6
A user attempts to access a protected area of the Resource
[Diagram, repeated on slides 6-26 with one more numbered step added each time: WAYF; the SAFARI UKDA VO, containing a Proxy IdP (HS, AA, dB) and a Proxy SP (ACS, AR); the user's Home IdP (HS, AA, dB); and the Resource (ACS, AR). Key: AA Attribute Authority; ACS Assertion Consumer Service; AR Attribute Requester; HS Handle Service; WAYF Where Are You From?]
7
The request is redirected to the HS of the Proxy IdP (step 1)
8
and on to the ACS of the Proxy SP (step 2)
9
The Proxy SP needs to know where the user is from, so forwards him to the WAYF (step 3)
10
where he selects his home institution
11
and is redirected to the selected institution for authentication (step 4)
12
The user logs in using credentials at his home institution
13
If this authentication is OK, the Home IdP sends a handle (H1) to the Proxy SP (step 5)
14
where it is forwarded to the AR (step 6)
15
and is used to request attributes from the user's home institution (step 7)
16
At the Home IdP, the AA accesses the directory database (step 8)
17
and releasable attributes are passed to the Proxy SP (steps 9-10; diagram note: eduPersonPrincipalName (ePPN) attribute scoped by Home IdP)
18
Control is returned to the HS of the Proxy IdP (step 11)
19
A handle (H2) is sent to the ACS at the Resource (step 12)
20
where it is forwarded to the AR (step 13)
21
and is used to request attributes from the Proxy IdP (step 14)
22
At the Proxy IdP, the AA accesses the database (step 15)
23
using the ePPN obtained from the Home IdP as a key (diagram note: ePPN attribute used as a key to retrieve UKDA attributes)
24
and the user's attributes are passed to the Resource (steps 16-17; diagram note: UKDA attributes)
25
The Resource then makes an authorisation decision based on the attributes received
26
[Diagram only: the complete flow, steps 1-17]
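The proxy flow on slides 6-25, modelled as an added Python example (not code from the SAFARI project): the Home IdP issues handle H1 and resolves it to a scoped ePPN, the SAFARI VO issues handle H2 and serves UKDA registration attributes keyed by that ePPN, and the Resource authorises from those attributes alone. The scope name, registration records, policy and the ePPN scope check are constructed assumptions for the example.

```python
import secrets

# Constructed sample data for the example (not real UKDA records or policy).
HOME_IDP_SCOPE = "example-uni.ac.uk"
UKDA_REGISTRATION_DB = {  # keyed by scoped ePPN, as on slide 23
    "jsmith@example-uni.ac.uk": {"userType": "academic", "usageType": "research",
                                 "specialConditions": {"census"}},
}
RESOURCE_POLICY = {  # user type + usage type, plus an agreed special condition (slide 3)
    "census": {"userTypes": {"academic"}, "usageTypes": {"research"}, "condition": "census"},
}

class HomeIdP:
    """Home institution: logs the user in (slide 12), issues H1 (step 5), resolves it to an ePPN (steps 7-9)."""
    def __init__(self, scope):
        self.scope, self._handles = scope, {}
    def login(self, local_id):
        h1 = secrets.token_hex(16)          # opaque, unguessable handle
        self._handles[h1] = local_id
        return h1
    def attributes(self, h1):
        local_id = self._handles.pop(h1)    # one-time use: H1 cannot be replayed
        return {"ePPN": f"{local_id}@{self.scope}"}

class SafariVO:
    """Proxy SP consumes Home IdP attributes (step 10); Proxy IdP issues H2 (step 12) and serves UKDA attributes (steps 14-16)."""
    def __init__(self, registration_db, trusted_scopes):
        self.db, self.trusted, self._sessions = registration_db, trusted_scopes, {}
    def consume_home_attributes(self, issuer_scope, attrs):
        eppn = attrs.get("ePPN", "")
        # Check assumed for this example: use the ePPN as a DB key only if its scope
        # is the scope of the IdP that asserted it, so one IdP cannot claim another's users.
        if issuer_scope not in self.trusted or not eppn.endswith("@" + issuer_scope):
            return None
        h2 = secrets.token_hex(16)
        self._sessions[h2] = eppn
        return h2
    def attributes(self, h2):
        eppn = self._sessions.pop(h2)
        return self.db.get(eppn, {})        # not registered at UKDA: nothing released

def resource_authorise(ukda_attrs, collection):
    # Step 17: the Resource decides from the UKDA attributes it received.
    p = RESOURCE_POLICY[collection]
    return (ukda_attrs.get("userType") in p["userTypes"]
            and ukda_attrs.get("usageType") in p["usageTypes"]
            and p["condition"] in ukda_attrs.get("specialConditions", set()))

def run_flow(home, vo, local_id, collection):
    # Slides 12-25 for one user and one protected collection.
    h1 = home.login(local_id)
    h2 = vo.consume_home_attributes(home.scope, home.attributes(h1))
    return h2 is not None and resource_authorise(vo.attributes(h2), collection)
```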
27
Further information
UKDA SAFARI web site safari.data-archive.ac.uk/