Shibboleth Development and Support Services

Case Study - EDINA

Fiona Culloch, EDINA

JISC Services Briefing Day, Birmingham, 28 September 2007

Shibboleth Development and Support Services

JISC Services Briefing Day, Aston University 28 September 2007 2

EDINA Services

• EDINA develops and hosts services based on

licensed data content:

– Geographic (Digimap, UKBORDERS, …)

– Bibliographic (Times Index, CAB Abstracts, LLL)

– Multimedia (Film & Sound Online, EIG)

– Repositories (JORUM, The Depot)

• Customer institutions take out subscriptions

• Authentication by IP address, Athens, UK

federation

Shibboleth Development and Support Services

JISC Services Briefing Day, Aston University 28 September 2007 3

Shibboleth Development and Support Services

JISC Services Briefing Day, Aston University 28 September 2007 4

Shibboleth Development and Support Services

JISC Services Briefing Day, Aston University 28 September 2007 5

Shibboleth Development and Support Services

JISC Services Briefing Day, Aston University 28 September 2007 6

Shibboleth Development and Support Services

JISC Services Briefing Day, Aston University 28 September 2007 7

Shibboleth Development and Support Services

JISC Services Briefing Day, Aston University 28 September 2007 8

The Authorisation Decision

• IP address:

– EDINA maintains own list of valid address ranges corresponding to each subscribing institution

• Athens:

– Eduserv central table of institutions vs services; they tell us whether a user is authorised for our service

• UK federation:

– How do we decide if user is from a subscribing org?

– It’s our problem (like with IP, not like Athens)

Shibboleth Development and Support Services

JISC Services Briefing Day, Aston University 28 September 2007 9

What You Can’t Assume

• Just because someone has an ID within the

federation:

– Doesn’t mean they are necessarily entitled to use your service (may be from non-subscribing institution)

– They may not even be from “the community” (e.g., anyone can get a ProtectNetwork or TypeKey ID)

– They may not be an identifiable real-world person: only true if identity provider claims user accountability

• So it’s up to you to check all this. How?

Shibboleth Development and Support Services

JISC Services Briefing Day, Aston University 28 September 2007 10

Identifying User’s Organisation

• eduPersonScopedAffiliation attribute (in env. var.):

– student@ed.ac.uk

• Scope (ed.ac.uk), a.k.a. “security domain,” is:

– Restricted by federation policy to be a DNS name belonging to a real-world member organisation

– Published in federation metadata for those IdPs that may use it; other IdPs can’t (enforced by SP s/w)

– Intended for use by SPs to discover user’s org.

– Easily referenced within a licence agreement

Shibboleth Development and Support Services

JISC Services Briefing Day, Aston University 28 September 2007 11

Affiliations in HE/FE

• Affiliation (student): user’s relation to

organisation.

• Maps to categories in JISC Model Licence:student Authorised

staff Authorised

faculty Authorised

employee Authorised

member Authorised

affiliate Not authorised

alum Not authorised

Shibboleth Development and Support Services

JISC Services Briefing Day, Aston University 28 September 2007 12

Authorisation, Organisation Tables

• EDINA login scripts (perl) implement business rules for access, using file that maps scopes to authorised services:

– ed.ac.uk: eig jorum media statacc …leeds.ac.uk: eig media mediamedical …ox.ac.uk: jorum media

• If you already have internal customer codes, you need a mapping from scopes to those, e.g.:

– ed.ac.uk: eduleeds.ac.uk: leeox.ac.uk: oxu

• Service providers must invent these wheels themselves. Neither Shibboleth nor the federation can do it for you.

Shibboleth Development and Support Services

JISC Services Briefing Day, Aston University 28 September 2007 13

EDINA Experience

• Initially, we generated these scope mapping files by hand

• But we had an existing DB of subscription info., keyed by internal org. code (cam, dur, liv, …)

• This DB happened to contain e-mail addresses of local contacts at these organisations (and therefore DNS names)

• So we now automatically generate scope to licences and org code mappings from this DB and the federation metadata (with manual approval of changes in case of accidents)

• You may not be so lucky and may need to change existing DBs (and populate) to include federation scope info.

Shibboleth Development and Support Services

JISC Services Briefing Day, Aston University 28 September 2007 14

User Accountability

• This is a property of the IdP, not of individual users; therefore, it’s not a user attribute

• Only need to worry if you care about traceability

• Proposal with Shibboleth core team for attributes about IdPs (expressed in metadata, distinguishable from user attributes), possibly in Shibboleth 2.x

• Mean time, must write own XSLT transform to extract entityIDs with <AccountableUsers> label from metadata (Digimap will do this).

Shibboleth Development and Support Services

JISC Services Briefing Day, Aston University 28 September 2007 15

Contacts

• http://www.ukfederation.org.uk/

• http://shibboleth.internet2.edu/

• edina@ed.ac.uk

Shibboleth Development and Support Services

JISC Services Briefing Day, Aston University 28 September 2007 16

UK Federation Core Attributes

eduPerson

ScopedAffiliatio

n

member@ed.ac.uk (or student, staff,

faculty, alum). Identifies user’s status

& organisation. Required by most SPs

eduPerson

TargetedID

Opaque, persistent ID allows

personalisation without SP knowing

user’s real identity. Each SP sees

different value of this for same user

eduPerson

Entitlement

Extensible list of URIs intended to list

entitlements to access specific

resources

eduPerson

PrincipalName

User ID only when essential

(fculloch@ed.ac.uk). Data protection

issues