Overview of schemas used for IdM community Setting up of identity provider
Motonori Nakamura, National Institute of Informatics, Japan
2nd TEIN IAM Workshop in Kuala Lumpur
Authn Flow by the Federation

Transition of browser screens (four steps, ending in a successful login):

1. Login by Fed: at the SP (Service Provider) the user chooses federated login.
2. Select Home Org: the DS (Discovery Service) lets the user pick the home organization.
3. Input ID & Pass: the user authenticates at the IdP (Identity Provider).
4. Complete Login: the IdP returns a SAML assertion carrying the user's attributes to the SP, and the login completes.

Control of attribute release: the attributes carried in that SAML assertion from the IdP to the SP.
Control of attribute release

Name (abbreviation) : Description
OrganizationName (o) : English name of the organization
jaOrganizationName (jao) : Japanese name of the organization
OrganizationalUnit (ou) : English name of a unit in the organization
jaOrganizationalUnit (jaou) : Japanese name of a unit in the organization
eduPersonPrincipalName (eppn) : Uniquely identifies an entity in GakuNin
eduPersonTargetedID : A pseudonym of an entity in GakuNin
eduPersonAffiliation : Staff, Faculty, Student, Member
eduPersonScopedAffiliation : Staff, Faculty, Student, Member, with scope
eduPersonEntitlement : Qualification to use a specific application
SurName (sn) : Surname in English
jaSurName (jasn) : Surname in Japanese
givenName : Given name in English
jaGivenName : Given name in Japanese
displayName : Displayed name in English
jaDisplayName : Displayed name in Japanese
mail : E-mail address
gakuninScopedPersonalUniqueCode : Student, faculty or staff number, with scope

Attributes managed by an IdP: the released attributes differ from SP to SP.

SP-A (2 attributes required): eppn (mandatory); eduPersonAffiliation (optional)
SP-B (1 attribute required): eduPersonAffiliation (mandatory)
SP-C (2 attributes required): eduPersonTargetedID (mandatory); eduPersonEntitlement or eduPersonScopedAffiliation (one of them is mandatory)
3 types of access on privacy

Anonymous: no identifier is sent. Fits e-Journals, where any member (of a department) of the organization can access.
Autonymous: eduPersonPrincipalName is sent. A unique identifier shared by all SPs (globally unique), similar to an e-mail address.
Pseudonymous: eduPersonTargetedID is sent [hash(ePPN, entityID of SP)]. A persistent unique identifier for each SP, used to avoid correlation of user activities among SPs.
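To make the pseudonymous case concrete, the following Python is an added example (not from the slides and not Shibboleth's code): it derives a per-SP pseudonym from the ePPN and the SP's entityID and checks the properties the slide asks for, persistence towards one SP and no linkability across SPs. The ePPN, the entityIDs and the IdP secret are constructed values. The unkeyed form is included only to show why hash(ePPN, entityID) needs a secret input that the IdP never releases, which is the role the salt plays in Shibboleth's computed-ID data connector.

```python
import base64
import hashlib
import hmac

# Constructed sample values for the walk-through (not from the slides).
EPPN = "t.tanaka@example.ac.jp"
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"
IDP_SECRET = b"idp-side salt: generate randomly, never publish"  # assumed value
DIRECTORY = [EPPN, "x.suzuki@example.ac.jp"]  # ePPNs an SP might already know


def naive_targeted_id(eppn: str, sp_entity_id: str) -> str:
    """hash(ePPN, entityID of SP) taken literally, with no secret input.

    The result is per-SP and persistent, but anyone holding the ePPN and the
    SP's entityID can recompute it, so it hides nothing from that party.
    """
    digest = hashlib.sha256(f"{sp_entity_id}!{eppn}".encode()).digest()
    return base64.b64encode(digest).decode()


def salted_targeted_id(eppn: str, sp_entity_id: str, idp_secret: bytes) -> str:
    """Keyed variant: HMAC-SHA256 over (SP entityID, ePPN) with a secret only
    the IdP holds. Still per-SP and persistent; not recomputable without it.
    """
    msg = f"{sp_entity_id}!{eppn}".encode()
    return base64.b64encode(hmac.new(idp_secret, msg, hashlib.sha256).digest()).decode()


def linkable_to_directory(observed_id: str, sp_entity_id: str, known_eppns) -> bool:
    """An SP that already holds a list of ePPNs can recompute the unkeyed
    pseudonym for each and compare it with what the IdP sent. True means the
    'pseudonym' was just the identifier in disguise."""
    return any(naive_targeted_id(e, sp_entity_id) == observed_id for e in known_eppns)


def privacy_properties() -> dict:
    """Check the properties the slide wants from eduPersonTargetedID."""
    a1 = salted_targeted_id(EPPN, SP_A, IDP_SECRET)
    a2 = salted_targeted_id(EPPN, SP_A, IDP_SECRET)
    b = salted_targeted_id(EPPN, SP_B, IDP_SECRET)
    return {
        "persistent_per_sp": a1 == a2,         # same user, same SP -> same ID
        "unlinkable_across_sps": a1 != b,      # same user, other SP -> other ID
        # without a secret the SP can tie the ID back to a known ePPN ...
        "naive_is_linkable": linkable_to_directory(naive_targeted_id(EPPN, SP_A), SP_A, DIRECTORY),
        # ... the keyed ID matches none of its recomputations
        "salted_is_linkable": linkable_to_directory(a1, SP_A, DIRECTORY),
    }


if __name__ == "__main__":
    for name, holds in privacy_properties().items():
        print(f"{name}: {holds}")
```

The point for an IdP operator: the secret is what turns a deterministic hash into a pseudonym, so it must be generated randomly, kept out of version control, and never rotated casually, because changing it changes every user's identifier at every SP.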
17 Attributes Utilized by GakuNin

The slide repeats the list of 17 attributes given under "Control of attribute release" above, with these annotations on the table:

Static
Not much used (marked on two rows)
Generated from ID
From LDAP tree
Not so difficult to map the Shib attributes and LDAP
urn:mace:dir:entitlement:common-lib-terms (eduPersonEntitlement value, shown twice)
Examples of attributes required by real SPs (GakuNin, Japan):
https://www.gakunin.jp/en-participants/

Examples of attributes required by real SPs (UK Federation):
http://www.ukfederation.org.uk/content/Documents/AttributeUsage
Configure your attribute-filter.xml

Configure attribute-filter.xml so that the IdP sends out the attributes each SP requests.

There are other related topics:

Attribute release user consent mechanism (uApprove): https://www.switch.ch/aai/support/tools/uApprove.html
uApproveJP: https://meatwiki.nii.ac.jp/confluence/pages/viewpage.action?pageId=13501031
Shibboleth 3.0 will have a user consent feature.
Automatic attribute-filter generation in cooperation with the GakuNin Registration System: https://meatwiki.nii.ac.jp/confluence/pages/viewpage.action?pageId=14647811 (In Japanese only, sorry)
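The SP-A/B/C slide and "configure your attribute-filter.xml" describe one mechanism: per-requester rules that decide which resolved attribute values leave the IdP. The Python below is an added example (not the slides' material and not Shibboleth's filter engine) that models those rules for the three SPs, applies them to one user's resolved attributes, and then checks the released set against what each SP declared mandatory. The entityIDs, the permitted value sets and the user's directory data are constructed.

```python
from dataclasses import dataclass

ANY = object()  # sentinel: the rule permits every value of the attribute


@dataclass
class AttributeRule:
    attribute_id: str
    permitted_values: object = ANY   # ANY, or a set of allowed values


@dataclass
class FilterPolicy:
    requester: str    # SP entityID the policy applies to
    rules: list       # AttributeRule entries


# Policies mirroring the SP-A/B/C slide; entityIDs and value sets are assumptions.
POLICIES = [
    FilterPolicy("https://sp-a.example.org/shibboleth", [
        AttributeRule("eduPersonPrincipalName"),
        AttributeRule("eduPersonAffiliation"),
    ]),
    FilterPolicy("https://sp-b.example.org/shibboleth", [
        # Only the values this SP can act on; anything else stays home.
        AttributeRule("eduPersonAffiliation", {"staff", "faculty", "student", "member"}),
    ]),
    FilterPolicy("https://sp-c.example.org/shibboleth", [
        AttributeRule("eduPersonTargetedID"),
        AttributeRule("eduPersonEntitlement", {"urn:mace:dir:entitlement:common-lib-terms"}),
        AttributeRule("eduPersonScopedAffiliation"),
    ]),
]

# What each SP needs: a list of alternatives; each alternative is a set of
# attributes of which at least one must be present (a singleton set is a plain
# mandatory attribute).
REQUIREMENTS = {
    "https://sp-a.example.org/shibboleth": [{"eduPersonPrincipalName"}],
    "https://sp-b.example.org/shibboleth": [{"eduPersonAffiliation"}],
    "https://sp-c.example.org/shibboleth": [{"eduPersonTargetedID"},
                                            {"eduPersonEntitlement", "eduPersonScopedAffiliation"}],
}

# Constructed attributes as an IdP might resolve them from LDAP for one user.
USER = {
    "eduPersonPrincipalName": ["t.tanaka@example.ac.jp"],
    "eduPersonAffiliation": ["staff", "member", "alum"],
    "eduPersonScopedAffiliation": ["staff@example.ac.jp"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms", "urn:example:local-app"],
    "eduPersonTargetedID": ["constructed-opaque-id-for-sp-c"],
    "mail": ["t.tanaka@example.ac.jp"],
    "sn": ["Tanaka"],
}


def filter_attributes(requester: str, resolved: dict, policies=POLICIES) -> dict:
    """Apply the policies for this requester and return only permitted values.

    Default deny: attributes no rule names (mail, sn) never leave, and an SP
    with no policy at all gets an empty attribute set.
    """
    released = {}
    for policy in policies:
        if policy.requester != requester:
            continue
        for rule in policy.rules:
            values = resolved.get(rule.attribute_id, [])
            if rule.permitted_values is not ANY:
                values = [v for v in values if v in rule.permitted_values]
            if values:
                seen = released.setdefault(rule.attribute_id, [])
                seen += [v for v in values if v not in seen]
    return released


def unmet_requirements(requester: str, released: dict) -> list:
    """Alternatives the SP insists on that the released set does not satisfy.
    Empty means the login will work; otherwise the filter or the directory
    data lacks something the SP needs."""
    return [alt for alt in REQUIREMENTS.get(requester, [])
            if not any(attr in released for attr in alt)]


if __name__ == "__main__":
    for sp in REQUIREMENTS:
        out = filter_attributes(sp, USER)
        print(sp, out, "unmet:", unmet_requirements(sp, out))
```

Two habits carry over to the real attribute-filter.xml: write value-restricted rules (the SP-B and SP-C entitlement cases) where the SP only needs specific values, and check the filtered output against the SP's declared mandatory attributes before going live, since a filter that is too tight fails logins just as surely as one that is too loose leaks data.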
uApprove plug-in by SWITCH
"uApproveJP" plug-in, extended to support the user's selection

Users can choose which optional attributes are released.
Users can also select the future action.

The consent screen shows:
Mandatory attributes
Optional attributes (each with a check box)
Agree to release for all SPs in the future
Agree to release for this SP in the future
Need to confirm again on the next access, even to the same SP
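The consent choices on the uApproveJP screen (mandatory versus optional attributes, and the three future actions) translate into a small decision store at the IdP. The Python below is an added example of that logic (not uApproveJP's implementation); the entityIDs and the user names are constructed, and the modelling assumptions are noted in the comments: a per-SP decision wins over a global one, "ask again" stores nothing, and a changed attribute request re-prompts rather than riding on old consent.

```python
from dataclasses import dataclass

# The three "future action" choices on the uApproveJP screen.
ALL_SPS = "all_sps"       # agree to release for all SPs in the future
THIS_SP = "this_sp"       # agree to release for this SP in the future
ASK_AGAIN = "ask_again"   # confirm again on the next access, even to the same SP


@dataclass(frozen=True)
class Decision:
    scope: str
    optional_chosen: frozenset   # optional attributes the user ticked
    covered: frozenset           # every attribute shown on the consent page


class ConsentStore:
    """Remembered decisions. Modelling assumption: a per-SP decision wins over
    a global one, and ASK_AGAIN leaves nothing behind."""

    def __init__(self):
        self._per_sp = {}    # (user, sp) -> Decision
        self._global = {}    # user -> Decision

    def record(self, user, sp, decision):
        if decision.scope == THIS_SP:
            self._per_sp[(user, sp)] = decision
        elif decision.scope == ALL_SPS:
            self._global[user] = decision

    def lookup(self, user, sp):
        return self._per_sp.get((user, sp)) or self._global.get(user)


def needs_prompt(store, user, sp, mandatory, optional) -> bool:
    """Show the consent page when nothing is remembered, or when the SP now
    asks for an attribute the user never saw (a changed request must not
    ride on old consent)."""
    decision = store.lookup(user, sp)
    if decision is None:
        return True
    return not (set(mandatory) | set(optional)) <= decision.covered


def attributes_to_release(store, user, sp, mandatory, optional):
    """Mandatory attributes go out with any remembered consent; optional ones
    only if they were ticked. None means: prompt first."""
    if needs_prompt(store, user, sp, mandatory, optional):
        return None
    decision = store.lookup(user, sp)
    return sorted(set(mandatory) | (set(optional) & decision.optional_chosen))


def walkthrough() -> dict:
    """Constructed scenario built on the SP-A example (entityIDs assumed)."""
    sp_a = "https://sp-a.example.org/shibboleth"
    sp_b = "https://sp-b.example.org/shibboleth"
    mandatory, optional = ["eduPersonPrincipalName"], ["eduPersonAffiliation"]
    shown = frozenset(mandatory + optional)
    out = {}

    store = ConsentStore()
    out["first_visit_prompts"] = needs_prompt(store, "u1", sp_a, mandatory, optional)
    store.record("u1", sp_a, Decision(THIS_SP, frozenset(), shown))   # nothing optional ticked
    out["this_sp_release"] = attributes_to_release(store, "u1", sp_a, mandatory, optional)
    out["other_sp_prompts"] = needs_prompt(store, "u1", sp_b, ["eduPersonAffiliation"], [])
    out["changed_request_prompts"] = needs_prompt(store, "u1", sp_a, mandatory + ["mail"], optional)

    store = ConsentStore()
    store.record("u2", sp_a, Decision(ALL_SPS, frozenset(optional), shown))   # optional ticked, global
    out["all_sps_release_elsewhere"] = attributes_to_release(store, "u2", sp_b, ["eduPersonAffiliation"], [])

    store = ConsentStore()
    store.record("u3", sp_a, Decision(ASK_AGAIN, frozenset(optional), shown))
    out["ask_again_prompts"] = needs_prompt(store, "u3", sp_a, mandatory, optional)
    return out


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

Consent sits after the attribute filter, not instead of it: the filter decides what the IdP is willing to release to an SP, and the consent step lets the user hold back the optional part of that set. Recording the attribute names a decision covered is what makes the "this SP in the future" option safe when an SP later starts asking for more.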