SlideShare a Scribd company logo

20041117: SDSS Project Summary

iay
iay

17th November 2004, London

TechnologyEducation
1 of 21
Download to read offline
SDSS Project Summary Ian A. Young, EDINA ian@iay.org.uk 17th November 2004 17-Nov-2004
SDSS Project Shibboleth Development and Support  Services Goal is to provide a basic national  infrastructure for use by other projects – Operate a development Shibboleth federation – Provide Shibboleth access to EDINA services – General support – Technology watch 17-Nov-2004 2
Federation Defined A grouping of identity providers and  service providers following defined rules. More a social construct than a technical  one. Components:  – Participant agreement → trust – Federation signup → metadata service – WAYF service (optional) 17-Nov-2004 3
SDSS Federation Overview Not like InQueue:  – Takes all comers, no guarantees of any kind Not full production:  – Requires defined level of service guarantees – May require stronger participant guarantees – Administration scalable to all UK institutions SDSS is somewhere in between:  – Sufficient trust to support delivery of licensed services – Few entry hurdles for development projects 17-Nov-2004 4
SDSS Federation Policy Agreement:  – Best practices – Best efforts – Privacy protection X.509 Certificates  – GlobalSign certificates required – Temporary SDSS CA certificates available 17-Nov-2004 5
SDSS Federation Policy V1.0 All members of the federation must:  – Observe best practice in the handling and use of your digital certificates and private keys All identity providers (origins) must:  – Make reasonable attempts to ensure that only members of your institution are provided with credentials permitting authentication to your handle server, and that the assertions made to service providers by your attribute authority are correct. All service providers (targets) must:  – Agree not to aggregate, or disclose to other parties, attributes supplied by identity providers. 17-Nov-2004 X
SDSS Federation Membership Identity providers: 5  – SDSS tests: 3 – Other projects: 2 – Institutional: 1 Service providers: 11  – SDSS tests: 4 – Other projects: 1 – Pending EDINA services: 4 – Live EDINA services: 2 17-Nov-2004 6
Biosis Login Page
Biosis Search Result
eduPersonScopedAffiliation MACE-Dir eduPerson attribute  Example: member@ed.ac.uk  Gives subject’s relationship to a security  domain Semantics: member of institution  Many resources licensed on these terms  Definition a little vague; working with  MACE-Dir on this. 17-Nov-2004 9
eduPersonEntitlement MACE-Dir eduPerson attribute  Examples:  – urn:mace:ac.uk:sdss.ac.uk:entitlement:resource – http://provider.co.uk/resource/contract.html Claims subject’s entitlement to a particular  resource Service provider must trust identity  provider to issue any particular entitlement Good fine grained fall-back approach.  17-Nov-2004 X
Update Login Page
Update Search Results
Update Saved Searches
eduPersonTargetedID MACE-Dir eduPerson attribute  Example: sObw8cK7JJ6qqwj2v9O1tpidV4U=@ed.ac.uk  
 
 
 

 
 
  

 
 
 

 
 
 Value is an opaque string  Allows personalisation and saved state  without compromising privacy Issues about stored vs. generated forms.  17-Nov-2004 13
SDSS Federation Collateral Web site: http://sdss.ac.uk/  – Policies and procedures – Installation documentation – Registries: • URN registry • OID registry – Wiki (living documentation) – Metadata service – Root and signing certificates 17-Nov-2004 14
To-do List More external providers  More EDINA services  Convert to final certificates  Continue to improve documentation and  packaging Encapsulate experience with authorisation:  – Suggested service attribute requirements – Suggested attribute release policies Collate service information  17-Nov-2004 15
EDINA Contacts Talk: ian@iay.org.uk  Project: http://sdss.ac.uk/  – Project manager: sandy.shaw@ed.ac.uk – Technical: ian@iay.org.uk – Technical: Fiona.Culloch@btinternet.com 17-Nov-2004 16
Scoped Attributes This is a MACE-Dir concept, embodied in the  eduPerson specification. Scoped attributes have two parts:  – Scope = security domain – Value relative to that scope Example: member@ed.ac.uk  A principal may have multiple attribute values:  – within the same scope – in different scopes. Definitely not the answer to all questions of  attribute scoping; work continues. 17-Nov-2004 X
Scoped Attributes in Shibboleth Shibboleth 1.1 uses an informal attribute profile.  Scoped Attributes assert a value within a security domain.  In the directory, they are just a DirectoryString.  Scoped attributes have XML structure in this profile.  “Scope” XML attribute expresses security domain.  <Attribute  AttributeName=quot;urn:mace:dir:attribute-def:eduPersonPrincipalNamequot; AttributeNamespace=quot;urn:mace:shibboleth:1.0:attributeNamespace:uriquot;> <AttributeValue Scope=quot;iay.org.ukquot;>iay</AttributeValue> </Attribute> Shibboleth filters such assertions using federation metadata.  17-Nov-2004 X
SAML 2 LDAP Attribute Profile SAML 2.0 adds a standardised profile for  encoding all X.500/LDAP attributes. Switch to standardised profile essential for  interoperability. <Attribute  NameFormat=quot;urn:oasis:names:tc:SAML:2.0:attrname-format:uriquot; Name=quot;urn:oid:1.3.6.1.4.1.5923.1.1.1.6quot;> <AttributeValue>iay@iay.org.uk</AttributeValue> </Attribute> No XML structure in encoding of these attributes  in this profile. Shibboleth will still filter according to federation  metadata. 17-Nov-2004 X

Recommended

Exploiting Linked (Open) Data via Microsoft Access using ODBC File DSNs
Exploiting Linked (Open) Data via Microsoft Access using ODBC File DSNsExploiting Linked (Open) Data via Microsoft Access using ODBC File DSNs
Exploiting Linked (Open) Data via Microsoft Access using ODBC File DSNsKingsley Uyi Idehen
 
Exploiting Linked Data via Filemaker
Exploiting Linked Data via FilemakerExploiting Linked Data via Filemaker
Exploiting Linked Data via FilemakerKingsley Uyi Idehen
 
Exploiting Linked (Open) Data via Microsoft Access
Exploiting Linked (Open) Data via Microsoft AccessExploiting Linked (Open) Data via Microsoft Access
Exploiting Linked (Open) Data via Microsoft AccessKingsley Uyi Idehen
 
Identity-centric interoperability with the Ceramic Protocol
Identity-centric interoperability with the Ceramic ProtocolIdentity-centric interoperability with the Ceramic Protocol
Identity-centric interoperability with the Ceramic ProtocolSSIMeetup
 
Using SAP Crystal Reports as a Linked (Open) Data Front-End via ODBC
Using SAP Crystal Reports as a Linked (Open) Data Front-End via ODBCUsing SAP Crystal Reports as a Linked (Open) Data Front-End via ODBC
Using SAP Crystal Reports as a Linked (Open) Data Front-End via ODBCKingsley Uyi Idehen
 
Accessing the Linked Open Data Cloud via ODBC
Accessing the Linked Open Data Cloud via ODBCAccessing the Linked Open Data Cloud via ODBC
Accessing the Linked Open Data Cloud via ODBCKingsley Uyi Idehen
 
Virtuoso ODBC Driver Configuration & Usage (Windows)
Virtuoso ODBC Driver Configuration & Usage (Windows)Virtuoso ODBC Driver Configuration & Usage (Windows)
Virtuoso ODBC Driver Configuration & Usage (Windows)Kingsley Uyi Idehen
 
Decentralized Identifiers
Decentralized IdentifiersDecentralized Identifiers
Decentralized IdentifiersMarkus Sabadello
 

Recommended

Exploiting Linked (Open) Data via Microsoft Access using ODBC File DSNs
Exploiting Linked (Open) Data via Microsoft Access using ODBC File DSNsExploiting Linked (Open) Data via Microsoft Access using ODBC File DSNs
Exploiting Linked (Open) Data via Microsoft Access using ODBC File DSNsKingsley Uyi Idehen
 
Exploiting Linked Data via Filemaker
Exploiting Linked Data via FilemakerExploiting Linked Data via Filemaker
Exploiting Linked Data via FilemakerKingsley Uyi Idehen
 
Exploiting Linked (Open) Data via Microsoft Access
Exploiting Linked (Open) Data via Microsoft AccessExploiting Linked (Open) Data via Microsoft Access
Exploiting Linked (Open) Data via Microsoft AccessKingsley Uyi Idehen
 
Identity-centric interoperability with the Ceramic Protocol
Identity-centric interoperability with the Ceramic ProtocolIdentity-centric interoperability with the Ceramic Protocol
Identity-centric interoperability with the Ceramic ProtocolSSIMeetup
 
Using SAP Crystal Reports as a Linked (Open) Data Front-End via ODBC
Using SAP Crystal Reports as a Linked (Open) Data Front-End via ODBCUsing SAP Crystal Reports as a Linked (Open) Data Front-End via ODBC
Using SAP Crystal Reports as a Linked (Open) Data Front-End via ODBCKingsley Uyi Idehen
 
Accessing the Linked Open Data Cloud via ODBC
Accessing the Linked Open Data Cloud via ODBCAccessing the Linked Open Data Cloud via ODBC
Accessing the Linked Open Data Cloud via ODBCKingsley Uyi Idehen
 
Virtuoso ODBC Driver Configuration & Usage (Windows)
Virtuoso ODBC Driver Configuration & Usage (Windows)Virtuoso ODBC Driver Configuration & Usage (Windows)
Virtuoso ODBC Driver Configuration & Usage (Windows)Kingsley Uyi Idehen
 
Decentralized Identifiers
Decentralized IdentifiersDecentralized Identifiers
Decentralized IdentifiersMarkus Sabadello
 
Had Iraq won the war.......
Had Iraq won the war.......Had Iraq won the war.......
Had Iraq won the war.......mariasinha81
 
PražSké PovstáNí Pps
PražSké PovstáNí PpsPražSké PovstáNí Pps
PražSké PovstáNí Ppsguest039948
 
Logistics Management
Logistics Management Logistics Management
Logistics Management mariasinha81
 
PražSké PovstáNí 2
PražSké PovstáNí 2PražSké PovstáNí 2
PražSké PovstáNí 2guest039948
 
Managers are Managers
Managers are ManagersManagers are Managers
Managers are Managersmariasinha81
 
Esercizio Visual Basic
Esercizio Visual BasicEsercizio Visual Basic
Esercizio Visual Basicvane1989
 
20070404: UK federation and Shibboleth: Nuts And Bolts
20070404: UK federation and Shibboleth: Nuts And Bolts20070404: UK federation and Shibboleth: Nuts And Bolts
20070404: UK federation and Shibboleth: Nuts And Boltsiay
 
Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxfordguestd9aa5
 
Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxfordguru122
 
20071214: An Identity Provider's Guide to the Core Attributes
20071214: An Identity Provider's Guide to the Core Attributes20071214: An Identity Provider's Guide to the Core Attributes
20071214: An Identity Provider's Guide to the Core Attributesiay
 
Linked Data Tutorial
Linked Data TutorialLinked Data Tutorial
Linked Data TutorialMichael Hausenblas
 
20180605 sso with apex and adfs the weblogic way
20180605 sso with apex and adfs the weblogic way20180605 sso with apex and adfs the weblogic way
20180605 sso with apex and adfs the weblogic waymakker_nl
 
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610Cisco DevNet
 
X Aware Ajax World V1
X Aware Ajax World V1X Aware Ajax World V1
X Aware Ajax World V1rajivmordani
 
Nuxeo JavaOne 2007
Nuxeo JavaOne 2007Nuxeo JavaOne 2007
Nuxeo JavaOne 2007Stefane Fermigier
 
Demystify LDAP and OIDC Providing Security to Your App on Kubernetes
Demystify LDAP and OIDC Providing Security to Your App on KubernetesDemystify LDAP and OIDC Providing Security to Your App on Kubernetes
Demystify LDAP and OIDC Providing Security to Your App on KubernetesVMware Tanzu
 
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document Store
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document StoreConnector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document Store
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document StoreFilipe Silva
 
Sim-webcast-part1-1aa
Sim-webcast-part1-1aaSim-webcast-part1-1aa
Sim-webcast-part1-1aaOracleIDM
 
Domain Specific Languages for Parallel Graph AnalytiX (PGX)
Domain Specific Languages for Parallel Graph AnalytiX (PGX)Domain Specific Languages for Parallel Graph AnalytiX (PGX)
Domain Specific Languages for Parallel Graph AnalytiX (PGX)Eelco Visser
 
Elastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ CiscoElastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ CiscoElasticsearch
 
20171104 hk-py con-mysql-documentstore_v1
20171104 hk-py con-mysql-documentstore_v120171104 hk-py con-mysql-documentstore_v1
20171104 hk-py con-mysql-documentstore_v1Ivan Ma
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Arnaud Le Hors
 

More Related Content

Viewers also liked

Had Iraq won the war.......
Had Iraq won the war.......Had Iraq won the war.......
Had Iraq won the war.......mariasinha81
 
PražSké PovstáNí Pps
PražSké PovstáNí PpsPražSké PovstáNí Pps
PražSké PovstáNí Ppsguest039948
 
Logistics Management
Logistics Management Logistics Management
Logistics Management mariasinha81
 
PražSké PovstáNí 2
PražSké PovstáNí 2PražSké PovstáNí 2
PražSké PovstáNí 2guest039948
 
Managers are Managers
Managers are ManagersManagers are Managers
Managers are Managersmariasinha81
 
Esercizio Visual Basic
Esercizio Visual BasicEsercizio Visual Basic
Esercizio Visual Basicvane1989
 
20070404: UK federation and Shibboleth: Nuts And Bolts
20070404: UK federation and Shibboleth: Nuts And Bolts20070404: UK federation and Shibboleth: Nuts And Bolts
20070404: UK federation and Shibboleth: Nuts And Boltsiay
 

Viewers also liked (7)

Had Iraq won the war.......
Had Iraq won the war.......Had Iraq won the war.......
Had Iraq won the war.......
 
PražSké PovstáNí Pps
PražSké PovstáNí PpsPražSké PovstáNí Pps
PražSké PovstáNí Pps
 
Logistics Management
Logistics Management Logistics Management
Logistics Management
 
PražSké PovstáNí 2
PražSké PovstáNí 2PražSké PovstáNí 2
PražSké PovstáNí 2
 
Managers are Managers
Managers are ManagersManagers are Managers
Managers are Managers
 
Esercizio Visual Basic
Esercizio Visual BasicEsercizio Visual Basic
Esercizio Visual Basic
 
20070404: UK federation and Shibboleth: Nuts And Bolts
20070404: UK federation and Shibboleth: Nuts And Bolts20070404: UK federation and Shibboleth: Nuts And Bolts
20070404: UK federation and Shibboleth: Nuts And Bolts
 

Similar to 20041117: SDSS Project Summary

Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxfordguestd9aa5
 
Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxfordguru122
 
20071214: An Identity Provider's Guide to the Core Attributes
20071214: An Identity Provider's Guide to the Core Attributes20071214: An Identity Provider's Guide to the Core Attributes
20071214: An Identity Provider's Guide to the Core Attributesiay
 
20180605 sso with apex and adfs the weblogic way
20180605 sso with apex and adfs the weblogic way20180605 sso with apex and adfs the weblogic way
20180605 sso with apex and adfs the weblogic waymakker_nl
 
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610Cisco DevNet
 
X Aware Ajax World V1
X Aware Ajax World V1X Aware Ajax World V1
X Aware Ajax World V1rajivmordani
 
Demystify LDAP and OIDC Providing Security to Your App on Kubernetes
Demystify LDAP and OIDC Providing Security to Your App on KubernetesDemystify LDAP and OIDC Providing Security to Your App on Kubernetes
Demystify LDAP and OIDC Providing Security to Your App on KubernetesVMware Tanzu
 
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document Store
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document StoreConnector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document Store
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document StoreFilipe Silva
 
Sim-webcast-part1-1aa
Sim-webcast-part1-1aaSim-webcast-part1-1aa
Sim-webcast-part1-1aaOracleIDM
 
Domain Specific Languages for Parallel Graph AnalytiX (PGX)
Domain Specific Languages for Parallel Graph AnalytiX (PGX)Domain Specific Languages for Parallel Graph AnalytiX (PGX)
Domain Specific Languages for Parallel Graph AnalytiX (PGX)Eelco Visser
 
Elastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ CiscoElastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ CiscoElasticsearch
 
20171104 hk-py con-mysql-documentstore_v1
20171104 hk-py con-mysql-documentstore_v120171104 hk-py con-mysql-documentstore_v1
20171104 hk-py con-mysql-documentstore_v1Ivan Ma
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Arnaud Le Hors
 
Enterprise class apex
Enterprise class apexEnterprise class apex
Enterprise class apexEnkitec
 
Configure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdf
Configure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdfConfigure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdf
Configure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdfddghh
 
The Data Web and PLM
The Data Web and PLMThe Data Web and PLM
The Data Web and PLMKoneksys
 
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfCNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfLibbySchulze
 

Similar to 20041117: SDSS Project Summary (20)

Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxford
 
Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxford
 
20071214: An Identity Provider's Guide to the Core Attributes
20071214: An Identity Provider's Guide to the Core Attributes20071214: An Identity Provider's Guide to the Core Attributes
20071214: An Identity Provider's Guide to the Core Attributes
 
Linked Data Tutorial
Linked Data TutorialLinked Data Tutorial
Linked Data Tutorial
 
20180605 sso with apex and adfs the weblogic way
20180605 sso with apex and adfs the weblogic way20180605 sso with apex and adfs the weblogic way
20180605 sso with apex and adfs the weblogic way
 
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
Webex APIs for Admins - Cisco Live Orlando 2018 - DEVNET-3610
 
X Aware Ajax World V1
X Aware Ajax World V1X Aware Ajax World V1
X Aware Ajax World V1
 
Nuxeo JavaOne 2007
Nuxeo JavaOne 2007Nuxeo JavaOne 2007
Nuxeo JavaOne 2007
 
Demystify LDAP and OIDC Providing Security to Your App on Kubernetes
Demystify LDAP and OIDC Providing Security to Your App on KubernetesDemystify LDAP and OIDC Providing Security to Your App on Kubernetes
Demystify LDAP and OIDC Providing Security to Your App on Kubernetes
 
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document Store
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document StoreConnector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document Store
Connector/J Beyond JDBC: the X DevAPI for Java and MySQL as a Document Store
 
Sim-webcast-part1-1aa
Sim-webcast-part1-1aaSim-webcast-part1-1aa
Sim-webcast-part1-1aa
 
Domain Specific Languages for Parallel Graph AnalytiX (PGX)
Domain Specific Languages for Parallel Graph AnalytiX (PGX)Domain Specific Languages for Parallel Graph AnalytiX (PGX)
Domain Specific Languages for Parallel Graph AnalytiX (PGX)
 
Elastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ CiscoElastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ Cisco
 
20171104 hk-py con-mysql-documentstore_v1
20171104 hk-py con-mysql-documentstore_v120171104 hk-py con-mysql-documentstore_v1
20171104 hk-py con-mysql-documentstore_v1
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
 
Enterprise class apex
Enterprise class apexEnterprise class apex
Enterprise class apex
 
Configure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdf
Configure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdfConfigure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdf
Configure-Troubleshoot-Cisco-ISE-2.X-3-Days.pdf
 
The Data Web and PLM
The Data Web and PLMThe Data Web and PLM
The Data Web and PLM
 
Velociraptor - SANS Summit 2019
Velociraptor - SANS Summit 2019Velociraptor - SANS Summit 2019
Velociraptor - SANS Summit 2019
 
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfCNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
 

Recently uploaded

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Recently uploaded (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 

20041117: SDSS Project Summary

  • 1. SDSS Project Summary Ian A. Young, EDINA ian@iay.org.uk 17th November 2004 17-Nov-2004
  • 2. SDSS Project Shibboleth Development and Support  Services Goal is to provide a basic national  infrastructure for use by other projects – Operate a development Shibboleth federation – Provide Shibboleth access to EDINA services – General support – Technology watch 17-Nov-2004 2
  • 3. Federation Defined A grouping of identity providers and  service providers following defined rules. More a social construct than a technical  one. Components:  – Participant agreement → trust – Federation signup → metadata service – WAYF service (optional) 17-Nov-2004 3
  • 4. SDSS Federation Overview Not like InQueue:  – Takes all comers, no guarantees of any kind Not full production:  – Requires defined level of service guarantees – May require stronger participant guarantees – Administration scalable to all UK institutions SDSS is somewhere in between:  – Sufficient trust to support delivery of licensed services – Few entry hurdles for development projects 17-Nov-2004 4
  • 5. SDSS Federation Policy Agreement:  – Best practices – Best efforts – Privacy protection X.509 Certificates  – GlobalSign certificates required – Temporary SDSS CA certificates available 17-Nov-2004 5
  • 6. SDSS Federation Policy V1.0 All members of the federation must:  – Observe best practice in the handling and use of your digital certificates and private keys All identity providers (origins) must:  – Make reasonable attempts to ensure that only members of your institution are provided with credentials permitting authentication to your handle server, and that the assertions made to service providers by your attribute authority are correct. All service providers (targets) must:  – Agree not to aggregate, or disclose to other parties, attributes supplied by identity providers. 17-Nov-2004 X
  • 7. SDSS Federation Membership Identity providers: 5  – SDSS tests: 3 – Other projects: 2 – Institutional: 1 Service providers: 11  – SDSS tests: 4 – Other projects: 1 – Pending EDINA services: 4 – Live EDINA services: 2 17-Nov-2004 6
  • 10. eduPersonScopedAffiliation MACE-Dir eduPerson attribute  Example: member@ed.ac.uk  Gives subject’s relationship to a security  domain Semantics: member of institution  Many resources licensed on these terms  Definition a little vague; working with  MACE-Dir on this. 17-Nov-2004 9
  • 11. eduPersonEntitlement MACE-Dir eduPerson attribute  Examples:  – urn:mace:ac.uk:sdss.ac.uk:entitlement:resource – http://provider.co.uk/resource/contract.html Claims subject’s entitlement to a particular  resource Service provider must trust identity  provider to issue any particular entitlement Good fine grained fall-back approach.  17-Nov-2004 X
  • 15. eduPersonTargetedID MACE-Dir eduPerson attribute  Example: sObw8cK7JJ6qqwj2v9O1tpidV4U=@ed.ac.uk  
 
 
 

 
 
  

 
 
 

 
 
 Value is an opaque string  Allows personalisation and saved state  without compromising privacy Issues about stored vs. generated forms.  17-Nov-2004 13
  • 16. SDSS Federation Collateral Web site: http://sdss.ac.uk/  – Policies and procedures – Installation documentation – Registries: • URN registry • OID registry – Wiki (living documentation) – Metadata service – Root and signing certificates 17-Nov-2004 14
  • 17. To-do List More external providers  More EDINA services  Convert to final certificates  Continue to improve documentation and  packaging Encapsulate experience with authorisation:  – Suggested service attribute requirements – Suggested attribute release policies Collate service information  17-Nov-2004 15
  • 18. EDINA Contacts Talk: ian@iay.org.uk  Project: http://sdss.ac.uk/  – Project manager: sandy.shaw@ed.ac.uk – Technical: ian@iay.org.uk – Technical: Fiona.Culloch@btinternet.com 17-Nov-2004 16
  • 19. Scoped Attributes This is a MACE-Dir concept, embodied in the  eduPerson specification. Scoped attributes have two parts:  – Scope = security domain – Value relative to that scope Example: member@ed.ac.uk  A principal may have multiple attribute values:  – within the same scope – in different scopes. Definitely not the answer to all questions of  attribute scoping; work continues. 17-Nov-2004 X
  • 20. Scoped Attributes in Shibboleth Shibboleth 1.1 uses an informal attribute profile.  Scoped Attributes assert a value within a security domain.  In the directory, they are just a DirectoryString.  Scoped attributes have XML structure in this profile.  “Scope” XML attribute expresses security domain.  <Attribute  AttributeName=quot;urn:mace:dir:attribute-def:eduPersonPrincipalNamequot; AttributeNamespace=quot;urn:mace:shibboleth:1.0:attributeNamespace:uriquot;> <AttributeValue Scope=quot;iay.org.ukquot;>iay</AttributeValue> </Attribute> Shibboleth filters such assertions using federation metadata.  17-Nov-2004 X
  • 21. SAML 2 LDAP Attribute Profile SAML 2.0 adds a standardised profile for  encoding all X.500/LDAP attributes. Switch to standardised profile essential for  interoperability. <Attribute  NameFormat=quot;urn:oasis:names:tc:SAML:2.0:attrname-format:uriquot; Name=quot;urn:oid:1.3.6.1.4.1.5923.1.1.1.6quot;> <AttributeValue>iay@iay.org.uk</AttributeValue> </Attribute> No XML structure in encoding of these attributes  in this profile. Shibboleth will still filter according to federation  metadata. 17-Nov-2004 X