AAI Attributes Thomas Lenggenhager,

Similar documents
AAI Attributes Thomas Lenggenhager,

AAI Tutorial. SWITCHaai Team

SWITCHpki Service Launch The SWITCHpki Team

Integration of Web Applications

AA Enabling applications Why and how to make web applications AAI ready. Lukas Hämmerle

Installation and Configuration Valéry Tschopp,

What does it take to participate in the AAI?

Technical Background Information

Installation and Configuration Patrik Schnellmann,

Authentication for Web Services. Ray Miller Systems Development and Support Computing Services, University of Oxford

New trends in Identity Management

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

SAML-Based SSO Solution

Supporting a Widely Deployed Campus Shibboleth Implementation

Canadian Access Federation: Trust Assertion Document (TAD)

Identity and Access Management Infrastructure for Oxford University

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Canadian Access Federation: Trust Assertion Document (TAD)

SLCS and VASH Service Interoperability of Shibboleth and glite

A Welcome to Federated Identity Nate Klingenstein, Internet2, USA. Prepared for the Matsuyama University, December 2013

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

Introduction to Operating Systems. Note Packet # 1. CSN 115 Operating Systems. Genesee Community College. CSN Lab Overview

IBM Tivoli Identity Manager V5.1 Fundamentals

Account Checking on a SP

Canadian Access Federation: Trust Assertion Document (TAD)

1. Federation Participant Information DRAFT

Canadian Access Federation: Trust Assertion Document (TAD)

Organizing a Campus Change: Planning for Identity and Access Management Improvements at UF

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Canadian Access Federation: Trust Assertion Document (TAD)

Issuing user certificates with QuoVadis Trust/Link

QuickStart Guide for Mobile Device Management. Version 8.7

John Heimann Director, Security Product Management Oracle Corporation

Johns Hopkins

Faculty Quick Guide to Blackboard. Blackboard Version 9.1. Christine Paige Educational Technology Specialist.

LDAP Directory Integration

Johns Hopkins

VMware Identity Manager Administration

SAML-Based SSO Solution

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Liferay Security Features Overview. How Liferay Approaches Security

Configuration Guide - Single-Sign On for OneDesk

Advanced PDS Topics. Andrew Walsh Team Lead, NA Primo Support Teams

TECHNICAL GUIDE SSO SAML. At 360Learning, we don t make promises about technical solutions, we make commitments.

Do I Really Need Another Account? External Identities for Campus Applications

MIDDLEWARE: SINGLE SIGN ON AUTHENTICATION AND AUTHORIZATION FOR GROUPS

The project is conducted individually The objective is to develop your dynamic, database supported, web site:

OCSP Stapling. Let the web server protect the users! SWITCHpki Team Bern, SWITCH 1

User Directories. Overview, Pros and Cons

LDAP Directory Integration

Lotus IBM WebShere Portal 6 Deployment and Administration.

Canadian Access Federation: Trust Assertion Document (TAD)

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

Shibboleth Plumbing: Implementation and Architecture

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Unfortunately it was not possible to have people from GRID, so the scenario described in this reports is not complete.

SAML-Based SSO Configuration

Greek Research and Technology Network. Authentication & Authorization Infrastructure. Faidon Liambotis. grnet

Faculty Guide to Blackboard

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Shibbolizing uportal and a Path for Delegated Authentication with Shibboleth

Canadian Access Federation: Trust Assertion Document (TAD)

Requirements for ALEPH 500 Installation

SailPoint IdentityIQ 6.4

AppScaler SSO Active Directory Guide

VII. Corente Services SSL Client

WHITE PAPER AIRWATCH SUPPORT FOR OFFICE 365

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

Community Site Quick Guide to Blackboard. Blackboard Version 9.1. Christine Paige Educational Technology Specialist.

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

D9.2.2 AD FS via SAML2

AAI-SSO with Active Directory. Kerberos Login Handler

CHUV CHUV. Vincent Bex Systems Engineer Patrick Zosso Infrastructure Project Manager

AAI at Unil. Home Organization Integration

maxecurity Product Suite

Perceptive DataTransfer

Canadian Access Federation: Trust Assertion Document (TAD)

ArcGIS Server and Portal for ArcGIS An Introduction to Security

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Version 3.3 System Administrator Guide

IAM for Workday: How to Embrace an 800 Pound Gorilla. Michael Brogan & Jonathan Pass UW-IT, Identity & Access Management

Red Hat Directory Server

Open Source in the Corporate World. Open Source. Single Sign On. Erin Mulder

Introduction of Identity & Access Management Federation. Motonori Nakamura, NII Japan

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

SAP GUI 7.30 for Windows Computer

Canadian Access Federation: Trust Assertion Document (TAD)

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

EnterSpace Data Sheet

Xceedium Xsuite. Secured by RSA Implementation Guide for 3rd Party PKI Applications. Partner Information. Last Modified: February 10 th, 2014

VMware Identity Manager Administration

Authorizing Access to SPs. SWITCHaai Team

Canadian Access Federation: Trust Assertion Document (TAD)

Creating links to articles in IVCC library databases Updated March 18, 2014

Identity with Windows Server 2016

Transcription:

AAI Attributes Thomas Lenggenhager, <lenggenhager@switch.ch> 2004 SWITCH

Directories within a AAI Home Organization AAI-enabled Home Organization Authentication System Authentication System any Apache compatible authentication method: LDAP, PAM, RADIUS, TACACS, end-user certificates, Web SSO (e.g. Pubcookie), any Tomcat compatible authentication method: e.g. Web SSO (CAS) User Directory AAI Integration with User Directory via Java APIs LDAP via JNDI Databases via JDBC Login name is the link between the two parts SSO = Single Sign On 2004 SWITCH AAI & Apache Workshop,1.7.2004, Thomas Lenggenhager, Ueli Kienholz, Valéry Tschopp 2

Authorization Attributes AAI transfers user attributes from a Home Organization to a Resource Requires a common understanding of what a value means Authorization Attribute Specification v1.1 http://www.switch.ch/aai/docs/aai_attr_specs.pdf A task force selected the attributes for SWITCHaai minimal set to start with attributes with pre-existing common understanding in line with foreign activities Descriptions are LDIF like, but use of LDAP not required 2004 SWITCH AAI & Apache Workshop,1.7.2004, Thomas Lenggenhager, Ueli Kienholz, Valéry Tschopp 3

Authorization Attributes (2) Personal attributes Unique Identifier Surname Given name E-mail Address(es) Phone number(s) Preferred language Date of birth Gender Group membership Name of Home Organization Type of Home Organization Affiliation (student, staff, faculty, ) Study branch Study level Staff category Group membership Organization Path Organizational Unit Path study branch, study level, staff category are based on SHIS/SIUS username and password are missing only used locally! commonname is missing no common understanding on how to use it 2004 SWITCH AAI & Apache Workshop,1.7.2004, Thomas Lenggenhager, Ueli Kienholz, Valéry Tschopp 4

Granting Access Ueli Kienholz, <kienholz@switch.ch> 2004 SWITCH

Method 1: SWITCHaai Attributes Login: p.mueller PW: 4rtz3w Web-Application Shibboleth Home Organisation HomeOrg = UniZH Affiliation = Student StudyBranch = Medicine StudyLevel = 34 Access Rule: Shibboleth Component HomeOrg = UniZH UniBE UniL Affiliation = Student StudyBranch = Medicine StudyLevel >= 20 2004 SWITCH AAI & Apache Workshop,1.7.2004, Thomas Lenggenhager, Ueli Kienholz, Valéry Tschopp 6

Method 2: Entitlement Login: p.mueller PW: 4rtz3w Web-Application Entitlement = http://secure.app.unibe.ch/content Shibboleth Home Organisation Shibboleth Component Access Rule: Entitlement = http://secure.app.unibe.ch/content 2004 SWITCH AAI & Apache Workshop,1.7.2004, Thomas Lenggenhager, Ueli Kienholz, Valéry Tschopp 7

Method 3: Definition of additional Attributes Login: p.mueller PW: 4rtz3w Web-Application Department = IAM Shibboleth Home Organisation Shibboleth Component Access Rule: Department = IAM 2004 SWITCH AAI & Apache Workshop,1.7.2004, Thomas Lenggenhager, Ueli Kienholz, Valéry Tschopp 8

Method 4: Application has it s own Access Control Shibboleth Home Organisation Login: p.mueller PW: 4rtz3w UniqueID = 235241@ethz.ch Shibboleth Component Web Application Allowed Users Username HB5ghI@unibe.ch 235241@ethz.ch Gz58f7@unibe.ch ktziwlg@unil.ch 2004 SWITCH AAI & Apache Workshop,1.7.2004, Thomas Lenggenhager, Ueli Kienholz, Valéry Tschopp 9

Deployment Valéry Tschopp, <tschopp@switch.ch> 2004 SWITCH

Browser Requirements Cookies Browser redirect SSL If no JavaScript: additional click necessary 2004 SWITCH AAI & Apache Workshop,1.7.2004, Thomas Lenggenhager, Ueli Kienholz, Valéry Tschopp 11

Supported Servers for Target Installations Server OS Windows NT, 2000, XP, 2003 Linux (any blend) Solaris Web Servers Apache 1.3.x Apache 2.x IIS 4.x, 5.x, 6.x 2004 SWITCH AAI & Apache Workshop,1.7.2004, Thomas Lenggenhager, Ueli Kienholz, Valéry Tschopp 12

Supported Applications Static content on Apache or IIS Applications (PHP, Perl,..) running on Apache JAVA-web-applications via mod_jk and Apache List of other shibbolized applications at http://shibboleth.internet2.edu/seas.html * Apple Quicktime Streaming Server * ArtSTOR * Blackboard * CSA * eacademy * EBSCO Publishing * Elsevier ScienceDirect * ExLibris - SFX * EZProxy * Fedora * Gale * Higher Markets * JSTOR * Napster * NSDL * OCLC * Ovid Technologies Inc. * Proquest Information and Learning * SYMPA * TWiki * Web Assign * WebCT * Zope4Edu 2004 SWITCH AAI & Apache Workshop,1.7.2004, Thomas Lenggenhager, Ueli Kienholz, Valéry Tschopp 13

Useful Information for a Target Deployment http://www.switch.ch/aai/deployment.html With links to: Shibboleth Target Deployment Guide (Internet2) Compilation and Installation Guide (SWITCH) SWITCHaai Configuration Guide (SWITCH) SWITCHaai Sample Files (SWITCH) 2004 SWITCH AAI & Apache Workshop,1.7.2004, Thomas Lenggenhager, Ueli Kienholz, Valéry Tschopp 14

Server Certificates Ueli Kienholz, <kienholz@switch.ch> 2004 SWITCH

Why are Server Certificates important? Can I trust this Resource and send User Attributes to it? Attribute Request HomeOrg User Attributes Resource aai.do main.c h SWITCH CA Can I trust this HomeOrg and rely on the User Attributes that were sent to me? host.d omain. ch SWITCH CA 2004 SWITCH AAI & Apache Workshop,1.7.2004, Thomas Lenggenhager, Ueli Kienholz, Valéry Tschopp 16

SWITCHpki Service The SWITCHpki Team pki@switch.ch http://www.switch.ch/pki/ 2004 SWITCH

Introduction Motivation for SWITCHpki Requirement of AAI Project: server certificates protecting backend communication PKI initiatives within our community could benefit from a common service What happened so far? AAI-TF-CA: Taskforce within AAI project Produced a CP/CPS draft, recommending SWITCH to make a service out of it SWITCH took this up, engaged SwissSign as consultant and potential outsourcing partner and drafted a new CP/CPS Result rediscussed in AAI-TF-CA and made into the service being presented today 2004 SWITCH 2

SWITCHpki - CA Structure SWITCH CA SWITCH Server CA SWITCH Personal CA Potential additional CAs 2004 SWITCH 3

CA Structure SwissSign & SWITCHpki SwissSign Root SwissSign Bronze SwissSign Silver SWITCH CA SwissSign Gold SWITCH Server CA SWITCH Personal CA Potential additional CAs RA RARARA RA RARARA SwissSign Platin 2004 SWITCH 4

Roles, Entities: Underlying Principles Correctness of information Included information must be correct E.g. no nicknames, pseudonyms need to be marked as such Verifiability of information Included information must be verifiable and meaningful E.g. organisation names must be registered somewhere Auditability All contents of signed information in certificates must be supported with some form of documentation attainable in reasonable time (e.g. during an audit) 2004 SWITCH 5

SWITCHpki Participants & Contacts current list available at: http://www.switch.ch/pki/participants.html 2004 SWITCH 6

SWITCHpki Participants & Contacts Site ETH Fachhochschule Aargau Universität Bern Université de Fribourg Université de Genève Université de Lausanne Universität Zürich Contact Person(s) Dolores Parravicini Brigitte Malacarne Martin Sorg Christian Heim Roland Trummer Peter Geiser Bruno Vuillemin Dominique Petitpierre Alexandre Roy David Meier, Jann Forrer Luzian Scherrer,Roberto Mazzoni 2004 SWITCH 7

Request a Certificate http://www.switch.ch/aai/certificates.html http://www.switch.ch/pki/manage.html 2004 SWITCH 8

Documents & further information CP/CPS, detailed slides Certificate Policy and Certification Practise Statement (CP/CPS) http://www.switch.ch/pki/switch_cp-cps200401.pdf http://www.switch.ch/pki/switchpki_launch.pdf 2004 SWITCH 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback