
Australian Access Federation Shibboleth Trust Federation. AARNet Ozeconference - Identity Management Primer 3, 23rd July 2007. Neil Witheridge nwitheridge@melcoe.mq.edu.au, Program manager, Meta Access Management System (MAMS) Project, Macquarie E-Learning Centre of Excellence (MELCOE)



  1. Australian Access Federation Shibboleth Trust Federation
     AARNet Ozeconference - Identity Management Primer 3, 23rd July 2007
     Neil Witheridge nwitheridge@melcoe.mq.edu.au, Program manager, Meta Access Management System (MAMS) Project, Macquarie E-Learning Centre of Excellence (MELCOE), Macquarie University
     META ACCESS MANAGEMENT SYSTEM

  2. MAMS Project
     • Meta Access Management System project
     • Funded by DEST under the “Systemic Infrastructure Initiative” for Australian Higher Education
     • Apply Federated Identity and Access Management with the aim of facilitating increased research effectiveness: “At the heart of the middleware required to unleash research potential is the cluster of services described as identity and access management”.
     • Provide a secure infrastructure for inter-institutional sharing of research data and other resources

  3. Trust Federation Entities
     • Shibboleth - an open source implementation of the OASIS open standard Security Assertion Markup Language (SAML)
     (Diagram) Users: each user belongs to an organisation which manages their identity, and users have privacy concerns. Identity Providers: secure identity management is a core business requirement. Service Providers: provide services accessible via the web; want to focus on core business and avoid the risks of managing users’ confidential information. Identity Providers and Service Providers trust each other and exchange user attributes by SAML transfer. Federation Manager: WAYF, Federation Metadata, Shared Services, Federation Policies, News, alerts & updates.

  4. Shibboleth Protocol
     (Diagram) Identity Provider: Local Authentication (Authenticate), User Directory (User Attributes), Attribute Release Policies, Single Sign On. Service Provider: Shibboleth SP HTTP Filter, Protected Web Application, Authorisation. Between them: WAYF, User Handle, SAML Request / Response.

  5. Shibboleth provides...
     • Federated IAM infrastructure: software components, secure protocol & metadata definitions
     • Implements SAML for secure transfer of user attributes
       • Authentication and Attribute statements
     • Secure transport & message layer transactions through use of PKI
       • Mutual authentication for Server-Server (IdP-SP) transactions
     • Inter-institutional single-sign-on through use of session cookies
       • Shib 2.0 will deliver Single Sign Out
     • Privacy protection via attribute release policies
       • Potential for end-user control of release of attributes to SPs

  6. User Attribute Release Management
     (Diagram) The Service Provider publishes a Service Description with service levels: Service Level A, e.g. view wiki, attributes a,b,c; Service Level B, e.g. edit wiki, attributes a,b,c,d. The IdP Admin imports the Service Description and chooses a service level (e.g. B) to create Attribute Release Policies (ARPs) at Site, Group or User scope using ShARPE (Shibboleth ARP Editor). User approval of attribute release: Autograph.
     One aspect of “TRUST”: effective identity management. User attributes rightly asserted, with agreed syntax, semantics, and constraints.
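A deny-by-default evaluation of the two-level wiki ARPs on this slide, as an added example (not MAMS, ShARPE or Autograph code): the SP's service description names the attributes each level needs, the IdP admin's site, group and user ARPs say what may go to that SP, the user's own approval can veto, and only the intersection is asserted. Attribute names a..d are the slide's; the SP entityID, user ids and group names are constructed.

```python
# Constructed example of attribute release policy (ARP) evaluation at an IdP.
# Attribute names a..d follow the slide; entity IDs, user ids and groups are made up.

SP_WIKI = "https://wiki.example.edu.au/shibboleth"   # constructed SP entityID

# Service Description published by the SP: what each service level needs.
SERVICE_DESCRIPTION = {
    "A": {"purpose": "view wiki", "requires": {"a", "b", "c"}},
    "B": {"purpose": "edit wiki", "requires": {"a", "b", "c", "d"}},
}

# IdP admin's ARPs at site, group and user scope. Anything not listed is denied.
ARP = {
    "site":  {SP_WIKI: {"a", "b"}},                 # released for everyone at this IdP
    "group": {"staff": {SP_WIKI: {"c", "d"}}},      # staff group imported for level B
    "user":  {"u12345": {SP_WIKI: {"c"}}},          # one student granted level A only
}

# Constructed user record; "e" is never requested and must never be released.
USER_ATTRS = {"a": "tid-9f3c", "b": "member@example.edu.au",
              "c": "Jo Bloggs", "d": "jo@example.edu.au", "e": "internal-only"}


def permitted_by_admin(user_id, groups, sp):
    """Union of site, group and per-user permits for this SP (deny by default)."""
    allowed = set(ARP["site"].get(sp, set()))
    for g in groups:
        allowed |= ARP["group"].get(g, {}).get(sp, set())
    allowed |= ARP["user"].get(user_id, {}).get(sp, set())
    return allowed


def release(user_id, groups, user_attrs, sp, level, user_denied=frozenset()):
    """Return (released, missing): attributes the IdP asserts to `sp` for `level`,
    and those the level needs but policy or the user's veto withheld."""
    if level not in SERVICE_DESCRIPTION:
        raise ValueError(f"unknown service level {level!r}")
    wanted = SERVICE_DESCRIPTION[level]["requires"]
    # Admin ARP first, then the user's own veto (Autograph-style approval).
    allowed = permitted_by_admin(user_id, groups, sp) - set(user_denied)
    # Minimal release: only attributes the level needs AND policy permits.
    released = {k: v for k, v in user_attrs.items() if k in wanted and k in allowed}
    return released, wanted - set(released)


if __name__ == "__main__":
    print(release("u99", ["staff"], USER_ATTRS, SP_WIKI, "B"))            # all of a..d
    print(release("u12345", [], USER_ATTRS, SP_WIKI, "B"))                # d withheld
    print(release("u99", ["staff"], USER_ATTRS, SP_WIKI, "B", {"d"}))     # user vetoed d
```

A non-empty `missing` set is the signal to the SP that the user cannot be given that service level, which is the privacy trade-off the slide describes: the IdP never releases more than the ARP and the user allow.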

  7. MAMS Testbed Federation
     http://federation.org.au/FedManager/listMembers.do
     “Level-2” Federation (at 26/6/07; Level 2 = known institutions): 21 Service Providers, 19 Identity Providers (~900,000 identities)

  8. MAMS Mini-Grant Program
     Round 1 (Feb 2006):
     • AARNet: IdP, ENUM SP
     • Griffith Uni: IdP, IT Department Wiki SP
     • Uni of Qld: IdP, eSpace Fedora+Fez SP
     • Qld Uni of Technology: ATN IdPs, eGrad School SP
     • Uni of Sydney: IdP, NANO image database SP
     Round 2 (Jul 2006):
     • Deakin Uni: IdP, eLectures SP
     • James Cook Uni: IdP, JCU/AIMS data access SP
     • Melbourne Uni: IdP, LIGO data access SP
     • Monash Uni: IdP, Shibbolised SRB SP
     • Murdoch Uni: IdP, Online Librarian SP
     • Curtin Uni: 5 IdPs (WAGUL), Reciprocal Borrowing SPs

  9. Demo: Shibboleth SP examples
     • Information Repository Service
       • UQ ePrints Service ( https://espace.library.uq.edu.au/ )
     • Collaborative Tools
       • Shibboleth Wiki
     • Sharing Library Service
       • WAGUL Reciprocal Borrowing
       • Borrower Registration, Workstation Authentication
     • Database Access Service
       • UQ/USyd NANO Project
       • Image database
     One name and password = access to many services.

  10. AAF Shib Trust Fed Schedule
     • Integration & Testing (2007)
       • Technology
         • Federation Management interfaces
         • AusCERT PKI Interfaces
         • Shared (‘Federation level’) Services
         • Grid Services interfaces
         • High-availability infrastructure
       • SP/IdP Deployment assistance
       • Policy Development
       • Outreach (workshops, roadshows)
       • AAF Minigrant projects
     • Release 1 (early 2008)
       • Bootstrapping phase
       • IdP implementation assistance
     • Release 2 (late 2008)

  11. AAF Shib Trust Fed Components
     (Diagram) AAF Shibboleth Trust Federation (Release 1). Shared / Hosted Services: AusCERT PKI, AAF PKI (CA / RA), Federation Manager, IdP Support, Grid Services, Federation Hosted IdPs, WAYF (Where Are You From), VHO. Members: many IdPs and SPs. Grid Services: CA / RA, SLCS/MICS CA / RA, Trad PKI, Institutional Proxy Certs, Virtual Organisations, VOMS, GS and VGS grid services.

  12. Services & Applications
     • Shared/Hosted Services
       • e.g. Federated Directory Search
     • Shibboleth enabled applications & collaboration tools
       • Repositories (e.g. DSpace, Fedora)
       • Wikis (e.g. Confluence)
       • Action/defect tracking (e.g. JIRA)
       • Secure Instant Messaging (e.g. for HelpDesk)
     • eResearch VO Toolkit (MAMS’ IAMSuite)
     • Grid Services Interoperability

  13. Summary
     • AAF Shibboleth Trust Federation will
       • provide a secure infrastructure for sharing of resources between member institutions
       • facilitate secure collaborative research & sharing of research data & other resources
       • provide a set of services and resources promoting efficient & effective use of the AAF
       • provide secure VO infrastructure
       • provide for privacy control of individual users

  14. Thank you. Questions?
     Links:
     • MAMS Testbed Federation: http://www.federation.org.au/
     • MAMS Project: http://www.melcoe.mq.edu.au/projects/MAMS/
     • MAMS CMS: https://mams.melcoe.mq.edu.au/zope/mams
     • Software downloads: http://www.federation.org.au/software
