Shibboleth and uApprove at University of Michigan


Presentation Transcript


  1. Shibboleth and uApprove at University of Michigan
  Luke Tracy – ltracy@umich.edu
  Ken Hammer – khammer@umich.edu

  2. What is uApprove?
  • Developed by SWITCHaai under BSD License
  • http://www.switch.ch/aai/support/tools/uApprove.html
  • Purposes:
    • For the user, a mechanism to be informed about the release of attributes to a Service Provider (SP).
    • For the admin of an Identity Provider (IdP):
      • Provides a tool to implement data protection laws by requiring user consent to be obtained before personal attributes are released to an SP
      • Allows for collection of information about the release of attributes and accesses to SPs (if configured to do so).
  Source: http://www.switch.ch/aai/support/tools/uApprove.html on June 15, 2010.

  3. What is uApprove?
  • From the user's point of view, uApprove is an application which presents a webpage, on which to
    • accept or decline the Terms of Use of a Shibboleth Identity Provider upon first access to the system (optional)
    • globally accept the release of attributes to any/all Service Providers
    • accept the release of attributes upon first access to a given Service Provider (if the global release has not been approved)
  Note: The user can reset attribute release consent on a separate webpage, such that he/she will be asked again whenever attributes have to be released.
  Source: http://www.switch.ch/aai/support/tools/uApprove.html on June 15, 2010.

  4. U of M Attribute Release
  • InCommon IdP had been operating in Pilot Mode
    • Opt-in required
    • Temporarily provided means to approve the release of identity data
  • To move beyond Pilot
    • Remove barriers
    • Make more self-describing

  5. Governance Board
  • Investigated how others were handling privacy concerns around attribute release
  • Found a common desire existed to be able to have individuals approve the release of attributes
  • Saw mention of uApprove being used within SWITCH
  • Demonstrated uApprove to the IDM Governance Board
  • Liked it, but had issues with changes to data and privacy settings after approval to release
  • Looked into methods of detecting state changes and forcing re-approval

  6. uApprove
  • Determined the best method was to prompt each time (until a more elegant solution was possible, maybe)
  • Discussed with the uApprove developers a method for forcing the prompt every time
  • Decided together that in the short term, using database triggers was optimal

  7. Demo

  8. User Visits Site and Selects Home University

  9. User Logs In Using Our Single Sign On Tool

  10. User is presented with the uApprove screen

  11. If the user declines…

  12. If the user approves…

  13. uApprove configuration
  • Can use a flat file or a MySQL database for preferences
  • Can be disabled on a per-SP basis
  • Can configure which attributes are displayed and in what order
  • Optional “Terms of Use” screen
  • Multiple options for resetting preferences

  14. Normally, uApprove looks like this…
  • Presentation controlled by .jsp templates
  • Template text strings stored separately to make translation easy

  15. U-M localizations
  • Database trigger / cron job combination to effect our desired login behavior
  • Applied our SSO “skin” to the application
  • Changed text to better suit our audience
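As an added illustration (not code from the presentation or from uApprove itself) of the two points above, the Governance Board's concern about data changing after consent was given (slide 5) and the interim "prompt every time" behaviour U-M implemented with a trigger/cron job (slides 6 and 15), the following Python models consent that is bound to a fingerprint of the released attribute names and values. The store layout, function names and the sample SP and attribute values are assumptions.

```python
# Added example, not uApprove's own code. Models per-SP consent that is
# invalidated when the released attribute names or values change, plus the
# "prompt every time" switch U-M used. Schema and names are assumptions.
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class ConsentStore:
    # {(user, sp_entity_id): fingerprint}; a deployment would keep this in MySQL
    records: dict = field(default_factory=dict)
    prompt_every_time: bool = False  # U-M's interim behaviour (trigger/cron)


def fingerprint(attributes: dict) -> str:
    """Order-independent hash over attribute names and their values."""
    canonical = json.dumps({k: sorted(v) for k, v in attributes.items()},
                           sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def needs_consent(store, user, sp, attributes) -> bool:
    """True when the uApprove screen must be shown before releasing."""
    if store.prompt_every_time:
        return True
    return store.records.get((user, sp)) != fingerprint(attributes)


def record_consent(store, user, sp, attributes):
    """Store consent bound to exactly the names and values the user saw."""
    store.records[(user, sp)] = fingerprint(attributes)


def reset_consent(store, user):
    """Equivalent of the user-facing reset page: forget a user's consents."""
    for key in [k for k in store.records if k[0] == user]:
        del store.records[key]


def demo():
    """First visit prompts, a repeat does not, a changed value prompts again."""
    store = ConsentStore()
    sp = "https://sp.example.org/shibboleth"  # constructed SP entityID
    attrs = {"displayName": ["Ann Arbor"], "mail": ["ann@example.edu"]}
    first = needs_consent(store, "ann", sp, attrs)
    record_consent(store, "ann", sp, attrs)
    second = needs_consent(store, "ann", sp, attrs)
    changed = {"mail": ["ann@example.edu"], "displayName": ["Ann B. Arbor"]}
    third = needs_consent(store, "ann", sp, changed)
    return first, second, third
```

Setting prompt_every_time reproduces the slide 6 behaviour without any fingerprint comparison; leaving it off gives the re-approval-on-change behaviour the board asked about.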

  16. attribute-resolver.xml
  <!-- DisplayName and DisplayDescription are what uApprove shows the user for this attribute -->
  <resolver:AttributeDefinition id="displayName" xsi:type="Simple"
          xmlns="urn:mace:shibboleth:2.0:resolver:ad"
          sourceAttributeID="displayName">
      <resolver:Dependency ref="mcomm" />
      <resolver:DisplayName xml:lang="en">Full Name</resolver:DisplayName>
      <resolver:DisplayDescription xml:lang="en">
          This is your full name.
      </resolver:DisplayDescription>
      ...
  </resolver:AttributeDefinition>

  17. Resources
  • uApprove - http://www.switch.ch/aai/support/tools/uApprove.html
  • U-M InCommon Attribute Release Policy and Procedure - http://www.itd.umich.edu/itcsdocs/r1465/
