About augmented (attribute) reality


1 About augmented (attribute) reality
A VO concept using SAML 2 and attribute aggregation
Lukas Hämmerle, lukas.haemmerle@switch.ch
Budapest, 17 November 2009

2 Your favorite a-words we will focus on
augment (verb, trans.): make (something) greater by adding to it
aggregate (verb): to gather into a mass, sum, or whole

3 Relation between VO and VO groups
Organizational/social VO definition: a group of individuals collaborating through the use of online services.
A VO can consist of only one single group of users or have multiple (sub)groups.
Group membership and roles are expressed by VO attributes.
(Diagram: example VO containing GroupA with SubgroupC, and GroupB)

4 What is technically relevant for VOs?
It's all about setting and managing (group membership) attributes of VO users!
Example attribute set of a user:
uid=w.tell
givenname=william
surname=tell
mail=national.hero@switzerland.ch
affiliation=staff
entitlement=urn:mace:test:user-attribute
VO-relevant attributes (group membership and role encoded as entitlement values):
entitlement=vo-attribute:swissresistance:groupadmin
entitlement=vo-attribute:freeswitzerland:member

5 The Involved Components
Home Organisation: authenticates and asserts identity information about a user, e.g. a university.
Virtual Organization Platform: set of software used to register and manage members of one or more VOs and allow them to interact with virtual organization services. Consists of an Administration interface, a Data Store and an Attribute Authority (AA) that holds the groups (Group1, Group2, Group3).
Virtual Organization Service: a service used by members of the VO in order to perform their work, e.g. wikis, calendars, file storage etc. Each VO Service hosts one or more applications.

6 Technical Idea to Implement
A VO SP aggregates attributes from two sources:
1. From the user's Home Organisation (attributes are set by the Home Organisation admin)
2. From VO Platform(s) (attributes are set by the VO admin)
The user is identified at both sources by one attribute that is used as shared ID.
(Diagram: user attributes from the Home Organisation and VO attributes from the VO Platform AA are combined; the augmented set of attributes is available to the application at the VO Service.)

7 (Simple) Attribute Aggregation
Home Organisation asserts for the user:
uid=w.tell
givenname=william
surname=tell
affiliation=staff
entitlement=urn:mace:test:user-attribute
...
Shared ID: swissedupersonuniqueid
VO Platform (PoC): GMT interface, MySQL DB, AA. The AA holds the groups SwissResistance and FreeSwitzerland and returns for the shared ID:
entitlement=vo-attribute:swissresistance:groupadmin
entitlement=vo-attribute:freeswitzerland:member
VO Service application sees the merged set:
uid=w.tell
givenname=william
surname=tell
affiliation=staff
entitlement=urn:mace:test:user-attribute
entitlement=vo-attribute:swissresistance:groupadmin
entitlement=vo-attribute:freeswitzerland:member

8 What to use as shared ID/principal identifier?
Has to be known at the user's IdP, the VO services and the VO platform.
Used in the SAML 2 persistent Name Identifier of the attribute request.
Option 1: Common identifier attribute like eduPersonPrincipalName, swissEduPersonUniqueID, mail or similar
Easy to implement and already works today.
Problematic mainly if used for multiple VOs that span multiple organizations, because of data correlation attacks (SP A from VO 1 and SP B from VO 2 could merge their data about the same user).
Option 2: Use eduPersonTargetedID that is generated by the IdP for an SP or for a group of VO SPs using an AffiliationDescriptor in metadata
Not yet implemented in the Shibboleth Identity Provider, due early 2010.

  <EntityDescriptor entityID="...">
    <AffiliationDescriptor affiliationOwnerID="...">
      <AffiliateMember>...</AffiliateMember>
      <AffiliateMember>...</AffiliateMember>
      <AffiliateMember>...</AffiliateMember>
    </AffiliationDescriptor>
  </EntityDescriptor>
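The difference between the two options, as an added example that is not part of the slides: with Option 1 every SP receives the same identifier value, so two VO SPs can join their records on it. With Option 2 the IdP derives a per-relying-party pseudonym; this example derives it the way the Shibboleth IdP's computed-ID connector does (base64 of SHA-1 over relying party, source ID and a per-IdP secret salt), and assumes, for the affiliation case, that the affiliationOwnerID from metadata takes the place of the SP entityID. The salt, the entityIDs and the affiliation table are constructed for the illustration.

```python
# Added example (not from the slides or from Shibboleth): how the choice of
# shared ID decides whether two VO SPs can correlate a user.
import base64
import hashlib

# Per-IdP secret salt; constructed for this example (a real IdP keeps it secret).
IDP_SALT = b"constructed-idp-salt-do-not-reuse"


def targeted_id(relying_party: str, source_id: str, salt: bytes = IDP_SALT) -> str:
    """Option 2: base64(SHA-1(relyingParty + "!" + sourceId + "!" + salt)).

    SHA-1 is used here because that is what the computed-ID connector does;
    the value is a stable pseudonym, not a security hash."""
    data = relying_party.encode() + b"!" + source_id.encode() + b"!" + salt
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


# Affiliations as they would appear in metadata (assumed entityIDs):
# affiliationOwnerID -> set of AffiliateMember entityIDs.
AFFILIATIONS = {
    "https://vo1.example.org/affiliation": {
        "https://wiki.vo1.example.org/shibboleth",
        "https://files.vo1.example.org/shibboleth",
        "https://vo1.example.org/idp/shibboleth",   # the VO platform AA itself
    },
}

SPS = [
    "https://wiki.vo1.example.org/shibboleth",
    "https://files.vo1.example.org/shibboleth",
    "https://wiki.vo2.example.org/shibboleth",      # belongs to a different VO
]


def relying_party_for(sp_entity_id: str) -> str:
    """Scope of the pseudonym: the affiliation the SP belongs to, else the SP itself."""
    for owner, members in AFFILIATIONS.items():
        if sp_entity_id in members:
            return owner
    return sp_entity_id


def option1_ids(common_id: str, sps) -> dict:
    """Option 1: a common identifier such as eduPersonPrincipalName is released unchanged."""
    return {sp: common_id for sp in sps}


def option2_ids(source_id: str, sps) -> dict:
    """Option 2: each SP (or affiliation) gets its own targeted ID."""
    return {sp: targeted_id(relying_party_for(sp), source_id) for sp in sps}


def can_correlate(ids: dict, sp_a: str, sp_b: str) -> bool:
    """True if the two SPs hold the same identifier and could merge their data."""
    return ids[sp_a] == ids[sp_b]


if __name__ == "__main__":
    print(option1_ids("w.tell@switch.ch", SPS))
    print(option2_ids("w.tell", SPS))
```

The VO platform AA has to be an affiliate member as well (it is listed above): it stores the shared ID at enrollment and must be able to match it in later attribute queries, which only works if it sees the same pseudonym as the VO SPs.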

9 How is a user added to a VO?
Most likely: the user is initially invited by e-mail with a token; the e-mail address should be known for most users. This is the scenario used in the following slides.
Alternatives:
Self-enrollment using a VO/group password
Manual VO joining requests that have to be approved/rejected by the VO (group) admin
Attribute-based enrollment using a regular expression

10 Step 1: Invitation token sent by e-mail
User is invited by the VO admin:
Subject: Join the Swiss Resistance
From: VO Group Admin
To: William Tell
You are invited to join the VO group SwissResistance, please click on ...?token=324jcxio34529cj
(Diagram used on this and the following step slides: Home Organisation with the user; VO Platform with Administration, Data Store and AA holding the groups SwissResistance and OtherGroup; VO Service with the application.)

11 Step 2: Authentication at the user's IdP
The user clicks on the invitation link, which points to the VO administration platform; the platform forces the user to authenticate at his Home Organisation's IdP.

12 Step 3: Adding shared ID to group/data store
The IdP provides the user's shared ID attribute to the VO administration, which stores this information in the data store and adds the user to the group assigned to the invitation token.

13 Step 4: Redirection to VO Service
The VO administration (transparently) redirects the user to the VO Service application.

14 Step 5: VO service authentication with SSO
The VO Service SP gets the user's attributes, including the shared ID, from the user's IdP without a new login, due to SSO.

15 Step 6: Simple attribute aggregation
The VO Service SP uses the shared ID of the user to query the VO AA with a standard SAML 2 attribute query and receives the user's VO group attributes.

16 Step 7: VO Service SP uses the aggregated set of attributes
The VO Service SP provides the user's attributes from the user's IdP and from the VO AA to the application.
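Steps 1 to 7 as one runnable model, added here as an example and not code from the slides or from the GMT proof of concept. It shows the checks the VO platform should apply that the slides only imply: the invitation token is random, bound to exactly one group, time-limited and single-use, and the identity stored at redemption is the shared ID asserted by the IdP after step 2, never a value the invitee typed. Class and function names, the token lifetime and the merge rule for multi-valued attributes are assumptions; the entitlement naming follows slide 4.

```python
# Added example (not from the slides): invitation-token enrollment, the AA
# answer to an attribute query, and the SP-side merge of both attribute sets.
import secrets
import time

TOKEN_TTL = 7 * 24 * 3600   # assumed invitation lifetime: one week


class VOPlatform:
    """Administration interface + data store + AA of one VO platform."""

    def __init__(self):
        self.invites = {}   # token -> (group, invitee_mail, role, expires_at)
        self.members = {}   # shared_id -> {group: role}

    # Step 1: the VO admin invites someone by e-mail. The token carries no
    # information itself; the group and role are bound to it server-side.
    def invite(self, group, invitee_mail, role="member", now=None):
        token = secrets.token_urlsafe(32)
        expires_at = (time.time() if now is None else now) + TOKEN_TTL
        self.invites[token] = (group, invitee_mail, role, expires_at)
        return token

    # Step 3: the user has authenticated at the home IdP (step 2); the platform
    # binds the IdP-asserted shared ID to the invited group and burns the token.
    def redeem(self, token, asserted_shared_id, now=None):
        entry = self.invites.pop(token, None)          # single use
        if entry is None:
            raise PermissionError("unknown or already used token")
        group, _invitee_mail, role, expires_at = entry
        if (time.time() if now is None else now) > expires_at:
            raise PermissionError("token expired")
        self.members.setdefault(asserted_shared_id, {})[group] = role
        return group

    def try_redeem(self, token, asserted_shared_id, now=None):
        """Convenience wrapper: the joined group, or None if the token was refused."""
        try:
            return self.redeem(token, asserted_shared_id, now)
        except PermissionError:
            return None

    # Step 6, AA side: answer an attribute query for a shared ID with the
    # group memberships encoded as entitlement values (vo-attribute:<group>:<role>).
    def attribute_query(self, shared_id):
        groups = self.members.get(shared_id, {})
        values = sorted(f"vo-attribute:{g.lower()}:{r}" for g, r in groups.items())
        return {"entitlement": values}


# Step 7, SP side: attributes from the user's IdP and from the VO AA are merged;
# multi-valued attributes (such as entitlement) are unioned, order preserved.
def aggregate(idp_attrs, aa_attrs):
    merged = {name: list(values) for name, values in idp_attrs.items()}
    for name, values in aa_attrs.items():
        bucket = merged.setdefault(name, [])
        bucket.extend(v for v in values if v not in bucket)
    return merged


if __name__ == "__main__":
    vo = VOPlatform()
    token = vo.invite("SwissResistance", "national.hero@switzerland.ch", role="groupadmin")
    print("joined:", vo.try_redeem(token, "w.tell@switch.ch"))
    idp_attrs = {"uid": ["w.tell"], "entitlement": ["urn:mace:test:user-attribute"]}
    print(aggregate(idp_attrs, vo.attribute_query("w.tell@switch.ch")))
```

The attribute query in step 6 is keyed only by the shared ID, so whatever identifier is chosen on slide 8 must be exactly the value the IdP released in step 3; the AA answers with an empty entitlement list for unknown IDs rather than failing, which is what the application sees for a user who is not (yet) a VO member.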

17 Demo
1. Access the demo VO service.
2. Use "AAI Test Home Organisation" (Shibboleth 1.3) as IdP.
3. Authenticate with w.tell / demo as username/password.
4. The entitlement attribute comes from the VO, the other attributes from the user selected above.
5. Click on "Show Shibboleth assertions".
6. Quit the web browser.
7. Access the administration interface as user voadmin/demo.
8. Add w.tell to the group DieEidgenossen.
9. Quit the web browser and continue again with the steps above.

18 Proof-of-Concept using GMT
Uses the SWITCH Group Management Tool (GMT) as a simple VO management interface.
GMT stores its data in a MySQL database so that the group information can be read by the Shibboleth IdP acting as VO AA.
The names of the groups a user is member of are released as entitlement values.
This is only a proof-of-concept for now!

19 Advantages of this approach
No additional protocols needed: it's pure SAML 2, no code changes or hacks are needed at the IdP or the SP.
Simple configuration on the VO SP: approximately 4 lines have to be added. The VO Service application needs no other modifications.
VO service applications get access to VO attributes the same way as any other attribute set by the user's IdP. No additional API required.
Attribute queries to multiple VO platforms are possible too, statically or dynamically based on a configurable attribute value.
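What "pure SAML 2" means on the wire for step 6, as an added example that is neither code from the slides nor from the Shibboleth SP: the VO SP builds a SAML 2 AttributeQuery whose Subject NameID is the shared ID, and before it merges anything from the Response it checks that the Response answers its own query (InResponseTo), carries a Success status, is issued by the expected VO AA, asserts the same subject it asked about and is addressed to this SP. The entityIDs, the constructed sample Response and the query ID are assumptions; XML signature verification and the SOAP/TLS transport are left out and must be handled by the real SP.

```python
# Added example (not from the slides): SAML 2 AttributeQuery construction and
# Response validation for simple attribute aggregation. Assumed identifiers below.
import datetime
import uuid
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP = "https://wiki.vo.example.org/shibboleth"      # assumed VO SP entityID
AA = "https://vo.example.org/idp/shibboleth"       # assumed VO AA entityID
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"   # eduPersonEntitlement
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_attribute_query(shared_id, query_id=None, name_format=UNSPECIFIED):
    """The query the VO SP sends to the VO AA; returns (ID, XML text)."""
    qid = query_id or "_" + uuid.uuid4().hex
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    q = ET.Element(f"{{{NS['samlp']}}}AttributeQuery", ID=qid, Version="2.0", IssueInstant=now)
    ET.SubElement(q, f"{{{NS['saml']}}}Issuer").text = SP
    subject = ET.SubElement(q, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subject, f"{{{NS['saml']}}}NameID", Format=name_format).text = shared_id
    return qid, ET.tostring(q, encoding="unicode")


def parse_attribute_response(xml_text, expected_in_response_to, expected_subject):
    """Validate the AA's Response and return {attribute name: [values]}; raises ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != expected_in_response_to:
        raise ValueError("InResponseTo does not match our query ID")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    attrs = {}
    for assertion in root.findall("saml:Assertion", NS):
        if assertion.findtext("saml:Issuer", namespaces=NS) != AA:
            raise ValueError("assertion not issued by the expected VO AA")
        if assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) != expected_subject:
            raise ValueError("assertion is about a different subject than queried")
        audiences = [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and SP not in audiences:
            raise ValueError("assertion is not addressed to this SP")
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
            attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def response_is_valid(xml_text, expected_in_response_to, expected_subject):
    try:
        parse_attribute_response(xml_text, expected_in_response_to, expected_subject)
        return True
    except ValueError:
        return False


def constructed_response(in_response_to, subject, issuer=AA, audience=SP):
    """A sample Response as the VO AA would send it (constructed for this example)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2009-11-17T10:00:00Z" InResponseTo="{in_response_to}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2009-11-17T10:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{UNSPECIFIED}">{subject}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ENTITLEMENT}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonEntitlement">
        <saml:AttributeValue>vo-attribute:swissresistance:groupadmin</saml:AttributeValue>
        <saml:AttributeValue>vo-attribute:freeswitzerland:member</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    qid, query = build_attribute_query("w.tell@switch.ch")
    print(query)
    print(parse_attribute_response(constructed_response(qid, "w.tell@switch.ch"), qid, "w.tell@switch.ch"))
```

The subject check is the one that matters most for aggregation: the SP is about to attach the returned entitlements to the session of the user identified by the shared ID, so an assertion about any other NameID, or from any other issuer than the configured VO AA, must be dropped rather than merged.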

20 Requirements
VO Service SP: Shibboleth SP >= 2.2. Already available, implements simple attribute aggregation.
User IdP: almost any SAML product. Existing user IdPs don't have to change anything more than they do today. If eduPersonTargetedID is used, AffiliationDescriptor support first must be implemented, due early 2010.
VO Platform AA: any Shibboleth IdP >= 1.3.x. Only has to support attribute requests/queries.
User registration/administration for the VO Platform: partly VO specific (e.g. processes), needs to be implemented. Basically allows VO admins to set attributes for users to declare them as members of a group.

21 It also works in an inter-federation setup
(Screenshot: attributes from the VO Platform aggregated with attributes from the IdP openidp.feide.no)

22 ... and with IdPs using eppn from Sweden
(Screenshot: attributes from the VO Platform aggregated with attributes from the IdP idp.nordu.net)

23 ... and with a non-Shibboleth Python IdP
(Screenshot: attributes from the VO Platform aggregated with attributes from a Python-based IdP)

24 Try it out yourself
Demo instructions: see the demo above. You can't break anything :-)