Attributes in eduGAIN

tnc2009.terena.org

Kristof Bajnok, NIIF/Hungarnet

TNC2009, Málaga, 10th June 2009

connect • communicate • collaborate


eduGAIN in a nutshell

eduGAIN connects identity federations

confederation of federations

each federation maintains its

– trust links

– protocols

– attribute schema

eduGAIN is also a software

developed by GN2 JRA5

– 1.0 released in April 2009

– maintained by GN3 SA3


eduGAIN in a nutshell


eduGAIN fully bridged

H-BE: Home Bridging Element
– SP in the federation
– IdP in eduGAIN

MDS: MetaData Service

R-BE: Remote Bridging Element
– IdP in the federation
– SP in eduGAIN


eduGAIN fully connected

IdPs and SPs are integrated into eduGAIN without Bridging Elements

by using SAML2


eduGAIN hybrid


Attributes

Identity federations are based on user attributes

Every federation has its own attribute specification and requirements

It's not possible to create an ultimate specification that
– is based on a common subset of federation attribute usage
– satisfies every possible inter-federation scenario
– does not limit local trust relations

Some federations might want to develop a closer relationship, which might require exchanging additional (bilaterally agreed) attributes


Attribute conversion challenges

Sometimes only the name differs

$eduPersonPrincipalName = $swissEduPersonUniqueId

Sometimes the information is available, but not in the form that others expect

SWITCHaai does not implement eduPersonScopedAffiliation
– but there is homeOrganization and eduPersonAffiliation

$eduPersonScopedAffiliation = $eduPersonAffiliation . '@' . $homeOrganization


Semantic differences

Some attributes may hold different meanings across federations

eduPersonAffiliation is the famous example

There are cases where the appropriate attribute value can be derived from other attributes
– schacHomeOrganizationType, etc.

The SCHAC schema addresses this problem by using URNs to represent possibly different semantic content


Attribute mangling library

Includes attribute conversion and filtering

Part of eduGAIN software

built into the bridging elements (both home and remote)

– Java

– simpleSAMLphp

configured with XML files

uses Regular Expressions


Attribute mangling


Example: Adding static attributes, renaming attributes

SWITCHaai

Rename attribute swissEduPersonUniqueId to eduPersonPrincipalName

${swissEduPersonUniqueId}




Example: Splitting attributes

Split eduPersonScopedAffiliation into eduPersonAffiliation and homeOrganization

^([^@]+)@(.+)$

${scopedAffiliation[1]}

${scopedAffiliation[2]}




Example: Adding optional attributes

Create preferredLanguage only if not supplied

hu, en-gb;q=0.8, en;q=0.7




The problem with eduPersonTargetedID

Many federations implemented eduPersonTargetedID as a simple "scoped" attribute:


84e411ea-7daa-4a57-bbf6-b5cc52981b73


although it should (now) contain something like this [1]:


84e411ea-7daa-4a57-bbf6-b5cc52981b73


[1]: https://spaces.internet2.edu/display/SHIB2/NativeSPTargetedID


(Advanced) Example: Sanitize eduPersonTargetedID

(.*)

(.*)

(.*)@.*

${eptid[1]}
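The conversion rules on the preceding slides (rename swissEduPersonUniqueId, derive eduPersonScopedAffiliation from eduPersonAffiliation and homeOrganization and split it again with ^([^@]+)@(.+)$, add preferredLanguage only when missing, and strip the scope from a "scoped" eduPersonTargetedID so that ${eptid[1]} can be re-issued as a persistent NameID) worked through as an added Python example. It is not the eduGAIN attribute mangling library (which is Java and simpleSAMLphp, configured in XML) and does not use its configuration syntax; the rule functions, the SWITCHaai-style sample attributes and the two entityIDs used as NameQualifier and SPNameQualifier are constructed for the illustration.

```python
import re
from typing import Dict, List
from xml.sax.saxutils import escape, quoteattr

# SAML attributes are multi-valued: attribute name -> list of string values
Attributes = Dict[str, List[str]]

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def _copy(attrs: Attributes) -> Attributes:
    """Copy the value lists too, so a rule never mutates the caller's assertion data."""
    return {name: list(values) for name, values in attrs.items()}


def rename(attrs: Attributes, old: str, new: str) -> Attributes:
    """'Only the name differs': $eduPersonPrincipalName = $swissEduPersonUniqueId."""
    out = _copy(attrs)
    if old in out:
        out[new] = out.pop(old)
    return out


def join_scoped_affiliation(attrs: Attributes) -> Attributes:
    """eduPersonScopedAffiliation = eduPersonAffiliation . '@' . homeOrganization,
    derived only when the source federation did not supply the scoped form."""
    out = _copy(attrs)
    if "eduPersonScopedAffiliation" in out:
        return out
    affiliations = out.get("eduPersonAffiliation", [])
    orgs = out.get("homeOrganization", [])
    if affiliations and orgs:
        out["eduPersonScopedAffiliation"] = [f"{a}@{orgs[0]}" for a in affiliations]
    return out


SCOPED_RE = re.compile(r"^([^@]+)@(.+)$")  # the slides' split expression


def split_scoped_affiliation(attrs: Attributes) -> Attributes:
    """The inverse: ${scopedAffiliation[1]} -> eduPersonAffiliation,
    ${scopedAffiliation[2]} -> homeOrganization."""
    out = _copy(attrs)
    for value in out.get("eduPersonScopedAffiliation", []):
        m = SCOPED_RE.match(value)
        if m is None:
            continue  # not of the form affiliation@scope: leave the value alone
        out.setdefault("eduPersonAffiliation", []).append(m.group(1))
        orgs = out.setdefault("homeOrganization", [])
        if m.group(2) not in orgs:
            orgs.append(m.group(2))
    return out


def add_default(attrs: Attributes, name: str, value: str) -> Attributes:
    """Static attribute, added only if the IdP did not supply one (preferredLanguage)."""
    out = _copy(attrs)
    out.setdefault(name, [value])
    return out


EPTID_SCOPED_RE = re.compile(r"^(.*)@.*$")  # ${eptid[1]} is everything before the '@'


def sanitize_eptid(attrs: Attributes, idp_entity_id: str, sp_entity_id: str) -> Attributes:
    """Turn a 'scoped' eduPersonTargetedID (opaque@scope) into a SAML 2.0 persistent
    NameID. Assumption: the bridging element knows both peers' entityIDs and uses them
    as NameQualifier (IdP) and SPNameQualifier (SP); values that already look like an
    XML element are passed through untouched."""
    out = _copy(attrs)
    fixed = []
    for value in out.get("eduPersonTargetedID", []):
        if value.lstrip().startswith("<"):
            fixed.append(value)
            continue
        m = EPTID_SCOPED_RE.match(value)
        opaque = m.group(1) if m else value  # strip the scope if there is one
        fixed.append(
            f'<saml:NameID Format="{PERSISTENT}" '
            f"NameQualifier={quoteattr(idp_entity_id)} "
            f"SPNameQualifier={quoteattr(sp_entity_id)}>"
            f"{escape(opaque)}</saml:NameID>"
        )
    if fixed:
        out["eduPersonTargetedID"] = fixed
    return out


def convert_switchaai(attrs: Attributes, idp_entity_id: str, sp_entity_id: str) -> Attributes:
    """The slides' SWITCHaai rule set, applied in order by a home bridging element."""
    out = rename(attrs, "swissEduPersonUniqueId", "eduPersonPrincipalName")
    out = join_scoped_affiliation(out)
    out = add_default(out, "preferredLanguage", "hu, en-gb;q=0.8, en;q=0.7")
    return sanitize_eptid(out, idp_entity_id, sp_entity_id)


# Constructed sample: what a SWITCHaai IdP might hand to the home bridging element.
SAMPLE_SWITCHAAI: Attributes = {
    "swissEduPersonUniqueId": ["123456@example.ch"],
    "eduPersonAffiliation": ["staff", "member"],
    "homeOrganization": ["example.ch"],
    "eduPersonTargetedID": ["84e411ea-7daa-4a57-bbf6-b5cc52981b73@example.ch"],
}

if __name__ == "__main__":
    result = convert_switchaai(SAMPLE_SWITCHAAI,
                               "https://idp.example.ch/idp", "https://sp.example.hu/sp")
    for name, values in sorted(result.items()):
        print(f"{name}: {values}")
```

Each rule returns a fresh copy, so the order of application is explicit in convert_switchaai and a rule can never leak a change into the assertion it was given; that matters when the same incoming attributes are converted differently for different peers.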





Attribute Filtering

Allow / deny releasing attributes based on
– attribute name
– attribute value
– remote peer's name
– local (source or destination) provider (Java only)
– each as regular expressions
– any combination of the above
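The filtering model above, as an added Python example rather than the eduGAIN library's own Java or simpleSAMLphp code: each rule is a combination of regular expressions over attribute name, attribute value, remote peer and local provider, and a value is released only when an allow rule matches it. First-match-wins evaluation and the default deny are assumptions of this illustration, as are the rule set, the entityIDs and the sample user attributes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

Attributes = Dict[str, List[str]]


@dataclass(frozen=True)
class FilterRule:
    """One allow/deny rule. Every field is a regular expression that must match the
    whole subject; '.*' means 'do not care', so any combination of criteria works."""
    action: str                # "allow" or "deny"
    attribute: str = r".*"     # attribute name
    value: str = r".*"         # attribute value
    peer: str = r".*"          # remote peer's entityID
    local: str = r".*"         # local (source or destination) provider's entityID

    def matches(self, name: str, value: str, peer: str, local: str) -> bool:
        checks = ((self.attribute, name), (self.value, value),
                  (self.peer, peer), (self.local, local))
        return all(re.fullmatch(pattern, subject) is not None for pattern, subject in checks)


def _decide(rules: List[FilterRule], name: str, value: str,
            peer: str, local: str, default: str) -> str:
    """First matching rule decides; otherwise the default applies."""
    for rule in rules:
        if rule.matches(name, value, peer, local):
            return rule.action
    return default


def filter_attributes(attrs: Attributes, rules: List[FilterRule],
                      peer: str, local: str, default: str = "deny") -> Attributes:
    """Evaluate the rules per attribute value, so a single unexpected value can be
    dropped while the rest of the attribute is released. Default deny is an
    assumption: nothing leaves that is not explicitly allowed."""
    released: Attributes = {}
    for name, values in attrs.items():
        kept = [v for v in values if _decide(rules, name, v, peer, local, default) == "allow"]
        if kept:
            released[name] = kept
    return released


# Constructed policy for a home bridging element in front of idp.example.hu.
RULES = [
    # eduPersonTargetedID only to one named SP, and only when issued by this IdP
    FilterRule("allow", attribute="eduPersonTargetedID",
               peer=r"https://sp\.example\.hu/.*", local=r"https://idp\.example\.hu/.*"),
    # affiliation values outside the agreed vocabulary are never released
    FilterRule("allow", attribute="eduPersonAffiliation", value=r"member|student|staff|faculty"),
    # these identifiers may go to any peer
    FilterRule("allow", attribute=r"eduPersonPrincipalName|eduPersonScopedAffiliation"),
    # everything else (e.g. mail) falls through to the default deny
]

SAMPLE_USER: Attributes = {  # constructed sample assertion content
    "eduPersonPrincipalName": ["alice@example.hu"],
    "eduPersonAffiliation": ["staff", "library-walk-in"],
    "eduPersonTargetedID": ["84e411ea-7daa-4a57-bbf6-b5cc52981b73"],
    "mail": ["alice@example.hu"],
}

if __name__ == "__main__":
    for peer in ("https://sp.example.hu/shibboleth", "https://sp.example.org/shibboleth"):
        print(peer, filter_attributes(SAMPLE_USER, RULES, peer, "https://idp.example.hu/idp"))
```

Anchoring every pattern with re.fullmatch is deliberate: a rule written as "eduPersonAffiliation" must not also match "eduPersonAffiliationExtra", and a peer pattern must cover the whole entityID, which is the usual mistake when regular expressions are searched rather than matched.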


simpleSAMLphp module

Attribute Conversion & Filtering can be used for a standalone IdP/SP as a module of simpleSAMLphp

Fits scenarios where
– data in the local identity database is not in the format required by the federation
– it is necessary to provide custom values to some SPs
– the application behind the SP needs data in a special format
– more advanced attribute filtering is needed, e.g. filtering based on attribute values


Thank you!


http://wiki.edugain.org

https://www.aai.niif.hu/software

aai@niif.hu
