
Token identity example

THIS IS NOT AN EMAIL ADDRESS.... it is a token identity

user@provider

This represents the identity of a user, held by a provider. For now we will call it a 'scoped ID'.

We can assume that the identity is unique within its scope, because we trust the provider to do the right thing: the part after the '@' names the provider that vouches for the identity, so uniqueness only holds relative to that provider, and a scoped ID is only meaningful when it comes from a provider the federation trusts.

Identity

The components that make up your identity are held by the IdP. Since there are many IdPs in the federation, only standard pieces of information (the agreed attribute set) are kept in the IdP. To make matters more interesting, a user is allowed to block any piece of information before it is released to an SP, so an SP cannot assume that every attribute will arrive.

Authentication

This is the job of the provider. It keeps track of users, manages their passwords and tracks their validity (employed or not). Once a user is authenticated, the provider has proven the user's identity and their association with the provider. This information is used later on to store and track authorization.

Authorization

As a user from an institution, I have a valid identity, which my institution checked (thanks, Shibboleth); however, my identity does NOT prove whether I am allowed or blocked from using the services available to communities. Authentication answers "who is this?", not "what may they do here?".

For example, as userA@institution1 I should not be allowed to access userB@institution1's records, nor user1@institution2's records.

Questions

  1. If the service is for the Auscope community, and I am a member of that group, but my identity is held at provider.com, where is that membership record kept?
  2. How can we establish the existence of extra information and link it back to the scoped ID?
  3. Which service, in the chain of services, is the best place to check whether I am a member of Auscope?
  4. How do you maintain this extra information? Who is really responsible for it?

Design

Image: current.png
Comments:
This is the current look at the system.
  1. There is a tight integration between what the IdP provides and what the SP requires. Until now nothing extra has been needed to decide authorization.

Image: auscope-problem.png
Comments:
  1. We now need 'extra' information that is not related to the 'user' at the 'provider' but to a group which the user is a part of.

Image: solution1.png
Comments:
  1. We could store all the extended information we require in a custom VHO (the Auscope VHO).
  2. This would eliminate the need for the provider to store the extra information; it could come from IdP chaining.
  3. This would ONLY work if you signed in from the VHO, and no current implementation of IdP chaining is available.

Image: solution2.png
Comments:
  1. Extra information can be stored at a level where the SP can get it.
  2. Identities can be scoped, so you end up with user@provider being the 'lookup' key in a local store, and validity is checked against the request.
  3. Since the SP only knows about limited things, the fine-grained control here may not be possible (does it have any concept of URL?).

Image: solution3.png
Comments:
  1. Extra information can be stored at a level where the service can get it.
  2. Identities can be scoped, so you end up with user@provider being the 'lookup' key in a local store, and validity is checked against the request.
  3. Services now have to be aware of how to control user access/authorization.

Current Proposed Solution

We take the best ideas from solution 2 and interface them with Apache.

We currently have Location and LocationMatch protection in Apache. These force the user to authenticate and to have an 'attribute' which satisfies the require statement in Apache.

For example:

<Location /twiki>
# Authentication: Basic auth against MySQL (mod_auth_mysql); the flat
# user and group files are deliberately empty so only MySQL is consulted.
AuthName twikiAuscope
AuthType Basic
AuthBasicAuthoritative Off
AuthGroupFile /dev/null
AuthUserFile /dev/null
Auth_MySQL on
.....
# Authorization: the authenticated user must be a member of this group.
require group twikiAuscope
</Location>

The solution here needs to be able to call out to Shibboleth to acquire an identity verification, then, using the scoped identity, call out to an authorization database.

We will label this 'authz chaining'. AuthBasicProvider allows multiple providers to be listed. With require set to an extra attribute provided by the LDAP connector, we should be able to enforce this. One caveat: AuthBasicProvider only chains authentication providers for Basic auth, and Shibboleth uses its own AuthType; the require check is evaluated by whichever authorization module understands that require keyword, so the group lookup against the scoped ID has to come from an authorization module (for example an LDAP group check), and an authenticated identity that the local store does not know must be denied rather than let through.
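As an added example (this is not code from the original page or from the Auscope project), the following Python models the authz-chaining decision described in the token identity, authorization and proposed-solution sections above: the scoped ID handed over by Shibboleth is checked against the trusted providers, used as the lookup key into a local authorization store, and then tested against the group required for the requested location and against record ownership. The provider list, the store contents, the location table and the /twiki/records/<scoped ID>/ URL layout are assumptions constructed for the example.

```python
"""Authorization chaining for a Shibboleth-protected location.

Added example, not code from the original wiki page or the Auscope project.
Models what the proposed solution asks Apache plus an authz store to do:
  1. Shibboleth has already authenticated the user and hands us a scoped
     identity 'user@provider' (as it would via REMOTE_USER or an
     eduPersonPrincipalName header).
  2. That scoped ID is the lookup key into a local authorization store kept
     by the SP/service (constructed in-memory dict here; LDAP or SQL in the
     proposed design).
  3. Access is allowed only if the store says the identity holds the group
     required for the location and, for per-user records, owns the record.
All names and data below are assumptions made up for this example.
"""


class AuthzError(ValueError):
    """Raised when a scoped ID cannot be parsed or its provider is not trusted."""


# Constructed: IdPs in the federation whose assertions we accept.
TRUSTED_PROVIDERS = {"institution1", "institution2", "provider.com"}

# Constructed: the 'extra' information the IdP does not hold.
# scoped ID -> set of community groups the identity belongs to.
AUTHZ_STORE = {
    "userA@institution1": {"twikiAuscope"},
    "userB@institution1": {"twikiAuscope"},
    "user1@institution2": set(),               # known, but not in the group
    "someone@provider.com": {"twikiAuscope"},  # membership is independent of IdP
}

# Constructed: location -> required group, one 'require group ...' per <Location>.
LOCATION_REQUIREMENTS = {
    "/twiki": "twikiAuscope",
}


def parse_scoped_id(scoped_id):
    """Split 'user@provider' and check the provider is a federation member.

    The text after '@' names the IdP that vouches for the user, so an ID is
    only unique, and only meaningful, relative to a provider we trust.
    """
    if scoped_id.count("@") != 1:
        raise AuthzError("malformed scoped id: %r" % (scoped_id,))
    user, provider = scoped_id.split("@")
    if not user or not provider:
        raise AuthzError("malformed scoped id: %r" % (scoped_id,))
    if provider not in TRUSTED_PROVIDERS:
        raise AuthzError("untrusted provider: %r" % (provider,))
    return user, provider


def required_group(path):
    """Longest-prefix match of the request path, as <Location> does.

    Returns the group name, or None when no protected location matches.
    """
    best = None
    for location, group in LOCATION_REQUIREMENTS.items():
        prefix = location.rstrip("/") + "/"
        if path == location or path.startswith(prefix):
            if best is None or len(location) > len(best[0]):
                best = (location, group)
    return best[1] if best else None


def record_owner(path):
    """Owner of a per-user record path /twiki/records/<scoped id>/..., else None.

    This is the fine-grained piece the page says a plain SP cannot express:
    it needs the service's own knowledge of what a URL means.
    """
    parts = path.strip("/").split("/")
    if len(parts) >= 3 and parts[0] == "twiki" and parts[1] == "records":
        return parts[2]
    return None


def authorize(scoped_id, path):
    """Authz chaining: trusted scope -> local store -> group -> ownership.

    Returns (allowed, reason). Every failure is a deny, including an
    authenticated identity that the local store has never heard of.
    """
    try:
        parse_scoped_id(scoped_id)
    except AuthzError as exc:
        return False, str(exc)
    groups = AUTHZ_STORE.get(scoped_id)
    if groups is None:
        return False, "no authorization record for %s" % scoped_id
    group = required_group(path)
    if group is None:
        return True, "location not protected"
    if group not in groups:
        return False, "%s is not a member of %s" % (scoped_id, group)
    owner = record_owner(path)
    if owner is not None and owner != scoped_id:
        return False, "%s may not access records owned by %s" % (scoped_id, owner)
    return True, "authorized"


if __name__ == "__main__":
    print(authorize("userA@institution1", "/twiki"))
    print(authorize("userA@institution1", "/twiki/records/userB@institution1/notes"))
    print(authorize("mallory@evil.example", "/twiki"))
```

The path is assumed to be the already-normalised request path the web server matched (no "..", no encoded slashes); the ownership check deliberately lives beside the group check so that a member of twikiAuscope still cannot read another member's records, which is the distinction the authorization section draws between "is a member" and "may touch this resource".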


You can get Dia for Windows from here.

-- TerryRankine - 14 Nov 2007
Topic attachments

Attachment            Size    Date                 Who
auscope-problem.dia   1.7 K   14 Nov 2007 - 15:28  TerryRankine
auscope-problem.png   8.3 K   14 Nov 2007 - 15:28  TerryRankine
current.dia           1.6 K   14 Nov 2007 - 15:28  TerryRankine
current.png           8.6 K   14 Nov 2007 - 15:28  TerryRankine
solution1.dia         1.9 K   14 Nov 2007 - 15:27  TerryRankine
solution1.png         11.9 K  14 Nov 2007 - 15:27  TerryRankine
solution2.dia         1.9 K   14 Nov 2007 - 15:27  TerryRankine
solution2.png         13.6 K  14 Nov 2007 - 15:27  TerryRankine
solution3.dia         1.9 K   14 Nov 2007 - 15:28  TerryRankine
solution3.png         13.3 K  14 Nov 2007 - 15:28  TerryRankine
Topic revision: r3 - 15 Oct 2010, UnknownUser

Current license: All material on this collaboration platform is licensed under a Creative Commons Attribution 3.0 Australia Licence (CC BY 3.0).