Fam12 locationassertion
Location Assertion
Nicole Harris
FAM12
6th November 2012
From Where Are You From to Where Are You Now?
Problem Statement
• Original requirement from the Schools Sector;
• SP Business Case:
  – Primary market is individual home users;
  – Secondary sales to schools for pupils ‘on network’;
• Need to distinguish these cases;
• Desire to move from SP recognising IP to IdP asserting location.
Why not IP authentication?
• Often not granular enough;
• Easy to ‘fake’;
• Difficult to maintain accurately;
• Prone to keying errors;
• Low tech implementations.
Location Assertion Extension
• Extension to Shibboleth;
• Downloadable and implementable now (https://github.com/ukf/ua-attribute-idp-ext);
• Creates attributes at the time of authentication based on IP address of the user agent;
• SP can make decisions based on known location as well as other assertions.
What Does it Look Like?
New Subsidiary attribute and use of eduPersonEntitlement

<resolver:DataConnector id="userAgentAttributes"
        xsi:type="uadc:UserAgentMappedAttributes">
    <uadc:Mapping cidrBlock="217.155.0.0/16"
        attributeId="userAgent"
        attributeValue="http://iay.org.uk/networks/zenInternet"/>
    <uadc:Mapping cidrBlock="82.68.0.0/14"
        attributeId="userAgent"
        attributeValue="http://iay.org.uk/networks/zenInternet"/>
    <uadc:Mapping cidrBlock="192.168.117.19/32"
        attributeId="eduPersonEntitlement"
        attributeValue="http://iay.org.uk/entitlements/kestrel"/>
</resolver:DataConnector>
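The mapping step described above, modelled in Python as an added example (not the extension's own code, which is a Shibboleth IdP plugin): it evaluates the three mappings from the slide against a client address and shows an SP-side check on the result. The function names, the SP policy, and the choice that every matching block contributes its value are assumptions; the client addresses are constructed.

```python
import ipaddress

# (cidrBlock, attributeId, attributeValue) copied from the slide's DataConnector
MAPPINGS = [
    ("217.155.0.0/16", "userAgent", "http://iay.org.uk/networks/zenInternet"),
    ("82.68.0.0/14", "userAgent", "http://iay.org.uk/networks/zenInternet"),
    ("192.168.117.19/32", "eduPersonEntitlement",
     "http://iay.org.uk/entitlements/kestrel"),
]

def compile_mappings(mappings):
    """Parse each block once. strict=True raises ValueError when host bits
    are set, which catches the keying errors that plague hand-kept IP lists."""
    return [(ipaddress.ip_network(cidr, strict=True), attr, value)
            for cidr, attr, value in mappings]

COMPILED = compile_mappings(MAPPINGS)

def resolve_attributes(client_ip, compiled=COMPILED):
    """Return {attributeId: [values]} for every block containing client_ip.
    client_ip must be the address the IdP saw at authentication time."""
    addr = ipaddress.ip_address(client_ip)
    # Dual-stack listeners may report IPv4 clients as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    attrs = {}
    for network, attr, value in compiled:
        if addr.version == network.version and addr in network:
            values = attrs.setdefault(attr, [])
            if value not in values:  # two blocks may assert the same value
                values.append(value)
    return attrs

def sp_on_network(attrs, licensed_network):
    """Hypothetical SP policy: treat the session as 'on network' only when
    the IdP asserted the licensed network in the userAgent attribute."""
    return licensed_network in attrs.get("userAgent", [])

if __name__ == "__main__":
    for ip in ("217.155.10.20", "82.71.255.255", "82.72.0.1", "192.168.117.19"):
        print(ip, resolve_attributes(ip))
```

An address outside every block yields no attributes, so the SP falls back to its default (home user) handling rather than receiving a negative assertion.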
Solving Walk-in?
• Allows Walk-in with BYOD;
• Easy to provision guest accounts that don’t work outside the institutional boundary;
• Able to configure walk-in at a granular level for SPs that don’t allow.
BUT…
Service Provider Implementation
Publishers have to actually consume and react to the attributes being passed.
More information
Blog post:
• http://access.jiscinvolve.org/wp/wayrn2/
The code:
• https://github.com/ukf/ua-attribute-idp-ext