Fam12 locationassertion

Location Assertion Nicole Harris FAM12 6th November 2012

Transcript of Fam12 locationassertion

Page 1: Fam12 locationassertion

Location Assertion

Nicole Harris
FAM12

6th November 2012

Page 2: Fam12 locationassertion

From "Where Are You From?" to "Where Are You Now?"

Page 3: Fam12 locationassertion

Problem Statement

• Original requirement from the Schools Sector;
• SP Business Case:
  – Primary market is individual home users;
  – Secondary sales to schools for pupils ‘on network’;
• Need to distinguish these cases;
• Desire to move from SP recognising IP to IdP asserting location.

Page 4: Fam12 locationassertion

Why not IP authentication?

• Often not granular enough;
• Easy to ‘fake’;
• Difficult to maintain accurately;
• Prone to keying errors;
• Low tech implementations.

Page 5: Fam12 locationassertion

Location Assertion Extension

• Extension to Shibboleth;
• Downloadable and implementable now (https://github.com/ukf/ua-attribute-idp-ext);
• Creates attributes at the time of authentication based on IP address of the user agent;
• SP can make decisions based on known location as well as other assertions.

Page 6: Fam12 locationassertion

What Does it Look Like?

New Subsidiary attribute and use of eduPersonEntitlement

<resolver:DataConnector id="userAgentAttributes" xsi:type="uadc:UserAgentMappedAttributes">
    <uadc:Mapping cidrBlock="217.155.0.0/16" attributeId="userAgent" attributeValue="http://iay.org.uk/networks/zenInternet"/>
    <uadc:Mapping cidrBlock="82.68.0.0/14" attributeId="userAgent" attributeValue="http://iay.org.uk/networks/zenInternet"/>
    <uadc:Mapping cidrBlock="192.168.117.19/32" attributeId="eduPersonEntitlement" attributeValue="http://iay.org.uk/entitlements/kestrel"/>
</resolver:DataConnector>

Page 7: Fam12 locationassertion

Solving Walk-in?

• Allows Walk-in with BYOD;
• Easy to provision guest accounts that don’t work outside the institutional boundary;
• Able to configure walk-in at a granular level for SPs that don’t allow.

BUT…

Page 8: Fam12 locationassertion

Service Provider Implementation

Publishers have to actually consume and react to the attributes being passed.
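
As an added example (not code from the presentation or from the ua-attribute-idp-ext project), the Python below evaluates the Page 6 mappings against a user agent address and then makes the SP-side decision on the asserted entitlement that this slide calls for. The namespace URI, the function names and the rule that every matching mapping contributes its value are assumptions made for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the three mappings from Page 6, with a stand-in
# namespace URI (assumption; the real one comes from the extension's schema).
UADC_NS = "urn:example:uadc"
CONNECTOR_XML = f"""
<DataConnector xmlns:uadc="{UADC_NS}" id="userAgentAttributes">
  <uadc:Mapping cidrBlock="217.155.0.0/16" attributeId="userAgent"
                attributeValue="http://iay.org.uk/networks/zenInternet"/>
  <uadc:Mapping cidrBlock="82.68.0.0/14" attributeId="userAgent"
                attributeValue="http://iay.org.uk/networks/zenInternet"/>
  <uadc:Mapping cidrBlock="192.168.117.19/32" attributeId="eduPersonEntitlement"
                attributeValue="http://iay.org.uk/entitlements/kestrel"/>
</DataConnector>
"""

def load_mappings(xml_text):
    """Parse Mapping elements into (network, attribute id, value) tuples."""
    root = ET.fromstring(xml_text)
    # ip_network() is strict: a cidrBlock with host bits set (a keying error) raises.
    return [(ipaddress.ip_network(m.get("cidrBlock")),
             m.get("attributeId"), m.get("attributeValue"))
            for m in root.iter(f"{{{UADC_NS}}}Mapping")]

def resolve(mappings, client_ip):
    """Attributes asserted for this user agent address.
    Assumption: every matching mapping contributes its value."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return {}  # unparseable address: assert nothing
    attrs = {}
    for net, attr_id, value in mappings:
        if addr.version == net.version and addr in net:
            attrs.setdefault(attr_id, set()).add(value)
    return attrs

def sp_allows(attrs, required_entitlement):
    """SP-side decision: grant on the asserted entitlement, not on source IP."""
    return required_entitlement in attrs.get("eduPersonEntitlement", set())

MAPPINGS = load_mappings(CONNECTOR_XML)
KESTREL = "http://iay.org.uk/entitlements/kestrel"

if __name__ == "__main__":
    for ip in ("192.168.117.19", "82.70.1.2", "203.0.113.5", "not-an-ip"):
        attrs = resolve(MAPPINGS, ip)
        print(ip, attrs, sp_allows(attrs, KESTREL))
```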

Page 9: Fam12 locationassertion

More information

Blog post:

• http://access.jiscinvolve.org/wp/wayrn2/

The code:

• https://github.com/ukf/ua-attribute-idp-ext