Shib-Grid Integrated Authorisation
The Final Report is available here.
Overview
Integration of grids and Shibboleth is being hampered because a user's attributes are typically held in different locations, under different identifiers. There is no coherent way of collecting them together and validating that they all belong to the same user, so they cannot be used to authorise the user's request.
Aims and objectives
- Work with the international community to develop standard protocol specifications to allow a Shibboleth service provider (SP) to collect together a user’s attributes from multiple identity providers (IDPs), so that the aggregated attributes can be used to authorise the user’s access to the SP.
- Build open source code that implements the protocols defined above and that can validate the aggregated attributes as belonging to the user.
- Build a pilot demonstrator for the National Grid Service.
- Release all the developed software as open source code.
Project methodology
The first task is to survey the international community to capture their requirements. Based on these, a conceptual design will be created and circulated for comment. Once the conceptual design has been broadly accepted, a set of (one or more) protocols will be drafted and then passed to the community for comment. Once there is reasonable consensus on the set of protocols, we plan to become affiliated to a standards group (probably Liberty Alliance) so that the protocols can be ratified by the standards group.
We will then implement the specifications in Java. Once the Java code has been built, we will test it in a pilot demonstrator with an e-Science project. After successful piloting, we will integrate the code into the National Grid Service and release the software as open source code.
Anticipated outputs and outcomes
- D1.1 A User Requirements Questionnaire
- D1.2 Analysis of User Requirements
- D1.3 A conceptual model for attribute aggregation
- D1.4 Draft profiles for attribute aggregation
- D1.5 Final profiles for attribute aggregation
- D2.1 Modified IDP software that is capable of storing and returning links to other IDPs
- D2.2 A new Linking Service that stores links for users
- D3.1 An attribute aggregating service that is capable of validating signed and encrypted SAML attribute assertions received from multiple IdPs
- D3.2 An attribute aggregating service that is capable of attribute aggregation by pulling signed and encrypted SAML attribute assertions from multiple IdPs
- D4.1 An enhanced Shibboleth/PERMIS that is capable of receiving assertions from multiple IDPs and making authorisation decisions based on them
- D5.1 An enhanced GT4 that is capable of receiving or pulling assertions from multiple IDPs and making authorisation decisions based on them
- D6.1 A working demonstration of attribute aggregation in a current Grid project that will retrieve attributes from at least 3 IdPs
- D7.1 The integrated software packaged with GT4, released as binaries and open source
- D7.2 User, developer and administrator documentation for the package, including information needed for its support in a Shibboleth-enabled environment
- D7.3 A paper for an international conference or journal publicising the work
- D7.4 Final report to JISC
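The following is an added illustrative model of the aggregation step described in the Overview and in deliverables D2.2, D3.2 and D4.1; it is not the project's code. It assumes a Linking Service table, a pull-style fetch from each linked IdP, and an HMAC as a stand-in for the SAML XML signature (all constructed here) to show why every pulled assertion must verify and must be about exactly the linked identifier before its attributes count towards the authorisation decision.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed stand-in for a signed SAML attribute assertion. The IdP's XML
# signature is replaced by an HMAC over the serialised content so this runs offline.
@dataclass
class Assertion:
    issuer: str        # IdP that issued the assertion
    subject: str       # identifier the user holds at that IdP
    attributes: dict   # attribute name -> tuple of values
    signature: str

IDP_KEYS = {"idp.home": b"k-home", "idp.grid": b"k-grid", "idp.lab": b"k-lab"}  # constructed

def _digest(issuer, subject, attributes):
    payload = json.dumps([issuer, subject, sorted(attributes.items())]).encode()
    return hmac.new(IDP_KEYS[issuer], payload, hashlib.sha256).hexdigest()

def issue(issuer, subject, attributes):
    return Assertion(issuer, subject, dict(attributes), _digest(issuer, subject, attributes))

def verify(a):
    return a.issuer in IDP_KEYS and hmac.compare_digest(
        a.signature, _digest(a.issuer, a.subject, a.attributes))

# Linking Service (D2.2, constructed table): identifiers the same user holds elsewhere.
LINKS = {("idp.home", "alice"): {"idp.grid": "g-4711", "idp.lab": "u-9"}}

def aggregate(home, fetch):
    """Merge the home assertion with assertions pulled from each linked IdP (D3.2).
    An assertion that does not verify, comes from the wrong issuer, or names a
    subject other than the linked identifier is dropped, not merged."""
    if not verify(home):
        raise ValueError("home assertion does not verify")
    merged = {(home.issuer, n): v for n, v in home.attributes.items()}
    for issuer, linked_id in LINKS.get((home.issuer, home.subject), {}).items():
        a = fetch(issuer, linked_id)
        if a is None or not verify(a) or a.issuer != issuer or a.subject != linked_id:
            continue
        merged.update({(issuer, n): v for n, v in a.attributes.items()})
    return merged

def authorise(merged, policy):
    """Decision (D4.1): every (issuer, attribute) -> value in policy must be present."""
    return all(v in merged.get(k, ()) for k, v in policy.items())
```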
Technology / Standards used
- SAML
- Liberty Alliance Specifications
Lead Institution
Project Partners
Project Staff
Project Manager
- David Chadwick, University of Kent, Computing Laboratory. Fax: +44 1227 762 811, Mobile: +44 77 96 44 7184, D.W.Chadwick@kent.ac.uk
Project Team