IdP V3: Upgrade now
Time is running out, upgrade to Shibboleth IdP V3 now!
With the End-of-Life (EOL) of Shibboleth V2 fast approaching (July 31, 2016), the AAF has been working with subscribers to prepare them for the upgrade to V3. In late 2015, the AAF released the IdP Installer, which helps Identity Providers (IdPs) set up, configure and upgrade their IdP to Shibboleth V3. The new installer streamlines general maintenance and upgrade work while providing IdPs with:
- Enhanced Client or Proxy (ECP)
- simplified branding options
- a streamlined upgrade path
- best practice
- upgrades to the latest version using existing IdP information.
- Schedule the upgrade of your production IdP to V3 early to avoid running an unsupported version
- Ensure your upgrade is completed before July 31, 2016
- Use the AAF IdP Installer to simplify the upgrade work for you and your team.
For more information about the IdP Installer and how to get started with your upgrade, view our self-help resources online:
Contact AAF Support if you would like to discuss your Shibboleth IdP V3 upgrade by emailing email@example.com
In 2016 the AAF published three metadata documents:
- https://md.aaf.edu.au/aaf-metadata.xml – Containing all AAF subscribers
- https://md.aaf.edu.au/aaf-edugain-metadata.xml – Containing the IdPs and SPs from the global eduGAIN metadata source that have been approved for consumption by AAF subscribers
- https://md.aaf.edu.au/aaf-edugain-export-metadata.xml – Containing the AAF-subscribed IdPs and SPs that have been approved for publishing to the global eduGAIN metadata source
All of these metadata documents are signed by the AAF.
Subscribers must use the public key available at https://md.aaf.edu.au/aaf-metadata-certificate.pem to verify metadata documents whenever they are retrieved.
To confirm that you have obtained the correct key, ensure that the file you downloaded matches the following subject, validity dates and fingerprint:
$> openssl x509 -subject -dates -fingerprint -in aaf-metadata-certificate.pem
subject= /O=Australian Access Federation/CN=AAF Metadata
notBefore=Nov 24 04:27:20 2015 GMT
notAfter=Dec 9 04:27:20 2035 GMT
SHA1 Fingerprint=E2:FC:CC:CB:0E:0F:3B:32:FA:55:87:29:08:DE:E0:34:DA:A2:15:5A
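The fingerprint check above is the step that turns a downloaded file into a trust anchor, so it is worth doing in code rather than by eye. The following is an added example (not an AAF tool): it computes the same SHA1-of-DER value that `openssl x509 -fingerprint` prints and compares it, in constant time, against the fingerprint published on this page. Only the published fingerprint is taken from the page; the PEM fed in at test time is a constructed stand-in, not the real certificate.

```python
"""Pin the AAF metadata signing certificate by fingerprint before trusting it."""
import base64
import hashlib
import hmac
import re

# SHA1 fingerprint of aaf-metadata-certificate.pem as published on this page.
AAF_METADATA_CERT_SHA1 = "E2:FC:CC:CB:0E:0F:3B:32:FA:55:87:29:08:DE:E0:34:DA:A2:15:5A"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    # openssl fingerprints the DER encoding, i.e. the base64 payload decoded.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Digest of the DER certificate in openssl's AA:BB:CC notation."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Accept 'SHA1 Fingerprint=aa:bb', 'AA:BB' or bare hex; compare on bare hex."""
    fp = fp.split("=", 1)[-1]
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def certificate_matches_pin(pem_text: str, expected_fp: str, algo: str = "sha1") -> bool:
    """True only if the PEM's digest equals the published fingerprint.

    Constant-time comparison; on a mismatch the downloaded key must not be
    configured as the metadata trust anchor.
    """
    actual = normalise(fingerprint(pem_to_der(pem_text), algo))
    return hmac.compare_digest(actual, normalise(expected_fp))
```

Run `certificate_matches_pin(open("aaf-metadata-certificate.pem").read(), AAF_METADATA_CERT_SHA1)` against the real download; only a `True` result should lead to the file being referenced from your metadata provider configuration.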
Style and Usability Recommendations
Navigating to a particular Service through a federated environment can be quite a complex and confusing process to an end-user or researcher; however, there are ways for Service Providers to improve the user experience of their Service for a more unified integration. The Research and Education Federations (REFEDs), a membership group of identity federations from around the world, undertook a project to support service providers implementing access management. Named the Discovery Project, it aimed to achieve the most effective way to present federated identity to users, with best practices and examples of how to provide the best experience.
The REFEDs Discovery Project has produced a Best Practice Guide for Service Providers implementing access management, available for use from the REFEDs website: http://discovery.refeds.org/guide/. This Guide is also available as an interactive demonstration via this link: http://discovery.refeds.org/demo/. This Guide explains how to implement federated login in a way which protects your brand, improves user satisfaction, and increases successful logins. The four best practices are displayed below, and available in more detail from the Best Practice Guide.
- Create a single top right ‘login’ link
- Decide how to manage local login
- Install identity discovery software
- Tailor the options for your users
Not only did the Discovery Project produce a list of best practices, they also produced several examples of practices to avoid:
- Unusual login link locations
- Technology terminology
- Unordered listings
- Large drop down lists
- Missing co-branding
These bad practices are outlined in more detail on the REFEDS site.
Service Providers are encouraged to use the recommendations produced by the REFEDs Discovery Project to improve access management for a more consistent and unified approach.
AAF Assurance Framework
The Assurance Framework used within the AAF is the NIST Electronic Authentication Guideline – NIST SP 800-63-2. The NIST guideline forms the basis of many assurance frameworks used internationally and was selected with a view to being interoperable with other federations.
Within the AAF, assurance is separated into two concepts. Two values are asserted in the eduPersonAssurance attribute, one for each of these concepts.
Identity Assurance: The strength of the processes used to identify the user at the time of user registration. This is indicated by a value asserted in the eduPersonAssurance attribute of the format urn:mace:aaf.edu.au:iap:id:[level], where level is a value from 1 to 2.
Token and Credential Management Assurance: The strength of the token used and the strength of the processes used to manage tokens and credentials. This is indicated by a value asserted in the eduPersonAssurance attribute of the format urn:mace:aaf.edu.au:iap:authn:[level], where level is a value from 0 to 2.
Together, these two values make up the Level of Assurance (LoA) associated with a user’s authentication.
Note that additional information about the particular authentication instance may be obtained from the value of AuthnContext asserted as part of the SAML transaction.
This AAF Assurance Framework is for Level of Assurance (LoA) 1 and LoA 2. Over time the AAF may amend this Framework to include other assurance levels.
For more information about the AAF Assurance Framework and moving to LoA1 or LoA2 please visit the knowledge base.
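Because the two concepts arrive as separate values in one multi-valued attribute, a Service Provider has to parse both before it can reason about a user's LoA. The following is an added example, not AAF code: it extracts the identity and authn levels using the URN formats given above, ignores values outside the documented ranges, and applies an assumed SP policy (minimum levels chosen for illustration) that fails closed when either value is missing.

```python
"""Derive the AAF Level of Assurance (LoA) from eduPersonAssurance values."""
import re
from typing import Iterable, NamedTuple, Optional

PREFIX = "urn:mace:aaf.edu.au:iap:"
_ID = re.compile(re.escape(PREFIX) + r"id:([12])$")       # identity: 1..2
_AUTHN = re.compile(re.escape(PREFIX) + r"authn:([012])$")  # token/credential: 0..2


class AssuranceLevels(NamedTuple):
    identity: Optional[int]  # None if the IdP asserted no identity level
    authn: Optional[int]     # None if the IdP asserted no authn level


def parse_assurance(values: Iterable[str]) -> AssuranceLevels:
    """Pick the id and authn levels out of the multi-valued attribute.

    Values outside the documented ranges are ignored rather than trusted.
    If a concept is asserted more than once the lowest level wins, so a
    stray higher value cannot raise the outcome.
    """
    identity = authn = None
    for raw in values:
        value = raw.strip()
        m = _ID.match(value)
        if m:
            lvl = int(m.group(1))
            identity = lvl if identity is None else min(identity, lvl)
            continue
        m = _AUTHN.match(value)
        if m:
            lvl = int(m.group(1))
            authn = lvl if authn is None else min(authn, lvl)
    return AssuranceLevels(identity, authn)


def meets_loa(values: Iterable[str], min_identity: int, min_authn: int) -> bool:
    """Assumed SP policy: both concepts must be asserted and each must be at
    or above its minimum; a missing value fails closed."""
    levels = parse_assurance(values)
    if levels.identity is None or levels.authn is None:
        return False
    return levels.identity >= min_identity and levels.authn >= min_authn
```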
Recommendations on the use of personal information
Within the framework of the Australian Access Federation, identity providers pass information about individual end users to service providers in the form of attribute assertions. The service provider uses the attributes for authorisation and for providing a better service to the end user.
The policies and technologies behind the AAF are intended to protect user privacy while making it easier for users to access resources. However, because AAF Subscribers are handling information about individuals, there is also a potential risk to individual privacy if the information is not handled correctly. These recommendations are intended to help AAF Subscribers have a better understanding of handling personal information within the context of the federation.
Authoritative Sources of Information
Information privacy in Australia is regulated by the Privacy Act 1988. The Act includes a set of Information Privacy Principles that apply to government agencies, and a set of National Privacy Principles that apply to other types of organisations. (Law reform currently in progress may integrate these two sets of principles into one set of Australian Privacy Principles.) All AAF Subscribers are strongly encouraged to become familiar with the Guidelines to the Australian Privacy Principles. These are available on the website for the Office of the Australian Information Commissioner.
Many States also have their own privacy legislation.
For more information, see the Recommendations on the Use of Personal Information.
AAF Core Attributes
The following is the list of core attributes used within the AAF. AAF Identity Providers need to collect or generate the core attributes regarding their end users. When an end user tries to access a service via the federation, the Service Provider may request some or all of these attributes about the end user from the Identity Provider. With end user permission, the Identity Provider may release the attributes to the Service Provider.
The attributes are used by the Service Provider to make authorisation decisions and to manage the user’s experience with the service. Service Providers should consider which attributes they need in order to provide the service effectively and only request those attributes that are needed. The list of core attributes may evolve over time in response to the needs of AAF Subscribers.
| Attribute | Example value | Description |
|---|---|---|
| auEduPersonSharedToken | ZsiAvfxa0BXULgcz7QXknbGtfxk | A unique identifier enabling federation-spanning services such as Grid and Repositories. |
| displayName | Jack Liam Dougherty | Preferred name of a person to be used when displaying entries. |
| eduPersonAffiliation | faculty | Specifies the person’s relationship(s) to the institution in broad categories such as student, faculty, staff, alum, etc. |
| eduPersonEntitlement | urn:mace:washington.edu:confocalMicroscope http://www.sirca.org.au/contract/GL123 | URI (either URN or URL) that indicates a set of rights to specific resources. |
| eduPersonScopedAffiliation | firstname.lastname@example.org | Specifies the person’s affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc. |
| eduPersonTargetedID | https://idp.arcs.org.au/idp/shibboleth!https://manager.aaf.edu.au/shibboleth!cmWc3mKualJlxjAwfFdu2mVgRxw= | A persistent, non-reassigned, privacy-preserving identifier for a user shared between an identity provider and service provider. An identity provider uses the appropriate value of this attribute when communicating with a particular service provider or group of service providers, and does not reveal that value to any other service provider except in limited circumstances. |
| AuthenticationMethod | urn:mace:aaf.edu.au:iap:authn:1 | Set of URIs that assert compliance with specific standards for authentication method. |
| eduPersonAssurance | urn:mace:aaf.edu.au:iap:id:1 | Set of URIs that assert compliance with specific standards for identity assurance. |
| cn | Jack Dougherty | User’s first name then surname. |
| o (or organizationName) | The University of Queensland | Standard name of the top-level organization (institution) with which this person is associated. |
| mail | email@example.com | Email address, single value. User’s preferred outward-facing email address with regard to the organisation. |
[List of Core Attributes as documented in Appendix 1 of the Federation Rules for Participants]
We also recommend that you implement the following attributes, which are not currently in the Core list. They can assist in interacting with some federation services.
| Attribute | Example value | Description |
|---|---|---|
| schacHomeOrganization | uq.edu.au | Specifies a person’s home organization using the domain name of the organization. |
| schacHomeOrganizationType | University | Specifies the type of a person’s home organization. |
| givenName | Sally | A person’s first name or preferred name. |
| sn (surname) | Jones | A person’s surname. |
Detailed information about these attributes can be found in the auEduPerson Definition and Attribute Vocabulary.
Many other attributes are listed in this document in addition to the AAF core attributes. Together they form a standard attribute vocabulary for the sector, and federation subscribers may find it useful to explore additional user attributes; however, AAF Identity Providers are only required to support the attributes in the core list.
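The formats in the core attribute table above carry structure an SP should check rather than assume: eduPersonTargetedID is idp!sp!opaque-value and is only meaningful when its SP part names the receiving SP, and eduPersonScopedAffiliation is affiliation@scope, where the scope must be one the asserting IdP is registered for. The following is an added example (not AAF or Shibboleth code) of those checks; the entity IDs and scopes passed in are constructed sample data, with the targeted ID and scope values reusing the examples from the table.

```python
"""SP-side sanity checks on released AAF core attributes (added example)."""
from typing import Dict, Iterable, List, Tuple

# eduPerson controlled vocabulary for eduPerson(Scoped)Affiliation values.
ALLOWED_AFFILIATIONS = {"faculty", "student", "staff", "employee",
                        "member", "affiliate", "alum", "library-walk-in"}


def parse_targeted_id(value: str) -> Tuple[str, str, str]:
    """Split idp!sp!opaque into its three parts; reject anything else."""
    parts = value.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed eduPersonTargetedID: {value!r}")
    return parts[0], parts[1], parts[2]


def targeted_id_is_for_us(value: str, expected_idp: str, our_entity_id: str) -> bool:
    """The pairwise identifier must name the asserting IdP and *this* SP;
    a value minted for another SP must not be used as a user key here."""
    idp, sp, _opaque = parse_targeted_id(value)
    return idp == expected_idp and sp == our_entity_id


def scoped_affiliation_ok(value: str, idp_scopes: Iterable[str]) -> bool:
    """affiliation@scope: a vocabulary term plus a scope the IdP is registered
    for in metadata (scope filtering), so one IdP cannot claim another's users."""
    affiliation, sep, scope = value.partition("@")
    return bool(sep) and affiliation in ALLOWED_AFFILIATIONS and scope in set(idp_scopes)


def check_attributes(attrs: Dict[str, List[str]], expected_idp: str,
                     our_entity_id: str, idp_scopes: Iterable[str]) -> List[str]:
    """Return a list of problems found; an empty list means the values passed."""
    problems: List[str] = []
    scopes = set(idp_scopes)
    for v in attrs.get("eduPersonTargetedID", []):
        try:
            if not targeted_id_is_for_us(v, expected_idp, our_entity_id):
                problems.append(f"eduPersonTargetedID not issued for this SP: {v}")
        except ValueError as exc:
            problems.append(str(exc))
    for v in attrs.get("eduPersonScopedAffiliation", []):
        if not scoped_affiliation_ok(v, scopes):
            problems.append(f"eduPersonScopedAffiliation outside IdP scope or vocabulary: {v}")
    return problems
```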
The LDAP schema definitions (LDIFs) needed to extend your directory can be found at the following links:
- auEduPerson schema OpenLDAP
- Active Directory
- eduPerson schema
- schac schema (note: the SCHAC schema contains only non-core, optional AAF attributes)
Further information about the responsibilities of AAF subscribers in managing user attributes can be found in the Federation Rules.
Registrations in the urn:mace:aaf.edu.au namespace
MACE has delegated responsibility for the urn:mace:aaf.edu.au namespace to the Australian Access Federation.
The Internet2/MACE Uniform Resource Name (URN) registry, RFC 3613, defines the “urn:mace” namespace and describes the procedures and policies governing its use.
Namespaces administered by the Australian Access Federation:
| Namespace | Registrant | Contact | Date registered | Description |
|---|---|---|---|---|
| urn:mace:aaf.edu.au:iap:id:1 | AAF | Terry Smith | 2012-01-01 | Level 1 of Identity Assurance |
| urn:mace:aaf.edu.au:iap:id:2 | AAF | Terry Smith | 2012-01-01 | Level 2 of Identity Assurance |
| urn:mace:aaf.edu.au:iap:authn:1 | AAF | Terry Smith | 2012-01-01 | Level 1 of Authentication Assurance |
| urn:mace:aaf.edu.au:iap:authn:2 | AAF | Terry Smith | 2012-01-01 | Level 2 of Authentication Assurance |
| urn:mace:aaf.edu.au:shibboleth:attribute-def:exlibrisid | AAF | Terry Smith | 2015-10-14 | Attribute name for the primary identifier used in Patron Directory Services for ExLibris products |