4. Without AAI
[Diagram: services at the University of Zurich (Web Mail, Course Reg., E-Learning) and at the University of Berne (Research DB, Library, Student Admin.); authentication and authorization without AAI]
5. With standards-based AAI
[Diagram: the same services at the University of Zurich (Web Mail, Course Reg., E-Learning) and at the University of Berne (Research DB, Library, Student Admin.); authentication and authorization via a standards-based AAI]
6. Benefits
• Virtualized ID: Service providers can save registration and administration efforts
• Standardized interfaces: Service providers can easily integrate users of other organizations
• Standardized authentication: Users can access various services at different organizations with a single password
11. Accessing a Service
[Sequence diagram with the participants Browser, SP, WAYF and IdP; the messages, in order:]
1. Browser -> SP: Request (accessing a protected page)
2. SP -> Browser: Redirect to WAYF
3. WAYF -> Browser: Show IdP selection
4. Browser -> WAYF: Select IdP
5. WAYF -> Browser: Redirect to IdP
6. IdP -> Browser: Login screen
7. Browser -> IdP: Username, password
8. IdP: Authentication
9. IdP -> SP: Handle
10. SP -> IdP: Attribute request
11. IdP -> SP: Provide attributes
12. SP: Attributes evaluated, access Granted / ... Denied
12. The Shibboleth Project
• Internet2: US networking consortium, led by the research and education community
• Middleware Architecture Committee for Education
  • PKI
  • URN namespace
  • course data infrastructure
  • ...
• Open Source (Apache License 2.0)
• Standards based: SAML, SSL, LDAP, ...
13. Available Software
• Shibboleth Project:
  • Apache modules for SP and IdP
  • Java SP implementation (stalled)
  • New Java SP implementation in progress: servlet filter within the servlet 2.4 specification
• OLAT:
  • Custom SP impl. based on the old Shibboleth Java SP
• Lenya:
  • Uses (slightly modified) OLAT code
19. User Attributes in Lenya
• Expressions for evaluation, e.g.
  • givenName == "John" && surname == "Doe"
  • eduPersonScopedAffiliation == "student"
• Can be obtained from various identity providers, e.g.
  • Shibboleth IdP (TransientUser)
  • LDAP server (LDAPUser)
20. Attribute Evaluation in Lenya
• Interface User provides access to attributes:
  User.getAttributeNames() : String[]
  User.getAttributeValues(String name) : String[]
• Interface Group allows a rule to be set and read:
  Group.setRule(String)
  Group.getRule() : String
• Method AbstractGroup.contains(Groupable) evaluates the rule using a RuleEvaluator implementation
21. AbstractGroup.contains()
```java
public boolean contains(Groupable member) {
    // Explicit membership always counts.
    boolean contains = members.contains(member);
    // Otherwise, a User may still belong to the group through the attribute rule.
    if (!contains && member instanceof User && getRule() != null) {
        User user = (User) member;
        AttributeRuleEvaluator evaluator = getAttributeRuleEvaluator();
        // The evaluator decides whether the user's attributes satisfy the rule.
        contains = evaluator.isComplied(user, getRule());
    }
    return contains;
}
```
24. JEXL
• About JEXL
  • Java Expression Language
  • Apache Jakarta Commons project
  • Inspired by Velocity and the JSTL expression language
• Advantages
  • Very easy to integrate (only a couple of lines)
  • No custom grammar necessary
• Disadvantages
  • No specific rule syntax check
  • It's difficult to identify dangerous code in a rule, since no syntax check restricts what a rule may contain
25. ANTLR
• About ANTLR
  • ANother Tool for Language Recognition
  • Framework for recognizers, interpreters, parsers, ... based on LL(k) grammars
  • 3-clause BSD license
• Advantages
  • Custom grammar for strict syntax check
  • No dangerous code accepted
• Disadvantages
  • Maintenance and enhancements require specific knowledge
  • Default error messages are hard to understand
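The ANTLR-style approach (a custom grammar so that nothing but the intended rule syntax is accepted) in miniature, as an added example that is not Lenya's or Shibboleth's code: a hand-written evaluator for attribute rules of the kind shown on slide 19, standing in for AttributeRuleEvaluator.isComplied(). The grammar, the attribute dictionary that takes the place of User.getAttributeValues(), and the function names are assumptions made for this example.

```python
import re
# Added example, not Lenya's code: a strict evaluator for rules such as
#   givenName == "John" && surname == "Doe"   (grammar is an assumption modelled on the slide)
#   expr := term ('||' term)*   term := atom ('&&' atom)*   atom := NAME '==' STRING | '(' expr ')'
# Anything else (method calls, arithmetic, unquoted values) is a syntax error, so a rule can
# never reach the Java runtime the way an unrestricted expression language would allow.
TOKEN = re.compile(r'\s*(?:(\(|\)|&&|\|\||==)|([A-Za-z][A-Za-z0-9]*)|"([^"]*)")')

class RuleSyntaxError(ValueError): pass

def tokenize(rule):
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if m is None:
            raise RuleSyntaxError("unexpected input at offset %d: %r" % (pos, rule[pos:]))
        pos = m.end()
        tokens.append(("op", m.group(1)) if m.group(1) else
                      ("name", m.group(2)) if m.group(2) else ("str", m.group(3)))
    return tokens

def parse(rule):
    """Compile a rule into a predicate over {attribute name: [values]}, the shape of
    User.getAttributeValues(); a multi-valued attribute matches if any value is equal."""
    tokens, i = tokenize(rule), 0  # i is the token cursor shared by the nested helpers
    def peek(): return tokens[i] if i < len(tokens) else (None, None)
    def take(kind, value=None):
        nonlocal i
        tok = peek()
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise RuleSyntaxError("expected %s at token %d, got %r" % (value or kind, i, tok))
        i += 1
        return tok[1]
    def expr():
        fs = [term()]
        while peek() == ("op", "||"): take("op", "||"); fs.append(term())
        return lambda attrs: any(f(attrs) for f in fs)
    def term():
        fs = [atom()]
        while peek() == ("op", "&&"): take("op", "&&"); fs.append(atom())
        return lambda attrs: all(f(attrs) for f in fs)
    def atom():
        if peek() == ("op", "("):
            take("op", "("); inner = expr(); take("op", ")"); return inner
        name, _, lit = take("name"), take("op", "=="), take("str")
        return lambda attrs: lit in attrs.get(name, [])
    predicate = expr()
    if i != len(tokens): raise RuleSyntaxError("trailing input after token %d" % i)
    return predicate

def is_complied(attrs, rule):  # counterpart of AttributeRuleEvaluator.isComplied(user, rule)
    return parse(rule)(attrs)
```

A rule that is not pure attribute comparison (an unquoted value, a method call, a dangling operator) fails at parse time with RuleSyntaxError rather than being evaluated, which is the property the custom-grammar approach buys over an open expression language.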