
201.4 Access Control Model 2 eduPersonEntitlement

Learning Objectives

  • Understand the ACM2 model and how it implements attribute based access control
  • Implement the Grouper security model
  • Configure PSPNG to provision eduPersonEntitlement values
  • Configure Shibboleth to release eduPersonEntitlement values

Lab Components

Overview

The Grouper Deployment Guide's access control model 2 (ACM2) is attribute based access control (ABAC) as defined in NIST SP 800-162. ACM2 applies across a broad range of services where access control policy can be expressed in terms of subject attributes, policy decisions can be precomputed in Grouper, and a simple subject attribute (here, an eduPersonEntitlement value) is sufficient to drive the policy enforcement point.

In cases where the SAML Service Provider will accept an eduPersonEntitlement value for enforcing access control, implementing ACM2 can be distilled to these basic steps:

  1. Convert the natural language policy into reference and policy groups
  2. Provision policy group membership to OpenLDAP via PSPNG
  3. Release SP-specific eduPersonEntitlement values via Shibboleth

Exercise 201.4.1 Create policy for wiki application

  1. Navigate to the app folder.
  2. Create a new wiki application using the Application Template (More actions -> New template)
../figures/201-wiki-app.png
  3. Navigate to app:wiki:service:policy and use the new policy template to create wiki_user

Exercise 201.4.2 Add reference groups to policy

wiki_user is an application-specific role. Subjects in this role have general access to the wiki. The policy template created wiki_user as a composite group, wiki_allow minus wiki_deny, so a subject in the deny group is excluded even when it is also in the allow group. The natural language policy is, "All students have access to the student wiki, unless they are in the global deny group".

  1. Add ref:student:students to app:wiki:service:policy:wiki_allow.
  2. Add ref:iam:global_deny to app:wiki:service:policy:wiki_deny.
  3. Review the policy definition (wiki_user -> More -> Visualization)
../figures/201-wiki-policy.png
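The same policy structure can be built from GSH instead of the UI, which makes the composite explicit and lets you check the effective decision for a subject before anything is provisioned. The script below is an added example, not code from the lab or from the Grouper project; it assumes Grouper 2.4+ GSH (Groovy), that the reference groups ref:student:students and ref:iam:global_deny already exist, and that aclark706 resolves as a subject in the demo environment.

```groovy
// Added example (not the lab's own code): build the ACM2 policy for the wiki
// application from GSH, then check who resolves to the wiki_user role.
// Assumes Grouper 2.4+ GSH (Groovy) and that the reference groups
// ref:student:students and ref:iam:global_deny already exist.
import edu.internet2.middleware.grouper.GroupFinder
import edu.internet2.middleware.grouper.GroupSave
import edu.internet2.middleware.grouper.GrouperSession
import edu.internet2.middleware.grouper.SubjectFinder
import edu.internet2.middleware.grouper.misc.CompositeType

gs = GrouperSession.startRootSession()

String policyStem = "app:wiki:service:policy"

// Policy groups: wiki_allow and wiki_deny hold reference groups, and the
// role itself is a composite (allow minus deny) so a deny always wins.
allow = new GroupSave(gs).assignName(policyStem + ":wiki_allow")
          .assignCreateParentStemsIfNotExist(true).save()
deny  = new GroupSave(gs).assignName(policyStem + ":wiki_deny")
          .assignCreateParentStemsIfNotExist(true).save()
user  = new GroupSave(gs).assignName(policyStem + ":wiki_user")
          .assignCreateParentStemsIfNotExist(true).save()
user.addCompositeMember(CompositeType.COMPLEMENT, allow, deny)

// Reference groups supply the subjects; policy groups never get people
// added directly, which keeps the policy readable and auditable.
allow.addMember(GroupFinder.findByName(gs, "ref:student:students", true).toSubject(), false)
deny.addMember(GroupFinder.findByName(gs, "ref:iam:global_deny", true).toSubject(), false)

// Check the effective decision for the lab subject used later in the exercise.
// hasMember() evaluates the composite, so a subject in both the student
// reference group and ref:iam:global_deny reports false here.
subj = SubjectFinder.findByIdOrIdentifier("aclark706", true)
println "aclark706 in wiki_user: " + user.hasMember(subj)
```

Run it in GSH as a root session only when you are building the policy outside the UI; in the lab, the policy template already created the three groups and the composite, so the GroupSave calls are no-ops and only the membership additions and the final check do work.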

Exercise 201.4.3 Configure PSPNG to provision wiki_user to eduPersonEntitlement

  1. Assign the PSPNG attribute provision_to to wiki_user with a value of pspng_entitlements.
../figures/201-wiki-user-pspng.png
  2. Configure PSPNG to convert membership in wiki_user to the ePE value http://sp.example.org/wiki and review the result in LDAP. The relevant configuration is below:

    .. literalinclude:: examples/201-4-4.pspng-epe.grouper-loader.properties
         :language: properties
         :caption: grouper-loader.properties
         :linenos:
    
  3. Run CHANGE_LOG_consumer_pspng_entitlements (Miscellaneous -> All daemon jobs -> Job actions -> Run job now)

../figures/201-pspng-entitlements-run-job.png

Exercise 201.4.4 Configure Shibboleth to release the ePE value for our SP

The demo Shibboleth IdP has been configured to release the eduPersonEntitlement attribute to the demo SP. The relevant configuration is below:

.. literalinclude:: examples/201-4-5.attribute-filter.xml
    :language: xml
    :caption: attribute-filter.xml
    :lines: 16-42
    :emphasize-lines: 17
    :linenos:

  1. Open a new browser to https://localhost:8443/app
  2. Log in with username aclark706 and password password
  3. Check the eduPersonEntitlement value
../figures/201-ePE-value.png
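The security-relevant detail in the attribute filter is that release is scoped to one SP and one value. An eduPersonEntitlement attribute in LDAP holds every entitlement the subject has across all applications, so a filter that releases the whole attribute to every requester tells each SP which other services the user may reach. The policy group below is an added example, not the attribute-filter.xml included with the lab; the SP entityID https://sp.example.org/shibboleth is an assumption, and the filter syntax is that of Shibboleth IdP v3/v4.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the lab's attribute-filter.xml. The SP entityID
     https://sp.example.org/shibboleth is assumed. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Too broad: every entitlement the subject holds, for every
         application, goes to every SP. Kept here only as the contrast. -->
    <!--
    <AttributeFilterPolicy id="releaseAllEntitlementsToEveryone">
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>
    -->

    <!-- Scoped: only the wiki SP sees eduPersonEntitlement, and only the
         one value that encodes the wiki_user policy decision. -->
    <AttributeFilterPolicy id="releaseWikiEntitlement">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth" />
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="Value" value="http://sp.example.org/wiki" />
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

With the scoped policy, the SP still has to compare the released value against the literal http://sp.example.org/wiki at its enforcement point; Grouper has precomputed the decision, the IdP has limited what leaves, and the SP only needs a string match.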

Exercise 201.4.5 Thought exercise! Create accounts at target SP?

Can we use policy groups to create/manage accounts at target SP?

  • Native Grouper SP-specific provisioning components
  • RabbitMQ based provisioning
  • midPoint