
ICCE2009 Poster

Date post: 03-Jul-2015
Authentication and Authorization exchange for University Federation.
Transcript
Page 1: ICCE2009 Poster

Authentication and Authorization exchange for University Federation

M Nakagawa, Y Yano, H Mitsuhara, Y Miyoshi, K Matsuura, K Kanenishi
Kochi University †, The University of Tokushima ††

1. Background

Informatization of higher education
Introduction of many web systems (Merit / Demerit)
• Complex management
• System cooperation
• Increase convenience
• e-Learning utilization

2. Problem

User / Organization
• Many passwords
• Each authentication
• Scattered identity
• Synchronization

How to solve?

3. Shibboleth

Components: Identity Provider, Service Provider, Discovery Service

Identity Provider
‣ Manage identity
‣ Authentication
‣ Release attribute

Service Provider
‣ Protect resource
‣ Query attribute
‣ Control access

Discovery Service
‣ Find organization
‣ Multiple IdPs
‣ SAML feature

Features
• Open source
• Developed by Internet2
• MACE Project
• SAML implementation
• Distributed infrastructure
• Building federation

Federations
Name            Country
InCommon        United States
SWITCHaai       Switzerland
DFN-AAI         Germany
UK Federation   United Kingdom
Other federations...

4. Extension

[Figure: Shibboleth request/response flow between the SP side (Web server: Session Initiator, Assertion Consumer Service, internal DS) and the IdP side (Tomcat: SSO, Authn Handler, Credential, Attribute Authority); messages: Redirect, AuthnRequest, Assertion, Attribute; steps 1 to 11]

Extensions: Authorization exchange, Anonymous user

Anonymous user
• Decrease traceability
• For questionnaire
• One time account
• Each identity
• Activity restriction

[Figure: Anonymous user prototype image, SP side and IdP side: Anonymous IdP, Account Manager, Web Interface, Lock, AuthnRequest, Assertion (UUID or NO), System A / System B, Unidentify, Different identities, Access restriction; steps 1 to 4]
‣ UUID is user identifier
‣ Lock inactivates account

Authorization exchange (Mapping server)

Process / Abbrev
• Rewrite attribute
• Between SP and web system
• System architecture
• Mapping server
• Library called by web system
‣ Pattern matching
‣ Regular expression
‣ String
‣ XML base

[Figure: Mapping server architecture: Service Provider, System, Mapping server, Attribute, Attribute', Library, Mapped result; steps 1 to 4]

Why?
• Reduce operations
• Rule maintenance
• SP side < IdP side
• Authentication processing
• User normalization

5. Future work

Practical use
• ek4 federation
‣ New federation in Japan
‣ 8 universities
‣ e-Learning, HRD, etc...
• Share educational materials

Formulation
• Federation policy
• Extensionʼs specification

Development
• Anonymous user
• Reference implementation
