Federated authentication - roleplay - AARC
What happens in the federated authentication workflow? At the 2016 LIBER conference we held a workshop: Federate to Win! Part of this workshop was a roleplay game, which illustrates the workflow in a fun way. Dare to play it yourself?

The workflow

The workflow we played was from a schema from the SWITCH AAI demo. Study the image carefully, take your time. Do you understand what's going on?
The players

In the roleplay there are several 'characters' to be played:

● User
● Library Portal (a service provider)
● Identity Provider (at the user's home organisation)
● Where Are You From / Discovery Service
● Guide
● SAML Protocol
Attached you can find signs for the user groups. You can print them (or make them yourself), and distribute them among the players.

Start playing!

The roleplay is both fun and useful; here is how you can play the federated authentication workflow:
1. The Library Portal answers: "Hello, welcome! Where are you from?".
2. The User goes to Where Are You From / Discovery Service and chooses his/her home organisation, and comes back to the Library Portal.
3. Now the Library Portal asks the User: "Could you login at your home organisation now, please, so I know details about you so I can provide you the service you are asking for?"
4. The User goes to his/her Home Organisation / Identity Provider and the Identity Provider asks the User: "Hi there, could you enter your credentials here in my secure form, please?".
5. The User enters the credentials, the Identity Provider recognises the User and tells the User: "Thank you, I know you, I am securely passing all necessary details about you to the Library Portal".
6. The User goes back to the Library Portal. Meanwhile SAML Protocol passes his/her user attributes securely in an envelope from the Identity Provider to the Service Provider / Library Portal.
7. The Library Portal cheers the User: "Now I know all the details about you I need to provide you with the service you are asking for. Here you go!". The User is happy now with the service he needs from the Library Portal.
To illustrate Single Sign-On, try adding another Service Provider. When the User approaches another Service Provider, the Service Provider again sends the User to the Discovery Service. The User chooses his Home Organisation again, but now the Identity Provider doesn't ask for the User's credentials, as it can remember the User; it securely passes all necessary details about the User to the other Service Provider, and the User is allowed by the Service Provider to access the requested service.
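The seven steps and the Single Sign-On variant, simulated as an added example (not code from the AARC workshop or the SWITCH AAI demo): three small classes for the Service Provider, the Discovery Service and the Identity Provider exchange constructed messages, with an HMAC over the attribute bundle standing in for the signature on a SAML assertion. All names, keys, users and attributes are made up for illustration. The point the roleplay glosses over, and the one a practitioner wants to see, is that the Service Provider verifies the envelope (signature, audience, matching request, one-time use) before it trusts any attribute inside it.

```python
# Added example, not from the AARC/SWITCH page: a toy federated login.
# The "envelope" is an HMAC-signed JSON bundle standing in for a signed SAML
# assertion; every name, key, user and attribute below is constructed.
import hashlib
import hmac
import json
import secrets


class DiscoveryService:
    """Where Are You From: maps the chosen home organisation to its IdP."""

    def __init__(self, idps):
        self.idps = idps  # {organisation name: IdentityProvider}

    def choose(self, organisation):
        return self.idps[organisation]


class IdentityProvider:
    def __init__(self, name, users, sp_keys):
        self.name = name
        self.users = users      # {username: (password, attributes)}, constructed
        self.sp_keys = sp_keys  # shared secret per trusted SP (stand-in for signing keys)
        self.sessions = {}      # session cookie -> username: how the IdP "remembers" the User

    def login(self, request, credentials=None, cookie=None):
        """Steps 4 and 5, or the SSO shortcut when a session cookie is presented."""
        if cookie in self.sessions:
            user, asked_for_password = self.sessions[cookie], False
        else:
            if credentials is None:
                raise PermissionError("credentials required")
            user, password = credentials
            if user not in self.users or not hmac.compare_digest(self.users[user][0], password):
                raise PermissionError("bad credentials")
            cookie = secrets.token_hex(8)
            self.sessions[cookie] = user
            asked_for_password = True
        payload = {"issuer": self.name, "audience": request["sp"],
                   "in_response_to": request["id"], "attributes": self.users[user][1]}
        return self._seal(request["sp"], payload), cookie, asked_for_password

    def _seal(self, sp, payload):
        body = json.dumps(payload, sort_keys=True)
        mac = hmac.new(self.sp_keys[sp], body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}


class ServiceProvider:
    def __init__(self, name, idp_key):
        self.name = name
        self.idp_key = idp_key
        self.pending = set()  # request ids we issued and have not yet seen answered

    def start(self):
        """Steps 1 and 3: greet the User and issue an authentication request."""
        request = {"id": secrets.token_hex(8), "sp": self.name}
        self.pending.add(request["id"])
        return request

    def consume(self, envelope):
        """Steps 6 and 7: verify the envelope before trusting any attribute in it."""
        body = envelope["body"]
        expected = hmac.new(self.idp_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["mac"]):
            raise PermissionError("envelope signature invalid")
        payload = json.loads(body)
        if payload["audience"] != self.name:
            raise PermissionError("envelope addressed to a different service provider")
        if payload["in_response_to"] not in self.pending:
            raise PermissionError("unsolicited or replayed envelope")
        self.pending.remove(payload["in_response_to"])  # one-time use
        return payload["attributes"]


def build_federation():
    """Constructed federation: one IdP, one discovery service, two SPs."""
    key_library, key_archive = b"constructed-library-key", b"constructed-archive-key"
    users = {"alice": ("correct horse", {"eduPersonAffiliation": "student",
                                         "mail": "alice@example.edu"})}
    idp = IdentityProvider("Example University IdP", users,
                           {"Library Portal": key_library, "Archive Portal": key_archive})
    wayf = DiscoveryService({"Example University": idp})
    return wayf, ServiceProvider("Library Portal", key_library), ServiceProvider("Archive Portal", key_archive)


def run_roleplay():
    """Play the seven steps at the Library Portal, then visit a second SP to show SSO."""
    wayf, library, archive = build_federation()
    request = library.start()                                   # steps 1-3
    idp = wayf.choose("Example University")                     # step 2
    envelope, cookie, asked = idp.login(request, credentials=("alice", "correct horse"))
    attrs_first = library.consume(envelope)                     # steps 6-7
    request2 = archive.start()                                  # second Service Provider
    envelope2, _, asked2 = wayf.choose("Example University").login(request2, cookie=cookie)
    attrs_second = archive.consume(envelope2)
    return attrs_first, attrs_second, asked, asked2


def misdirected_envelope_is_rejected():
    """An envelope sealed for the Library Portal must not be accepted by the Archive Portal."""
    wayf, library, archive = build_federation()
    envelope, _, _ = wayf.choose("Example University").login(library.start(), credentials=("alice", "correct horse"))
    try:
        archive.consume(envelope)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_roleplay())
```

Running the module plays the flow once with a password prompt and once without, which is exactly the Single Sign-On observation above: the IdP's session cookie, not a second password entry, is what lets the second Service Provider receive the attributes. The `in_response_to` and `audience` checks are what keep a captured envelope from being useful at another service or at a later time.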
Figures for posters
Further Reading

● LIBER 2016 workshop report: Federate to Win! An AARC Workshop at the LIBER
● SWITCH AAI Demo