Shibboleth Attribute Release Policy Editing Tools: ShARPE and Autograph

Shibboleth Attribute Release Policy Editing Tools: ShARPE and Autograph. I2MM April 2006. Neil Witheridge, MAMS Project Manager, [email protected]. http://federation.org.au/


TRANSCRIPT

Page 1: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

04/22/23 META ACCESS MANAGEMENT SYSTEM

Shibboleth Attribute Release Policy Editing Tools
ShARPE and Autograph
I2MM April 2006

Neil Witheridge
MAMS Project Manager
[email protected]

http://federation.org.au/

Page 2: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Problem Statement

ARP Administration (ShARPE)
  ARP administrators need a ‘zero effort’ approach to implementing an access agreement with a SP – setting up site and group ARPs to supply required attributes.
User Privacy Control (Autograph)
  There is a ‘real world’ requirement for privacy management, for end-user control of release of privacy sensitive attributes.
A ‘zero-effort’ GUI interface is required.

Page 3: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Evaluation Release

ShARPE and Autograph (version 0.7) released for evaluation purposes
Elicitation of ‘real world’ requirements
  As Shibboleth stakeholders, IdP and SP administrators and users, do these tools satisfy your requirements for ARP management?
Feedback requested on usefulness and usability.

Page 4: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Shibboleth Attribute Release Policy

Shibboleth provides for privacy control through Attribute Release Policies (ARPs)
  Rules specifying which attributes may be released to a SP for IdP members in general, or for specific individuals
After user authentication & opaque handle delivery to SP

[Diagram: IdP and SP. Labels: Protected Service, Attribute Authority, Attribute Consumer Service, ARPs, AAP, User Attributes. Flows: (1) SAML Attribute Request + handle; (2) SAML Attribute Response.]

Page 5: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Info Available To Protected App

Via HTTP header

(standard header parameters)
host = demo.federation.org.au
user-agent = Mozilla/5.0;
accept = …;
accept-encoding = …;
accept-charset =
Keep-Alive = 300 ;
connection = keep-alive
referer = https://openidp.mams.org.au/shibboleth-idp/SSO ...
cookie = …

(Shibboleth specific parameters)
Shib-Identity-Provider = urn:mace:federation.org.au:testfed:level-1:openidp.mams.org.au
Shib-Authentication-Method = urn:oasis:names:tc:SAML:1.0:am:unspecified

(User Attributes)
Shib-EP-UnscopedAffiliation = Staff;Physics
Shib-Person-nickname = Sue

Page 6: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Attributes – IdP context

Key:Value pairs
  e.g. eduPersonAffiliation:Physics
User information stored within institutional directory e.g. LDAP
Directory schema determines available keys (attribute names)
Standardised schema
  e.g. person, organizationalPerson, inetOrgPerson, eduPerson…
Custom schema - institution specific data
  Custom schema for elements that don't have a clear mapping to standard schemas

Page 7: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Attributes – SP context

Received user attributes (in SAML assertion from IdP) are basis of access control
  Service or service feature accessibility
  Service Levels – not necessarily hierarchical
Potential for complex attribute-based access control
  university, campus, role, discipline, course, year, group…
SP Attribute requirements must conform to standard schema or be mappable from IdP attribute schema

Page 8: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Current Shib Federations

Current generation of Shib Federations
  1st generation ?
  Simple approach to access control, attributes & attribute management
How will SPs use attributes as Federated IAM evolves ?
  Greater use of user attributes for service differentiation
  Increasing service complexity (service features) and demand for user attributes

Page 9: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Emerging Federated Services

Institutional Repositories and CMSs
  More fine-grained protection of resources based on user attributes
Virtual Organisations & GRID Services
  Inter-organisational, national -> international collaboration
Virtual Librarian (MAMS service development)
  Example MAMS Shibbolised Service
  Needs relatively rich set of attributes

Page 10: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Current ARP Management

SP attribute requirements agreed/negotiated manually (not scalable)
Site and User ARPs, no Group ARPs
Lack of service information for users (what attributes are required, released, for what reason)
Lack of interface for user ARP control
  User can’t access ARP files

Page 11: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Shibboleth ARP Editing Tools

Provide a GUI-based editor to enable
  ARP admins to implement access contracts
  Users to manage their ARPs
Provide visibility to user of:
  attributes required by services
  attributes released to services
  Service received in return for attributes
Enable users to change their ARPs hence exercise privacy control

Page 12: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

New features

(In order to provide comprehensive GUI for creation of ARPs)
Group ARPs
  Current Shibboleth supports site and user ARPs
Service Descriptions
  Comprehensive information about SP’s service, service levels, attribute requirements
Attribute Mapping
  Support for mapping between IdP and SP schemas

Page 13: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

ShARPE – ARP Administrator

ARP Admin
  Import Service Description (Physics research database from Sandstone Uni)
  Create site ARP (all communities get bronze access)
  Create group ARP (Physics community gets gold access)

Page 14: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph


Page 15: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph


SandstoneUniServiceDescription.xml

Page 16: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph


arp.site.xml

Page 17: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph


Page 18: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph


arp.group.Physics.xml

Page 19: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Autograph – IdP Member

IdP member:
  Susannah Halmay, Physics staff member
  View attributes released
  Deny release of attributes required for Gold access

Page 20: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph


Page 21: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph


Page 22: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph


arp.user.sue.xml

Page 23: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Group ARPs

How will contracts be established between an IdP and SPs ?
  Groups within institutions (IdPs) create agreements, maybe requiring subscription involving formal T&Cs and/or payment
Attribute release policy defined for the group
  Appropriate static values (contract number)
  Members attribute release policy by virtue of group membership

Page 24: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Group Information sources

List of Groups & IdP member group membership information
  Institutional Directory
  Flat files
Responsibility for Group ARP Administration ?
Future: Grouper & Signet

Page 25: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Service Descriptions

SP’s Service and Service Level descriptions and attribute requirements
Services may provide service-levels - different functionality - based on supplied attributes
  e.g. for an institutional repository or publisher: read access, adding comments/rank/annotations, submit access…
Comprehensive Service Provider information needed by both admins and users for ‘sensible’ attribute management
ShARPE introduces ‘Service Description’ metadata to support ‘fully informative’ GUI

Page 26: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Service Description Editor

Page 27: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Service Description Editor

Page 28: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Attribute Mapping

Requirement to map between IdP and SP schemas (standard/custom to standard/custom...)
Attribute mapping functions
  One-to-One Mapping
  Concatenation
  Static Value assignment
  Hashing (e.g. TargetedID)
Examples:
  Simple: ‘email’ to ‘mail’, or ‘gender’ to ‘sex’
  Complex: creating targetedID (e.g. hash(concat(SPname, email)))
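The four mapping functions listed on this slide, as an added example that is not ShARPE's own code. SHA-256, the length-prefixed concatenation, the optional IdP-held HMAC key, and all sample values other than the SP identifier are assumptions; the slides give only hash(concat(SPname, email)).

```python
import hashlib
import hmac

# Constructed IdP-side record; "email" and "gender" are the slide's source names.
USER = {"email": "sue@idp.example.edu", "gender": "F",
        "givenName": "Susannah", "sn": "Halmay"}

def one_to_one(src):
    """Copy one IdP attribute to the SP-side name unchanged."""
    return lambda user, sp: user[src]

def concatenation(*srcs, sep=" "):
    """Join several IdP attributes into one SP-side value."""
    return lambda user, sp: sep.join(user[s] for s in srcs)

def static_value(value):
    """Release a fixed value, e.g. a group's contract number."""
    return lambda user, sp: value

def hashed(*srcs, key=None):
    """hash(concat(SPname, sources...)) as on the slide.

    Each field is length-prefixed so ("ab", "c") and ("a", "bc") never
    produce the same hash input. With `key` set the digest is an HMAC,
    so only the IdP can recompute the identifier from the inputs.
    """
    def fn(user, sp):
        parts = [sp.encode()] + [user[s].encode() for s in srcs]
        msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
        if key is None:
            return hashlib.sha256(msg).hexdigest()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()
    return fn

# SP-side attribute name -> mapping function (hypothetical mapping table).
MAPPING = {
    "mail": one_to_one("email"),
    "sex": one_to_one("gender"),
    "displayName": concatenation("givenName", "sn"),
    "contractNumber": static_value("CONTRACT-PLACEHOLDER"),
    "targetedID": hashed("email", key=b"constructed-idp-secret"),
}

def map_attributes(mapping, user, sp):
    """Apply every mapping function for one user and one SP."""
    return {name: fn(user, sp) for name, fn in mapping.items()}

SP_A = "urn:mace:federation.org.au:testfed:level-1:federation.org.au"  # from the slides
SP_B = "urn:example:another-sp"                                        # constructed

if __name__ == "__main__":
    for sp in (SP_A, SP_B):
        print(sp, map_attributes(MAPPING, USER, sp))
```

Because the SP name is part of the hash input, the same user gets a different targetedID at each SP, which keeps two SPs from correlating her by that value.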

Page 29: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Attribute Mapping GUI

Page 30: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Evaluating ShARPE & Autograph

View Flash Demonstrations
  via http://www.federation.org.au/twiki/bin/view/Federation/ShARPE
Experiment with Autograph using a pre-configured ‘openIdP’
  http://opensharpe.mams.org.au
Install your own evaluation IdP including ShARPE and Autograph
  NMI Edit software release 9 http://www.federation.org.au/software/Autograph_ShARPE-0.7.zip
  MAMS’ Easy Installation IdP with ShARPE http://www.federation.org.au/software/installcd/

Page 31: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Evaluating ShARPE & Autograph (cont’d)

Install on top of existing IdP
  http://www.federation.org.au/software/Autograph_ShARPE-0.7.zip
Qualifications:
  Attribute Mapping is optional functionality (can be disabled at installation). Attribute mapping is relatively complex and changes resolver file, not intended to be deployed on production systems.
  ShARPE and Autograph without attribute mapping only writes to ARPs.

Page 32: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph


Thank you

Questions ?

Page 33: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Shibboleth Architecture

Shibboleth Federation components

Service Provider
  Provide Services accessible via the web
  Want to focus on core business & avoid risks of managing users’ confidential info.
WAYF
User
  Belongs to an organisation which manages her identity
  Privacy concerns
Identity Provider
  Secure identity management is a core business requirement

Page 34: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Background: Shibboleth

Standards based (SAML)
Open source middleware
Provides Web Single Sign-On (SSO) across or within institutional boundaries
  SSO using session cookies
Provides secure transfer of user attributes between user’s Identity Provider (IdP) and Service Providers (SPs)

Page 35: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Group Information sources

<ReleasePolicyEngine>
  <ArpRepository implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.provider.MAMSFileSystemArpRepository">
    <Path>file:/usr/local/shibboleth-idp/etc/arps/</Path>
    <!-- Group lookup through the attribute resolver (institutional directory) -->
    <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.AttributeResolverGroupLookup">
      <ResolverConfig implementation="edu.internet2.middleware.shibboleth.aa.attrresolv.MAMSAttributeResolver">
        file:///usr/local/shibboleth-idp/etc/resolver.ldap.xml
      </ResolverConfig>
      <UserGroup>urn:mace:dir:attribute-def:eduPersonAffiliation</UserGroup>
    </GroupLookup>
    <!-- Group lookup from a flat properties file -->
    <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.PropertyFileGroupLookup" separator="%PRINCIPAL%.">
      <PropertyFile>file:///usr/local/shibboleth-idp/etc/sample.grouplookup.properties</PropertyFile>
      <GroupListing>institutionalGroupList</GroupListing>
      <GroupListing>groupList</GroupListing>
    </GroupLookup>
  </ArpRepository>
</ReleasePolicyEngine>

Page 36: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Group Information sources

Example of group names in flat file

debian> cd /usr/local/shibboleth-idp/etc
debian> cat sample.grouplookup.properties
#Sample group lookup using PropertyFileGroupLookup

#this defines institutional-wide groups
institutionalGroupList=Administrator, Staff, Researcher

#an example of local groups
groupList=Library, Physics, Biology, Walk-in

#user based attributes specifying the groups
#ann.eduPersonAffiliation=Researcher
#staff.eduPersonAffiliation=Staff
#librarian.eduPersonAffiliation=HeadOfSchool, Staff, Librarian
debian>

Page 37: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Service Description Schema

The SD XML schema includes the following @attributes and elements:
  Service Provider: identifier, name, location, description, service-independent attributes
  Service: @identifier, name, description, location, reference, service-specific level-independent attributes
  Service Level: @identifier, name, description, reference, level-specific attributes

Page 38: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph

Service Description Example

<ServiceProvider …>
  <ServiceProviderIdentifier>urn:mace:federation.org.au:testfed:level-1:federation.org.au</ServiceProviderIdentifier>
  <ServiceProviderName xml:lang="en">Sandstone University</ServiceProviderName>
  <ServiceProviderLocation xml:lang="en">https://demo.federation.org.au</ServiceProviderLocation>
  <ServiceProviderDescription xml:lang="en">Online Services for Physics Researchers</ServiceProviderDescription>
  <Service identifier="sandstoneuni:physicsdatabase">
    <ServiceName xml:lang="en">Laser and Optical Physics Database</ServiceName>
    <ServiceDescription xml:lang="en">Data Generated by Physics Researchers</ServiceDescription>
    <ServiceLocation xml:lang="en">https://demo.federation.org.au/SharpeJSPDemo/demo.jsp</ServiceLocation>
    <ServiceLevel identifier="gold">
      <ServiceLevelName xml:lang="en">Gold Access</ServiceLevelName>
      <ServiceLevelDescription xml:lang="en">Search, View, Query, Comment on Data</ServiceLevelDescription>
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation" FriendlyName="your affiliation" isRequired="true"/>
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonNickname" FriendlyName="your nickname" isRequired="true"/>
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:sn" FriendlyName="surname" isRequired="true"/>
    </ServiceLevel>
    <ServiceLevel identifier="silver">…</ServiceLevel>
    <ServiceLevel identifier="bronze">…</ServiceLevel>
  </Service>
</ServiceProvider>
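How a Service Description like the one above combines with site, group and user ARPs to decide the service level a user reaches, as an added example that is not ShARPE or Shibboleth code. The gold requirements are taken from the slide; the silver and bronze requirements, the `md` namespace declaration, the ARP contents and the "user deny overrides permit" merge rule are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"   # assumed binding for the md: prefix
PFX = "urn:mace:dir:attribute-def:"

# Constructed Service Description: gold as on the slide, silver/bronze assumed.
SD_XML = f"""<ServiceProvider xmlns:md="{MD}">
  <Service identifier="sandstoneuni:physicsdatabase">
    <ServiceLevel identifier="gold">
      <md:RequestedAttribute Name="{PFX}eduPersonAffiliation" isRequired="true"/>
      <md:RequestedAttribute Name="{PFX}eduPersonNickname" isRequired="true"/>
      <md:RequestedAttribute Name="{PFX}sn" isRequired="true"/>
    </ServiceLevel>
    <ServiceLevel identifier="silver">
      <md:RequestedAttribute Name="{PFX}eduPersonAffiliation" isRequired="true"/>
      <md:RequestedAttribute Name="{PFX}eduPersonNickname" isRequired="true"/>
    </ServiceLevel>
    <ServiceLevel identifier="bronze">
      <md:RequestedAttribute Name="{PFX}eduPersonAffiliation" isRequired="true"/>
    </ServiceLevel>
  </Service>
</ServiceProvider>"""

def required_by_level(sd_xml):
    """Map each ServiceLevel identifier to the set of attributes it requires."""
    root = ET.fromstring(sd_xml)
    levels = {}
    for level in root.iter("ServiceLevel"):
        levels[level.get("identifier")] = {
            ra.get("Name")
            for ra in level.iter(f"{{{MD}}}RequestedAttribute")
            if ra.get("isRequired") == "true"
        }
    return levels

def effective_release(site_arp, group_arps, user_groups, user_denied):
    """Site permits plus permits of the user's groups, minus the user's denials."""
    permitted = set(site_arp)
    for group in user_groups:
        permitted |= group_arps.get(group, set())
    return permitted - set(user_denied)

def best_level(levels, released):
    """First level (document order, gold first) whose requirements are all released."""
    for name, required in levels.items():
        if required <= released:
            return name
    return None

# The scenario from the walkthrough slides, with assumed ARP contents.
SITE_ARP = {PFX + "eduPersonAffiliation"}                           # everyone: bronze
GROUP_ARPS = {"Physics": {PFX + "eduPersonNickname", PFX + "sn"}}   # Physics: gold
SUE_DENY = {PFX + "sn"}                                             # Sue withholds surname

if __name__ == "__main__":
    levels = required_by_level(SD_XML)
    for who, groups, deny in [("Physics member", ["Staff", "Physics"], set()),
                              ("Sue after Autograph", ["Staff", "Physics"], SUE_DENY),
                              ("Biology member", ["Biology"], set())]:
        released = effective_release(SITE_ARP, GROUP_ARPS, groups, deny)
        print(who, "->", best_level(levels, released))
```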