GTE 201.4 ACM2 eduPersonEntitlement

Learning Objectives

  • Understand ACM2 model and how to implement attribute based access control
  • Implement grouper security model
  • Configure PSPNG to convert membership to eduPersonEntitlement values in LDAP
  • Configure Shibboleth to release specific eduPersonEntitlement values to SP

Lab Components

Overview

Grouper Deployment Guide access control model 2 is all about subject attribute based access control. ACM2 is applicable across a broad range of services where access control policy can be based on subject attributes, the policy decision can be precomputed, and simple subject attributes are sufficient to drive the enforcement point.

ACM2

Implementing ACM2 can be distilled to these basic steps:

  1. Convert natural language policy to reference groups and policy groups
  2. Provision to LDAP: Grouper group → LDAP attribute via PSPNG
  3. Release eduPersonEntitlement value in SAML authentication response

Exercise 201.4.1

Create policy for wiki application

  1. Create folder app:wiki.
  2. Create policy groups wiki_authorized, wiki_allow and wiki_deny in folder app:wiki:service:policy.
  3. Edit composite wiki_authorized to make it wiki_allow minus wiki_deny.

Exercise 201.4.2

Create security group

  1. Create folder app:wiki:security.
  2. Create security group app:wiki:security:wiki_admin.
  3. Add ADMIN privileges to wiki_admin for app:wiki:service, and inherit to all child objects (folders, groups, and attributes).

Exercise 201.4.3

Add reference groups to policy

  1. Add ref:student:students to app:wiki:service:policy:wiki_allow.
  2. Add ref:iam:global_deny to app:wiki:service:policy:wiki_deny.

Exercise 201.4.4

Configure PSPNG to reflect policy to eduPersonEntitlement in LDAP

  1. Assign PSPNG attribute, provision_to to wiki_authorized with a value of pspng_entitlements.

  2. Configure PSPNG to convert membership to the ePE value http://sp.example.org/wiki and review the result in LDAP. The relevant configuration is below:

    grouper-loader.properties

    changeLog.consumer.pspng_entitlements.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim
    changeLog.consumer.pspng_entitlements.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner
    changeLog.consumer.pspng_entitlements.quartzCron = 0 * * * * ?
    changeLog.consumer.pspng_entitlements.ldapPoolName = demo
    changeLog.consumer.pspng_entitlements.provisionedAttributeName = eduPersonEntitlement
    changeLog.consumer.pspng_entitlements.provisionedAttributeValueFormat = ${group.name.equalsIgnoreCase('app:wiki:service:policy:wiki_authorized') ? 'http://sp.example.org/wiki' : 'urn:mace:example.edu:' + group.extension}
    changeLog.consumer.pspng_entitlements.userSearchBaseDn = ou=people,dc=internet2,dc=edu
    changeLog.consumer.pspng_entitlements.userSearchFilter = uid=${subject.id}
    changeLog.consumer.pspng_entitlements.allProvisionedValuesPrefix = *
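An offline check that ties exercises 201.4.1 and 201.4.4 together: it reproduces the composite wiki_authorized = wiki_allow minus wiki_deny and the provisionedAttributeValueFormat expression from the properties above, then compares the eduPersonEntitlement values a user should carry against what an LDAP entry actually holds. This is an added example, not Grouper or PSPNG code; the reference-group memberships and LDAP values are constructed sample data, and the check assumes that allProvisionedValuesPrefix = * means PSPNG manages every value of the attribute, so any value not derived from a provisioned group is stale.

```python
from typing import Dict, Set, Tuple

WIKI_AUTHORIZED = "app:wiki:service:policy:wiki_authorized"
WIKI_ALLOW = "app:wiki:service:policy:wiki_allow"
WIKI_DENY = "app:wiki:service:policy:wiki_deny"

# Constructed sample data (not from the lab): direct members of the reference
# groups that exercise 201.4.3 wires into wiki_allow and wiki_deny.
REFERENCE_MEMBERS: Dict[str, Set[str]] = {
    "ref:student:students": {"alice", "bob", "carol"},
    "ref:iam:global_deny": {"bob"},
}
POLICY_INPUTS: Dict[str, Set[str]] = {
    WIKI_ALLOW: {"ref:student:students"},
    WIKI_DENY: {"ref:iam:global_deny"},
}


def members(group: str) -> Set[str]:
    """Effective members of a policy group, or direct members of a reference group."""
    if group == WIKI_AUTHORIZED:  # composite from exercise 201.4.1: allow minus deny
        return members(WIKI_ALLOW) - members(WIKI_DENY)
    if group in POLICY_INPUTS:
        return set().union(*(members(ref) for ref in POLICY_INPUTS[group]))
    return set(REFERENCE_MEMBERS.get(group, set()))


def entitlement_value(group_name: str) -> str:
    """Same mapping as provisionedAttributeValueFormat in grouper-loader.properties."""
    if group_name.lower() == WIKI_AUTHORIZED.lower():
        return "http://sp.example.org/wiki"
    # group.extension is the last component of the group name
    return "urn:mace:example.edu:" + group_name.rsplit(":", 1)[-1]


def expected_entitlements(uid: str, provisioned_groups: Set[str]) -> Set[str]:
    """ePE values PSPNG should write for uid, given the groups marked provision_to."""
    return {entitlement_value(g) for g in provisioned_groups if uid in members(g)}


def drift(uid: str, ldap_values: Set[str],
          provisioned_groups: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (missing, stale): values policy requires but LDAP lacks, and values
    LDAP holds that no provisioned group justifies. Assumes allProvisionedValuesPrefix = *
    makes every eduPersonEntitlement value PSPNG-managed, so stale values are real drift."""
    expected = expected_entitlements(uid, provisioned_groups)
    return expected - ldap_values, ldap_values - expected
```

Run it against a real entry by replacing the constructed sets with the attribute values read from LDAP and the memberships read from Grouper; a non-empty stale set after a full sync means the provisioner and the policy disagree.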

Exercise 201.4.5

Configure Shib to release ePE value for our SP

The demo Shibboleth IdP has been configured to release the ePE attribute to the demo SP. The relevant configuration is below:

    attribute-filter.xml

    <!-- Release some attributes to an SP. -->
    <AttributeFilterPolicy id="example1">
        <PolicyRequirementRule xsi:type="Requester" value="https://grouperdemo/shibboleth" />

        <AttributeRule attributeID="cn">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="eduPersonAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="eduPersonPrimaryAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

Exercise 201.4.6

(Thought exercise!) Create accounts at target SP

Use policy groups to create/manage accounts at target SP.

  • Native Grouper SP-specific provisioning components
  • RabbitMQ based provisioning / deprovisioning
  • midPoint