From: Krzysztof B. <go...@ic...> - 2014-01-27 14:11:28
Hi Shiraz,

Nice to hear from you & LSDMA!

On 27.01.2014 13:47, Shiraz Memon wrote:
> Hi Krzysztof,
>
> Last week we had a workshop dedicated to AAI & IdM (as a part of the
> LSDMA project). Whereby Unity appears to be quite important and going to
> play a key role in the project. There were some initial but interesting
> questions by meeting participants, though:
>
> Querying User's Attributes:
> i) Can one query a user's group information from unity "without" Web
> interface?

Yes. It is possible with the SAML SOAP endpoint. The SAML Attribute Query protocol allows you to query for regular attributes, but additionally Unity can be configured (and by default is) to provide an additional dynamic attribute with the subject's group information. Unity allows for both self ("what are my attributes?") and 3rd party ("what are the attributes of X?") queries, subject to the site's authZ policy (see below).

In the future another, RESTful endpoint is also planned, which can be considered a more lightweight - but not standards compliant - alternative. However, this is not yet scheduled, so any requirements are welcome.

> ii) Is it only the user who can query the group information about
> herself or any user holding specific (privileged) role, should be
> allowed to do that?

This is up to the site's policy of course, but yes - you have a role (or actually several roles: Inspector, Contents Manager and System Manager) which can be assigned to users so they can read the information about other users. This applies to any access means - web interface, SAML or anything that will be available in the future. What is more, authZ in Unity is configured per-group, so you can provide those additional privileges to selected users only in a subset of the Unity tree. However, for listing all groups this doesn't make much sense, as the information is global by definition (*all* groups).

> iii) In addition to that, what authentication (pki, username/password)
> as well as saml protocol (ECP, SOAP,... etc) will be used to perform
> such operation?

So you knew it would be SAML ;-)

You can use any protocol supported by Unity. Currently, as noted above, you have one non-web option: SAML with SOAP binding. Protocol: SAML Attribute Query protocol. You can also use the SAML Authentication Protocol, but this is limited to self queries. Authentication: as configured per endpoint. Currently user name & password via HTTP Basic and/or client authenticated TLS are implemented. Supporting others (such as username & password via WS-Security Username Token) can be added almost immediately if needed - this is trivial in Unity.

> Support for external/upstream SAML IdPs: I am aware of the fact that the
> support for external IdPs is imminent in the next release, which is
> 1.1.0. Is there a tentative timeline we can anticipate?

2nd half of February. Currently this is nearly finished (e.g. all interop tests with Shib IdP have already passed), but SAML Metadata support is also planned and must be implemented.

> Group management: Are the ordinary members of a group (beside
> administrator) allowed to create sub-groups within?

Here the answer is no, currently. I.e. one needs at least the Contents Manager role to create a group. You can assign this role to a user in a particular group, which probably won't be enough for your use case, as such a role also allows for many other management actions in the group.

I guess that this question is related to self-managed team work, where ordinary users can create their 'own' group, become its administrator, invite coworkers (maybe even assign attributes in the group), and relying services can use this information? If so, this is already designed in detail for Unity, but not yet implemented. The self-managed group API is even defined and its implementation will be pretty simple. The bigger issue is the UI part. A pure 'create a group' UI is trivial, but for such a feature we will also need flexible invitation/application support, simplified group management etc. Of course collaboration on this topic will be appreciated.

Best regards,
Krzysztof
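The non-web attribute query described in this thread, as an added example that is not Unity's own code: it builds a SAML 2.0 AttributeQuery for a subject, parses the attributes (including a group attribute) out of a constructed Response, and applies the self-vs-3rd-party authorization rule with the roles named above. The attribute name `memberOf`, the group paths, the users and the subtree semantics of per-group roles are assumptions for illustration.

```python
# Added example (not Unity's code). Stdlib only; the SAML Response is constructed.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Roles that may read other users' attributes (named in the mail above).
PRIVILEGED_ROLES = {"Inspector", "Contents Manager", "System Manager"}

def build_attribute_query(requester, subject, query_id="_q1"):
    """Serialize a <samlp:AttributeQuery> asking for all attributes of `subject`."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", ID=query_id, Version="2.0",
                   IssueInstant="2014-01-27T14:11:28Z")
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = requester
    subj = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID",
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").text = subject
    return ET.tostring(q, encoding="unicode")

def parse_attributes(response_xml):
    """Map Attribute Name -> list of values from the Response's AttributeStatement."""
    root = ET.fromstring(response_xml)
    return {a.get("Name"): [v.text for v in a.findall(f"{{{SAML}}}AttributeValue")]
            for a in root.iter(f"{{{SAML}}}Attribute")}

def may_query(requester, subject, subject_groups, roles_by_group):
    """Self queries always pass; a 3rd-party query needs a privileged role granted in a
    group that contains the subject. Assumption: a role granted in /a also covers /a/b."""
    if requester == subject:
        return True
    for group, holders in roles_by_group.items():
        if not (holders.get(requester, set()) & PRIVILEGED_ROLES):
            continue
        prefix = group.rstrip("/") + "/"
        if any(g == group or g.startswith(prefix) for g in subject_groups):
            return True
    return False

# Constructed sample Response carrying a regular attribute and a dynamic group attribute.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
    Version="2.0" IssueInstant="2014-01-27T14:11:30Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-27T14:11:30Z">
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="memberOf"><saml:AttributeValue>/lsdma</saml:AttributeValue>
        <saml:AttributeValue>/lsdma/data</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```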