3. Problem Statement
• Original requirement from the Schools Sector;
• SP Business Case:
– Primary market is individual home users;
– Secondary sales to schools for pupils ‘on network’;
• Need to distinguish these cases;
• Desire to move from SP recognising IP to IdP
asserting location.
4. Why not IP authentication?
• Often not granular enough;
• Easy to ‘fake’;
• Difficult to maintain accurately;
• Prone to keying errors;
• Low tech implementations.
5. Location Assertion Extension
• Extension to Shibboleth;
• Downloadable and implementable
now;(https://github.com/ukf/ua-attribute-idp-
ext);
• Creates attributes at the time of
authentication based on IP address of the user
agent;
• SP can make decisions based on known
location as well as other assertions.
6. What Does it Look Like?
New Subsidiary attribute and use of eduPersonEntitlement
resolver:DataConnector id=”userAgentAttributes”
xsi:type=”uadc:UserAgentMappedAttributes”
uadc:Mapping cidrBlock=”217.155.0.0/16″
attributeId=”userAgent”
attributeValue=”http://iay.org.uk/networks/zenInternet”/
uadc:Mapping cidrBlock=”82.68.0.0/14″
attributeId=”userAgent”
attributeValue=”http://iay.org.uk/networks/zenInternet”/
uadc:Mapping cidrBlock=”192.168.117.19/32″
attributeId=”eduPersonEntitlement”
attributeValue=”http://iay.org.uk/entitlements/kestrel”/
7. Solving Walk-in?
• Allows Walk-in with BYOD;
• Easy to provision guest accounts that don’t
work outside the institutional boundary;
• Able to configure walk-in at a granular level
for SPs that don’t allow.
BUT…