ProtectNetwork

Cloud based E-Credential Management service

Frequently Asked Questions: Website Administrators

What is Shibboleth?
Shibboleth is a widely adopted open Internet standard for web single sign-on and access management. Shibboleth uses the SAML open standard for exchanging authentication and authorization information across multiple security domains.
What is SimpleSAMLphp?
SimpleSAMLphp is a widely adopted implementation of the SAML standard for web single sign-on and access management. SimpleSAMLphp uses the SAML open standard for exchanging authentication and authorization information across multiple security domains.
What standards are supported by the ProtectNetwork SSO Cloud Service?
ProtectNetwork SSO Cloud is compatible with the following standards:

  • SAML 1.1
  • SAML 2
  • Shibboleth version 1.3+
  • Shibboleth version 2.x
  • OpenID
What SAML SP middleware do I need to use to interoperate with the ProtectNetwork SSO Cloud?
ProtectNetwork SSO Cloud will work with any SAML 2 / SAML 1.1 SP middleware implementation, such as:

  • Shibboleth
  • SimpleSAMLphp
  • Microsoft Geneva
  • IBM ITFIM
  • CA SiteMinder
  • Ping
  • Novell
  • Others
I manage a Shibboleth/SAML enabled website, how can I use the ProtectNetwork SSO Cloud service for my site?
It is quite simple. Follow the steps for integrating secure ProtectNetwork logins into your website. Once the integration is done, register for an Administrator Account on ProtectNetwork and add your SP as a trusted site. This enables your SP site to accept SAML user authentications and attributes from ProtectNetwork.
Why should I use the ProtectNetwork SSO Cloud service?
You have two options: build and set up your own local service, or lease the ProtectNetwork service on demand. The benefits of leveraging the ProtectNetwork service are:

  • No hardware or software required
  • No hardware/software related costs: acquisition, setup, integration, maintenance, upgrades and support costs
  • We provide help desk support to your users
  • We host the service for you in our datacenter
  • Can be customized to your needs and requirements
  • Your website can receive any user attribute you like
  • No big upfront costs, pay as you go
What kind of uptime can ProtectNetwork provide for its identity services?
Our datacenter and customer support center are always open and available. We provide an SLA to customers that leverage our identity service. The datacenter is well equipped with highly redundant and reliable network and server infrastructure.
Can our students, staff and guests obtain and use ProtectNetwork UserIDs?
Yes. The ProtectNetwork site is open to all. Anyone who can access our site with a desktop web browser can request a UserID. A ProtectNetwork UserID with LOA-1 is granted to anyone with a valid and verifiable email address.
Can you customize the process of acquiring and using ProtectNetwork identity services?
We can customize the process of registration, validation and authentication of ProtectNetwork UserIDs for your users and business use case for a fee.

Can ProtectNetwork help Shibboleth/SAML enable my website?
Yes. Our team has helped large campus/enterprise customers with their Shibboleth and SAML federated access deployment and integration projects. We have the credentials and experience to provide the necessary and relevant help. Please contact our sales team at sales@protectnetwork.org for further details.

I manage a Shibboleth/SAML based federation, how can I add ProtectNetwork service to my federation?
You can coordinate ProtectNetwork IDP service integration into your federation by simply contacting us at support@protectnetwork.org along with a link to your federation metadata. Our team will then contact you and provide you with ProtectNetwork SAML IDP metadata for your federation for integration purposes.

What is the attribute release policy (ARP) of ProtectNetwork?
The ProtectNetwork attribute release policy is available for review at any time. Please note that it is not a static document or practice; it evolves over time based on the changing needs of SP site owners.

Do I have to pay to add my SP sites to ProtectNetwork?
SP site administrators can add any number of SP sites for consuming ProtectNetwork SAML assertions. All user authentications and attribute assertions are provided for free for the first thirty days.
Thereafter, we charge an annual subscription fee per SP site if you wish to continue receiving both the authentication and attribute assertions from ProtectNetwork.

You may however continue to consume only ProtectNetwork authentications for free for twelve months.

Please contact your sales representative for details at sales@protectnetwork.org.

I manage a Shibboleth/SAML enabled site, how can I tell if the ProtectNetwork UserID presented on our site is LOA-1 or LOA-2?
To transmit the Level of Assurance (LOA) value, the ProtectNetwork service uses a special attribute with the following ID:

http://protectnetwork.org/pn/loa

The permissible values for this attribute are:

  • LOA-1
  • LOA-2

A sample AAP.xml rule (Shibboleth SP 1.3 format) to accept this attribute would be:

<!-- The opening AttributeRule element is reconstructed here so the rule is well-formed;
     its Name is the LOA attribute ID given above. -->
<AttributeRule Name="http://protectnetwork.org/pn/loa">
  <SiteRule Name="pnidm">
    <Value>LOA-1</Value>
    <Value>LOA-2</Value>
  </SiteRule>
</AttributeRule>
How can my SP consume the Entitlement attribute from ProtectNetwork?
To make use of the Entitlement attribute you will need to add the following to your Shibboleth SP's attribute-map.xml (both the URI name and the OID name map to the same id, so the attribute is available under "entitlement" whichever name the assertion uses):

<Attribute name="http://protectnetwork.org/pn/entitlement" id="entitlement">
    <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>

<Attribute name="urn:oid:1.3.6.1.4.1.31573.1.1.1.7" id="entitlement">
    <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>

And within your attribute-policy.xml you should add a rule that accepts only those values of this attribute whose appended scope is a domain you trust:

<afp:PermitValueRule id="EntitlementRules" xsi:type="AttributeValueRegex"
    regex="@@yourdomain.com"/>

<afp:AttributeFilterPolicy>
    <!-- This policy is in effect in all cases. -->
    <afp:PolicyRequirementRule xsi:type="ANY"/>

    ...

    <afp:AttributeRule attributeID="entitlement">
        <afp:PermitValueRuleReference ref="EntitlementRules"/>
    </afp:AttributeRule>

    ...

</afp:AttributeFilterPolicy>
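The scope rule above is the control that keeps an entitlement such as cs101@otherdomain.com from being accepted as if it were yours, so it is worth seeing exactly which values a given pattern lets through. The following Python script is an added example, not part of the original FAQ or the Shibboleth SP; it models an AttributeValueRegex PermitValueRule over a constructed list of entitlement values and contrasts an unanchored pattern in the spirit of the rule shown above with an anchored, escaped pattern that accepts only values whose scope is exactly the trusted domain. The domain yourdomain.com and all sample values are constructed.

```python
import re

# Constructed sample: entitlement values one ProtectNetwork assertion might carry
# for a user. attribute-map.xml maps both SAML attribute names to id="entitlement",
# so the filter sees all of them under one id. The third and fourth values are
# constructed look-alike scopes that an SP must not treat as its own.
SAMPLE_ENTITLEMENTS = [
    "cs101@yourdomain.com",
    "paidsubscribers@yourdomain.com",
    "cs101@yourdomain.com.attacker.example",  # trusted domain appears only as a prefix
    "cs101@yourdomainXcom",                   # an unescaped '.' matches any character
    "admin@otherdomain.example",
]

TRUSTED_SCOPE = "yourdomain.com"  # constructed; use the domain you concatenate with


def loose_scope_regex(trusted_scope):
    """Unanchored, unescaped pattern in the spirit of the page's rule (for contrast only)."""
    return "@" + trusted_scope


def strict_scope_regex(trusted_scope):
    """Pattern to place in the PermitValueRule's regex attribute: a non-empty local
    part, exactly one '@', the trusted scope with its dots escaped, end of value."""
    return "^[^@]+@" + re.escape(trusted_scope) + "$"


def permit_values(values, regex):
    """Model of an AttributeValueRegex PermitValueRule: keep the values the pattern
    matches somewhere in the string, drop the rest. Python's re module stands in for
    the SP's regex engine; the dialects are close but not identical, so verify the
    final pattern against the SP itself before relying on it."""
    pattern = re.compile(regex)
    return [v for v in values if pattern.search(v)]


if __name__ == "__main__":
    for name, regex in (("loose", loose_scope_regex(TRUSTED_SCOPE)),
                        ("strict", strict_scope_regex(TRUSTED_SCOPE))):
        print(name, regex, "->", permit_values(SAMPLE_ENTITLEMENTS, regex))
```

Run as-is, the loose pattern passes four of the five values, including the two look-alike scopes, while the strict pattern passes only the two values scoped exactly to yourdomain.com. The strict pattern string is what you would put in the regex attribute of the PermitValueRule.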
How can I isolate my users on ProtectNetwork who sign in to my SP sites using ProtectNetwork?
We provide two options to you to isolate your users in ProtectNetwork.

Option-I:

You can register for an Admin Account on ProtectNetwork and upload your users in bulk using a simple CSV file. The CSV file contains only the email addresses of your users. Once the users are uploaded into ProtectNetwork, you can use your ProtectNetwork Admin Account to organize them into Groups and assign each group one or more entitlement values. Entitlements are simple ASCII strings (e.g. cs101, paidsubscribers, vendor125) which are then concatenated with a domain of your choice (in most cases your own domain, e.g. mydomain.com). The entitlement attribute values are therefore unique to your users. Your SP sites can then simply filter for the entitlement attribute from ProtectNetwork and grant access.

Most SP sites give access to ProtectNetwork users based on user attributes released by ProtectNetwork. Therefore, once you assign entitlement attribute values to your Users then only your users on ProtectNetwork will be given access to your SP sites, no one else. You can set your SP attribute filter policy to enable access based on the entitlement attribute easily using the guidelines provided earlier in this FAQ.

Option-II:

You can order the Private IDP Cloud service option from us. We set up a private IDP service for you, customized with your URL, domain, metadata and attribute policies. You upload your users into this IDP; it is dedicated to your own use and trusted only by the SPs of your choice. Please review our Services for more details. Additionally you may contact one of our sales representatives at sales@protectnetwork.org.

How can I enable Role based access using ProtectNetwork?
Role is another user attribute for enabling access control on your SP site. Once you log in as an Administrator on ProtectNetwork, you can upload your users in bulk into ProtectNetwork. You can organize your users into Groups and assign them Entitlement values, which can serve as Roles. For example, you can create two user groups, say Group-A and Group-B, and assign them different Entitlement values, say "Student" and "Vendor" respectively. So Group-A is assigned the entitlement value "Student" and Group-B is assigned "Vendor". ProtectNetwork releases the entitlement attribute with the assertion, so your SP site can filter on the entitlement attribute, which is essentially the Role of the user. You can easily set your SP attribute filter policy to enable authorization based on the entitlement attribute from ProtectNetwork.

If this does not work for your SP site and you would rather get the Role value as an Affiliation attribute (rather than Entitlement attribute) then we may have a custom solution for you. Please contact our technical support for additional details.
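Once the SP has filtered the attributes, the application still has to turn them into an access decision: the LOA attribute described earlier in this FAQ says how strongly the user was identified, and the entitlement attribute carries the role. The following Python module is an added example, not code from the original FAQ or from ProtectNetwork; it shows one way an application behind a Shibboleth SP 2.x could combine the two. It assumes the SP exports each attribute to the application under its attribute-map.xml id ("entitlement" from the mapping above; "loa" for the LOA attribute is an assumed id, since the page gives only the SAML attribute name), that multiple values arrive joined by ";" as the SP does by default, and that the per-path role and minimum-LOA table is the application's own policy (constructed for the example, as are the domain mydomain.com and the sample session).

```python
# Constructed sample of the attributes a Shibboleth SP 2.x exports to the application
# for one session, keyed by attribute-map.xml id. The id "loa" is an assumption for
# this example; the page specifies only the SAML attribute name for the LOA value.
SAMPLE_ATTRIBUTES = {
    "loa": "LOA-1",
    "entitlement": "Student@mydomain.com;Vendor@otherdomain.example",
}

TRUSTED_SCOPE = "mydomain.com"  # constructed; the domain your entitlements are scoped to

# Assumed application policy for the example: which roles may reach each path and the
# minimum Level of Assurance required there. The FAQ defines the attributes, not this table.
PAGE_POLICY = {
    "/courses": {"roles": {"Student"}, "min_loa": 1},
    "/vendor-portal": {"roles": {"Vendor"}, "min_loa": 2},
}


def parse_loa(value):
    """Map the LOA attribute ("LOA-1" or "LOA-2") to an integer; anything else is 0 (no assurance)."""
    return {"LOA-1": 1, "LOA-2": 2}.get(value, 0)


def roles_from_entitlement(raw, trusted_scope):
    """Return the roles (local parts) of the entitlement values scoped to the trusted domain.
    Values scoped to any other domain are ignored, mirroring the attribute-policy.xml scope
    rule; checking again here means the application does not depend on the SP config alone."""
    roles = set()
    for value in raw.split(";"):
        local, sep, scope = value.partition("@")
        if sep and local and scope == trusted_scope:
            roles.add(local)
    return roles


def authorize(attributes, path, policy=PAGE_POLICY, trusted_scope=TRUSTED_SCOPE):
    """Decide whether the session may access `path`. Returns (allowed, reason).
    Unknown paths are denied by default."""
    rule = policy.get(path)
    if rule is None:
        return False, "no policy for path"
    loa = parse_loa(attributes.get("loa", ""))
    if loa < rule["min_loa"]:
        return False, f"LOA {loa} below required {rule['min_loa']}"
    roles = roles_from_entitlement(attributes.get("entitlement", ""), trusted_scope)
    if not roles & rule["roles"]:
        return False, "no matching role"
    return True, "ok"


if __name__ == "__main__":
    for path in PAGE_POLICY:
        print(path, authorize(SAMPLE_ATTRIBUTES, path))
```

With the sample session the user reaches /courses (LOA-1 is enough and the Student entitlement is scoped to mydomain.com) but not /vendor-portal, first because LOA-1 is below the required LOA-2 and, even at LOA-2, because the Vendor value is scoped to another domain and so never becomes a role.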

For any questions, please contact support@protectnetwork.org.

© Copyright 2004 - 2010 | 9Star Research, Inc. | All Rights Reserved