Seminar: Security / Identity Management Presentation: Elke Weber

Seminar: Security / Identity Management, WS 09/10
Single Sign-on: Shibboleth
Presentation: Elke Weber, 01 December 2009

Structure
- Single sign-on: Introduction, Pros & Cons, Overview
- Shibboleth: Applications, federations; Functionality: Single sign-on / Single logout
- Discussion
- Summary

What is single sign-on?
- Access control of multiple, related, but independent software systems
- User logs in once and gains access to all systems
- Counterpart: single sign-out

Pros & Cons
Pros:
- Uniform authentication mechanism
- Users only have to remember one login name and password
- Password can be chosen more complex
- Reduction of costs (easier to maintain)
Cons:
- Single point of failure (security problems and traffic load)
- Central storage of personal data (data protection laws)
- Data tracking

Solutions
- Central sign-on server, e.g. Yahoo!, MSN (Passport), Central Authentication Service (CAS)
- Password manager, Microsoft's Identity Metasystem
- Circle of Trust, e.g. Kerberos, Liberty Alliance Project

Single sign-on to multiple services
[Diagram] PEP = "Policy Enforcement Point"

Shibboleth
- Standards-based, open source software package for web single sign-on, released under the Apache Software License
- Implements OASIS's Security Assertion Markup Language (SAML) (OASIS: Organization for the Advancement of Structured Information Standards)
- Extended privacy functionality allowing the browser user and their home site to control the attributes released to each application → Attribute-Based Access Control (ABAC)

Shibboleth
The term originates from the Hebrew word "shibbólet" (Book of Judges, chapter 12): Gilead then cut Ephraim off from the fords of the Jordan, and whenever Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you an Ephraimite?' If he said, 'No,' they then said, 'Very well, say Shibboleth.' If anyone said, 'Sibboleth', because he could not pronounce it, then they would seize him and kill him by the fords of the Jordan. Forty-two thousand Ephraimites fell on this occasion.

Shibboleth

Shibboleth Federations
Universities, companies and government agencies:
- DFN-AAI (Germany)
- InCommon (US)
- SWITCHaai (Switzerland)
- The UK federation
- Federation Education-Recherche (France)
- ...

Shibboleth® Enabled Applications and Services
Information Providers: American Chemical Society, Elsevier ScienceDirect, H.W. Wilson, National Science Digital Library (NSDL), Online Computer Library Center (OCLC), Schweizerisches Bundesgericht, ...
Learning Management Systems: Blackboard, Moodle, OLAT - Online Learning and Training, WebAssign, WebCT, ...
Other Systems: DokuWiki, Google Apps/Email, GridShib, Horde, Microsoft, Napster, WordPress, ...

Shibboleth Requirements and Specifications
- No modification of client software
- Identity Provider (IdP) is written in Java
- Service Provider (SP) runs in Apache, Internet Information Services (IIS) or Netscape Server Application Programming Interface (NSAPI) → can be proxied into Java and other web servers
- Supports the SAML 2.0 Web Browser SSO Profile, CardSpace, Shibboleth Profile, SAML 1.1, LDAP, Kerberos, ...

Shibboleth Login Procedure – Simple Overview 1

Shibboleth Login Procedure – Simple Overview 2 (DEMO)
Hosts: wayf-test.switch.ch, dukono.switch.ch, kohala.switch.ch/secure/
Roles: Identity Provider, Service Provider

Shibboleth Situation Overview

Shibboleth Discovery

STEP 1 request:
  GET https://aai-demo.switch.ch/secure
STEP 1 response:
  302 FOUND (REDIRECT)
  Set-Cookie: _shibstate_64656661756c7468747470733a2f2... value=https://aai-demo.switch.ch/secure path=/
  Location: https://wayf-test.switch.ch/SWITCHaai/WAYF?entityID=https://aai-demo.switch.ch/shibboleth&return=https://aai-demo.switch.ch/Shibboleth.sso/DS?SAMLDS=1&target=cookie

STEP 2 request:
  GET https://wayf-test.switch.ch/SWITCHaai/WAYF?entityID=https://aai-demo.switch.ch/shibboleth&return=https://aai-demo.switch.ch/Shibboleth.sso/DS?SAMLDS=1&target=cookie
STEP 2 response:
  200 OK [WAYF DROPDOWN HTML PAGE]

STEP 3 request:
  POST https://wayf-test.switch.ch/SWITCHaai/WAYF
  POSTDATA:
    entityID=https://aai-demo.switch.ch/shibboleth
    return=https://aai-demo.switch.ch/Shibboleth.sso/DS?SAMLDS=1&target=cookie
    user_idp=https://aai-demo-idp.switch.ch/idp/shibboleth
STEP 3 response:
  302 FOUND (REDIRECT)
  Location: https://aai-demo.switch.ch/Shibboleth.sso/DS?SAMLDS=1&target=cookie&entityID=https://aai-demo-idp.switch.ch/idp/shibboleth

Shibboleth Session initiation and authentication request

STEP 4 request:
  GET https://aai-demo.switch.ch/Shibboleth.sso/DS?SAMLDS=1&target=cookie&entityID=https://aai-demo-idp.switch.ch/idp/shibboleth
  Cookie: _shibstate_64656661756c7468747470733a2f2... value=https://aai-demo.switch.ch/secure
STEP 4 response:
  200 OK [AUTHN REQUEST POST FORM HTML PAGE]

STEP 5 request:
  POST https://aai-demo-idp.switch.ch/idp/profile/SAML2/POST/SSO
  POSTDATA:
    RelayState=cookie
    SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczp...
STEP 5 response:
  302 MOVED TEMPORARILY (REDIRECT)
  Set-Cookie: JSESSIONID value=C22C16A197CB9606067A1A577EF5D996 Path=/idp Secure
  Location: https://aai-demo-idp.switch.ch/idp/Authn/UserPassword

STEP 6 request:
  GET https://aai-demo-idp.switch.ch/idp/Authn/UserPassword
  Cookie: JSESSIONID value=C22C16A197CB9606067A1A577EF5D996
STEP 6 response:
  302 MOVED TEMPORARILY (REDIRECT)
  Location: https://aai-demo-idp.switch.ch/idp/login.jsp?actionUrl=/idp/Authn/UserPassword

STEP 7 request:
  GET https://aai-demo-idp.switch.ch/idp/login.jsp?actionUrl=/idp/Authn/UserPassword
  Cookie: JSESSIONID value=C22C16A197CB9606067A1A577EF5D996
STEP 7 response:
  200 OK [USERNAME PASSWORD LOGIN FORM HTML PAGE]

Shibboleth Authentication, attribute statement and access

STEP 8 request:
  POST https://aai-demo-idp.switch.ch/idp/Authn/UserPassword
  POSTDATA:
    j_username=demouser
    j_password=demo
  Cookie: JSESSIONID value=C22C16A197CB9606067A1A577EF5D996
STEP 8 response:
  200 OK
  Set-Cookie: _idp_session value=4m2ETlKYtvbNEmBzVNo3UHLuKSdo3HqTUqAmeZiar94= Path=/idp
  [ASSERTION POST FORM HTML PAGE]

STEP 9 request:
  POST https://aai-demo.switch.ch/Shibboleth.sso/SAML2/POST
  POSTDATA:
    RelayState=cookie
    SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGl...
  Cookie: _shibstate_64656661756c7468747470733a2f2... value=https%3A%2F%2Faai-demo.switch.ch%2Fsecure
STEP 9 response:
  302 FOUND (REDIRECT)
  Set-Cookie: _shibstate_64656661756c7468747470733a2f2... value= path=/
  Set-Cookie: _shibsession_64656661756c7468747470733a2f2... value=_0b6d4e89d2e9c4481738094f2a2c9de0
  Location: https://aai-demo.switch.ch/secure

STEP 10 request:
  GET https://aai-demo.switch.ch/secure
  Cookie: _shibstate_64656661756c7468747470733a2f2... value=
  Cookie: _shibsession_64656661756c7468747470733a2f2... value=_0b6d4e89d2e9c4481738094f2a2c9de0
STEP 10 response:
  200 OK [RESOURCE HTML PAGE]

STEP 10, content of secure/.htaccess:
  AuthType shibboleth
  ShibRequireSession On
  require valid-user

Shibboleth The whole login procedure
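Steps 4 and 5 of the trace above show the SP's form posting a base64-encoded SAMLRequest to the IdP's SSO endpoint. The Python below is an added example, not code from the slides or from Shibboleth: it builds a constructed minimal AuthnRequest for the endpoints shown in the trace, encodes it as the HTTP-POST binding does, and decodes it with the checks an IdP applies before it trusts the message; the request ID and timestamp are constructed values.

```python
import base64
import xml.etree.ElementTree as ET

# Endpoints exactly as they appear in the captured demo flow above.
SP_ENTITY_ID = "https://aai-demo.switch.ch/shibboleth"
SP_ACS_URL = "https://aai-demo.switch.ch/Shibboleth.sso/SAML2/POST"
IDP_SSO_URL = "https://aai-demo-idp.switch.ch/idp/profile/SAML2/POST/SSO"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(request_id, issue_instant):
    """Constructed minimal AuthnRequest as the SP would post in step 5
    (assumed content; the page's SAMLRequest value is truncated)."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )
    # HTTP-POST binding: the XML is base64-encoded into the SAMLRequest form field.
    return base64.b64encode(xml.encode()).decode()


def inspect_saml_request(saml_request_b64, expected_destination):
    """Decode a SAMLRequest field as the IdP does and apply the checks a
    defender expects before processing it: well-formed XML, an AuthnRequest
    (not some other SAML message), and a Destination that names this IdP's
    own endpoint, so a message captured for another receiver is rejected."""
    raw = base64.b64decode(saml_request_b64)
    root = ET.fromstring(raw)
    if root.tag != f"{{{NS_SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected message type {root.tag}")
    destination = root.get("Destination")
    if destination != expected_destination:
        raise ValueError(f"Destination {destination!r} is not this endpoint")
    issuer = root.find(f"{{{NS_SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": destination,
    }
```

The encoded value starts with the same characters as the truncated SAMLRequest in step 5, because both are base64 of text beginning with `<samlp:AuthnRequest xmlns:`.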

Shibboleth Single Logout 1
- SAML2 Single Logout profile: IdP-initiated & SP-initiated
- Logout UI is located in two JSP files: sloQuestion.jsp (logout one/all service providers?) and sloController.jsp (session participants, logout status)
- SLOServlet:
  - rendering the logout question and controller page
  - initiating logout to one SP: front-channel → browser via HTTP POST or Redirect; back-channel → direct IdP/SP SOAP messages
  - returning the logout status as a JSON string

Shibboleth Single Logout 2
With JavaScript:
- iframe for every active session participant
- logout request is issued for the given session participant (front-channel SAML message exchange)
- logout status: LOGGED_IN, LOGOUT_ATTEMPTED, LOGOUT_FAILED, LOGOUT_UNSUPPORTED, LOGOUT_TIMED_OUT, LOGOUT_SUCCEEDED
Without JavaScript:
- one link for each session participant → initiates the logout process for that particular SP
- "Logout failed" / "Logout succeeded" message

Shibboleth Single Logout 3
- Security: the SAML Single Logout Profile requires the logout requests and responses to be signed or otherwise authenticated
- Session lifetime: IdP session lifetime must be longer than any SP session lifetime
- Optional: limit the maximum lifetime of the SP session
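The "Single Logout 2" and "Single Logout 3" slides above describe the per-participant logout states and the session-lifetime rule. The Python below is an added example, not Shibboleth's SLOServlet: a hypothetical LogoutController that moves each session participant through those states and renders the JSON status, plus a check of the lifetime rule; the SP entityIDs and SLO endpoint used to exercise it are constructed.

```python
import json

# Logout states from the slides; the four terminal ones end a participant's row.
LOGGED_IN = "LOGGED_IN"
LOGOUT_ATTEMPTED = "LOGOUT_ATTEMPTED"
TERMINAL = {"LOGOUT_FAILED", "LOGOUT_UNSUPPORTED", "LOGOUT_TIMED_OUT", "LOGOUT_SUCCEEDED"}


class LogoutController:
    """Hypothetical stand-in for the SLO controller logic: tracks every
    participant of one IdP session through the logout states (one iframe
    or link per participant) and renders the status as a JSON string."""

    def __init__(self, participants, slo_endpoints):
        # participants: SP entityIDs recorded in the IdP session
        # slo_endpoints: entityID -> front-channel SLO URL from SP metadata (or None)
        self.status = {sp: LOGGED_IN for sp in participants}
        self.slo_endpoints = slo_endpoints

    def start(self, sp):
        """Issue, or refuse, the logout request for one participant."""
        if self.status[sp] != LOGGED_IN:
            raise ValueError(f"{sp} is already in state {self.status[sp]}")
        # An SP with no SLO endpoint cannot be logged out; the UI must say so
        # rather than let the user believe the SP session is gone.
        if not self.slo_endpoints.get(sp):
            self.status[sp] = "LOGOUT_UNSUPPORTED"
        else:
            self.status[sp] = LOGOUT_ATTEMPTED
        return self.status[sp]

    def finish(self, sp, outcome):
        """Record the SP's LogoutResponse result (or a timeout) for an attempt."""
        if self.status[sp] != LOGOUT_ATTEMPTED or outcome not in TERMINAL:
            raise ValueError(f"invalid transition {self.status[sp]} -> {outcome}")
        self.status[sp] = outcome
        return outcome

    def all_logged_out(self):
        """True only when every participant reported LOGOUT_SUCCEEDED."""
        return all(s == "LOGOUT_SUCCEEDED" for s in self.status.values())

    def to_json(self):
        return json.dumps({"participants": self.status,
                           "all_logged_out": self.all_logged_out()}, sort_keys=True)


def lifetimes_ok(idp_session_seconds, sp_session_seconds):
    """Slide rule: the IdP session must outlive every SP session. Otherwise the
    IdP drops its participant list while SP sessions still exist, and single
    logout can no longer reach those SPs."""
    return all(idp_session_seconds > s for s in sp_session_seconds.values())
```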

Shibboleth – Meets requirements?
- Easy to implement?
- Maintenance effort?
- Data protection?
- Security?
- Service provider → trust in identity provider?
- User → understanding of SSO/SLO concepts?
- ...

Summary: Shibboleth
- Useful in some scenarios (universities, libraries, ...)
- Installing & configuring quite extensive
- Easy to maintain
- Participants have to agree on policies, ...
- Crucial factor: trust in the identity provider!

References
Single sign-on:
- http://de.wikipedia.org/wiki/Single_Sign-on
- http://entwickler.de/zonen/portale/psecom,id,101,online,910,p,0.html
- http://it-republik.de/jaxenter/artikel/Single-Sign-On-Systeme-1499.html
Shibboleth:
- http://shibboleth.internet2.edu/
- http://www.switch.ch/aai/demo/
- https://spaces.internet2.edu/display/SHIB2/SLOIssues
- https://wiki.aai.niif.hu/index.php/ShibIdpSLO