Shibboleth Architecture

Presentation transcript:

Shibboleth Architecture
Technical Information Session for Developers
Datta Mahabalagiri, April 15, 2008

Identity Provider (IdP)
The “server” side of Shibboleth
HS (Handle Service): SSO/Authentication
AA (Attribute Authority): Attributes
One instance per campus

Service Provider (SP)
The “consumer” side of Shibboleth
Apache module or IIS ISAPI filter, plus a daemon
Handles all interactions with the IdP: ACS (Assertion Consumer Service) and AR (Attribute Requester)
Attributes are delivered to the application in HTTP headers
Provided by Internet2

Federation
(Diagram: a Federation with its WAYF, the “Where Are You From” service.)

Architecture
(Diagram, © SWITCH: the Identity Provider side holds the HS, AA, SSO (ISIS), User DB and Attribute Repository; the Service Provider side holds the ACS, AR and the Application / Resource; the WAYF sits between them. Numbered steps 1 to 10 trace credentials, handle and attributes through the components and are narrated on the next slide.)

Identity Provider at UCLA: the flow, step by step
1. ACS (Service Provider): “I don’t know you. Not even which home org you are from. Redirect your request to the WAYF.”
2.–3. WAYF: “Please tell me, where are you from?”
4. WAYF: “OK, I redirect your request now to the Handle Service of UCLA.”
5.–6. HS (Identity Provider at UCLA): “I don’t know you. Please authenticate using ISIS.” (Credentials are checked against the User DB.)
7. HS: “OK, I know you now. Redirect your request to the SP, together with a handle.”
8. AR (Service Provider), holding the handle: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.”
9. AA: “Let’s pass over the attributes the user has allowed me to release.”
10. Resource Manager: “OK, based on the attributes, I grant access to the resource.”

Access Control
Read the HTTP headers set by the SP:
  request.getAttribute(“eduPersonPrincipalName”)
  request.getAttribute(“Affiliation”)
  if (affiliation == student) allow Read access
  else if (affiliation == faculty) allow Edit access
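The slide’s rule, worked into a deny-by-default decision function, as an added example that is not part of the presentation. It assumes the application receives the attributes exactly as the SP exports them (header names “eduPersonPrincipalName” and “Affiliation” from the slide; the “;” join for multi-valued attributes is the Shibboleth SP’s default), and it only makes sense behind an SP that strips those headers from incoming requests, so the values can only come from the SP.

```python
# Added example (not from the slides): attribute-based access control over the
# attributes a Shibboleth SP exports to the application as HTTP headers.
# Header names follow the slide ("eduPersonPrincipalName", "Affiliation");
# the ';' delimiter is the Shibboleth SP's default for multi-valued attributes.
from typing import Mapping, Optional, Set

# Mapping from the slide: students may Read, faculty may Edit.
ACCESS_BY_AFFILIATION = {"student": "read", "faculty": "edit"}
ACCESS_RANK = {"none": 0, "read": 1, "edit": 2}


def parse_affiliations(raw: Optional[str]) -> Set[str]:
    """Split an SP-exported multi-valued attribute ('student;member') into a set."""
    if not raw:
        return set()
    return {v.strip().lower() for v in raw.split(";") if v.strip()}


def decide_access(headers: Mapping[str, str]) -> str:
    """Return 'none', 'read' or 'edit' for the attributes the SP passed along.

    Deny by default: a missing principal name (the SP did not authenticate the
    request) or no recognised affiliation yields 'none'. With several
    affiliations the highest mapped level wins.
    """
    principal = headers.get("eduPersonPrincipalName", "").strip()
    if not principal:
        return "none"
    best = "none"
    for aff in parse_affiliations(headers.get("Affiliation")):
        level = ACCESS_BY_AFFILIATION.get(aff, "none")
        if ACCESS_RANK[level] > ACCESS_RANK[best]:
            best = level
    return best


if __name__ == "__main__":
    # Constructed sample requests, shaped like what the SP hands the application.
    samples = {
        "student":        {"eduPersonPrincipalName": "jdoe@ucla.edu", "Affiliation": "student"},
        "faculty+member": {"eduPersonPrincipalName": "asmith@ucla.edu", "Affiliation": "member;faculty"},
        "staff only":     {"eduPersonPrincipalName": "rlee@ucla.edu", "Affiliation": "staff"},
        "no principal":   {"Affiliation": "faculty"},
    }
    for name, hdrs in samples.items():
        print(f"{name:15s} -> {decide_access(hdrs)}")
```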

Bilateral vs. Federated: Bilateral
Establish trust and exchange metadata with the IdP directly
Likely a simpler deployment model for UCLA-only applications
User base limited to UCLA
Can always move to a federated deployment model later

Bilateral vs. Federated: Federated
Register with a 3rd party hosting a Federation
Interoperability and trust: common standards, compliance with federation requirements
Security and audit requirements
Coordinated helpdesk support
Expanded user base
When to choose a federated deployment?