Shibboleth Update a.k.a. “shibble-ware”

Presentation transcript:

Shibboleth Update a.k.a. “shibble-ware”
Michael R Gettes, Duke University
On behalf of the project team
June 2004
Copyright Michael R. Gettes, 2004

What is Shibboleth? (Biblical)
A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce “sh”, called the word sibboleth. See Judges xii. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. (Webster's Revised Unabridged Dictionary, 1913)
11/16/2018

What is Shibboleth? (modern era)
- An initiative to develop an architecture and policy framework supporting the sharing, between domains, of secured web resources and services
- A project delivering an open source implementation of the architecture and framework
- Deliverables:
  - Software for Identity Providers (origins/campuses)
  - Software for Service Providers (targets/vendors)
  - Operational Federations (scalable trust)

So… What is Shibboleth?
- A Web Single Sign-On (SSO) System?
- An Access Control Mechanism for Attributes?
- A Standard Interface and Vocabulary for Attributes?
- A Standard for Adding Authn and Authz to Applications?

Shibboleth Goals
- Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions
- Provide security while not degrading privacy
- Attribute-based Access Control
- Foster inter-realm trust fabrics: federations and virtual organizations
- Leverage campus expertise and build rough consensus
- Influence the marketplace; develop where necessary
- Support for heterogeneity and open standards

Attribute-based Authorization
- Identity-based approach: the identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access. This approach requires the user to trust the target to protect privacy.
- Attribute-based approach: attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision. This approach does not degrade privacy.

Stage 1 - Addressing Four Scenarios
- Member of campus community accessing licensed resource
  - Anonymity required
- Member of a course accessing remotely controlled resource
- Member of a workgroup accessing controlled resources
  - Controlled by unique identifiers (e.g. name)
- Intra-university information access
  - Controlled by a variety of identifiers
Taken individually, each of these situations can be solved in a variety of straightforward ways. Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.

Shibboleth Status
- V1.1 available August 2003
  - Relatively straightforward to install, provided there is good web services understanding and middleware infrastructure (authentication, directories, webISO, etc.)
  - Service Provider works with Apache and IIS targets; Java Identity Providers
- V1.2 available May 2004
- Work underway on some of the essential management tools such as attribute release managers, target resource management, etc.
- Can take between 3 hours and 3 years to install
  - How much infrastructure (core middleware) do you already have?

Shibboleth Status
- Will coexist with Liberty Alliance and is highly likely to work within the WS-* framework from Microsoft
- OpenSAML.org is a derivative of this work
- Uses PKI underneath; can support client PKI
- Growing development interest in several countries, providing resource manager tools, digital rights management, listprocs, etc.
- Used by several federations today (NSDL, InQueue, SWITCH) and several more soon (JISC, Australia, etc.)

How Does it Work? Hmmmm…. It’s magic. :-)

High Level Architecture
- Federations provide common Policy and Trust
- Service and Identity Provider sites collaborate to provide a privacy-preserving “context” for Shibboleth users
- Identity Provider site authenticates user, asserts Attributes
- Service Provider site requests attributes about user directly from Identity Provider site
- Service Provider site makes an Access Control Decision
- Users (and Identity Provider organizations) can control what attributes are released

Technical Components
- Identity Provider Site – Required Enterprise Infrastructure
  - Authentication
  - Attribute Repository
- Identity Provider Site – Shib Components
  - Handle Server
  - Attribute Authority
- Service Provider Site – Required Enterprise Infrastructure
  - Web Server (Apache or IIS)
- Service Provider Site – Shib Components
  - Assertion Consumer Service (SHIRE)
  - Attribute Requester (SHAR)
  - Where Are You From Service (WAYF)
  - Resource Manager

Shibboleth AA Process (sequence diagram between the Service Provider web site, the WAYF and the Identity Provider; numbered steps and speech bubbles as they appear on the slide)
1. The user requests a resource at the Service Provider web site. ACS: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
2. WAYF: “Please tell me where are you from?”
3. The user answers the WAYF.
4. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
5. Handle Service (HS) at the Identity Provider: “I don’t know you. Please authenticate using WEBLOGIN.”
6. The user’s credentials are checked against the User DB.
7. HS: “OK, I know you now. I redirect your request to the target, together with a handle.”
8. Attribute Requester (AR): “I don’t know the attributes of this user. Let’s ask the Attribute Authority.” (the handle is sent to the AA)
9. Attribute Authority (AA): “Let’s pass over the attributes the user has allowed me to release.” (attributes are returned to the AR)
10. Resource Manager: “OK, based on the attributes, I grant access to the resource.”

From Shibboleth Arch doc (diagram, built up over four slides): the Origin side with University, Authentication System, Enterprise Directory, Handle Service and Attribute Authority; the Target side with Resource Provider HTTP Server, SHIRE and Local Navigation Page; flows numbered 1, 3, 3b, 3c, 4, 5 and 6.

Demo! http://shibboleth.blackboard.com/

Shibboleth Architecture (still photo, no moving parts) © SWITCH (diagram with the same components and steps 1–10 as the AA Process slide: WAYF; Identity Provider with HS, User DB and AA; Service Provider web site with ACS, AR and Resource Manager)

Shibboleth Architecture -- Managing Trust (diagram: Browser, Service Provider Web Server, Attribute Server, trust engine)

Attribute Authority -- Management of Attribute Release Policies
- The AA provides ARP management tools/interfaces
- Different ARPs for different targets
- Each ARP specifies which attributes and which values to release
- Institutional ARPs (default)
  - Administrative default policies and default attributes
  - Site can force include and exclude
- User ARPs managed via “MyAA” web interface
- Release set determined by “combining” Default and User ARP for the specified resource
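An added illustration of the combining step above, not code from the presentation or the Shibboleth project: an Attribute Authority merging the institutional default ARP with a user's per-target ARP, with the site's forced include/exclude winning. The policy structure, the combination rule and the vendor target URL are assumptions; the attribute values reuse examples from these slides.

```python
from typing import Dict, List, Optional

# Constructed sample data: one user's attributes as read from the directory.
USER_ATTRIBUTES: Dict[str, List[str]] = {
    "eduPersonAffiliation": ["member@duke.edu", "staff@duke.edu"],
    "eduPersonPrincipalName": ["gettes@duke.edu"],
    "eduPersonEntitlement": ["urn:mace:vendor:contract1234"],
    "ou": ["Economics Department"],
}

# Institutional (default) ARP, assumed structure: attribute -> allowed values,
# where None means "every value the user has". force_include / force_exclude
# are the site overrides the slide mentions; they win over the user's choices.
SITE_POLICY = {
    "default": {"eduPersonAffiliation": ["member@duke.edu"]},
    "force_include": {"eduPersonAffiliation"},
    "force_exclude": {"ou"},
}

# User ARPs as a "MyAA"-style interface would store them, keyed by target.
# The vendor target URL is a constructed placeholder.
USER_ARPS = {
    "http://shibboleth.blackboard.com/": {
        "eduPersonPrincipalName": None,
        "ou": None,  # the site forces this attribute out regardless
    },
    "https://vendor.example/": {
        "eduPersonEntitlement": ["urn:mace:vendor:contract1234"],
    },
}


def permitted(rule: Optional[List[str]], values: List[str]) -> List[str]:
    """Values a single ARP rule lets through (None = all of them)."""
    return list(values) if rule is None else [v for v in values if v in rule]


def release_for_target(target: str,
                       attributes=USER_ATTRIBUTES,
                       site=SITE_POLICY,
                       user_arps=USER_ARPS) -> Dict[str, List[str]]:
    """Combine the default ARP with the user's ARP for `target`.

    Combination rule (an assumption; the slide only says "combining"):
    a value is released if either ARP permits it, a site force_exclude drops
    the attribute entirely, and a site force_include releases all its values.
    """
    user_arp = user_arps.get(target, {})
    released: Dict[str, List[str]] = {}
    for attr, values in attributes.items():
        if attr in site["force_exclude"]:
            continue
        if attr in site["force_include"]:
            out = list(values)
        else:
            out = []
            for arp in (site["default"], user_arp):
                for v in permitted(arp.get(attr, []), values):
                    if v not in out:
                        out.append(v)
        if out:
            released[attr] = out
    return released
```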

Typical Attributes in the Higher Ed Community
Attribute       Meaning                        Example
Affiliation     “active member of community”   member@washington.edu
EPPN            Identity                       gettes@duke.edu
Entitlement     An agreed upon opaque URI      urn:mace:vendor:contract1234
OrgUnit         Department                     Economics Department
EnrolledCourse  Opaque course identifier       urn:mace:osu.edu:Physics201

Target – Managing Attribute Acceptance
- Rules that define who can assert what…
  - MIT can assert student@mit.edu
  - Chicago can assert staff@argonne.gov
  - Brown CANNOT assert student@mit.edu
- Important for entitlement values
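An added example of the acceptance rules above on the Service Provider side, not code from the presentation or the Shibboleth project: incoming attribute values are checked against what the asserting Identity Provider is allowed to claim, so that a scoped value like student@mit.edu is only accepted from MIT and entitlement values only from issuers permitted to assert them. The provider IDs, the policy layout and the sample assertions are constructed for the example.

```python
from typing import Dict, List, Tuple

# Acceptance policy, constructed for the example: for each asserting Identity
# Provider (placeholder provider IDs), the scopes it may assert in scoped
# attributes and the entitlement values it may assert.
ACCEPTANCE = {
    "urn:mace:inqueue:mit.edu": {
        "scopes": {"mit.edu"},
        "entitlements": set(),
    },
    "urn:mace:inqueue:uchicago.edu": {
        "scopes": {"uchicago.edu", "argonne.gov"},  # may assert staff@argonne.gov
        "entitlements": {"urn:mace:vendor:contract1234"},
    },
    "urn:mace:inqueue:brown.edu": {
        "scopes": {"brown.edu"},  # so student@mit.edu from Brown is rejected
        "entitlements": set(),
    },
}

# Attributes whose values carry a "local@scope" part that must be checked.
SCOPED_ATTRIBUTES = {"eduPersonAffiliation", "eduPersonPrincipalName"}

Rejection = Tuple[str, str, str]  # (attribute, value, reason)


def accept_attributes(issuer: str, asserted: Dict[str, List[str]]
                      ) -> Tuple[Dict[str, List[str]], List[Rejection]]:
    """Filter `asserted` (attribute -> values) by the rules for `issuer`.

    Scoped values must carry a scope the issuer may assert, entitlement values
    must be on the issuer's list, and an unknown issuer has everything
    rejected. Other attributes (e.g. ou) pass through unchanged.
    """
    accepted: Dict[str, List[str]] = {}
    rejected: List[Rejection] = []
    rules = ACCEPTANCE.get(issuer)
    for attr, values in asserted.items():
        for value in values:
            reason = None
            if rules is None:
                reason = "unknown issuer"
            elif attr in SCOPED_ATTRIBUTES:
                # rpartition takes the last "@", so a value with no scope or
                # a smuggled extra "@scope" fails the check.
                _local, sep, scope = value.rpartition("@")
                if not sep or scope.lower() not in rules["scopes"]:
                    reason = "scope not permitted for issuer"
            elif attr == "eduPersonEntitlement" and value not in rules["entitlements"]:
                reason = "entitlement not permitted for issuer"
            if reason:
                rejected.append((attr, value, reason))
            else:
                accepted.setdefault(attr, []).append(value)
    return accepted, rejected
```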

What are federations?
- Associations of enterprises that come together to exchange information about their users and resources in order to enable collaborations and transactions
- Built on the premise of:
  - Initially, “Authenticate locally, act globally”
  - Now, “Enroll and authenticate and attribute locally, act federally.”
- Federation provides only modest operational support and consistency in how members communicate with each other
- Enterprises (and users) retain control over what attributes are released to a resource; the resources retain control (though they may delegate) over the authorization decision
- Over time, this will all change…

InCommon federation
- Federation operations – Internet2
- Federating software – Shibboleth 1.1 and above
- Federation data schema – eduPerson200210 or later and eduOrg200210 or later
- Operational summer 2004, with several early entrants to help shape the policy issues
- Precursor federation, InQueue, has been in operation for about six months and will feed into InCommon
- http://incommon.internet2.edu

Other Technology Partners
- LMS Systems
- Blackboard
- WebCT
- WebAssign
- Syquest / Higher Markets
- Student Charge Card vendors
- Napster

Other Pilot Projects
- American Association of Medical Colleges
- NSDL (National Science Digital Library)
- SWITCH – The Swiss National Academic Community
- UK/JISC – Controlled Access to Licensed Resources
- Becta (British Educational Communications and Technology Agency)
- Univ Texas, Medical Center and instruction
- Washington Research Library Consortium (WRLC)

Shibboleth -- Next Steps
- Full implementation of Trust Fabric
- Supporting multi-federation identity and service providers
- Support for Dynamic Content (library-style implementation in addition to web server plugins)
- Sysadmin GUIs for managing identity and service provider policy
- Grid, Virtual Organizations?
- SAML V2.0, Liberty, WS-Fed
- NSF grant to Shibboleth-enable open source collaboration tools
- LionShare – Federated P2P

U.S. Federal Government – The E-Authentication Project (diagram of the project’s documents)
- NIST Technical Guidance
- Credential Assessment Framework
- E-RA Risk Assessment Methodology
- PKI ??? SAML
- Strategic Plan
- E-Authentication Guidance
- E-Authentication Technical Approach
- E-Authentication Interface Specifications for the SAML Artifact Profile
- SAML Artifact Profile as an Adopted Scheme for E-Authentication
- Technical Approach for the E-Authentication Service Component
- E-Authentication Mission Specs
- Adopted Federated Identity Schemes
- Technical/Policy Framework

The e-Authentication Project – 3 approaches (three flow diagrams between Users, Credential Services (CSs), Agency Applications (AAs), the Portal and AuthZ; SSO options listed: SAML, Liberty, WS-Federation, Shibboleth, Other)
Figure 2: Base Case
- Step 1: User goes to Portal to select the AA and CS
- Step 2: The user is redirected to the selected CS with an AA identifier. The portal also issues a cookie to the user that identifies his selected CS
- Step 3: The CS authenticates the user and hands him off to the selected AA with his identity information. The CS also issues a cookie to the user to assert his authentication status
Figure 3: User Starts at AA
- Step 1: User starts at AA
- Step 2: The user is redirected to the Portal with the AAid
- Step 3: After selecting his CS, the user receives a session cookie and is redirected as usual
- Step 4: The user is handed off to the AA as usual
Figure 4: User Starts at CS
- Step 1: User starts at CS
- Step 2: The user is redirected to the Portal with the CSid
- Step 3: After selecting his AA, the user is redirected back to the CS as usual
- Step 4: The user is handed off to the AA as usual

U.S. Federal Government – The e-Authentication Project
- Provide glue between browsers and apps; allow for different Credential Providers interacting with different Agency Apps
- Starting points: at “portal” (WAYF?), at Agency App, at Credential Provider
- SAML 2.0 is the end-game
- “Vapor”-ware at this point
- They have an interoperability lab

So… What is Shibboleth?
- A Web Single Sign-On (SSO) System?
- An Access Control Mechanism for Attributes?
- A Standard Interface and Vocabulary for Attributes?
- A Standard for Adding Authn and Authz to Applications?

Acknowledgements
- Design Team: David Wasley (UCOP); RL ‘Bob’ Morgan (Washington); Keith Hazelton (Wisconsin-Madison); Marlena Erdos (IBM/Tivoli); Steven Carmody (Brown); Scott Cantor (Ohio State)
- Important Contributions from: Ken Klingenstein (Internet2); Michael Gettes (Georgetown, Duke); Scott Fullerton (Wisconsin-Madison)
- Coding: Derek Atkins (MIT); Parviz Dousti (CMU); Scott Cantor (OSU); Walter Hoehn (Columbia, Memphis)

Duke Considerations – Technical
- WebAuth @ Duke: locally written, Shibby in nature, addresses N-Tier + LDAP; by Karsten Huneycutt
  - 2 weeks ago a Duke campus bus struck a Duke employee at Trent & Erwin Roads. It was not Karsten! Whew! What if????
- Should we switch to Shib? Shib as WebISO?
- Should we use somebody else’s weblogin?
- When will Shib address N-Tier *and* LDAP?
- PAML (PAM + SAML)?

Duke Considerations – Organizational
- Duke: Campus + Health System, one corporate entity
  - NetID = Duke Corporate
- HIPAA Training includes regional clinicians
- Library has non-Duke patrons
- “Friends of” departments and colleges
- Considering a Duke Federation
  - To join different communities within Duke having different policies and ID mgmt profiles
  - Identity Providers: NetID, University Affiliates, Training
  - How will this factor into communities of applications?

Global? Trust Diagram (TWD)

Sample InterFederation

Shib/PKI Inter-Federations
This model demonstrates the similarities of the PKI communities and Shib Federations. This does not mean that Shib == PKI, just that we can leverage the trust infra of a global PKI to maybe solve some larger inter-federation issues of other techno / policy spaces in a common fashion.

Got SHIB?
