Shibboleth Architecture and Requirements

Presentation transcript:

Shibboleth Architecture and Requirements
Nate Klingenstein, Internet2

Copyright Nate Klingenstein, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

http://shibboleth.internet2.edu/archive/architecture.ppt

Overview
- Shibboleth as implemented
- Key concepts in the code
- Identity Provider (IdP) structure, components, and functionality
- Service Provider (SP) structure, components, and functionality
- Federation functionality
- Deployment guidelines & resources
5/14/2019 2

The Architecture of Shibboleth
[Diagram, © SWITCH: numbered flow (steps 1-10) between the user's browser, the Resource Manager, the WAYF, the Identity Provider (HS, AA, user DB/credentials, attributes) and the Service Provider (ACS, AR, handle).]

Shibboleth: The Project, the Architecture, and the Code
- Project encompasses design, direction
- Architecture describes what a Shibboleth implementation should do
- Code is "an" implementation of the architecture
- In the code, some logical architectural components are combined; others don't exist; some exist in strange form
- RM functionality exists in several places
- Cubist implementation

Shibboleth as Implemented by Internet2
- Java IdP, C++ SP for Apache and IIS, Java SP in development
- Extremely flexible and modular
- Built on included OpenSAML; supports SAML 1.0, 1.1, and will support 2.0
- Supports Browser/POST profile
- Artifact will be supported in 1.3
- Other implementations exist
- Three total implementations as of 16.11.04

Key Concepts
- SAML
- Attributes in an Inter-Realm Context
- ProviderID's & Relying Parties
- Attribute Release Policies (ARP's)
- Attribute Acceptance Policies (AAP's)

SAML
- Security Assertion Markup Language
- Codified by OASIS' SSTC with participation from MACE and other bodies
- Defines XML schema for Authentication and Attribute Assertions, and XML schema for Queries and Responses
- Defines bindings to protocols for transport
- v2.0 expands to include concepts from Liberty Alliance

Attributes in an Inter-Realm Context
- Provided by IdP, validated and evaluated by SP
- Converted to SAML form for transport
- Federations guide usage of common attributes and values, e.g. eduPerson, courseID
- Others defined within bilateral relationships
- Who can assert which attributes?
- What level of assurance is there that this data is accurate?

LDAP to SAML as performed by AA

LDAP entry:

```ldif
dn: uid=magneto, ou=people, dc=supervillain, dc=edu
objectclass: eduPerson
eduPersonAffiliation: staff
```

SAML (the xsi namespace declaration, omitted on the slide, is added so the fragment is well-formed):

```xml
<Attribute xmlns:typens="urn:mace:shibboleth:1.0"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
           AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
  <AttributeValue Scope="supervillain.edu" xsi:type="typens:AttributeValueType">
    staff
  </AttributeValue>
</Attribute>
```

Focus on AttributeName and scope: the unscoped LDAP value becomes a scoped SAML value, and the scope is what the SP checks the asserting IdP against.
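The conversion the slide shows, as an added stand-alone example (not Shibboleth's AA code): an LDAP record is read from a constructed dict, each eduPersonAffiliation value is emitted as a SAML 1.x AttributeValue whose Scope is the realm the IdP is configured to assert, and a small parser reads the result back as (value, scope) pairs. The record, the IDP_SCOPE value and the function names are assumptions made for the example.

```python
"""Added example: minimal LDAP-to-SAML attribute conversion, not Shibboleth's own code."""
import xml.etree.ElementTree as ET

SHIB_NS = "urn:mace:shibboleth:1.0"
ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
SCOPED_AFFILIATION = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"

# Constructed LDAP record: the slide's "magneto" entry as a dict
LDAP_RECORD = {
    "dn": "uid=magneto,ou=people,dc=supervillain,dc=edu",
    "objectClass": ["eduPerson"],
    "eduPersonAffiliation": ["staff"],
}

# Scope this IdP is entitled to assert; assumed to come from the IdP's own configuration
IDP_SCOPE = "supervillain.edu"


def scoped_affiliation_element(record, scope):
    """Build a SAML 1.x <Attribute> carrying eduPersonScopedAffiliation.

    Each unscoped LDAP affiliation value becomes one <AttributeValue> whose
    Scope attribute names the realm the IdP asserts it for.
    """
    attr = ET.Element("Attribute", {
        "xmlns:typens": SHIB_NS,
        "xmlns:xsi": XSI_NS,
        "AttributeName": SCOPED_AFFILIATION,
        "AttributeNamespace": ATTR_NS,
    })
    for value in record.get("eduPersonAffiliation", []):
        av = ET.SubElement(attr, "AttributeValue", {
            "Scope": scope,
            "xsi:type": "typens:AttributeValueType",
        })
        av.text = value
    return attr


def to_saml_xml(record, scope):
    """Serialise the attribute element to a string for transport."""
    return ET.tostring(scoped_affiliation_element(record, scope), encoding="unicode")


def scoped_values(xml_text):
    """Parse a serialised <Attribute> back into (value, scope) pairs, as an SP would."""
    root = ET.fromstring(xml_text)
    return [(av.text.strip(), av.get("Scope")) for av in root.findall("AttributeValue")]


if __name__ == "__main__":
    print(to_saml_xml(LDAP_RECORD, IDP_SCOPE))
```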

ProviderID's and Relying Parties
- ProviderID's are the basic atoms of inter-realm policy and trust; the molecule is the enterprise
- URI (urn:mace:inqueue:supervillain.edu, or https://shibboleth.supervillain.edu/ShibMain)
- Each SP or IdP may support multiple providerID's
- Must be carefully defined; defines distributed use of enterprise Shibboleth infrastructure
- Care must be taken when defining providerID's for single or multiple federation use
- A Relying Party is the other end in a transaction, and may represent an individual site or a collection of sites
- Does that make the federation the solution?
- Stress difference between providerID's and URL's

Attribute Release Policies (ARP's)
- Policies at the IdP governing the release of attributes to various SP providerID's
- ARP's limit attributes released to a relying party on a per-site or per-user basis, matched against a providerID
- Can match individual targets, groups of targets, or regular expressions; supports both positive and negative attribute rules

ARP Example (the slide's fragment, with straight quotes and the closing </Target> tag the ARP schema requires):

```xml
<Rule>
  <Target>
    <AnyTarget/>
  </Target>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
    <AnyValue release="permit"/>
  </Attribute>
</Rule>
```
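How the ARP semantics on the two previous slides play out, as an added example that is not Shibboleth's ARP engine: rules are written as plain dicts instead of the XML above, a target may be AnyTarget, one exact providerID, or a regular expression over providerIDs, each attribute rule permits or denies particular values (or any value), and the "effective ARP" for a relying party is the union of every matching rule with deny taking precedence. The rule set, the providerIDs in it and the function names are constructed for the example.

```python
"""Added example: ARP evaluation at an IdP, not Shibboleth's own ARP engine."""
import re

SCOPED_AFFILIATION = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"

# Constructed ARP rules for a hypothetical IdP
ARP_RULES = [
    {   # Site rule, like the slide's <AnyTarget/>: release scoped affiliation to every relying party
        "target": {"any": True},
        "attributes": {SCOPED_AFFILIATION: {"permit": "*"}},
    },
    {   # Release eduPersonPrincipalName only to one specific (hypothetical) SP providerID
        "target": {"requester": "https://shibboleth.example.org/ShibMain"},
        "attributes": {EPPN: {"permit": "*"}},
    },
    {   # Regex target: any SP of a hypothetical federation gets affiliation, but never the value 'affiliate'
        "target": {"regex": r"^urn:mace:partnerfed:"},
        "attributes": {AFFILIATION: {"permit": "*", "deny": ["affiliate"]}},
    },
]


def target_matches(target, provider_id):
    """Does this rule's target cover the relying party's providerID?"""
    if target.get("any"):
        return True
    if "requester" in target:
        return target["requester"] == provider_id
    if "regex" in target:
        return re.search(target["regex"], provider_id) is not None
    return False


def effective_arp(rules, provider_id):
    """Merge every rule whose target matches into one effective ARP for the relying party."""
    merged = {}
    for rule in rules:
        if not target_matches(rule["target"], provider_id):
            continue
        for name, spec in rule["attributes"].items():
            entry = merged.setdefault(name, {"permit": set(), "deny": set(), "permit_any": False})
            if spec.get("permit") == "*":
                entry["permit_any"] = True
            else:
                entry["permit"].update(spec.get("permit", []))
            entry["deny"].update(spec.get("deny", []))  # deny always wins over permit
    return merged


def release(rules, provider_id, attributes):
    """Return only the values the effective ARP permits.

    Attributes no matching rule mentions are withheld: release is default-deny.
    """
    arp = effective_arp(rules, provider_id)
    released = {}
    for name, values in attributes.items():
        entry = arp.get(name)
        if entry is None:
            continue
        kept = [v for v in values
                if v not in entry["deny"] and (entry["permit_any"] or v in entry["permit"])]
        if kept:
            released[name] = kept
    return released


if __name__ == "__main__":
    user = {SCOPED_AFFILIATION: ["staff@supervillain.edu"], AFFILIATION: ["staff", "affiliate"]}
    print(release(ARP_RULES, "urn:mace:partnerfed:sp1", user))
```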

Attribute Acceptance Policies (AAP's)
- AAP's filter received attributes before they are used by applications or as part of access control decisions
- Also enforces privacy by limiting information available to agents using the SHAR to make requests
- Partial answer to who can assert which attributes
- Collectively define the set of attributes available to the resource manager to make access decisions

    require eduPersonScopedAffiliation staff@supervillain.edu

-- ARP engine locates all relevant ARPs and dynamically constructs an "effective ARP"
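Attribute acceptance at the SP, as an added example that is not Shibboleth's AAP code. It shows the two checks the slide describes: attributes the AAP does not list are dropped before any application sees them, and a scoped value is accepted only when the asserting IdP is authorised for that scope (the scope table is assumed here to come from federation site metadata). The accepted set is then tested against a "require" rule like the one above. The AAP table, the IdP providerID, the scopes and the function names are all constructed for the example.

```python
"""Added example: AAP filtering and a 'require' check at an SP, not Shibboleth's own code."""

SCOPED_AFFILIATION = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"

# Constructed AAP: the only attributes the SP will expose, and whether their values are scoped
AAP = {
    SCOPED_AFFILIATION: {"scoped": True},
    EPPN: {"scoped": True},
}

# Constructed stand-in for federation metadata: which scopes each IdP providerID may assert
IDP_SCOPES = {
    "urn:mace:inqueue:supervillain.edu": {"supervillain.edu"},
}


def accept(aap, idp_scopes, asserting_idp, attributes):
    """Filter attributes received from `asserting_idp`.

    attributes: {name: [(value, scope_or_None), ...]} as parsed from the assertion.
    Returns {name: ["value@scope", ...]} containing only accepted values.
    """
    allowed_scopes = idp_scopes.get(asserting_idp, set())
    accepted = {}
    for name, values in attributes.items():
        spec = aap.get(name)
        if spec is None:
            continue  # unknown attribute: never reaches the application
        kept = []
        for value, scope in values:
            if spec["scoped"]:
                if scope is None or scope not in allowed_scopes:
                    continue  # this IdP is not authoritative for that scope
                kept.append(f"{value}@{scope}")
            else:
                kept.append(value)
        if kept:
            accepted[name] = kept
    return accepted


def satisfies(accepted, rule):
    """Evaluate a 'require <attribute> <value>' rule over the accepted attributes."""
    name, wanted = rule
    return wanted in accepted.get(name, [])


if __name__ == "__main__":
    assertion = {SCOPED_AFFILIATION: [("staff", "supervillain.edu")]}
    acc = accept(AAP, IDP_SCOPES, "urn:mace:inqueue:supervillain.edu", assertion)
    print(acc, satisfies(acc, (SCOPED_AFFILIATION, "staff@supervillain.edu")))
```

The scope check is what makes the "who can assert which attributes" question answerable: an IdP that asserts staff@some-other-realm gets that value silently dropped rather than granted.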

Garbage Collection
- AA converts attributes for inter-realm use, filtered by ARP's chosen by the relying party's providerID
- SAML transports attributes; processed by AAP's
- Together, help define total set of information in a Shibboleth transaction

Simplified Identity Provider Architecture
[Diagram: WAYF, Shibboleth IdP (Authentication Service, HS, AA), Target, Attribute Store (LDAP), Identity Management / Provisioning.]

Simplified Identity Provider Architecture
[Diagram: Apache with WebISO in front of Tomcat running Shibboleth HS and Shibboleth AA; AA connectors to the Attribute Store, filtered by ARP's; Target on the other side.]

HS Mechanics & Interfaces
- The HS generates handles and authentication assertions per relying party
- Any authentication method that can protect a webapp works; must populate REMOTE_USER with principal
- Outside of Shibboleth's concern
- Required part of the surrounding infrastructure
- Shibboleth as SSO? Would still require login piece

AA Mechanics & Interfaces
- Attributes can be sourced through LDAP directories, MySQL databases, or any other source with a JDBC connector
- Custom attribute classes may be written in Java to generate attributes or interface with complex systems
- Frequently deployed on a separate port or server; distinct service from the HS, responds directly to AR requests
- All attributes filtered by ARP's before released
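The HS/AA split described on these two slides, as an added example that is not Shibboleth's HS or AA code: the HS takes the principal that the web server's own authentication placed in REMOTE_USER, mints an opaque random handle bound to one relying party and to a short lifetime, and returns the fields an authentication assertion would carry; the AA, a separate service, maps the handle back to the principal only for that same relying party while the handle is still valid, then looks up the attributes and passes them through a release filter. The handle lifetime, the attribute store, the relying-party names and the class names are assumptions made for the example.

```python
"""Added example: opaque handle issuance (HS) and handle resolution (AA), not Shibboleth's own code."""
import secrets
import time

HANDLE_LIFETIME = 300  # seconds; constructed value for the example


class HandleService:
    """Issues per-relying-party handles for principals already authenticated by the web server."""

    def __init__(self, now=time.time):
        self._now = now
        self._handles = {}  # handle -> (principal, relying_party, expires_at)

    def issue(self, environ, relying_party):
        # REMOTE_USER is populated by whatever WebISO protects the HS; that part is outside Shibboleth
        principal = environ.get("REMOTE_USER")
        if not principal:
            raise PermissionError("no authenticated principal in REMOTE_USER")
        handle = secrets.token_urlsafe(24)  # opaque: carries no information about the user
        self._handles[handle] = (principal, relying_party, self._now() + HANDLE_LIFETIME)
        return {  # the fields an authentication assertion for this relying party would carry
            "NameIdentifier": handle,
            "Audience": relying_party,
            "AuthenticationInstant": self._now(),
        }

    def resolve(self, handle, relying_party):
        """Map a handle back to its principal, only for the relying party it was issued to."""
        record = self._handles.get(handle)
        if record is None:
            return None
        principal, bound_rp, expires_at = record
        if bound_rp != relying_party or self._now() > expires_at:
            return None
        return principal


class AttributeAuthority:
    """Answers attribute requests for a handle; a distinct service that consults the HS's handle table."""

    def __init__(self, handle_service, attribute_store, release_fn):
        self._hs = handle_service
        self._store = attribute_store          # constructed stand-in for an LDAP/JDBC source
        self._release = release_fn             # ARP filter: (relying_party, attributes) -> attributes

    def query(self, handle, relying_party):
        principal = self._hs.resolve(handle, relying_party)
        if principal is None:
            return None  # unknown, expired, or presented by the wrong relying party
        return self._release(relying_party, self._store.get(principal, {}))


if __name__ == "__main__":
    hs = HandleService()
    aa = AttributeAuthority(hs, {"magneto": {"eduPersonAffiliation": ["staff"]}}, lambda rp, a: a)
    assertion = hs.issue({"REMOTE_USER": "magneto"}, "https://sp.example.org/ShibMain")
    print(assertion["NameIdentifier"], aa.query(assertion["NameIdentifier"], "https://sp.example.org/ShibMain"))
```

Binding the handle to the relying party and to a lifetime is what keeps the handle from becoming a reusable identifier: a second SP that obtains it learns nothing, and the AA answers nothing once it expires.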

Required Campus Middleware Infrastructure
- Person management -- identity & login
- Attributes, attributes, attributes
- Shibboleth isn't very valuable without the right information to transport about the right principals
- Level of Assurance begins at home
- Your assertions are only as good as your I&A and mechanics
- This really starts to matter in inter-realm scenarios
- Firewall configuration may be necessary
- The stuff we've talked about for years...

System Requirements (IdP)
- Tested with Tomcat
- Apache 1.3 or 2.0 with SSL support
- Java JDK v1.4
- mod_jk2
- Server loads not severe; signing by far the heaviest operation

Simplified (Apache-based) Service Provider Architecture
[Diagram: Apache with mod_ssl/OpenSSL and mod_shib, talking to the WAYF and the Origin, with a MySQL session DB.]

Service Provider Request Mapping Architecture
[Diagram: resource requests arrive at externally visible URLs (URL 1-4) on the web server; the request mapper assigns each to an application (App Alpha, App Beta, App Theta) with its own providerID, sessions and most settings; AAP's and access decisions, lazy session initiation and attribute release policy apply per application; behind them sit the webapps, pages and files.]

Applications, ProviderID's, and Webapps
- Decouples internal applications from externally visible services
- Access controls can be defined at many granularities
- Rules must be simple right now
- More complicated rules engines (XACML, SPOCP, complex XML booleans) under consideration/development
- Much of this should be hidden from users

Lazy Sessions
- Allows an application to call for Shibboleth when needed, without requiring Shibboleth for all access
- Construct a special URL
- Handle generation & attribute transport occur as usual

Attribute Consumption and Use
- Exported via HTTP header variables
- Other information about the Shibboleth transaction available in header values
- Simple RM functionality included for Apache: using .htaccess, <Location> blocks, etc., require attribute values. Limited policy expression.

System Requirements (SP)
- Built successfully on OS X 10.3, Solaris 2.8+, Debian, RedHat 7.2, 7.3, 9, Fedora, Enterprise, Windows NT/2000/XP/2003
- Binaries available for Windows; RPM's available for RedHat
- Apache 1.3 or 2.0 with SSL support, or IIS 4.0+
- OpenSSL
- Many prerequisite packages must be built

Logging & Auditing
- All transactions can be logged; flat-file logging and log4j/log4cpp both supported
- Multiple logging levels
- The user's privacy is preserved; so is their identity
- Federation may help define practices: some information storage requirements for SP's may require co-operation from IdP's
- Decision logic may be hidden at either the IdP or SP by constructive use of attributes
- UTHSC-H example

Federations in Practice
- May provide a WAYF service
- Defines attribute & trust rules
- May issue certificates to participants
- Distributes 3 metadata files: ca-bundle.crt, sites.xml, trust.xml

The Code of Shibboleth
[Diagram, © SWITCH: the same numbered flow (steps 1-10) as "The Architecture of Shibboleth" above, between the user's browser, the Resource Manager, the WAYF, the Identity Provider (HS, AA, user DB/credentials, attributes) and the Service Provider (ACS, AR, handle), here annotated with the code components.]

Current Development
- Shibboleth 1.2.1 released on Tuesday
- Shibboleth 1.3 early 2005
- Reduces reliance on mod_ssl
- e-Auth compliance
- WS-Fed compliance in 1.3.x
- Shibboleth 2.0, using SAML 2.0, represents greatly enhanced functionality; work begins after 1.3 is released
- Shibboleth project will be segmented and expanded
- Extended beyond the web; some flows may not use HS

Deployment Guidelines
- Extensive Apache/IIS experience
- Supports redundant production configurations
- Dedicated servers likely not necessary
- Surrounding infrastructure must be developed: primary authentication & WebSSO, attribute sources, enabled webapps, good security practices
- Shibboleth expertise can be developed while in InQueue

Deployment Resources
- http://shibboleth.internet2.edu
- http://inqueue.internet2.edu
- Origin: http://shibboleth.internet2.edu/guides/deploy-guide-origin-1.2.1.html
- http://shibboleth.internet2.edu/guides/identity-provider-checklist.html
- Target: http://shibboleth.internet2.edu/guides/deploy-guide-target-1.2.1.html
- shibboleth-users@internet2.edu