Slide 1: Shibboleth at Brown University
James Cramton, Brown University
March 5, 2009

Copyright © James Cramton 2009. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

"Gilead then cut Ephraim off from the fords of the Jordan, and whenever Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you an Ephraimite?' If he said, 'No,' they then said, 'Very well, say Shibboleth.' If anyone said, 'Sibboleth', because he could not pronounce it, then they would seize him and kill him by the fords of the Jordan. Forty-two thousand Ephraimites fell on this occasion." (Judges 12:5-6, NJB)

Slide 2: Topics
Shibboleth terminology and use at Brown
WebAuth vs. Shibboleth
Shibboleth-enabled services, now and later
Attribute release policies and ARPViewer
Federation
Rollout schedule and additional information

Slide 3: Shibboleth at Brown
Standards-based web Single Sign-On (SSO) service
Can operate across domain boundaries
Will replace WebAuth as Brown's intra-campus SSO
Currently supported by more than 100 applications
Allows granular control of personal attribute release
Provides access to many more attributes than WebAuth
Can allow external federated users to access Brown resources without Brown credentials
Can allow Brown users to access federated resources outside Brown using their Brown credentials

Slide 4: Shibboleth Terminology
Identity Provider (IDP)
– Performs user authentication for the SP
– Provides a customized set of attributes for each SP
Service Provider (SP)
– Runs on the application host as an Apache or IIS module, or via another interface
– Authorizes the user based on authentication and attributes from the IDP
Attribute
– A property describing a user within the system
– Human-friendly examples: brownType, brownStatus, displayName, isMemberOf
– Minimal identifier: an opaque (gibberish) identifier unique to each user at each SP
– Typically used for authorization or UI customization
Federation
– A group of organizations who share a common trust framework

Slide 5: WebAuth vs. Shibboleth
Brown's WebAuth
– Proprietary, and compatible only with Apache and IIS (sort of)
– 10 years old, unsupported
– Dependent on Brown Grouper, which is also proprietary and unsupported
– Limited and arbitrary set of attributes released to apps
– Limited to Brown users
– Not load balanced
– Not redundant
Internet2's Shibboleth
– Standards-based: LDAP, SQL, SAML 1.1 and 2.0, ADFS
– Actively supported by a community source model, Internet2 and partners
– Used by more than 100 applications
– Policy-driven attribute release
– User-controlled attribute release
– Supports federation with 15M users: use of Brown resources by external users, and use of external resources by Brown users
– Load balanced and redundant

Slide 6: Previous Group Infrastructure (diagram only)

Slide 7: Updated Group Infrastructure (diagram only)

Slide 8: Shibboleth-capable Services
Currently in use at Brown
– All Apache web servers: Webpub, LAMP, WebApps
– All IIS web servers
– WebCT
– Brown Confluence Wiki
– University Tickets
– Dining Service's Interphaze
– Coeus
Planned or possible
– Sympa list manager
– People Admin
– Outsourced NIH, NSF and NASA grants management
– Microsoft DreamSpark (free MS software for students)
– Discount student airline tickets
– caBIG cancer grid computing
– TeraGrid grid computing
– CERN Large Hadron Collider Virtual Organizations (VOs)
– Many more...

Slide 9: Attribute Release Policies
Protect user identity by releasing only necessary attributes to the SP
Attribute release policies are configurable per SP and per attribute
Default attribute release policies
– An external SP sees only a unique, opaque identifier (gibberish)
– Trusted Brown SPs see a more useful set of attributes, including:
  brownShortId, brownNetID, brownBruID, brownUUID, eduPersonPrincipalName
  mail, mailRoutingAddress
  displayName, givenName, sn, LOA (Level of Assurance)
  brownType, eduPersonPrimaryAffiliation, eduPersonAffiliation, eduPersonScopedAffiliation
  isMemberOf (full list of group memberships)
– Default policies are published (link not preserved in this transcript)
– SP owners may request exceptions to the default policies
Users can be required to manually approve attribute release
– ARPViewer presents the user with an approval form
– Approval or denial is audited

Slide 10: ARPViewer Example
ARPViewer can be triggered for each SP, or for a particular attribute condition for an SP.
When triggered, a user must confirm that they approve the release of the displayed information before the attributes are released to the SP.
This process puts the attribute release decision in users' hands.
All responses are auditable.
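A worked model of slides 4, 9 and 10 in Python, added here as an example and not part of the presentation or of Brown's IdP: the IdP computes a per-SP opaque identifier, applies the default and exception release policies, asks for ARPViewer-style consent where an SP requires it, audits the decision, and the SP then authorizes on isMemberOf. The policy tables, entity IDs, salt and user record are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample user record, standing in for what the IdP reads from the directory.
USER = {
    "brownNetID": "jcramton", "displayName": "James Cramton", "mail": "jcramton@example.edu",
    "brownType": "staff", "eduPersonPrimaryAffiliation": "staff",
    "eduPersonScopedAffiliation": "staff@brown.edu",
    "isMemberOf": ["brown:cis:staff", "brown:shib:early-adopters"],
}
# Hypothetical policy tables modelled on slide 9; the entity IDs are made up.
TRUSTED_ATTRS = {"brownNetID", "displayName", "mail", "brownType", "eduPersonPrimaryAffiliation",
                 "eduPersonScopedAffiliation", "isMemberOf"}
TRUSTED_SPS = {"https://wiki.example.edu/shibboleth"}          # trusted Brown SPs
EXCEPTIONS = {"https://tickets.example.org/shibboleth": {"mail", "displayName"}}  # approved request
CONSENT_REQUIRED = {"https://tickets.example.org/shibboleth"}  # ARPViewer triggered for this SP
SALT = b"constructed-idp-salt"  # a real IdP keeps this secret; rotating it changes every opaque ID
AUDIT = []                      # one record per release decision, whether or not consent was asked

def opaque_id(net_id, sp_entity_id):
    """Opaque identifier: stable for one user at one SP, different at every other SP,
    so SPs cannot correlate users and nothing about the user is recoverable from it."""
    msg = f"{sp_entity_id}!{net_id}".encode()
    return hmac.new(SALT, msg, hashlib.sha256).hexdigest()[:32]

def attributes_for(user, sp):
    """Apply the release policy: default is opaque ID only, trusted SPs get the named set,
    and any approved per-SP exception is added on top."""
    allowed = (TRUSTED_ATTRS if sp in TRUSTED_SPS else set()) | EXCEPTIONS.get(sp, set())
    released = {k: v for k, v in user.items() if k in allowed}
    released["opaqueID"] = opaque_id(user["brownNetID"], sp)
    return released

def release(user, sp, approve):
    """approve(sp, attrs) plays the ARPViewer form and is only called when the SP requires
    consent. Returns the released attributes, or None if the user declined."""
    attrs = attributes_for(user, sp)
    decision = "not-required"
    if sp in CONSENT_REQUIRED:
        decision = "approved" if approve(sp, attrs) else "denied"
    AUDIT.append({"user": user["brownNetID"], "sp": sp, "decision": decision,
                  "attributes": sorted(attrs)})
    return None if decision == "denied" else attrs

def sp_authorize(attrs, required_group):
    """SP side: authorize on a released group membership, e.g. for a wiki space."""
    return attrs is not None and required_group in attrs.get("isMemberOf", [])
```

The external SP in the test below is not in any table, so it receives nothing but the opaque identifier, which is the default policy the slide describes.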

Slide 11: Federation
Shibboleth can leverage the federation's trust relationships
– Authenticate users at their local institution's IDP
– Pass attributes to a remote SP according to local attribute release policies
– Grant access to remote resources based on released attributes
Brown is a member of the InCommon federation, along with 2.2M users from more than 100 US higher ed institutions
Inter-federation agreements can extend the user base up to 15M
A supportable solution to requests to grant non-Brown users access to Brown resources
– No need to establish Brown affiliate or guest accounts
– The external user's home institution must belong to the InCommon federation
– Or the user must use a credential from a supported provider like ProtectNetwork
Also allows Brown users to access external systems using Brown credentials: NIH grants, MS DreamSpark, University Tickets, etc.

Slide 12: Rollout Schedule
Now: QA and production testing
– QA IDP and early adopter SPs (library applications)
– Production IDP and test SPs
May 2009
– Early adopters in production
Summer to Fall 2009
– Phased migration of WebAuth to Shibboleth
– Confluence Wiki

Slide 13: Additional Information
Brown's Shibboleth project wiki
– Project schedule
– Technical documentation for IDP and SP owners and administrators
– Full attribute release policies and procedures for exception requests
– Links to background information on Shibboleth
Internet2's Shibboleth wiki
– Background information on Shibboleth
– Lists of Shibboleth-enabled software and services
– Links to the Shibboleth user list and other support options
InCommon federation website
– Lists of participating institutions and vendors
ProtectNetwork website
– Information about obtaining InCommon-compatible credentials from ProtectNetwork