Shibboleth 1.0: Federations, Metadata, and Trust
Scott Cantor, The Ohio State University and Internet2
© Scott Cantor 2003.


Shibboleth 1.0: Federations, Metadata, and Trust
Scott Cantor, The Ohio State University and Internet2
© Scott Cantor. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Advanced CAMP - July 9-11,
From Genesis…

…to Revelation
[Diagram: an Origin, governed by its Origin Site Policy, and a Target, governed by its Target Site Policy, connected through a Federation / Bilateral / Site Policy layer. Inputs shown: Trust Metadata, Site Metadata, Attribute Resolution Metadata and Attribute Release Policies on the origin side; Attribute Acceptance Policies on the target side. Transport and format labels on the diagram: (signed) XML, HTTP, LDAP, and a question mark for sources not yet decided.]

Federations
Lots of non-technical definitions: policies, contracts, risk and liability, dispute resolution, etc.
In software, federations provide aggregation (and distribution) of machine-readable policy and trust.
Scales bilateral agreements to NxN meshes.
Software must permit deployments that cross federations (especially for inter- and intra- use).

Federations: Technical Layer
Control over naming goes hand-in-hand with any form of security.
  – Naming of sites, system entities, attributes
Vouching for and distribution of site and trust metadata offloads significant roles and decisions to the federation as trusted third party.
“The powers not delegated to the Federation by the Agreement, nor prohibited by it to the sites, are reserved to the sites respectively.”

Federations: Examples
InQueue (urn:mace:inqueue)
  – An insecure testbed for piloting the software in the Internet2 community with selected vendors.
  – Fairly open membership.
InCommon (urn:mace:incommon)
  – A secure federation (probably a single CA) with light-weight policy obligations of its members.
  – Relatively restricted membership?
ClubBuckeye (urn:mace:osu.edu:shibboleth)
  – Intra-domain federation of Ohio State sites with a single OSU CA

Site Metadata
Operational and technical “stuff” that lets the user experience be as seamless as possible in the face of a dynamic, multi-organizational environment
A mix of mandatory site-identifying information and informal names, contact pointers and resolution-handling pointers
Currently in a proprietary XML format, but APIs are used between the provider and the consumer to hide the details

Site Metadata: Example
<OriginSite Name="urn:mace:inqueue:example.edu" ErrorURL="[URL not preserved in transcript]">
  <Alias>Example State University</Alias>
  <HandleService Name="wayf.internet2.edu" Location="[URL not preserved in transcript]"/>
  <AttributeAuthority Name="wayf.internet2.edu" Location="[URL not preserved in transcript]"/>
  <Domain>example.edu</Domain>
</OriginSite>
(The Alias and Domain wrappers and the closing tags are reconstructed from the Shibboleth 1.0 sites.xml layout; the ErrorURL and Location values did not survive extraction.)

Site Metadata: Multiple Federations
Metadata keyed by site name
Any number of metadata sources may be fed into a target as long as each site name is unique across them all
Security of metadata is critical, but this is left up to providers
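The "unique across all sources" rule above is what makes a multi-federation target safe to operate: if two feeds disagreed about which Handle Service or Attribute Authority belongs to a site name, the target could not tell them apart. The loader below, written as an added example for this page (it is not Shibboleth's own code), parses several constructed sites.xml-style documents, merges them keyed by site name, and refuses to load a feed that repeats a name already provided by another source. The OriginSite, HandleService and AttributeAuthority elements follow the slide's example; every Location URL and every site name other than urn:mace:inqueue:example.edu is a made-up placeholder.

```python
"""Merge Shibboleth 1.0-style site metadata from several federations.

Example code for this page, not Shibboleth's own loader.  Site metadata is
keyed by site name; a target may load any number of sources as long as every
site name is unique across all of them.  This loader enforces that rule.
"""
import xml.etree.ElementTree as ET

# Constructed sample feeds.  Element layout follows the slide; URLs are fake.
INQUEUE_SITES = """
<Sites>
  <OriginSite Name="urn:mace:inqueue:example.edu">
    <HandleService Name="wayf.internet2.edu" Location="https://hs.example.test/shibboleth/HS"/>
    <AttributeAuthority Name="wayf.internet2.edu" Location="https://aa.example.test/shibboleth/AA"/>
  </OriginSite>
  <OriginSite Name="urn:mace:inqueue:other.edu">
    <HandleService Name="hs.other.test" Location="https://hs.other.test/shibboleth/HS"/>
    <AttributeAuthority Name="aa.other.test" Location="https://aa.other.test/shibboleth/AA"/>
  </OriginSite>
</Sites>
"""

CLUBBUCKEYE_SITES = """
<Sites>
  <OriginSite Name="urn:mace:osu.edu:shibboleth:dept.osu.edu">
    <HandleService Name="hs.dept.osu.test" Location="https://hs.dept.osu.test/HS"/>
    <AttributeAuthority Name="aa.dept.osu.test" Location="https://aa.dept.osu.test/AA"/>
  </OriginSite>
</Sites>
"""

# A third feed that reuses a site name already present in the InQueue feed,
# pointing it at different endpoints.  A target must not silently pick one.
CONFLICTING_SITES = """
<Sites>
  <OriginSite Name="urn:mace:inqueue:example.edu">
    <HandleService Name="stale.example.test" Location="https://hs.stale.example.test/HS"/>
    <AttributeAuthority Name="stale.example.test" Location="https://aa.stale.example.test/AA"/>
  </OriginSite>
</Sites>
"""


class MetadataCollision(ValueError):
    """Raised when two sources (or one source twice) claim the same site name."""


def parse_sites(xml_text):
    """Return {site_name: {"hs": [(name, url)], "aa": [(name, url)]}} for one document."""
    root = ET.fromstring(xml_text)
    sites = {}
    for site in root.iter("OriginSite"):
        name = site.get("Name")
        if not name:
            raise ValueError("OriginSite without a Name attribute")
        if name in sites:
            raise MetadataCollision(f"site name {name!r} repeated within one source")
        sites[name] = {
            "hs": [(e.get("Name"), e.get("Location")) for e in site.findall("HandleService")],
            "aa": [(e.get("Name"), e.get("Location")) for e in site.findall("AttributeAuthority")],
        }
    return sites


def merge_sources(sources):
    """Merge (label, xml_text) pairs into one map keyed by site name.

    Any site name appearing in two sources aborts the load: the target would
    otherwise have two candidate Handle Services / Attribute Authorities for
    the same name and no way to choose between them.
    """
    merged, owner = {}, {}
    for label, xml_text in sources:
        for name, entry in parse_sites(xml_text).items():
            if name in merged:
                raise MetadataCollision(
                    f"site name {name!r} provided by both {owner[name]!r} and {label!r}")
            merged[name] = entry
            owner[name] = label
    return merged


def lookup_attribute_authority(merged, site_name):
    """Location of the first Attribute Authority registered for site_name, or None."""
    entry = merged.get(site_name)
    if entry is None or not entry["aa"]:
        return None
    return entry["aa"][0][1]


if __name__ == "__main__":
    ok = merge_sources([("InQueue", INQUEUE_SITES), ("ClubBuckeye", CLUBBUCKEYE_SITES)])
    print(sorted(ok))
    try:
        merge_sources([("InQueue", INQUEUE_SITES), ("extra", CONFLICTING_SITES)])
    except MetadataCollision as exc:
        print("refused:", exc)
```

The collision check is deliberately fatal rather than "last feed wins": a quiet override would let whichever feed loads last redirect attribute queries for a site, which is exactly the kind of metadata-security failure the slide says is left to providers.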

Trust Metadata
Identifies the keys and authorities to use for securing message exchanges between system entities
Binds keys to system entities for direct trust
Binds PKI authorities to one or more system entities to permit indirect trust
Separate from site metadata so as to more naturally parallel technologies like X.509
Currently in a proprietary XML format, but APIs are used between the provider and the consumer to hide the details

Trust Metadata: Example
[Only fragments of the example XML survived extraction: a truncated X.509 certificate beginning MIICpDCCAg2gAwIBAgICAm8wDQYJKoZIhvc…, the entity name shib2.internet2.edu, a second truncated certificate beginning MIICNDCCAaECEAKtZn5ORf5eV288mBle3cAw…, and the subject pattern ^urn:mace:inqueue:.+$. Read against the previous slide, these show a key bound directly to the entity shib2.internet2.edu and an authority whose trust is scoped by the regular expression to system entities named under urn:mace:inqueue.]

Trust Metadata: Multiple Federations
Metadata keyed by system entity name
May be provided by a federation, but is essentially a distinct function that could be provided by standard operating system services (if they exist)
Security of metadata is critical, but this is left up to providers
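The two bindings of the Trust Metadata slides (a key bound directly to an entity, and an authority bound by a subject pattern such as ^urn:mace:inqueue:.+$ to the entity names it may vouch for) decide what a target accepts when a system entity presents a certificate. The example below is added for this page and is not Shibboleth's code: it models trust metadata keyed by entity name, resolves direct trust first and indirect trust second, and shows the check that matters across federations: a certificate that verifies against an authority is still rejected when the entity's name lies outside that authority's subject pattern. Real X.509 is replaced by a ToyAuthority that tags (subject, key) pairs with an HMAC so the example runs offline; entity names other than shib2.internet2.edu and the two patterns, and all secrets, are constructed.

```python
"""Resolving trust for a system entity from trust metadata.

Example code written for this page, not Shibboleth's own.  ToyAuthority is a
stand-in for a PKI authority: it "signs" a (subject, key) pair with an HMAC
instead of issuing real X.509 certificates.  Names and secrets are constructed.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    subject: str      # system entity name the certificate is issued to
    issuer: str       # name of the issuing authority ("self" if none)
    public_key: str   # stand-in for key material
    signature: str    # issuer's tag over (subject, public_key)


class ToyAuthority:
    """Stand-in for a PKI authority (not a real CA)."""

    def __init__(self, name, secret):
        self.name = name
        self._secret = secret

    def _tag(self, subject, public_key):
        msg = f"{subject}|{public_key}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, subject, public_key):
        return Certificate(subject, self.name, public_key, self._tag(subject, public_key))

    def verify(self, cert):
        """True if this authority issued `cert` and it is unmodified."""
        expected = self._tag(cert.subject, cert.public_key)
        return cert.issuer == self.name and hmac.compare_digest(expected, cert.signature)


class TrustMetadata:
    """Trust metadata keyed by system entity name: keys bound directly to
    entities, and authorities bound to the entity names (a regular
    expression) they are allowed to vouch for."""

    def __init__(self):
        self._keys = {}          # entity name -> public key (direct trust)
        self._authorities = []   # (compiled subject pattern, authority) (indirect trust)

    def bind_key(self, entity, public_key):
        self._keys[entity] = public_key

    def bind_authority(self, subject_pattern, authority):
        self._authorities.append((re.compile(subject_pattern), authority))

    def resolve(self, entity, cert):
        """("direct", entity) or ("indirect", authority name) if `cert` is
        acceptable for `entity`, else None."""
        if cert.subject != entity:
            return None                                   # name on the cert must match
        pinned = self._keys.get(entity)
        if pinned is not None and pinned == cert.public_key:
            return ("direct", entity)
        for pattern, authority in self._authorities:
            # An authority only counts for names inside its Subject pattern:
            # a valid signature from another federation's CA is not trust here.
            if pattern.fullmatch(entity) and authority.verify(cert):
                return ("indirect", authority.name)
        return None


def demo():
    """Trust metadata for two federations, exercised against the edge cases."""
    inqueue_ca = ToyAuthority("InQueue CA", b"constructed-inqueue-secret")
    osu_ca = ToyAuthority("OSU CA", b"constructed-osu-secret")
    trust = TrustMetadata()
    trust.bind_key("shib2.internet2.edu", "pk:shib2")           # direct trust
    trust.bind_authority(r"^urn:mace:inqueue:.+$", inqueue_ca)  # pattern from the slide
    trust.bind_authority(r"^urn:mace:osu\.edu:shibboleth:.+$", osu_ca)

    member = "urn:mace:inqueue:example.edu"
    osu_site = "urn:mace:osu.edu:shibboleth:dept"
    good = inqueue_ca.issue(member, "pk:example")
    tampered = Certificate(good.subject, good.issuer, "pk:replaced", good.signature)
    return {
        "pinned": trust.resolve("shib2.internet2.edu",
                                Certificate("shib2.internet2.edu", "self", "pk:shib2", "")),
        "wrong_key": trust.resolve("shib2.internet2.edu",
                                   Certificate("shib2.internet2.edu", "self", "pk:other", "")),
        "inqueue_member": trust.resolve(member, good),
        "tampered": trust.resolve(member, tampered),
        "out_of_scope": trust.resolve(osu_site, inqueue_ca.issue(osu_site, "pk:dept")),
        "osu_member": trust.resolve(osu_site, osu_ca.issue(osu_site, "pk:dept")),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} -> {outcome}")
```

The out_of_scope case is the one to note: the InQueue authority's signature verifies, but the entity is named in the OSU namespace, so the subject pattern keeps one federation's CA from vouching for another federation's entities. That scoping is what a flat, monolithic SSL trust store (the weakness named in the 1.0 summary) cannot express.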

Attribute Resolution Metadata
The Attribute Authority is a “shell” that uses metadata about attributes and Java classes to find user attributes from different sources

Attribute Release Policies
Act as a filter on the release of attributes based on the requester’s identity (via SSL) and possibly the resource being accessed by the principal
Simplest possible ARP.

Attribute Acceptance Policies
In a universe of infinite attributes, a target/consumer defines:
  – the attributes it cares about
  – which specific sites it is willing to trust to provide them
  – how it wants to consume them
A mix of potentially externally imposed policy and local decision-making
Currently in a proprietary XML format, but APIs are used between the provider and the consumer to hide the details

AAP: Example
<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" Header="Shib-EP-Affiliation" Alias="affiliation">
  <AnySite>
    <Value>member</Value>
    <Value>faculty</Value>
    <Value>student</Value>
    <Value>staff</Value>
    <Value>alum</Value>
    <Value>affiliate</Value>
    <Value>employee</Value>
  </AnySite>
</AttributeRule>
<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Header="REMOTE_USER" Alias="user">
  <!-- rule body not preserved in the transcript -->
</AttributeRule>
(The AnySite and Value wrappers and the closing tags are reconstructed from the Shibboleth 1.x AAP.xml layout.)
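The ARP and AAP slides describe two filters on opposite ends of the same exchange: the origin releases only what its ARP allows for a given requester and resource, and the target keeps only the attributes and values its AAP names, mapping them to request headers such as REMOTE_USER. The example below, added for this page and not Shibboleth's code, runs a constructed user's attributes through both stages. The AAP table mirrors the rules on the slide; the ARP rules, requester names, resource URLs and the user's directory entry are constructed. The check that a scoped value's "@domain" part must match a domain the originating site is allowed to assert (the Domain from its site metadata) is this example's addition, and values are joined into one header with ";" as a design choice.

```python
"""Attribute Release Policy (origin side) and Attribute Acceptance Policy
(target side) applied back to back.  Example code written for this page,
not Shibboleth's own implementation; all sample data is constructed."""
import re

EPSA = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
MAIL = "urn:mace:dir:attribute-def:mail"

# --- Origin: Attribute Release Policy --------------------------------------
# Each rule names the requester (the target identity seen on its SSL client
# certificate), a regular expression over the resource being accessed, and
# the attributes that may be released to it.  Requester names are constructed.
ARP = [
    {"requester": "urn:mace:inqueue:portal.example.test", "resource": r".*",
     "release": {EPSA, EPPN}},
    {"requester": "urn:mace:inqueue:library.example.test",
     "resource": r"^https://library\.example\.test/.*", "release": {EPSA}},
]


def release(arp, requester, resource, attributes):
    """Return the subset of `attributes` the ARP permits for requester+resource."""
    permitted = set()
    for rule in arp:
        if rule["requester"] == requester and re.fullmatch(rule["resource"], resource):
            permitted |= rule["release"]
    return {name: list(vals) for name, vals in attributes.items() if name in permitted}


# --- Target: Attribute Acceptance Policy -----------------------------------
# Mirrors the AAP rules on the slide: which attributes the target cares about,
# which values it accepts (None = any), and the request header each maps to.
AAP = {
    EPSA: {"header": "Shib-EP-Affiliation", "scoped": True,
           "values": {"member", "faculty", "student", "staff", "alum",
                      "affiliate", "employee"}},
    EPPN: {"header": "REMOTE_USER", "scoped": True, "values": None},
}


def accept(aap, site_domains, received):
    """Filter `received` attributes through the AAP and map them to headers.

    site_domains: domains the originating site may scope values to (from its
    site metadata).  A scoped value outside them is discarded so one origin
    cannot assert affiliations or principal names belonging to another.
    """
    headers = {}
    for urn, values in received.items():
        rule = aap.get(urn)
        if rule is None:
            continue                        # attribute the target does not care about
        kept = []
        for value in values:
            base = value
            if rule["scoped"]:
                if "@" not in value:
                    continue                # scoped attribute without a scope
                base, scope = value.rsplit("@", 1)
                if scope.lower() not in site_domains:
                    continue                # scope this origin may not assert
            if rule["values"] is not None and base not in rule["values"]:
                continue                    # value the target has not agreed to accept
            kept.append(value)
        if kept:
            headers[rule["header"]] = ";".join(kept)   # multi-valued header, ';'-joined
    return headers


def end_to_end(requester, resource):
    """Run one attribute exchange for a constructed user at example.edu."""
    user_attributes = {                     # constructed directory entry
        EPSA: ["student@example.edu", "member@example.edu",
               "vip@example.edu", "member@other.edu"],
        EPPN: ["jdoe@example.edu"],
        MAIL: ["jdoe@example.edu"],
    }
    released = release(ARP, requester, resource, user_attributes)
    return accept(AAP, {"example.edu"}, released)


if __name__ == "__main__":
    print(end_to_end("urn:mace:inqueue:portal.example.test", "https://portal.example.test/app"))
    print(end_to_end("urn:mace:inqueue:library.example.test", "https://portal.example.test/app"))
```

Three things never reach the application: mail (the ARP does not release it), vip (not in the AAP's value list) and member@other.edu (a scope example.edu may not assert). The portal gets REMOTE_USER; the library, with its narrower ARP rule, never does.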

Shibboleth 1.0 Summary
Origin is architected around a single federation; expects to be multi-hosted as a workaround
Target is considerably but not fully multi-federation capable yet
C++ APIs insulate target libraries from the sources of metadata, trust, and attribute policy

Shibboleth 1.0 Summary
Three system entities require credentials
  – Handle Service (signs XML)
  – Attribute Authority (SSL server, optionally signs XML)
  – SHAR (Attribute Requester) (SSL client)
Credentials are either exchanged in advance via trust metadata or verified via credible authorities
Weakness of 1.0 is that SSL exchanges rely on monolithic hierarchical trust, which weakens deployment across multiple federations.

Liberty ID-FF 1.2 Metadata
Latest spec includes an extensive metadata schema for exposing all the operational aspects of a Liberty system entity.
Includes a DDDS-based resolution mechanism for finding someone’s metadata.
Embeds point-to-point trust inside the metadata (here’s my public key…)
May be donated to SAML 2.0; currently isn’t.