Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3, 2008.

Presentation transcript:


Today’s Goals
– Demystify Shibboleth
– Provide a technical overview of Shibboleth
– Outline application considerations when migrating to Shibboleth
– Sketch the migration plan
– Q/A

Shibboleth Overview
– Shibboleth is standards-based, open source middleware designed to provide a web Single Sign-On (SSO) solution within or across organizational boundaries
– Authentication and attribute query protocol
– Standards based: built on SAML
– Developed by Internet2

Shibboleth Overview (continued)
– Emphasis on protecting user privacy
– Fine-grained attribute release control mechanism
– Browser-based authentication only
– Quickly gaining momentum in the higher education community
– UC is adopting Shibboleth as its standard federated authentication mechanism: UCTrust

Shibboleth Benefits
– Standards based (SAML etc.)
– Focus on privacy and security
– Adopted by many organizations
– Manage identity for local users only
– Federated
– Open source software, supported by Internet2
  – Client modules
  – No coding necessary
  – Works with static web sites

What Shibboleth Is Not
– SSO, but not authentication: the IdP leverages an existing authentication engine (at UCLA, ISIS)
– No authorization

Shibboleth Vocabulary
– Federation
– Identity Provider (IdP)
– Service Provider (SP)
– Where Are You From Service (WAYF)
– Handle Service (HS)
– Attribute Authority (AA)
– Attribute Requester (AR)
– Assertion Consumer Service (ACS)
– Attribute Release Policy (ARP)
– Attribute Acceptance Policy (AAP)
– Bilateral deployment

Shibboleth: Federation
– Provides a standard approach to the policies, practices and technologies that members adopt
– Interoperability and trust
– Which federation to join?
– Joining a federation is not a must in order to operate Shibboleth

Shibboleth: Identity Provider (IdP)
– The “server” side of Shibboleth
– Performs authentication and issues the Authentication Assertion
– Responds to attribute queries and issues the Attribute Assertion
– Analogous to the ISIS Login Server and Web Service
– One instance per campus

Shibboleth: Service Provider (SP)
– The “consumer” side of Shibboleth
– Apache module or IIS ISAPI filter, plus a daemon
– Handles all communications with the WAYF and the IdP
– Places returned attributes in HTTP headers
– Provided by Internet2

Shibboleth: Where Are You From (WAYF) Service
– Part of the federation services
– A directory service of Identity Providers
– Hosted by the federation operator*
* In Shibboleth 2.0, the WAYF function will be part of the Service Provider module

Shibboleth: IdP Components
– Handle Service (HS)
  – Directs the incoming user to the authentication authority (i.e., the login page)
  – Issues the Shibboleth handle (similar to a session token, à la the ISIS ticket)
– Attribute Authority (AA)
  – Responds to attribute requests
  – Queries data repositories
  – Constructs and returns the Attribute Assertion (an XML document containing the requested user data)

Shibboleth: SP Components
– Assertion Consumer Service (ACS)
  – Processes the Shibboleth handle returned by the IdP
  – Initiates an optional attribute request
  – Establishes a security context at the SP and redirects the client to the desired target resource
– Attribute Requester (AR)
  – Establishes a direct connection to the Attribute Authority at the IdP
  – Exchanges the attribute query and attribute response

Shibboleth: Attribute Release Policy (ARP)
– Rules for releasing attributes, in XML format
– Fine-grained control over the release of attributes
– Both the individual and the organization have control over the release of attributes
– Site ARP and User ARP

ARP Example: eduPersonAffiliation release policy

Shibboleth: Attribute Acceptance Policy (AAP)
– Rules for accepting attributes, in XML format
– Regular expression check on attribute values
– Places accepted attributes in HTTP headers for use by applications

AAP Example: eduPersonAffiliation acceptance rules matching the values FACULTY and STUDENT

Shibboleth Architecture (diagram © SWITCH)
The diagram shows the Web Site (Resource), the Service Provider (ACS, AR, Resource Manager), the WAYF and the Identity Provider (HS, AA, User DB), with numbered steps 1–10 for the handle and attribute exchange; the next slide walks through them.

Shibboleth Architecture: Walkthrough (Identity Provider at UCLA)
1. The user requests a resource on the SP’s web site.
2. SP (ACS): “I don’t know you, not even which home organization you are from. I redirect your request to the WAYF.”
3. WAYF: “Please tell me where you are from.”
4. WAYF: “OK, I redirect your request now to the Handle Service of UCLA.”
5. HS: “I don’t know you. Please authenticate using ISIS.”
6. The credentials are checked against the user database.
7. HS: “OK, I know you now. I redirect your request to the SP, together with a handle.”
8. AR: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.” (the handle is sent to the AA)
9. AA: “Let’s pass over the attributes the user has allowed me to release.” (the attributes are returned to the AR)
10. Resource Manager: “OK, based on the attributes, I grant access to the resource.”
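Steps 8–10 above, together with the ARP and AAP slides before them, as an added Python model (example code written for this page, not from the UCLA presentation or the Shibboleth project): the Attribute Authority applies a site ARP and a user ARP per requesting SP, the SP’s AAP then drops unlisted attributes and values that fail an anchored regex before populating HTTP headers, and the resource manager decides on what survives. The user data, the SP providerId and the header names are constructed assumptions.

```python
import re

# Constructed sample data (an assumption, not real UCLA directory content).
USER_ATTRIBUTES = {
    "eduPersonAffiliation": ["faculty", "member"],
    "eduPersonPrincipalName": ["jdoe@ucla.edu"],
    "mail": ["jdoe@ucla.edu"],
}

# ARPs: target SP providerId -> attribute -> permitted values ("*" = AnyTarget / any value).
SITE_ARP = {
    "*": {"eduPersonAffiliation": {"member"}},  # every SP may learn "member"
    "https://foobar.ucla.edu/shibboleth": {     # hypothetical registered SP
        "eduPersonAffiliation": {"*"}, "eduPersonPrincipalName": {"*"}},
}
USER_ARP = {"https://foobar.ucla.edu/shibboleth": {"mail": {"*"}}}  # user opt-in

def release(attrs, requester, arps):
    """IdP side: a value leaves the AA only if some ARP rule targeted at this requester or AnyTarget permits it."""
    released = {}
    for arp in arps:
        for target in ("*", requester):
            for name, allowed in arp.get(target, {}).items():
                for value in attrs.get(name, []):
                    if "*" in allowed or value in allowed:
                        if value not in released.setdefault(name, []):
                            released[name].append(value)
    return released

# AAP at the SP: attribute -> (HTTP header to populate, regex a value must match).
# Anchored on purpose: an unanchored "faculty" would also accept "ex-faculty".
AAP = {
    "eduPersonAffiliation": ("Shib-EP-Affiliation", r"^(faculty|staff|student|member)$"),
    "eduPersonPrincipalName": ("REMOTE_USER", r"^[^@\s]+@ucla\.edu$"),
}

def accept(released, aap):
    """SP side: keep only AAP-listed attributes whose values match, exposed as HTTP headers."""
    headers = {}
    for name, values in released.items():
        if name in aap:
            header, pattern = aap[name]
            kept = [v for v in values if re.search(pattern, v)]
            if kept:
                headers[header] = ";".join(kept)
    return headers

def authorize(headers, required=("faculty", "staff")):
    """Resource manager (step 10): grant access only on an accepted affiliation value."""
    return any(a in required for a in headers.get("Shib-EP-Affiliation", "").split(";"))
```

An SP that no ARP names receives only what the AnyTarget rule permits, which is the privacy point the migration slides make about not getting all the attributes you want from every user.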

UCLA
– Shibboleth IdP already running in production
– Leverages the ISIS authentication engine
– Running in parallel with ISIS 5
– Attributes in ED

UCLA (continued)
– Will eventually replace the ISIS Web Service API
– Early adopters include CCLE, MyEvents and the Plone site
– ARP administration is still a manual process
– Customized login page
– Supports bilateral and federated deployment

ToDo’s
– ISIS Login Server will continue to serve the login form
– Integrate Shibboleth SP administration with ISIS administration
– Incorporate data release approval from data stewards into the SP set-up process
– Need more attribute data!
– Improve user experience during redirects
– More support materials (Confluence)
– Helpdesk coordination
– Metadata generation
– Logout?

Migrating to Shibboleth
– Migration philosophy
  – Parallel support for ISIS 5 and ISIS/Shib
  – Gradual migration: move when it’s a good time for your application to move
  – … within reason, of course
  – Emphasis on user experience

Migrating to Shibboleth: Timeline
– 2007
  – Early adopters and new applications
  – Applications with unique requirements
  – Applications could choose between ISIS 5 and Shibboleth
– 2008
  – All MI Team supported apps
  – All new applications
  – Voluntary migration
– 2009
  – Mandatory migration
  – End of ISIS support

Preparing Your Application for Shibboleth
– Choose your web server
  – IIS
  – Apache
– Separate test and production environments
– Deployment scenario
  – Federated
  – Bilateral

Federated Deployment
– With federated deployment, your application joins a Shibboleth federation (InCommon, UCTrust)
– Need to register and obtain a federation-issued digital certificate
– The application enjoys common standards, but needs to comply with all federation requirements
  – Security and audit requirements
  – Attribute assertion agreements (more work on the IdP side than on the SP side)
  – Coordinated helpdesk support
– Choose federated deployment if:
  – You plan to accept authentication assertions from multiple IdPs
  – You have business requirements to participate in a federation

Bilateral Deployment
– With bilateral deployment, your application exchanges credentials and negotiates attribute exchanges directly with the IdP
– No need to obtain federation digital certificates
– Likely a simpler deployment model for UCLA-only applications
– Choose bilateral deployment if:
  – You plan to accept authentication assertions only from UCLA’s IdP
– You can always move to a federated deployment mode later

Preparing Your Application for Shibboleth
– Rethink your user access provisioning process
  – Shib’s privacy policy may mean that you won’t get all the attributes you want from all the users; you may need to ask for more information
  – Especially with federated deployment, you will receive login attempts from unexpected users
  – An on-demand access provisioning model is preferred
  – Need to provide much more descriptive help information on screen

Preparing Your Application for Shibboleth
The user may be confused if you show him:
“Login Failed: Access Denied.”

Preparing Your Application for Shibboleth
This may make it just a bit clearer to the user why he cannot continue, and what he can do to remedy the situation:
“Thank you for your interest in using the Foobar system. It appears that you authenticated successfully. However, you have not registered to become a user with Foobar. Foobar is a restricted system. If you believe you should have access, please click here to complete an access request. For additional inquiries, please contact our helpdesk at”

Preparing Your Application for Shibboleth
– Rethink your logging and helpdesk support model
  – Especially with federated deployment, the user’s IdP may not be UCLA
  – Helping a user through the troubleshooting process is critical
  – Think about your hours of support
  – Think about the kind of information you need to keep in your application log

Preparing Your Application for Shibboleth: Next Steps
– Install fest?
– Usability workshops?
– Diagnostic/testing modules?
– Common logging format?
– Helpdesk coordination
  – KB: kb.ucla.edu? Something else?
  – Shared diagnostics support scripts?

Resources
– Official Shibboleth website:
– Shibboleth wiki:
– InCommon Federation:
– UCTrust Federation:
– Cool demos of how Shib works from the Swiss Shibboleth federation folks:
– Middleware Infrastructure Group’s website:

Q &amp; A