SAML-based Delegation in Shibboleth
Scott Cantor, Internet2/The Ohio State University

Quick History
- Shibboleth announced for browser-based authentication to web sites, first lines of code written
- Next day, first post to mailing list asking about web services

Change in Direction
- Architectural emphasis in SAML / WS-* is on message-based security and SOAP
- Developers want session-based security and REST

Technical Requirements
- HTTP-based services (SOAP or REST)
- Security no weaker than browser-based SSO (i.e., bearer tokens)
- Evolutionary path to stronger security based on private keys controlled by delegates
- Attribute-based
- Federated
- Privacy-capable (hide user information from delegate)
- Standards-based where possible
- Application transparency

SAML-based Solution
- Leverage SAML 2 Enhanced Client / Proxy (ECP) SSO profile in place of Browser SSO profile between delegate and web service
- Leverage WS-Security and WS-Addressing profiles between delegate and IdP, influenced by or directly reused from Liberty Alliance work

Identity Provider Enhancements
- Assertions issued for SSO optionally extended such that a delegate can authenticate back to the IdP as the user
- SAML 2 ECP SSO profile using extended assertion + SSL client auth
- Policy controls:
  - Which SPs can be delegates
  - What WSPs an SP can access as delegate
  - Length of delegation chain
  - Attribute release based on use of delegation

Service Provider Enhancements
- Decision made to "break" existing applications if a delegated assertion is presented
- Revamp policy and SSO profile code to make assertion evaluation easily extensible (e.g., accepting delegated assertions)
- Expose delegation chain to applications via an SP-defined header/variable

Application Changes
- Targeting applications using Shibboleth SP for authentication
- Disallow delegation: no changes
- Accept but ignore: add policy rule to SP configuration
- Accept and process: add policy rule and process chain from header/variable
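As an added example (not Shibboleth's own code), the SP-side policy rule that the IdP and Application Changes slides describe: the three application modes, with the allowed-delegate and chain-length controls applied in "accept and process" mode. It assumes the chain is carried as the SAML V2.0 Condition for Delegation Restriction (del:Delegate elements), which the slides do not name, and the entityIDs, sample assertion and X-Delegation-Chain header name are constructed.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DEL = "urn:oasis:names:tc:SAML:2.0:conditions:delegation"   # Delegation Restriction condition
XSI = "http://www.w3.org/2001/XMLSchema-instance"

def make_assertion(delegates):
    """Constructed sample: an SSO assertion for jdoe that the IdP extended with one
    del:Delegate per hop (in the order delegation occurred) so a delegate can present
    it to a web service provider. An empty list yields a plain browser SSO assertion."""
    hops = "".join(
        f'<del:Delegate DelegationInstant="2011-03-10T10:00:0{i}Z">'
        f"<saml:NameID>{d}</saml:NameID></del:Delegate>" for i, d in enumerate(delegates, 1))
    cond = f'<saml:Condition xsi:type="del:DelegationRestrictionType">{hops}</saml:Condition>' if hops else ""
    return (f'<saml:Assertion xmlns:saml="{SAML}" xmlns:del="{DEL}" xmlns:xsi="{XSI}" '
            f'ID="_a1" Version="2.0" IssueInstant="2011-03-10T10:00:00Z">'
            f"<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>"
            f"<saml:Subject><saml:NameID>jdoe@example.edu</saml:NameID></saml:Subject>"
            f"<saml:Conditions>{cond}</saml:Conditions></saml:Assertion>")

def delegation_chain(assertion_xml):
    """Delegate NameIDs found in the assertion; [] means no delegation took place."""
    chain = []
    for cond in ET.fromstring(assertion_xml).iter(f"{{{SAML}}}Condition"):
        # xsi:type is a prefixed QName that ElementTree leaves unresolved; match the local part.
        if cond.get(f"{{{XSI}}}type", "").split(":")[-1] != "DelegationRestrictionType":
            continue
        for hop in cond.findall(f"{{{DEL}}}Delegate"):
            nameid = hop.find(f"{{{SAML}}}NameID")
            # None marks a hop we cannot identify (e.g. EncryptedID), so it can never be allowed
            chain.append(nameid.text.strip() if nameid is not None and nameid.text else None)
    return chain

def evaluate(assertion_xml, mode="disallow", allowed_delegates=(), max_chain=1):
    """SP-side policy rule. mode is one of the three application choices on the slide:
    'disallow' (default: a delegated assertion is rejected, so untouched apps 'break'),
    'ignore' (accepted, chain withheld), 'process' (chain checked against the allowed
    delegates and maximum length, then exposed). Returns (decision, header value) where
    the value is what a hypothetical X-Delegation-Chain header would carry to the app."""
    chain = delegation_chain(assertion_xml)
    if not chain:
        return "accept", None               # ordinary browser SSO: no change in any mode
    if mode == "disallow":
        return "reject", None
    if mode == "ignore":
        return "accept", None
    if None in chain or len(chain) > max_chain or not set(chain) <= set(allowed_delegates):
        return "reject", None
    return "accept", ";".join(chain)
```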

Phase II
- Initial prototype treats portal and portlets as a single security principal/identity in the chain
- Technical proposal allows the portal to acquire new tokens on behalf of portlets to give them presence in the final token
- Requires stand-alone token exchange between portal and IdP

Phase III
- Holder-of-key adaptation of ECP, binding the delegation token to the delegate's client certificate
- If necessary, support for message signing between delegate and IdP as an alternative to SSL client authentication

A Note on OAuth
- As in, why not OAuth?
- Feel free, what's stopping you?
- OAuth relies on a service to define its own security token; you don't need Shibboleth or SAML if that's your model
- You do need the capability to redirect the client to the service