SWITCHaai Team Introduction to Shibboleth.

Slides:

Advertisements

Similar presentations

Shibboleth 2.0 and Beyond Chad La Joie Georgetown University Internet2.

Advertisements

31242/32549 Advanced Internet Programming Advanced Java Programming

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Inter-Institutional Registration UNC Cause December 4, 2007.

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.

1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

WebFTS as a first WLCG/HEP FIM pilot

Session-01. What is a Servlet? Servlet can be described in many ways, depending on the context: 1.Servlet is a technology i.e. used to create web application.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March

Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.

SWITCHaai Team Federated Identity Management.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

SAML Conformance Sub-Group Report Face-to-face meeting August 29, 2001 Bob Griffin.

Catalyst 2002 SAML InterOp July 15, 2002 Prateek Mishra San Francisco Netegrity.

Identity Management Report By Jean Carreon and Marlon Gonzales.

Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.

Enabling Embedded Systems to access Internet Resources.

TEIN Shibboleth Training Course Introduction to SAML/Shibboleth at ComLabs USDI ITB, (updated version)

SAML Right Here, Right Now Hal Lockhart September 25, 2012.

ArcGIS Server and Portal for ArcGIS An Introduction to Security

AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

SAML 2.1 Building on Success. Outline n Summary of SAML 2.0 n Work done since 2.0 n Objectives of SAML 2.1 n Proposed Task List n Undecided Issues n Invitation.

SAML 2.0: Federation Models, Use-Cases and Standards Roadmap

Kalmar Union, a Conferedation of Nordic Identity Federations TNC2009 Mikael Linden, CSC Andreas Solberg, UNINETT.

Shibboleth at the U of M Christopher A. Bongaarts code-people June 2, 2011.

Saml-v1_x-tech-overview-dec051 Security Assertion Markup Language SAML 1.x Technical Overview Tom Scavo NCSA.

An XML based Security Assertion Markup Language

Connect. Communicate. Collaborate Place organisation and project logos in this area Usage of SAML in eduGAIN Stefan Winter, RESTENA Foundation TERENA Networking.

Connect. Communicate. Collaborate Federation Interoperability Made Possible By Design: eduGAIN Diego R. Lopez (RedIRIS)

Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.

SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002.

Federated Identity and Shibboleth Concepts Rick Summerhill Chief Technology Officer Internet2 GEC3 October 29, 2008 Slides by Nate Klingenstein

Shibboleth: An Introduction

Internet2 Middleware Initiative Shibboleth Ren é e Shuey Systems Engineer I Academic Services & Emerging Technologies The Pennsylvania State University.

Technical Break-out group What are the biggest issues form past projects – need for education about standards and technologies to get everyone on the same.

Shibboleth at the U of M Christopher A. Bongaarts net-people March 10, 2011.

Shibboleth What is it and what is it good for? Chad La Joie, Georgetown University.

Shibboleth 2.0 Update Ken Klingenstein. 2 Topics Shib v1.3 Status SAML new features Shibboleth 2.0 Features Shibboleth 2.x Features We Need Feedback.

Connect. Communicate. Collaborate Universität Stuttgart A Client Middleware for Token- Based Unified Single Sign On to eduGAIN Sascha Neinert, University.

Attribute Aggregation in Federated Identity Management David Chadwick, George Inman, Stijn Lievens University of Kent.

Shibboleth A Technical Overview

June 9, 2009 SURFfederatie: implementing a multi- protocol federation Hans Zandbelt & Joost van Dijk, SURFnet.

Administrative Information Systems Shibboleth Install Session Technical Information Session for Developers Datta Mahabalagiri.

Shibboleth Working Group, Fall 2010 Scott Cantor, OSU Chad LaJoie, Itumi, LLC.

Technical Security Issues in Cloud Computing By: Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Lacono Presentation by: Winston Tong 2009 IEEE.

Workshop on Security for Web Services. Amsterdam, April 2010 Applying SAML to Identity Data Exchange.

Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.

Security Assertion Markup Language, v2.0 Chad La Joie Georgetown University / Internet2.

Access Policy - Federation March 23, 2016

Using Your Own Authentication System with ArcGIS Online

Shibboleth Architecture

SFS-HTTP: Securing the Web with Self-Certifying URLs

Mechanisms of Interfederation

Analyn Policarpio Andrew Jazon Gupaal

Federation made simple

Federation Systems, ADFS, & Shibboleth 2.0

HMA Identity Management Status

Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)

Office 365 Identity Management

Shibboleth 2.0 IdP Training: Introduction

Shibboleth Service Providers: Technical Requirements and Considerations or How I Spent My Winter/Spring/Summer Vacation Scott Cantor Copyright.

Presentation transcript:

SWITCHaai Team Introduction to Shibboleth

© 2012 SWITCH Agenda What is Shibboleth? IdP/SP Communication Shibboleth 1 & 2 Support Resources 2

© 2012 SWITCH Shibboleth – Origin and Consortium The Origin Internet2 in the US launched the open source project The name Word Shibboleth was used to identify members of a group The standard Based on Security Assertion Markup Language (SAML) The Consortium The new home for Shibboleth development collect financial contributions from deployers worldwide 3

© 2012 SWITCH What is Shibboleth? Technically it’s a project group, like Apache or Eclipse, whose core team maintains a set of software components Most people think of it as the set of software components OpenSAML C++ and Java libraries Shibboleth Identity Provider (IdP) Shibboleth Service Provider (SP) Shibboleth Discovery Service (DS) Shibboleth Metadata Aggregator (MA) Taken together these components make up a federated identity management (FIM) platform. You might also think of Shibboleth as a multi-protocol platform that enforces a consistent set of policies. 4

© 2012 SWITCH The Components 5 Discovery Service home organization Service Provider Authentication System User Information Identity Provider

© 2012 SWITCH Shibboleth Components: Identity Provider What is it? A Java Servlet (2.4) web application What does it do? Connects to existing authentication and user data systems Provides information about how a user has been authenticated Provides user identity information from the data source 6

© 2012 SWITCH Shibboleth Components: Service Provider What is it? mod_shib: A C++ web server (Apache/IIS) module shibd: A C++ daemon - keeps state when web server processes die What does it do? Optionally initiates the request for authentication and attributes Processes incoming authentication and attribute information Optionally evaluates content access control rules 7

© 2012 SWITCH Shibboleth Components: Discovery Service What is it? A Java Servlet (2.4) web application What does it do? Asks the user to select their home organization from a list 8 See also an Alternative Implementation:

© 2012 SWITCH Terminology (1) SAML - Security Assertion Markup Language The standard describing the XML messages sent back and forth by the Shibboleth components (two versions: 1.1, 2.0) Profile - Standard describing how to use SAML to accomplish a specific task (e.g. SSO, attribute query) Binding - Standard that describes how to take a profile message and send it over a specific transport (e.g. HTTP) Front-channel - A binding that sends message through a user’s browser via redirects or form posts Back-channel - A binding where the entities connect directly to each other 9

© 2012 SWITCH Terminology (2) entityID - Unique identifier for an IdP or SP Assertion - The unit of information in SAML NameID - An identifier by which an IdP knows a user Attribute - A named piece of information about a user 10

© 2012 SWITCH Shibboleth Supported Profiles SAML 1 Shibboleth SSO Attribute Query Artifact Resolution SAML 2 SSO Attribute Query Artifact Resolution Enhanced Client Single Logout (SP-only) 11 Discovery Shibboleth 1 Discovery (WAYF) SAML 2 Discovery Service

© 2012 SWITCH Shibboleth Communication Flow: Shibboleth 1 12

© 2012 SWITCH Problems with Shibboleth 1 SSO Flow The SP does not know which IdP will receive its request and so it can not tailor the authentication request Which protocol to use? Which keys to use for encryption? The IdP must have a second SSL port in order for the SP to make its attribute query (attribute pull model) Twice the number of crypto operations Two request/response pairs for every authentication 13

© 2012 SWITCH Shibboleth Communication Flow: Shibboleth 2 SSO 14

© 2012 SWITCH Odds and Ends Shibboleth knows nothing about federations, it just consumes metadata in order to: locate the entity to which messages are sent determine what protocols the entity supports determine what signing/encryption keys to use The IdP is CPU bound, unlike most web apps No support for crypto-acceleration currently Support for clustering though 15

© 2012 SWITCH Shibboleth 1.3 to 2.X migration Shibboleth 2 is backwards compatible with 1.3 Obviously new SAML 2 features don’t work with Shibboleth 1.3 Entity’s should embed their certificates in their metadata This is required in order to support SAML 2 encryption The Shibboleth team recommends URLs for entityIDs IdP entityID: SP entityID: These URLs can then be used to get the metadata for the entity 16

© 2012 SWITCH SP Migration: Attribute Names Version 1.3 placed attributes in HTTP Headers HTTP_SHIB_EP_AFFILIATION staff HTTP_SHIB_INETORGPERSON_GIVENNAME Lukas Version 2.0 (when using Apache) places attributes in server environment and uses slightly different names as a result Shib-EP-Affiliation staff Shib-InetOrgePerson-givenName Lukas Version 2.0 supports the old method but the new method guarantees that information can not be spoofed 17

© 2012 SWITCH Support Resources First, check with your Federation Shibboleth Wiki Shibboleth User’s Mailing List Archive Shibboleth User’s Mailing List 18