Chad La Joie Shibboleth’s Future.


2 © 2009 SWITCH
Where are we now?
Current releases:
– Discovery Service
– IdP
– SP
Shibboleth 1.3 classified as "previous stable release"
– fixes for security issues, no new features, limited on-list support
– end of life on June 30, no support after this time
Java 5 end of life was October 30, 2009
– no plans to require Java 6, but we reserve the right to do so
Moving to Jetty 7, away from Tomcat, as preferred Servlet container
– still compliant with the Servlet 2.4 spec, so IdP/DS will still work in Tomcat

3 Next Major IdP Release
Shibboleth IdP 3.0 is the next major release
– main goal: clean up APIs hindering new work
– 2.x configs will automatically be updated to 3.x configs during install
– 3.0 is not a major rewrite
Major new features
– distribution option that includes a configured servlet container
– clustering option that does not require separate install/config
– N-Tier delegation support
– integration of uApprove (attribute release consent) into core code
About a dozen or so minor features

4 Post-3.0 IdP
Single log out support
– working plugin developed by NIIF, the Hungarian NREN
SPNEGO authentication support
– no login required at the IdP once you log in to a Windows domain
Non-browser use case support
– initial focus on username/password and X.509 authentication
Configuration tools
IdP user interface
– IdP-initiated SSO/SLO
– persistent ID disassociation
– removal of attribute release consent

5 Shibboleth + Buzzwords: User-centric Identity
Claim: All data about a person is the property of that person and, as such, should be kept and controlled by that person
– allows freedom of movement from provider to provider
– allows a consistent identity across sites
– allows individuals to choose what information they release to whom
In practice though:
– the user isn't authoritative for most of their data
– self-asserted data is inherently non-verifiable (in-band)
– a consistent identity across sites allows for correlation attacks
– users can't operate identity providers and so end up locked in to that provider
The goal should probably be to bring information release consent to organization-centric identity
– e.g. Shibboleth + uApprove
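The correlation point on this slide, and the "persistent ID disassociation" item on the post-3.0 slide, are easier to see with data in hand. The following is an added example, not code from the presentation or from the Shibboleth project: it simulates two service providers' databases, once keyed by a global identifier and once by a per-SP pairwise identifier, and joins them. The user list, entityIDs, salt and the HMAC derivation are constructed for the illustration; the derivation is not the exact algorithm of any Shibboleth component.

```python
import hashlib
import hmac

# Constructed sample data: the IdP's local user names and two service
# providers (SPs) identified by SAML entityIDs. None of this is real.
USERS = ["alice", "bob", "carol"]
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"

# Secret held only by the IdP; never released to any SP (constructed value).
IDP_SALT = b"constructed-idp-secret-salt"

# Per-(user, SP) disassociation counter kept at the IdP. Bumping it gives the
# user a fresh identifier at that one SP without touching the others.
DISASSOCIATIONS: dict = {}


def global_identifier(user: str, sp_entity_id: str) -> str:
    """A 'consistent identity across sites': the same value at every SP.
    The SP argument is ignored on purpose."""
    return f"{user}@idp.example.edu"


def pairwise_identifier(user: str, sp_entity_id: str) -> str:
    """An opaque identifier that is stable for one (user, SP) pair, so the SP
    can keep an account, but unrelated between SPs. Illustrative HMAC
    derivation, not the exact algorithm of any Shibboleth component."""
    generation = DISASSOCIATIONS.get((user, sp_entity_id), 0)
    message = f"{user}!{sp_entity_id}!{generation}".encode()
    return hmac.new(IDP_SALT, message, hashlib.sha256).hexdigest()[:32]


def disassociate(user: str, sp_entity_id: str) -> None:
    """Break the link between the user and their existing account at one SP."""
    key = (user, sp_entity_id)
    DISASSOCIATIONS[key] = DISASSOCIATIONS.get(key, 0) + 1


def sp_database(sp_entity_id: str, id_fn) -> dict:
    """What an SP accumulates after every user has logged in once:
    identifier -> local activity record."""
    return {id_fn(u, sp_entity_id): {"sp": sp_entity_id, "logins": 1} for u in USERS}


def correlate(db_a: dict, db_b: dict) -> set:
    """Join two SPs' databases on identifier value. Any overlap means the two
    SPs (or whoever obtains both datasets) can link a person's activity across
    sites without the IdP's involvement."""
    return set(db_a) & set(db_b)


def linkable_users() -> tuple:
    """Return (users linkable with global ids, users linkable with pairwise ids)."""
    with_global = correlate(sp_database(SP_A, global_identifier),
                            sp_database(SP_B, global_identifier))
    with_pairwise = correlate(sp_database(SP_A, pairwise_identifier),
                              sp_database(SP_B, pairwise_identifier))
    return len(with_global), len(with_pairwise)
```

With global identifiers every user in both databases is linkable; with pairwise identifiers none are, yet each SP still sees the same value for a returning user until the IdP disassociates that one pairing.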

6 Shibboleth + Buzzwords: OpenID
OpenID (OID) claims to be simple, user-centric SSO
– users have an OID provider that they run
– the OID is a URL entered at the SP (removes the need for a WAYF/DS)
– authenticate via a process similar to Shibboleth 1
– proves ownership of a URL
– white/blacklist-based trust system
Usage litmus test: Would you be willing to give out the restricted information to a random person who asked?
– this is perfectly okay for many sites
Shibboleth OpenID provider:
– uses metadata as the basis of trust/security (on by default)
– attribute exchange (off by default) with attribute filter and release consent
– OpenID support off by default because of the inherent insecurity of OpenID

7 Shibboleth + Buzzwords: OAuth
OAuth is an access delegation protocol
– You log in to service B. Service B wants your information from service A. You log in to A, get a token, and give it to B. B uses the token to get your information from A.
OAuth is independent of the means by which a user is authenticated and of the format of the token
– OAuth is orthogonal to federated identity management
– so no real connection with Shibboleth
OAuth is currently under-specified
– creating interoperable systems tends to be a trial-and-error exercise
– there are many different protocol flows that all claim to be OAuth
– an IETF WG is attempting to provide a clearer standard
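The four-step delegation on this slide, played out with both services in one process, as an added example that is not part of the presentation and is not any particular OAuth version's wire protocol. Service A authenticates the user by whatever means it likes (a constructed password table here; it could just as well be a SAML assertion), issues an opaque token bound to delegate B and to a scope, and enforces that binding, the scope and an expiry when B presents the token. The class names, user "alice", the profile fields and the credential are all constructed for this illustration.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class ServiceA:
    """Holds the user's data and issues delegation tokens.

    How A authenticates the user is outside the delegation protocol: here it is
    a constructed password table, but it could equally be a SAML assertion from
    an IdP. The token is opaque to B; its format is A's private business.
    """
    passwords: dict = field(default_factory=lambda: {"alice": "constructed-pw"})
    profiles: dict = field(default_factory=lambda: {
        "alice": {"email": "alice@example.edu", "phone": "constructed-555-0100"}})
    _grants: dict = field(default_factory=dict)  # token -> grant details

    def authenticate(self, user: str, password: str) -> bool:
        return secrets.compare_digest(self.passwords.get(user, ""), password)

    def issue_token(self, user: str, password: str, delegate_id: str,
                    scope: set, ttl_seconds: int = 300) -> str:
        """Step 2: the user logs in to A and obtains a token for delegate B."""
        if not self.authenticate(user, password):
            raise PermissionError("authentication at A failed")
        token = secrets.token_urlsafe(24)  # opaque random handle, no structure
        self._grants[token] = {
            "user": user,
            "delegate": delegate_id,      # token only usable by this delegate
            "scope": frozenset(scope),    # only these fields may be read
            "expires": time.time() + ttl_seconds,
        }
        return token

    def read_field(self, token: str, delegate_id: str, field_name: str) -> str:
        """Step 4: B presents the token; A checks binding, scope and expiry."""
        grant = self._grants.get(token)
        if grant is None:
            raise PermissionError("unknown token")
        if grant["delegate"] != delegate_id:
            raise PermissionError("token was not issued to this delegate")
        if field_name not in grant["scope"]:
            raise PermissionError("field outside granted scope")
        if time.time() > grant["expires"]:
            raise PermissionError("token expired")
        return self.profiles[grant["user"]][field_name]


@dataclass
class ServiceB:
    """The delegate. It stores only the token, never the user's credentials at A."""
    client_id: str = "service-b"
    tokens: dict = field(default_factory=dict)  # B-side user -> token for A

    def accept_token(self, user_at_b: str, token: str) -> None:
        """Step 3: the user hands the token to B."""
        self.tokens[user_at_b] = token

    def fetch_email(self, a: ServiceA, user_at_b: str) -> str:
        return a.read_field(self.tokens[user_at_b], self.client_id, "email")


def denied(fn) -> bool:
    """True if calling fn() is refused with PermissionError."""
    try:
        fn()
    except PermissionError:
        return True
    return False


def run_flow() -> dict:
    a, b = ServiceA(), ServiceB()
    # Step 1: the user is already logged in to B (how is not OAuth's concern).
    token = a.issue_token("alice", "constructed-pw", b.client_id, {"email"})
    b.accept_token("alice@b", token)
    return {
        "email": b.fetch_email(a, "alice@b"),
        # A refuses reads outside the granted scope ...
        "scope_enforced": denied(lambda: a.read_field(token, b.client_id, "phone")),
        # ... and use of the token by a party it was not issued to.
        "binding_enforced": denied(lambda: a.read_field(token, "service-c", "email")),
        # A wrong credential at A yields no token at all.
        "bad_login_rejected": denied(
            lambda: a.issue_token("alice", "wrong", b.client_id, {"email"})),
    }
```

The point the slide makes, that OAuth is orthogonal to how the user authenticated, shows up as `authenticate` being the only method that would change if A trusted a federated IdP instead of a local password.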

8 Shibboleth + Buzzwords: CardSpace
CardSpace generally refers to two things:
– Microsoft's (MS) evolution of Passport into a decentralized service
  · known by MS not as CardSpace but as the Identity Metasystem
– MS's client for the Identity Metasystem
  · this is what MS means when it says CardSpace
Primarily focused on avoiding phishing
– the operating system controls the UI during authentication
Secondary focus
– support for multiple authentication methods: SAML, OpenID, Kerberos
– support for user-centric identity through unmanaged cards
– support for organization-centric identity through managed cards
CardSpace is a client without a server
– the Shibboleth InfoCard plugin provides a server

9 Shibboleth + Buzzwords: Geneva (ADFSv2)
Server-side implementation of the Identity Metasystem
– non-interoperable successor to Active Directory Federation Services
Appears to integrate with Exchange and SharePoint
The currently available release does not interoperate with other products
– not using published CardSpace protocols
– not compliant with standard specifications (XML DSIG/ENC, SAML)
Shibboleth and Geneva
– interoperation will require MS to publish the protocols in use
– lack of meaningful metadata support will make running Geneva within a federation very work intensive