David L. Wasley Office of the President University of California Shibboleth Safe delivery of reliable authorization data David L. Wasley University of.
1 Shibboleth: Safe delivery of reliable authorization data
David L. Wasley, Office of the President, University of California

2 Shibboleth & the PKI Puzzle

3 Internet2 Shibboleth
- Middleware initiative to leverage existing campus authentication methods while encouraging Resource Providers to adopt better access management methodology
  - Usable by a wide variety of resources
- The focus is on the trusted release of a User's attributes to allow Resource Providers to make appropriate authorization decisions
  - Local authentication method is taken for granted

4 Typical Resources
- Shibboleth design depends on web technology
- Content providers
  - Shib should be a drop-in package (well, almost)
  - Should simplify the trust model
  - Access rules would be established in contracts
- Portals - either local or remote
  - Remote would require negotiation for personal ID
- ASPs etc…

5 Typical User Attributes
- Primarily from eduPerson Object Class
  - See
- "member of community" could be derived
  - What about specific "group" memberships?
- Eligibility under terms of a specific contract
- Personally identifying information
- User-defined attributes are possible
  - e.g. for specific target use
  - Problematic from security point of view

6 Privacy is a serious design goal
- User's institution should have a default release policy that all Users (can) know
  - E.g. always give "member of the campus community"
  - Internal vs external defaults might be different
- Users should be able to augment that policy
  - Separate interface to AA to edit release policy
  - Real-time interaction may be implemented too
    - Easier for non-technical Users to understand
  - May be required by FERPA or HIPAA or …

7 Shibboleth Elements
- Local security domain Attribute Authority (AA)
  - Has access to User directory
  - Keeps a release policy database
    - May be modified to reflect User preferences
- Target domain Attribute Requestor (SHAR)
  - Retrieves anonymous "handle" for the User
  - Gets User attributes from AA over SSL/TLS
- Uses XML/SAML for messages
  - Critical messages are digitally signed

8 Helpers
- Shib Handle Requestor (SHIRE)
  - Dynamically generated indexical reference to User
- Where Are You From (WAYF) server
  - May be a third party (Club Shib) service
- Local User Handle Server (HS)
  - Provides dynamic, anonymous query handle
- Local campus authentication mechanism
  - WebLogin with PubCookie or PKI or UID/Pwd …
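Slides 6, 7 and 8 together describe the origin-side machinery: a Handle Server that hands the target a dynamic, anonymous handle instead of a username, an Attribute Authority that answers the target's attribute query by applying the institution's default release policy (with different internal and external defaults) plus whatever the User has added for that target, and signed messages between the two domains. The following toy model is an added example written for this transcript; it is not Shibboleth code and not from the presenter. Every name, key, directory entry and the `journal-x` / `campus-portal` targets are constructed, and an HMAC over canonical JSON stands in for the XML/SAML digital signature on critical messages.

```python
"""Constructed toy model of the pieces slides 6-8 describe: a Handle Server
(HS), an Attribute Authority (AA) applying default + User-augmented release
policy, and a target-side requestor (SHAR) exchanging signed messages."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for the campus User directory the AA reads (slide 7).
DIRECTORY = {
    "alice": {
        "eduPersonAffiliation": ["member", "student"],
        "eduPersonEntitlement": ["urn:example:contract:journal-x"],
        "mail": "alice@campus.example",
        "displayName": "Alice Example",
    },
}
# Institution default release policy every User can know (slide 6). External
# targets only learn "member of the campus community" unless the User says more.
DEFAULT_RELEASE = {
    "internal": {"eduPersonAffiliation", "mail", "displayName"},
    "external": {"eduPersonAffiliation"},
}
LOCAL_TARGETS = {"campus-portal"}  # constructed: targets in the local domain


def sign(key, obj):
    """HMAC over canonical JSON; stands in for the XML/SAML signature (slide 7).
    The key is the out-of-band agreement between one target and the AA."""
    data = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class HandleServer:
    """Issues random, short-lived handles so the target never sees a username."""
    def __init__(self, ttl_seconds=300):
        self._handles = {}
        self.ttl = ttl_seconds

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(16)  # unguessable, not derived from the user
        self._handles[handle] = (username, now + self.ttl)
        return handle

    def resolve(self, handle, now=None):
        now = time.time() if now is None else now
        entry = self._handles.get(handle)
        if entry is None or now > entry[1]:
            return None  # unknown or expired handle
        return entry[0]


class AttributeAuthority:
    def __init__(self, handle_server, target_keys):
        self.hs = handle_server
        self.keys = target_keys   # target name -> shared MAC key
        self.user_policy = {}     # username -> {target: set of extra attrs}

    def add_user_release(self, username, target, attrs):
        """The 'separate interface to AA' a User uses to augment the default."""
        self.user_policy.setdefault(username, {}).setdefault(target, set()).update(attrs)

    def released_attributes(self, username, target):
        scope = "internal" if target in LOCAL_TARGETS else "external"
        allowed = set(DEFAULT_RELEASE[scope])
        allowed |= self.user_policy.get(username, {}).get(target, set())
        return {k: v for k, v in DIRECTORY[username].items() if k in allowed}

    def answer(self, request, now=None):
        """Verify the SHAR's signature, resolve the handle, apply the policy."""
        key = self.keys.get(request.get("target"))
        if key is None:
            return {"error": "unknown target"}
        body = request["body"]
        if not hmac.compare_digest(sign(key, body), request["sig"]):
            return {"error": "bad signature"}
        username = self.hs.resolve(body["handle"], now)
        if username is None:
            return {"error": "invalid or expired handle"}
        attrs = self.released_attributes(username, request["target"])
        reply = {"handle": body["handle"], "attributes": attrs}
        return {"body": reply, "sig": sign(key, reply)}


def shar_query(key, target, handle):
    """Target-side (SHAR) attribute query for a handle it received via the HS."""
    body = {"handle": handle}
    return {"target": target, "body": body, "sig": sign(key, body)}


def shar_read(key, response):
    """SHAR side: accept attributes only from a correctly signed AA reply."""
    if "error" in response:
        return None
    if not hmac.compare_digest(sign(key, response["body"]), response["sig"]):
        return None
    return response["body"]["attributes"]


if __name__ == "__main__":
    hs = HandleServer()
    aa = AttributeAuthority(hs, {"journal-x": b"key-agreed-out-of-band"})
    handle = hs.issue("alice")  # issued after local campus authentication
    reply = aa.answer(shar_query(b"key-agreed-out-of-band", "journal-x", handle))
    print(shar_read(b"key-agreed-out-of-band", reply))
```

Two design points mirror the slides: the AA, not the target, decides whether a target is internal or external, so a remote target cannot claim the richer internal default; and the handle carries no User information and expires, so an attribute query with a stale or guessed handle is refused before any policy is consulted.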

9 Shibboleth Message Flows

10 Some Interesting Issues
- Who do you trust?
  - More properly - "How much trust do you require?"
  - SHAR must trust AA and vice versa
    - Probably requires an out of band agreement
  - Does the SHIRE trust the HS?
    - Club Shib could broker this trust
  - Club Shib may be a set of rules of the game
- How do Users specify attribute release policy?
  - It's hard enough for the experts to do it…

11 Shibboleth Summary
- Leverage existing authentication methods
  - Including PKI
- Inherent controlled release of User information
  - User privacy, FERPA, HIPAA, etc. …
- A step towards the broader use of PKI
  - Reference implementations will be made available
  - Content providers are early "target of opportunity"
- See

12 Shibboleth Status
- Specification document in final draft
- Coding to begin "any day now"
  - IBM is interested in the coding
- Demo prototype at I2 Fall meeting
  - If all goes well
  - Hope to get at least one content provider involved
- Interest from JA-SIG uPortal, others …