Shibboleth On-line Authentication System Jon Browne Senior Consultant Drew Heald BSc (Hons), MPhil, MCP Systems Developer IBIS Business Consultants Ltd.

Slides:

Advertisements

Similar presentations

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.

Advertisements

Shibboleth at Cardiff University Lindsay Roberts Project Manager – Shibboleth Implementation Phase 2.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Enabling UCTrust Access for Your Application Introduction to The UC CSC Conference UC Santa Barbara, July 21-22, 2008.

The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.

Architecture & Integration: CP v x Platforms: Windows NT sp5(6a)/Solaris 2.8 iWS Client(s) Netscape/IE 4.0+ Java Servlet Engine (Java Servlet API)

DT211/3 Internet Application Development Active Server Pages & IIS Web server.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (

The EC PERMIS Project David Chadwick

Dr Tony McDonald - FMSC Breaking Boundaries Dr Tony McDonald - FMSC

Infrastructure for Multi-Professional Education and Training Using Shibboleth.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

Shibboleth access management: a replacement for Athens and more? Mark Norman and Christian Fernau OUCS 21 June 2007.

Shibboleth Update a.k.a. “shibble-ware”

Senior Technical Writer

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Project Shibboleth Update, Demonstration and Discussion Michael R Gettes Duke University (on behalf of the entire shib team!!!) June.

Napster Shibboleth Target PSU/Napster Technical Integration R. Ramos

3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.

TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004.

SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.

Shibboleth: Installation and Deployment Scott Cantor July 29, 2002 Scott Cantor July 29, 2002.

Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.

LGfL Update Stewart Duncan LGfL Technical Manager Ian Lehmann LGfL Operations Manager.

Shibboleth for Local Attribute Delivery 21 June 2007.

Shibboleth and TAGPMA Michael Helm DOEGRids/ESnet 27 Mar 2006.

MAT U M A T U Middleware Assisted Take-Up Service For JISC Funded Early Adopters.

JISC Middleware Security Workshop 20/10/05© 2005 University of Kent.1 The PERMIS Authorisation Infrastructure David Chadwick

Internet2 Middleware Initiative Shibboleth Ren é e Shuey Systems Engineer I Academic Services & Emerging Technologies The Pennsylvania State University.

Shibboleth: Installation and Deployment Scott Cantor July 29, 2002 Scott Cantor July 29, 2002.

Shibboleth: Technical Architecture Marlena Erdos and Scott Cantor Revised Oct 2, 2001 Marlena Erdos and Scott Cantor Revised Oct 2, 2001.

Single Sign-On across Web Services Ernest Artiaga CERN - OpenLab Security Workshop – April 2004.

1 Protection and Security: Shibboleth. 2 Outline What is the problem Shibboleth is trying to solve? What are the key concepts? How does the Shibboleth.

1 herbert van de sompel CS 502 Computing Methods for Digital Libraries Cornell University – Computer Science Herbert Van de Sompel

Delegation of Authority David Chadwick

MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.

Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.

Intra- to Inter-institutional Use of Shibboleth Bruce Vincent, Stanford University June 28, 2006.

Day12 Network OS. What is an OS? Provides resource management and conflict resolution. –This includes Memory CPU Network Cards.

Mairéad Martin The University of Tennessee December 16, 2015 Federated Digital Rights Management.

Shibboleth & Federated Identity A Change of Mindset University of Texas Health Science Center at Houston Barry Ribbeck

TOPIC: AUTHENTICITY CREATED BY SWAPNIL SAHOO AuthenticityAuthorisation Access Control Basic Authentication Apache BASIC AUTHENTICATIONDIGEST ACCESS AUTHENTICATIONDHCP.

JISC Shibboleth Briefing, 12-Mar Everything I always wanted to know about Shibboleth John Paschoud SECURe Project, LSE Library …but was afraid to.

Administrative Information Systems Shibboleth Install Session Technical Information Session for Developers Datta Mahabalagiri.

PAPI 2 Distributed trust model and AA interoperability.

WebISO, Single Sign-On & Authorization General Overview Shelley Henderson Project Manager, Grid Software USC Information Services Copyright.

Shibboleth for Middle Schools James Burger -

Shibboleth Use at the National e-Science Centre Hub Glasgow at collaborating institutions in the Shibboleth federation depending.

CERN IT Department CH-1211 Genève 23 Switzerland t Single Sign On, Identity and Access management at CERN Alex Lossent Emmanuel Ormancey,

Business Objects XIr2 Windows NT Authentication Single Sign-on 18 August 2006.

Blackboard Learning System r6 and Shibboleth Barry Ribbeck U.Texas Health Science Center at Houston Christopher Etesse Blackboard Inc.

Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.

Seminar: Security / Identity Management Presentation: Elke Weber

Authentication & Authorisation Is the user allowed to access the site?

Using Your Own Authentication System with ArcGIS Online

Shibboleth Architecture

Single Sign-On Led by Terrice McClain, Jen Paulin, & Leighton Wingerd

Authentication & .htaccess

CAS and Web Single Sign-on at UConn

Radius, LDAP, Radius used in Authenticating Users

e-Infrastructure Workshop 28th March 2006, University of Leeds

Scott Cantor April 10, 2003 Shibboleth and PKI Scott Cantor April 10, 2003.

ESA Single Sign On (SSO) and Federated Identity Management

Michael R Gettes, Duke University On behalf of the shib project team

Overview and Development Plans

Agenda Introductions Brief review of our project charge

SharePoint Online Authentication Patterns

KC-ROLO Project Kidderminster College – Repository Of Learning Objects

“Anonymous” Claim Reporting through Origami

Presentation transcript:

Shibboleth On-line Authentication System Jon Browne Senior Consultant Drew Heald BSc (Hons), MPhil, MCP Systems Developer IBIS Business Consultants Ltd

Accessing a Web Resource Client user accesses a free resource Client user is authenticated via a username and password to access a protected resource Client user is responsible for setting up that account Server W W W Client Request Response

Web Resources for Education Educational establishments subscribe to resources on behalf of many users Parts of a given resource may only be accessible by some of the users in a given educational establishment The resources to which a given user has access change periodically

Authentication School Students Directory/Database Student data … Directory/Database Student data … Resource Available to all Available to year 3 and above Available to year 6 and above Authentication Authorisation

Authentication Common Issues –Exposure of personal information –High administrative burden –Lack of traceability –Password leakage –Many passwords problem –Resource accessibility is restricted –Complicated to use

Shibboleth Aims to: –Ensure no personal information is exposed unless necessary –Minimise the number of passwords a user needs to remember –Minimise the administrative burden –Enable user traceability –Be transparent to the user –Enable access from any location

Shibboleth User Authentication LEA/RBC (Origin)Resource (Target) SHIRE SHAR Handle Service Attribute Authority Request User Authentication User Attributes (LDAP/SQL) Resource(s) Bash Street St Trinians Hogwarts LGfL Oxford … WAYF

9. User Attributes 4. Username + password Shibboleth User Authentication Resource (Target) SHIRE SHAR Handle Service Attribute Authority 1.Request URL User Authentication User Attributes (LDAP/SQL) Resource(s) 2. Request URL + SHIRE URL 3. Request URL + SHIRE URL 5. Request URL + Handle + AA URL 6. Request URL + Handle + AA URL 7. Request URL + Handle 8. Handle returns User ID 10. Request URL + User Attributes 11. User Attributes LEA/RBC (Origin) Bash Street St Trinians Hogwarts LGfL Oxford … WAYF

Shibboleth User Authentication Resource (Target) SHIRE SHAR Handle Service Attribute Authority 1.Subsequent Request URL (Same Domain) User Authentication User Attributes (LDAP/SQL) Resource(s) SHIRE has Cached Session & Handle = OK SHAR has Cached Attributes = OK LEA/RBC (Origin) Bash Street St Trinians Hogwarts LGfL Oxford … WAYF

Bash Street St Trinians Hogwarts LGfL Oxford … Shibboleth User Authentication Resource (Target) WAYF SHIRE SHAR Handle Service Attribute Authority 1.Subsequent Request URL (Different Domain) User Authentication User Attributes (LDAP/SQL) Resource(s) SHIRE has Cached Session & Handle = OK SHAR has no Cached Attributes for the new Domain so ask AA Handle returns User ID Request New Domain Attributes Return New Domain Attributes LEA/RBC (Origin)

User Authentication Shibboleth User Authentication Resource (Target) SHIRE SHAR Handle Service Attribute Authority User Attributes (LDAP/SQL) Resource(s) PortalPortal LEA/RBC (Origin)

Shibboleth User Authentication Pros –Low administrative burden –Exposure of personal information under user’s control –Same identity for all resources –User traceability –Resources can be accessed from any location Cons –(Possible) multi-stage authentication

Shibboleth Demonstration Browser Shibboleth Origin Windows XP Pro Apache Server LDAP Directory (Active Directory) Windows 2003 Server WAYF Service Windows 2003 Server IIS 6.0 Shibboleth Target Windows 2003 Server IIS

Shibboleth Demonstration Browser Shibboleth Origin Windows 2003 Server Apache Server LDAP Directory (Active Directory) WAYF Service Shibboleth Target Windows 2003 Server IIS

Shibboleth “Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand.” Judges 12:6