Shibboleth: Authenticate Locally, Act Globally. A Penn State Case Study. Renée Shuey, May 4, 2004, ITS – Emerging Technologies.

Presentation transcript:


Agenda
- Shibboleth: background and status
- Technical review: how does it work?
- Shibboleth: why?
- Penn State background
- "Shibbified" Penn State applications
- Integrating Shibboleth with the PSU infrastructure
- Future opportunities

What is Shibboleth?
- An initiative to develop an architecture and policy framework supporting the sharing, between domains, of secured web resources and services
- Built on a "federated" model
- A project delivering an open source implementation of the architecture and framework
- Deliverables:
  - Software for origins (campuses)
  - Software for targets (vendors)
  - Operational federations (scalable trust)

Shibboleth Goals
- Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions
- Provide security while not degrading privacy
- Attribute-based access control
- Foster inter-realm trust fabrics: federations and virtual organizations
- Leverage campus expertise and build rough consensus
- Influence the marketplace; develop where necessary
- Support for heterogeneity and open standards

So... What is Shibboleth?
- A web single sign-on (SSO) system
- An access control mechanism for attributes
- A standard interface and vocabulary for attributes
- A standard for adding AuthN and AuthZ to applications

Shibboleth Status
- Software availability:
  - Version 1.1 available August 2003
  - Version 1.2 available April 2004
  - Version 1.3 available Summer 2003
  - Target implementation works with Apache and IIS targets
- Campus adoption accelerating...
- Working with second round of information vendors
- Java target implementation underway
- Work underway on some of the essential management tools such as attribute release managers, target resource management, etc.

Shibboleth Status
- Likely to coexist well with Liberty Alliance and may work within the WS framework from Microsoft
- Growing development interest in several countries, providing resource manager tools, digital rights management, listprocs, etc.
- Used by several federations today: NSDL, InQueue, SWITCH, and several more soon (JISC, Australia, etc.)

High Level Architecture
- Federations provide common policy and trust
- Destination and origin site collaborate to provide a privacy-preserving "context" for Shibboleth users
- Origin site authenticates the user and asserts attributes
- Destination site requests attributes about the user directly from the origin site
- Destination site makes an access control decision
- Users (and origin organizations) can control what attributes are released

Technical Components
- Origin site, required enterprise infrastructure:
  - Authentication
  - Attribute repository
- Origin site, Shib components:
  - Handle Server
  - Attribute Authority
  - Attribute Release Policy
- Target site, required enterprise infrastructure:
  - Web server (Apache or IIS)
- Target site, Shib components:
  - SHIRE
  - SHAR
  - WAYF
  - Resource Manager

Shibboleth AA Process (flow diagram; participants: the user, the resource owner's site with its SHIRE, SHAR and Resource Manager, the WAYF, and the user's home org with its Handle Service (HS), user DB and Attribute Authority (AA))
1. The user requests the resource. SHIRE: "I don't know you. Not even which home org you are from. I redirect your request to the WAYF."
2. WAYF: "Please tell me where are you from?"
3. The user names their home org.
4. WAYF: "OK, I redirect your request now to the Handle Service of your home org."
5. HS: "I don't know you. Please authenticate using WEBLOGIN."
6. The user presents credentials, which the HS checks against the user DB.
7. HS: "OK, I know you now. I redirect your request to the target, together with a handle."
8. SHAR (holding only the handle): "I don't know the attributes of this user. Let's ask the Attribute Authority."
9. AA (given the handle): "Let's pass over the attributes the user has allowed me to release." The attributes are returned to the SHAR.
10. Resource Manager (given the attributes): "OK, based on the attributes, I grant access to the resource."

Shibboleth Architecture (still photo, no moving parts)

Attribute Authority: Management of Attribute Release Policies
- The AA provides ARP management tools/interfaces
- Different ARPs for different targets
- Each ARP specifies which attributes and which values to release
- Institutional ARPs (default):
  - Administrative default policies and default attributes
  - Site can force include and exclude
- User ARPs managed via the "MyAA" web interface
- Release set determined by "combining" the default and user ARP for the specified resource

Typical Attributes in the Higher Ed Community (attribute: meaning; example)
- Affiliation: "active member of community"
- Entitlement: an agreed upon opaque URI; urn:mace:vendor:contract 1234
- OrgUnit: department; Economics Department
- EnrolledCourse: opaque course identifier; urn:mace:osu.edu:Physics 201

Trust, and Identifying Speakers
- Federations distribute files defining the trust fabric
- Individual sites can create bilateral trust
- When a target receives a request to create a session, the AuthN assertion must be signed by the origin (PKI validation), and the origin must be a member of a common federation
- When an origin receives a request for attributes, it must be transported across SSL. The name of the requestor (from the certificate) and the name of the user (mapped from the handle) are used to locate the appropriate ARP
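The origin-side pieces of the AA process above (steps 7 to 9), the ARP combining rule and the "requestor name plus user mapped from the handle" lookup can be seen together in one small model. The following is an added example written for this page, not Shibboleth's own code: the handle format, the ARP layout (include / force include / force exclude at the institutional level, add / remove at the user level), the user directory and the requester names are all constructed assumptions for illustration.

```python
"""Added example, not Shibboleth code: a simplified model of the origin side.

The Handle Service issues an opaque, short-lived handle after local login; the
Attribute Authority maps the handle back to the user, locates the ARP by
requester name and user, and releases only what the combined institutional
and user ARP allows.  Names, ARP layout and handle format are assumptions.
"""
import secrets
import time

HANDLE_TTL_SECONDS = 300  # assumed lifetime; real handles are also short-lived

# Constructed user directory, standing in for the enterprise attribute repository.
USER_DB = {
    "jdoe": {
        "eduPersonAffiliation": ["member", "student"],
        "eduPersonEntitlement": ["urn:mace:vendor:contract1234"],
        "ou": ["Economics Department"],
        "enrolledCourse": ["urn:mace:osu.edu:Physics201"],
        "mail": ["jdoe@example.edu"],
    }
}

# Institutional (default) ARP keyed by requester name, as read from its certificate.
# "include": released by default; "force_include": released regardless of the
# user's choices; "force_exclude": never released to this requester.
DEFAULT_ARP = {
    "shar.vendor.example.com": {
        "include": {"eduPersonAffiliation", "eduPersonEntitlement"},
        "force_include": {"eduPersonAffiliation"},
        "force_exclude": {"mail"},
    }
}

# Per-user ARPs as a "MyAA"-style interface would store them: the user may add
# or remove attributes for a given requester.
USER_ARP = {
    "jdoe": {
        "shar.vendor.example.com": {
            "add": {"ou", "mail"},
            "remove": {"eduPersonAffiliation", "eduPersonEntitlement"},
        }
    }
}


class HandleService:
    """Issues opaque handles bound to a locally authenticated user."""

    def __init__(self):
        self._handles = {}  # handle -> (username, expiry time)

    def issue_handle(self, username, now=None):
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(16)  # opaque: carries nothing about the user
        self._handles[handle] = (username, now + HANDLE_TTL_SECONDS)
        return handle

    def resolve(self, handle, now=None):
        """Map a handle back to its user; None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._handles.get(handle)
        if entry is None or entry[1] < now:
            return None
        return entry[0]


def combine_arps(default_arp, user_arp):
    """Release set: default include, adjusted by the user, then the site's
    force include / force exclude applied last so that they always win."""
    released = set(default_arp.get("include", set()))
    released |= user_arp.get("add", set())
    released -= user_arp.get("remove", set())
    released |= default_arp.get("force_include", set())
    released -= default_arp.get("force_exclude", set())
    return released


def attribute_authority(hs, handle, requester, now=None):
    """Answer a SHAR's attribute query.  None: handle rejected.  {}: nothing released."""
    username = hs.resolve(handle, now)
    if username is None:
        return None  # unknown or expired handle: refuse rather than guess
    default_arp = DEFAULT_ARP.get(requester)
    if default_arp is None:
        return {}  # no ARP for this requester, so nothing is released
    user_arp = USER_ARP.get(username, {}).get(requester, {})
    release_set = combine_arps(default_arp, user_arp)
    attrs = USER_DB[username]
    return {name: attrs[name] for name in sorted(release_set) if name in attrs}


if __name__ == "__main__":
    hs = HandleService()
    h = hs.issue_handle("jdoe")
    print(attribute_authority(hs, h, "shar.vendor.example.com"))
```

With the constructed policies, jdoe asked to withhold affiliation and entitlement and to add ou and mail; the site's force include keeps affiliation released and its force exclude keeps mail withheld, so the SHAR receives only eduPersonAffiliation and ou. The SHAR never sees the username, only the handle, and an expired or unknown handle yields a refusal rather than an empty attribute set, so the two cases stay distinguishable in logs.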

Target: Managing Attribute Acceptance
- Rules that define who can assert what...
  - MIT can assert
  - Chicago can assert
  - Brown CANNOT assert
- Important for entitlement values

Managing Authorization
- Federations will NOT require members to do business with each other
- Target manages an access control policy specifying what attributes must be supplied, and from which origins, in order to gain access to specific resources
- Rules are attribute based
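The target side of the two slides above (attribute acceptance: who may assert what, and the attribute-based access control policy) plus the federation membership check from the trust slide can be modelled as three checks applied in order. This is an added example written for this page, not Shibboleth's own code or policy format: the origin names, the federation membership table, the acceptance and access policies and the way entitlement values are scoped to an origin are all constructed assumptions.

```python
"""Added example, not Shibboleth code: a simplified model of the target side.

Three checks in the order the slides describe:
 1. the origin asserting the attributes must be in a federation the target belongs to;
 2. an attribute acceptance policy says which attributes, and which values, each
    origin may assert (entitlement values scoped per origin);
 3. an access control policy says which attribute values, from which origins,
    are required for a resource.
Origin names, policies and federation membership are constructed assumptions.
"""

# Trust fabric as the target sees it: origin name -> federation it belongs to.
# In practice this comes from federation-distributed files; constructed here.
FEDERATION_MEMBERS = {
    "urn:mace:inqueue:psu.edu": "InQueue",
    "urn:mace:inqueue:mit.edu": "InQueue",
    "urn:mace:inqueue:brown.edu": "InQueue",
}
TARGET_FEDERATIONS = {"InQueue"}  # federations this target is a member of

# Attribute acceptance policy: attribute -> {origin: allowed values}.
# An allowed-value set of None means "any value from this origin"; an origin
# absent from the inner dict may not assert that attribute at all.
ACCEPTANCE_POLICY = {
    "eduPersonAffiliation": {
        "urn:mace:inqueue:psu.edu": None,
        "urn:mace:inqueue:mit.edu": None,
        "urn:mace:inqueue:brown.edu": None,
    },
    # Entitlement values are tied to the origin that holds the contract, so no
    # other origin can assert them (the "Brown CANNOT assert" case).
    "eduPersonEntitlement": {
        "urn:mace:inqueue:psu.edu": {"urn:mace:vendor:contract1234"},
        "urn:mace:inqueue:mit.edu": {"urn:mace:vendor:contract5678"},
    },
}

# Access control policy: resource -> rules of (attribute, value, origins).
# Any one satisfied rule grants access; origins None means any trusted origin.
ACCESS_POLICY = {
    "/journals/physics": [
        ("eduPersonEntitlement", "urn:mace:vendor:contract1234",
         {"urn:mace:inqueue:psu.edu"}),
        ("eduPersonAffiliation", "member", {"urn:mace:inqueue:mit.edu"}),
    ],
}


def origin_trusted(origin):
    """Check 1: the asserting origin must share a federation with this target."""
    return FEDERATION_MEMBERS.get(origin) in TARGET_FEDERATIONS


def filter_attributes(origin, attributes):
    """Check 2: drop attributes and values this origin is not allowed to assert."""
    accepted = {}
    for name, values in attributes.items():
        rule = ACCEPTANCE_POLICY.get(name)
        if rule is None or origin not in rule:
            continue  # unknown attribute, or this origin may not assert it
        allowed = rule[origin]
        kept = [v for v in values if allowed is None or v in allowed]
        if kept:
            accepted[name] = kept
    return accepted


def authorize(resource, origin, attributes):
    """Check 3: True when an access rule is met by accepted attributes only."""
    if not origin_trusted(origin):
        return False
    accepted = filter_attributes(origin, attributes)
    for name, value, origins in ACCESS_POLICY.get(resource, []):
        if origins is not None and origin not in origins:
            continue
        if value in accepted.get(name, []):
            return True
    return False


if __name__ == "__main__":
    claim = {"eduPersonEntitlement": ["urn:mace:vendor:contract1234"]}
    for origin in ("urn:mace:inqueue:psu.edu", "urn:mace:inqueue:brown.edu"):
        print(origin, authorize("/journals/physics", origin, claim))
```

The ordering matters: filtering happens before the access rules are consulted, so an entitlement value asserted by an origin that is not allowed to assert it never reaches the authorization step, and an origin outside the target's federations is rejected before any attribute is looked at. The access rules themselves name both the attribute value and the origins it is accepted from, which is the "what attributes, and from which origins" wording of the slide.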

What are federations?
- Associations of enterprises that come together to exchange information about their users and resources in order to enable collaborations and transactions
- Built on the premise of:
  - Initially, "Authenticate locally, act globally"
  - Now, "Enroll and authenticate and attribute locally, act federally"
- Federation provides only modest operational support and consistency in how members communicate with each other
- Enterprises (and users) retain control over what attributes are released to a resource; the resources retain control (though they may delegate) over the authorization decision
- Over time, this will all change...

Shibboleth: Next Steps
- Full implementation of the trust fabric
- Supporting multi-federation origins and targets
- Support for dynamic content (library-style implementation in addition to web server plugins)
- Sysadmin GUIs for managing origin and target policy
- Grid, virtual organizations
- SAML V2.0, Liberty, WS-Fed
- NSF grant to Shibboleth-enable open source collaboration tools
- LionShare: federated P2P

Penn State Background
- 24 campus locations
- Distributed Computing Environment (DCE)
  - 184,556 principals
  - User managed groups
- MIT Kerberos V
  - Fully populated, production 4/1
- IBM's LDAP 5.1
  - eduPerson schema

Why Shibboleth at Penn State?
- True collaborative effort
- Open source / open standards
- Solves today's problems
- Leverages existing infrastructure
- Authentication agnostic
- Emphasis on privacy (FERPA)
- Positioned to co-exist with and support other federated identity solutions on the horizon
- We like Ken....

Pilot with WebAssign
- Summer 2002: ~20 students, 2 weeks, 1 course
- Fall 2002: ~200 students, 3 courses
- Spring 2003: ~1800 students; successful logins: 63,026; all courses at the UP location can use Shibboleth
- Now in "limited production"

WebAssign
- Historically, first two weeks: 25 to 30 questions/day, almost all of them login problems
- This semester: number of queries in the "Shibbilized" courses ~1 or 2/day, a reduction of ~85%
- Number of queries in the normal courses remains at ~15/day

Napster: online music service
- Requirement to "Authenticate locally, act globally". Sound familiar....
- Created 2 teams of PSU/Napster staff:
  - MDS caching server, networking, etc.
  - Authentication/registration process
  - Shibboleth

Penn State Origin Site
- 7 origin servers: 2 WebAssign, 5 Napster
- Load balanced using SLB
- Software: Shibboleth 1.1
- Hardware: IBM Blade HS20, 2.4 GHz processor, 2.5 GB memory

Penn State Origin Site
- Currently a member of InQueue
- One of the first sites to join InCommon
  - Reviewing the process, providing feedback
  - Participating in several workgroups
- Not using WAYF
- Used to access external web resources

Future Shibboleth
- Meteor Gateway
- AT&T Wireless
- Use Shibboleth to access AES from student web applications
- Use Shibboleth Phase II for non-web applications such as LionShare (P2P)
- Continue to pilot with library vendors
  - Currently working with JSTOR, OCLC
  - eZProxy
- Incorporate University of Michigan's Cosign (WebISO) with our origin site

THE END
Acknowledgements:
- Design team: David Wasley (U of C); RL "Bob" Morgan (U of Washington); Keith Hazelton (U of Wisconsin (Madison)); Marlena Erdos (IBM/Tivoli); Steven Carmody (Brown); Scott Cantor (Ohio State)
- Important contributions from: Ken Klingenstein (I2); Michael Gettes (Duke); Scott Fullerton (Madison)
- Coding: Derek Atkins (MIT); Parviz Dousti (CMU); Scott Cantor (OSU); Walter Hoehn (Columbia)