Shibboleth: An Introduction

Shibboleth: An Introduction University of Pennsylvania SUG 13 October 2008

Agenda
Web Authentication at Penn
What is Shibboleth?
Benefits
How It Works
Shibboleth Flow
Next Steps

Web Authentication @ Penn
Web authentication services are in transition to a more secure and cost-effective architecture
Websec is targeted for decommissioning in June 2009 because of its maintenance costs and security vulnerabilities
CoSign is being implemented; it provides numerous benefits, from efficiencies in cost and security to positioning Penn for future strategic enhancements
Shibboleth is a logical extension of the CoSign web authentication implementation and adds single sign-on capabilities

What is Shibboleth?
An authentication and attribute query protocol built on the Security Assertion Markup Language (SAML), an XML-based standard
Open source and standards based (Internet2 Middleware Initiative)
Increasingly used in the education community
The Shibboleth "solution" is comprised of:
  A central Identity Provider, which authenticates users through CoSign
    Performs authentication
    Responds to attribute queries from the service provider(s)
    Issues authentication assertions to the service provider(s)
    Issues attribute assertions to the service provider(s)
  Service Providers, which protect web content
    An Apache module or IIS ISAPI filter, plus a daemon (shibd)
    Places the returned attributes in the web environment (HTTP headers or environment variables) for the application
Federation is not a component of the initial Shibboleth deployment
Target applications: University School and Center applications, and 3rd party vendor applications hosted at the University or at an external vendor site

Benefits
Shibboleth provides an alternative web authentication service for Penn applications, with CoSign as the authentication service for internal University applications and as the authentication backend of the Shibboleth identity provider
It supports integrated authentication with academic and business applications from 3rd party vendors that require PennKey authentication (e.g. Blackboard)
Authentication between trusted components is based on a common set of attributes
Users' privacy and identity are not compromised when accessing Shibboleth-protected services, resources and applications: the PennKey password is entered only at CoSign, and the service provider receives only the attributes the identity provider releases
Supports web Single Sign-On (SSO) for University services and applications
  SSO is a method of access control that lets the end user authenticate once with their credentials and then access resources in a secure realm without re-authenticating at each resource
  Applications within the realm share the user's logon session, not the credential itself
Shibboleth will support federated authentication (future initiative): interoperability between disparate identity management systems across organizations and security domains

How It Works
The user attempts to access a protected resource
The Shibboleth service provider intercepts the request and redirects the user to the identity provider with an authentication request
The user enters their PennKey and password and authenticates via CoSign
The identity provider collects a set of attributes for the user using its attribute resolver, which queries backend sources

How It Works (continued)
The identity provider releases the attributes permitted by its attribute release policy in response to the service provider's request
The assertion is placed into a SAML response message and the user's browser is redirected to the service provider
The user arrives at the assertion consumer service of the service provider, which unpacks the message, decrypts the assertion, and performs the required security checks (signature, issuer, audience, validity window, replay); it then extracts the attributes and other information from the message
The service provider either enforces access rules itself or passes the attributes to the application
The Shibboleth service provider places the authentication and attribute information in the web environment as HTTP headers or environment variables
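The assertion-consumer-service step above, as an added example (not Penn's or the Shibboleth project's code): it applies the checks a SAML 2.0 SP must perform before trusting an assertion (InResponseTo and Destination match our request, success status, trusted issuer, bearer confirmation, audience, validity window with clock skew, replay), then maps the attributes into the request environment the way the SP does, removing any client-supplied header of the same name first. The Response is constructed, the entity IDs and URLs are hypothetical, and XML-signature verification (and decryption of an EncryptedAssertion) is assumed to have been done by an XML-security library before these checks run.

```python
"""Assertion consumer service (ACS) checks on a SAML 2.0 Response. Added example, not
Penn's or the Shibboleth project's code; the Response is constructed and the entity
IDs and URLs are hypothetical. XML-signature verification (and decryption of an
EncryptedAssertion) is assumed to have been done by an XML-security library first."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"      # hypothetical
SP_ENTITY_ID = "https://app.example.edu/shibboleth"            # hypothetical
ACS_URL = "https://app.example.edu/Shibboleth.sso/SAML2/POST"  # hypothetical
ATTRIBUTE_MAP = {  # like the SP's attribute-map.xml: SAML attribute name -> local id
    "urn:oid:0.9.2342.19200300.100.1.1": "uid",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "affiliation",  # eduPersonAffiliation
}
# Constructed sample of what the IdP posts back once the user has logged in.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2008-10-13T14:00:00Z" InResponseTo="_req42" Destination="{ACS_URL}">
 <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-10-13T14:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject><saml:SubjectConfirmation Method="{BEARER}">
   <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{ACS_URL}" NotOnOrAfter="2008-10-13T14:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2008-10-13T13:59:00Z" NotOnOrAfter="2008-10-13T14:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"><saml:AttributeValue>member</saml:AttributeValue>
    <saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

class SamlError(Exception):
    """The Response failed a check; the SP would refuse to create a session."""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml, request_id, now, used_ids, skew=timedelta(seconds=180)):
    """Apply the ACS checks; return {local_id: [values]} for the mapped attributes."""
    root = ET.fromstring(xml)
    # The Response must answer an AuthnRequest we actually sent, at this endpoint.
    if root.get("InResponseTo") != request_id or root.get("Destination") != ACS_URL:
        raise SamlError("Response does not answer our AuthnRequest at this ACS endpoint")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlError("IdP did not report success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        raise SamlError("no Assertion (an EncryptedAssertion must be decrypted first)")
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlError("assertion issuer is not the trusted IdP")
    if a.get("ID") in used_ids:  # replay protection: each assertion is accepted once
        raise SamlError("assertion ID already consumed")
    # Bearer confirmation ties the assertion to this request, this endpoint and a deadline.
    scd = a.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != request_id:
        raise SamlError("bearer confirmation does not bind the assertion to this request")
    if now - skew >= _ts(scd.get("NotOnOrAfter")):
        raise SamlError("bearer confirmation expired")
    cond = a.find("saml:Conditions", NS)
    if cond is None or SP_ENTITY_ID not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlError("assertion is not addressed to this SP")
    if (cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore"))) or \
       (cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter"))):
        raise SamlError("assertion outside its validity window")
    used_ids.add(a.get("ID"))
    attrs = {}
    for att in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        local = ATTRIBUTE_MAP.get(att.get("Name"))
        if local:  # unmapped attributes are dropped, as the SP does
            attrs[local] = [v.text for v in att.findall("saml:AttributeValue", NS)]
    return attrs

def export_to_environment(attrs, environ):
    """Hand the attributes to the application the way the SP does. A client-supplied
    HTTP header of the same name is removed first (the SP's spoof check), so the
    application only sees values that came from the validated assertion."""
    for local, values in attrs.items():
        environ.pop("HTTP_" + local.upper().replace("-", "_"), None)
        environ[local] = ";".join(values)  # multi-valued attributes are joined with ';'
    return environ

def demo(minutes_after_issue=1, request_id="_req42", used_ids=None):
    """Run the sample through the checks at the given clock; return the exported
    environment on success or the rejection reason as a string."""
    now = _ts("2008-10-13T14:00:00Z") + timedelta(minutes=minutes_after_issue)
    try:
        attrs = validate_response(SAMPLE_RESPONSE, request_id, now, set() if used_ids is None else used_ids)
    except SamlError as e:
        return str(e)
    # HTTP_UID stands in for a header the client tried to inject ahead of the SP.
    return export_to_environment(attrs, {"HTTP_UID": "spoofed", "REMOTE_ADDR": "203.0.113.5"})
```

`demo()` accepts the sample and returns an environment with `uid=jdoe` and `affiliation=member;staff` and with the injected `HTTP_UID` removed; `demo(minutes_after_issue=10)` is rejected as expired, and passing the same `used_ids` set twice is rejected as a replay. In a real deployment these checks run in shibd and the Apache module, not in application code; the attributes reach the application as environment variables by default, and they become HTTP request headers only if `ShibUseHeaders On` is set, which the SP documentation discourages because a client can forge such headers on any path the module does not cover.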

Shibboleth Flow (diagram; only the component labels survived extraction): Web, Application, Shibboleth Service Provider, Shibboleth Identity Provider, Shibboleth Attribute Authority; backend sources: Grouper, CoSign, Kerberos

Next Steps
CoSign - Shibboleth
  Early 2009: pilot implementation and development of strategic implementation goals
  Mid-2009: available for supporting Penn authentication
Early adopter support
Shibboleth Internet2 site for documentation, configuration and installation: https://spaces.internet2.edu/display/SHIB2/Home