Shibboleth: What is it and what is it good for?
Chad La Joie, Georgetown University
What Shibboleth is NOT
- Virtual/meta directory
- Identity management system
- Account provisioning system
- Authentication system
- Authorization system
What is Shibboleth?
- Web-based single sign-on system …
  – providing user attributes to services …
  – while protecting a user's identity …
  – using a standard, open protocol: SAML.
- Identity federation system …
  – based on multi-lateral trust & policy …
  – with policy enforcement at IdP & SP.
Shibboleth Components
- Identity Provider (IdP): the home organization entity that
  – authenticates users
  – releases attributes
- Service Provider (SP): a restricted-access service that speaks SAML
- WAYF (Where Are You From?): web app that redirects the user from the SP to their IdP
JSTOR Demo
Providing User Attributes
- The Identity Provider (IdP) pulls attributes from identity systems (LDAP, RDBMS, etc.)
- Attributes are made available to the application as HTTP headers
- Attributes can be anything:
  – academic: major, school, classes
  – groups and entitlements
- Provides the means for attribute-based authorization
Protecting User Identity
- An opaque identifier can be used, e.g. _820d ad28-8ac94fb3e6a1
- Different identifiers for each service
- Different identifiers for each new visit
- However, identifiers…
  – need not be opaque: netid, address
  – may be persistent across multiple visits
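The identifier kinds this slide contrasts, as an added example that is not from the presentation: an IdP derives a persistent identifier from a secret salt, the SP's entity ID and the user's netid (a keyed hash, the same general idea as the computed persistent identifier of Shibboleth 2.0 IdPs), so it is opaque, stable across visits at one SP and different at every other SP, while a transient identifier is fresh on every visit. The salt, netid, SP entity IDs and policy names are constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets

# Per-IdP secret salt: lives only in IdP configuration and is never released.
# Constructed value for this example.
IDP_SALT = b"constructed-example-salt-not-for-real-use"

def persistent_id(netid: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Opaque and stable across visits, but different for every SP.
    A keyed hash over (SP entity ID, netid): two SPs cannot join their records
    on it, and without the salt nobody can recompute it from a netid."""
    msg = sp_entity_id.encode() + b"!" + netid.encode()
    digest = hmac.new(salt, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def transient_id() -> str:
    """Opaque and fresh on every visit: even the same SP cannot link two sessions."""
    return "_" + secrets.token_hex(16)

def release_identifier(netid: str, sp_entity_id: str, policy: str) -> str:
    """IdP release policy per SP ("Policy Enforcement" slide): which identifier
    kind this SP receives.  The policy names are this example's own."""
    if policy == "transient":
        return transient_id()
    if policy == "persistent":
        return persistent_id(netid, sp_entity_id)
    if policy == "netid":          # the non-opaque case: correlatable everywhere
        return netid
    raise ValueError(f"unknown identifier policy: {policy!r}")
```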
Multi-Lateral Trust & Policy
- Technical trust: mutual endpoint authentication via digital key pairs
- Business trust: written and consented-to operational agreements
- Trust is established bi-laterally with the federation and used multi-laterally; similar to a PKI
Policy Enforcement
- IdP policy enforcement:
  – what identifiers to release
  – what attributes and values to release
  – which service providers to trust
- SP policy enforcement:
  – what attributes and values to accept
  – which identity providers to trust
Shibboleth 2.0
- Existing Shibboleth 1.3 functionality
- SAML 2.0 support: single sign-on, logout, attribute query
- Persistent name identifiers
- Java Service Provider
- Better documentation
- Platform for developing new features:
  – non-web-based systems
  – delegation/proxy support
What is it good for?
- Single sign-on
- Federated identities
- Customization and personalization: attributes, not just authorization
- Abstracting the location and access of user information: why should your app speak LDAP or SQL?
IdP Barriers to Entry
- Clean identity management systems: it's no longer just your mess/idiosyncrasies
- Policies: FERPA/HIPAA?
- Micro-group attribute provisioning
- Education
- Chicken and egg: where are the services?
SP Barriers to Entry
- Trust concerns: how do I know you're doing the right thing?
- Application adaptation: can your app use info outside its store?
- Security concerns: my castle, your gate
- Education
- Chicken & egg
Use Case: Project Vivarium
- A professional organization wants member access to JSTOR journals
- Members come from a wide range of organizations (higher ed, high schools, personal accounts)
- IP- and proxy-based restriction is not possible
Use Case: Project Vivarium Solution
- Establish entitlement attributes for each journal (not a collection of journals): urn:mace:jstor.org:entitlement:issn:
- Establish a professional-organization membership attribute: urn:mace:jstor.org:participant:vivarium
- Use persistent, but opaque, identifiers
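An SP-side check over the attributes described on the "Providing User Attributes" and "Policy Enforcement" slides and this use case, as an added example that is not from the presentation or from JSTOR: the application reads the entitlement values the Shibboleth SP has exposed to it (the SP joins multi-valued attributes with ";"), accepts only the values the asserting IdP is trusted for, and grants access per journal ISSN. The header names, the IdP entity IDs, the ISSN and the rule of which IdP may assert which values are assumptions.

```python
from dataclasses import dataclass

# Shibboleth SP joins multi-valued attributes with ";" before exposing them.
SEP = ";"
ENTITLEMENT_PREFIX = "urn:mace:jstor.org:entitlement:issn:"  # per-journal, from the slides
VIVARIUM = "urn:mace:jstor.org:participant:vivarium"         # membership, from the slides

# SP acceptance policy ("Policy Enforcement" slide): which IdPs are trusted and
# which value kinds each may assert.  Entity IDs and the split are assumptions.
TRUSTED_IDPS = {
    "https://idp.university.example/shibboleth": {"issn", "vivarium"},
    "https://idp.highschool.example/shibboleth": {"vivarium"},
}

@dataclass
class ShibRequest:
    """Values as set by the SP (Shib-Identity-Provider plus an entitlement
    header).  Trust them only behind the SP: the SP validated the SAML
    assertion and overwrote any client-supplied headers of the same name."""
    issuer: str        # entity ID of the asserting IdP
    entitlement: str   # ";"-separated entitlement values, may be empty

def accepted_values(req: ShibRequest) -> set[str]:
    """Keep only values the asserting IdP may assert; an unknown IdP yields nothing."""
    allowed = TRUSTED_IDPS.get(req.issuer, set())
    out = set()
    for value in (v.strip() for v in req.entitlement.split(SEP)):
        if value.startswith(ENTITLEMENT_PREFIX) and "issn" in allowed:
            out.add(value)
        elif value == VIVARIUM and "vivarium" in allowed:
            out.add(value)
    return out

def may_read_journal(req: ShibRequest, issn: str) -> bool:
    """Access is granted per journal, never per collection: that ISSN must be entitled."""
    return ENTITLEMENT_PREFIX + issn in accepted_values(req)

def is_vivarium_member(req: ShibRequest) -> bool:
    return VIVARIUM in accepted_values(req)
```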
The Prosperity Project
FEC & the Restricted Class
- Clearly defined audience for "advocacy" & "good government" messages
  – Managers, executives, shareholders: PAC solicitation, advocacy for candidates
  – All employees: voter registration, voting records, grassroots involvement
- Penalties include substantial civil fines
States & the Restricted Class
- Each state regulates its own elections
  – Ranges from unlimited corporate contributions and advocacy to no corporate involvement whatsoever
- Penalties also vary
  – Most severe: large personal fines for corporate officers, 10 years jail time, corporate charter is dissolved
BIPAC's Goals for a Turnkey Solution
- Protect employee privacy
- Eliminate the need to give employee data to third-party vendors
- Provide information relevant to the employee without additional sign-on or registration
Without Liberty…
- Employers had these options:
  – Do nothing: no political information shared with employees
  – Use paper-based communications only
  – Develop expensive in-house communications tools
  – Use third-party vendors to authenticate users and provide content
Turning Away 9 out of 10 Employees
"Would you be MORE LIKELY or LESS LIKELY to visit a website that requires you to register before you are allowed to view political or voter information?"
- 91% total less likely
Before… Copyright 2005, BIPAC
After…
Benefits
The Liberty Alliance Board and sponsor members include:
Benefits – Identity Protection
- Fewer authentication points
  – Easier to 'get it right' in fewer places
  – Easier to implement stronger authentication and anti-phishing mechanisms in fewer places
  – Users more likely to recognize imposter sites
  – Fewer places to update credentials after breaches
Benefits – Identity Protection
- Information in fewer places
  – With federation, less sensitive data is shared
  – Information is frequently identified differently at different sites, so it is harder to correlate
  – Data from one service provider may not help at another
  – Ability to retrieve up-to-date information when you need it, then discard it or rely on assertions
For More Information
BIPAC
th St NW, Suite 305
Washington DC 20006