Shibboleth Trust Model

- Shibboleth/SAML Communities (aka Federated Administrations)
- Club Shib
- Club Shib application process
- Policy decision points: at the origin attribute authority; at the club level, for target and origin; at the target resource level
- Typical campus target management strategies

Shibboleth/SAML Communities (aka Clubs)

A group of organizations (universities, corporations, content providers, etc.) who agree to exchange attributes using the SAML/Shibboleth protocols. In doing so they implicitly or explicitly agree to abide by a common set of by-laws. The rules and functions associated with a community include:
- A registry to process applications and distribute club
- A URI that provides information on local authentication and authorization practices
- A set of agreements or best practices within the group on policies and business rules governing the exchange and use of attributes
- The set of attributes that are regularly exchanged (syntax and semantics)
- A mechanism (WAYF, "Where Are You From") to identify the user's home security domain, i.e. which origin should authenticate them

Club Shib

A co-op for higher education and its information providers.
- Members can be organizations that are origins (identity providers), targets (student loan services, content providers) or both (universities, museums, etc.)
- Associated functions:
  - Registry service, to be operated by Internet2 and open to all
  - eduOrg pointer to campus account management practices
  - Conventions on the management of exchanged attributes
  - Attribute sets (eduPerson and eduOrg) to use when exchanging attributes
  - WAYF done via the Wayfarer service

Club Shib In-laws

- Operational requirements
  - system PKI certificate profiles
  - install handle server at hs.yourschool.edu, etc.
- Trust conventions
  - targets don't misuse attributes
  - origins answer faithfully
  - origins post their account management policies

Club Shib Registry Service

- Receives and processes applications
- Operates Wayfarer (tm Jeff Hodges): origin sites are listed, target sites can use it
- Ensures uniqueness of key identifiers among community members
- Houses the PKI components of Shib: institutional signing keys, and bridging if important

Club Shib Application Process

- Complete origin/target Shibboleth tech info as required
- Implement eduPerson and eduOrg?
- Plug origins (campuses) into Wayfarer

Campus Account Practices

- Account affiliations/authorizations are set appropriately
- Initial identification/password assignment process for accounts
- Authentication mechanisms for account use
- Policy on the reuse of account names (ePPN)
- Business logic for key attributes, as the need surfaces
  – "member of community"
  – primary affiliation

Target Policy Decision Points

- At the club level (basic firewall level)
- At the target resource level
- At the origin attribute authority

Campus Management Strategies

- Technical
  - SHAR (Shibboleth Attribute Requester) for general Club Shib access
  - SHAR for more restricted sites (exclude origins with overly broad or sloppy practices)
  - Cluster sites with similar restrictions in a web tree
- Policy
  - Account management
  - Directory and attribute management
  - Setting the defaults
  - Operating an attribute authority
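The three decision points from the "Target Policy Decision Points" slide, plus the general/restricted SHAR split from the campus strategies, modelled end to end. This is an added example and not Shibboleth code: every hostname, key, ARP entry and attribute value is constructed, the function names (origin_release, club_accept, resource_decision, decide) are hypothetical, and an HMAC over a canonical serialisation stands in for the registry-housed X.509 institutional signing keys so the walk-through runs without a PKI. What it shows is the layering: the origin's ARP decides what leaves campus, the target's club-level check decides whose assertions are admitted at all (registry membership, per-SHAR exclusion, signature), and only then does the resource's own rule look at attribute values.

```python
"""Toy model of the three policy decision points in the Shibboleth trust model.

Added example, not Shibboleth code. All names, keys and attribute values are
constructed; HMAC stands in for the registry's X.509 institutional signing keys.
"""
import hashlib
import hmac
import json

# Club registry as distributed to targets (constructed sample). Membership in
# this table is what the club-level decision turns on.
CLUB_REGISTRY = {
    "hs.alpha.example.edu": {"key": b"alpha-signing-key",
                             "policy_uri": "https://alpha.example.edu/practices"},
    "hs.beta.example.edu": {"key": b"beta-signing-key",
                            "policy_uri": "https://beta.example.edu/practices"},
}

# Attribute set the club agrees to exchange (eduPerson names); anything else
# is dropped when the target admits the assertion.
CLUB_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonAffiliation",
                   "eduPersonEntitlement"}


def _signed_bytes(origin, attrs):
    # Canonical serialisation so origin and target sign/verify the same bytes.
    return json.dumps({"origin": origin, "attrs": attrs}, sort_keys=True).encode()


# --- PDP 1: the origin attribute authority, governed by its ARP ---
def origin_release(arp, target, user_attrs):
    """Apply an attribute release policy: per-target (and default "*") lists
    of attribute names the origin is willing to give this target."""
    allowed = set(arp.get(target, [])) | set(arp.get("*", []))
    return {name: val for name, val in user_attrs.items() if name in allowed}


def origin_assert(origin, key, attrs):
    """Sign the released attributes with the origin's registered key."""
    sig = hmac.new(key, _signed_bytes(origin, attrs), hashlib.sha256).hexdigest()
    return {"origin": origin, "attrs": attrs, "sig": sig}


# --- PDP 2: club level, the "basic firewall" at the target's SHAR ---
def club_accept(assertion, excluded=frozenset(), registry=CLUB_REGISTRY):
    """Admit an assertion only from a registered origin that this SHAR has not
    excluded, and only if the signature verifies under the registered key.
    Returns (attrs, reason); attrs is None on rejection."""
    origin = assertion["origin"]
    if origin not in registry:
        return None, "origin not in club registry"
    if origin in excluded:
        return None, "origin excluded by this SHAR's policy"
    expected = hmac.new(registry[origin]["key"],
                        _signed_bytes(origin, assertion["attrs"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None, "signature does not verify"
    attrs = {n: v for n, v in assertion["attrs"].items() if n in CLUB_ATTRIBUTES}
    return attrs, "admitted"


# --- PDP 3: the target resource level ---
def resource_decision(rules, attrs):
    """rules maps an attribute name to the set of values that satisfy it;
    every rule must be met by at least one value the user carries."""
    for name, acceptable in rules.items():
        if not acceptable & set(attrs.get(name, [])):
            return False, f"missing {name} in {sorted(acceptable)}"
    return True, "granted"


def decide(assertion, rules, excluded=frozenset()):
    """Run PDP 2 then PDP 3; PDP 1 has already happened at the origin."""
    attrs, reason = club_accept(assertion, excluded)
    if attrs is None:
        return False, reason
    return resource_decision(rules, attrs)


# Constructed walk-through: one user at the "alpha" origin.
ALPHA_ARP = {"*": ["eduPersonPrincipalName", "eduPersonAffiliation"],
             "loans.example.org": ["eduPersonEntitlement"]}
ALPHA_USER = {"eduPersonPrincipalName": ["jdoe@alpha.example.edu"],
              "eduPersonAffiliation": ["member", "student"],
              "eduPersonEntitlement": ["urn:mace:example.org:loans"],
              "sn": ["Doe"], "givenName": ["Jane"]}


def demo():
    key = CLUB_REGISTRY["hs.alpha.example.edu"]["key"]
    # ARP: a content provider gets ePPN and affiliation, never name or entitlement.
    released = origin_release(ALPHA_ARP, "content.example.org", ALPHA_USER)
    assertion = origin_assert("hs.alpha.example.edu", key, released)
    general = {"eduPersonAffiliation": {"member"}}            # general-access SHAR
    restricted = {"eduPersonAffiliation": {"faculty", "staff"}}  # stricter resource
    tampered = dict(assertion, attrs=dict(assertion["attrs"],
                                          eduPersonAffiliation=["faculty"]))
    unknown = origin_assert("hs.rogue.example", b"any-key", released)
    return {
        "released": sorted(released),
        "general": decide(assertion, general),
        "restricted": decide(assertion, restricted),
        "excluded": decide(assertion, general, excluded={"hs.alpha.example.edu"}),
        "tampered": decide(tampered, general),
        "unknown": decide(unknown, general),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} {result}")
```

The "excluded" case is the restricted-SHAR strategy from the slide: the same signed, registry-valid assertion is refused by a SHAR whose local exclusion list names that origin, before any attribute value is examined. The "tampered" case shows why the registry houses signing keys: an attribute promoted to "faculty" after signing fails at club level, so the resource rule never sees it.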

Multiple Clubs and Their Consequences

- Communities form clubs (Meteor, NDSL, Liberty), each with by-laws and membership committees
- Within a club, members decide per-site policies that are consistent with the overall club policies and procedures
- Balancing where and what to manage
- Strength of I/A (identification/authentication) is a repeated theme within and among clubs
- User interface issues: attribute management; levels of authentication; logging in and out
- A virtual Border Gateway Protocol (BGP)