JISC Shibboleth Briefing, 12-Mar-2004: Everything I always wanted to know about Shibboleth (…but was afraid to ask). John Paschoud, SECURe Project, LSE Library.


Everything I always wanted to know about Shibboleth …but was afraid to ask
John Paschoud, SECURe Project, LSE Library
Alan Robiette

[contents]
- What is Shibboleth
- How it works
- Why Shibboleth
- Implications for Institutions (Origins)
- Implications for Resource-hosts (Targets)
[with lots of credit and © to Michael Gettes, and others of the NSF Middleware Initiative, for making most of the slides for me]

What is Shibboleth? (Biblical)

A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce "sh", called the word sibboleth. See Judges xii. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.
[Webster's Revised Unabridged Dictionary (1913)]

[Judges, ch12, v5-6 (New American Standard)]
The Gileadites captured the fords of the Jordan opposite Ephraim. And it happened when {any of} the fugitives of Ephraim said, "Let me cross over," the men of Gilead would say to him, "Are you an Ephraimite?" If he said, "No," then they would say to him, "Say now, 'Shibboleth.'" But he said, "Sibboleth," for he could not pronounce it correctly. Then they seized him and slew him at the fords of the Jordan.

The greatest needs of the Collectivist movement in England appear to me: Diffusion of economic and political knowledge of a real kind - as opposed to Collectivist shibboleths, and the cant and claptrap of political campaigning.
[Sidney Webb: memorandum to LSE Trustees meeting on 8th Feb 1894]

What is Shibboleth? (modern era)
- An initiative to develop an architecture and policy framework supporting the sharing, between domains, of secured web resources and services
- A project delivering an open source implementation of the architecture and framework
- Deliverables:
  - Software for Origins (campuses)
  - Software for Targets (vendors)
  - Operational Federations (scalable trust)

So… What is Shibboleth?
- A Web Single Sign-on System (SSO)?
- An Access Control Mechanism for Attributes?
- A Standard Interface and Vocabulary for Attributes?
- A Standard for Adding Authn and Authz to Applications?

Shibboleth Goals
- Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions
- Provide security while not degrading privacy
  - Attribute-based Access Control
- Foster inter-realm trust fabrics: federations and virtual organizations
- Leverage campus expertise and build rough consensus
- Influence the marketplace; develop where necessary
- Support for heterogeneity and open standards

Attribute-based Authorization
- Identity-based approach
  - The identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access.
  - This approach requires the user to trust the target to protect privacy.
- Attribute-based approach
  - Attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision.
  - This approach does not degrade privacy: the target learns only the attributes it needs for the decision, not who the user is.

Shibboleth Status
- V1.1 available August 2003
- Relatively straightforward to install, provided there is good web services understanding and middleware infrastructure (authentication, directories, webISO, etc.)
- Target works with Apache and IIS; origin is Java
- V2.0 likely to include portal support
- Work underway on some of the essential management tools such as attribute release managers, target resource management, etc.
- Can take between 3 hours and 3 years to install
  - How much infrastructure (core middleware) do you already have?

Shibboleth Status
- Likely to coexist well with Liberty Alliance and may work within the WS framework from Microsoft
- Growing development interest in several countries, providing resource manager tools, digital rights management, listprocs, etc.
- Used by several federations today: NSDL, InQueue, SWITCH, and several more soon (JISC, Australia, etc.)

How Does it Work? Hmmmm…. It's magic.

High Level Architecture
- Federations provide common Policy and Trust
- Destination and origin site collaborate to provide a privacy-preserving "context" for Shibboleth users
- Origin site authenticates user, asserts Attributes
- Destination site requests attributes about user directly from origin site
- Destination site makes an Access Control Decision
- Users (and origin organizations) can control what attributes are released

Technical Components
- Origin Site: Required Enterprise Infrastructure
  - Authentication
  - Attribute Repository
- Origin Site: Shib Components
  - Handle Server
  - Attribute Authority
- Target Site: Required Enterprise Infrastructure
  - Web Server (Apache or IIS)
- Target Site: Shib Components
  - SHIRE
  - SHAR
  - WAYF
  - Resource Manager

Shibboleth Architecture (still photo, no moving parts)

Shibboleth AA Process
[Diagram. Parties: Users; Resource Owner (target: Resource, SHIRE, SHAR, Resource Manager); WAYF; Home Org (HS, User DB, AA). Numbered exchange as drawn:]
1. The user requests the Resource at the target.
2. SHIRE: "I don't know you. Not even which home org you are from. I redirect your request to the WAYF."
3. WAYF: "Please tell me where you are from?"
4. WAYF: "OK, I redirect your request now to the Handle Service of your home org."
5. HS: "I don't know you. Please authenticate using WEBLOGIN."
6. The user presents credentials; the HS checks them against the User DB.
7. HS: "OK, I know you now. I redirect your request to the target, together with a handle."
8. SHAR (holding the handle): "I don't know the attributes of this user. Let's ask the Attribute Authority."
9. AA: "Let's pass over the attributes the user has allowed me to release." (attributes returned to the SHAR)
10. Resource Manager: "OK, based on the attributes, I grant access to the resource."
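Steps 7 to 10 of that exchange, together with the attribute-based approach from the earlier "Attribute-based Authorization" slide, as an added example in Python that is not part of the presentation or of the Shibboleth software: a toy Handle Service and Attribute Authority on the origin side, a SHAR request and Resource Manager decision on the target side. Everything in it is constructed for illustration: the two users, the two target identifiers, the attribute release policy, and the handle format (a random token; the real 1.x exchange carried the handle in a SAML authentication assertion and made the attribute query over mutually authenticated TLS, neither of which this model reproduces).

```python
# Toy model of the Shibboleth 1.x origin/target exchange. Added example, not
# Shibboleth project code; users, targets and policy below are constructed.
import secrets
from typing import Dict, List, Optional, Set, Tuple

# Constructed origin directory (hypothetical people at a hypothetical origin).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "jsmith": {
        "eduPersonPrincipalName": ["jsmith@origin.example.ac.uk"],
        "eduPersonAffiliation": ["member", "staff", "librarian"],
        "mail": ["j.smith@origin.example.ac.uk"],
    },
    "astudent": {
        "eduPersonPrincipalName": ["astudent@origin.example.ac.uk"],
        "eduPersonAffiliation": ["member", "student"],
        "mail": ["a.student@origin.example.ac.uk"],
    },
}

# Constructed attribute release policy keyed by target (SHAR) identifier:
# the database vendor gets role information only, never an identifier.
VENDOR = "https://db.vendor.example/shar"
CAMPUS_PORTAL = "https://portal.origin.example.ac.uk/shar"
RELEASE_POLICY: Dict[str, Set[str]] = {
    VENDOR: {"eduPersonAffiliation"},
    CAMPUS_PORTAL: {"eduPersonAffiliation", "eduPersonPrincipalName"},
}


class HandleService:
    """Origin side. After WEBLOGIN succeeds, mints a random handle bound to
    the authenticated user and to the one target it was issued for."""

    def __init__(self, ttl_seconds: float = 300.0):
        self.ttl = ttl_seconds
        self._issued: Dict[str, Tuple[str, str, float]] = {}

    def issue(self, uid: str, target: str, now: float) -> str:
        handle = secrets.token_urlsafe(16)  # opaque: reveals nothing about uid
        self._issued[handle] = (uid, target, now + self.ttl)
        return handle

    def resolve(self, handle: str, target: str, now: float) -> Optional[str]:
        entry = self._issued.pop(handle, None)  # single use: a replay fails
        if entry is None:
            return None
        uid, bound_target, expiry = entry
        if bound_target != target or now > expiry:
            return None  # presented by the wrong target, or too late
        return uid


class AttributeAuthority:
    """Origin side. Answers a SHAR's request for the attributes behind a
    handle, releasing only what the policy allows for that target."""

    def __init__(self, hs: HandleService):
        self.hs = hs

    def attributes_for(self, handle: str, target: str, now: float) -> Dict[str, List[str]]:
        uid = self.hs.resolve(handle, target, now)
        if uid is None:
            return {}
        allowed = RELEASE_POLICY.get(target, set())
        return {n: v for n, v in DIRECTORY[uid].items() if n in allowed}


def resource_manager_decision(attrs: Dict[str, List[str]], required: str) -> bool:
    """Target side. Grants if the required affiliation was released."""
    return required in attrs.get("eduPersonAffiliation", [])


def run_flow(uid: str, target: str, required: str, now: float = 0.0):
    """Steps 7-10 for one fresh session: handle issued, SHAR asks the AA,
    Resource Manager decides. Returns (released attributes, decision)."""
    hs = HandleService()
    aa = AttributeAuthority(hs)
    handle = hs.issue(uid, target, now)             # 7: redirect with handle
    attrs = aa.attributes_for(handle, target, now)  # 8-9: SHAR asks, AA releases
    return attrs, resource_manager_decision(attrs, required)  # 10


def replay_and_misuse(now: float = 0.0):
    """Conditions the origin must refuse: a replayed handle, a handle
    presented by a different target, a handle presented after its lifetime."""
    hs = HandleService(ttl_seconds=60.0)
    aa = AttributeAuthority(hs)
    h1 = hs.issue("jsmith", VENDOR, now)
    first = aa.attributes_for(h1, VENDOR, now)
    replayed = aa.attributes_for(h1, VENDOR, now)
    h2 = hs.issue("jsmith", VENDOR, now)
    wrong_target = aa.attributes_for(h2, CAMPUS_PORTAL, now)
    h3 = hs.issue("jsmith", VENDOR, now)
    expired = aa.attributes_for(h3, VENDOR, now + 61.0)
    return first, replayed, wrong_target, expired


if __name__ == "__main__":
    print(run_flow("jsmith", VENDOR, "librarian"))
    print(run_flow("astudent", VENDOR, "librarian"))
    print(replay_and_misuse())
```

Running it shows the vendor target receiving only eduPersonAffiliation (no name, no e-mail), so the librarian gets the elevated access and the student does not, while the campus portal also receives eduPersonPrincipalName under its own policy entry; `replay_and_misuse` shows the three cases in which the Attribute Authority must answer with nothing at all.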

[Diagram from the Shibboleth Architecture document, built up over four slides. Origin: University Authentication System, Enterprise Directory, Handle Service (3), Attribute Authority (4). Target: Resource Provider, HTTP Server, SHIRE (3b), Local Navigation Page (1).]

Why Shibboleth? Security
- Better security tools will make collaboration more "painless" and more secure
- Current "solutions" are primitive; we can do better today and without local overhaul
- Shibboleth simplifies management and use of distributed systems

Why Shibboleth? Improved Access Control
- Use of attributes allows fine-grained access control
- Simplifies management of access to extended functionality
  - Librarians, based on their role, are given a higher-than-usual level of access to an online database to which a college might subscribe.
  - Librarians and publishers can enforce complicated license agreements that may restrict access to special collections to small groups of faculty researchers

Why Shibboleth? Federated Administration
- Leverages existing middleware infrastructure at origin (authN, dir)
  - Users registered only at their "home" or "origin" institution
  - Target does NOT need to create new userids
- Flexibly partitions responsibility, policy, technology, and trust
- Authorization information sent, instead of authentication information
  - when possible, use groups instead of people on ACLs
  - identity information still available for auditing and for applications that require it

Why Shibboleth? Privacy
- Higher Ed has privacy obligations
  - In US, "FERPA" requires permission for release of most personal identification information; encourages least privilege in information access
  - In UK, DPA places similar obligations on institutions
- General interest and concern for privacy is growing
- Shibboleth has active (vs. passive) privacy provisions "built in"

Benefits to Campuses
- Much easier inter-domain integration
  - With other campuses
  - With off-campus vendor systems
- Integration with other campus systems, intra-domain
  - LMS
  - Med School……
- Ability to manage access control at a fine-grained level
- Allows personalization, without releasing identity
- Implement Shibboleth once…
  - And then just manage attributes that are released to new targets

Benefits to Targets/Vendors
- Unified authentication mechanism from the vendor perspective
  - Much more scalable
  - Much less integration work required to bring a new customer online
- Ability to implement fine-grained access control (e.g. access by role), allowing customer sites to effectively control access by attributes and thus control usage costs, by not granting access unnecessarily
- Once the initial Shibboleth integration work has been completed on the vendor's systems
  - The incremental cost of adding new customers is relatively minimal
  - In contrast to the current situation, requiring custom work for each new customer
- Ability to offer personalization
- If your customers have Shibboleth implemented, easy implementation for them

Implications for Resource-hosts
- Similar front-end implementation requirement as for Athens target
- No license fee
- OSS means customisations are possible (e.g. for personalisation, pass-thru of vendor portal to item-level links, etc.)
- Need for agreement on role attributes (eduPerson) for access decisions

Implications for Institutions
- Less duplicated end-user admin than with Athens
  - (similar to AthensDA)
- Need for agreement on role attributes (eduPerson) for end-user description
- Many don't yet have standards-based supporting services (SSO, enterprise directories)
  - (but new costs would largely replace & improve, rather than add to, existing ad-hoc AM mechanisms)

[LSE/SECURe AM infrastructure]

Implications for UK infrastructure
- No dependency on a VERY LARGE centralised database
- Need for implementation of a national WAYF service
  - better than current end-user interface model
  - (new WAYF options being developed)
- Lower shared costs?
  - (but greater costs devolved to institutions)
oleth/WAYF/index.html

Got SHIB?