Shibboleth 1.2 Technical Overview: “So you thought 1.1 was complicated…” Scott Cantor, The Ohio State University and Internet2

Implementation Inputs (diagram on the slide, reconstructed from the section headings that follow)
- Origin site inputs (Origin Site Policy): Attribute Resolution, Attribute Release Policies, Configuration by Relying Party
- Shared inputs (Federation / Bilateral / Site Policy): Operational Metadata, Trust Metadata, Revocation Metadata
- Target site inputs (Target Site Policy): Request Mapping, Configuration by Application, Attribute Acceptance Policies

Origin Site Inputs: Attribute Resolution
- Mostly similar to 1.1 and backward compatible
- JDBC data connector revamped:
  - Pooling fixed
  - Queries can be parameterized by other data
  - Large degree of control over result set size
  - Support for client-side failover/redundancy

Origin Site Inputs: Attribute Release Policies
- A 1.1 ARP is expressed in terms of the requesting SHAR’s credential name.
- 1.2 supports the older approach, but uses the more abstract “providerId” identifier for 1.2 requesters, using operational metadata to establish which credential names are accepted for a given providerId.
- “Resource” is no longer part of the ARP model.
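The providerId-keyed ARP lookup described on this slide, as an added Python model that is not from the slides or the Shibboleth code base; the metadata, providerIds, credential names and attributes are constructed sample data:

```python
# Added example, not from the slides or the Shibboleth code base: a model of
# how a 1.2 origin keys its Attribute Release Policy on the requester's
# providerId, while still honouring a 1.1-style rule keyed on the SHAR's
# credential name. All providerIds, names and attributes are constructed.

# Constructed operational metadata: providerId -> credential names (e.g. TLS
# client-certificate subjects) that may assert that providerId.
METADATA = {
    "urn:example:sp:library": {"sp.library.example.edu", "sp2.library.example.edu"},
    "urn:example:sp:portal": {"portal.example.edu"},
}

# Constructed ARPs: 1.2 rules keyed by providerId, a legacy rule keyed by
# credential name for a 1.1 target that asserts no providerId.
ARP = {
    "urn:example:sp:library": {"eduPersonAffiliation", "eduPersonScopedAffiliation"},
    "urn:example:sp:portal": {"eduPersonAffiliation", "mail"},
}
LEGACY_ARP = {"oldshar.example.edu": {"eduPersonAffiliation"}}


def requester_key(credential_name, provider_id=None):
    """Return the ARP key for this request, or None if it must be refused.

    A 1.2 requester is accepted under its providerId only when the metadata
    lists the presented credential name for that providerId; otherwise any
    authenticated target could name another party's providerId and receive
    the attributes released to that party.
    """
    if provider_id is None:                      # 1.1-style requester
        return credential_name if credential_name in LEGACY_ARP else None
    if credential_name in METADATA.get(provider_id, set()):
        return provider_id
    return None


def release(attributes, credential_name, provider_id=None):
    """Filter resolved attributes down to what the ARP allows the requester."""
    key = requester_key(credential_name, provider_id)
    if key is None:
        return {}
    table = LEGACY_ARP if provider_id is None else ARP
    allowed = table.get(key, set())
    return {name: vals for name, vals in attributes.items() if name in allowed}
```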

Origin Site Inputs: Configuration by Relying Party
- New XML-based configuration of software settings, credential lookup, and policy.
- Target requests for authentication and attributes are mapped to a “Relying Party” (1.1 requests map to a default “legacy” section).
- Origin can vary key configuration settings on a per-relying-party basis:
  - Signing Credentials
  - Name Identifier Format

Shared Inputs: Operational/Site Metadata
- The 1.1 “Sites” format has been extended for 1.2.
- Origin-related additions are backward-compatible and ignored by 1.1 targets.
- New target-related metadata can be published in a separate file for 1.2 origins to consume without affecting 1.1 targets.
- Eventually a SAML 2.0-based format will be adopted and will be pluggable into 1.2 via replacement libraries.

Operational/Site Metadata
- Additions include elements that allow 1.2 targets to properly find and validate the AA to contact. The target has always supported contacting multiple locations for redundancy, but the metadata now permits origins to actually publish these locations (1.1 origins could only specify one, in band).
- A new element identifies service providers in the federation and lists:
  - Assertion Consumer Service (SHIRE) locations
  - Credential names usable during attribute queries

Shared Inputs: Trust Metadata
- 1.2 uses an altered, but similar, XML format to 1.1.
- Changes were made to better leverage an existing XML element and its supporting code in XML libraries.
- Regular expression matching was eliminated to reduce complexity.
- Supports external references to certificates in the file system.

Shared Inputs: Revocation Metadata
- Implementation focus is not on X.509 revocation, but some support is available for loading CRLs during certificate path validation.
- CRLs can be placed inside trust metadata files or loaded from the file system.
- Large CRL size = terrible OpenSSL performance.
- Opportunity for research into OCSP / XKMS, but not really about revocation so much as trust.

Target Site Inputs: Request Mapping
- Central tension is “integrate vs. duplicate”; the strategy is moving sharply toward duplication to achieve portability while adding features.
- With 1.2, Apache 1.x/2.x and IIS share a common pluggable model for mapping web requests to Shibboleth configuration; Apache commands are also supported (and required in some cases).
- Control of “protection scope” and session establishment is now fully flexible.

Target Site Inputs: Configuration by Application
- New XML-based configuration of software settings, credential lookup, and policy.
- All browser requests are input to the RequestMapper to produce an “applicationId” that locates the proper configuration.
- Target can vary key configuration settings on a per-application basis:
  - Origin-visible “providerId” (basis of ARPs)
  - TLS and signing credentials (the origin uses metadata to validate credentials against the requester’s providerId)
  - Metadata to use for sites, trust, revocation
  - Session behavior, cookie settings
  - Attributes to request, AAP filtering/export rules to apply
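The request-to-applicationId mapping and per-application settings described on the Request Mapping and Configuration by Application slides, as an added Python model that is not Shibboleth's own code; every host, path, providerId and credential name is constructed, and the fallback applicationId "default" is an assumption of this example:

```python
# Added example, not Shibboleth's own code: a minimal model of the 1.2
# target's RequestMapper. A browser request (host + path) is matched to an
# applicationId by longest path prefix, and that applicationId selects the
# per-application settings this slide lists. All names are constructed, and
# the fallback applicationId "default" is an assumption of this example.

from dataclasses import dataclass


@dataclass(frozen=True)
class AppConfig:
    provider_id: str         # origin-visible providerId, the basis of ARPs
    credential: str          # TLS/signing credential to present to the origin
    metadata: str            # sites/trust/revocation metadata set to consult
    session_lifetime: int    # session behaviour (seconds)
    attributes: tuple        # attributes to request from the AA


APPLICATIONS = {
    "default": AppConfig("urn:example:sp:portal", "portal-key", "federation", 3600, ("eduPersonAffiliation",)),
    "library": AppConfig("urn:example:sp:library", "library-key", "federation", 1800, ("eduPersonScopedAffiliation",)),
    "admin": AppConfig("urn:example:sp:admin", "admin-key", "bilateral", 600, ("eduPersonPrincipalName",)),
}

# Constructed request map: host -> (path prefix, applicationId, session required).
REQUEST_MAP = {
    "www.example.edu": [("/", "default", False), ("/secure/", "default", True), ("/secure/admin/", "admin", True)],
    "library.example.edu": [("/", "library", True)],
}


def map_request(host, path):
    """Return (applicationId, session_required); the longest matching prefix wins."""
    best = None
    for prefix, app_id, require_session in REQUEST_MAP.get(host, []):
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, app_id, require_session)
    if best is None:                     # unmapped host: assumed default application
        return "default", False
    return best[1], best[2]


def settings_for(host, path):
    """Resolve a request to the AppConfig the target will use for it."""
    app_id, require_session = map_request(host, path)
    return app_id, require_session, APPLICATIONS[app_id]
```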

Target Site Inputs: Attribute Acceptance Policies
- Uses the same format as 1.1
- Supports exporting the NameIdentifier from selected origins by “Format”
- Supports mapping multiple attributes to a single request header

Shibboleth 1.2 Summary: Origin
- Architected around multiple 1.2 relying party definitions, with a legacy mode for 1.1 targets.
- Does not use trust metadata; X.509 validation is still handled by mod_ssl, so the trust list is still global (1.3 will complete this transition).
- Supports multiple NameIdentifier formats for a wider variety of deployments.

Shibboleth 1.2 Summary: Target
- Target is multi-federation capable and can select credentials at runtime based on the origin site queried.
- All cryptographic checks and validation are done dynamically based on each Application’s configuration.
- Extends the session model to go beyond vhosts to an “application” model, using the Request Mapper to carve up the document space.

Shibboleth 1.2 Summary: Target
- Target implementation is more C++-oriented and defines abstract plugin APIs for:
  - Apache/IIS – SHAR communication
  - Session caching (and session ID generation)
  - Request Mapper
  - Metadata, Trust, Revocation
  - AAP
  - Access Control (preliminary)