WS 09/10 Seminar: Security / Identity Management
Single Sign-on: Shibboleth
Presentation: Elke Weber, 01 December 2009
Structure
- Single sign-on: introduction, pros and cons, overview
- Shibboleth: applications, federations; functionality: single sign-on / single logout
- Discussion
- Summary
What is single sign-on?
- Access control for multiple related but independent software systems
- The user logs in once and gains access to all of these systems
- → Single sign-out
Pros & Cons
Pros:
- Uniform authentication mechanism
- Users only have to remember one login name and password
- The password can be chosen to be more complex
- Reduction of costs (easier to maintain)
Cons:
- Single point of failure (security problems and traffic load)
- Central storage of personal data (data protection laws)
- Data tracking
Solutions
- Central sign-on server: e.g. Yahoo!, MSN (Passport), Central Authentication Service (CAS)
- Password manager, Microsoft's Identity Metasystem
- Circle of trust: e.g. Kerberos, Liberty Alliance Project
Single sign-on to multiple services (diagram)
PEP = "Policy Enforcement Point"
Shibboleth
- Standards-based, open source software package for web single sign-on, released under the Apache Software License
- Implements OASIS' Security Assertion Markup Language (SAML) (OASIS: Organization for the Advancement of Structured Information Standards)
- Extended privacy functionality allowing the browser user and their home site to control the attributes released to each application → Attribute-Based Access Control (ABAC)
Shibboleth
The term originates from the Hebrew word "shibbólet". Book of Judges, chapter 12:
"Gilead then cut Ephraim off from the fords of the Jordan, and whenever Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you an Ephraimite?' If he said, 'No,' they then said, 'Very well, say Shibboleth.' If anyone said, 'Sibboleth', because he could not pronounce it, then they would seize him and kill him by the fords of the Jordan. Forty-two thousand Ephraimites fell on this occasion."
Shibboleth (no text extracted from this slide)
Shibboleth Federations
Federations of universities, companies and government agencies, e.g.:
- DFN-AAI (Germany)
- InCommon (US)
- SWITCHaai (Switzerland)
- The UK federation
- Federation Education-Recherche (France)
- ...
Shibboleth® Enabled Applications and Services
- Information providers: American Chemical Society, Elsevier ScienceDirect, H.W. Wilson, National Science Digital Library (NSDL), Online Computer Library Center (OCLC), Schweizerisches Bundesgericht, ...
- Learning management systems: Blackboard, Moodle, OLAT - Online Learning and Training, WebAssign, WebCT, ...
- Other systems: DokuWiki, Google Apps / GridShib, Horde, Microsoft, Napster, WordPress, ...
Shibboleth Requirements and Specifications
- No modification of client software
- Identity Provider (IdP) is written in Java
- Service Provider (SP) runs in Apache, Internet Locator Server (IIS) or Netscape Server Application Programming Interface (NSAPI) → can be proxied into Java and other web servers
- Supports the SAML 2.0 Web Browser SSO Profile, CardSpace, Shibboleth Profile, SAML 1.1, LDAP, Kerberos, ...
Shibboleth Login Procedure – Simple Overview 1 (no text extracted from this slide)
Shibboleth Login Procedure – Simple Overview 2
DEMO: Identity Provider and Service Provider demo hosts wayf-test.switch.ch, dukono.switch.ch, kohala.switch.ch/secure/
Shibboleth Situation Overview (no text extracted from this slide)
Shibboleth Discovery (steps 1-3)
STEP 1 request:  GET ... (protected resource)
STEP 1 response: 302 FOUND (REDIRECT); Set-Cookie: _shibstate_ca2f2... value=... path=/; Location: ...?entityID=...&return=...
STEP 2 request:  GET ...?entityID=...&return=...
STEP 2 response: 200 OK [WAYF DROPDOWN HTML PAGE]
STEP 3 request:  POST ...; POSTDATA: entityID=..., return=..., user_idp=...
STEP 3 response: 302 FOUND (REDIRECT); Location: ...?SAMLDS=1&target=cookie&entityID=...
Shibboleth Session initiation and authentication request (steps 4-7)
STEP 4 request:  GET ...?SAMLDS=1&target=cookie&entityID=...; Cookie: _shibstate_ca2f2... value=...
STEP 4 response: 200 OK [AUTHN REQUEST POST FORM HTML PAGE]
STEP 5 request:  POST ...; POSTDATA: RelayState=cookie, SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczp...
STEP 5 response: 302 MOVED TEMPORARILY (REDIRECT); Set-Cookie: JSESSIONID value=C22C16A197CBA1A577EF5D996 Path=/idp Secure; Location: ...
STEP 6 request:  GET ...; Cookie: JSESSIONID value=C22C16A197CBA1A577EF5D996
STEP 6 response: 302 MOVED TEMPORARILY (REDIRECT); Location: ...?actionUrl=/idp/Authn/UserPassword
STEP 7 request:  GET ...?actionUrl=/idp/Authn/UserPassword; Cookie: JSESSIONID value=C22C16A197CBA1A577EF5D996
STEP 7 response: 200 OK [USERNAME PASSWORD LOGIN FORM HTML PAGE]
Shibboleth Authentication, attribute statement and access (steps 8-10)
STEP 8 request:  POST ...; POSTDATA: j_username=demouser, j_password=demo; Cookie: JSESSIONID value=C22C16A197CBA1A577EF5D996
STEP 8 response: 200 OK; Set-Cookie: _idp_session value=4m2ETlKYtvbNEmBzVNo3UHLuKSdo3HqTUqAmeZiar94= Path=/idp; [ASSERTION POST FORM HTML PAGE]
STEP 9 request:  POST ...; POSTDATA: RelayState=cookie, SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGl...; Cookie: _shibstate_ca2f2... value=https%3A%2F%2Faai-demo.switch.ch%2Fsecure
STEP 9 response: 302 FOUND (REDIRECT); Set-Cookie: _shibstate_ca2f2... value= path=/; Set-Cookie: _shibsession_ca2f2... value=_0b6d4e89d2e9cf2a2c9de0; Location: ...
STEP 10 request:  GET ...; Cookie: _shibstate_ca2f2... value=...; Cookie: _shibsession_ca2f2... value=_0b6d4e89d2e9cf2a2c9de0
STEP 10 response: 200 OK [RESOURCE HTML PAGE]
STEP 10 access rule, content of secure/.htaccess:
  AuthType shibboleth
  ShibRequireSession On
  require valid-user
Shibboleth The whole login procedure (no text extracted from this slide)
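The ten steps traced on the discovery, session-initiation and access slides, modelled as an added example in Python. This is not code from the presentation or from the Shibboleth project: the entity IDs, the IdP signing key, the demo user, the assertion lifetime and all cookie values are constructed, and an HMAC stands in for the XML signature on the assertion. What it shows is the set of checks the SP performs in step 9 before it issues the _shibsession_ cookie that step 10's "require valid-user" relies on: signature, audience, InResponseTo against the outstanding _shibstate_ request, validity window and one-time use.

```python
"""Added example, not code from the presentation or the Shibboleth project:
a model of the SAML Web Browser SSO exchange traced in steps 1-10, showing
the checks the Service Provider must make on the returned assertion before
it issues a _shibsession_ cookie. HMAC stands in for XML-DSig; entity IDs,
keys, the demo user and all cookie values are constructed."""
import base64, hashlib, hmac, json, secrets, time

IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"  # constructed
SP_ENTITY_ID = "https://sp.example.org/shibboleth"        # constructed
IDP_KEY = b"constructed-idp-signing-key"                  # constructed
ASSERTION_LIFETIME = 300                                  # seconds, constructed


def canonical(obj) -> bytes:
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, obj) -> str:
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Steps 6-8: login form, password check, signed assertion."""

    def __init__(self, users):
        self.users = users  # username -> password (constructed)

    def authenticate(self, saml_request, username, password):
        if self.users.get(username) != password:
            return None  # the IdP shows the login form again
        request = json.loads(base64.b64decode(saml_request))
        now = time.time()
        assertion = {
            "ID": "_" + secrets.token_hex(16),
            "Issuer": IDP_ENTITY_ID,
            "Audience": request["Issuer"],  # only the requesting SP may use it
            "InResponseTo": request["ID"],  # binds the response to the request
            "NameID": username,
            "NotBefore": now,
            "NotOnOrAfter": now + ASSERTION_LIFETIME,
        }
        response = {"Assertion": assertion, "Signature": sign(IDP_KEY, assertion)}
        return base64.b64encode(canonical(response)).decode()


class ServiceProvider:
    """Steps 1-5 (AuthnRequest, _shibstate_) and 9-10 (verify, session, access)."""

    def __init__(self):
        self.pending = {}   # _shibstate_ cookie -> outstanding request
        self.sessions = {}  # _shibsession_ cookie -> principal
        self.seen = set()   # assertion IDs already consumed (replay guard)

    def initiate(self, target):
        request = {"ID": "_" + secrets.token_hex(16), "Issuer": SP_ENTITY_ID}
        state_cookie = "_shibstate_" + secrets.token_hex(4)
        self.pending[state_cookie] = {"id": request["ID"], "target": target}
        return state_cookie, base64.b64encode(canonical(request)).decode()

    def consume(self, state_cookie, saml_response, now=None):
        """Step 9: returns (session_cookie, target) or (None, reason)."""
        pending = self.pending.pop(state_cookie, None)  # RelayState is one-shot
        if pending is None:
            return None, "unknown RelayState"
        doc = json.loads(base64.b64decode(saml_response))
        assertion = doc["Assertion"]
        if not hmac.compare_digest(sign(IDP_KEY, assertion), doc["Signature"]):
            return None, "bad signature"
        if assertion["Audience"] != SP_ENTITY_ID:
            return None, "assertion not addressed to this SP"
        if assertion["InResponseTo"] != pending["id"]:
            return None, "InResponseTo does not match our request"
        now = time.time() if now is None else now
        if not assertion["NotBefore"] <= now < assertion["NotOnOrAfter"]:
            return None, "assertion outside validity window"
        if assertion["ID"] in self.seen:
            return None, "assertion replayed"
        self.seen.add(assertion["ID"])
        session_cookie = "_shibsession_" + secrets.token_hex(8)
        self.sessions[session_cookie] = assertion["NameID"]
        return session_cookie, pending["target"]

    def authorize(self, session_cookie):
        """Step 10: 'require valid-user' passes any authenticated session."""
        return session_cookie in self.sessions


def run_flow(username, password, tampered=False, consume_at=None):
    """Drive one browser through steps 1-10 and report the outcome."""
    sp, idp = ServiceProvider(), IdentityProvider({"demouser": "demo"})
    state_cookie, saml_request = sp.initiate("/secure/")
    saml_response = idp.authenticate(saml_request, username, password)
    if saml_response is None:
        return "login failed"
    if tampered:  # alter the NameID without re-signing, as a forgery would
        doc = json.loads(base64.b64decode(saml_response))
        doc["Assertion"]["NameID"] = "admin"
        saml_response = base64.b64encode(canonical(doc)).decode()
    session_cookie, detail = sp.consume(state_cookie, saml_response, now=consume_at)
    if session_cookie is None:
        return detail
    return "authorized" if sp.authorize(session_cookie) else "denied"
```

run_flow("demouser", "demo") walks the happy path and returns "authorized"; the rejected cases (wrong password, a response altered after signing, a response presented after NotOnOrAfter, a response replayed against a different _shibstate_) each return the reason the SP refused to create a session, which is the behaviour a real SP must log rather than silently fall through to the resource.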
Shibboleth Single Logout 1
- SAML2 Single Logout profile; IdP-initiated and SP-initiated
- Logout UI is located in two JSP files: sloQuestion.jsp (log out one or all service providers?) and sloController.jsp (session participants, logout status)
- SLOServlet: renders the logout question and controller page; initiates logout to one SP: front-channel → via the browser (HTTP POST or redirect), back-channel → direct IdP/SP SOAP messages; returns the logout status as a JSON string
Shibboleth Single Logout 2
With JavaScript:
- an iframe for every active session participant
- a logout request is issued for the given session participant (front-channel SAML message exchange)
- logout status: LOGGED_IN, LOGOUT_ATTEMPTED, LOGOUT_FAILED, LOGOUT_UNSUPPORTED, LOGOUT_TIMED_OUT, LOGOUT_SUCCEEDED
Without JavaScript:
- one link for each session participant → initiates the logout process for that particular SP
- "Logout failed" / "Logout succeeded" message
Shibboleth Single Logout 3
- Security: the SAML Single Logout Profile requires the logout requests and responses to be signed or otherwise authenticated
- Session lifetime: the IdP session lifetime must be longer than any SP session lifetime
- Optional: limit the maximum lifetime of the SP session
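The three Single Logout slides, modelled as an added example in Python (not the presentation's or the Shibboleth project's code): the IdP keeps the session participants of a user, sends a signed LogoutRequest to each over the front channel, verifies the signed LogoutResponse with the SP key it holds from federation metadata, and reports one of the six logout states per SP as a JSON string, as the SLOServlet described earlier does. It also checks the session-lifetime rule from this slide. The entity IDs, keys, lifetimes, timeout and the slow and non-SLO participants are constructed, and an HMAC stands in for XML-DSig.

```python
"""Added example, not code from the presentation or the Shibboleth project:
a model of IdP-initiated front-channel Single Logout as the slides describe
it. The IdP sends a signed LogoutRequest to every session participant,
verifies each signed LogoutResponse and reports the per-participant state
as a JSON string, as the slides' SLOServlet does. HMAC stands in for
XML-DSig; entity IDs, keys, lifetimes and the timeout are constructed."""
import hashlib, hmac, json, secrets

LOGOUT_STATES = ("LOGGED_IN", "LOGOUT_ATTEMPTED", "LOGOUT_FAILED",
                 "LOGOUT_UNSUPPORTED", "LOGOUT_TIMED_OUT", "LOGOUT_SUCCEEDED")


def sign(key: bytes, message: dict) -> str:
    body = json.dumps(message, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verified(key: bytes, message: dict, signature: str) -> bool:
    return hmac.compare_digest(sign(key, message), signature)


class SessionParticipant:
    """An SP holding a session for the user. supports_slo=False models an
    SP without a logout endpoint; reply_delay (seconds, constructed) models
    a slow front-channel round trip."""

    def __init__(self, entity_id, key, session_lifetime, supports_slo=True, reply_delay=0.0):
        self.entity_id, self.key = entity_id, key
        self.session_lifetime = session_lifetime
        self.supports_slo, self.reply_delay = supports_slo, reply_delay
        self.active_sessions = set()

    def handle_logout_request(self, request, signature, idp_key):
        if not self.supports_slo:
            return None
        response = {"InResponseTo": request["ID"], "Issuer": self.entity_id}
        # The SLO profile requires the request to be authenticated: an
        # unsigned or wrongly signed request must not end the session.
        if verified(idp_key, request, signature):
            self.active_sessions.discard(request["NameID"])
            response["Status"] = "Success"
        else:
            response["Status"] = "RequestDenied"
        return response, sign(self.key, response)


class IdentityProvider:
    def __init__(self, entity_id, key, session_lifetime, timeout):
        self.entity_id, self.key = entity_id, key
        self.session_lifetime, self.timeout = session_lifetime, timeout
        self.metadata = {}      # entity_id -> SP signing key, from federation metadata
        self.participants = []  # SPs this IdP session has authenticated the user to
        self.status = {}        # entity_id -> one of LOGOUT_STATES

    def add_participant(self, sp, name_id):
        self.metadata[sp.entity_id] = sp.key
        sp.active_sessions.add(name_id)
        self.participants.append(sp)
        self.status[sp.entity_id] = "LOGGED_IN"

    def logout_one(self, sp, name_id):
        self.status[sp.entity_id] = "LOGOUT_ATTEMPTED"
        request = {"ID": "_" + secrets.token_hex(8), "Issuer": self.entity_id, "NameID": name_id}
        reply = sp.handle_logout_request(request, sign(self.key, request), self.key)
        if reply is None:
            return "LOGOUT_UNSUPPORTED"
        if sp.reply_delay > self.timeout:  # simulated front-channel timeout
            return "LOGOUT_TIMED_OUT"
        response, signature = reply
        ok = (verified(self.metadata[sp.entity_id], response, signature)
              and response["InResponseTo"] == request["ID"]
              and response["Status"] == "Success")
        return "LOGOUT_SUCCEEDED" if ok else "LOGOUT_FAILED"

    def logout_all(self, name_id):
        """Log the user out of every participant; return the status as JSON."""
        for sp in self.participants:
            self.status[sp.entity_id] = self.logout_one(sp, name_id)
        return json.dumps(self.status, sort_keys=True)

    def lifetime_violations(self):
        """Slide rule: the IdP session must outlive every SP session."""
        return [sp.entity_id for sp in self.participants
                if sp.session_lifetime >= self.session_lifetime]


def demo():
    """Four participants: normal, no SLO support, slow reply, too-long SP session."""
    idp = IdentityProvider("https://idp.example.org/idp/shibboleth", b"idp-key",
                           session_lifetime=8 * 3600, timeout=5.0)
    for sp in (SessionParticipant("https://wiki.example.org/shibboleth", b"wiki-key", 3600),
               SessionParticipant("https://legacy.example.org/shibboleth", b"legacy-key", 3600,
                                  supports_slo=False),
               SessionParticipant("https://slow.example.org/shibboleth", b"slow-key", 3600,
                                  reply_delay=30.0),
               SessionParticipant("https://long.example.org/shibboleth", b"long-key", 24 * 3600)):
        idp.add_participant(sp, "demouser")
    return idp, idp.logout_all("demouser")
```

demo() returns the IdP and the JSON status report; the participant without SLO support ends as LOGOUT_UNSUPPORTED, the slow one as LOGOUT_TIMED_OUT, and the one whose SP session would outlive the IdP session is flagged by lifetime_violations(), which is the condition the slide warns about: an SP session that survives the IdP session can no longer be reached by a later IdP-initiated logout.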
Shibboleth – Meets requirements?
- Easy to implement?
- Maintenance effort?
- Data protection?
- Security?
- Service provider → trust in the identity provider?
- User → understanding of the SSO/SLO concepts?
- ...
Summary: Shibboleth
- Useful in some scenarios (universities, libraries, ...)
- Installing and configuring is quite extensive
- Easy to maintain
- Participants have to agree on policies, ...
- Crucial factor: trust in the identity provider!