Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shibboleth Update a.k.a. “shibble-ware”

Published byValerie Hicks Modified over 6 years ago

Similar presentations

Presentation on theme: "Shibboleth Update a.k.a. “shibble-ware”"— Presentation transcript:

1 Shibboleth Update a.k.a. “shibble-ware”
Michael R Gettes, Duke University On behalf of the project team June 2004 Copyright Michael R. Gettes, 2004

2 What is Shibboleth? (Biblical)
A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce “sh”, called the word sibboleth. See --Judges xii. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. Webster's Revised Unabridged Dictionary (1913) 11/16/2018

3 What is Shibboleth? (modern era)
An initiative to develop an architecture and policy framework supporting the sharing – between domains -- of secured web resources and services A project delivering an open source implementation of the architecture and framework Deliverables: Software for Identity Provider (Origins/campuses) Software for Service Providers (targets/vendors) Operational Federations (scalable trust) 11/16/2018

4 So… What is Shibboleth? A Web Single-Signon System (SSO)?
An Access Control Mechanism for Attributes? A Standard Interface and Vocabulary for Attributes? A Standard for Adding Authn and Authz to Applications? 11/16/2018

5 Shibboleth Goals Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions Provide security while not degrading privacy. Attribute-based Access Control Foster interrealm trust fabrics: federations and virtual organizations Leverage campus expertise and build rough consensus Influence the marketplace; develop where necessary Support for heterogenity and open standards 11/16/2018

6 Attribute-based Authorization
Identity-based approach The identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access. This approach requires the user to trust the target to protect privacy. Attribute-based approach Attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision. This approach does not degrade privacy. 11/16/2018

7 Stage 1 - Addressing Four Scenario’s
Member of campus community accessing licensed resource Anonymity required Member of a course accessing remotely controlled resource Member of a workgroup accessing controlled resources Controlled by unique identifiers (e.g. name) Intra-university information access Controlled by a variety of identifiers Taken individually, each of these situations can be solved in a variety of straightforward ways. Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy. 11/16/2018

8 Shibboleth Status V1.1 available August 2003
Relatively straightforward to install, provided there is good web services understanding and middleware infrastructure (authentication, directories, webISO, etc.). Service Provider - works with Apache and IIS targets; Java Identity Providers. V1.2 available May, 2004 Work underway on some of the essential management tools such as attribute release managers, target resource management, etc. Can take between 3 hours and 3 years to install How much infrastructure (core middleware) do you already have? 11/16/2018

9 Shibboleth Status Will coexist with Liberty Alliance and highly likely work within the WS-* framework from Microsoft. OpenSAML.org is a derivative of this work Uses PKI underneath; can support client PKI Growing development interest in several countries, providing resource manager tools, digital rights management, listprocs, etc. Used by several federations today – NSDL, InQueue, SWITCH and several more soon (JISC, Australia, etc.) 11/16/2018

10 How Does it Work? Hmmmm…. It’s magic. :-) 11/16/2018

11 High Level Architecture
Federations provide common Policy and Trust Service and Identity Provider site collaborate to provide a privacy-preserving “context” for Shibboleth users Identity Provider site authenticates user, asserts Attributes Service Provider site requests attributes about user directly from Identity Provider site Service Provider site makes an Access Control Decision Users (and Identity Provider organizations) can control what attributes are released 11/16/2018

12 Technical Components Identity Provider Site – Required Enterprise Infra Authentication Attribute Repository Identity Provider Site – Shib Components Handle Server Attribute Authority Service Provider Site - Required Enterprise Infra Web Server (Apache or IIS) Service Provider Site – Shib Components Assertion Consumer Service - SHIRE Attribute Requester - SHAR Where Are You From Service - WAYF Resource Manager 11/16/2018

13 Shibboleth AA Process Service Provider Identity Provider Web Site 4
OK, I redirect your request now to the Handle Service of your home org. 3 2 Please tell me where are you from? 1 ACS I don’t know you. Not even which home org you are from. I redirect your request to the WAYF WAYF HS 5 6 I don’t know you. Please authenticate Using WEBLOGIN Identity Provider Service Provider Web Site 7 User DB Credentials OK, I know you now. I redirect your request to the target, together with a handle Attributes 10 Manager Resource OK, based on the attributes, I grant access to the resource AR Handle 8 I don’t know the attributes of this user. Let’s ask the Attribute Authority Handle 9 AA Let’s pass over the attributes the user has allowed me to release Resource 11/16/2018

14 From Shibboleth Arch doc
Origin Target 11/16/2018

15 From Shibboleth Arch doc
Origin Target 11/16/2018

16 From Shibboleth Arch doc
Origin Target 1 SHIRE Local Navigation Page 3b 3 4 Handle Service Attribute Authority 11/16/2018

17 From Shibboleth Arch doc
Origin Target University Resource Provider HTTP Server 1 SHIRE Local Navigation Page 3b Authentication System 3 4 Enterprise Directory Handle Service 6 5 3c Attribute Authority 11/16/2018

18 Demo! 11/16/2018

19 Shibboleth Architecture (still photo, no moving parts)
Resource WAYF Identity Provider Service Provider Web Site 1 ACS 3 2 HS 5 6 7 User DB Credentials 4 AR Handle 8 9 AA Attributes 10 Manager © SWITCH 11/16/2018

20 Shibboleth Architecture -- Managing Trust
engine Attribute Server Service Provider Web Server Browser 11/16/2018

21 Attribute Authority --Management of Attribute Release Policies
The AA provides ARP management tools/interfaces. Different ARPs for different targets Each ARP Specifies which attributes and which values to release Institutional ARPs (default) administrative default policies and default attributes Site can force include and exclude User ARPs managed via “MyAA” web interface Release set determined by “combining” Default and User ARP for the specified resource 11/16/2018

22 Typical Attributes in the Higher Ed Community
Affiliation “active member of community” EPPN Identity Entitlement An agreed upon opaque URI urn:mace:vendor:contract1234 OrgUnit Department Economics Department EnrolledCourse Opaque course identifier urn:mace:osu.edu:Physics201 11/16/2018

23 Target – Managing Attribute Acceptance
Rules that define who can assert what….. MIT can assert Chicago can assert Brown CANNOT assert Important for entitlement values 11/16/2018

24 What are federations? Associations of enterprises that come together to exchange information about their users and resources in order to enable collaborations and transactions Built on the premise of Initially “Authenticate locally, act globally” Now, “Enroll and authenticate and attribute locally, act federally.” Federation provides only modest operational support and consistency in how members communicate with each other Enterprises (and users) retain control over what attributes are released to a resource; the resources retain control (though they may delegate) over the authorization decision. Over time, this will all change… 11/16/2018

25 InCommon federation Federation operations – Internet2
Federating software – Shibboleth 1.1 and above Federation data schema - eduPerson or later and eduOrg or later Operational summer 2004, with several early entrants to help shape the policy issues. Precursor federation, InQueue, has been in operation for about six months and will feed into InCommon 11/16/2018

26 Other Technology Partners
LMS Systems Blackboard WebCT WebAssign Syquest/ Higher Markets Student Charge Card vendors Napster 11/16/2018

27 Other Pilot Projects American Association of Medical Colleges
NSDL (National Science Digital Library) SWITCH - The Swiss National Academic Community UK/JISC - Controlled Access to Licensed Resources Becta (British Educational Communications and Technology Agency) Univ Texas, Medical Center and instruction Washington Research Library Consortium (WRLC) 11/16/2018

28 Shibboleth -- Next Steps
Full implementation of Trust Fabric Supporting Multi-federation identity and service providers Support for Dynamic Content (Library-style Implementation in addition to web server plugins) Sysadmin GUIs for managing identity and service provider policy Grid, Virtual Organizations ? Saml V2.0, Liberty, WS-Fed NSF grant to Shibboleth-enable open source collaboration tools LionShare - Federated P2P 11/16/2018

29 U.S. Federal Government The E-Authentication Project
NIST Technical Guidance Credential Assessment Framework E-RA Risk Assessment Methodology PKI ??? SAML Strategic Plan EAuthentication Guidance E-Authentication Technical Approach E-Authentication Interface Specifications for the SAML Artifact Profile SAML Artifact Profile as an Adopted Scheme for E-Authentication Technical Approach for the E-Authentication Service Component E-Authentication Mission Specs Adopted Federated Identity Schemes Technical/Policy Framework 11/16/2018

30 The e-Authentication Project 3 approaches
CS AAx Step #1: User goes to Portal to select the AA and CS Portal Step #2: The user is redirected to the selected CS with an AA identifier. The portal also issues a cookie to the user that identifies his selected CS Step #3: The CS authenticates the user and hands him off to the selected AA with his identity information. The CS also issues a cookie to the user to assert his authentication status ©c MD SSO Options: SAML Liberty WS-Federation Shibboleth Other Figure 2: Base Case AAs CSs Users AuthZ Step #2: The user is redirected to the Portal with the AAid Step #1: User Starts at AA ©p AAx Portal AA ©c Step #4: The user is handed off to the AA as usual Step #3: After selecting his CS, the user receives a session cookie and is redirected as usual CS Figure 3: User Starts at AA Step #2: The user is redirected to the Portal with the CSid Step #1: User Starts at CS ©p AAx Portal AA ©c Step #4: The user is handed off to the AA as usual CS Step #3: After selecting his AA, the user is redirected back to the CS as usual Figure 4: User Starts at CS 11/16/2018

31 U.S. Federal Government The e-Authentication Project
Provide glue between browsers and apps; allow for different Credential Providers interacting with different Agency Apps Starting points: at “portal” (wayf?), at Agency App, at Credential Provider SAML 2.0 is the end-game “Vapor”-ware at this point They have an interoperability lab 11/16/2018

32 So… What is Shibboleth? A Web Single-Signon System (SSO)?
An Access Control Mechanism for Attributes? A Standard Interface and Vocabulary for Attributes? A Standard for Adding Authn and Authz to Applications? 11/16/2018

33 Acknowledgements Design Team: David Wasley (UCOP); RL ‘Bob’ Morgan (Washington); Keith Hazelton (Wisconsin-Madison); Marlena Erdos (IBM/Tivoli); Steven Carmody (Brown); Scott Cantor (Ohio State) Important Contributions from: Ken Klingenstein (Internet2); Michael Gettes (Georgetown, Duke); Scott Fullerton (Wisconsin-Madison) Coding: Derek Atkins (MIT); Parviz Dousti (CMU); Scott Cantor (OSU); Walter Hoehn (Columbia, Memphis) 11/16/2018

34 Duke Considerations Technical
Duke Locally written, Shibby in nature, addresses N-Tier + LDAP by Karsten Huneycutt 2 weeks ago a Duke campus bus struck a Duke employee at Trent & Erwin Roads. It was not Karsten! Whew! What if ???? Should we switch to Shib? Shib as WebISO? Should we use somebody else’s weblogin? When will Shib address N-Tier *and* LDAP? PAML (PAM + SAML)? 11/16/2018

35 Duke Considerations Organizational
Duke: Campus + Health System One Corporate Entity NetID = Duke Corporate HIPAA Training includes regional clinicians Library has non-Duke patrons “Friends of” departments and colleges Considering a Duke Federation To join different communities within Duke having different policies and ID mgmt profiles Identity Providers: NetID, University Affiliates, Training How will this factor into communities of applications? 11/16/2018

36 Global? Trust Diagram (TWD)
11/16/2018

37 Sample InterFederation
11/16/2018

38 Shib/PKI Inter-Federations
This model demonstrates the similarities of the PKI communities and Shib Federations. This does not mean that Shib == PKI, just that we can leverage the trust infra of a global PKI to maybe solve some larger inter-federation issues of other techno / policy spaces in a common fashion. 11/16/2018

39 Got SHIB? 11/16/2018

40 11/16/2018

Download ppt "Shibboleth Update a.k.a. “shibble-ware”"

Similar presentations

Internet2 Shibboleth Project TERENA Networking Conference 2002, Limerick, Ireland RL “Bob” Morgan, Washington Steven Carmody, Brown Scott Cantor, Ohio.

Internet2 Shibboleth Project TERENA Networking Conference 2002, Limerick, Ireland RL “Bob” Morgan, Washington Steven Carmody, Brown Scott Cantor, Ohio.
Shibboleth: How It Relates to SAML Marlena Erdos Aug 27, 2001.

Shibboleth: How It Relates to SAML Marlena Erdos Aug 27, 2001.
ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.

ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.
Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, 2004. This work is the intellectual property of the.

Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, This work is the intellectual property of the.
Shibboleth Update a.k.a. “shibble-ware”

Shibboleth Update a.k.a. “shibble-ware”
InCommon Policy Conference April 2005. 2 Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.

InCommon Policy Conference April Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Welcome to CAMP Identity Management Integration Workshop Ann West NMI-EDIT EDUCAUSE/Internet2.

Welcome to CAMP Identity Management Integration Workshop Ann West NMI-EDIT EDUCAUSE/Internet2.
Project Shibboleth Update, Demonstration and Discussion Michael R Gettes Duke University (on behalf of the entire shib team!!!) June.

Project Shibboleth Update, Demonstration and Discussion Michael R Gettes Duke University (on behalf of the entire shib team!!!) June.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Shib in the present and the future Ken Klingenstein Director, Internet2 Middleware and Security.

Shib in the present and the future Ken Klingenstein Director, Internet2 Middleware and Security.
3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.

3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.
7 October 2015 Shibboleth. Agenda  Shibboleth Background and Status  Why is Shibboleth Important (to Higher Ed)?  Current Pilots Course Management.

7 October 2015 Shibboleth. Agenda  Shibboleth Background and Status  Why is Shibboleth Important (to Higher Ed)?  Current Pilots Course Management.
Shibboleth & Federations Renee’ Shuey May 4, 2004 ITS – Emerging Technologies The Pennsylvania State Universtiy.

Shibboleth & Federations Renee’ Shuey May 4, 2004 ITS – Emerging Technologies The Pennsylvania State Universtiy.
Shibboleth Update Michael Gettes Principal Technologist Georgetown University Ken Klingenstein Director Interne2 Middleware Initiative.

Shibboleth Update Michael Gettes Principal Technologist Georgetown University Ken Klingenstein Director Interne2 Middleware Initiative.
David L. Wasley Office of the President University of California Shibboleth Safe delivery of reliable authorization data David L. Wasley University of.

David L. Wasley Office of the President University of California Shibboleth Safe delivery of reliable authorization data David L. Wasley University of.
Shibboleth A Federated Approach to Authentication and Authorization Fed/Ed PKI Meeting June 16, 2004.

Shibboleth A Federated Approach to Authentication and Authorization Fed/Ed PKI Meeting June 16, 2004.
Shibboleth Update RL “Bob” Morgan, Washington Steven Carmody, Brown Scott Cantor, Ohio State Marlena Erdos, IBM/Tivoli Michael Gettes, Georgetown Keith.

Shibboleth Update RL “Bob” Morgan, Washington Steven Carmody, Brown Scott Cantor, Ohio State Marlena Erdos, IBM/Tivoli Michael Gettes, Georgetown Keith.
Internet2 CAMP Shibboleth Scott Cantor (Hey, that’s my EPPN too.) Tom Dopirak Scott Cantor (Hey, that’s my.

Internet2 CAMP Shibboleth Scott Cantor (Hey, that’s my EPPN too.) Tom Dopirak Scott Cantor (Hey, that’s my.

Similar presentations

Ads by Google