1. Brown University Shibboleth at Brown University James Cramton May 28, 2009 Copyright © James Cramton 2009 This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. Gilead then cut Ephraim off from the fords of the Jordan, and whenever Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you an Ephraimite?' If he said, 'No,' they then said, 'Very well, say Shibboleth.' If anyone said, 'Sibboleth', because he could not pronounce it, then they would seize him and kill him by the fords of the Jordan. Forty-two thousand Ephraimites fell on this occasion. Judges 12:5-6, NJB

2. 2 Topics Shibboleth terminology & use at Brown WebAuth vs. Shibboleth Shibboleth-capable services Attribute release policies Federation & uApprove Best practice for writing ACLs with groups Rollout schedule and additional info

3. Shibboleth at Brown Standards-based web Single Sign On (SSO) service Can operate across domain boundaries Will replace WebAuth as Brown’s intra-campus SSO Currently supported by more than 100 applications Allows granular control of personal attribute release Provides access to many more attributes than WebAuth Can allow external federated users to access Brown resources without Brown credentials Can allow Brown users to access federated resources outside Brown using their Brown credentials 3

4. Shibboleth Terminology Identity Provider (IDP) –Performs user authentication for SP –Provides a customized set of attributes for each SP Service Provider (SP) –Runs on application host as an Apache OR IIS module or other interface –Authorizes user based on authentication & attributes from the IDP Attribute –A property describing a user within the system Human-friendly examples: brownType, brownStatus, displayName, isMemberOf Minimal identifier: an opaque (gibberish) identifier unique to each user at each SP –Typically used for authorization or UI customization Federation –A group of organizations that share a common trust framework 4

5. WebAuth vs. Shibboleth Brown’s WebAuth Proprietary, and compatible only with Apache and IIs (sort of) 10 years old, unsupported Dependent on Brown Grouper –Also proprietary and unsupported Limited and arbitrary set of attributes released to apps Limited to Brown users Not load balanced Not redundant Internet2’s Shibboleth Standards-based –LDAP, SQL, SAML 1.1 and 2.0, ADFS Actively supported by community source model, Internet2 and partners Used by more than 100 applications Policy driven attribute release User-controlled attribute release Supports federation with 15M users –Use of Brown resources by external users –Use of external resource by Brown users Load balanced and redundant 5

6. Shibboleth-capable Services Currently in use at Brown All Apache web servers –Webpub –LAMP –WebApps All IIs web servers WebCT iTunes @ Brown Confluence Wiki University Tickets Dining Service’s Interphaze Coeus Planned or Possible Sympa email list manager People Admin Outsourced Email NIH, NSF, NASA Grants Mgmt Microsoft Dreamspark Free MS software for students Discount student airline tickets caBIG Cancer grid computing TerraGrid grid computing Cern Large Hadron Collider Virtual Organizations (VOs) Many more… 6

7. Attribute Release Policies Protect user identity by releasing only necessary attributes to SP Attribute release policies are configurable per SP, and per attribute Default attribute release policies –External SP sees only a unique, opaque identifier (gibberish) –Trusted Brown SPs see a more useful set of attributes, including: brownShortId, brownNetID, brownBruID, brownUUID, eduPersonPrincipalName mail, mailRoutingAddress DisplayName, givenName, sn, LOA (Level of Assurance) brownType, eduPersonPrimaryAffiliation, eduPersonAffiliation, eduPersonScopedaffiliation isMemberOf (full list of group memberships) –Default policies at https://wiki.brown.edu/confluence/x/x4IwAQhttps://wiki.brown.edu/confluence/x/x4IwAQ SP owners may request exceptions to default policies Users can be required to manually approve attribute release –uApprove to present user an approval form –Approval or denial is audited 7

8. Federation Shibboleth can leverage the federation’s trust relationships –Authenticate users at their local institution’s IDP –Pass attributes to a remote SP according to local attribute release policies –Grant access to remote resources based on released attributes Brown is a member of the InCommon federation, along with 2.2M users from more than 100 US higher ed institutions Inter-federation agreements can extend user base up to 15M A supportable solution to requests to grant access to Brown resources to non-Brown users –No need to establish Brown affiliate or guest accounts –External user’s home institution must belong to InCommon federation –Or user may use a credential from a supported provider like Protect Network Also allows Brown users to access external systems using Brown credentials: NIH grants, MS DreamSpark, University Tickets, etc. 8

9. Federated Access Examples External user access to Brown resource https://james.cis.brown.edu/secure/info.php https://james.cis.brown.edu/secure/info.php Brown user access to external resource https://spaces.internet2.edu https://spaces.internet2.edu 9

10. uApprove Example 10 uApprove can be triggered for each SP, or for a particular attribute condition for an SP When triggered, a user must confirm that they approve the release of the displayed information before the attributes are released to the SP. This process puts the attribute release decision in users’ hands. All responses are auditable.

11. Brown’s Group Infrastructure 11

12. Creating ACLs Example.htaccess ACLs https://wiki.brown.edu/confluence/x/HgBLAw https://wiki.brown.edu/confluence/x/HgBLAw Best practice for leveraging groups in ACLs https://wiki.brown.edu/confluence/x/x4IwAQ https://wiki.brown.edu/confluence/x/x4IwAQ 12

13. Rollout Schedule Now: QA and Production testing –Production SPs https://dropbox.brown.edu/secure/ https://uhallapps.brown.edu/app1/test –Production IDP with early adopter SPs https://apps.biomed.brown.edu/secure/info.php https://reslife.brown.edu/secure/info.php https://groups.cis-qas.brown.edu/secure/info.jsp –QA IDP and test SPs https://james.cis.brown.edu https://stc-test2.cis.brown.edu Summer - Fall 2009 –Phased migration of WebAuth to Shibboleth –uApprove implementation –Confluence Wiki –iTunes@Brown? 13

14. Additional Information Brown’s Shibboleth project wiki: https://wiki.brown.edu/confluence/x/uYIwAQ https://wiki.brown.edu/confluence/x/uYIwAQ –Project schedule –Technical documentation for IDP and SP owners and administrators –Full attribute release policies and procedures for exception requests –Best practices –Links to background information on Shibboleth Internet2’s Shibboleth wiki: http://shibboleth.internet2.edu http://shibboleth.internet2.edu –Background information on Shibboleth –Lists of Shibboleth-enabled software and services –Links to Shibboleth user email list and other support options InCommon federation website: http://www.incommon.org http://www.incommon.org –Lists of participating institutions and vendors Protect Network website: http://protectnetwork.net http://protectnetwork.net –Information about obtaining InCommon-compatible credentials from Protect Network 14