Weaving a Trust Fabric: Shibboleth & PKI & Grids
Keith Hazelton, Senior IT Architect, University of Wisconsin-Madison; Internet2 MACE member. Copyright 2003.


2 CAMP - June 4-6, 2003
Copyright Keith Hazelton 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

3 Two (loosely) Connected Presentations
I. Shibboleth (with AuthN shim) as “WebISO plus”
II. Weaving a trust fabric
– Trust agreements & architectures
– …or when that gets too confusing, reframe as
– Risk management agreements & architectures

4 I. Shib (with AuthN shim) as WebISO plus
UW-Madison’s AuthN/Z Roadmap (Yours, too?)
– Roll out an AuthN service for campus (web) app developers & integrators
– Roll out an Authority Information (AuthZInfo) Management service for campus, managing business-rule-based group, affiliation & entitlement assignments: the Pops, Affils & Service Entitlements (PASE) Project
– Roll out a service for delivering AuthZInfo to apps
– Decide whether to take the big step of tackling a run-time AuthZ decision support service for campus

5 UW-Madison AuthN/Z Roadmap
Got as far as piloting PubCookie as AuthN service
Along came Shibboleth
…And local interest in PKI heated up with HIPAA
So, we’re now looking at a roadmap with two routes
And we’ll be comparing the alternative routes and making a choice

6 The AuthN/Z Roadmap: Alternative Routes
The low road
– AuthN service: PubCookie
– AuthZInfo service: metadir functions + PASE
– AuthZInfoAccess service: LDAP or SQL calls to ED
The high road
– AuthN service: Shibboleth SHIRE & HandleServer-plus-AuthN-shim
– AuthZInfo service: metadir functions + PASE
– AuthZInfoAccess: Shibboleth (SHAR & AA)
The routes join again at the future decision point on AuthZ service for PDP

7 The High Road
Shibboleth Plus: promise of a unified infrastructure for intra- as well as inter-domain AuthN/Z
Note: Shib as delivered assumes an existing WebISO

8 The High Road
But in a pure Shib world
– the only web thing that needs an authentication step is the Handle Server (HS) (!!!)
– all target web apps leverage that single authentication step
So what’s the simplest AuthN shim for the HS? (Traditional WebISO solutions would have lots of redundant moving parts)

9 The High Road
Well, getting techie: HS runs as an Apache app
How do we protect Apache apps? URL/directory-based authN schemes
Use Apache config file fiddling to specify how
Shib 0.8 as shipped has a way to do this with PKI
– Apache asks for client SSL authentication via apache-ssl or mod_ssl
– The right environment variables get populated, presto!

10 The High Road: Shib & PKI
U California System developed PKI support code (David Walker)
Adopted & adapted by UT-HSC Houston (Barry Ribbeck & Mark Jones)
…and by Dartmouth (Bob Brentrup, Omen Wild & Mark Franklin)

11 The High Road: Shib & PKI
Calif, Texas & Dartmouth pushing PKI, so happy to “force” its use for selected apps
Meanwhile, Wisconsin not there yet
We’re pushing the AuthN/Z service idea generally
– For us, PKI is NYRFPT (not yet ready for prime time)
So, back to the drawing board
What if we could try for PKI as above, but fail over to LDAP-supported un/pw AuthN over SSL?

12 The High Road: Shib & PKI
More generally: protect the HS app the Apache way with PKI, failing over to {your favorite AuthN service here}
So, coordinating with the above-named culprits, Ryan Muldoon at wisc.edu is developing an Apache module-based approach
Apache config allows you to specify a list of AuthN methods in order of preference

13 The High Road: Shib HS & AuthN Shim
Apache security directives in config allow you to specify a list of AuthN methods in order of preference, so…
Try PKI via the above approach
Second on the list is a module that does your favorite AuthN trick & populates env. vars. like REMOTE_USER
Ryan’s got one working at wisc.edu for un/pw with LDAP…intermittently (uses mod_perl)

14 The High Road: Shib HS & AuthN Shim
Kerberos shops could write a module for Kerberos AuthN, etc.
Allows transparent…
– migration to, or
– experimentation with, or
– selective rollout…
…of PKI behind Shib HS for a general web app AuthN solution
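As an added example (not code from the talk, and not the wisc.edu mod_perl module), a hypothetical WSGI version of the ordered-AuthN-method shim from slides 12-14: it tries a mod_ssl-verified client certificate first, falls back to username/password, and populates REMOTE_USER for the HS. It assumes mod_ssl's real SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN variables, a constructed password checker standing in for the LDAP bind, and a constructed AUTH_METHOD variable name.

```python
import base64
from typing import Callable, Iterable, Optional

# Hypothetical shim written for this page, not Ryan Muldoon's mod_perl module.
# Each AuthN method gets the request environ and returns a user id or None; the
# shim tries them in preference order, as the Apache config on the slides does,
# and populates REMOTE_USER on the first success.
AuthMethod = Callable[[dict], Optional[str]]

def pki_method(environ: dict) -> Optional[str]:
    """First choice: a client certificate that mod_ssl verified (real variable names)."""
    # Only a verified chain counts; a presented-but-unverified cert is not an identity.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    return environ.get("SSL_CLIENT_S_DN_CN") or None

def make_basic_method(check_password: Callable[[str, str], bool]) -> AuthMethod:
    """Fallback: HTTP Basic un/pw; check_password stands in for the LDAP bind."""
    def basic_method(environ: dict) -> Optional[str]:
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() != "basic" or not token:
            return None
        try:
            creds = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            return None
        user, _, pw = creds.partition(":")
        return user if user and check_password(user, pw) else None
    return basic_method

class AuthNShim:
    """WSGI middleware in front of the HS: ordered methods, REMOTE_USER on success."""
    def __init__(self, app, methods: Iterable[AuthMethod], realm: str = "HS"):
        self.app, self.methods, self.realm = app, list(methods), realm

    def authenticate(self, environ: dict) -> Optional[str]:
        for method in self.methods:
            user = method(environ)
            if user:
                environ["REMOTE_USER"] = user
                environ["AUTH_METHOD"] = method.__name__  # constructed: lets HS pass it to targets
                return user
        return None

    def __call__(self, environ, start_response):
        if self.authenticate(environ) is None:
            start_response("401 Unauthorized", [("WWW-Authenticate", f'Basic realm="{self.realm}"')])
            return [b"authentication required\n"]
        return self.app(environ, start_response)
```

A Kerberos method slots in the same way: any callable that maps the environ to a user id or None can be placed anywhere in the preference list.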

15 The Journey Completed
To the extent we Shibbify our target resources, this takes us all the way to the roadmap junction with the runtime AuthZ service decision point
We’ve authenticated by our choice of methods (which can be passed along to targets)
We’ve given targets controlled access to user attributes
With all the knobs for privacy & anonymity we might want

16 II. Weaving a Trust Fabric

17 Weaving a Trust Fabric
How do typical conversations about risks to IT resources go?
– Alice: Please let my people use X
– Bob: Sure, but how can I know over the ‘net that person Y really is one of your people?
– Alice: Well, I’ll give them this nifty identity credential to present to you
– Bob: But from what I know of your policies and procedures, I am not at all sure if I want to trust that credential for accessing my extremely valuable X. Guess I’ll just give them all accounts….

18 Weaving a Trust Fabric
Does this scale with all the conversations between all the Alices & all the Bobs about all the X’s?
So what we really want is agreement on some coarse-grained, graduated scale of risk/(trust) (e.g., low, medium, high)
And agreed-upon mappings between
– an identity credential and this quantized risk/(trust) measure
– a resource and this quantized risk/(trust) measure

19 Weaving a Trust Fabric
So then Alice says my people have “medium” level identity credentials
And Bob says, for my valuable X resource, I really want a “high” level credential (so he just gives them each a user account on his X system)
This scales the risk/(trust) measure
How do we scale the Alice / Bob problem?
…federations or communities as the agreeing parties

20 Federations as Agreeing Parties

21 The Trust Diagram
In the PKI world, a Registration Authority (RA) handles
– Initial identity proofing
– Issuing of identity credential (X.509 certificate)
– …with level of assurance (risk measure) included
Reframe our PhotoID offices and account creation services as RAs
Then federation partners have a potential basis of agreement on risk measure

22 The Trust Diagram
In the PKI world, the CA’s CP & CPS
– Explain policies & procedures around identity proofing, protection of CA systems, etc.
– On that basis different CAs can agree to map their respective risk measures (your “green” is my “medium”)
For the GOF un/pw world, we could create CP & CPS-like things to facilitate mapping
REALITY CHECK TIME:
– How have we assessed risk in our GOF un/pw worlds???
– Is all this pushing too hard on the security end of the security/convenience balance?

23 Finding the Balance on Security vs. Convenience
Big win for members of a federation if we could use the scaling benefits of agreed-upon mappings of identity credentials to risk and of resources to acceptable risk
So, maybe it’s worth the CP/CPS-like work if we want to leverage & interoperate across
– GOF un/pw
– PKI certs
– Grid certs…

24 Trust Weavers’ Guild
Maximum benefit if we could map as equivalent
– Campus GOF un/pw
– PKI Lite certs
– Grid CA issued identity certs
– Federal AuthN Citizen & Commerce Class Cert (C4)
– Some (probably lower) assurance level of Fed Bridge community certificates
– InCommon resource providers’ levels of acceptable risk/(trust)

25 Trust Weavers’ Guild
Many, many ratholes & gotchas along the way
But even a patchy fabric with some holes would be a welcome improvement over the present state of affairs

26 Weaving a Trust Fabric: Q & A
Do you expect to confront these issues in the next year or two? Where?
What’s your biggest point of skepticism on all this trust/risk stuff?
