Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Published byClarence Leonard Modified over 9 years ago

Similar presentations

Presentation on theme: "Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA."— Presentation transcript:

1 shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo trscavo@ncsa.uiuc.edu trscavo@ncsa.uiuc.edu NCSA

2 shibboleth-intro-dec052 What is Shibboleth? Shibboleth provides cross-domain single sign-on and attribute-based authorization while preserving user privacy Shibboleth is simultaneously: 1.A project 2.A specification 3.An implementation

3 shibboleth-intro-dec053 Shibboleth Project Shibboleth, a project of Internet2-MACE: –Advocates a federated identity management policy framework focused on user privacy –Develops middleware architectures to facilitate inter-institutional attribute sharing –Manages an open source reference implementation of the Shibboleth spec Shibboleth has made significant contributions to the SAML-based identity management space

4 shibboleth-intro-dec054 Collaborations Shibboleth Internet2 E-Auth Liberty Vendors OASIS Educause

5 shibboleth-intro-dec055 Shibboleth Specification Shibboleth is an extension of the SAML 1.1 browser profiles: –Shibboleth Browser/POST Profile –Shibboleth Browser/Artifact Profile –Shibboleth Attribute Exchange Profile See the Shibboleth spec for details: S. Cantor et al., Shibboleth Architecture: Protocols and Profiles. Internet2-MACE, 10 September 2005.Shibboleth spec

6 shibboleth-intro-dec056 Shibboleth Implementation The Shibboleth implementation consists of two components: 1.Shibboleth Identity Provider 2.Shibboleth Service Provider The Identity Provider is a J2EE webapp The Service Provider is a C++ Apache module –A pure Java Service Provider is in beta

7 shibboleth-intro-dec057 The Shibboleth Experience

8 shibboleth-intro-dec058 The Shibboleth Wiki For example, the Shibboleth wiki (hosted at ohio-state.edu) is “shibbolized”: https://authdev.it.ohio- state.edu/twiki/bin/view/GridShib/WebHome https://authdev.it.ohio- state.edu/twiki/bin/view/GridShib/WebHome To edit wiki pages, a user must be known to the wiki Users have wikiNames but do not have wiki passwords Users log into their home institution, which asserts user identity to the wiki

9 shibboleth-intro-dec059

10 10 Shib Browser Profile The user clicks the link “Login via InQueue IdP” This initiates a sequence of steps known as the Shibboleth Browser Profile 7 8 6 5 UIUC OSU CLIENTCLIENT 3 4 2 1 InQueue

11 shibboleth-intro-dec0511

12 shibboleth-intro-dec0512 Shib Browser Profile InQueue provides a “Where Are You From?” service The user chooses their preferred identity provider from a menu 7 8 6 5 UIUC OSU CLIENTCLIENT 3 4 2 1 InQueue

13 shibboleth-intro-dec0513

14 shibboleth-intro-dec0514 Shib Browser Profile The user is redirected to UIUC login page After login, the user is issued a SAML assertion and redirected back to the wiki 7 8 6 5 UIUC OSU CLIENTCLIENT 3 4 2 1 InQueue

15 shibboleth-intro-dec0515

16 shibboleth-intro-dec0516 Shib Browser Profile After validating the assertion, the wiki@OSU retrieves user attributes via back-channel Shib attribute exchange 7 8 6 5 UIUC OSU CLIENTCLIENT 3 4 2 1 InQueue

17 shibboleth-intro-dec0517 Asserting Identity Initially, the user is unknown to the wiki After querying the home institution, the wiki knows the user’s identity “trscavo-uiuc.edu” is wiki-speak for trscavo@uiuc.edu The latter is eduPersonPrincipalName, an identity attribute asserted by the user’s home institution

18 shibboleth-intro-dec0518 OpenIdP.org By design, a user with an account at an institution belonging to InCommon, InQueue, or SDSS can log into the wiki: https://authdev.it.ohio- state.edu/twiki/bin/view/GridShib/WebHome https://authdev.it.ohio- state.edu/twiki/bin/view/GridShib/WebHome Other users can register at openidp.org, which is a zero-admin Shibboleth IdP The openidp asserts an alternate form of identity (email addresses as opposed to eduPersonPrincipalName)

19 shibboleth-intro-dec0519 Shibboleth SSO Profiles

20 shibboleth-intro-dec0520 Identity Provider Service Provider The Actors Identity Provider –The Identity Provider (IdP) creates, maintains, and manages user identity –A Shibboleth IdP produces SAML assertions Service Provider –The Service Provider (SP) controls access to services and resources –A Shibboleth SP consumes SAML assertions Authentication Authority Attribute Authority SSO Service Assertion Consumer Service Resource Artifact Resolution Service Attribute Requester

21 shibboleth-intro-dec0521 Shib SSO Profiles Shibboleth SSO profiles are SP-first Shibboleth specifies an Authentication Request Profile Shibboleth Browser/POST Profile = Shib Authn Request Profile + SAML Browser/POST Profile Shibboleth Browser/Artifact Profile = Shib Authn Request Profile + SAML Browser/Artifact Profile

22 shibboleth-intro-dec0522 Shib AuthN Request Profile A Shibboleth authentication request is an ordinary GET request: https://idp.org/shibboleth/SSO? providerId=https://sp.org/shibboleth/& shire=https://sp.org/shibboleth/SSO& target=https://sp.org/myresource& time=1102260120 The client is redirected to this location after requesting a protected resource at the SP without a security context

23 shibboleth-intro-dec0523 8 7 1 2 5 6 3 4 Identity Provider Service Provider Shib Browser/POST Profile Browser/POST is an SP-first profile The IdP produces an assertion at step 4, which the SP consumes at step 5 CLIENTCLIENT Authentication Authority Attribute Authority SSO Service Assertion Consumer Service Resource

24 shibboleth-intro-dec0524 Attributes

25 shibboleth-intro-dec0525 Shib Attribute Exchange A Shibboleth SP often queries an IdP for attributes after validating an authN assertion An opaque, transient identifier called a handle is embedded in the authN assertion The SP sends a SAML AttributeQuery message with handle attached

26 shibboleth-intro-dec0526 Browser/POST Profile The first 5 steps of this profile are identical to ordinary Browser/POST Before redirecting the Client to the Resource Manager, the SP queries for attributes via a back-channel exchange 10 9 1 2 5 8 3 4 Identity Provider Service Provider CLIENTCLIENT Authentication Authority Attribute Authority SSO Service Assertion Consumer Service Resource Attribute Requester 7 6

27 shibboleth-intro-dec0527 1 Identity Provider Service Provider Browser/POST Step 1 The Client requests a target resource at the SP CLIENTCLIENT Authentication Authority Attribute Authority SSO Service Assertion Consumer Service Resource

28 shibboleth-intro-dec0528 2 1 Identity Provider Service Provider Browser/POST Step 2 The SP performs a security check on behalf of the target resource If a valid security context at the SP does not exist, the SP redirects the Client to the single sign-on (SSO) service at the IdP CLIENTCLIENT Authentication Authority Attribute Authority SSO Service Assertion Consumer Service Resource

29 shibboleth-intro-dec0529 3 2 1 Identity Provider Service Provider Browser/POST Step 3 The Client requests the SSO service at the IdP CLIENTCLIENT Authentication Authority Attribute Authority SSO Service Assertion Consumer Service Resource

30 shibboleth-intro-dec0530 4 3 2 1 Identity Provider Service Provider Browser/POST Step 4 The SSO service processes the authN request and performs a security check If the user does not have a valid security context, the IdP identifies the principal (details omitted) The SSO service produces an authentication assertion and returns it to the Client CLIENTCLIENT Authentication Authority Attribute Authority SSO Service Assertion Consumer Service Resource

31 shibboleth-intro-dec0531 4 3 5 2 1 Identity Provider Service Provider Browser/POST Step 5 The Client issues a POST request to the assertion consumer service at the SP The authN assertion is included with the request CLIENTCLIENT Authentication Authority Attribute Authority SSO Service Assertion Consumer Service Resource

32 shibboleth-intro-dec0532 6 4 3 5 2 1 Identity Provider Service Provider Browser/POST Step 6 The assertion consumer service validates the request, creates a security context at the SP The attribute requester sends a (mutually authenticated) attribute query to the AA CLIENTCLIENT Authentication Authority Attribute Authority SSO Service Assertion Consumer Service Resource Attribute Requester

33 shibboleth-intro-dec0533 7 6 4 3 5 2 1 Identity Provider Service Provider Browser/POST Step 7 The IdP returns an attribute assertion subject to attribute release policy The SP filters the attributes according to attribute acceptance policy CLIENTCLIENT Authentication Authority Attribute Authority SSO Service Assertion Consumer Service Resource Attribute Requester

34 shibboleth-intro-dec0534 1 2 5 8 3 4 Identity Provider Service Provider Browser/POST Step 8 The assertion consumer service updates the security context and redirects the Client to the target resource CLIENTCLIENT Authentication Authority Attribute Authority SSO Service Assertion Consumer Service Resource Attribute Requester 7 6

35 shibboleth-intro-dec0535 9 1 2 5 8 3 4 Identity Provider Service Provider Browser/POST Step 9 The Client requests the target resource at the SP (again) CLIENTCLIENT Authentication Authority Attribute Authority SSO Service Assertion Consumer Service Resource Attribute Requester 7 6

36 shibboleth-intro-dec0536 10 9 1 2 5 8 3 4 Identity Provider Service Provider Browser/POST Step 10 Since a security context exists, the SP returns the resource to the Client CLIENTCLIENT Authentication Authority Attribute Authority SSO Service Assertion Consumer Service Resource Attribute Requester 7 6

37 shibboleth-intro-dec0537 Directory Schema Neither Shibboleth nor SAML define any attributes per se It is left to individual deployments to define their own attributes A standard approach to user attributes is crucial Without such standards, interoperability is impossible

38 shibboleth-intro-dec0538 eduPerson Internet2 and EDUCAUSE have jointly developed a set of attributes and associated bindings called eduPerson The LDAP binding of eduPerson is derived from the standard LDAP object class called inetOrgPerson [RFC 2798] Approximately 40 attributes have been defined by InCommon as common identity attributes

39 shibboleth-intro-dec0539 InCommon Attributes InCommon’s 6 “highly recommended” attributes: Attribute NameAttribute Value givenNameMary sn (surname)Smith cn (common name)Mary Smith eduPersonScopedAffiliationstudent@example.org eduPersonPrincipalNamemary.smith@example.org eduPersonTargetedID? (eduPersonTargetedID does not have a precise value syntax)

Download ppt "Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA."

Similar presentations

Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
X509-bindings-profiles-sep061 Bindings and Profiles for Attribute-based Authz in the Grid Tom Scavo NCSA.

X509-bindings-profiles-sep061 Bindings and Profiles for Attribute-based Authz in the Grid Tom Scavo NCSA.
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal 1 1 2 2 4 4 3,6 5 5 7 7 8 8 9 9 1010 1010 DNS Hello User Sample (Gateway)

Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal , DNS Hello User Sample (Gateway)
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.

Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.
Shibboleth: How It Relates to SAML Marlena Erdos Aug 27, 2001.

Shibboleth: How It Relates to SAML Marlena Erdos Aug 27, 2001.
Will Darby 91.514 5 April 2010.  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.

Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.

Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.

Similar presentations

Ads by Google