Presentation is loading. Please wait.

Presentation is loading. Please wait.

CAMP Integration Provisioning and Relaying: The Integration Story provrel-050628-01.ppt Keith Hazelton

Published byMorgan Conley Modified over 9 years ago

Similar presentations

Presentation on theme: "CAMP Integration Provisioning and Relaying: The Integration Story provrel-050628-01.ppt Keith Hazelton"— Presentation transcript:

1 CAMP Integration Provisioning and Relaying: The Integration Story http://arch.doit.wisc.edu/keith/camp/ provrel-050628-01.ppt Keith Hazelton (hazelton@doit.wisc.edu) Sr. IT Architect, University of Wisconsin-Madison Internet2 MACE CAMP Integration, Denver, June 28, 2005

2 CAMP Integration 2 Shibboleth v 1.2.1a Integration Overview Shibboleth Introduction (The Relay tool from NMI / Internet2 / MACE) Identity Provider (Origin) Deployment, Integration –Authentication/Identifier Assertion Phase Components & Dependencies –Identity Attribute Assertion Phase Service Provider (Target) Deployment, Integration Two scenarios for each: –Shib “classic” e-Lib: accessing licensed resources –Shib federation across a state system: shared services The craft of federation

3 CAMP Integration 3 Basic IAM functions mapped to the NMI / MACE components Systems of Record Enterprise Directory GrouperSignet WebISO Shibboleth Apps / Resources

4 CAMP Integration 4 Basic IAM functions mapped to the NMI / MACE components Systems of Record Enterprise Directory GrouperSignet WebISO Shibboleth Apps / Resources

5 CAMP Integration 5 Basic IAM functions mapped to the NMI / MACE components Systems of Record Enterprise Directory GrouperSignet WebISO Shibboleth Apps / Resources

6 CAMP Integration 6 Alternatives to IP Address Based Access Restriction 1.User-based access restriction A.Each service provider manages credentials for all of its users B.One big credential database of all users used by all service providers C.Each user has a “home organization” whose credential database can, by magic, be used by each service provider 2.???

7 CAMP Integration 7 Federated Identities “Federated identities” is option C on previous slide –A hierarchical approach to decompose the problem into manageable pieces –Analogous to the problem that IAM addresses, and rests upon IAM infrastructure “Federating technology” is the “magic” part of option C “Identity federation” (noun) is a set of service providers, identity providers, and other context in which the magic happens

8 CAMP Integration 8 Federating Technologies SAML implementations –Security Assertion Markup Language –Shibboleth –Bodington/Guanxi –AthensIM –SourceID –SAMUEL –MS ADFS –Other proprietary Liberty Identity Federation implementations –SourceID –Lasso –Proprietary Others –MS Inter-Forest Trust

9 CAMP Integration 9 Shibboleth Athenticate at home org Authorize at resource without knowing user’s identity

10 CAMP Integration 10 Swiss Research/Education Network Demo http://www.switch.ch/aai/demo/

11 CAMP Integration 11 Shibboleth Underpinnings Elements of shibboleth infrastructure must identify and authenticate each other –Home org or Identity Provider (IdP) pieces –Resource or Service Provider (SP) pieces Attribute assertions about authenticated principals are sent from IdPs to SPs For it all to work, IdPs and SPs must agree about which attributes and values are tossed around, and their semantics

12 CAMP Integration 12 Federation Value Proposition Set of cooperating IdPs and SPs forms a community needing agreement on: –Trust Fabric X.509 certs IdP and SP identifiers & other metadata –Community standard for attribute semantics –Community standards for IdP and SP operational practices Strength of authentication Confidentiality For N IdPs and M SPs, which is easier? –N*M agreements –N+M agreements

13 CAMP Integration 13 Federations … Might support trust fabric maintenance –Operate a metadata distribution service Might be the locus for attribute standards Might be the locus for “minimum but sufficient” IdP and SP operational practice standards Are not a party to the transactions between IdPs and SPs Are not involved with entitling access to resources

14 CAMP Integration 14 The Research and Education Federation Space REF Cluster InQueue (a starting point) InComm on SWITC H The Shib Rese arch Club Other national nets Other clusters Othe r pote ntial US R+E feds State of Penn Fin Aid Assoc NSDLNSDL Slippery slope - Med Centers, etc Indiana

15 CAMP Integration 15 Shib Identity Provider / (Origin) Ident. Provider (wasabi) Service Provider (gari) Browser User Apache (1.3 or 2.0) / Tomcat Web server / Servlet container “HS” Attribute Authority Inspired by SWITCH (Swiss REN) HTTP://www.switch.ch/aai/demo/ WAYF

16 CAMP Integration 16 Identity Provider / (Origin): AuthN, Identifier Identity Provider (wasabi) Apache (1.3 or 2.0) / Tomcat Web server / Servlet container “HS” Attribute Authority Campus WebISO

17 CAMP Integration 17 WebISO requirements from Shib WebISO can authenticate a set of users based on locally issued/registered credentials Open source WebISO package, PubCookie,mentioned in “Origin” Deployment Guide. For details & download, see http://middleware.internet2.edu/webiso/ Campus WebISO

18 CAMP Integration 18 WebISO alternatives But end-user PKI certs work fine, too (configurable filter) And there are ways to support multiple AuthN methods with failover “UW-Madison 2” InQueue IdP runs this configuration End entity certificate with failover to LDAP basic auth. See wasabiHttpd.conf, lines 1017 et seq. Campus WebISO

19 CAMP Integration 19 Shib assumes Identity and Access Management (IAM) Services Student System of Record Meta- Directory Processes LDAP Directory Campus WebISO Registry Human Resources System of Record Other Systems of Record Enterprise Directory

20 CAMP Integration 20 Campus WebISO Identity Provider Middleware wasabi Apache (1.3 or 2.0) / Tomcat Web server / Servlet container “HS” Attribute Authority Enterprise Directory

21 CAMP Integration 21 “HS” Identity Provider / (Origin) Ident. Provider (wasabi) Service Provider (gari) Browser User Apache (1.3 or 2.0) / Tomcat Web server / Servlet container Attribute Authority

22 CAMP Integration 22 “HS” Identity Provider / (Origin) Attribute Assertion Phase Ident. Provider Service Provider Browser User Apache (1.3 or 2.0) / Tomcat Web server / Servlet container Attribute Authority

23 CAMP Integration 23 Campus WebISO Identity Provider Middleware Apache (1.3 or 2.0) / Tomcat Web server / Servlet container “HS” Attribute Authority Enterprise Directory

24 CAMP Integration 24 Attribute Authority (AA) Ent. Directory Shib AA Deployment Issues: Configure AA to connect to Ent. Directory –Data connectors can be JNDI-based, JDBC-based (xml- configurable) or custom user plug-ins Map Directory attributes to SAML attributes

25 CAMP Integration 25 Attribute Authority (AA) Ent. Directory Fragment of..conf/origin.xml

26 CAMP Integration 26 Attribute Authority (AA) Ent. Directory Resolver links named attributes to specific data connectors:

27 CAMP Integration 27 Attribute Authority (AA) Ent. Directory …and specifies connector (here JNDI LDAP):

28 CAMP Integration 28 Attribute Authority (AA) Ent. Directory …and specifies connector (here JDBC SQL):

29 CAMP Integration 29 Attribute Authority (AA) Ent. Directory Shib AA Deployment Issues, cont.: Comply with Attribute Release Policy (ARP) in determining which service providers get which attributes –Federation rules are given –Bilateral or Community of Interest rules need to be worked out & agreed to

30 CAMP Integration 30 Attribute Authority (AA) Ent. Directory Ah, yes, data access policy This may drag stakeholders kicking & screaming into the room to confront policy How you manage this will be key to successful deployment The “DON’T PANIC” in big friendly letters on the InCommon Book may help

31 CAMP Integration 31 Attribute Authority (AA) Ent. Directory Shib can transport any attribute--it’s up to sender and receiver to agree on its semantics –“Simple matter of configuration” Some of the newer attributes –eduPersonTargetedID if you want a persistent identifier, but one that is specific to a given Identity Provider-Service Provider pair –Course-related attributes. URN-based identifier guideline near for course offering. eduCourse (currently in last call).

32 CAMP Integration 32 Service Provider / (Target) Identity Provider (wasabi) Service Provider (gari) Browser User Apache (1.3 or 2.0) / Tomcat Web server / Servlet container or IIS 5.x or 6

33 CAMP Integration 33 Shib Features for Service Providers WAYF for federations, other options configurable Authentication method can be passed in attribute assertion for fine tuning risk management A site may have a public face with specific links that invoke Shib

34 CAMP Integration 34 Services you might not have thought of Shibbing Roaming Access to WLAN http://www.terena.nl/conferences/tnc2004/ programme/presentations/show.php?pres_id=165 Mikael Linden, CSC, the Finnish IT center for Science RADIUS-based access controller is a Shibboleth service provider Network access control decision based on user’s “home” attributes

35 CAMP Integration 35 Services you might not have thought of Shibbing Portal as Shib Service Apache in front of Portal on Tomcat Other approaches under consideration

36 CAMP Integration 36 Coming Shib Features for Service Providers PKI-based direct-to-target scenario Cert would contains –(possibly opaque) subject id –Identifier for associated Identity Provider –Would eliminate the first several steps in the classic Shib flow diagram –First Service Provider contact to Identity Provider would be the request for attributes Lots of points of agreement to be worked out

37 CAMP Integration 37 Multi-campus system deployment model 1 CampusB Service Provider Browser User Apache (1.3 or 2.0) / Tomcat Web server / Servlet container or IIS 5.x or 6 CampusB IdProv CampusA IdProv CampusC IdProv CampusD IdProv CampusE IdProv

38 CAMP Integration 38 Multi-campus system deployment model 1 Identity Provider per campus (vs. System IdP model) Create a system federation (some policy & configuration work here) Any campus can put up Shibbed service Or a system library can offer system-licensed resources Each campus retains control of Identity Management--high autonomy model

39 CAMP Integration 39 Multi-campus system deployment model 2 System-level Identity Provider Service Provider Browser User Service Provider Service Provider Service Provider CampusB Dir CampusA Dir CampusC Dir

40 CAMP Integration 40 Multi-campus system deployment model 2 System-level Identity Provider model Significant campus-to-system metadirectory infrastructure Create a system federation (some policy & configuration work here) Any campus can put up Shibbed service Or a system library can offer system-licensed resources More seamless “system citizen” experience

41 CAMP Integration 41 Coming: Shib breaks free of the browser Number of open source projects are exploring this space A pure Java implementation of Service Provider components of Shibboleth (now in beta) will really open the door

42 CAMP Integration 42 Joining and leveraging federations InCommon: See participant agreements on the web site http://www.incommonfederation.org –Talks much more about IAM infrastructure than Shibboleth per se Other documents

43 CAMP Integration 43 Federation givens Key attributes, their syntax and semantics eduPersonAffiliation –faculty, student, staff, employee, member, alum, affiliate eduPersonScopedAffiliation –member@ohio.edu eduPersonEntitlement

44 CAMP Integration 44 eduPersonEntitlement in InQueue “If a Federation member sends or receives an eduPersonEntitlement Attribute Assertion containing the InQueue policy uri and containing the value urn:mace:incommon:entitlement:common:1 The semantics should conform to this definition: The person possesses an eduPersonAffiliation value of faculty, staff, or student, or qualifies as a "library walk-in".

45 CAMP Integration 45 eduPersonTargetedID Service providers or directory-enabled applications with the need to maintain a persistent but opaque identifier for a given user for purposes of personalization or record-keeping. Identity or service providers or directory-enabled applications with the need to link an external account to an internal account maintained within their own system. This attribute is often used to represent a long-term account linking relationship between an identity provider and service provider(s). Note that such a service provider might itself also be an identity provider.

46 CAMP Integration 46 eduPersonTargetedID It MAY be a pseudorandom value generated and stored by the identity provider, or MAY be derived from some function over the service provider's identity and other principal-specific input(s), such as a serial number or UUID assigned by the identity provider. It MUST NOT exceed 256 characters in length.

47 CAMP Integration 47 Multiple Federation scenarios Simplest example: US IdP and UK IdP accessing an Open University course hosted in UK US Institution is an InCommon member UK institution belongs to a UK federation Open U. Service Provider has to belong to both to serve members of both federations

48 CAMP Integration 48 Multiple Federation scenarios Likely scenario: US Universities with Medical Schools will have to support both –InCommon & –Some Health Science federation(s)

49 CAMP Integration 49 How many federations? How many levels of federations? An umbrella level: e.g., InCommon Hard, foundational topics handled here: –Trust/risk framework –Attributes, syntax, semantics Under that umbrella, any number of Communities of Interest (or Virtual Organizations) who build on the foundation –Profiles, refinements, extensions

50 CAMP Integration 50 Q & A http://shibboleth.internet2.edu Which of these issues seem tough, confusing to you?

Download ppt "CAMP Integration Provisioning and Relaying: The Integration Story provrel-050628-01.ppt Keith Hazelton"

Similar presentations

Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
EuroCAMP: Porto An Introduction to Identity and Access Management Borrowed from Keith Hazelton Sr. IT Architect, University of.

EuroCAMP: Porto An Introduction to Identity and Access Management Borrowed from Keith Hazelton Sr. IT Architect, University of.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
June 30, 2004CAMP Shibboleth Implementation Workshop Shibboleth Mockup - ARP GUI Management by Steven Carmody Brown University proxy Walter Hoehn.

June 30, 2004CAMP Shibboleth Implementation Workshop Shibboleth Mockup - ARP GUI Management by Steven Carmody Brown University proxy Walter Hoehn.
Shibboleth and InCommon Copyright Texas A&M University 2008. This work is the intellectual property of the author. Permission is granted for this material.

Shibboleth and InCommon Copyright Texas A&M University This work is the intellectual property of the author. Permission is granted for this material.
Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, 2004. This work is the intellectual property of the.

Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, This work is the intellectual property of the.
Shibboleth Update a.k.a. “shibble-ware”

Shibboleth Update a.k.a. “shibble-ware”
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
AAI with simpleSAMLphp

AAI with simpleSAMLphp
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Similar presentations

Ads by Google