Shibboleth On-line Authentication System Jon Browne Senior Consultant Drew Heald BSc (Hons), MPhil, MCP Systems Developer IBIS Business Consultants Ltd.


Slide 1: Shibboleth On-line Authentication System
Jon Browne, Senior Consultant
Drew Heald BSc (Hons), MPhil, MCP, Systems Developer
IBIS Business Consultants Ltd

Slide 2: Accessing a Web Resource
– Client user accesses a free resource
– Client user is authenticated via a username and password to access a protected resource
– Client user is responsible for setting up that account
(Diagram: the Client sends a Request to a WWW Server and receives a Response.)

Slide 3: Web Resources for Education
– Educational establishments subscribe to resources on behalf of many users
– Parts of a given resource may only be accessible by some of the users in a given educational establishment
– The resources to which a given user has access change periodically

Slide 4: Authentication
(Diagram: School students are authenticated against the school's Directory/Database of student data; the Resource then applies Authorisation, with parts available to all, parts available to year 3 and above, and parts available to year 6 and above.)

Slide 5: Authentication: Common Issues
– Exposure of personal information
– High administrative burden
– Lack of traceability
– Password leakage
– Many passwords problem
– Resource accessibility is restricted
– Complicated to use

Slide 6: Shibboleth aims to:
– Ensure no personal information is exposed unless necessary
– Minimise the number of passwords a user needs to remember
– Minimise the administrative burden
– Enable user traceability
– Be transparent to the user
– Enable access from any location

Slide 7: Shibboleth User Authentication
(Diagram: the LEA/RBC (Origin) runs User Authentication, a Handle Service, an Attribute Authority and the User Attributes store (LDAP/SQL). The Resource (Target) runs a SHIRE, a SHAR and the Resource(s). A WAYF service lists the origins: Bash Street, St Trinians, Hogwarts, LGfL, Oxford, …)

Slide 8: Shibboleth User Authentication
(Same components as slide 7; the numbered messages in the diagram, in order:)
1. Request URL
2. Request URL + SHIRE URL
3. Request URL + SHIRE URL
4. Username + password
5. Request URL + Handle + AA URL
6. Request URL + Handle + AA URL
7. Request URL + Handle
8. Handle returns User ID
9. User Attributes
10. Request URL + User Attributes
11. User Attributes

Slide 9: Shibboleth User Authentication
(Same components as slide 7.)
1. Subsequent Request URL (Same Domain)
– SHIRE has Cached Session & Handle = OK
– SHAR has Cached Attributes = OK

Slide 10: Shibboleth User Authentication
(Same components as slide 7.)
1. Subsequent Request URL (Different Domain)
– SHIRE has Cached Session & Handle = OK
– SHAR has no Cached Attributes for the new Domain, so it asks the AA
– Handle returns User ID
– Request New Domain Attributes
– Return New Domain Attributes
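A toy Python model of the handle-based flow on slides 8 to 10, added here and not Shibboleth's own code: the Handle Service issues a random handle instead of the username, the Attribute Authority releases only the attributes a per-target policy permits, and the SHAR caches attributes per domain so a repeat request to the same domain needs no further query. The user store, release policy, target names and credential check are all constructed for the example.

```python
import secrets
import time

# Constructed stand-in for the origin's LDAP/SQL user store (slide 7).
USER_DIRECTORY = {"dheald": {"school": "Bash Street", "year": 6, "email": "dheald@example.invalid"}}
# Constructed attribute release policy: which attributes each target domain may see.
RELEASE_POLICY = {"resource-a.example.invalid": {"school", "year"}, "resource-b.example.invalid": {"year"}}

class HandleService:
    """Steps 4-5: checks the password, then hands out an opaque handle, not the user ID."""
    def __init__(self, ttl_seconds=300):
        self._handles = {}           # handle -> (username, expiry time)
        self.ttl = ttl_seconds
    def authenticate(self, username, password):
        # Constructed credential check; a real origin would consult the directory.
        if username not in USER_DIRECTORY or password != "correct-horse":
            raise PermissionError("bad credentials")
        handle = secrets.token_urlsafe(16)   # random, so it reveals nothing about the user
        self._handles[handle] = (username, time.time() + self.ttl)
        return handle
    def resolve(self, handle):
        # Step 8: "Handle returns User ID"; unknown or expired handles are refused.
        username, expiry = self._handles.get(handle, (None, 0.0))
        if username is None or time.time() > expiry:
            raise LookupError("unknown or expired handle")
        return username

class AttributeAuthority:
    """Steps 8-9: resolves the handle and releases only what the policy allows that target."""
    def __init__(self, handle_service):
        self.hs = handle_service
    def query(self, handle, target):
        username = self.hs.resolve(handle)
        allowed = RELEASE_POLICY.get(target, set())
        return {k: v for k, v in USER_DIRECTORY[username].items() if k in allowed}

class SHAR:
    """Target-side requester; caches attributes per (handle, domain) as on slides 9-10."""
    def __init__(self, aa):
        self.aa = aa
        self.cache = {}
        self.aa_queries = 0
    def attributes_for(self, handle, target):
        key = (handle, target)
        if key not in self.cache:    # slide 10: nothing cached for this domain, ask the AA
            self.aa_queries += 1
            self.cache[key] = self.aa.query(handle, target)
        return self.cache[key]
```

The target side only ever handles the random handle and the released attributes; the username and the unreleased email address stay at the origin.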

Slide 11: Shibboleth User Authentication
(Diagram: the same Origin and Target components as slide 7, with a Portal added.)

Slide 12: Shibboleth User Authentication
Pros
– Low administrative burden
– Exposure of personal information under user's control
– Same identity for all resources
– User traceability
– Resources can be accessed from any location
Cons
– (Possible) multi-stage authentication

Slide 13: Shibboleth Demonstration
– Browser
– Shibboleth Origin: Windows XP Pro, Apache Server 2.0.49
– LDAP Directory (Active Directory): Windows 2003 Server
– WAYF Service: Windows 2003 Server, IIS 6.0
– Shibboleth Target: Windows 2003 Server, IIS 6.0
(Diagram: message steps 1 to 7 between the components.)

Slide 14: Shibboleth Demonstration
– Browser
– Shibboleth Origin: Windows 2003 Server, Apache Server 2.0.49
– LDAP Directory (Active Directory)
– WAYF Service
– Shibboleth Target: Windows 2003 Server, IIS 6.0
(Diagram: message steps 1 to 7 between the components.)

Slide 15: Shibboleth
"Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand." (Judges 12:6)
http://shibboleth.internet2.edu

