
Slide 1: Shibboleth
Akylbek Zhumabayev, September 2008

Slide 2: Agenda
- Introduction
- Related Standards: SAML, WS-Trust, WS-Federation
- Overview: Shibboleth, GSI, GridShib
- Shibboleth Architecture
- GridShib Architecture
- References

Slide 3: Introduction
- Cross-domain Single Sign-On (SSO)
- Standards: SAML, WS-Trust, WS-Federation
- Started in 2000 by Internet2/MACE
- Current version: 2.0 (March 19, 2008), http://shibboleth.internet2.edu
- Open source (Apache2 license)
- Large projects in 15 countries

Slide 4: SAML
- Security Assertion Markup Language
- XML-based standard for exchanging authentication and authorization data
- Built on standards: HTTP, XML, XML-Signature, XML-Encryption, SOAP
- Assertions:
  – Authentication
  – Attribute
  – Authorization decision

Slide 5: SAML
- SAML 2.0 is a set of standards (OASIS):
  – Assertions and Protocols
  – Bindings (SOAP, HTTP GET, HTTP POST, etc.)
  – Profiles (SSO, Query, Attribute, Resolution, etc.)
  – Metadata (related data elements)
  – Authentication Context
  – Conformance Requirements
  – Security and Privacy Considerations

Slide 6: SAML
[Diagram: SAML carried by a Web Service (SOAP) and by a Web Browser (HTTP); the sample response begins "HTTP/1.1 200 OK"; layers shown as HTTP, SOAP, SAML]

Slide 7: WS-Trust
- Manages tokens: issuing, renewing and validating
- The specification defines:
  – Security Token Service (STS)
  – Formats of messages
  – Mechanisms for key exchange
- Built on standards: WS-Security, WS-Policy, WS-PolicyAttachment

Slide 8: WS-Trust 1.3 (OASIS)
[Diagram: Client, Resource and STS, each with Token, Policy and Claims; exchanges labelled RST/RSTR (RequestSecurityToken / RequestSecurityTokenResponse)]

Slide 9: WS-Federation
- Contributors: IBM, Microsoft, etc.
- Purpose: cross-domain identity portability
- Current version: 1.1 (December 2006)
- Carrier: SAML token
- Domain trust: WS-Trust
- Trust carrier: X.509

Slide 10: WS-Federation: Basic
[Diagram: Requestor, Resource, and two Identity Providers (STS) with a trust relationship between them; steps: 1. Obtain ST, 2. Obtain AT, 3. Access]

Slide 11: WS-Federation: Attributes
[Diagram: Requestor, Resource, two Identity Providers (STS) with a trust relationship, and an Attribute & Pseudonym Service on each side; steps: 1. Obtain ST, 2. Obtain AT, 3. Obtain PT, 4. Access, 5. Authorize, 6. Obtain additional info]

Slide 12: WS-Federation: Metadata
[Diagram: a Federation Metadata document carrying a Signature element]

Slide 13: Overview: Shibboleth
Shibboleth includes two main components:
- Identity Provider (IdP):
  – Maintains user credentials and attributes
  – Asserts authentication statements on request
- Service Provider (SP):
  – Manages secured resources
  – Access is based on assertions made by the IdP

Slide 14: Overview: Shibboleth
[Diagram: user@X in Domain X, an Identity Provider backed by an LDAP system, a WAYF, and a Service Provider in Domain Y; numbered steps 1 to 4; labels: Username/password, Attributes, WS-Federation]

Slide 15: Overview: GSI
- Globus Toolkit (GT), the de-facto grid middleware:
  – Based on the Open Grid Services Architecture (OGSA)
  – Implements the WS Resource Framework (WSRF)
- Globus Security Infrastructure (GSI):
  – Powerful and reliable implementation
  – Based on WS standards
  – X.509 authentication mechanism
  – Uses proxy certificates (MyProxy)

Slide 16: Overview: GSI
[Diagram: GSI X.509 certificates; Client, System, CA and MyProxy; an X.509 entity certificate and a proxy certificate]

Slide 17: Overview: GridShib
- Shibboleth was not originally integrated with the grid: username/password vs. X.509
- GridShib integrates Shibboleth and GT
- Joint project of NCSA, the University of Chicago, and Argonne National Laboratory

Slide 18: Overview: GridShib
[Diagram: user@X in Domain X, an Identity Provider backed by an LDAP system, a WAYF, GridShib, and a Grid System; numbered steps 1 to 4; labels: Attributes, Profile, WS-Federation, X.509]

Slide 19: Shibboleth Architecture
Identity Provider components:
- Authentication Authority
- Attribute Authority
- Artifact Resolution Service
- SSO Service

Slide 20: Shibboleth Architecture
Service Provider components:
- Assertion Consumer Service
- Attribute Requester
- Resource

Slide 21: Shibboleth Architecture
[Diagram of the browser SSO flow: Client, Resource, WAYF, IdP SSO / Authentication Authority, Assertion Consumer, Attribute Authority, Artifact Resolution, Attribute Requestor; steps: 1. GET, 2. GET/Form, 3. GET/IdP SSO, 4. GET, 5. GET/POST, 6. GET]
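To make concrete what the SP's Assertion Consumer Service has to check before it grants access on the strength of an IdP assertion (slides 13, 20 and 21), here is an added Python model that is not part of the presentation: the IdP issues a SAML 2.0 assertion carrying an AuthnStatement and an AttributeStatement, and the SP accepts it only from an issuer in its trust table, unmodified, addressed to its own entityID and inside the validity window. A keyed HMAC stands in for the XML-Signature a real SP verifies against the IdP certificate published in metadata; all entity IDs, keys and attribute values are constructed.

```python
import hmac, hashlib, datetime as dt
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"  # constructed entityID
# Constructed stand-in for the SP's view of federation metadata (IdP entityID -> key).
# A real SP verifies an XML-Signature with the IdP certificate; HMAC plays that role here.
TRUSTED_IDPS = {"https://idp.example.org/idp": b"constructed-demo-key"}

def sign(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def issue_assertion(idp_id, key, subject, attrs, now, audience=SP_ENTITY_ID, lifetime=300):
    """IdP side: assertion with an AuthnStatement and an AttributeStatement, valid for `lifetime` s."""
    nb = now.isoformat()
    noa = (now + dt.timedelta(seconds=lifetime)).isoformat()
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        f"</saml:Attribute>" for n, v in attrs.items())
    body = (f'<saml:Assertion xmlns:saml="{SAML}" ID="_1">'
            f"<saml:Issuer>{idp_id}</saml:Issuer>"
            f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">'
            f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
            f"</saml:AudienceRestriction></saml:Conditions>"
            f'<saml:AuthnStatement AuthnInstant="{nb}"/>'
            f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
            f"</saml:Assertion>")
    return body, sign(key, body)

def consume_assertion(body, mac, now):
    """SP Assertion Consumer Service: returns (subject+attributes, status); access only on "ok"."""
    root = ET.fromstring(body)
    key = TRUSTED_IDPS.get(root.findtext("saml:Issuer", namespaces=NS))
    if key is None:
        return None, "untrusted issuer"
    if not hmac.compare_digest(mac, sign(key, body)):
        return None, "bad signature"
    cond = root.find("saml:Conditions", NS)
    if not (dt.datetime.fromisoformat(cond.get("NotBefore")) <= now
            < dt.datetime.fromisoformat(cond.get("NotOnOrAfter"))):
        return None, "outside validity window"
    if SP_ENTITY_ID not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        return None, "wrong audience"
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    return {"subject": root.findtext(".//saml:NameID", namespaces=NS),
            "attributes": attrs}, "ok"
```

The checks are ordered so that an assertion from an unknown issuer is rejected before any cryptography runs, and a tampered one before its claims are read.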

Slide 22: Shibboleth Architecture
[Diagram]

Slide 23: GridShib Architecture
Modules:
1. GridShib for Globus Toolkit (GS4GT)
2. GridShib for Shibboleth (GS4Shib)
3. GridShib Certificate Authority (GS-CA)
4. GridShib SAML Tools (GS-ST)
Scenarios:
A. SAML Web Browser SSO
B. Shib-enabled GridShib CA
C. Shib-enabled Science Gateway
D. GridShib-enabled Grid Security Infrastructure (GSI)
E. GridShib-enabled Attribute Query

Slide 24: GridShib Architecture
[Diagram]

Slide 25: References
- Shibboleth official website: http://shibboleth.internet2.edu
- Globus Toolkit official website: http://globus.org
- GridShib official website: http://gridshib.globus.org
- OASIS official website: www.oasis-open.org

