Federated Identity and Shibboleth Concepts Rick Summerhill Chief Technology Officer Internet2 GEC3 October 29, 2008 Slides by Nate Klingenstein


1 Federated Identity and Shibboleth Concepts Rick Summerhill Chief Technology Officer Internet2 GEC3 October 29, 2008 Slides by Nate Klingenstein ndk@internet2.edu and John Krienke a2jcwk@gmail.com Internet2

2 The Challenging Way
  Home: Circle University holds Dr. Joe Oval's record (joe@circle.edu, Psych Prof., SSN 456.78.910, Password #1) and has no view of what the services hold (????????).
  Service Providers each keep their own copy of the user:
    Music Service, ID #4 "j.o.123": Joe Oval, Psych Prof., DOB 4/4/1955, Password #4
    Grant Admin Service, ID #2 "Joval": Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #2
    Grading Service, ID #3 "Jo456": Dr. Joe Oval, Psych Prof., Password #3
  No coordination, proprietary code, batch uploads.

3 The Federated Way
  Home: Circle University keeps the single record (joe@circle.edu, Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #1); each service receives only an anonymous ID.
  1. Single sign on
  2. Services no longer manage user accounts & personal data stores
  3. Reduced help-desk load
  4. Standards-based technology
  5. Home org controls privacy

4 How Federated Identity Works
  1. A user tries to access a protected application
  2. The user tells the application where it's from
  3. The user logs in at home
  4. Home tells the application about the user
  5. The user is rejected or accepted

5 Message flow (actors: User, Identity Provider, Service Provider, Database/Directory)
  1. I'd like access
  2. What is your home?
  3. Please login at home.
  4. I'd like to login for SP.
  5. Login
  6. Here is data about you for SP. Send it.
  7. Here is my data.
  8a. See the page!
  8b. Access Denied

6 Shibboleth IdP
  - Written in Java, runs in any Servlet 2.4 container
  - Supports multiple protocols
  - Does not contain attributes or logins
  - Relies on external LDAP/Kerberos/SQL/etc.
  - Extensive controls for the release of attributes

7 (Diagram) Components: Web Browser; Shibboleth SP and Application; Shibboleth IdP and Authentication running in Tomcat; Directory / Database.

8 Shibboleth SP
  - Written in C++ for Apache, IIS, or NSAPI
  - Apache often used to front-end other web servers: Java containers, Zope, etc.
  - Extensive clustering support
  - No API: attributes & data available through headers & env. variables
  - Keeps identity management external to app

9 (Diagram) Components: Web Browser; Shibboleth SP (shibd) and Application under Apache or IIS; Shibboleth IdP in Tomcat; Directory / Database; Person Information.

10 Words
  SAML: Security Assertion Markup Language
  Attribute: A name/value pair that describes a user, e.g. uid/rrsum
  Scope: The domain within which an attribute is valid, e.g. staff@example.com
  Assertion: User authentication & attribute information wrapped as SAML for transport
  Name Identifier: Any attribute elevated to identifier (primary key) status

11 More words
  entityID: The name of a provider
  Identity Provider (IdP): Supplies assertions
  Attribute Authority (AA): Acquires user attributes and encodes them for transport
  Service Provider (SP): Receives assertions and protects resources
  Assertion Consumer Service (ACS): Receives assertion, processes it, passes user along

12 Last words
  Federation: A trust structure to help large communities of IdP's or SP's interoperate without an MxN handshake; not necessary for federated identity
  Metadata: A file that describes how to talk to and trust a provider
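As an added illustration (not from the slides and not Shibboleth's own code), the following Python simulates the flow of slides 4-5 using the terms of slides 10-12: an IdP issues an assertion for one SP, and the SP's Assertion Consumer Service verifies the issuer against metadata, the signature, the audience (the SP's entityID) and the validity window, checks that any scoped attribute carries a scope the IdP is registered for, and then hands the attributes to the application as headers, as slide 8 describes. The entityIDs, HMAC key, scopes and attribute values are constructed placeholders; real SAML assertions are XML signed with X.509 keys published in metadata.

```python
import hmac, hashlib, json, time

# Constructed federation metadata: which IdPs this SP trusts, their signing key
# (an HMAC key stands in for the X.509 certificate real metadata carries) and the
# scopes each IdP is allowed to assert.
METADATA = {
    "https://idp.circle.edu/shibboleth": {"key": b"constructed-idp-key", "scopes": {"circle.edu"}},
}
SP_ENTITY_ID = "https://grading.example.org/shibboleth"  # this SP's entityID (constructed)

def idp_issue_assertion(idp_id, user, attrs, audience, now=None):
    """Steps 6-7: the IdP wraps the login and the released attributes as an assertion for one SP."""
    now = int(time.time()) if now is None else now
    body = {"issuer": idp_id, "subject": user, "audience": audience,
            "not_on_or_after": now + 300, "attributes": attrs}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(METADATA[idp_id]["key"], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}

def sp_consume_assertion(assertion, now=None):
    """Assertion Consumer Service: validate the assertion, then expose the attributes the way
    the Shibboleth SP does, as request headers for the application (step 8a). Any failure
    is step 8b, Access Denied."""
    now = int(time.time()) if now is None else now
    body = json.loads(assertion["payload"])
    meta = METADATA.get(body["issuer"])
    if meta is None:
        raise ValueError("issuer not in federation metadata")
    expected = hmac.new(meta["key"], assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        raise ValueError("signature does not verify")
    if body["audience"] != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different SP")
    if now >= body["not_on_or_after"]:
        raise ValueError("assertion expired")
    headers = {}
    for name, value in body["attributes"].items():
        if "@" in value:  # scoped attribute: the scope must be one this IdP is registered for
            scope = value.rsplit("@", 1)[1]
            if scope not in meta["scopes"]:
                raise ValueError(f"{name}: scope {scope} not permitted for {body['issuer']}")
        headers["Shib-" + name] = value
    return headers

if __name__ == "__main__":
    a = idp_issue_assertion("https://idp.circle.edu/shibboleth", "joe",
                            {"eppn": "joe@circle.edu", "affiliation": "staff@circle.edu"}, SP_ENTITY_ID)
    print(sp_consume_assertion(a))  # {'Shib-eppn': 'joe@circle.edu', 'Shib-affiliation': 'staff@circle.edu'}
```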

13 An Example:

14 Basic Architecture - IDC
