Presentation is loading. Please wait.

Presentation is loading. Please wait.

Federated Identity and Shibboleth Concepts Rick Summerhill Chief Technology Officer Internet2 GEC3 October 29, 2008 Slides by Nate Klingenstein

Published byArron Edwards Modified over 8 years ago

Similar presentations

Presentation on theme: "Federated Identity and Shibboleth Concepts Rick Summerhill Chief Technology Officer Internet2 GEC3 October 29, 2008 Slides by Nate Klingenstein"— Presentation transcript:

1 Federated Identity and Shibboleth Concepts Rick Summerhill Chief Technology Officer Internet2 GEC3 October 29, 2008 Slides by Nate Klingenstein ndk@internet2.edu and John Krienke a2jcwk@gmail.com Internet2

2 Circle University joe@circle.edu Dr. Joe Oval Psych Prof. SSN 456.78.910 Password #1 Music Service ID #4 j.o.123 Joe Oval Psych Prof. DOB: 4/4/1955 Password #4 Grant Admin Service ID #2 Joval Dr. Joe Oval Psych Prof. SSN 456.78.910 Password #2 Grading Service ID #3 Jo456 Dr. Joe Oval Psych Prof. Password #3 Home ???????? No coordination Proprietary code Batch uploads Service Providers The Challenging Way

3 Home Circle University Anonymous ID# Dr. Joe Oval Psych Prof. SSN 456.78.910 Circle University joe@circle.edu Dr. Joe Oval Psych Prof. SSN 456.78.910 Circle University joe@circle.edu Dr. Joe Oval Psych Prof. SSN 456.78.910 Password #1 Circle University joe@circle.edu Dr. Joe Oval Psych Prof. SSN 456.78.910 ! 1. Single sign on 2. Services no longer manage user accounts & personal data stores 3. Reduced help-desk load 4. Standards-based technology 5. Home org controls privacy The Federated Way

4 4 How Federated Identity Works 1. A user tries to access a protected application 2. The user tells the application where it’s from 3. The user logs in at home 4. Home tells the application about the user 5. The user is rejected or accepted

5 IdentityProvider ServiceProvider DatabaseDirectory 1. I’d like access 2. What is your home? 3. Please login at home. 4. I’d like to login for SP. Use r 5. Login 6. Here is data about you for SP. Send it. 7. Here is my data. 8a. See the page! 8b. Access Denied

6 6 Shibboleth IdP Written in Java, runs in any Servlet 2.4 container Supports multiple protocols Does not contain attributes or logins Relies on external LDAP/Kerberos/SQL/etc. Extensive controls for the release of attributes

7 Tomcat Tomcat Directory / Database ShibbolethIdPAuthentication WebBrowser ShibbolethSP Application

8 8 Shibboleth SP Written in C++ for Apache, IIS, or NSAPI Apache often used to front-end other web servers: Java containers, Zope, etc. Extensive clustering support No API: attributes & data available through headers & env. variables Keeps identity management external to app

9 Apache or IIS Apache or IIS Directory / Database ShibbolethSP WebBrowser ShibbolethIdP PersonInformation shibd Tomcat

10 10 Words SAML: Security Assertion Markup Language Attribute: A name/value pair that describes a user: uid/rrsum Scope: The domain within which an attribute is valid: staff@example.com Assertion: User authentication & attribute information wrapped as SAML for transport Name Identifier: Any attribute elevated to identifier (primary key) status

11 11 More words entityID: The name of a provider Identity Provider (IdP): Supplies assertions Attribute Authority (AA): Acquires user attributes and encodes them for transport Service Provider (SP): Receives assertions and protects resources Assertion Consumer Service (ACS): Receives assertion, processes it, passes user along

12 12 Last words Federation: A trust structure to help large communities of IdP’s or SP’s interoperate without a MxN handshake Not necessary for federated identity Metadata: A file that describes how to talk to and trust a provider

13 An Example: 13

14 Basic Architecture - IDC

Download ppt "Federated Identity and Shibboleth Concepts Rick Summerhill Chief Technology Officer Internet2 GEC3 October 29, 2008 Slides by Nate Klingenstein"

Similar presentations

Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
Enabling UCTrust Access for Your Application Introduction to The UC CSC Conference UC Santa Barbara, July 21-22, 2008.

Enabling UCTrust Access for Your Application Introduction to The UC CSC Conference UC Santa Barbara, July 21-22, 2008.
ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.

ELAG Trondheim Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.
Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.

Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.
Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal 1 1 2 2 4 4 3,6 5 5 7 7 8 8 9 9 1010 1010 DNS Hello User Sample (Gateway)

Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal , DNS Hello User Sample (Gateway)
Federated Identity, Shibboleth, and InCommon Tom Barton University of Chicago © 2009 The University of Chicago.

Federated Identity, Shibboleth, and InCommon Tom Barton University of Chicago © 2009 The University of Chicago.
Eric Raff. Usergroup up

Eric Raff. Usergroup up
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Shibboleth & IMPETUS 1.What are they? 2.Demo. Shibboleth - A system to support the sharing of Web resources among organisations IMPETUS - Infrastructure.

Shibboleth & IMPETUS 1.What are they? 2.Demo. Shibboleth - A system to support the sharing of Web resources among organisations IMPETUS - Infrastructure.
Www.incommon.org InCommon and Federated Identity Management 1 www.incommon.org.

InCommon and Federated Identity Management 1
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.

Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.
Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.

Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.

Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.

Similar presentations

Ads by Google