Administrative Information Systems
Shibboleth: The Next Generation
ISIS Technical Information Session for ISIS Developers
January 30, 2007
Today's Goals
Explain how Shibboleth relates to ISIS and the future of web single sign-on at UCLA, and beyond
Provide a technical overview of Shibboleth
Describe ISIS/Shibboleth integration plans
Outline application considerations in a Shibbolized environment
Sketch the migration plan
Attempt to answer questions
UCLA's Web Single Sign-on: A Brief History
ISIS began in 1996 with the launch of MyUCLA, making it one of the earliest web single sign-on solutions in higher education
Modern ISIS: major redesign in 2002 toward a single login page/web service model
Now works with over 200 applications throughout the campus
ISIS Pros and Cons
Pros
–Created a de facto single sign-on standard when there was none
–Web service model allows applications on different platforms to integrate
–Delivers a minimum set of user attributes
Cons
–The "standard" doesn't scale beyond the campus
–Web service model requires fairly hefty technical know-how to deploy
–Does a fairly poor job of managing and delivering user attributes
Evolving ISIS: Moving Toward Open Standards
A web SSO protocol designed with higher education in mind and based on open standards has emerged: Shibboleth
http://shibboleth.internet2.edu
Evolving ISIS: Moving Toward Open Standards
ISIS will move to adopt the Shibboleth protocol
Work has already begun. ISIS 5 was a major step in that direction:
–Enterprise Directory
–UCLA Logon ID
–Logout web page
–Stronger separation between test and production
Shibboleth Overview
A federated authentication/attribute query protocol
An Internet2-developed reference implementation of the Shibboleth protocol
Performs web single sign-on
–Within a campus
–Across multiple organizations
Standards based: built on SAML
Shibboleth Overview
Emphasis on protecting user privacy
Provides a granular attribute release control mechanism: the Attribute Release Policy (ARP)
–Allows the individual and the institution to control release of user data to applications at the per-application, per-attribute, per-value level
–Ideal in a higher education environment where FERPA and other privacy legislation are of major concern
Standards based
Shibboleth Overview
For web browser-based authentication only, although non-web bridging projects are underway: GridShib, wireless authentication, etc.
Quickly gaining momentum in the higher education community
UC is adopting Shibboleth as its standard federated authentication mechanism: UCTrust
Shibboleth Benefits
Standards based. Lots and lots of integration activities happening:
–Grid computing
–Library vendors
–Music download service vendors
–Open source and commercial software: Moodle, Plone, WebCT, etc.
–https://wiki.internet2.edu/confluence/display/seas/Home
Designed for privacy and security
Much more flexible than ISIS
Much broader user/support community
Federated: users from another Shibbolized university can potentially log into your system using their home organization's credentials
Open source software supported by Internet2
–Client modules! No coding necessary
–Works with static web sites
Shibboleth Vocabulary
Federation
Where Are You From Service (WAYF)
Identity Provider (IdP)
Service Provider (SP)
Handle Service (HS)
Attribute Authority (AA)
Attribute Requester (AR)
Assertion Consumer Service (ACS)
Attribute Release Policy (ARP)
Shibboleth: Federation
A natural trust fabric that simplifies the deployment of Shibboleth by sets of providers involved in common attribute exchange and content protection
A group of universities and organizations who agree to leverage a common protocol (Shibboleth) to cross-authenticate users into each other's applications and to provide the user attributes needed to support authorization decisions
By default, the US higher education federation is InCommon
Shibboleth: Where Are You From (WAYF) Service
Part of the federation services
A directory service (web page) that asks the user where to direct him/her to log in, then redirects the user to the appropriate Identity Provider
Hosted by the federation operator*
*In Shibboleth 2.0, the WAYF function will be part of the Service Provider module
Shibboleth: Identity Provider (IdP)
The "server" side of Shibboleth
Performs authentication
Issues the authentication assertion
Responds to attribute queries
Issues the attribute assertion
Analogous to the ISIS Login Server and Web Service
One instance per campus
Shibboleth: Service Provider (SP)
The "consumer" side of Shibboleth
Apache module or IIS ISAPI filter
Handles all communications with the WAYF and IdP
Places returned attributes in HTTP headers (the application must read these only on paths the SP protects: the SP strips inbound copies of its own headers, but a request that reaches the application without passing through the SP could carry client-supplied ones)
Provided by Internet2
Shibboleth: IdP Components
Handle Service (HS)
–Directs the incoming user to the authentication authority (i.e., the login page)
–Issues the Shibboleth handle (similar to a session token, à la the ISIS ticket)
Attribute Authority (AA)
–Responds to attribute requests
–Queries data repositories
–Constructs and returns the attribute assertion (an XML document containing the requested user data)
Shibboleth: SP Components
Assertion Consumer Service (ACS)
–Processes the Shibboleth handle returned by the IdP
–Initiates an optional attribute request
–Establishes a security context at the SP, and redirects the client to the desired target resource
Attribute Requester (AR)
–Establishes a direct (back-channel, not browser-mediated) connection to the Attribute Authority at the IdP
–Exchanges the attribute query and attribute response
Shibboleth: Attribute Release Policy
An XML document specifying, for a given individual, which values of which attributes are released to which service providers
Allows very fine-grained control over the release of attributes
Both the university and the individual user can have control over the release of individual attributes
ARP Examples
"eduPersonAffiliation release to anyone"
This rule releases any value of the eduPersonAffiliation attribute to any service provider
ARP Examples
"Non-administrative groups released to Brown"
This rule releases most group values, but not administrative ones, to service providers from Brown University
Match patterns from the rule (as extracted): requester *$brown.edu; denied values ^urn:mace:example.org:group:admin:*
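The two ARP rules on slides 19 and 20 only show their descriptions and match patterns; the following is an added example (not UCLA/ISIS or Internet2 code) that writes both rules out in the Shibboleth 1.x ARP style and evaluates them against a constructed user record for two different requesting SPs. The XML element names, the `urn:mace:shibboleth:arp:1.0` namespace and the `regexMatch`/`exactShar` match-function URNs are written from memory and are assumptions to check against the IdP's ARP schema; the requester regex, the `isMemberOf` attribute used for "groups", the SP identifiers and the user's attribute values are all constructed for the example. The evaluation semantics (all matching rules contribute; a value is released only if some rule permits it and no rule denies it; unmentioned attributes are withheld) are the ones the slides describe.

```python
"""Toy evaluator for Shibboleth 1.x-style Attribute Release Policy (ARP) rules."""
import re
import xml.etree.ElementTree as ET

ARP_NS = "urn:mace:shibboleth:arp:1.0"                              # assumed namespace
REGEX_MATCH = "urn:mace:shibboleth:arp:matchFunction:regexMatch"    # assumed URN
EXACT_MATCH = "urn:mace:shibboleth:arp:matchFunction:exactShar"     # assumed URN

# Constructed policy reproducing the two slide examples. The requester regex and
# the isMemberOf attribute are assumptions; the slide's patterns were garbled.
SAMPLE_ARP = r"""<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Rule>
    <Description>eduPersonAffiliation release to anyone</Description>
    <Target><AnyTarget/></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
  <Rule>
    <Description>Non-administrative groups released to Brown</Description>
    <Target>
      <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">^https://[^/]*\.brown\.edu/.*</Requester>
    </Target>
    <Attribute name="urn:mace:dir:attribute-def:isMemberOf">
      <AnyValue release="permit"/>
      <Value release="deny" matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">^urn:mace:example\.org:group:admin:.*</Value>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>
"""


def _q(name):
    """Namespace-qualify an ARP element name for ElementTree lookups."""
    return f"{{{ARP_NS}}}{name}"


def _matches(node, candidate):
    """Apply the node's matchFunction (default: exact string match) to candidate."""
    pattern = (node.text or "").strip()
    if node.get("matchFunction", EXACT_MATCH) == REGEX_MATCH:
        return re.search(pattern, candidate) is not None
    return pattern == candidate


def _rule_applies(rule, requester):
    """A rule applies when its Target is AnyTarget or a Requester matches the SP id."""
    target = rule.find(_q("Target"))
    if target is None or target.find(_q("AnyTarget")) is not None:
        return True
    return any(_matches(r, requester) for r in target.findall(_q("Requester")))


def evaluate_arp(arp_xml, requester, user_attributes):
    """Return {attribute name: [released values]} for one requesting SP.

    Assumed 1.x semantics: every rule whose Target matches the requester
    contributes; a value is released only if some rule permits it and no rule
    denies it (deny overrides permit); attributes no rule mentions are withheld.
    """
    root = ET.fromstring(arp_xml)
    rules = [r for r in root.findall(_q("Rule")) if _rule_applies(r, requester)]
    released = {}
    for name, values in user_attributes.items():
        permit, deny = set(), set()
        for rule in rules:
            for attr in rule.findall(_q("Attribute")):
                if attr.get("name") != name:
                    continue
                for any_value in attr.findall(_q("AnyValue")):
                    bucket = permit if any_value.get("release", "permit") == "permit" else deny
                    bucket.update(values)
                for value in attr.findall(_q("Value")):
                    bucket = permit if value.get("release", "permit") == "permit" else deny
                    bucket.update(v for v in values if _matches(value, v))
        kept = [v for v in values if v in permit and v not in deny]
        if kept:
            released[name] = kept
    return released


# Constructed user record (attribute names as URNs, as the 1.x AA used them).
SAMPLE_USER = {
    "urn:mace:dir:attribute-def:eduPersonAffiliation": ["student", "member"],
    "urn:mace:dir:attribute-def:isMemberOf": [
        "urn:mace:example.org:group:chess-club",
        "urn:mace:example.org:group:admin:sysadmin",
    ],
    "urn:mace:dir:attribute-def:mail": ["jdoe@example.org"],  # no rule: never released
}

if __name__ == "__main__":
    for sp in ("https://sp.library.brown.edu/shibboleth", "https://sp.ucla.edu/shibboleth"):
        print(sp, evaluate_arp(SAMPLE_ARP, sp, SAMPLE_USER))
```

Run stand-alone, the Brown SP receives both affiliation values and the chess-club group but not the admin group, and the UCLA SP receives only the affiliation values; the mail attribute is released to neither, because release is opt-in per attribute and no rule mentions it. That opt-in default is the point of slide 34's warning: an application should expect to be missing attributes it never negotiated.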
Shibboleth Architecture
[Diagram © SWITCH: Web Site/Resource, Service Provider (ACS, AR, Resource Manager), WAYF, Identity Provider (HS, AA, User DB/Credentials); the ten numbered steps are narrated on the next slide]
Shibboleth Architecture: Walkthrough (Identity Provider at UCLA)
1. The user requests a protected resource on the web site.
2. SP (ACS): "I don't know you. Not even which home org you are from. Redirect your request to the WAYF."
3. WAYF: "Please tell me where you are from."
4. WAYF: "OK, I redirect your request now to the Handle Service of UCLA."
5. HS: "I don't know you. Please authenticate using ISIS."
6. The credentials are checked against the user DB.
7. HS: "OK, I know you now. Redirect your request to the SP, together with a handle."
8. AR: "I don't know the attributes of this user. Let's ask the Attribute Authority." (sends the handle)
9. AA: "Let's pass over the attributes the user has allowed me to release." (returns the attributes)
10. Resource Manager: "OK, based on the attributes, I grant access to the resource."
Questions So Far?
Shibboleth @ UCLA
Shibboleth IdP already running in production
Uses the ISIS Login Server to authenticate users
Handles logout using ISIS 5's logout page
Running in parallel with ISIS 5
Can interoperate with existing ISIS sessions
–Single sign-on
–Single logout (if the Shib SP invokes the logout page)
Shibboleth @ UCLA
Will eventually replace the ISIS Web Service API
Seeking qualified early adopters to begin using Shibboleth instead of the legacy ISIS Web Service API
Administration is still a manual process
No customizable ISIS session length
SP cannot customize the login page
ISIS/Shibboleth Integration To-Do's
ISIS Login Server will continue to serve the login form
Integrate Shibboleth SP administration with ISIS administration
Incorporate data release approval from data stewards into the SP setup process
Need more attribute data!
Enable ISIS login form customization for Shib SPs (at least the UCLA ones)
Improve user experience during redirects
Easier-to-follow support materials
Helpdesk coordination
Migrating to Shibboleth
Migration philosophy
–Parallel support for ISIS 5 and ISIS/Shib
–Gradual migration: move when it's a good time for your application to move
–…within reason, of course
–Emphasis on user experience
Migrating to Shibboleth
Phase I: Pilot Production
–Now to Fall 2007
–For early adopters and new applications
–For applications with unique requirements
–New applications can choose between implementing the ISIS 5 API or using Shibboleth
Ideal Phase I candidates
–New applications joining the UCLA SSO community with strong developer support
–Applications with unique requirements: UC Grid, static web pages, etc.
–Federated applications: AYSO, ERS, CDigix, etc.
Migrating to Shibboleth
Phase II: Full Migration
–When Shibboleth 2.0 rolls out and stabilizes
–All new applications will use Shibboleth
Phase III: Ending ISIS 5 Support
–Timeframe TBD
–Migrate any remaining ISIS apps to use Shibboleth
Questions So Far?
…technical details of Shibboleth-ISIS integration and its level of transparency for users and applications
…about the cost related to Shibb certificates. My understanding is that it will be $1000/year/cert, once the original 25 certs are used up.
More details on federated access. Namely, does a Service Provider have to establish trust and agree on assertions with every foreign Identity Provider it wants to support? That seems like an administrative hell.
Preparing Your Application for Shibboleth
Choose your web server
–IIS
–Apache
Must have separate test and production environments
Choose your deployment scenario
–Federated
–Bilateral
Federated Deployment
With federated deployment, your application joins a Shibboleth federation (InCommon, UCTrust)
Need to register and obtain a federation-issued digital certificate
Application enjoys common standards, but needs to comply with all federation requirements
–Security and audit requirements
–Attribute assertion agreements (more work on the IdP side than the SP side)
–Coordinated helpdesk support
Choose federated deployment if:
–You plan to accept authentication assertions from multiple IdPs
–You have business requirements to participate in a federation
Bilateral Deployment
With bilateral deployment, your application exchanges credentials and negotiates attribute exchanges directly with the IdP
No need to obtain federation digital certificates
Likely a simpler deployment model for UCLA-only applications
Choose bilateral deployment if:
–You plan to accept authentication assertions only from UCLA's IdP
Can always move to a federated deployment model later
Preparing Your Application for Shibboleth
Rethink your user access provisioning process
–Shib's privacy policy may mean that you won't get all the attributes you want from all the users. You may need to ask for more information
–Especially with federated deployment, you will receive login attempts from unexpected users
–An on-demand access provisioning model is preferred
–Need to provide much more descriptive help information on screen
Preparing Your Application for Shibboleth
The user may be confused if you show him:
"Login Failed: Access Denied."
Preparing Your Application for Shibboleth
This may make it just a bit clearer to the user why he cannot continue, and what he can do to remedy the situation:
"Thank you for your interest in using the Foobar system. It appears that you authenticated successfully. However, you have not registered to become a user with Foobar. Foobar is a restricted system. If you believe you should have access, please click here to complete an access request. For additional inquiries, please contact our helpdesk at helpdesk@foobar.ucla.edu"
Preparing Your Application for Shibboleth
Rethink your logging and helpdesk support model
–Especially with federated deployment, the user's IdP may not be UCLA
–Helping a user through the troubleshooting process is critical
–Think about your hours of support
–Think about the kind of information you need to keep in your application log
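Slides 34 to 37 describe what an application behind the SP has to do differently: read the attributes the SP hands it, cope with attributes the IdP withheld, handle unregistered users on demand with a helpful message rather than "Access Denied", and log enough to support a user whose IdP is not UCLA. The following is an added example, not ISIS, UCLA or Internet2 code, of one small authorization layer doing all of that. It assumes the SP exports `Shib-Session-ID`, `Shib-Identity-Provider`, `eppn` and `affiliation` as server variables (the default for the Apache module; the attribute ids depend on the SP's attribute map), with an HTTP-header fallback that is only used when the deployer has explicitly confirmed the SP fronts every path, since the browser can forge headers but not server variables. The user registry, the `/request-access` path, the IdP entity IDs and the request environs are constructed; the helpdesk address and the wording of the denial message are taken from slide 36.

```python
"""SP-side consumption of Shibboleth attributes by an application behind the SP."""
import json
import time

# Variables the Shibboleth SP exports. Shib-Session-ID and Shib-Identity-Provider
# are the SP's fixed session variables; eppn and affiliation are assumed to be the
# ids in the SP's attribute map (check the deployed attribute-map config).
SESSION_VAR = "Shib-Session-ID"
IDP_VAR = "Shib-Identity-Provider"
ATTRS = ("eppn", "affiliation")

REGISTERED_USERS = {"jdoe@ucla.edu": {"role": "editor"}}   # constructed registry
ACCESS_REQUEST_URL = "/request-access"                      # hypothetical path
HELPDESK = "helpdesk@foobar.ucla.edu"                       # from the slide's sample text


def shib_attributes(environ, headers_trusted=False):
    """Collect the SP's session variables from a WSGI-style environ.

    Server variables set by the SP cannot be supplied by the browser. HTTP
    headers can, so the HTTP_* fallback is used only when the deployer has
    confirmed the SP is in front of every path and strips inbound Shib headers.
    """
    def lookup(name):
        if name in environ:
            return environ[name]
        if headers_trusted:
            return environ.get("HTTP_" + name.upper().replace("-", "_"))
        return None

    return {name: lookup(name) for name in (SESSION_VAR, IDP_VAR) + ATTRS}


def authorize(environ, path, headers_trusted=False, now=None):
    """Make the access decision and build the log record the helpdesk will need.

    Returns (http_status, message_for_user, log_record).
    """
    attrs = shib_attributes(environ, headers_trusted)
    record = {
        "ts": now if now is not None else time.time(),
        "path": path,
        "session": attrs[SESSION_VAR],
        "idp": attrs[IDP_VAR],      # which IdP to contact when a federated user has trouble
        "eppn": attrs["eppn"],
        "affiliation": attrs["affiliation"],
    }
    if not attrs[SESSION_VAR]:
        # The SP redirects unauthenticated users to the WAYF/IdP before the app
        # runs, so reaching here means this path is not actually SP-protected.
        record["outcome"] = "no-shib-session"
        return 401, "Not authenticated: no Shibboleth session on this request.", record
    if not attrs["eppn"]:
        # Authenticated, but the IdP's ARP withheld the attribute this app keys on.
        record["outcome"] = "missing-eppn"
        return 403, (
            "You authenticated successfully, but your home institution "
            f"({attrs[IDP_VAR]}) did not release the identifier this system needs. "
            f"Please contact {HELPDESK} and quote session {attrs[SESSION_VAR]}."
        ), record
    user = REGISTERED_USERS.get(attrs["eppn"])
    if user is None:
        # On-demand provisioning: say what happened and how to request access.
        record["outcome"] = "not-registered"
        return 403, (
            "Thank you for your interest in using the Foobar system. It appears that "
            "you authenticated successfully. However, you have not registered to "
            "become a user with Foobar. Foobar is a restricted system. If you believe "
            f"you should have access, please request it at {ACCESS_REQUEST_URL}. "
            f"For additional inquiries, please contact our helpdesk at {HELPDESK}."
        ), record
    record["outcome"] = "granted"
    record["role"] = user["role"]
    return 200, f"Welcome, {attrs['eppn']}.", record


def log_line(record):
    """One JSON line per decision: session id, IdP, eppn, path, outcome, time."""
    return json.dumps(record, sort_keys=True)


# Constructed requests as the SP presents them (attributes as server variables).
REGISTERED_REQUEST = {
    SESSION_VAR: "_a1b2c3", IDP_VAR: "https://idp.ucla.example/idp/shibboleth",
    "eppn": "jdoe@ucla.edu", "affiliation": "staff@ucla.edu",
}
FEDERATED_VISITOR_REQUEST = {
    SESSION_VAR: "_d4e5f6", IDP_VAR: "https://idp.other.example/idp/shibboleth",
    "eppn": "visitor@other.example", "affiliation": "member@other.example",
}
# A browser sending forged attributes as HTTP headers on a path the SP does not cover.
SPOOFED_REQUEST = {"HTTP_SHIB_SESSION_ID": "_fake", "HTTP_EPPN": "jdoe@ucla.edu"}

if __name__ == "__main__":
    for env in (REGISTERED_REQUEST, FEDERATED_VISITOR_REQUEST, SPOOFED_REQUEST):
        status, message, record = authorize(env, "/edit")
        print(status, log_line(record))
```

The spoofed request is rejected with the default `headers_trusted=False` because the forged values only exist as `HTTP_*` headers; calling `authorize(SPOOFED_REQUEST, "/edit", headers_trusted=True)` lets it through as jdoe, which is exactly the failure an IIS-style header deployment invites if the SP does not sit in front of every path and strip those headers. The log record keeps the IdP entity ID and SP session ID alongside the outcome, which is the minimum a helpdesk needs to take a federated user's problem back to the right institution.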
Preparing Your Application for Shibboleth: Next Steps
Install fest?
Usability workshops?
Diagnostic/testing modules?
Common logging format?
Helpdesk coordination
–KB: kb.ucla.edu? Something else?
–Shared diagnostic support scripts?
Resources
Official Shibboleth website: http://shibboleth.internet2.edu
Shibboleth wiki: https://spaces.internet2.edu/display/SHIB
InCommon Federation: http://www.incommonfederation.org/
UCTrust Federation: http://www.ucop.edu/irc/itlc/uctrust/
Three cool demos of how Shib works from the Swiss Shibboleth Federation folks: http://www.switch.ch/aai/demo/
Middleware Infrastructure Group's website: http://mi6.ais.ucla.edu
Q & A