Download presentation
Presentation is loading. Please wait.
Published byLouisa Blair Modified over 8 years ago
1
JISC Shibboleth Briefing, 12-Mar-20041 Everything I always wanted to know about Shibboleth John Paschoud SECURe Project, LSE Library …but was afraid to ask Alan Robiette
2
JISC Shibboleth Briefing, 12-Mar-20042 [contents] What is Shibboleth How it works Why Shibboleth Implications for Institutions (Origins) Implications for Resource-hosts (Targets) [with lots of credit and © to Michael Gettes, and others of the NSF Middleware Initiative, for making most of the slides for me ]
3
JISC Shibboleth Briefing, 12-Mar-20043 What is Shibboleth? (Biblical) A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce “sh”, called the word sibboleth. See --Judges xii. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. Webster's Revised Unabridged Dictionary (1913) [Judges, ch12, v5-6 (New American Standard)] The Gileadites captured the fords of the Jordan opposite Ephraim. And it happened when {any of} the fugitives of Ephraim said, "Let me cross over," the men of Gilead would say to him, "Are you an Ephraimite?" If he said, "No," then they would say to him, "Say now, 'Shibboleth.' " But he said, "Sibboleth," for he could not pronounce it correctly. Then they seized him and slew him at the fords of the Jordan. The greatest needs of the Collectivist movement in England appear to me: Diffusion of economic and political knowledge of a real kind - as opposed to Collectivist shibboleths, and the cant and claptrap of political campaigning. [Sidney Webb: memorandum to LSE Trustees meeting on 8th Feb 1894]
4
JISC Shibboleth Briefing, 12-Mar-20044 What is Shibboleth? (modern era) An initiative to develop an architecture and policy framework supporting the sharing – between domains -- of secured web resources and services A project delivering an open source implementation of the architecture and framework Deliverables: –Software for Origins (campuses) –Software for targets (vendors) –Operational Federations (scalable trust)
5
JISC Shibboleth Briefing, 12-Mar-20045 So… What is Shibboleth? A Web Single-Signon System (SSO)? An Access Control Mechanism for Attributes? A Standard Interface and Vocabulary for Attributes? A Standard for Adding Authn and Authz to Applications?
6
JISC Shibboleth Briefing, 12-Mar-20046 Shibboleth Goals Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions Provide security while not degrading privacy. –Attribute-based Access Control Foster interrealm trust fabrics: federations and virtual organizations Leverage campus expertise and build rough consensus Influence the marketplace; develop where necessary Support for heterogenity and open standards
7
JISC Shibboleth Briefing, 12-Mar-20047 Attribute-based Authorization Identity-based approach –The identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access. –This approach requires the user to trust the target to protect privacy. Attribute-based approach –Attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision. –This approach does not degrade privacy.
8
JISC Shibboleth Briefing, 12-Mar-20048 Shibboleth Status V1.1 available August 2003 Relatively straightforward to install, provided there is good web services understanding and middleware infrastructure (authentication, directories, webISO, etc.). Target - works with Apache and IIS targets; Java origins. V2.0 likely to include portal support. Work underway on some of the essential management tools such as attribute release managers, target resource management, etc. Can take between 3 hours and 3 years to install –How much infrastructure (core middleware) do you already have? provided there is good web services understanding and middleware infrastructure (authentication, directories, webISO, etc)
9
JISC Shibboleth Briefing, 12-Mar-20049 Shibboleth Status Likely to coexist well with Liberty Alliance and may work within the WS framework from Microsoft. Growing development interest in several countries, providing resource manager tools, digital rights management, listprocs, etc. Used by several federations today – NSDL, InQueue, SWITCH and several more soon (JISC, Australia, etc.)
10
JISC Shibboleth Briefing, 12-Mar-200410 How Does it Work? Hmmmm…. It’s magic.
11
JISC Shibboleth Briefing, 12-Mar-200411 High Level Architecture Federations provide common Policy and Trust Destination and origin site collaborate to provide a privacy-preserving “context” for Shibboleth users Origin site authenticates user, asserts Attributes Destination site requests attributes about user directly from origin site Destination site makes an Access Control Decision Users (and origin organizations) can control what attributes are released
12
JISC Shibboleth Briefing, 12-Mar-200412 Technical Components Origin Site – Required Enterprise Infrastructure –Authentication –Attribute Repository Origin Site – Shib Components –Handle Server –Attribute Authority Target Site - Required Enterprise Infrastructure –Web Server (Apache or IIS) Target Site – Shib Components –SHIRE –SHAR –WAYF –Resource Manager
13
JISC Shibboleth Briefing, 12-Mar-200413 Shibboleth Architecture (still photo, no moving parts)
14
JISC Shibboleth Briefing, 12-Mar-200414 Shibboleth AA Process Resource WAYF Users Home OrgResource Owner 1 SHIRE I don’t know you. Not even which home org you are from. I redirect your request to the WAYF 3 2 Please tell me where are you from? HS 5 6 I don’t know you. Please authenticate Using WEBLOGIN 7 User DB Credentials OK, I know you now. I redirect your request to the target, together with a handle 4 OK, I redirect your request now to the Handle Service of your home org. SHAR Handle 8 I don’t know the attributes of this user. Let’s ask the Attribute Authority Handle 9 AA Let’s pass over the attributes the user has allowed me to release Attributes 10 Resource Manager Attributes OK, based on the attributes, I grant access to the resource
15
JISC Shibboleth Briefing, 12-Mar-200415 From Shibboleth Arch doc OriginTarget
16
JISC Shibboleth Briefing, 12-Mar-200416 From Shibboleth Arch doc OriginTarget
17
JISC Shibboleth Briefing, 12-Mar-200417 From Shibboleth Arch doc OriginTarget SHIRE 3b Handle Service 3 Attribute Authority 4 Local Navigation Page 1
18
JISC Shibboleth Briefing, 12-Mar-200418 From Shibboleth Arch doc OriginTarget Resource Provider University Authentication System HTTP Server Enterprise Directory SHIRE 3b Handle Service 3 Attribute Authority 4 Local Navigation Page 1 56 3c
19
JISC Shibboleth Briefing, 12-Mar-200419 Why Shibboleth? Security Better security tools will make collaboration more “painless” and more secure Current "solutions" are primitive; we can do better today and without local overhaul Shibboleth Simplifies Management and Use of Distributed Systems
20
JISC Shibboleth Briefing, 12-Mar-200420 Why Shibboleth? Improved Access Control Use of attributes allows fine-grained access control Simplifies management of access to extended functionality –Librarians, based on their role, are given a higher- than-usual level of access to an online database to which a college might subscribe. –Librarians and publishers can enforce complicated license agreements that may restrict access to special collections to small groups of faculty researchers
21
JISC Shibboleth Briefing, 12-Mar-200421 Why Shibboleth? Federated Administration Leverages existing middleware infrastructure at origin (authN, dir) –Users registered only at their “home” or “origin” institution –Target does NOT need to create new userids Flexibly partitions responsibility, policy, technology, and trust Authorization information sent, instead of authentication information –when possible, use groups instead of people on ACLs –identity information still available for auditing and for applications that require it
22
JISC Shibboleth Briefing, 12-Mar-200422 Why Shibboleth? Privacy Higher Ed has privacy obligations –In US, “FERPA” requires permission for release of most personal identification information; encourages least privilege in information access –In UK, DPA places similar obligations on inst’s General interest and concern for privacy is growing Shibboleth has active (vs. passive) privacy provisions “built in”
23
JISC Shibboleth Briefing, 12-Mar-200423 Benefits to Campuses Much easier Inter-Domain Integration –With other campuses –With off-campus vendor systems Integration with other campus systems, intradomain –LMS –Med School…… Ability to manage access control at a fine-grained level Allows personalization, without releasing identity Implement Shibboleth once… –And then just manage attributes that are released to new targets
24
JISC Shibboleth Briefing, 12-Mar-200424 Benefits to Targets/Vendors Unified authentication mechanism from the vendor perspective –Much more scalable –Much less integration work required to bring a new customer online. Ability to implement fine-grained access control (e.g. access by role), allowing customer sites to effectively control access by attributes and thus control usage costs, by not granting access unnecessarily Once the initial Shibboleth integration work has been completed on the vendor’s systems –The incremental cost of adding new customers is relatively minimal –In contrast to the current situation -- requiring custom work for each new customer Ability to offer personalization If your customers have Shibboleth implemented, easy implementation for them
25
JISC Shibboleth Briefing, 12-Mar-200425 Implications for Resource- hosts Similar front-end implementation requirement as for Athens target No license fee OSS means customisations are possible (eg for personalisation, pass-thru of vendor portal to item-level links, etc) Need for agreement on role attributes (eduPerson) for access decisions
26
JISC Shibboleth Briefing, 12-Mar-200426 Implications for Institutions Less duplicated end-user admin than with Athens –(similar to AthensDA) Need for agreement on role attributes (eduPerson) for end-user description Many don’t yet have standards-based supporting services (SSO, enterprise directories) –(but new costs would largely replace & improve, rather than add-to, existing ad-hoc AM mechanisms)
27
JISC Shibboleth Briefing, 12-Mar-200427 [LSE/SECURe AM infrastructure] http://www.angel.ac.uk/SECURe/deliverables/documentation/
28
JISC Shibboleth Briefing, 12-Mar-200428 Implications for UK infrastructure No dependency on a VERY LARGE centralised database Need for implementation of a national WAYF service –better than current end-user interface model –(new WAYF options being developed) Lower shared costs? –(but greater costs devolved to inst’s) http://stc.cis.brown.edu/~stc/Projects/Shibb oleth/WAYF/index.html
29
JISC Shibboleth Briefing, 12-Mar-200429 Got SHIB?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.