Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu,

Similar presentations


Presentation on theme: "Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu,"— Presentation transcript:

1 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia 2 years ago in Bled… ESUP-Portail: open-source Single Sign-On with CAS –Pascal Aubry, Vincent Mathieu & Julien Marchal –EUNIS2004, Bled, Slovenia, July 2004

2 Copyright © 2006 – ESUP-Portail consortium – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth Pascal Aubry University of Rennes 1 ESUP-Portail consortium EUNIS2006, Tartu, Estonia Learn Shibboleth in 20 minutes Shibboleth for the impatient

3 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Copyright © 2006 – ESUP-Portail – University of Rennes 1 Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back- Cover Texts.

4 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Summary Why a federation? Technical solutions The Shibboleth system

5 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Need and context Need: give access to web resources to outside users Context –No interoperability –Single Sign-On in establishments –Need of collaboration

6 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia University A Greetings to SWITCHaai Once upon a time… Some resources not protected at all Access control based on IP addresses often used Issues with user management at resource- level So many login processes So many accounts and passwords Almost no resource shared by several establishments Sympa Moodle Research lab C Moodle Thesis Library B Search eng. Publications Access control Resource Identity management Authentication

7 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia University A Greetings SWITCHaai With SSO, it was a little better Sympa Moodle Research lab C Moodle Thesis Library B Search eng. Publications Access control Resource Identity management Authentication

8 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia University A Greetings SWITCHaai With SSO, it was a little better Locally, yes… but still the same everywhere else! Sympa Moodle Research lab C Moodle Thesis Library B Search eng. Publications Access control Resource Identity management Authentication

9 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia University A Greetings SWITCHaai Hopefully, Identity Federation has come! Sympa Moodle Research lab C Moodle Thesis Library B Search eng. Publications Access control Resource Identity management Authentication

10 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia University A Greetings SWITCHaai Hopefully, Identity Federation has come! No user management at resource-level Users authenticates only once in their establishments Users gain access to new resources Resources have a much larger audience Sympa Moodle Research lab C Moodle Thesis Library B Search eng. Publications Access control Resource Identity management Authentication

11 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Shibboleth, the SSO and the LDAP directory Shibboleth does not replace the SSO nor the LDAP directory Shibboleth needs both the SSO and the LDAP directory

12 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Security Assertion Markup Language SAML Standard OASIS en 2002 Répond à un besoin dinteropérabilité Echanges dassertions de sécurité entre services Indépendant des mécanismes dauthentification

13 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Types dassertions SAML Authentification Échange dattributs Décisions dautorisation SAML

14 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Exemple dassertion SAML SAML

15 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Liberty Alliance SAML Liberty Alliance Liberty Alliance nest pas un produit Consortium dindustriels produisant des spécifications sur la gestion didentités Sappuie sur SAML Implémenté dans de nombreux produits Retenu par lADAE pour « Mon Service Public » SourceID Sun LASSO

16 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Les frameworks de Liberty Alliance SAML Liberty Alliance ID-FF (Federation Framefork) –Fédération de comptes –Délégation dauthentification –Single logout ID-WSF (Web Services Framework) –Propagation dattributs utilisateur –Recherche de services didentités –Échange de méta données SourceID Sun LASSO

17 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Shibboleth SAML ShibbolethLiberty Alliance Shibboleth SourceID Sun LASSO Norme et produit développé par Internet2 Open source Première version en 2002 Basé sur SAML (bibliothèque OpenSAML) Utilisé par la communauté enseignement/recherche –en production en Suisse, USA, Angleterre, Finlande, Australie –en cours de déploiement en Belgique, Allemagne

18 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Shibboleth SAML ShibbolethLiberty Alliance Shibboleth SourceID Sun LASSO Conçu pour interconnecter les SSO des établissements Fonctionnalités –Délégation dauthentification –WAYF pour orienter lutilisateur –Propagation des attributs utilisateur –Partage de méta données –Définition de règles de confiance

19 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Dautres normes basées sur SAML SAML ShibbolethLiberty Alliance Shibboleth SourceID Sun LASSO Oblix

20 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia WS-Federation SAML ShibbolethLiberty Alliance Shibboleth SourceID Sun LASSO Oblix WS-* WS-Federation ADFS Draft porté par Microsoft et IBM, 2003 Basée sur les spécifications WS-* –WS-Security, WS-Trust, WS-Policy, WS-MetadataExchange Définit léchange didentités et dattributs entre domaines de sécurité

21 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Formats, protocols and tools SAML ShibbolethLiberty Alliance Shibboleth SourceID Sun LASSO Oblix WS-* WS-Federation ADFS

22 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia The choice of Shibboleth Advanced features –Attribute management –Anonymization –confidence (PKI) management Adapted to our environment –Several Identity Providers Interoperability –Integration with the Information System –Many applications already Shibbolized –Already adopted by others colleagues (USA, Swiss, UK, Finland…) –Non intrusive solution In any case, more and more interoperability with other tools in the future, thanks to SAML 2.0

23 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Assertion Consumer Attribute Requester Access Controller Ressource Web browser Authentication service Authentication Authority Attribute Authority User database SSO Server userId ssoId attributes userId attributes ticket attributes Shibboleth, its easy ;-) Many actors WAYF nameId Many interactions

24 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Service Provider (SP) Without Single Sign On

25 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Identity Provider (IdP) Service Provider (SP) Without Single Sign On (first request to a SP)

26 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Identity Provider (IdP) Service Provider (SP) userId password Without Single Sign On (first request to a SP) nameId attributes

27 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Identity Provider (IdP) Service Provider (SP) Without Single Sign On (first request to a SP) userId password

28 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Identity Provider (IdP) Service Provider (SP) Without Single Sign On (next requests to the same SP)

29 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Service Provider (SP) Assertion Consumer Attribute Requester Access Controller Resource Web browser Identity Provider (IdP) attributes nameId Service Provider architecture userId password nameId attributes

30 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Fournisseur didentités Authentication service Authentication Authority Attribute Authority User database nameId attributes userId Assertion Consumer Attribute Requester Access Controller Resource Web browser attributes nameId Identity Provider architecture userId password userId attributes

31 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Fournisseur didentités Authentication service Authentication Authority Attribute Authority User database nameId attributes userId Assertion Consumer Attribute Requester Access Controller Resource Web browser attributes nameId What is Shibboleth? userId password userId attributes Shibboleth

32 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Authentication service Authentication Authority Attribute Authority Assertion Consumer Attribute Requester Access Controller Resource User database SSO server With Single Sign On (first request to a SP)

33 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Authentication service Authentication Authority Attribute Authority Assertion Consumer Attribute Requester Access Controller Resource User database SSO server userId attributes userId attributes ticket attributes With Single Sign On (first request to a SP) nameId password nameId

34 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Authentication service Authentication Authority Attribute Authority Assertion Consumer Attribute Requester Access Controller Resource User database SSO server With Single Sign On (the users point of view) userIdpassword

35 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Authentication service Authentication Authority Attribute Authority Assertion Consumer Attribute Requester Access Controller Resource User database SSO server With Single Sign On (next requests to the same SP)

36 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Authentication service Authentication Authority Attribute Authority Assertion Consumer Attribute Requester Access Controller Resource User database SSO server userId ssoId ticket With Single Sign On (next requests to another SP) nameId attributes userId attributes nameId

37 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Authentication service Authentication Authority Attribute Authority Assertion Consumer Attribute Requester Access Controller Resource User database SSO server With Single Sign On (next requests to another SP) userId ssoId ticket nameId attributes userId attributes nameId

38 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Authentication service Authentication Authority Attribute Authority Assertion Consumer Attribute Requester Access Controller Resource User database SSO server With SSO and WAYF (first request to a SP) WAYF

39 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Authentication service Authentication Authority Attribute Authority Assertion Consumer Attribute Requester Access Controller Resource User database SSO server With SSO and WAYF (first request to a SP) WAYF

40 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Authentication service Authentication Authority Attribute Authority Assertion Consumer Attribute Requester Access Controller Resource User database SSO server With SSO and WAYF (first request to a SP) WAYF userId attributes userId attributes ticket attributes nameId password nameId

41 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Resource Web browser Authentication service Authentication Authority Attribute Authority Assertion Consumer Attribute Requester Access Controller User database SSO server With SSO and WAYF (the users point of view) WAYF userIdpassword

42 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Authentication service Authentication Authority Attribute Authority Assertion Consumer Attribute Requester Access Controller Resource User database SSO server With SSO and WAYF (next requests to the same SP) WAYF

43 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Authentication service Authentication Authority Attribute Authority Assertion Consumer Attribute Requester Access Controller Resource User database SSO server WAYF With SSO and WAYF (next requests to another SP)

44 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Authentication service Authentication Authority Attribute Authority Assertion Consumer Attribute Requester Access Controller Resource User database SSO server With SSO and WAYF (next requests to another SP) WAYF userId ssoId ticket nameId attributes userId attributes nameId

45 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Web browser Authentication service Authentication Authority Attribute Authority Assertion Consumer Attribute Requester Access Controller Resource User database SSO server WAYF With SSO and WAYF (next requests to another SP)

46 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Service Provider #1 Web browser Identity Provider (IdP) attributes for SP#1 nameId Service Provider #2 (encrypted) attributes for SP#2 nameId Multi-tiers installations (encrypted) attributes for SP#2

47 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Portal Web browser Content provider #1 An application : meta search engines Content provider # 2 Content provider # n...

48 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia university Cuniversity B university A SP WAYF Browser IdP A IdP BIdP C WAYF et topology SP

49 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Integration of an IdP into the IS Web browser Authentication service Authentication Authority Attribute Authority User database SSO server Service Provider userId ticket attributes userId nameId SSO J2EE filter Attributes retrieval –LDAP directories –Databases, –…–…

50 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Authentication Authority Attribute Authority ARP Attribute Release Policy Navigateur Authentication service User database SSO server Service Provider #3 userId ticket attributes userId nameId supannOrganisme eduPersonAffiliation edupersonPrincipalName supannRole mail Service Provider #2 Service Provider #3

51 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Anonymous access to a Service Provider The users profiles can be transmitted without any personal data An opaque but persistent identifier can be provided (targetedId) The users UID and global identifier are managed just like any other attribute

52 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia Online course reserved to students in mathematics Autorisation based on the students profile speciality The need of a common naming space University A University C University B specialityspectopic

53 Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu, Estonia The need of a common semantics University A Online course reserved to students in mathematics University C University B Autorisation based on the students profile speciality = mathematicsspeciality = Mathematicsspeciality = MATH

54 Copyright © 2006 – ESUP-Portail consortium – University of Rennes 1 – Pascal Aubry References: EUNIS2006, Tartu, Estonia


Download ppt "Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS2006, Tartu,"

Similar presentations


Ads by Google