
Slide 1: UK e-Science All Hands Meeting, September 2007
The GLASS Project: Supporting Secure Shibboleth-based Single Sign-On to Campus Resources
John Watt (j.watt@nesc.gla.ac.uk), Richard Sinnott (r.sinnott@nesc.gla.ac.uk), Jipu Jiang
University of Glasgow, Scotland, UK

Slide 2: GLASgow early adoption of Shibboleth
"Implementing Single Sign-On and VO Management in e-Health and e-Learning domains at Glasgow using Shibboleth"
- 1 year JISC project (Dec '05 - Dec '06)
- In partnership with NHS Scotland
- http://www.nesc.ac.uk/hub/projects/glass

Slide 3: Federated Trust
- Local authentication infrastructures are vital, e.g. campus student directories
  - Support existing infrastructures (e.g. registration, human resources)
    - Will normally have enrolled IN PERSON at the institution
      - With standard identity (birth certificate, exam results)
    - Will be (reasonably) well known by local staff
- Also the Regional Operators for a CA
  - Required decentralisation of credential verification due to travel/time restrictions
    - National CA would be impossible without this
- Remote authentication information will always be out of date
- Don't want to have to learn lots of usernames/passwords

Slide 4: Federated Trust
- The best entity to authenticate a person is their home institution/company
  - Info will be up to date
  - They will always know a person better than a remote site
  - Remote site may not know if user is still valid or not
- Can we utilise a user's home credentials to access remote resources?

Slide 5: Campus Authentication
- Novell NSure
- Unified account management system at University of Glasgow
- Central authentication method for campus
- System may be queried through LDAP connection
- Production system!
- Custom schema
  - Standard object classes + Novell definitions
- NOTE:
  - 'uid' attribute is guaranteed unique for every user on system
  - So we can use this as a database linking attribute
    - could come in handy...

Slide 6:
- Federated authentication system using SAML for secure conversation
- Enables Single Sign-On to web pages and portals
- Authentication is done by the user's home institution: Identity Provider (Origin)
- Authorisation (and access) is done by the resource: Service Provider (Target)

Slides 7-13: Shibboleth login flow
(Diagram: User, Grid Portal, Home Institution, Service Provider, Identity Provider, WAYF, Application, Federation, Authz)
1. Point browser to portal
2. Shibboleth redirects user to W.A.Y.F. (Where Are You From) service
3. User selects their home institution
4. AUTHENTICATE: home confirms user ID in local LDAP and pushes attributes to the service provider LDAP
5. Portal logs user in and presents attributes to authorisation function
6. AUTHORISE: portal passes attributes to AuthZ function to make final access control decision

Slide 14: Identity Providers
Identity Providers assert:
- The authenticity of the user
  - IdPs in a federation TRUST each other's authentication assertions
    - IdP guarantees the user is who they say they are
    - Enforced by federation policy
  - Shibboleth requires external apps to actually do the authentication
    - SAML provides the transport mechanism for this assertion
- The privileges of the user
  - SAML attributes carry extra information about this user which can be used by external resources to make access control decisions
    - These attributes need to be negotiated between IdPs and SPs
    - However a standard framework exists which SPs may adopt to enhance interoperability...

Slide 15: eduPerson
- An LDAP object class which defines widely-used attributes relevant to higher education
- Adopted by Shibboleth and the UK Access Management Federation
- eduPersonAffiliation
  - Standard attribute definition (student, staff, affiliate)
- eduPersonPrincipalName
  - May be disabled for anonymous access
- eduPersonTargetedID
  - Persistent non-identifying... identifier
- eduPersonEntitlement
  - Custom attribute for carrying user privileges

Slide 16: eduPerson
Campus opinion of effect of adoption of eduPerson schema... (image)

Slide 17: Towards a Solution... Basic Shibboleth IdP configuration
(Diagram: IdP, SP, User Directory. SP -> IdP: AuthN request; IdP -> User Directory: AuthN?; User Directory -> IdP: y/n; IdP -> SP: y/n. SP -> IdP: AuthZ request; IdP -> User Directory: Atts?; User Directory -> IdP: Atts.; IdP -> SP: Atts. User Directory: eduPerson not supported.)

Slide 18: Multiple Attribute Authorities
(Diagram: as slide 17, with the IdP additionally sending Atts? to, and receiving Atts. from, departmental directories Dept. A and Dept. B)
- User entries linked through unique 'uid' attribute
- eduPerson can be adopted at departmental level

Slide 19: The Techie Bit...
- Multiple attribute authorities implemented through additional JNDI connectors in resolver.ldap.xml
- Must set 'noResultIsError' to 'false'
  - Prevents an error being thrown if a user is not found in a database
  - Needed because a user is not normally a member of EVERY department!
- Must set 'propagateErrors' flag to 'false'
  - Stops any errors from halting query of multiple LDAPs
- Attribute connectors state which directories they will search
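The connector semantics on this slide, as an added example that is not GLASS or Shibboleth IdP code: a small Python model of an attribute resolver that queries a central directory plus departmental attribute authorities, links their entries on the unique 'uid', and applies the two switches the slide names, noResultIsError and propagateErrors. The directory contents, connector names, uids and attribute values are constructed; the real IdP expresses this in resolver.ldap.xml rather than in code.

```python
"""Model of a multi-authority attribute resolver (added illustration, not
the Shibboleth IdP). A central directory holds every user; departmental
directories hold only their members and contribute eduPerson attributes.
Results are linked on 'uid' and merged. Sample data is constructed."""

from typing import Callable, Dict, List, Optional

# A connector takes a uid and returns that directory's attributes for the
# user, or None when the directory has no entry (stands in for an LDAP
# search with filter uid=<principal>).
Connector = Callable[[str], Optional[Dict[str, List[str]]]]


class AttributeResolutionError(Exception):
    """A connector failed, and policy says the failure must not be ignored."""


def make_ldap_connector(name: str,
                        entries: Dict[str, Dict[str, List[str]]]) -> Connector:
    """Connector over an in-memory directory keyed by uid."""
    def search(uid: str) -> Optional[Dict[str, List[str]]]:
        return entries.get(uid)
    search.__name__ = name
    return search


def make_failing_connector(name: str) -> Connector:
    """Connector whose directory is unreachable (simulated outage)."""
    def search(uid: str) -> Optional[Dict[str, List[str]]]:
        raise ConnectionError(f"{name}: directory unreachable")
    search.__name__ = name
    return search


def resolve_attributes(uid: str, connectors: List[Connector], *,
                       no_result_is_error: bool = False,
                       propagate_errors: bool = False) -> Dict[str, List[str]]:
    """Query every attribute authority for `uid` and merge the results.

    no_result_is_error=False: a directory without an entry for the uid is
        skipped, because a user is not a member of every department.
    propagate_errors=False: a directory that fails to answer is skipped
        instead of aborting the whole resolution; True raises and releases
        no attributes at all.
    Values of the same attribute from different authorities are combined
    without duplicates, so two departments can each add an entitlement."""
    merged: Dict[str, List[str]] = {}
    for connector in connectors:
        try:
            result = connector(uid)
        except Exception as exc:
            if propagate_errors:
                raise AttributeResolutionError(str(exc)) from exc
            continue
        if result is None:
            if no_result_is_error:
                raise AttributeResolutionError(
                    f"{connector.__name__}: no entry for uid={uid}")
            continue
        for attr, values in result.items():
            bucket = merged.setdefault(attr, [])
            for value in values:
                if value not in bucket:
                    bucket.append(value)
    return merged


# Constructed directories. The central (NSure-like) directory knows everyone
# but has no eduPerson schema; the departments add eduPerson attributes.
CENTRAL = make_ldap_connector("central", {
    "s0001": {"uid": ["s0001"], "sn": ["Smith"], "givenName": ["Ann"]},
    "s0002": {"uid": ["s0002"], "sn": ["Jones"], "givenName": ["Bob"]},
})
DEPT_A = make_ldap_connector("deptA", {
    "s0001": {"eduPersonAffiliation": ["student"],
              "eduPersonEntitlement": ["deptA_portal"]},
})
DEPT_B = make_ldap_connector("deptB", {
    "s0002": {"eduPersonAffiliation": ["staff"],
              "eduPersonEntitlement": ["deptB_portal"]},
})
DEPT_DOWN = make_failing_connector("deptC")


def demo() -> Dict[str, List[str]]:
    """s0001 is in central and Dept. A only, and Dept. C is down: with both
    flags false the resolution still succeeds with the attributes found."""
    return resolve_attributes("s0001", [CENTRAL, DEPT_A, DEPT_B, DEPT_DOWN])


if __name__ == "__main__":
    print(demo())
```

With either flag set to true the same call raises instead, which is the behaviour the slide says had to be switched off once more than one directory was consulted.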

Slide 20: Specific Services
- University of Glasgow is now offering many online services for its students
- Some involve manipulation or extraction of sensitive personal data
- Most involve insecure (often cleartext) user information being moved about
- Nearly all require:
  - Username and password to be entered each visit (even within the same browser session)
    - It is also possible that DIFFERENT usernames and passwords may be needed
  - Pre-registration for staff and non-students

Slide 21: GLASS Project
Unifying Uni. resources under Shibboleth utilising the NSure Directory Service
(Diagram: SSO, Secure Attributes..., WebMAIL)

Slide 22:
- Moodle is an online course management system
- A Virtual Learning Environment (VLE) which allows educators to create online learning communities
- As of August 2006
  - 15,768 registered sites in 163 countries (1241 in UK alone)
  - 581,984 courses
  - 6,033,505 users
- Individual site Moodle(s) can be very different
  - Different sites may require different user information to create a session

Slide 23: University of Glasgow Moodle
- Utilises the central campus LDAP server
- Requires the following entries for a user session
  - uid, givenName, fullName, mail, sn
  - (Uni. of Glasgow Computing Services (CS) requirements)
- Entries usually retrieved through generic module
- A Shibboleth Authentication module is available
  - Extracts the correct attributes from the HTTP_SHIB_ATTRIBUTES header provided by Shibboleth Service Provider
  - "Pure Shibboleth" login, or multiple login types
    - CS prefer the latter, more flexible
      - Cost is user must specifically request a Shibboleth session on first visit.

Slide 24:
- WebSURF is an online service for manipulation and retrieval of personal details
- Student Services
  - Course registration/options
  - Access to personal exam results
  - Updating personal details
    - Address, Tel. No.
- Staff Services
  - View student records
  - Update course information
- WebSURF is authored by Glasgow University

Slide 25: GLASS Moodle
- Moodle ships with a Shibboleth authentication module
- Requires configuration...
- Shibboleth SP provides the 5 attributes in an HTTP header (HTTP_SHIB_ATTRIBUTES)
  - Each individual attribute is extracted using a CGI-type header
    - HTTP_UID
    - HTTP_SHIBINETORG_SURNAME
    - HTTP_GIVENNAME
    - etc.
- Moodle forms a local username (if it doesn't already exist)

Slide 26: GLASS WebSURF
- Much more complicated!
- WebSURF is a J2EE application which runs in a JBoss container
- Authentication is done with the generic JAAS module
- Shibboleth may interface with JBoss applications through the SPIE-JAAS module, which takes the place of the generic JAAS
  - http://spie.oucs.ox.ac.uk

Slide 27: GLASS (screenshot)

Slide 28: GLASS BrainIT
- Using Shibboleth to provide sensitive clinical data to a Grid portal from an NHS database
- SP needs to host GridSphere, so a Tomcat/ajp_proxy setup is required
  - Have SSL enabled this portal as data is particularly sensitive
- eduPersonEntitlement used as the attribute required for access to portal
  - Different attributes correspond to different available parameters to query
    - brainIT_nurse: low privilege (e.g. DOB/Sex)
    - brainIT_investigator: high privilege (e.g. postcode, illness specifics)
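The entitlement-to-parameter mapping on this slide, as an added example rather than GLASS or GridSphere code: a Python access-control check for the portal side that reads the eduPersonEntitlement values the SP releases, maps each to the query fields it unlocks, refuses any query that asks for a field outside the user's entitlement, and produces an audit record for the decision. The values brainIT_nurse and brainIT_investigator are the slide's; the field names, uid and the ';' value separator (the Shibboleth SP's default for multi-valued attributes) are assumptions made here.

```python
"""Entitlement-based access control for a clinical-data portal query,
modelled on the BrainIT arrangement (added illustration, not project code).
brainIT_nurse and brainIT_investigator are the entitlement values named on
the slide; the query field names are constructed stand-ins."""

from typing import Dict, FrozenSet, Iterable, List, Tuple

# Fields each entitlement unlocks (constructed names). The investigator set
# is a strict superset of the nurse set, matching "low"/"high" privilege.
NURSE_FIELDS: FrozenSet[str] = frozenset({"dob", "sex"})
INVESTIGATOR_FIELDS: FrozenSet[str] = NURSE_FIELDS | frozenset(
    {"postcode", "diagnosis", "injury_details"})

ENTITLEMENT_FIELDS: Dict[str, FrozenSet[str]] = {
    "brainIT_nurse": NURSE_FIELDS,
    "brainIT_investigator": INVESTIGATOR_FIELDS,
}


def entitlements_from_header(value: str) -> List[str]:
    """Split a multi-valued attribute as the Shibboleth SP hands it to the
    application: values joined with ';' in a single header/CGI variable
    (assumed default delimiter)."""
    return [v.strip() for v in value.split(";") if v.strip()]


def permitted_fields(entitlements: Iterable[str]) -> FrozenSet[str]:
    """Union of the fields unlocked by every recognised entitlement.
    Unrecognised or absent values grant nothing (deny by default)."""
    allowed: FrozenSet[str] = frozenset()
    for ent in entitlements:
        allowed |= ENTITLEMENT_FIELDS.get(ent, frozenset())
    return allowed


def authorise_query(entitlements: Iterable[str],
                    requested: Iterable[str]) -> Tuple[bool, List[str]]:
    """Decide whether a query for `requested` fields may proceed.

    Returns (allowed, refused_fields). The decision is all-or-nothing: one
    field outside the entitlement refuses the whole query rather than
    silently trimming it, so a caller cannot mistake a partial record for
    a complete one."""
    allowed = permitted_fields(entitlements)
    refused = sorted(f for f in set(requested) if f not in allowed)
    return (not refused, refused)


def audit_record(uid: str, entitlements: List[str],
                 requested: List[str]) -> Dict[str, object]:
    """Log entry the portal should write for every decision, so refused
    high-privilege requests from low-privilege sessions are visible."""
    ok, refused = authorise_query(entitlements, requested)
    return {"uid": uid, "entitlements": list(entitlements),
            "requested": sorted(set(requested)),
            "decision": "PERMIT" if ok else "DENY", "refused": refused}


if __name__ == "__main__":
    # Constructed session: a nurse-level user asking for an investigator field.
    ents = entitlements_from_header("brainIT_nurse")
    print(audit_record("n0001", ents, ["dob", "sex", "postcode"]))
```

The mapping table is the only place privilege is defined, so adding a third entitlement value is a one-line change and everything not listed stays denied.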

Slide 29: GLASS (screenshot)

Slide 30: Summary
- GLASS infrastructure is basis for all Shibboleth-based projects at Glasgow, e.g. EPSRC nanoCMOS project
  - Centralised authentication from NSure LDAP
  - Departmental Attribute Authorities at National e-Science Centre and Department of Electronics and Electrical Engineering
    - Each department controls the attributes required for access to their own service
    - LDAP directories linked using unique 'uid' attribute
- Experience gained in interfacing with new technologies (MediaWiki)
- Informs new Shibboleth-based projects with other collaborators (e.g. SEE-GEO)

Slide 31: Demos
This afternoon.... All afternoon!
