
1 Internet2 CAMP Shibboleth
Scott Cantor, cantor.2@osu.edu (Hey, that’s my EPPN too.)
Tom Dopirak, tgd@cmu.edu

2 Outline
- Overview and Status
- Life as an Origin Site
- Life as a Destination Site
- Pilots and Next Steps

3 What is Shibboleth?
- An initiative to develop an architecture, policy framework, and practical technologies to support inter-organizational sharing of secured web resources and services
- An Internet2/MACE project with intellectual and financial support from IBM/Tivoli

4 Division of Labor
- Destination and origin site collaborate to provide a privacy-preserving “context” for Shibboleth users
- Origin site authenticates the user (federated identity)
- Destination site requests attributes about the user directly from the origin site and manages access policies based on them
- Users (and organizations) can control what attributes are released

5 Establishing a User Context

6 Getting Attributes and Determining Access

7 Planned Deliverables
- An open-source reference implementation of much (but not all) of SAML and all Shibboleth components
- Documentation (reference materials, deployment assistance)
- Policies and procedures for joining an initial community of sites (Club Shib)

8 Licensing
- The Shibboleth implementation will be open-source under one of the prevailing license models (which one is TBD).
- Every effort to require only open-source (and non-copylefted) libraries and supporting products is being made (so far, so good).
- By aligning with SAML, commercial solutions may develop.

9 Status Report
- Architecture and policy discussions wrapping up, documents being drafted
- Programming is underway, divided among IBM/Tivoli, Carnegie Mellon, and Ohio State
- Early implementations of a Handle Service and SHIRE are functioning

10 Schedule
- SAML headed to last call imminently, allowing “1.0” publication of architecture and APIs
- Some alpha code due in late February
- Beta implementation due in late Spring

11 Early Implementation Details
- Operating Systems: Red Hat Linux, Solaris
- Java SDK 1.3.1
- XML libraries from xml.apache.org
- Apache 1.3.x
- mod_ssl and OpenSSL
- Tomcat
- Web ISO (e.g. pubcookie)
- Directory Services: OpenLDAP, iPlanet
- MySQL
- Perl

12 Interesting URLs
- Shibboleth: http://middleware.internet2.edu/shibboleth/
- SAML: http://www.oasis-open.org/committees/security/
- API Docs (for those with copious free time): http://usfs2.us.ohio-state.edu/webdev/shibboleth/

13 Outline
- Overview and Status
- Life as an Origin Site
- Life as a Destination Site
- Pilots and Next Steps

14 Shibbolization Cookbook for Origin Sites
- Apply to the club as an origin site
- Choose any web server that can host Java Servlet and JSP applications
- Deploy a HS behind web initial sign-on
- Deploy an AA in conjunction with the HS
- Install AA plugins for attributes (Java API)
- Establish default ARPs for the community

15 It’s About the Data: Attributes
- To share resources securely, authorization attributes are needed.
- Cooperating sites share a common core of attributes, and may define custom attributes for special needs (such as a contract).
- eduPerson is the starting point.

16 Some “Club Shib” Attributes
- eduPersonPrincipalName (identity-based access)
- eduPersonAffiliation (broad demographic access)
- eduPersonEnrolledCourse (class membership access)
- eduPersonEntitlement (access per agreement)
- eduPersonExtension (used for groups)
- ou (organizational unit) (member of department)
- Demographic information?

17 Attribute Sources
- Shibboleth defines logical attributes that may (but need not) map directly to their directory or database representation.
- Initial attributes are designed to map easily to the eduPerson LDAP schema.
- The Attribute Authority obtains attributes from plugins (LDAP, JDBC, ????).

18 Privacy and ARPs
- P3P makes privacy the voluntary responsibility of the site collecting the information (you may have no privacy, but now it’s explicit).
- Shibboleth allows the origin site and the user to share an explicit role in that responsibility through Attribute Release Policies.

19 Attribute Release Policies
- Default policies let users and admins pick a starting point in the privacy spectrum with minimal effort (e.g. member of community only).
- Admins work with vendors and partners to define special release policies or attributes needed for a specific destination site.
- Local privacy concerns can be addressed.

20 Managing ARPs

21 Shibboleth and Web-ISO
- User authentication is up to the origin site.
- The Shibboleth Handle Service is like a web application that needs to authenticate its users (though of more importance).
- Use pubcookie, client certificates, or to populate REMOTE_USER and let Shibboleth take over.

22 Outline
- Overview and Status
- Life as an Origin Site
- Life as a Destination Site
- Pilots and Next Steps

23 Shibbolization Cookbook for Destination Sites
- Apply to the club as a destination site
- Choose any web server (as long as it’s Apache 1.3.x, but others to follow)
- Equip it with the SHIRE and SHAR modules (note the SHIRE includes a Java servlet for the time being)
- Install SHAR plugins for attributes (C++ API)

24 Access Control and Attribute Consumption
- A Resource Manager leveraging .htaccess will be provided to evaluate and test simple policy rules before fulfilling requests.
- Shibboleth defines a standard interface between web applications and attribute data (a CGI header mechanism).
- Attributes provide their own serialization and matching rules (via plugins).

25 Sample Attribute Expressions (still a work in progress)
- To test an attribute, we must know its unique name (URN?), its value, and possibly its scope/domain.
- urn:mace:eduPerson:EPPN cantor.2@osu.edu
- urn:mace:eduPerson:Affiliation staff@osu.edu
- urn:mace:eduPerson:Entitlement http://jstor.org/shib/contracts/osu.edu/1234
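As an added example (not Shibboleth project code; a Python model written for this transcript), the two policy decisions described on slides 19 and 25: the origin's Attribute Release Policy deciding what is released to a given destination, and the destination testing a rule written in the slide 25 form "<URN> <value>[@<scope>]" against what it received. The attribute URNs and sample values come from slide 25; the ARP layout, the rule syntax, the scope check against the asserting origin, and the directory data are assumptions constructed for the example.

```python
from dataclasses import dataclass

EPPN = "urn:mace:eduPerson:EPPN"
AFFILIATION = "urn:mace:eduPerson:Affiliation"
ENTITLEMENT = "urn:mace:eduPerson:Entitlement"

@dataclass(frozen=True)
class Attribute:
    name: str        # logical attribute name (URN)
    value: str
    scope: str = ""  # domain the value is asserted for; "" when unscoped

# Constructed directory data for one origin-site (osu.edu) user.
USER_ATTRS = [
    Attribute(EPPN, "cantor.2", "osu.edu"),
    Attribute(AFFILIATION, "staff", "osu.edu"),
    Attribute(AFFILIATION, "member", "osu.edu"),
    Attribute(ENTITLEMENT, "http://jstor.org/shib/contracts/osu.edu/1234"),
]

# Assumed ARP layout: destination -> set of (URN, allowed value or "*").
# "default" is the community-wide starting point (member of community only);
# the per-destination entry is a special policy negotiated with that partner.
ARP = {
    "default": {(AFFILIATION, "member")},
    "jstor.org": {(AFFILIATION, "*"), (ENTITLEMENT, "*")},
}

def release(attrs, destination):
    """Origin side: keep only what the ARP allows for this destination."""
    allowed = ARP.get(destination, ARP["default"])
    return [a for a in attrs
            if any(a.name == n and v in ("*", a.value) for n, v in allowed)]

def parse_rule(rule):
    """Destination side: '<URN> <value>[@<scope>]' -> (name, value, scope)."""
    name, _, rest = rule.partition(" ")
    value, at, scope = rest.rpartition("@")
    return (name, value, scope) if at else (name, rest, "")

def rule_satisfied(rule, released, origin_scopes):
    """True if a released attribute matches the rule. A scoped value only
    counts when the asserting origin is authoritative for that scope, so an
    origin cannot vouch for staff@some-other-university."""
    name, value, scope = parse_rule(rule)
    if scope and scope not in origin_scopes:
        return False
    return any(a.name == name and a.value == value and a.scope == scope
               for a in released)
```

With the default ARP the destination only ever sees the "member" affiliation, so the staff and entitlement rules fail until a per-destination policy is agreed; the scope check is what stops one origin's assertions from satisfying rules written for another domain.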

26 Existing Applications (from most to least integrated)
- Shibbolize the application and unify intra-campus and inter-campus users
- Add a second URL tree for inter-campus users
- Use a Shibbolized proxy server
(The latter two might also require code changes or attribute mapping. This is all much simpler for static content.)

27 Outline
- Overview and Status
- Life as an Origin Site
- Life as a Destination Site
- Pilots and Next Steps

28 Profile of Pilot Sites
- Member of campus community accessing licensed resource
  - University hosting licensed databases accessed from other universities
  - Talking to several commercial vendors (they need “their customers” asking for this functionality…)
- Member of a course accessing remotely controlled resource
  - Web based testing
  - Clearinghouse for curriculum packages
  - Web based tools used in courses
- Member of a workgroup accessing controlled resources
  - Multi-institution project teams
- Intra-campus scenario
  - Unified access for internal and external users to resources

29 Some Pilots
- Penn State, Virginia, WebAssign: web-based testing for courses
- University of Delaware: Problem Based Learning Clearinghouse (resource for instructors)
- EDINA (Edinburgh, UK), London School of Economics: licensed information resources
- OSU: intra-campus use
- Internet2: multi-campus workgroups

30 We’re Talking To…
- SFX
- Commercial Information Vendors
- Project Meteor
