Shibboleth and TAGPMA Michael Helm DOEGRids/ESnet 27 Mar 2006.


1 Title slide: Shibboleth and TAGPMA, Michael Helm, DOEGRids/ESnet, 27 Mar 2006

2 What is Shibboleth? (slide footer on every slide: TAGPMA, 27 Mar 2006, Shibboleth)
Standard Internet2 description:
–Architecture
–Project
–Codebase
–http://shibboleth.internet2.edu
Offshoots
–InCommon – Federation (one of many)
–GridShib – Grid & Shibboleth Integration
–SAML – transport

3 What is Shibboleth?
Judges 12:6 (KJV): Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand.
Judges 12 (Spanish text, translated): Then they said to him, "Say, then, the word Shibolet"; but he said "Sibolet", because he could not pronounce it correctly. Then they seized him and killed him at the fords of the Jordan. And there fell on that occasion forty-two thousand of the men of Ephraim.

4 Why is Shibboleth Important?
US: Internet2’s “long bet” on Authentication and Authorization
–Note: Internet2 is the largest US NREN, 200+ universities, multiple layers of projects, optical networking &c
–Relationship with ESnet, NASA &c
US Higher Education federation
Other NRENs
–There are other AAA projects
Other – US Government
–Whether all these federations can interoperate

5 Shibboleth Architecture (architecture diagram; next set of slides from I2, Michael Geddes et al, used for illustration; illustration probably from SWITCH)

6 Shibboleth Architecture
Handle Service
–Yields a “Handle token” – SAML authentication assertion – bearer credential
–Neutral as to authentication backend (e.g. LDAP)
Attribute Authority
–The AA is presented with a Handle Token and returns the appropriate attributes for this user.
Target Resource
–(Service Provider)
–Finds the user’s institution and interprets the appropriate attributes
WAYF
–External service used to find the home institution

7 Shibboleth Architecture (second architecture diagram from I2, Michael Geddes et al, used for illustration; illustration probably from SWITCH)

8 Shibboleth AA Process (diagram; participants: Resource, WAYF, Identity Provider, Service Provider web site; numbered messages as labelled in the diagram)
1 ACS (Service Provider): “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
2 WAYF: “Please tell me where you are from?”
3 User answers the WAYF.
4 WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
5 HS (Identity Provider): “I don’t know you. Please authenticate using WEBLOGIN.”
6 User DB: credentials checked.
7 HS: “OK, I know you now. I redirect your request to the target, together with a handle.”
8 AR (Service Provider), presenting the handle: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.”
9 AA (Identity Provider), returning attributes: “Let’s pass over the attributes the user has allowed me to release.”
10 Resource Manager: “OK, based on the attributes, I grant access to the resource.”

9 From Shibboleth Arch doc (figure: Origin / Target)

10 From Shibboleth Arch doc (figure: Origin / Target)

11 Shibboleth Limitations
Limited IdP
–Identity Provider does all the work
–What about distributed authorization???
–Attribute Authority, Authentication, Authorization often linked together – requires strong trust of IdP
Limited deployment (web)
Grid incompatibility
Focused on enterprises
–Marketing limitation
Many of these issues are being addressed….

12 Shibboleth Strengths
Privacy
–Chaotic story in Grids, but mostly, none
Standardization
–Relatively open development process
Marketing
–US Higher Ed
–Non-US: Higher Ed & NRENs
–US Government
–Well supported and development continues

13 GridShib (NCSA)
NSF funded, development centered at NCSA
–Argonne National Lab (ANL), Globus, University of Chicago
Really, Shibboleth->Grid
–Enable use of some Shibboleth attributes in a Grid context
Replace Shibboleth “Handle token” with PKI credential
Using XACML
Next 3 slides – from NCSA GridShib overview

14 The GridShib picture (diagram; participants: Campus User, Shibboleth, Grid Service; numbered labels as in the diagram)
(0) Attribute Release Policy
(1) Grid Authentication
(2) Shib Attribute Request
(3) Attributes
(4) Attribute-based authorization

15 GridShib Integration Principles
No modification to typical grid client applications
Leverage Shibboleth’s attribute administration and end-user maintenance of attribute release policies
Leverage high-quality Campus Identity Provider operations
Leverage high-quality Shib and Grid software

16 GridShib Challenges
Use of an identifier in X.509 certificate as a subject handle for use by the Shib Attribute Authority (SAA)
–Shibboleth v1.3 should handle this
–Name mapping has proved challenging
–Focusing on MyProxy to solve? IdP function?
Allowing VOs to define attributes meaningful to them
Attribute Authority identification
–“Where Are You From” problem
Plumbing interconnect
Translating requirements into meaningful authorization policy
Support pseudonymity (Shibboleth requirement)
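The handle-based exchange of slide 8 and the GridShib variant of slides 14 and 16 (an X.509 subject identifier used as the subject handle), written out as an added Python simulation that is not part of the original presentation nor of the Shibboleth or GridShib code. The user record, attribute release policies, service provider names and DN mapping are constructed sample data; the handle lifetime is an assumption.

```python
import secrets
import time

# Constructed sample IdP user DB (the "User DB" of slide 8).
USER_DB = {
    "alice": {"password": "correct horse", "attrs": {
        "eduPersonAffiliation": "member", "mail": "alice@example.edu"}},
}
# Constructed attribute release policies: per user, which attributes the
# Attribute Authority may release to which service provider (slide 14, step 0).
ARP = {"alice": {"https://sp.example.org": {"eduPersonAffiliation"}}}
# Constructed GridShib-style name mapping: X.509 subject DN -> local user, so a
# grid identity can serve as the subject handle instead of a Shibboleth token.
DN_MAP = {"/DC=org/DC=example/OU=People/CN=Alice Example": "alice"}

HANDLE_TTL = 300   # seconds (assumed): handles are short-lived bearer tokens
HANDLES = {}       # handle -> (user, expiry), held by the Handle Service


def handle_service(user, password):
    """Steps 5-7: authenticate at the home org and return an opaque handle.
    The handle carries no identity, so the SP learns only that the IdP
    vouches for some user (the pseudonymity requirement of slide 16)."""
    rec = USER_DB.get(user)
    if rec is None or rec["password"] != password:
        return None
    handle = secrets.token_urlsafe(16)
    HANDLES[handle] = (user, time.time() + HANDLE_TTL)
    return handle


def attribute_authority(subject, sp):
    """Steps 8-9: resolve the subject (handle or grid DN) to a user and release
    only the attributes that user's ARP allows for this service provider.
    Returns None for an unknown or expired subject, {} when nothing is released."""
    if subject in DN_MAP:                # GridShib path: certificate identifier
        user = DN_MAP[subject]
    elif subject in HANDLES:             # Shibboleth path: bearer handle
        user, expiry = HANDLES[subject]
        if time.time() > expiry:
            del HANDLES[subject]         # a stale handle must not resolve
            return None
    else:
        return None
    allowed = ARP.get(user, {}).get(sp, set())
    return {k: v for k, v in USER_DB[user]["attrs"].items() if k in allowed}


def resource_manager(attrs):
    """Step 10: the decision uses released attributes only, never the identity."""
    return attrs is not None and attrs.get("eduPersonAffiliation") == "member"
```

The service provider that is not named in the user's release policy receives an empty attribute set and is therefore refused, which is the "strong trust of IdP" point of slide 11 seen from the SP side.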

17 Shibboleth and Grid Authentication/Authorization
Grid – community driven?
Grid – distributed authorization
Shibboleth – fundamentally based on site (or VO?)
–That is, it assumes a strong site open to working in this area – not always true
Grid->Shibboleth?
–Projects exist in this area

18 US DOE Lab/ESnet Shibboleth
Something new – DOE Lab CIOs have commissioned a pilot Shibboleth test bed and policy development activity
US DOE research labs are heavily influenced by trends and needs in US academic research (NSF, EDUCAUSE, and other US Gov’t funding sources)
US DOE labs have limited resources for development in this area
–Shibboleth &al is both good news & bad news here:
–Standard development platform
–Limited resources to make changes

19 Shibboleth Federation
Shibboleth makes no sense w/o a federation component – why bother.
InCommon (http://www.incommonfederation.org)
–Internet2 – US Higher Ed example of Shibboleth federation
–There are some others: SWITCH, UK
US Legal System
–More complex bylaws, legal membership & status &c
Good Example or Bad Example?
–Some market inhibition
–International legal context
–Are our member organizations interested in federating for this purpose? TAGPMA?

20 E-Authentication (separate)
Summary
–Overlapping communities
–Overlapping interests
–What interest in this?

21 Acknowledgements
Technical content in most slides drawn from Michael Geddes &al from I2; from Von Welch &al from NCSA; a bit from David Chadwick, and others.

22 Summary
Overlapping communities
Overlapping interests
What interest do we have in this?
