Shibboleth What is it and what is it good for? Chad La Joie, Georgetown University.

2 What Shibboleth is NOT
- Virtual/meta directory
- Identity management system
- Account provisioning system
- Authentication system
- Authorization system

3 What is Shibboleth?
- Web based single sign-on system
  - Providing user attributes to services
  - While protecting a user's identity
  - Using a standard, open protocol: SAML
- Identity federation system
  - Based on multi-lateral trust & policy
  - With policy enforcement at IdP & SP

4 Shibboleth Components
- Identity Provider (IdP): the home organization entity that
  - Authenticates users
  - Releases attributes
- Service Provider (SP): a restricted access service that speaks SAML
- WAYF (Where Are You From?): web app for redirecting the user from the SP to their IdP

5 JSTOR Demo

6 Providing User Attributes
- Identity Provider (IdP) pulls attributes from ID systems (LDAP, RDBMS, etc.)
- Attributes are made available to the application as HTTP headers
- Attributes can be anything:
  - Academic: major, school, classes
  - Groups and entitlements
- Provides the means for attribute-based authorization

7 Protecting User Identity
- Opaque identifier can be used: _820d2843-2342-8236-ad28-8ac94fb3e6a1
  - Different identifiers for each service
  - Different identifiers for each new visit
- However, identifiers…
  - Need not be opaque: netid, email address
  - May be persistent across multiple visits
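The two identifier styles on this slide, as an added illustration that is not part of the original presentation: a fresh random transient ID per visit, and a persistent ID that is stable for one user at one SP but differs across SPs. The salt is a constructed value, and the persistent-ID scheme follows the computed-ID idea rather than reproducing the Shibboleth IdP's exact algorithm.

```python
import base64
import hashlib
import re
import secrets

# Constructed secret for this example; a real IdP keeps its own salt private.
IDP_SALT = b"example-idp-salt-not-a-real-one"

_TRANSIENT_RE = re.compile(r"^_[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def transient_id():
    """Random identifier for one visit, in the shape of the slide's example
    (_820d2843-2342-8236-ad28-8ac94fb3e6a1). Nothing about the user is
    recoverable from it, and each new session gets a fresh one."""
    h = secrets.token_hex(16)
    return "_" + "-".join((h[:8], h[8:12], h[12:16], h[16:20], h[20:]))

def looks_transient(value):
    """Format check an SP might apply before treating a value as a transient ID."""
    return _TRANSIENT_RE.match(value) is not None

def persistent_id(local_id, sp_entity_id, salt=IDP_SALT):
    """Pairwise persistent identifier: the same user gets the same value at
    the same SP across visits, but a different value at every other SP, so
    two services cannot correlate users by comparing identifiers. This is
    the computed-ID idea (hash of SP entityID, local ID and a secret salt)
    as an illustration, not the IdP's exact algorithm."""
    material = sp_entity_id.encode() + b"!" + local_id.encode() + b"!" + salt
    return base64.b64encode(hashlib.sha256(material).digest()).decode()
```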

8 Multi-Lateral Trust & Policy
- Technical trust: mutual endpoint authentication via digital key pairs
- Business trust: written and consented-to operational agreements
- Trust is established bi-laterally with the federation and used multi-laterally; similar to PKI

9 Policy Enforcement
- IdP policy enforcement:
  - What identifiers to release
  - What attributes and values to release
  - Which service providers to trust
- SP policy enforcement:
  - What attributes and values to accept
  - Which identity providers to trust

10 Shibboleth 2.0
- Existing Shibboleth 1.3 functionality
- SAML 2.0 support
  - Single sign-on, logout, attribute query
  - Persistent name identifiers
- Java Service Provider
- Better documentation
- Platform for developing new features:
  - Non-web based systems
  - Delegation/proxy support

11 What is it good for?
- Single sign-on
- Federated identities
- Customization and personalization: attributes, not just authorization
- Abstracting the location and access of user information: why should your app speak LDAP or SQL?

12 IdP Barriers to Entry
- Clean identity management systems: it's no longer just your mess/idiosyncrasies
- Policies: FERPA/HIPAA?
- Micro-group attribute provisioning
- Education
- Chicken and egg: where are the services?

13 SP Barriers to Entry
- Trust concerns: how do I know you're doing the right thing?
- Application adaptation: can your app use info outside its store?
- Security concerns: my castle, your gate
- Education
- Chicken & egg

14 Use Case: Project Vivarium
- Professional organization wants member access to JSTOR journals
- Members come from a wide range of organizations (higher ed, high schools, personal accounts)
- IP & proxy based restriction is not possible

15 Use Case: Project Vivarium Solution
- Establish entitlement attributes for each journal (not a collection of journals): urn:mace:jstor.org:entitlement:issn:00098388
- Establish a professional organization membership attribute: urn:mace:jstor.org:participant:vivarium
- Use persistent, but opaque, identifiers
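Slide 9's two-sided policy enforcement applied to slide 15's entitlement URNs, as an added example that is not code from the presentation or from Shibboleth itself: the IdP releases only policy-approved attributes and values per SP, the SP accepts attributes only from a trusted IdP, and per-journal access is decided from the entitlement URN. The entity IDs and the member record are constructed placeholders, and the attribute names are the standard eduPerson ones (not named on the slides).

```python
# Constructed sample policy for this example; the entity IDs are placeholders.
JSTOR_SP = "https://sp.jstor.example/shibboleth"    # assumption: SP entityID
VIVARIUM_IDP = "https://idp.vivarium.example/idp"   # assumption: IdP entityID
JOURNAL_ENTITLEMENT = "urn:mace:jstor.org:entitlement:issn:00098388"  # slide 15
MEMBER_ENTITLEMENT = "urn:mace:jstor.org:participant:vivarium"        # slide 15

# IdP side (slide 9): per-SP release policy. None means any value of the
# attribute may go out; a set limits release to those values. Unlisted SPs get nothing.
IDP_RELEASE_POLICY = {
    JSTOR_SP: {
        "eduPersonTargetedID": None,  # persistent but opaque identifier
        "eduPersonEntitlement": {JOURNAL_ENTITLEMENT, MEMBER_ENTITLEMENT},
    },
}

# SP side (slide 9): trusted IdPs and the attributes accepted from each.
SP_ACCEPT_POLICY = {VIVARIUM_IDP: {"eduPersonTargetedID", "eduPersonEntitlement"}}

def idp_release(sp_entity_id, user_attrs):
    """Reduce a user's attributes to what policy allows for this SP (deny by default)."""
    allowed = IDP_RELEASE_POLICY.get(sp_entity_id)
    if allowed is None:
        return {}
    released = {}
    for name, values in user_attrs.items():
        if name not in allowed:
            continue
        permitted = allowed[name]
        kept = list(values) if permitted is None else [v for v in values if v in permitted]
        if kept:
            released[name] = kept
    return released

def sp_accept(idp_entity_id, assertion_attrs):
    """Keep only accepted attributes, and only if the asserting IdP is trusted."""
    accepted = SP_ACCEPT_POLICY.get(idp_entity_id, set())
    return {k: v for k, v in assertion_attrs.items() if k in accepted}

def may_read_journal(accepted_attrs, issn):
    """Per-journal authorization: the user needs the entitlement URN for that ISSN."""
    wanted = f"urn:mace:jstor.org:entitlement:issn:{issn}"
    return wanted in accepted_attrs.get("eduPersonEntitlement", [])

# Constructed directory record for one member; mail is never released to JSTOR.
MEMBER_RECORD = {
    "mail": ["member@example.org"],
    "eduPersonTargetedID": ["_a1b2c3"],
    "eduPersonEntitlement": [JOURNAL_ENTITLEMENT, MEMBER_ENTITLEMENT, "urn:mace:example.org:internal-only"],
}
```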

16 The Prosperity Project

17 FEC & the Restricted Class
- Clearly defined audience for “advocacy” & “good government” messages
  - Managers, executives, shareholders: PAC solicitation, advocacy for candidates
  - All employees: voter registration, voting records, grassroots involvement
- Penalties include substantial civil fines

18 States & the Restricted Class
- Each state regulates its own elections
  - Ranges from unlimited corporate contributions and advocacy to no corporate involvement whatsoever
- Penalties also vary
  - Most severe: large personal fines for corporate officers, 10 years jail time, corporate charter is dissolved

19 BIPAC’s Goals for a Turnkey Solution
- Protect employee privacy
- Eliminate the need to give employee data to third-party vendors
- Provide information relevant to the employee without additional sign-on or registration

20 Without Liberty…
- Employers had these options:
  - Do nothing: no political information shared with employees
  - Use paper-based communications only
  - Develop expensive in-house communications tools
  - Use third-party vendors to authenticate users and provide content

21 Turning Away 9 out of 10 Employees
- "Would you be MORE LIKELY or LESS LIKELY to visit a website that requires you to register before you are allowed to view political or voter information?"
- 91% total less likely

22 Before… Copyright 2005, BIPAC

23 After…

24 Benefits

25 The Liberty Alliance Board and sponsor members include:

26 Benefits – Identity Protection
- Fewer authentication points
  - Easier to ‘get it right’ in fewer places
  - Easier to implement stronger authentication and anti-phishing mechanisms in fewer places
  - Users more likely to recognize imposter sites
  - Fewer places to update credentials after breaches

27 Benefits – Identity Protection
- Information in fewer places
  - With federation, less sensitive data shared
  - Information frequently identified differently at different sites: harder to correlate
  - Data from one service provider may not help at another
  - Ability to retrieve up-to-date information when you need it, then discard or rely on assertions

28 For More Information
- p2@bipac.org
- 800-497-8351
- BIPAC, 888 16th St NW, Suite 305, Washington DC 20006
