
Shibboleth & Federated Identity A Change of Mindset University of Texas Health Science Center at Houston Barry Ribbeck

Presentation transcript:

1 Shibboleth & Federated Identity: A Change of Mindset
University of Texas Health Science Center at Houston
Barry Ribbeck, Barry.R.Ribbeck@uth.tmc.edu

2 Access to our world is changing
What is causing the change?
Are the changes for the better?
Can we manage the changes?

3 Legacy Authentication / Authorization (AuthX)
Current authentication mechanisms are an extension of legacy designs.
Stand-alone systems do not scale well.
When AuthN is extended beyond the realm of control, security cannot be managed in any real fashion.
Privacy is neither implied nor enforced.
Identify remotely, authenticate remotely, authorize remotely, act remotely.

4 Legacy Authentication Systems: Issues
Scale: the context makes them hard to support and manage.
Privacy was not a design concern.
Difficult or impossible to manage the security of identification and authorization reliably.
User experience is diminished by yet another set of electronic credentials and by the possibility of identity release.

5 Federated Identity: The new mindset
Federation: an association of resource managers (targets) and identity managers (origins) cooperating via a trust broker (the federation) to access and deliver digital content.
Candidates: Liberty Alliance, Microsoft WS (.NET Passport) and Internet2 Shibboleth middleware.
Only one of these, Shibboleth, is deployed, addresses privacy as well as security, and is scalable.
Authenticate, attribute and assert locally; act federally.

6 What is Shibboleth?
Middleware: an authentication/authorization mechanism that provides security, privacy and scale.
Core enterprise middleware infrastructure.
Does not provide trust, but requires and leverages the existence of a trust fabric.
Allows users to authenticate, attribute and assert locally and act federally.

7 Middleware Land (diagram)
Source: http://www.internet2.edu/presentations/20020624-BaseCAMP-Frost.htm

8 Shibboleth at UTHSC Houston (diagram)
Origin (UTHSCH member): identity manager; authentication system (Digital ID/LDAP); LDAP directory (eduPerson).
Target: resource manager; web resource.
Federated identity providers are reached through the WAYF; origin and target are joined by the trust fabric.
Flow for a UTHSCH user:
1. Request access to the web resource.
2. [step label not legible on the slide]
3. Are you a valid UT Houston affiliate?
4. What is your role?
Role attributes sufficient: access allowed.

9 Shibboleth and Blackboard (diagram), by Barry Ribbeck, UTHSC-Houston
Origin (Home University, HU): authentication system (ISO/SSO/Cert); Handle Service; Attribute Authority (AA); RBAC authorization system, LDAP (eduPerson).
Target (resource provider): SHIRE; SHAR (configured to allow the HomeU AA); resource manager; Blackboard (Bb).
Federation: WAYF service (InCommon).
User "Bill"; the Handle Service maps Bill = handle X. Shib software is marked in the diagram.
1. Bill to target: I would like access.
2. Target (SHIRE) to federation: can you authenticate via my WAYF?
3. WAYF to Bill: where are you from?
4. Bill: I am from HU; logged in?
5. Bill is redirected to HU: authenticate me to HU.
6. HU Handle Service: AuthN OK, send handle X to the target.
7. Target (SHAR) to HU AA: need eppn and eduPersonEntitlement for X?
8. HU AA links handle X to the user and looks up attributes in LDAP (eduPerson).
9. Attributes found and released.
10. If the ARP allows, attributes are sent to the target. If the attributes are sufficient, access is granted by the resource manager on the target; Bb remote user = Bill@hu.edu.
11. Logged on to Bb.
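The exchange on the Blackboard slide (and the UTHSC one before it), as an added Python model that is not Shibboleth's, Blackboard's or the author's code. It shows the two properties the slides rely on: the target only ever receives an opaque handle plus whatever the origin's Attribute Release Policy (ARP) lets through, and access is decided on released attributes (eduPersonEntitlement) rather than on the user's identity. The directory entries, providerIds, ARP rules and entitlement URN are constructed for the example; the handle TTL and per-target binding are this example's choices.

```python
"""Toy model of the handle-and-attribute exchange on the Blackboard slide.
Added illustration; not Shibboleth's, Blackboard's or the author's code.
Origin = Home University (Handle Service, Attribute Authority, LDAP);
Target = resource provider (SHIRE, SHAR, resource manager).
Users, attributes, ARP rules and provider names are all constructed."""
import secrets
import time

# Constructed directory: what the origin's LDAP (eduPerson schema) holds.
DIRECTORY = {
    "bill": {
        "eduPersonPrincipalName": "bill@hu.edu",
        "eduPersonEntitlement": ["urn:mace:hu.edu:entitlement:bb-course-x"],
        "eduPersonAffiliation": ["student"],
        "mail": "bill.smith@hu.edu",        # present in LDAP, never released
    },
}

BB_TARGET = "https://bb.example.edu/shibboleth"          # constructed providerIds
LIBRARY_TARGET = "https://library.example.org/shibboleth"

# Constructed Attribute Release Policy: per target, what may leave the origin.
ARP = {
    BB_TARGET: {"eduPersonPrincipalName", "eduPersonEntitlement"},
    LIBRARY_TARGET: {"eduPersonAffiliation"},
}

HANDLE_TTL = 60   # seconds a handle remains resolvable at the AA (example choice)


class HandleService:
    """Step 6: after local AuthN, hand the target an opaque handle X."""

    def __init__(self):
        self._handles = {}   # handle -> (uid, target it was issued for, issue time)

    def issue(self, uid, target):
        if uid not in DIRECTORY:
            raise PermissionError("local authentication failed")
        handle = secrets.token_hex(16)   # random; encodes nothing about the user
        self._handles[handle] = (uid, target, time.time())
        return handle

    def resolve(self, handle, target):
        entry = self._handles.get(handle)
        if entry is None:
            return None
        uid, bound_target, issued = entry
        if bound_target != target or time.time() - issued > HANDLE_TTL:
            return None   # replayed at another target, or expired
        return uid


class AttributeAuthority:
    """Steps 8-10: link handle X back to the user, look up LDAP, apply the ARP."""

    def __init__(self, handle_service):
        self.hs = handle_service

    def query(self, handle, target, requested):
        uid = self.hs.resolve(handle, target)
        if uid is None:
            return {}
        allowed = ARP.get(target, set())
        return {a: DIRECTORY[uid][a]
                for a in requested if a in allowed and a in DIRECTORY[uid]}


# Target side: the SHAR asks for eppn and entitlement (step 7) and the
# resource manager decides on what comes back (step 10).
BB_REQUIRED = "urn:mace:hu.edu:entitlement:bb-course-x"


def blackboard_decide(handle, aa):
    attrs = aa.query(handle, BB_TARGET,
                     ["eduPersonPrincipalName", "eduPersonEntitlement"])
    if BB_REQUIRED in attrs.get("eduPersonEntitlement", []):
        return {"granted": True, "remote_user": attrs.get("eduPersonPrincipalName")}
    return {"granted": False, "remote_user": None}


def library_decide(handle, aa):
    """Slide 10's anonymity case: grant on affiliation alone, learn no identity."""
    attrs = aa.query(handle, LIBRARY_TARGET,
                     ["eduPersonPrincipalName", "eduPersonAffiliation"])
    granted = "student" in attrs.get("eduPersonAffiliation", [])
    return {"granted": granted, "remote_user": attrs.get("eduPersonPrincipalName")}


def run_flow(uid, target, decide):
    """Steps 1-11 end to end for one user at one target."""
    hs = HandleService()
    aa = AttributeAuthority(hs)
    handle = hs.issue(uid, target)        # steps 5-6 (origin)
    result = decide(handle, aa)           # steps 7-10 (target <-> origin)
    result["handle"] = handle
    return result
```

Running `run_flow("bill", BB_TARGET, blackboard_decide)` grants access and yields the remote user `bill@hu.edu`, because the ARP for that target releases eppn and entitlement; the same user at the library target is admitted on affiliation alone and the target never learns who they are. A handle issued for one target resolves to nothing when presented at another, which is the check the SHAR/AA pairing depends on.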

10 What is it Being Used For?
Access to digital content (library resources)
Learning management systems
Web-based online resources
Systems access that requires:
– Privacy (user anonymity can be maintained)
– Security (AuthN can be anything from uid/password to two-factor PKI)
– Granularity in access control
– High scalability

11 Federations: Brokers of the Trust Fabrics
Provide and maintain a digital venue for members.
A leverage point for Relying Party Agreements (solves the N-1 problem: one agreement with the federation instead of N-1 bilateral ones).
Enforce the rules of engagement for the Relying Parties.
Provide secure mechanisms for the exchange of member institutions' digital credentials.
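What "leveraging a trust fabric" (slide 6) and "secure exchange of member credentials" (this slide) look like mechanically, as an added Python example that is not InCommon's, Shibboleth's or the author's code: the federation publishes a signed, time-limited metadata document binding each member origin's providerId to a verification key, and a target accepts a handle assertion only if the metadata verifies, is unexpired, lists the issuer, and the assertion verifies under the listed key. Real federations distribute X.509 certificates and use XML signatures; HMAC-SHA256 stands in here so the block runs on the standard library, which means the keys in this model are symmetric and the federation's key is the target's one pre-shared trust anchor. All keys, providerIds and times are constructed.

```python
"""Toy trust fabric: federation-signed metadata gates which origins a target
will believe.  Added example; not InCommon's, Shibboleth's or the author's
code.  HMAC-SHA256 stands in for X.509/XML-DSig (symmetric keys, constructed)."""
import hashlib
import hmac
import json


def _sign(key: bytes, payload: dict) -> str:
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def _verify(key: bytes, payload: dict, signature: str) -> bool:
    return hmac.compare_digest(_sign(key, payload), signature)


# Constructed keys: one for the federation, one per member origin.
FEDERATION_KEY = b"constructed-federation-metadata-key"
MEMBER_KEYS = {
    "urn:mace:hu.edu": b"constructed-hu-origin-key",
    "urn:mace:uth.tmc.edu": b"constructed-uth-origin-key",
}


def publish_metadata(now: float, valid_for: float = 86400) -> dict:
    """Federation side: list members with their keys and sign the document."""
    body = {
        "federation": "constructed-federation",
        "validUntil": now + valid_for,
        "origins": {pid: key.hex() for pid, key in MEMBER_KEYS.items()},
    }
    return {"body": body, "signature": _sign(FEDERATION_KEY, body)}


def issue_assertion(origin_id: str, key: bytes, handle: str,
                    target: str, now: float) -> dict:
    """Origin side: the Handle Service asserts 'handle X authenticated here'."""
    body = {"issuer": origin_id, "handle": handle, "audience": target,
            "issued": now, "expires": now + 300}
    return {"body": body, "signature": _sign(key, body)}


def accept_assertion(metadata: dict, assertion: dict,
                     target: str, now: float) -> str:
    """Target side (SHIRE).  Returns 'ok' or the reason for rejection."""
    if not _verify(FEDERATION_KEY, metadata["body"], metadata["signature"]):
        return "metadata signature invalid"
    if now > metadata["body"]["validUntil"]:
        return "metadata expired: refresh from federation"
    body = assertion["body"]
    key_hex = metadata["body"]["origins"].get(body["issuer"])
    if key_hex is None:
        return "issuer is not a federation member"
    if not _verify(bytes.fromhex(key_hex), body, assertion["signature"]):
        return "assertion signature invalid"
    if body["audience"] != target:
        return "assertion not addressed to this target"
    if now > body["expires"]:
        return "assertion expired"
    return "ok"
```

The target holds no per-origin configuration: adding or removing a member is a change to the federation's metadata, which is the "one agreement instead of N-1" point made above. An origin outside the metadata, a tampered metadata document, or a stale one is refused before any attribute lookup happens.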

12 Federated Identity
Liberty: allows the end user to link and unlink identities that are provided from differing sources.
Shib: a method of scaling identity management.
Federations provide a trust fabric; the Liberty model ties them together.

13 Benefits
Scale: no need to maintain stand-alone credentials; many fewer uid/passwords.
Building applications on top of Shibboleth provides a leveraged instead of a stand-alone solution.
Security: authorization is better managed in a federated space.
Privacy for users can be maintained.

14 Demonstration
http://shibpilot.jstor.org:9010
http://bbcommerce.blackboard.com/webapps/portal/frameset.jsp
http://bb.uth.tmc.edu/

15 References
http://www.internet2.edu
http://www.educause.edu
Google searches: NMI-EDIT, Shibboleth, Internet2, Middleware
Barry.R.Ribbeck@uth.tmc.edu

