Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shibboleth A Technical Overview

Published byDiana Campbell Modified over 8 years ago

Similar presentations

Presentation on theme: "Shibboleth A Technical Overview"— Presentation transcript:

1 Shibboleth A Technical Overview
Tom Scavo NCSA shibboleth-tech-overview-dec05

2 Shibboleth Defined Shibboleth provides cross-domain single sign-on and attribute-based authorization while preserving user privacy Shibboleth is simultaneously: A project A specification An implementation shibboleth-tech-overview-dec05

3 Shibboleth Project Shibboleth, a project of Internet2-MACE:
Advocates a federated identity management policy framework focused on user privacy Develops middleware architectures to facilitate inter-institutional attribute sharing Manages an open source reference implementation of the Shibboleth spec Shibboleth has made significant contributions to the SAML-based identity management space shibboleth-tech-overview-dec05

4 Collaborations Internet2 OASIS E-Auth Shibboleth Educause Liberty
Vendors shibboleth-tech-overview-dec05

5 Shibboleth Specification
Shibboleth is an extension of the SAML 1.1 browser profiles: Shibboleth Browser/POST Profile Shibboleth Browser/Artifact Profile Shibboleth Attribute Exchange Profile See the Shibboleth spec for details: S. Cantor et al., Shibboleth Architecture: Protocols and Profiles. Internet2-MACE, 10 September 2005. shibboleth-tech-overview-dec05

6 Shibboleth Contributions
Shibboleth contributions are many Privacy and Anonymity Attribute Release Policy Opaque, transient name identifiers SP-first browser profiles Authentication Request Profile Where Are You From? service Attribute Exchange Profile shibboleth-tech-overview-dec05

7 Shibboleth Implementation
The Shibboleth implementation consists of two components: Shibboleth Identity Provider Shibboleth Service Provider The Identity Provider is a J2EE webapp The Service Provider is a C++ Apache module A pure Java Service Provider is in beta shibboleth-tech-overview-dec05

8 Shibboleth Versions The current version of Shibboleth is:
Shibboleth 1.3 (Jul 2005) Previous versions: Shibboleth (Nov 2004) Shibboleth 1.2 (Apr 2004) Shibboleth 1.1 (Aug 2003) Shibboleth 1.0 (Jun 2003) Work has begun on Shibboleth 2.0, which is based on SAML 2.0 shibboleth-tech-overview-dec05

9 Other Implementations
Implementations of Shibboleth (the spec): Shibboleth (of course!) Guanxi AthensIM (Identity Provider only) There are more open source implementations of Shibboleth than there are of SAML itself! shibboleth-tech-overview-dec05

10 Introduction shibboleth-tech-overview-dec05

11 Presentation Overview
Shibboleth Components Identity Provider Service Provider Shibboleth SSO Profiles Browser/POST Profile Browser/Artifact Profile Attributes Attribute Exchange Profile eduPerson Metadata shibboleth-tech-overview-dec05

12 Prerequisites Familiarity with SAML 1.1 is assumed
J. Hughes et al. Technical Overview of the OASIS Security Assertion Markup Language (SAML) V1.1. OASIS, May Document ID sstc-saml-tech-overview-1.1-cd SAML on Wikipedia shibboleth-tech-overview-dec05

13 Background References
Shibboleth Technical Overview Shibboleth Protocol Specification SAML 2.0 Metadata Specification shibboleth-tech-overview-dec05

14 Related Projects SAML Liberty ID-FF eduPerson ADFS (WS-Federation)
Shib contributed significant IP to SAML specs Liberty ID-FF Liberty formed the basis of the SAML 2.0 spec eduPerson Shib was a driving force behind this attribute vocabulary ADFS (WS-Federation) Microsoft's approach to federated IdM LionShare/ECL Federated P2P file sharing GridShib Shib-based authorization in Globus Toolkit shibboleth-tech-overview-dec05

15 Notation XML namespace prefixes: Abbreviations Identity Provider (IdP)
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds=" xmlns:xsd=" xmlns:xsi=" Abbreviations Identity Provider (IdP) Service Provider (SP) Where Are You From? (WAYF) Authentication (AuthN) shibboleth-tech-overview-dec05

16 The Shibboleth Experience
shibboleth-tech-overview-dec05

17 The Shibboleth Wiki For example, the Shibboleth wiki (hosted at ohio-state.edu) is “shibbolized” To edit wiki pages, a user must be known to the wiki Users have wikiNames but do not have wiki passwords Users log into their home institution, which asserts user identity to the wiki shibboleth-tech-overview-dec05

18 shibboleth-tech-overview-dec05

19 Shib Browser Profile The user clicks the link “Login via InQueue IdP”
This initiates a sequence of steps known as Shib Browser Profile 3 C L I E N T UIUC 4 InQueue 1 6 7 2 5 OSU 8 shibboleth-tech-overview-dec05

20 shibboleth-tech-overview-dec05

21 Shib Browser Profile InQueue provides a “Where Are You From?” service
The user chooses their preferred identity provider from a menu 3 C L I E N T UIUC 4 InQueue 1 6 7 2 5 OSU 8 shibboleth-tech-overview-dec05

22 shibboleth-tech-overview-dec05

23 Shib Browser Profile The user is redirected to UIUC login page
After login, the user is issued a SAML assertion and redirected back to the wiki 3 C L I E N T UIUC 4 InQueue 1 6 7 2 5 OSU 8 shibboleth-tech-overview-dec05

24 shibboleth-tech-overview-dec05

25 Shib Browser Profile After validating the assertion, the wiki retrieves user attributes via back-channel Shib attribute exchange 3 C L I E N T UIUC 4 InQueue 1 6 7 2 5 OSU 8 shibboleth-tech-overview-dec05

26 Asserting Identity Initially, the user is unknown to the wiki
After querying the home institution, the wiki knows the user’s identity “trscavo-uiuc.edu” is wiki-speak for The latter is eduPersonPrincipalName, an identity attribute asserted by the user’s home institution shibboleth-tech-overview-dec05

27 OpenIdP.org By design, a user with an account at an institution belonging to InCommon, InQueue, or SDSS can log into the wiki Other users can register at openidp.org, which is a zero-admin Shib IdP The openidp asserts an alternate form of identity ( addresses as opposed to eduPersonPrincipalName) shibboleth-tech-overview-dec05

28 Shibboleth Components
shibboleth-tech-overview-dec05

29 The Actors Identity Provider Service Provider
The Identity Provider (IdP) creates, maintains, and manages user identity A Shibboleth IdP produces SAML assertions Service Provider The Service Provider (SP) controls access to services and resources A Shibboleth SP consumes SAML assertions Authentication Authority Attribute Authority SSO Service Artifact Resolution Service Assertion Consumer Service Attribute Requester Resource Service Provider shibboleth-tech-overview-dec05

30 Identity Provider Authentication Authority Single Sign-On Service
Produces SAML authentication assertions Single Sign-On Service A (SAML2) browser-facing component Orchestrates SP-first browser profiles Artifact Resolution Service Resolves SAML artifacts into assertions Attribute Authority Produces SAML attribute assertions shibboleth-tech-overview-dec05

31 Service Provider Assertion Consumer Service Attribute Requester
A browser-facing component Participates in the browser profiles Consumes SAML authentication assertions Attribute Requester Consumes SAML attribute assertions Resource Manager Protects web resources shibboleth-tech-overview-dec05

32 ProviderIds Every SAML provider has a unique identifier called a providerId A providerId must be a URI of no more than 1024 characters In practice, a providerId is often an URL: Use of an “https” URL facilitates metadata publication shibboleth-tech-overview-dec05

33 Shibboleth SSO Profiles
shibboleth-tech-overview-dec05

34 Shib SSO Profiles Shibboleth SSO profiles are SP-first
Shibboleth specifies an Authentication Request Profile Shibboleth Browser/POST Profile = Shib Authn Request Profile SAML Browser/POST Profile Shibboleth Browser/Artifact Profile = Shib Authn Request Profile SAML Browser/Artifact Profile shibboleth-tech-overview-dec05

35 Shib AuthN Request Profile
A Shibboleth authentication request is an ordinary GET request: providerId= shire= target= time= The client is redirected to this location after requesting a protected resource at the SP without a security context shibboleth-tech-overview-dec05

36 Shib Browser/POST Profile
The Shibboleth Browser/POST Profile consists of eight (8) steps: Request the target resource Redirect to the Single Sign-On (SSO) Service [SP] Request the SSO Service Respond with an HTML form plus assertion [IdP] Request the Assertion Consumer Service Redirect to the target resource [SP] Request the target resource again Respond with the requested resource [SP] shibboleth-tech-overview-dec05

37 Shib Browser/POST Profile
Identity Provider Browser/POST is an SP-first profile The IdP produces an assertion at step 4, which the SP consumes at step 5 C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 Assertion Consumer Service 6 5 8 Resource 7 2 1 Service Provider shibboleth-tech-overview-dec05

38 Shib Browser/Artifact Profile
The Shibboleth Browser/Artifact Profile has ten (10) steps: Request the target resource Redirect to the Single Sign-On (SSO) Service [SP] Request the SSO Service Redirect to the Assertion Consumer Service [IdP] Request the Assertion Consumer Service Request the Artifact Resolution Service [SP] Respond with a SAML AuthN Assertion [IdP] Redirect to the target resource [SP] Request the target resource again Respond with the requested resource [SP] shibboleth-tech-overview-dec05

39 Shib Browser/Artifact Profile
Identity Provider Browser/Artifact is SP-first, too This time the authN assertion is passed by reference The SP resolves the artifact into the assertion C L I E N T Authentication Authority Attribute Authority SSO Service Artifact Resolution Service 4 3 7 6 8 Assertion Consumer Service 5 10 9 Resource 2 1 Service Provider shibboleth-tech-overview-dec05

40 IdP Discovery shibboleth-tech-overview-dec05

41 Identity Provider Discovery
Step 2 of the Shib browser profiles is problematic since the SP does not know the browser user’s preferred IdP! The SP relies on a process called Identity Provider Discovery The Shib approach to IdP Discovery is called a “Where Are You From?” (WAYF) service shibboleth-tech-overview-dec05

42 Shib WAYF Service Shibboleth specifies an optional WAYF (Where Are You From?) service that facilitates IdP discovery A Shibboleth WAYF: supports the Authentication Request Profile accepts authN requests from the SP knows the browser user’s preferred IdP redirects the client to the desired IdP A Shibboleth WAYF is usually interactive shibboleth-tech-overview-dec05

43 Shib WAYF Service C L I E N T WAYF Identity Provider Service Provider
Authentication Authority SSO Service Attribute Authority 8 WAYF 7 6 5 4 3 Assertion Consumer Service 10 9 12 Resource 11 2 1 Service Provider shibboleth-tech-overview-dec05

44 WAYF Implementations A typical request to the InQueue WAYF: providerId= shire= target= time= InCommon also provides a WAYF service: Implementation weaknesses: User selection from a list does not scale No provisions for user maintenance of IdP preferences shibboleth-tech-overview-dec05

45 InCommon Federation shibboleth-tech-overview-dec05

46 Attributes shibboleth-tech-overview-dec05

47 Attribute Push The POSTed response may contain both an authentication assertion and an attribute assertion, called attribute push Depending on the use case, attribute push may raise privacy concerns An alternative is attribute pull, which requires a back-channel exchange shibboleth-tech-overview-dec05

48 Shib Attribute Exchange
A Shibboleth SP often queries an IdP for attributes after validating an authN assertion An opaque, transient identifier called a handle is embedded in the authN assertion The SP sends a SAML AttributeQuery message with handle attached shibboleth-tech-overview-dec05

49 Attribute Pull Attribute pull is a secure, mutually authenticated back-channel exchange No IdP discovery is involved because the SP already knows the IdP by virtue of the authN assertion Attribute pull is subject to PKI, firewalls and other security and network concerns, however shibboleth-tech-overview-dec05

50 Browser/POST Attribute Pull
The Shibboleth Browser/POST Profile with Attribute Pull has ten (10) steps: Request the target resource Redirect to the Single Sign-On (SSO) Service [SP] Request the SSO Service Respond with an HTML form plus assertion [IdP] Request the Assertion Consumer Service Request attributes from the AA [SP] Respond with a SAML Attribute Assertion [IdP] Redirect to the target resource [SP] Request the target resource again Respond with the requested resource [SP] shibboleth-tech-overview-dec05

51 Browser/POST Attribute Pull
Identity Provider The first 5 steps of this profile are identical to ordinary Browser/POST Before redirecting the Client to the Resource Manager, the SP queries for attributes via a back-channel exchange C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 7 6 Assertion Consumer Service Attribute Requester 8 5 10 Resource 9 2 1 Service Provider shibboleth-tech-overview-dec05

52 Browser/POST Attribute Pull Step 1
The Client requests a target resource at the SP Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority Assertion Consumer Service Resource 1 Service Provider shibboleth-tech-overview-dec05

53 Browser/POST Attribute Pull Step 2
Identity Provider The SP performs a security check on behalf of the target resource If a valid security context at the SP does not exist, the SP redirects the Client to the single sign-on (SSO) service at the IdP C L I E N T Authentication Authority SSO Service Attribute Authority Assertion Consumer Service Resource 2 1 Service Provider shibboleth-tech-overview-dec05

54 Browser/POST Attribute Pull Step 3
The Client requests the SSO service at the IdP Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority 3 Assertion Consumer Service Resource 2 1 Service Provider shibboleth-tech-overview-dec05

55 Browser/POST Attribute Pull Step 4
Identity Provider The SSO service processes the authN request and performs a security check If the user does not have a valid security context, the IdP identifies the principal (details omitted) The SSO service produces an authentication assertion and returns it to the Client C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 Assertion Consumer Service Resource 2 1 Service Provider shibboleth-tech-overview-dec05

56 Browser/POST Attribute Pull Step 5
The Client issues a POST request to the assertion consumer service at the SP The authN assertion is included with the request Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 Assertion Consumer Service 5 Resource 2 1 Service Provider shibboleth-tech-overview-dec05

57 Browser/POST Attribute Pull Step 6
Identity Provider The assertion consumer service validates the request, creates a security context at the SP The attribute requester sends a (mutually authenticated) attribute query to the AA C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 6 Assertion Consumer Service Attribute Requester 5 Resource 2 1 Service Provider shibboleth-tech-overview-dec05

58 Browser/POST Attribute Pull Step 7
The IdP returns an attribute assertion subject to attribute release policy The SP filters the attributes according to attribute acceptance policy Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 7 6 Assertion Consumer Service Attribute Requester 5 Resource 2 1 Service Provider shibboleth-tech-overview-dec05

59 Browser/POST Attribute Pull Step 8
Identity Provider The assertion consumer service updates the security context and redirects the Client to the target resource C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 7 6 Assertion Consumer Service Attribute Requester 8 5 Resource 2 1 Service Provider shibboleth-tech-overview-dec05

60 Browser/POST Attribute Pull Step 9
The Client requests the target resource at the SP (again) Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 7 6 Assertion Consumer Service Attribute Requester 8 5 Resource 9 2 1 Service Provider shibboleth-tech-overview-dec05

61 Browser/POST Attribute Pull Step 10
Since a security context exists, the SP returns the resource to the Client Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 7 6 Assertion Consumer Service Attribute Requester 8 5 10 Resource 9 2 1 Service Provider shibboleth-tech-overview-dec05

62 Attribute Release Policy
At step 6, the AA releases attributes subject to Attribute Release Policy (arp.site.xml) In the site ARP, policy is specified on a per-SP basis (granularity does not extend to the resource) User ARPs (arp.user.principal.xml) may be applied, although in practice this is seldom done (a GUI does not exist) shibboleth-tech-overview-dec05

63 Attribute Acceptance Policy
At step 7, the SP applies an Attribute Acceptance Policy (AAP.xml) to the received attributes: Policy restricts what attributes can be asserted by whom Maps SAML attributes to HTTP headers At step 9, the resource uses the HTTP headers to make an access control decision shibboleth-tech-overview-dec05

64 Directory Schema Neither Shibboleth nor SAML define any attributes per se It is left to individual deployments to define their own attributes A standard approach to user attributes is crucial Without such standards, interoperability is impossible shibboleth-tech-overview-dec05

65 eduPerson Internet2 and EDUCAUSE have jointly developed a set of attributes and associated bindings called eduPerson The LDAP binding of eduPerson is derived from the standard LDAP object class called inetOrgPerson [RFC 2798] Approximately 40 attributes have been defined by InCommon as common identity attributes shibboleth-tech-overview-dec05

66 InCommon Attributes InCommon’s 6 “highly recommended” attributes:
Attribute Name Attribute Value givenName Mary sn (surname) Smith cn (common name) Mary Smith eduPersonScopedAffiliation eduPersonPrincipalName eduPersonTargetedID ? (eduPersonTargetedID does not have a precise value syntax) shibboleth-tech-overview-dec05

67 Metadata shibboleth-tech-overview-dec05

68 SAML 2.0 Metadata A metadata format was introduced by Liberty, which was adopted by SAML 2.0 SAML 2.0 metadata has been profiled for SAML 1.x entities Likewise, SAML 1.x metadata has been profiled for Shibboleth 1.3 SAML 2.0 metadata has really caught on! shibboleth-tech-overview-dec05

Download ppt "Shibboleth A Technical Overview"

Similar presentations

Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
X509-bindings-profiles-sep061 Bindings and Profiles for Attribute-based Authz in the Grid Tom Scavo NCSA.

X509-bindings-profiles-sep061 Bindings and Profiles for Attribute-based Authz in the Grid Tom Scavo NCSA.
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Inter-Institutional Registration UNC Cause December 4, 2007.

Inter-Institutional Registration UNC Cause December 4, 2007.
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.

Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.
Shibboleth: How It Relates to SAML Marlena Erdos Aug 27, 2001.

Shibboleth: How It Relates to SAML Marlena Erdos Aug 27, 2001.
1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.

1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.

Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.

A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.
Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.

Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Similar presentations

Ads by Google