JISC Shibboleth Briefing, 12-Mar-2004 (presentation transcript)

Slide 1: Everything I always wanted to know about Shibboleth …but was afraid to ask
John Paschoud, SECURe Project, LSE Library
Alan Robiette

Slide 2: [contents]
What is Shibboleth
How it works
Why Shibboleth
Implications for Institutions (Origins)
Implications for Resource-hosts (Targets)
[with lots of credit and © to Michael Gettes, and others of the NSF Middleware Initiative, for making most of the slides for me]

Slide 3: What is Shibboleth? (Biblical)
A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce "sh", called the word sibboleth. See Judges xii. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. [Webster's Revised Unabridged Dictionary (1913)]
[Judges, ch. 12, v. 5-6 (New American Standard)] The Gileadites captured the fords of the Jordan opposite Ephraim. And it happened when {any of} the fugitives of Ephraim said, "Let me cross over," the men of Gilead would say to him, "Are you an Ephraimite?" If he said, "No," then they would say to him, "Say now, 'Shibboleth.'" But he said, "Sibboleth," for he could not pronounce it correctly. Then they seized him and slew him at the fords of the Jordan.
The greatest needs of the Collectivist movement in England appear to me: Diffusion of economic and political knowledge of a real kind, as opposed to Collectivist shibboleths, and the cant and claptrap of political campaigning. [Sidney Webb: memorandum to LSE Trustees meeting on 8th Feb 1894]

Slide 4: What is Shibboleth? (modern era)
An initiative to develop an architecture and policy framework supporting the sharing, between domains, of secured web resources and services
A project delivering an open source implementation of the architecture and framework
Deliverables:
–Software for Origins (campuses)
–Software for Targets (vendors)
–Operational Federations (scalable trust)

Slide 5: So… What is Shibboleth?
A Web Single-Signon System (SSO)?
An Access Control Mechanism for Attributes?
A Standard Interface and Vocabulary for Attributes?
A Standard for Adding Authn and Authz to Applications?

Slide 6: Shibboleth Goals
Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions
Provide security while not degrading privacy
–Attribute-based Access Control
Foster inter-realm trust fabrics: federations and virtual organizations
Leverage campus expertise and build rough consensus
Influence the marketplace; develop where necessary
Support for heterogeneity and open standards

Slide 7: Attribute-based Authorization
Identity-based approach
–The identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access.
–This approach requires the user to trust the target to protect privacy, because the target holds an identifier before it has decided anything.
Attribute-based approach
–Attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision.
–This approach need not reveal who the user is at all: the target learns only the attributes the decision requires. Privacy is preserved as long as the released attributes (e.g. an affiliation or role, rather than a name or e-mail address) are not themselves identifying.

Slide 8: Shibboleth Status
V1.1 available August 2003
Relatively straightforward to install, provided there is good web services understanding and middleware infrastructure (authentication, directories, webISO, etc.)
Target works with Apache and IIS; Origin is Java
V2.0 likely to include portal support
Work underway on some of the essential management tools such as attribute release managers, target resource management, etc.
Can take between 3 hours and 3 years to install
–How much infrastructure (core middleware) do you already have?

Slide 9: Shibboleth Status
Likely to coexist well with Liberty Alliance and may work within the WS framework from Microsoft
Growing development interest in several countries, providing resource manager tools, digital rights management, listprocs, etc.
Used by several federations today (NSDL, InQueue, SWITCH) and several more soon (JISC, Australia, etc.)

Slide 10: How Does it Work?
Hmmmm…. It's magic.

Slide 11: High Level Architecture
Federations provide common Policy and Trust
Destination and origin site collaborate to provide a privacy-preserving "context" for Shibboleth users
Origin site authenticates user, asserts Attributes
Destination site requests attributes about user directly from origin site
Destination site makes an Access Control Decision
Users (and origin organizations) can control what attributes are released

Slide 12: Technical Components
Origin Site, Required Enterprise Infrastructure
–Authentication
–Attribute Repository
Origin Site, Shib Components
–Handle Server (HS)
–Attribute Authority (AA)
Target Site, Required Enterprise Infrastructure
–Web Server (Apache or IIS)
Target Site, Shib Components
–SHIRE (Shibboleth Indexical Reference Establisher: receives the handle from the origin)
–SHAR (Shibboleth Attribute Requester: queries the origin's AA with the handle)
–WAYF (Where Are You From: the home-org selector; often run federation-wide, see slide 28)
–Resource Manager (makes the access decision from the attributes)

Slide 13: Shibboleth Architecture [figure: still photo, no moving parts]

Slide 14: Shibboleth AA Process
Participants: User, Resource at the target (SHIRE, SHAR, Resource Manager), WAYF, the user's Home Org (Handle Service HS, User DB, Attribute Authority AA), Resource Owner.
1. User requests the Resource. SHIRE: "I don't know you. Not even which home org you are from. I redirect your request to the WAYF."
2. WAYF: "Please tell me, where are you from?"
3. User selects their home org.
4. WAYF: "OK, I redirect your request now to the Handle Service of your home org."
5. HS: "I don't know you. Please authenticate using WEBLOGIN."
6. User presents credentials; HS checks them against the User DB.
7. HS: "OK, I know you now. I redirect your request to the target, together with a handle."
8. SHAR (given the handle by SHIRE): "I don't know the attributes of this user. Let's ask the Attribute Authority." (sends the handle to the AA)
9. AA: "Let's pass over the attributes the user has allowed me to release." (returns attributes to the SHAR)
10. Resource Manager: "OK, based on the attributes, I grant access to the resource."
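The exchange on slide 14, as an added simulation written for this transcript (it is not Shibboleth's own code). It models steps 5 to 10: the Handle Service authenticates the user and mints an opaque, short-lived handle bound to one target; the target's SHAR presents that handle to the Attribute Authority, which resolves it and applies the origin's attribute release policy (ARP); the Resource Manager decides on whatever attributes come back. It also shows the privacy point of slide 7: the target never sees eduPersonPrincipalName or mail because the ARP withholds them. The username, password, hostnames, the 300-second handle lifetime and the release policy are constructed; the signed SAML assertion, the WAYF redirect and the TLS/SOAP transport of the real protocol are left out.

```python
import secrets
import time

# Constructed sample data; all names, hosts and values are hypothetical.
USER_DB = {
    "jsmith": {
        "password": "correct-horse",  # plaintext only for the simulation
        "attributes": {
            "eduPersonPrincipalName": "jsmith@example.ac.uk",
            "eduPersonScopedAffiliation": "staff@example.ac.uk",
            "mail": "j.smith@example.ac.uk",
        },
    },
}

# Attribute release policy (ARP) at the origin: which attributes each target
# may receive. Identifying attributes (eduPersonPrincipalName, mail) are withheld.
RELEASE_POLICY = {
    "journals.example.com": {"eduPersonScopedAffiliation"},
}

HANDLE_LIFETIME = 300  # seconds; assumed value for the simulation


class AttributeAuthority:
    """Origin-side AA: resolves an opaque handle to a user and applies the ARP (step 9)."""

    def __init__(self, user_db, release_policy):
        self.user_db = user_db
        self.release_policy = release_policy
        self.handles = {}  # handle -> (username, bound target, expiry time)

    def register_handle(self, handle, username, target, expiry):
        self.handles[handle] = (username, target, expiry)

    def query(self, handle, requesting_target, now=None):
        """Answer a SHAR attribute query; fail closed on unknown, mis-bound or expired handles."""
        now = time.time() if now is None else now
        entry = self.handles.get(handle)
        if entry is None:
            raise PermissionError("unknown handle")
        username, bound_target, expiry = entry
        if requesting_target != bound_target:
            raise PermissionError("handle was not issued for this target")
        if now > expiry:
            del self.handles[handle]
            raise PermissionError("handle expired")
        allowed = self.release_policy.get(requesting_target, set())
        attrs = self.user_db[username]["attributes"]
        return {name: value for name, value in attrs.items() if name in allowed}


class HandleService:
    """Origin-side HS: authenticates the user (WEBLOGIN, steps 5-7) and mints a handle."""

    def __init__(self, user_db, aa):
        self.user_db = user_db
        self.aa = aa

    def login_and_issue_handle(self, username, password, target):
        user = self.user_db.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            raise PermissionError("WEBLOGIN: bad credentials")
        handle = secrets.token_urlsafe(16)  # random; carries no identity
        self.aa.register_handle(handle, username, target, time.time() + HANDLE_LIFETIME)
        return handle


class Target:
    """Target side: SHIRE takes the handle, SHAR queries the AA, Resource Manager decides (8-10)."""

    def __init__(self, hostname, aa, required):
        self.hostname = hostname
        self.aa = aa
        self.required = required  # attribute name -> set of acceptable values

    def access(self, handle):
        attrs = self.aa.query(handle, self.hostname)  # SHAR -> AA
        granted = all(attrs.get(name) in values for name, values in self.required.items())
        return granted, attrs


def build():
    """Wire up one origin and one target (constructed deployment)."""
    aa = AttributeAuthority(USER_DB, RELEASE_POLICY)
    hs = HandleService(USER_DB, aa)
    target = Target("journals.example.com", aa,
                    {"eduPersonScopedAffiliation": {"staff@example.ac.uk", "member@example.ac.uk"}})
    return hs, aa, target


def run_flow(username="jsmith", password="correct-horse"):
    """Steps 5-10 of slide 14: login at the origin, handle to the target, AA query, decision."""
    hs, _, target = build()
    handle = hs.login_and_issue_handle(username, password, target.hostname)
    return target.access(handle)


if __name__ == "__main__":
    granted, released = run_flow()
    print("access granted:", granted, "| attributes seen by target:", released)
```

Run as written, the target grants access while seeing only eduPersonScopedAffiliation. The three rejections in `AttributeAuthority.query` (unknown handle, handle presented by a target other than the one it was issued for, expired handle) are what make a handle safe to pass through the user's browser: it carries no identity, and it is useless to anyone but the intended target within its lifetime. Handle state is kept in memory here; in a deployment the HS and AA must share it.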

Slides 15-18: [Figure, built up over four slides: Shibboleth architecture from the Shibboleth Architecture document. Origin side: University Authentication System, Enterprise Directory, Handle Service (3), Attribute Authority (4). Target side: HTTP Server, Resource Provider, SHIRE (3b), Local Navigation Page (1). Numbered arrows 1, 3, 3b, 3c, 4, 5, 6 show the message flow between Origin and Target.]

Slide 19: Why Shibboleth? Security
Better security tools will make collaboration more "painless" and more secure
Current "solutions" are primitive; we can do better today and without local overhaul
Shibboleth simplifies management and use of distributed systems

Slide 20: Why Shibboleth? Improved Access Control
Use of attributes allows fine-grained access control
Simplifies management of access to extended functionality
–Librarians, based on their role, are given a higher-than-usual level of access to an online database to which a college might subscribe.
–Librarians and publishers can enforce complicated license agreements that may restrict access to special collections to small groups of faculty researchers.
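The two licence scenarios on slide 20, as an added example written for this transcript (not code from Shibboleth). A target-side Resource Manager evaluates role attributes rather than identities: a librarian entitlement unlocks the extended functions, and a collection-specific entitlement stands in for the "small group of faculty researchers" that a licence names, so the origin decides who is in the group and the target never needs their names. It also applies the check a target must do before trusting any scoped attribute: a value such as staff@other.ac.uk is accepted only if federation metadata says the asserting origin may speak for that scope (Shibboleth 1.x targets enforce this in the attribute acceptance policy). The origin identifier, scopes, entitlement URNs and function names are constructed.

```python
# Constructed federation metadata: the attribute scopes each origin is entitled
# to assert. Origin identifiers and scopes are hypothetical.
ORIGIN_SCOPES = {
    "urn:mace:example:origin:lse": {"example.ac.uk"},
}

# Hypothetical entitlement values; a real federation agrees these as part of
# its eduPerson profile (see slides 25-26).
LIBRARIAN = "urn:mace:example.ac.uk:entitlement:librarian"
RARE_BOOKS = "urn:mace:example.ac.uk:entitlement:rare-books-licence"


def filter_scoped(origin, attrs):
    """Drop scoped values whose scope the asserting origin is not authoritative for.

    Without this check an origin could assert "staff@other.ac.uk" and borrow
    another institution's licence. Unscoped values pass through unchanged.
    """
    allowed_scopes = ORIGIN_SCOPES.get(origin, set())
    clean = {}
    for name, values in attrs.items():
        kept = []
        for value in values:
            if "@" in value:
                _, scope = value.rsplit("@", 1)
                if scope not in allowed_scopes:
                    continue
            kept.append(value)
        if kept:
            clean[name] = kept
    return clean


def affiliations(attrs):
    """Affiliation names (the part before '@') from eduPersonScopedAffiliation."""
    return {v.split("@", 1)[0] for v in attrs.get("eduPersonScopedAffiliation", [])}


# Resource Manager rules: function name -> predicate over the accepted attributes.
RULES = {
    # baseline licence: any member of a subscribing institution
    "search": lambda a: bool(affiliations(a) & {"member", "staff", "faculty", "student"}),
    # extended functions for librarians, granted by role rather than by name
    "admin": lambda a: LIBRARIAN in a.get("eduPersonEntitlement", []),
    # restricted collection: the licence limits access to a named group of
    # researchers, which the origin expresses as an entitlement instead of identities
    "rare-books": lambda a: RARE_BOOKS in a.get("eduPersonEntitlement", []),
}


def decide(origin, attrs, function):
    """True if the attributes released by `origin` satisfy the rule for `function`."""
    accepted = filter_scoped(origin, attrs)
    rule = RULES.get(function)
    return rule is not None and rule(accepted)


if __name__ == "__main__":
    lse = "urn:mace:example:origin:lse"
    librarian = {"eduPersonScopedAffiliation": ["staff@example.ac.uk"],
                 "eduPersonEntitlement": [LIBRARIAN]}
    for fn in RULES:
        print(fn, decide(lse, librarian, fn))
```

Every rule is a function of attributes, so adding a customer or a new licence changes only the origin's release policy or the entitlement it assigns, never an ACL of user names at the target; an unknown origin or an unknown function falls through to a refusal.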

Slide 21: Why Shibboleth? Federated Administration
Leverages existing middleware infrastructure at origin (authN, directory)
–Users registered only at their "home" or "origin" institution
–Target does NOT need to create new userids
Flexibly partitions responsibility, policy, technology, and trust
Authorization information sent, instead of authentication information
–when possible, use groups instead of people on ACLs
–identity information still available for auditing and for applications that require it

Slide 22: Why Shibboleth? Privacy
Higher Ed has privacy obligations
–In US, "FERPA" requires permission for release of most personal identification information; encourages least privilege in information access
–In UK, DPA places similar obligations on institutions
General interest and concern for privacy is growing
Shibboleth has active (vs. passive) privacy provisions "built in"

Slide 23: Benefits to Campuses
Much easier Inter-Domain Integration
–With other campuses
–With off-campus vendor systems
Integration with other campus systems, intra-domain
–LMS
–Med School……
Ability to manage access control at a fine-grained level
Allows personalization, without releasing identity
Implement Shibboleth once…
–And then just manage attributes that are released to new targets

Slide 24: Benefits to Targets/Vendors
Unified authentication mechanism from the vendor perspective
–Much more scalable
–Much less integration work required to bring a new customer online
Ability to implement fine-grained access control (e.g. access by role), allowing customer sites to effectively control access by attributes and thus control usage costs, by not granting access unnecessarily
Once the initial Shibboleth integration work has been completed on the vendor's systems
–The incremental cost of adding new customers is relatively minimal
–In contrast to the current situation, requiring custom work for each new customer
Ability to offer personalization
If your customers have Shibboleth implemented, easy implementation for them

Slide 25: Implications for Resource-hosts
Similar front-end implementation requirement as for an Athens target
No license fee
OSS means customisations are possible (e.g. for personalisation, pass-through of vendor portal to item-level links, etc.)
Need for agreement on role attributes (eduPerson) for access decisions

Slide 26: Implications for Institutions
Less duplicated end-user admin than with Athens
–(similar to AthensDA)
Need for agreement on role attributes (eduPerson) for end-user description
Many don't yet have standards-based supporting services (SSO, enterprise directories)
–(but new costs would largely replace and improve, rather than add to, existing ad-hoc access-management (AM) mechanisms)

Slide 27: [LSE/SECURe AM infrastructure]
http://www.angel.ac.uk/SECURe/deliverables/documentation/

Slide 28: Implications for UK infrastructure
No dependency on a VERY LARGE centralised database
Need for implementation of a national WAYF service
–better than current end-user interface model
–(new WAYF options being developed: http://stc.cis.brown.edu/~stc/Projects/Shibboleth/WAYF/index.html)
Lower shared costs?
–(but greater costs devolved to institutions)

Slide 29: Got SHIB?
