Slide 1: Shibboleth, a potential security framework for EDIT
Lutz Suhrbier, AG Netzbasierte Informationssysteme (http://www.ag-nbi.de), FU Berlin, FB Mathematik und Informatik, Institut für Informatik
06/09/2007 Berlin, EDIT Developers Meeting

Slide 2: Why use Shibboleth in EDIT?
(06/09/2007 EDIT Developers Meeting, BGBM Berlin)
Highly distributed organisational (infra-)structure
- Cross-national conglomerate of
  - Universities, Institutes, Botanical Museums, (private) Collections, others
  - Service Providers, Databases, Hosts, Applications, ...
  - Users, System Administrators
- Members have individual security or organisational requirements
Identity Management
- Current situation reflects the organisational structure:
  - Users have to authenticate multiple times to access different services
  - Problems remembering the individual authentication ids (e.g. user/pass) for each service
  - System administrators have to manage access control for each of these services
  - Individual maintenance of user accounts and access control for each service or resource
Problem
- Current situation is error-prone and resource consuming
- Need for a comfortable Single Sign-On (SSO) solution considering
  - Security and organisational requirements of providers
  - Security and privacy aspects of users

Slide 3: What is Shibboleth?
Internet2 Middleware Project which
- aims to develop a standards-based solution enabling organisations to exchange user information in a secure and privacy-preserving manner
- is developed by a group of leading campus middleware architects (since 2000)
Inter-organisational single sign-on (SSO) service for web services
- Uses several widely-implemented standards such as
  - Security Assertion Markup Language (SAML), XML, XML Signature
  - Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL)
  - SOAP, Lightweight Directory Access Protocol (LDAP)
- Relies on or extends existing Identity Management solutions in organisations
Open Source (Apache Software License 2.0)

Slide 4: Shibboleth Key Concepts
Federations
- a framework for multiple, scalable trust and policy sets
- specifies a group of organisations abiding by a common set of policies and practices
- enables interaction without defining bilateral agreements between federated parties
- IdP sites (user origin) provide attribute assertions to SP sites (target)
- IdP sites are responsible for authenticating users (using any reliable means)
Attribute Based Access Control
- AC decisions are made using attribute assertions received by SPs from IdPs
- assertions may include identity, but do not require it
- access may be granted based on e.g. group membership or origin site
- a standard (yet extensible) attribute/value vocabulary
  - eduPerson includes widely-used person attributes in higher education
Active Privacy Management
- IdP sites and their origin users control what information is released to SPs
- individuals can manage attribute release via a web-based user interface
- frees users from being at the mercy of the SPs' privacy policies

Slide 5: Shibboleth Federations
Source:

Slide 6: Shibboleth Login Procedure
Source:

Slide 7: Shibboleth Main Components
Identity Provider (IdP)
- maintains user credentials and attributes
- asserts authentication or attribute statements to relying parties (SPs)
- single sign-on (SSO) service initiates the authentication process
- authentication authority issues authentication statements to others (SPs)
Service Provider (SP)
- manages secured resources
- user access is based on assertions requested from an IdP
- assertion consumer service processes the authentication assertions returned by the SSO service; it
  - initiates optional attribute requests (via the attribute requester)
  - establishes a security context at the SP
  - redirects the client to the desired target resource
"Where are you from?" (WAYF) service (optional)
- proxy for authentication requests passed from SPs to the IdPs' SSO service
- used by SPs to determine the user's preferred IdP (user interaction possible)

Slide 8: Shibboleth benefits
IdP benefits
- simple integration into existing identity management
- no additional effort establishing new services (user account and IP-address management)
SP benefits
- relieved of user and account data management
- authorisation based on defined properties
User benefits
- only a single digital identity for SSO, location-independent access
- data transparency and data privacy management
Source:

Slide 9: Shibboleth SP Integration
Web Server
- Apache
  - mod_shib
  - assertion attributes assignable to Apache environment variables (e.g. REMOTE_USER)
- IIS
  - also possible
Drupal
- modified webserver_auth module
  - uses REMOTE_USER to log on to Drupal automatically
  - "pushes" the current Shibboleth attributes (e.g. roles, mail, name) into the Drupal user module at every login
Subversion
- Currently, usage via web browser possible (work in progress, proxy?)
Trac
- Work in progress...
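The SP side of slides 7 and 9, as an added example that is not code from the slides or from Shibboleth itself: a minimal assertion consumer that performs the checks an assertion consumer service applies before it creates a security context (expected issuer, validity window with clock skew, audience restriction, presence of an authentication statement) and then maps the released attributes to web-server environment variables the way mod_shib does, deriving REMOTE_USER from eduPersonPrincipalName. The entity IDs, times and attribute values are constructed; the attribute names are the standard eduPerson/LDAP OIDs plus one made-up local attribute that is deliberately absent from the SP attribute map. XML Signature verification is assumed to have been done by the SAML library before this code runs.

```python
"""Added example (not from the slides or Shibboleth): SP-side assertion checks
and attribute-to-environment mapping. Signature verification is assumed done."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed entity IDs and clock values (not real federation members).
IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
NOW_OK = datetime(2007, 9, 6, 10, 2, tzinfo=timezone.utc)    # inside the window
NOW_LATE = datetime(2007, 9, 6, 11, 0, tzinfo=timezone.utc)  # replayed an hour later

# Constructed sample assertion. Attribute names: standard eduPerson/LDAP OIDs
# plus one made-up local attribute that the SP does not map.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2007-09-06T10:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tx9</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-09-06T10:00:00Z" NotOnOrAfter="2007-09-06T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2007-09-06T09:59:50Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:example.org:attribute:internal-note">
      <saml:AttributeValue>not in the SP attribute map</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Stand-in for the SP's attribute map: only mapped attributes become variables.
ATTRIBUTE_MAP = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "affiliation",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}


def parse_saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(xml_text, expected_issuer, own_entity_id, now,
                      clock_skew=timedelta(seconds=60)):
    """Validate the assertion and return the environment the web application
    would see. Raises ValueError with the reason when it must be rejected."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"issuer {issuer!r} is not the IdP we asked")
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion carries no Conditions")
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if now + clock_skew < not_before or now - clock_skew >= not_on_or_after:
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if own_entity_id not in audiences:
        raise ValueError(f"assertion not addressed to {own_entity_id}")
    if root.find("saml:AuthnStatement", NS) is None:
        raise ValueError("no authentication statement; cannot create a session")

    env = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        variable = ATTRIBUTE_MAP.get(attr.get("Name"))
        if variable is None:
            continue  # unmapped attributes never reach the application
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        env[variable] = ";".join(values)  # multi-valued attributes are ';'-joined like the Shibboleth SP does
    if "eppn" in env:
        env["REMOTE_USER"] = env["eppn"]  # what Drupal's webserver_auth module consumes
    return env


def try_consume(xml_text, expected_issuer, own_entity_id, now):
    """Like consume_assertion, but returns the rejection reason as a string."""
    try:
        return consume_assertion(xml_text, expected_issuer, own_entity_id, now)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(try_consume(SAMPLE_ASSERTION, IDP_ENTITY_ID, SP_ENTITY_ID, NOW_OK))
    print(try_consume(SAMPLE_ASSERTION, IDP_ENTITY_ID, SP_ENTITY_ID, NOW_LATE))
```

Because REMOTE_USER is the only thing the Drupal module trusts, the web server must set it exclusively from a validated assertion; the rejected cases above (stale assertion, assertion meant for another SP, unexpected issuer) are exactly those where no environment variable may be exported at all.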

Slide 10: Shibboleth Tools
ShARPE
- management of user attributes via a web-based interface (WebShARPE)
  - editing of user attributes
  - editing which attributes are released to defined SPs
  - definition of user roles
- extends the Attribute Release Policy (ARP) with group management facilities
  - users can assign attributes to other users
- role-specific "business card" definition (Autograph)
  - enables users to edit their id card for different uses (e.g. student, work group)
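The attribute release and attribute-based access control ideas of slides 4 and 10 in one runnable walk-through, as an added example that is not code from the slides, from ShARPE or from Shibboleth: a site-wide attribute release policy (default deny per SP) is applied at the IdP, a user-managed policy of the kind WebShARPE exposes lets a user withhold further attributes, and the SP then decides on the released attributes alone, without needing the user's identity. The users, SP entity IDs, entitlement values and rules are constructed; real ARPs and SP access rules are XML documents rather than Python dicts.

```python
"""Added example (not from the slides, ShARPE or Shibboleth): IdP-side attribute
release policy followed by an SP-side attribute-based access decision."""

# Constructed IdP user records (values invented). Multi-valued attributes are sets.
USERS = {
    "alice": {
        "eduPersonPrincipalName": "alice@example.org",
        "eduPersonAffiliation": {"staff", "member"},
        "eduPersonEntitlement": {"urn:mace:example.org:edit:collection-editor"},
        "mail": "alice@example.org",
        "telephoneNumber": "+49 30 0000 0000",
    },
    "bob": {
        "eduPersonPrincipalName": "bob@example.org",
        "eduPersonAffiliation": {"student", "member"},
        "eduPersonEntitlement": set(),
        "mail": "bob@example.org",
        "telephoneNumber": "+49 30 0000 0001",
    },
}

# Constructed SP entity IDs.
EDITOR_SP = "https://taxon-editor.example.org/shibboleth"
WIKI_SP = "https://wiki.example.org/shibboleth"

# Site ARP: per SP, the attributes the IdP is willing to release. Anything not
# listed is never released (default deny), so mail and telephoneNumber stay home.
SITE_ARP = {
    EDITOR_SP: {"eduPersonPrincipalName", "eduPersonAffiliation", "eduPersonEntitlement"},
    WIKI_SP: {"eduPersonAffiliation"},
}

# User ARP (what a WebShARPE-style interface lets the user edit): a user may
# withhold attributes from an SP but can never release more than the site ARP.
USER_ARP = {
    "bob": {WIKI_SP: {"eduPersonAffiliation"}},  # bob opts out of the wiki entirely
}

# SP access rules: access is granted if any released value of the named
# attribute is in the accepted set. No rule depends on who the user is.
SP_RULES = {
    EDITOR_SP: ("eduPersonEntitlement", {"urn:mace:example.org:edit:collection-editor"}),
    WIKI_SP: ("eduPersonAffiliation", {"staff", "student", "member"}),
}


def release_attributes(user, sp_entity_id):
    """IdP side: apply the site ARP, then the user's own withholding choices."""
    allowed = set(SITE_ARP.get(sp_entity_id, set()))
    allowed -= USER_ARP.get(user, {}).get(sp_entity_id, set())
    return {name: value for name, value in USERS[user].items() if name in allowed}


def access_decision(sp_entity_id, released):
    """SP side: attribute-based decision on the released assertion only."""
    attribute, accepted = SP_RULES[sp_entity_id]
    values = released.get(attribute, set())
    if isinstance(values, str):
        values = {values}
    matched = accepted & set(values)
    if matched:
        return True, f"granted via {attribute}={sorted(matched)}"
    return False, f"denied: no accepted value of {attribute} was released"


def login(user, sp_entity_id):
    """Whole flow for one user at one SP: release at the IdP, decide at the SP."""
    released = release_attributes(user, sp_entity_id)
    granted, reason = access_decision(sp_entity_id, released)
    return {"released": sorted(released), "granted": granted, "reason": reason}


if __name__ == "__main__":
    for user in USERS:
        for sp in (EDITOR_SP, WIKI_SP):
            print(user, sp, login(user, sp))
```

Two things the run makes visible: the wiki grants access to alice without ever learning her principal name or mail address (privacy through release policy), and bob's withholding choice costs him access to the wiki, which is the trade-off a user makes in the WebShARPE interface rather than being left to the SP's privacy policy.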

Slide 11: EDIT Recent and current activities
- Demo IdP and SP server installed as XEN domains
- Provisional EDIT federation established
  - will join
  - other sites can join on request
- Comprehensive setup descriptions available
  - IdP and SP on Debian Etch
  - Drupal integration
- ShARPE will be installed on the IdP site within the next days