Shibboleth access management: a replacement for Athens and more? Mark Norman and Christian Fernau OUCS 21 June 2007.


IT Support Staff Conference, 21 June 2007

This presentation
–What is Shibboleth? (and what it isn't)
–A quick run through of a common example
–The UK Federation
–Privacy and the 4 attributes
–Shibboleth in Oxford: the architecture
–Questions

What is Shibboleth?
"Shibboleth is a system designed to exchange attributes across realms for the primary purpose of authorisation"
Why is it called Shibboleth?
–Because it is access control where it matters what you are, rather than who you are
–Judges 12:5-6 (the Gileadites seized the passages of the Jordan before the Ephraimites, who could not pronounce "shibboleth", the word for an ear of wheat)

It's easier to say what it isn't!
It ISN'T about authentication management!
–(Authentication = the act of verifying that an electronic identity is being employed by the entity, person or process to whom it was issued.)
–Shibboleth assumes that institutions run their own authentication systems and that others trust those processes
It ISN'T about authorisation management!
–(Authorisation = associating rights or capabilities with a subject/person.)
–Other information about individuals (groups, status etc.) should be managed by the institution too

OK, in plain English...
It's all about how to transmit authorisation and role information from your home institution to outside service providers, and how those service providers can ask for that information
Access management and the communication of authorisation credentials
Aims: separate authentication from authorisation
–Devolve authentication to the 'home' organisation
–Devolve the management of authorisation information as well

Replacing Athens?
In phases:
–Mid 2007: Shibboleth enabled at Oxford (possibly without publicity)
–Athens continues (free) until July 2008
–Between mid 2007 and July 2008, Oxford users should be able to use Shibboleth or Athens to access on-line resources
–After July 2008 Athens may still be available but will require a subscription from Oxford

Replacing Athens: the user's perspective
Now:
–Users connect to a resource and type in their Athens username and password to gain access
Mid 2007:
–Users can do the same thing for many (most?) resources using their Webauth username and password (and they see the Webauth screens too)
–Users can still use their Athens username and password
August 2008:
–Athens may be unavailable

Some definitions
–Identity Provider (IdP): your home institution (where you usually have a username/login)
–Service Provider (SP): organisation/body providing a service (e.g. an e-Journal)
–WAYF ("Where Are You From?" service): an application/service that determines which IdP to send the user to; a type of IdP Discovery Service

Technically simple (SAML*)
Shibboleth involves two types of exchanges:
1. AuthnRequest > AuthnAssertion: "Was authentication successful?"
2. AttributeRequest > AttributeAssertion: "I need to know ... about this user." / "This user has the following attributes..."
* Security Assertion Markup Language

What the user should see
The user goes to a resource
They are presented with log in options
They select the "UK Federation" or "Institutional sign on" etc. option

The resource sends them to the "Where Are You From" service
They say they are from Oxford

They then see their familiar Webauth screen

Then the usual Oxford confirmation...

Possibly a holding screen for 2-3 seconds before the user sees...

...the resource they were trying to reach a few seconds ago

The next time they try to get to a resource...
They're almost straight in (no need to authenticate again), because the IdP keeps a session cookie in the browser.

Trusting the SP, IdP etc.
All of these bodies trust each other (implicitly) because they all belong to the same Federation
–A federation has a set of rules that everyone obeys, e.g. a security policy for IdPs and privacy policies for SPs
–A service provider (SP) can provide services for multiple federations
–An institution such as Oxford (or its IdP) could belong to multiple federations too
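The three slides above (the two SAML exchanges, the user's browser journey including the SSO cookie, and the federation-level trust between SP and IdP) are easier to see in one place as code. The following is an added example, not code from the OUCS talk or from the Shibboleth project: a toy IdP and SP that run the assertion round trip in memory. Entity IDs, the AssertionConsumerService URL, the user record and the released attribute (eduPersonScopedAffiliation, taken from the eduPerson schema) are all assumptions made for the example, and HMAC-SHA256 over the serialised assertion stands in for the XML signature a real IdP makes with its federation-registered key.

```python
"""Toy Shibboleth/SAML round trip (added example, not from the OUCS slides)."""
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def q(tag):
    """Namespace-qualify a SAML assertion tag for ElementTree."""
    return f"{{{SAML}}}{tag}"


# Federation metadata as the IdP sees it: the SPs it may talk to and the
# AssertionConsumerService URL each is registered with. Constructed data.
FEDERATION_METADATA = {
    "https://ejournal.example.org/shibboleth": [
        "https://ejournal.example.org/Shibboleth.sso/SAML2/POST",
    ],
}


class IdP:
    """Home-institution Identity Provider: authenticates users, keeps the SSO
    session cookie and issues signed attribute assertions."""

    def __init__(self, entity_id, key):
        self.entity_id, self.key = entity_id, key
        # Constructed directory: username -> (password, attributes held).
        self.users = {"abcd1234": ("correct-horse", {
            "eduPersonScopedAffiliation": "member@example.ac.uk"})}
        self.sessions = {}  # SSO cookie -> username

    def authenticate(self, username=None, password=None, cookie=None):
        """Return an SSO cookie, or None. A live cookie skips the login
        screen: the 'almost straight in' case on the second visit."""
        if cookie in self.sessions:
            return cookie
        record = self.users.get(username)
        if record and hmac.compare_digest(record[0], password or ""):
            cookie = secrets.token_hex(16)
            self.sessions[cookie] = username
            return cookie
        return None

    def issue(self, sp_entity_id, acs_url, cookie, requested):
        """Build and sign an Assertion for the SP, releasing only the
        requested attributes. Refuses SPs/ACS URLs absent from metadata."""
        if acs_url not in FEDERATION_METADATA.get(sp_entity_id, []):
            raise ValueError("Invalid assertion consumer service URL")
        username = self.sessions[cookie]
        now = int(time.time())
        a = ET.Element(q("Assertion"), {"ID": "_" + secrets.token_hex(8),
                                        "IssueInstant": str(now)})
        ET.SubElement(a, q("Issuer")).text = self.entity_id
        cond = ET.SubElement(a, q("Conditions"), {
            "NotBefore": str(now - 60), "NotOnOrAfter": str(now + 300)})
        aud = ET.SubElement(cond, q("AudienceRestriction"))
        ET.SubElement(aud, q("Audience")).text = sp_entity_id
        stmt = ET.SubElement(a, q("AttributeStatement"))
        for name, value in self.users[username][1].items():
            if name in requested:
                attr = ET.SubElement(stmt, q("Attribute"), {"Name": name})
                ET.SubElement(attr, q("AttributeValue")).text = value
        body = ET.tostring(a)
        # Stand-in for XML-DSig: HMAC-SHA256 under a key the SP also holds.
        return body, hmac.new(self.key, body, hashlib.sha256).hexdigest()


class SP:
    """Service Provider: verifies origin, validity window and audience of the
    assertion, then decides access from what the user *is* (attributes)."""

    def __init__(self, entity_id, acs_url, idp_entity_id, idp_key):
        self.entity_id, self.acs_url = entity_id, acs_url
        self.idp_entity_id, self.idp_key = idp_entity_id, idp_key

    def consume(self, body, sig, now=None):
        expected = hmac.new(self.idp_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("signature check failed")
        a = ET.fromstring(body)
        if a.findtext(q("Issuer")) != self.idp_entity_id:
            raise ValueError("unexpected issuer")
        cond = a.find(q("Conditions"))
        now = int(time.time()) if now is None else now
        if not int(cond.get("NotBefore")) <= now < int(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        if cond.findtext(q("AudienceRestriction") + "/" + q("Audience")) != self.entity_id:
            raise ValueError("assertion not addressed to this SP")
        return {att.get("Name"): att.findtext(q("AttributeValue"))
                for att in a.iter(q("Attribute"))}

    def authorise(self, attrs):
        """Licence rule (assumed): any member of the subscribing institution."""
        return attrs.get("eduPersonScopedAffiliation") == "member@example.ac.uk"


def visit_resource(idp, sp, username=None, password=None, cookie=None):
    """The slides' sequence: resource -> WAYF (IdP chosen) -> IdP login ->
    assertion posted to the SP's ACS -> access decision."""
    cookie = idp.authenticate(username, password, cookie)
    if cookie is None:
        return None, False
    body, sig = idp.issue(sp.entity_id, sp.acs_url, cookie,
                          {"eduPersonScopedAffiliation"})
    return cookie, sp.authorise(sp.consume(body, sig))
```

Two points worth noticing when running it: the SP never sees a username or password, only the affiliation it asked for, which is the "what you are, not who you are" idea in practice; and the metadata check in `IdP.issue` is the one that fails when an SP's ACS URL is not registered with the federation, which is the kind of error the demo slide below reports.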

The UK Federation
A group of member organisations who sign up to a set of rules (see next slides)
An independent body funded by Becta and JISC
Manages the trust relationships between members

The UK Federation: rules for IdPs
–Provide data that is accurate and up-to-date
–Comply with technical specifications
–Observe good practice for configuration, operation and security of the service, exchange of data, private keys, ...
–Must hold all licences and permissions required
–Must not damage the reputation of the Federation
–Give 'reasonable assistance' to investigate misuse

The UK Federation: rules for SPs
–Must not disclose attributes to 3rd parties
–Use attributes only for access control or presentation decisions (and only for the service that the user requested), or for generating aggregated anonymised usage statistics
–The SP is responsible for management of access rights: the federation has no liability

Chris: Privacy and the 4 attributes
Chris to add slides

Chris: Shib architecture at Oxford
Chris to add slides

Chris: DEMO????
Christian – check out this page for other resources – http://ukfederation.org/content/Documents/AvailableServices
–(But I got "Shibboleth Identity Provider Failure. The inter-institutional access system experienced a technical failure. Please and include the following error message: Identity Provider failure at (/shibboleth-idp/SSO) org.opensaml.SAMLException: Invalid assertion consumer service URL.")

Questions?