Shibboleth and InCommon: Making Secure Collaboration a Reality. Scott Cantor, Internet2/MACE and The Ohio State University.

Presentation transcript:

1 Shibboleth and InCommon: Making Secure Collaboration a Reality. Scott Cantor, Internet2/MACE and The Ohio State University.

2 Internet2/MACE A consortium of over 200 research institutions, with corporate and government partners, developing technologies in support of the next generation of networking and applications. MACE is a steering committee of about 20 technologists for middleware activities within Internet2.

3 MACE Working Groups: MACE-Dir (eduPerson, LDAP Recipe); Shibboleth; Course-ID; HEPKI (PKI-Light, S/MIME, HE Sector CA); VidMid (H.323, commObject); MedMid (meduPerson, HIPAA privacy laws); I2MM (Jabber, real-time communication/presence); End to End Diagnostics.

4 Outline What is Shibboleth? Shibboleth Federations and Trust Standards Convergence Current Status Library Considerations

5 What is Shibboleth? An Internet2/MACE initiative to develop a standards-based architecture and policy framework supporting the sharing of secured web resources and services A software project delivering an open source implementation of the architecture and framework Based on the OASIS SAML standard (

6 What is Shibboleth? Open source attribute-based single sign-on software with an emphasis on user privacy, built on the SAML 1.1 specification A provider and consumer of innovations in federated identity standards An enabling technology for Internet2, international, and regional efforts at federation in education and research

7 Immediate (and less Immediate) Use Cases Traditional web single sign-on Shared electronic learning resources Research resources (grids) Outsourced academic or administrative services Account linking across sites Delegated trust in portal scenarios (e.g. meta-searching)

8 Web Single Sign-On: General Approaches. (1) User supplies a single credential accepted by multiple applications across multiple physical servers, e.g. X.509 certificates, smart cards. (2) User communicates with a “login service” to convert a local credential into a new token that is passed to an application located elsewhere, repeated as necessary, e.g. numerous proprietary WebSSO systems, SAML systems, Kerberos. Both approaches typically focus on identity; attribute design is more flexible and preserves privacy.

9 When Shibboleth? a secure or personalized service is used by large/discrete sets of users a service provider is unable/unwilling to do all the work authenticated but anonymous access is a requirement a standards-based approach to SSO is a plus

: Federated Administration. 2003: Federated Identity. Users authenticate to their “home” or “origin” institution (identity provider). Identity becomes one of many attributes potentially sent to target sites (service providers). Authorization is enforced by the service provider, the identity/attribute provider, or both. This partitions responsibility, policy, technology, and trust.

11 High Level Architecture (diagram, recovered as a sequence): (1) User to Resource: “Knock, knock…” (2) Resource: “Who’s there?” The Assertion Consumer Service receives the opaque handle abcde12345 from the Authn Authority, which knows the user as Mary. (3) Attribute Requester to Attribute Authority: “abcde12345 who?” (4) Attribute Authority to Attribute Requester: Mary, faculty, contract:001. (5) Resource: “Let me in!”
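An added Python sketch of the slide 11 exchange, not code from the presentation or from the Shibboleth project: the origin’s authentication authority issues an opaque, short-lived handle, the target’s attribute requester queries the attribute authority with it, and the target authorizes on the released attributes alone. The entity IDs, attribute names and release policy are constructed for this example.

```python
import secrets
import time

# Constructed sample data: the origin's user store and its attribute
# release policy (which attributes each target may receive).
USERS = {"mary": {"displayName": "Mary", "eduPersonAffiliation": "faculty",
                  "contract": "001"}}
RELEASE_POLICY = {"https://sp.example.org/shibboleth":
                  {"eduPersonAffiliation", "contract"}}


class IdentityProvider:
    """Origin site: authentication authority plus attribute authority."""

    def __init__(self, handle_ttl=300):
        self._handles = {}  # opaque handle -> (username, expiry time)
        self.handle_ttl = handle_ttl

    def authenticate(self, username, now=None):
        # After a successful local login, give the target a random,
        # short-lived handle ("abcde12345" in the slide), not the identity.
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(12)
        self._handles[handle] = (username, now + self.handle_ttl)
        return handle

    def attribute_query(self, handle, requester, now=None):
        # Back-channel query from the attribute requester ("abcde12345 who?").
        # The requester's identity would come from the PKI trust fabric;
        # here it is simply passed in.
        now = time.time() if now is None else now
        entry = self._handles.get(handle)
        if entry is None or entry[1] < now:
            return None  # unknown or expired handle: disclose nothing
        username, _ = entry
        allowed = RELEASE_POLICY.get(requester, set())
        return {k: v for k, v in USERS[username].items() if k in allowed}


class ServiceProvider:
    """Target site: assertion consumer, attribute requester and resource."""

    def __init__(self, entity_id, idp, required_affiliation):
        self.entity_id, self.idp = entity_id, idp
        self.required_affiliation = required_affiliation

    def access(self, handle, now=None):
        # Authorization is enforced here, on released attributes only.
        attrs = self.idp.attribute_query(handle, self.entity_id, now)
        if not attrs:
            return False
        return attrs.get("eduPersonAffiliation") == self.required_affiliation
```

Note that displayName is never released to the target, so a user can be authorized as faculty without being identified.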

12 Design Goals (relatively) seamless for users secure enough preserve privacy while permitting personalization manageable, scalable, flexible reduce the marginal cost and the barriers of implementing security

13 Shibboleth Project Deliverables An open source SAML implementation ( Java-based “origin” implementation (authentication and attribute authorities) “Target” implementations for Apache, IIS, with additional deployment vehicles in development, including Java and non-web application scenarios Federated PKI-based trust fabric

14 Outline What is Shibboleth? Shibboleth Federations and Trust Standards Convergence Current Status Library Considerations

15 Federations. Shibboleth “federations” are sets of sites that share common trust and operational metadata. Federations generalize bilateral arrangements between sites so policy can be delegated and scaled. Deployments can span federations and one-off agreements, and the PKI accommodates this.

16 Federation Services Vetting of identity providers Acting as naming authority for providers Aggregating, signing, publishing metadata Infrastructure for identity provider discovery Establishing ground rules for members Defining vocabularies of attributes and semantics Mediation and indemnification (in some deployments)

17 The Trust Continuum. Collaborative trust at one end: Can I videoconference with you? You can look at my calendar. You can join this computer science workgroup and edit this program. Students in Physics 201 at Brown can access this on-line sensor. Members of the campus community can access this licensed resource. Legal trust at the other end: Sign this document, and guarantee that what was signed was what I saw. Encrypt this file and save it. Identify yourself to this high security area.

18 Dimensions of the Trust Continuum. Collaborative trust: handshake; consequences of breaking trust more political (ostracism, shame, etc.); fluid (additions and deletions frequent); shorter term; structures tend to clubs and federations; privacy issues more user-based. Legal trust: contractual; consequences of breaking trust more financial (liabilities, fines and penalties, indemnification, etc.); more static (legal process time frames); longer term (justify the overhead); tends to hierarchies and bridges; privacy issues more about laws and rules.

19 Federation Examples InQueue (Internet2 pilot federation) InCommon (Internet2/US, forthcoming) SWITCH (Swiss federation) Statewide initiatives Intra-university deployments Other international collaborations

20 InCommon A federation for American higher education, initially focused on “.edu” origins. Builds an open identity infrastructure across higher education for academic and research collaboration, outsourced and governmental services, etc. Expected to serve as a trust anchor for a variety of Internet2 efforts. Low barrier to entry, minimal legalities

21 Practices of Interest to Members Initial identification/password assignment process for accounts Authentication mechanisms for account use Policy on the reuse of account names Business logic for key attributes, as the need arises Usage and storage of attributes by targets Current intent is descriptive, not prescriptive.

22 Outline What is Shibboleth? Shibboleth Federations and Trust Standards Convergence Current Status Library Considerations

23 SAML. Shibboleth is based on SAML 1.x: SSO profiles initiated by the identity provider; query/response protocol for attributes and authorization. Lacking in interoperability: standardized “opaque” identifiers; service provider initiated SSO; metadata; standardized attribute profiles.

24 Liberty Alliance ID-FF. Builds on SAML 1.1 to specify a suite of protocols around “identity federation”, or account linking between providers. Best features: metadata format and exchange protocol; rich protocol for requesting authentication, permitting control over strength, interactivity, re-authentication; detailed “context” data about identification and authentication during SSO.

25 Road to Convergence. Work underway on SAML 2.0, drawing on: SAML 1.x deployment feedback; Shibboleth use cases; Liberty Alliance ID-FF specifications; XACML-based authorization enhancements. Standard due Q. Migration to the new standard will increase commercial interoperability and functionality.

26 Outline What is Shibboleth? Shibboleth Federations and Trust Standards Convergence Current Status Library Considerations

27 Current Status: available since July; made available in mid-August, added Windows/IIS target support, simpler configuration; next code drop expected in March (~1.2). Pilots: Internet2 pilot testing with the InQueue federation; production InCommon federation being deliberately established.

28 Getting Started Binary and source distributions available Origin components require user authentication and a raw attribute source (LDAP, JDBC, other JNDI, custom) Institutions can join InQueue to test in a federated environment Individuals can use custom configuration data for private testing

29 Future Work Security and metadata improvements (revocation, etc.) Apache 2 support Java support Enhanced virtual hosting of applications Better auditing Management interfaces SAML 2.0 support XACML-based resource manager

30 Outline What is Shibboleth? Shibboleth Federations and Trust Standards Convergence Current Status Library Considerations

31 Campus Deployment Two principal roles in a typical university library: Authenticating/authorizing off-campus access via proxies to non-partnering vendors Replacing location-based and other forms of weak or unwieldy authentication with partnering vendors

32 Changing Environment Increased demand for a more seamless transition between library and learning resources Increased acceptance of the need for stronger authentication Slow trend toward digitization of valuable materials

33 Some of the Outstanding Issues Identity Provider discovery and issues of multiple federations Recognition of Shibboleth authentication by service providers Direct linking to resources in a multi- authentication environment Institutional vs. library patron data