Internet2 CAMP Shibboleth: Scott Cantor (Hey, that’s my EPPN too.), Tom Dopirak


1 Internet2 CAMP Shibboleth
Scott Cantor (Hey, that’s my EPPN too.)
Tom Dopirak

2 Outline
- Overview and Status
- Life as an Origin Site
- Life as a Destination Site
- Pilots and Next Steps

3 What is Shibboleth?
- An initiative to develop an architecture, policy framework, and practical technologies to support inter-organizational sharing of secured web resources and services
- An Internet2/MACE project with intellectual and financial support from IBM/Tivoli

4 Division of Labor
- Destination and origin site collaborate to provide a privacy-preserving “context” for Shibboleth users
- Origin site authenticates user (federated identity)
- Destination site requests attributes about user directly from origin site and manages access policies based on them
- Users (and organizations) can control what attributes are released

5 Establishing a User Context

6 Getting Attributes and Determining Access

7 Planned Deliverables
- An open-source reference implementation of much (but not all) of SAML and all Shibboleth components
- Documentation (reference materials, deployment assistance)
- Policies and procedures for joining an initial community of sites (Club Shib)

8 Licensing
- The Shibboleth implementation will be open-source under one of the prevailing license models (which one is TBD).
- Every effort is being made to require only open-source (and non-copylefted) libraries and supporting products (so far, so good).
- By aligning with SAML, commercial solutions may develop.

9 Status Report
- Architecture and policy discussions wrapping up, documents being drafted
- Programming is underway, divided among IBM/Tivoli, Carnegie Mellon, and Ohio State
- Early implementations of a Handle Service and SHIRE are functioning

10 Schedule
- SAML headed to last call imminently, allowing “1.0” publication of architecture and APIs
- Some alpha code due in late February
- Beta implementation due in late Spring

11 Early Implementation Details
- Operating Systems: Red Hat Linux, Solaris
- Java SDK
- XML libraries from xml.apache.org
- Apache 1.3.x
- mod_ssl and OpenSSL
- Tomcat
- Web ISO (e.g. pubcookie)
- Directory Services: OpenLDAP, iPlanet
- MySQL
- Perl

12 Interesting URLs
- Shibboleth
- SAML
- API Docs (for those with copious free time)

13 Outline
- Overview and Status
- Life as an Origin Site
- Life as a Destination Site
- Pilots and Next Steps

14 Shibbolization Cookbook for Origin Sites
- Apply to the club as an origin site
- Choose any web server that can host Java Servlet and JSP applications
- Deploy an HS (Handle Service) behind web initial sign-on
- Deploy an AA (Attribute Authority) in conjunction with the HS
- Install AA plugins for attributes (Java API)
- Establish default ARPs for the community

15 It’s About the Data: Attributes To share resources securely, authorization attributes are needed. Cooperating sites share a common core of attributes, and may define custom attributes for special needs (such as a contract). eduPerson is the starting point.

16 Some “Club Shib” Attributes
- eduPersonPrincipalName (identity-based access)
- eduPersonAffiliation (broad demographic access)
- eduPersonEnrolledCourse (class membership access)
- eduPersonEntitlement (access per agreement)
- eduPersonExtension (used for groups)
- ou (organizational unit) (member of department)
- Demographic information?

17 Attribute Sources
- Shibboleth defines logical attributes that may (but need not) map directly to their directory or database representation.
- Initial attributes are designed to map easily to the eduPerson LDAP schema.
- The Attribute Authority obtains attributes from plugins (LDAP, JDBC, ????).

18 Privacy and ARPs The P3P makes privacy the voluntary responsibility of the site collecting the information (you may have no privacy, but now it’s explicit). Shibboleth allows the origin site and the user to share an explicit role in the responsibility with Attribute Release Policies.

19 Attribute Release Policies
- Default policies let users and admins pick a starting point in the privacy spectrum with minimal effort (e.g. member of community only).
- Admins work with vendors and partners to define special release policies or attributes needed for a specific destination site.
- Local privacy concerns can be addressed.

20 Managing ARPs
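The release model sketched on slides 18 to 20, as an added example that is not part of the original presentation: a site-wide default ARP releases only the “member of community” fact to any destination, an admin-defined ARP releases more to one negotiated partner, and the user can only narrow what the site would release. The rule structure, destination names and attribute values are constructed for this example and are not the Shibboleth ARP format.

```python
# Added example, not from the slides: a simplified model of Attribute Release
# Policies (ARPs). The rule structure here is hypothetical, not the format the
# Shibboleth origin actually uses; the attribute URNs follow slide 25, and the
# EnrolledCourse URN is constructed by analogy.
EPPN = "urn:mace:eduPerson:EPPN"
AFFILIATION = "urn:mace:eduPerson:Affiliation"
ENTITLEMENT = "urn:mace:eduPerson:Entitlement"
COURSE = "urn:mace:eduPerson:EnrolledCourse"

# Constructed attribute set for one user, as the Attribute Authority might
# obtain it from its LDAP plugin.
USER_ATTRIBUTES = {
    EPPN: ["jdoe@example.edu"],
    AFFILIATION: ["member", "student"],
    ENTITLEMENT: ["urn:mace:example.edu:contract:webassign"],
    COURSE: ["urn:mace:example.edu:course:math101"],
}

# Site ARPs. The default rule ("*") is the "member of community only" starting
# point; the admin adds a destination-specific rule negotiated with a partner.
SITE_ARPS = [
    {"target": "*", "release": {AFFILIATION: ["member"]}},
    {"target": "webassign.example.net",
     "release": {EPPN: "*", COURSE: "*", ENTITLEMENT: "*"}},
]

# User ARP: the user can only further restrict what the site would release.
USER_DENIES = {
    "*": {ENTITLEMENT},                        # never release entitlements
    "journal.example.com": {AFFILIATION},      # nothing at all to this site
}

def release(attributes, site_arps, user_denies, destination):
    """Return the attributes (URN -> sorted values) released to `destination`."""
    released = {}
    for rule in site_arps:
        if rule["target"] not in ("*", destination):
            continue
        for attr, allowed in rule["release"].items():
            values = attributes.get(attr, [])
            if allowed != "*":                 # release only the listed values
                values = [v for v in values if v in allowed]
            if values:
                released.setdefault(attr, set()).update(values)
    # User denies apply after site policy, so they can only remove attributes.
    for attr in user_denies.get("*", set()) | user_denies.get(destination, set()):
        released.pop(attr, None)
    return {attr: sorted(vals) for attr, vals in released.items()}
```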

21 Shibboleth and Web-ISO
- User authentication is up to the origin site.
- The Shibboleth Handle Service is like a web application that needs to authenticate its users (though of more importance).
- Use pubcookie, client certificates, or any other mechanism that populates REMOTE_USER, and let Shibboleth take over.

22 Outline
- Overview and Status
- Life as an Origin Site
- Life as a Destination Site
- Pilots and Next Steps

23 Shibbolization Cookbook for Destination Sites
- Apply to the club as a destination site
- Choose any web server (as long as it’s Apache 1.3.x, but others to follow)
- Equip it with the SHIRE and SHAR modules (note the SHIRE includes a Java servlet for the time being)
- Install SHAR plugins for attributes (C++ API)

24 Access Control and Attribute Consumption
- A Resource Manager leveraging .htaccess will be provided to evaluate and test simple policy rules before fulfilling requests.
- Shibboleth defines a standard interface between web applications and attribute data (a CGI header mechanism).
- Attributes provide their own serialization and matching rules (via plugins).

25 Sample Attribute Expressions (still a work in progress)
- To test an attribute, we must know its unique name (URN?), its value, and possibly its scope/domain.
- urn:mace:eduPerson:EPPN
- urn:mace:eduPerson:Affiliation
- urn:mace:eduPerson:Entitlement
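The destination-side evaluation described on slides 24 and 25 (attributes arriving through a CGI header mechanism, rules naming an attribute URN, a value and possibly a scope), as an added example that is not code from the Shibboleth project. The header names, separator convention and sample values are constructed for this example; only the URNs come from the slide.

```python
# Added example, not from the slides: destination-side evaluation of simple
# attribute rules (URN, value, optional scope) over attributes handed to a web
# application as request headers. Header names and sample values are
# constructed for this example; they are not Shibboleth's actual header names.
AFFILIATION = "urn:mace:eduPerson:Affiliation"
ENTITLEMENT = "urn:mace:eduPerson:Entitlement"
EPPN = "urn:mace:eduPerson:EPPN"

HEADER_TO_URN = {
    "Shib-EP-Affiliation": AFFILIATION,
    "Shib-EP-Entitlement": ENTITLEMENT,
    "Shib-EPPN": EPPN,
}

# Constructed headers: several values separated by ";", scoped values written
# as value@scope, unscoped values (entitlement URNs) left bare.
SAMPLE_HEADERS = {
    "Shib-EP-Affiliation": "member@osu.edu;student@osu.edu",
    "Shib-EP-Entitlement": "urn:mace:example.org:contract:journals",
    "Shib-EPPN": "jdoe@osu.edu",
}

def parse_attributes(headers):
    """Map attribute URN -> list of (value, scope-or-None) from request headers."""
    attrs = {}
    for header, raw in headers.items():
        urn = HEADER_TO_URN.get(header)
        if urn is None:                       # not an attribute header
            continue
        for item in filter(None, (s.strip() for s in raw.split(";"))):
            if "@" in item:
                value, scope = item.rsplit("@", 1)
            else:
                value, scope = item, None
            attrs.setdefault(urn, []).append((value, scope))
    return attrs

def satisfies(attrs, urn, value, scope=None):
    """True if the user holds `value` for `urn`. When the rule names a scope,
    only a value asserted in exactly that scope counts, so an unscoped or
    differently scoped assertion cannot satisfy a scoped rule."""
    return any(v == value and (scope is None or s == scope)
               for v, s in attrs.get(urn, []))

def require_all(attrs, rules):
    """Evaluate a policy: every (urn, value[, scope]) rule must hold."""
    return all(satisfies(attrs, *rule) for rule in rules)
```

A deployment would additionally check that the asserting origin is entitled to the scope it claims, a check the plugins' matching rules are the place for.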

26 Existing Applications (from most to least integrated)
- Shibbolize the application and unify intra-campus and inter-campus users
- Add a second URL tree for inter-campus users
- Use a Shibbolized proxy server
(The latter two might also require code changes or attribute mapping. This is all much simpler for static content.)

27 Outline
- Overview and Status
- Life as an Origin Site
- Life as a Destination Site
- Pilots and Next Steps

28 Profile of Pilot Sites
- Member of campus community accessing licensed resource
  - University hosting licensed databases accessed from other universities
  - Talking to several commercial vendors (they need “their customers” asking for this functionality…)
- Member of a course accessing remotely controlled resource
  - Web based testing
  - Clearinghouse for curriculum packages
  - Web based tools used in courses
- Member of a workgroup accessing controlled resources
  - Multi-institution project teams
- Intra-campus scenario
  - Unified access for internal and external users to resources

29 Some Pilots
- Penn State, Virginia, WebAssign: web-based testing for courses
- University of Delaware: Problem Based Learning Clearinghouse (resource for instructors)
- EDINA (Edinburgh, UK), London School of Economics: licensed information resources
- OSU: intra-campus use
- Internet2: multi-campus workgroups

30 We’re Talking To…
- SFX
- Commercial Information Vendors
- Project Meteor