Shibboleth Update Advanced CAMP 7/31/02 RL “Bob” Morgan, Washington Steven Carmody, Brown Scott Cantor, Ohio State Marlena Erdos, IBM/Tivoli Michael Gettes,
Presentation transcript:

Shibboleth Update Advanced CAMP 7/31/02 RL “Bob” Morgan, Washington Steven Carmody, Brown Scott Cantor, Ohio State Marlena Erdos, IBM/Tivoli Michael Gettes, Georgetown Keith Hazelton, Wisconsin David Wasley, UCOP The CMU programming team Ken Klingenstein, Director Internet2 Middleware Initiative

Discussion outline
- Quick Definition/Architecture Refresh/Review
- Current Status - Development
- Current Status - Rollout
- Demo
- Next Steps
- What Does it Take for a Campus to Install Shib? Installation and plumbing; Joining the Club
- Here's how you can get involved!
- Questions/Discussion


Quick Definition/Architecture Refresh/Review
- Background, Motivation
- High Level Architecture
- Policy and Trust

What is Shibboleth?
- An initiative to develop an architecture and policy framework supporting the sharing, between domains, of secured web resources and services
- A project delivering an open source implementation of the architecture and framework

What is Shibboleth? A system...
- ...with an emphasis on privacy: users control release of their attributes
- ...based on open standards (SAML) and available in open source form
- ...built on “federated administration”

Example Scenarios
1. A member of the campus community accessing a licensed library resource
2. Students enrolled in a course across multiple universities accessing class materials and Learning Mgmt Systems
3. Research workgroups sharing controlled resources (the original web)
4. Intra-university information access

Why Shibboleth?
- Growing interest in collaboration and resource sharing among institutions
- Better security tools will make collaboration more “painless” and more secure
- Current "solutions" are primitive; we can do better today and without local overhaul

Why Shibboleth? Federated Administration
- Users registered only at their “home” or “origin” institution
- Flexibly partitions responsibility, policy, technology, and trust
- Authorization information sent, instead of authentication information
  - when possible, use groups instead of people on ACLs
  - identity information still available for auditing and for applications that require it

Why Shibboleth? Privacy
- Higher Ed has privacy obligations
- In US, “FERPA” requires permission for release of most personal identification information; encourages least privilege in information access
- General interest and concern for privacy is growing
- Shibboleth has active (vs. passive) privacy provisions “built in”

What is Shibboleth? Deliverables
- A partially-complete open-source implementation of SAML (OpenSAML)
- An open-source implementation of the Shibboleth architecture on top of OpenSAML
- Policies, trust infrastructure, and supporting material to enable deployment within interested communities, leveraging existing work when possible (e.g. eduPerson)


High Level Architecture
- Destination and origin site collaborate to provide a privacy-preserving “context” for Shibboleth users
- Origin site authenticates user
- Destination site requests attributes about user directly from origin site
- Users (and organizations) can control what attributes are released

Technical Components
- Origin Site: Handle Server, Attribute Authority
- Target Site: SHIRE, SHAR, WAYF, Resource Manager
- Existing assumed components:
  - for origins: Campus directory or attribute store; Web-ISO
  - for targets: web servers and resource managers

High Level Architecture

Attribute Authority: Management of Attribute Release Policies
- The AA provides ARP management tools/interfaces
- Different ARPs for different targets
- Each ARP specifies which attributes and which values to release
- Institutional ARPs (default)
  - administrative default policies and default attributes
  - site can force include and exclude
- User ARPs managed via “MyAA” web interface
- Release set determined by “combining” Default and User ARP for the specified resource
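As an added example (not code from the presentation or from the Shibboleth project), the Python below models the flow on the architecture and ARP slides above: the origin's Handle Server issues an opaque handle after local login, and the Attribute Authority answers a SHAR's attribute query by combining the institutional ARP and the user's “MyAA” ARP for that target. The directory entry, the target identifiers and the combination rule (site release set plus user additions minus user withholds, with site force-include and force-exclude overriding the user) are constructed assumptions, not the project's actual semantics.

```python
import secrets

# Constructed sample directory entry; attribute names follow eduPerson (assumption).
DIRECTORY = {
    "alice": {
        "eduPersonAffiliation": {"student", "member"},
        "eduPersonEntitlement": {"urn:mace:vendor:contract1234"},
        "ou": {"Economics Department"},
        "enrolledCourse": {"urn:mace:osu.edu:Physics201"},
        "eduPersonPrincipalName": {"alice@example.edu"},
    }
}

# Institutional ARPs keyed by target (SHAR) identifier; "*" is the site default.
# force_include / force_exclude are the site's overrides of the user's choices.
SITE_ARPS = {
    "*": {"release": {"eduPersonAffiliation"}, "force_include": set(),
          "force_exclude": {"eduPersonPrincipalName"}},
    "https://vendor.example.com": {
        "release": {"eduPersonAffiliation", "eduPersonEntitlement"},
        "force_include": {"eduPersonAffiliation"}, "force_exclude": {"eduPersonPrincipalName"}},
}

# User ARPs ("MyAA"): per target, extra attributes to release and ones to withhold.
USER_ARPS = {
    "alice": {
        "https://vendor.example.com": {"release": {"ou"}, "withhold": {"eduPersonEntitlement", "eduPersonAffiliation"}},
        "https://lms.example.edu": {"release": {"enrolledCourse", "eduPersonPrincipalName"}, "withhold": set()},
    }
}

class HandleServer:
    """Origin-side component: hands the browser an opaque handle after local login."""
    def __init__(self):
        self._handles = {}
    def issue(self, user):
        handle = secrets.token_urlsafe(16)  # random, so the target learns nothing from it
        self._handles[handle] = user
        return handle
    def resolve(self, handle):
        return self._handles.get(handle)

def combined_arp(user, target):
    """Assumed combination rule: (site + user) - user withholds, then site overrides win."""
    site = SITE_ARPS.get(target, SITE_ARPS["*"])
    mine = USER_ARPS.get(user, {}).get(target, {"release": set(), "withhold": set()})
    release = (site["release"] | mine["release"]) - mine["withhold"]
    return (release | site["force_include"]) - site["force_exclude"]

def attribute_query(handle_server, handle, target):
    """AA answer to a SHAR presenting a handle: only attributes the combined ARP allows."""
    user = handle_server.resolve(handle)
    if user is None:
        raise ValueError("unknown or expired handle")
    allowed = combined_arp(user, target)
    return {name: sorted(vals) for name, vals in DIRECTORY[user].items() if name in allowed}
```

With these ARPs the vendor target receives affiliation (forced by the site even though the user withheld it) and ou, but never the entitlement the user withheld or the principal name the site excludes.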

Authorization Attributes: Typical Attributes in the Higher Ed Community

Attribute       Meaning                     Example value
Affiliation     “active member of”
Entitlement     An agreed upon opaque URI   urn:mace:vendor:contract1234
OrgUnit         Department                  Economics Department
EnrolledCourse  Opaque course identifier    urn:mace:osu.edu:Physics201

Shibboleth and PKI
- Shibboleth will establish a lightweight PKI between sites and servers to secure itself.
- Shibboleth fully supports the use of certificates to authenticate users.
- Shibboleth follow-on work will fully support the use of certificates by target sites directly, provided the necessary profile work is undertaken.


Policy and Trust
- SAML and the Shibboleth architecture leave “tough” questions about policy and trust to implementers and deployers.
- Communities of sites that want to interoperate will establish federations with common policies and trust models.

Federations (Circles of Trust)
- Communities must define (for example):
  - attribute vocabulary, syntax, and usage
  - expectations in areas like user identification and authentication, account policies
  - a trust model for securing the system
- Internet2/MACE is forming one such federation (informally known as “Club Shib”) by creating policy documents and infrastructure for higher education sites and those with which we do business.


Current Status
- Architecture about to enter final call
- Policy documents being drafted
- Programming divided among Carnegie Mellon, Ohio State, and additional contractors
- OpenSAML Beta-1 available now
- Shibboleth Alpha-2 available to selected sites early July, wider distribution soon (10-20 projects)

Current Status
- Call for participation went out to campuses in late June for pilot with commercial content providers (EBSCO, Elsevier, sfx)
- Several European Higher Ed systems evaluating Shib for use country-wide
- First Shibbolized application has gone production
- Production version of Shibboleth expected by October, with the goal of inclusion in the second NMI release

Currently working with:
- NSDL (National Science Digital Library)
- Commercial Content Providers (EBSCO, Elsevier, sfx, OCLC)
- Meteor (Student Loan System)
- WebAssign (Web Based Testing, Physics and Chemistry)


Next Steps
- Wider alpha deployment, for verification and testing
- Complete v1 implementation
- Identify other key applications
- Gain experience with federation
- What does it mean to “manage attribute release”?
- Shibbolizing other applications?


Policy and Trust: “Club Shib”
- A foundation on which to build:
  - an initial set of attributes based on eduPerson but fully supporting bilateral arrangements
  - a simple PKI suitable for “collaborative trust”
  - a central registry of information about participating sites and their local account practices
  - basic rules governing membership, usage of attributes, and layering of additional policies
- A low barrier to entry for both schools and information providers

Campus Account Practices of Interest to Club Members
- Initial identification/password assignment process for accounts
- Authentication mechanisms for account use
- Policy on the reuse of account names
- Business logic for key attributes like affiliation, as the need surfaces
- Current intent is descriptive, not prescriptive.


Here's how you can get involved!
- Let us know you’re interested
- Join the lists
- Identify problems in your environment where Shib could provide value
- Respond to the CFP
- Talk to us this week!

THE END
Acknowledgements:
Design Team: David Wasley, U of C; RL ‘Bob’ Morgan, U of Washington; Keith Hazelton, U of Wisconsin (Madison); Marlena Erdos, IBM/Tivoli; Steven Carmody, Brown; Scott Cantor, Ohio State
Important Contributions from: Ken Klingenstein (I2); Michael Gettes, Georgetown; Scott Fullerton (Madison)

Questions, Discussion…..