Shibboleth A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See --Judges xii. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. - Webster's Revised Unabridged Dictionary (1913):Webster's Revised Unabridged Dictionary (1913)

Shibboleth - What is it? an initiative to analyze and develop mechanisms(architectures, frameworks, protocols and implementations) for inter- institutional web access control facilitated by Mace (a committee of leading higher ed IT architects) and Internet2 “authenticate locally, act globally” the Shibboleth shibboleth oriented towards privacy and complements corporate standards efforts open solution vendor participation - IBM et al

Isn’t This What PKI Does? PKI does this and a whole lot more; as a consequence, PKI does very little right now End-to-end PKI fits the Shibboleth model, but other forms of authentication do as well Uses a lightweight certificate approach for inter-institutional communications - uses the parts of PKI that work today (server side certs) and avoids the parts of PKI that don’t work today (eg client certs). Allows campuses to use other forms of authentication locally May actually have benefits over the end-user to target-site direct interactions...

Related Work Previous DLF work OASIS Security Services Technical Committee (vendor activity, kicked off 1/2001) UK - Athens and Sparta projects Spain - rediris project

Assumptions Leverage vendor and standards activity wherever possible (OASIS) (Initially) disturb as little of the existing campus infrastructure as possible Work with common, minimal authorization systems (eg htaccess) Encourage good campus behaviors Learn through doing Create a marketplace and reference implementations Protect Personal Privacy!

Stage 1 - Addressing Three Scenario’s Member of campus community accessing licensed resource Anonymity required Member of a course accessing remotely controlled resource Anonymity required Member of a workgroup accessing controlled resources Controlled by unique identifiers (e.g. name) Taken individually, each of these situations can be solved in a variety of straightforward ways. Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.

Architectural Model Local Authentication Local Entity Willing to Create and Sign Entitlement Set of assertions about the user (Attribute/value pairs) User has control over disclosure Identity optional “active member of community”, “Associated with Course XYZ” Target responsible for Authorization Rules engine Matches contents of entitlements against ruleset associated with target object Cross Domain Trust Previously created between origin and target Perhaps there is a contract (information providers..)

Target Web Server Origin Site Target Site Browser Authentication Phase First Access - Unauthenticated Authorization Phase Pass content if user is allowed Shibboleth Architecture Concepts - High Level

Second Access - Authenticated Target Web Server Origin Site Target Site Browser First Access - Unauthenticated Web Login Server Redirect User to Local Web Login Ask to Obtain Entitlements Pass entitlements for authz decision Pass content if user is allowed Authentication Attribute Server Entitlements Auth OK Req Ent Ent Prompt Authentication Phase Authorization Phase Success! Shibboleth Architecture Concepts (detail)

Charge -- OASIS Security Services Technical Committee Standardize: an XML format for "assertions” (authentication, authorization, authorization decision, access yes/no) (maybe) a (stateless ?) request/response protocol for obtaining assertions transport bindings for this protocol to HTTP, S/MIME, RMI, etc. This will be accompanied by requirements/scenarios, compliance info, security considerations, etc Out of Scope… How authentication is done Defining specific attributes (eg “member of community” Establishing trust between origin and target Note.. Inter-product, not explicitly inter-domain

Component Relationship Model ORIGIN TARGET

Authorization Attributes Typical Assertions in the Higher Ed Community “active member of the community” “active in course X” member of group “georgetown.giia ? Signed by the institution! (optional in OASIS, required in Shib

Isn’t This What LDAP Does? Since this doesn’t exist yet, it can do a lot more than LDAP! (-: XML is so extensible that this is the last protocol that we’ll ever need! (-: OK, tell me really….. The key here is the CONTROLLED dissemination of attribute information, based on multiple factors.

Target Web Server Origin Site Target Site Browser Shibboleth Architecture -- Managing Trust TRUST Attribute Server Shib engine

Personal Privacy An Attribute Authority releases Personal Information to site X based on: Site Defaults –Contract provisions –Business Rules User control –myAA

Shibboleth vs OASIS Security Effort vs Products OASIS Security Effort Defining Standards to support inter-operation of web access control products Vendor Products Implement Standards Add value in Authentication, Attribute Authority, PDP Shibboleth Open Source Implementation! Create Trust Framework Define Higher Ed specific Attributes (hopefully) “Where are you from?” service

Campus and Resource Requirements To Participate in Shibboleth, a site must have: campus-wide authentication service campus-wide identifier space (EPPN) Implementation of Eduperson objectclass Ability to generate attributes (eg “active member of the community”)

Issues Personal Privacy (reasonable expectation, laws) Relation to local weblogin (Single Signon) Portals Use of Shibboleth framework by services beyond the web Grid resources and users

Relationship - Shibboleth to Portals PDP AuthN Dir Shibboleth Portal Shibboleth Portal Apps Web Res Web Login Dir Web Resource Shibboleth

Project Status/Next Steps Requirements and Scenarios document nearly finished IBM and Mace-Shibboleth are refining architecture and evaluating issues IBM intends to develop an Apache web module Internet2 intends to develop supporting materials (documentation, installation, etc) and web tools (for htaccess construction, filter and access control, remote resource attribute discovery). Technical design complete - April, 2001 Coding... Pilot site start-up - Aug, 2001 Public demo- Internet2 Fall Member Meeting 2001

Middleware Inputs & Outputs Grids JA-SIG & uPortalOKIInter-realmcalendaring Shibboleth, eduPerson, Affiliated Dirs, etc. EnterpriseDirectoryEnterpriseAuthenticationLegacySystemsCampus web sso futures EnterpriseauthZ LicensedResourcesEmbedded App Security Shibboleth, eduPerson, and everything else

Questions?