Shibboleth for Local Attribute Delivery 21 June 2007.


Shibboleth with Backchannel (diagram)
Components: User, SP, WAYF, IdP (HS and AA). The SP talks to the IdP's AA over a back channel that does not pass through the user's browser.

Shib Attribute Delivery
- AA: SOAP server on port 8443
- SP: SOAP client
- SP sends a SAML Attribute Query; AA returns a SAML Attribute Response
- Attribute exchange uses SOAP over an HTTPS-encrypted channel

SAML Attribute Query (abridged)
<Request … IssueInstant="…T12:12:12Z" … RequestID="_50e5776dca6345c77987a4c22">
  <NameIdentifier Format="…shibboleth:1.0:nameIdentifier" NameQualifier="…">mrosz</NameIdentifier>
The NameIdentifier carries the NetID (mrosz) itself; SAML 1.x spells the request's identifier attribute RequestID.

SAML Attribute Response (abridged)
<Response … ResponseID="_e4a2475bc5437b89ac866c66d59efdc6">
  … attribute values for that subject, e.g. Roszkowski

For "local" Attribute Delivery
- Set up a Shib IdP/AA that uses PrincipalNameIdentifier as the NameIdentifierMapping, so the subject of a query is the NetID itself rather than an opaque handle issued at login
- Develop scripts/programs that take a NetID as input, package it into a SAML attribute query, and deliver the query to the AA using SOAP over SSL
- Certs provide the "authentication" for this service: the AA identifies the calling client by its SSL client certificate and applies that client's ARP. Because the query carries a bare NetID, the AA cannot tell whether that user has actually logged in; whoever holds a trusted client cert can ask about any NetID, so issue those certs only to the application hosts and scope each ARP to the attributes that application needs.

Local Attribute Delivery (diagram)
Components: User, WebISO, Web server, App with SAML library, AA (SOAP server on port 8443).

Local Attribute Delivery
1. User requests a protected resource from a campus web server
2. User authenticates via WebISO
3. Application takes the NetID established by WebISO and submits an attribute query for it
4. Response from the AA contains the attributes for that NetID; they are returned to the application
5. Application uses the attributes to make an authorization decision and either delivers the content or denies access

Local Attribute Delivery (diagram)
App with SAML library and AA (SOAP server on port 8443): (1) the app sends the attribute query, (2) the AA returns the attribute response.
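The "scripts/programs that take a NetID and package it into a SAML attribute query" and the query/response steps of the flow above, as an added example that is not code from the slides: a small Python client that builds the SAML 1.1 AttributeQuery over SOAP, sends it to the AA on port 8443 with an SSL client certificate, and checks the response before handing attributes to the application. The AA path, the providerId, the NameQualifier and SAMPLE_RESPONSE are constructed for the example; only the NetID, surname and message IDs come from the slides.

```python
# Added example (not from the slides): client side of the AA attribute query.
# Assumptions: the AA path, providerId, NameQualifier and SAMPLE_RESPONSE are made up.
import datetime
import http.client
import secrets
import ssl
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SHIB_NAMEID_FORMAT = "urn:mace:shibboleth:1.0:nameIdentifier"
for _prefix, _uri in (("SOAP-ENV", SOAP_NS), ("samlp", SAMLP_NS), ("saml", SAML_NS)):
    ET.register_namespace(_prefix, _uri)


def build_attribute_query(netid, provider_id, name_qualifier,
                          request_id=None, issue_instant=None):
    """Return (request_id, SOAP envelope bytes) asking the AA about one NetID.

    With the Principal name mapping the subject is the bare NetID, so nothing
    here proves the user logged in; the client cert in query_aa() is the only
    authentication of this request."""
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    req = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{SAMLP_NS}}}Request",
                        {"MajorVersion": "1", "MinorVersion": "1",
                         "RequestID": request_id, "IssueInstant": issue_instant})
    # Resource names the querying SP (its providerId); the AA selects the ARP by it.
    query = ET.SubElement(req, f"{{{SAMLP_NS}}}AttributeQuery", {"Resource": provider_id})
    name_id = ET.SubElement(ET.SubElement(query, f"{{{SAML_NS}}}Subject"),
                            f"{{{SAML_NS}}}NameIdentifier",
                            {"Format": SHIB_NAMEID_FORMAT, "NameQualifier": name_qualifier})
    name_id.text = netid
    return request_id, ET.tostring(env, encoding="utf-8")


def parse_attribute_response(xml_bytes, expected_in_response_to, expected_netid):
    """Return {AttributeName: [values]} from the AA's SAML 1.1 Response.

    Rejects the message unless the status is Success, InResponseTo matches the
    RequestID we sent, and every attribute statement is about the NetID we asked
    for. No signature check: in this design the mutually authenticated HTTPS
    channel is what protects the exchange."""
    root = ET.fromstring(xml_bytes)
    resp = root if root.tag == f"{{{SAMLP_NS}}}Response" else root.find(f".//{{{SAMLP_NS}}}Response")
    if resp is None:
        raise ValueError("no samlp:Response in message")
    if resp.get("InResponseTo") != expected_in_response_to:
        raise ValueError("InResponseTo does not match our RequestID")
    code = resp.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    if code is None or code.get("Value", "").rsplit(":", 1)[-1] != "Success":
        raise ValueError("AA did not return Success")
    attrs = {}
    for stmt in resp.iter(f"{{{SAML_NS}}}AttributeStatement"):
        name_id = stmt.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameIdentifier")
        if name_id is None or name_id.text != expected_netid:
            raise ValueError("attribute statement is about a different subject")
        for attr in stmt.iter(f"{{{SAML_NS}}}Attribute"):
            values = [v.text or "" for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
            attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return attrs


def query_aa(host, envelope, client_cert, client_key, ca_file,
             port=8443, path="/shibboleth-idp/AA"):
    """POST the envelope to the AA over HTTPS, presenting our client cert.
    path is the usual Shibboleth 1.3 IdP AA location (assumption: check yours);
    SOAPAction is the value the SAML 1.1 SOAP binding requires."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(client_cert, client_key)
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    conn.request("POST", path, body=envelope, headers={
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": "http://www.oasis-open.org/committees/security"})
    reply = conn.getresponse()
    data = reply.read()
    conn.close()
    if reply.status != 200:
        raise ValueError(f"AA returned HTTP {reply.status}")
    return data


# Constructed sample response (IDs/issuer made up; NetID and surname from the slides).
SAMPLE_REQUEST_ID = "_50e5776dca6345c77987a4c22"
SAMPLE_RESPONSE = f"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}"><SOAP-ENV:Body>
<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
  ResponseID="_e4a2475bc5437b89ac866c66d59efdc6" InResponseTo="{SAMPLE_REQUEST_ID}" IssueInstant="2007-06-21T12:12:13Z">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1" Issuer="urn:mace:inqueue:example.edu" IssueInstant="2007-06-21T12:12:13Z">
    <saml:AttributeStatement>
      <saml:Subject><saml:NameIdentifier Format="{SHIB_NAMEID_FORMAT}" NameQualifier="urn:mace:inqueue:example.edu">mrosz</saml:NameIdentifier></saml:Subject>
      <saml:Attribute AttributeName="urn:mace:dir:attribute-def:sn" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <saml:AttributeValue>Roszkowski</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>""".encode()

if __name__ == "__main__":
    rid, envelope = build_attribute_query("mrosz", "https://app.example.edu/shibboleth",
                                          "urn:mace:inqueue:example.edu")
    print(envelope.decode())
    print(parse_attribute_response(SAMPLE_RESPONSE, SAMPLE_REQUEST_ID, "mrosz"))
```

Run as a script it prints the envelope it would send and the attributes parsed from the constructed response; query_aa() is the only part that needs the network, the AA host and the client certificate files, and a real deployment would wire it between the two calls in the main block. The two rejections in parse_attribute_response are the checks that matter for this design: InResponseTo ties the answer to the request this process made, and the subject check stops an application from acting on attributes for a different NetID than it asked about.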

What does it get us?
- Works for both web-based and non-web-based applications
- MST spends considerable time working on web services to provide attributes
- Clients are set up with the proper certs (we could probably use the web services certs and CA) to look like an SP, and must handle the SAML conversation
- No configuration of attributes on the client (except in the app that will consume them)

What does it get us? (cont.)
- MST controls which attributes are released to which SPs via standard Shib Attribute Release Policies (ARPs)
- To release a new attribute to a client, we just edit the ARP on the IdP
- We already have the infrastructure to issue certificates
- Shibboleth supports multiple data sources for attributes: some could come from LDAP, some from UDS
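What "edit the ARP on the IdP" looks like, as an added example in Shibboleth 1.3 ARP syntax rather than a policy from the presentation: one rule scoped to a single client by its providerId, permitting two attributes and nothing else. The providerId and the attribute choices are made up for the example.

```xml
<!-- Added example of a Shibboleth 1.3 ARP; providerId and attributes are invented. -->
<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Description>Surname and staff affiliation for the payroll app only</Description>
  <Rule>
    <Target>
      <!-- Must equal the providerId the client sends as Resource in its query -->
      <Requester>https://payroll.example.edu/shibboleth</Requester>
    </Target>
    <Attribute name="urn:mace:dir:attribute-def:sn">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <!-- Release only the one value the app needs, not the whole attribute -->
      <Value release="permit">staff</Value>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>
```

Anything not permitted by a matching rule is not released, so adding a client means adding a Requester-scoped rule rather than widening an existing one. Since the Requester is matched against the providerId the client claims, the certificate the client presents must be the one the IdP trusts for that providerId; sharing one client cert across several applications would let any of them query under the others' ARPs.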

On the other hand…
- Requires sample code for each target platform/language (likely Perl with SOAP::Lite for Unix/Linux, Java, and .NET for Windows)
- Requires that we manage another namespace (Shib providerIds for the clients)

Why not just use Shib?
- Allows non-web apps to get attribute information from UDS
- Incremental approach: allows existing Pubcookie app servers to use attributes for authZ decisions
- Platform support is about the same for Pubcookie and Shib SPs
- Preserves the investment in Pubcookie