Shibboleth Access Management System
Walter Hoehn & David Millman, Columbia University

Introduction
- Why does the web need identity?
  - Access control
  - Customization
  - Collaboration
- Challenges
  - Privacy concerns/obligations
  - Hundreds of passwords vs. one centralized login (Microsoft Passport)
  - Protocol limitations

Shibboleth Overview
- Federated identity management
- Flexible attribute profiles
- Privacy controls
- Works with existing browser technology
- Standards-based

Shibboleth Overview (cont.)
- Origins (Identity Providers)
  - Manage user identity data
  - Authenticate users
  - Administer attribute release policies
  - Provide user attributes
- Targets (Resource Providers, later called Service Providers)
  - Administer access control policies
  - Administer attribute acceptance policies
  - Request attributes
  - Provide digital resources/services

Demo: NSDL.org

Who is working on Shibboleth?
- Internet2 (UCAID)
- Columbia University
- Brown University
- The Ohio State University
- The University of Washington
- MIT

Who is using Shibboleth?
- 17 identity providers (15 US universities, 1 UK university, the Swiss Education and Research Network)
- 4 content vendors (JSTOR, OCLC, EBSCO, ProQuest)
- 2 course management systems (Blackboard, WebCT)
- 1 online grading system (WebAssign)
- 1 inter-library loan vendor (Innovative Interfaces)

Advances since the last All-Projects meeting
- Security
  - PKI-based signature verification
  - SAML 1.1 support
- Performance
  - Improved caching mechanisms
  - Target can request specific attributes
- Privacy
  - Attribute Release Policy language and engine

Advances since the last All-Projects meeting (cont.)
- Integration
  - Attribute Resolution Engine (runtime configuration, metadirectory functionality)
  - Support for international characters in assertions
  - Stateless handle mechanism, which allows fault-tolerant configurations
  - Support for authenticating to the origin with SSL client certificates
- Expanded platform support
  - Origin: all JDK 1.4-compatible platforms
  - Target: Linux, Solaris, Windows / Apache, IIS
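The stateless handle mechanism listed above is worth seeing concretely. What follows is an added example, not code from the presentation or from the Shibboleth project: an origin issues the browser an opaque handle that carries the encrypted principal, the target it was issued for and an expiry, authenticated with an HMAC. Any origin node that shares the key can resolve it, so no session table has to be replicated, which is what makes fault-tolerant configurations possible; encryption keeps the principal opaque to the target, and the MAC stops forgery. The key, the lifetime, the target identifiers and the binding of a handle to one target are assumptions of this example. Only the standard library is used, so the cipher is encrypt-then-MAC built from HMAC-SHA256 in counter mode; a deployment should use an AEAD such as AES-GCM from a vetted library instead.

```python
"""Stateless opaque handle for a Shibboleth-style origin (added example).

Encrypt the claims, MAC nonce||ciphertext, base64 the result.  Any origin
node holding MASTER_KEY can validate a handle with no shared session state.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

MASTER_KEY = b"constructed demo key shared by all origin nodes"  # assumption
HANDLE_TTL = 30 * 60            # handle lifetime in seconds (assumed value)
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(master, label):
    """Separate encryption and MAC keys derived from the one shared key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """Counter mode over HMAC-SHA256: block i = HMAC(key, nonce || i)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _xor(data, key_bytes):
    return bytes(a ^ b for a, b in zip(data, key_bytes))


def issue_handle(principal, target_id, master=MASTER_KEY, now=None, ttl=HANDLE_TTL):
    """Origin: encrypt the claims, authenticate nonce||ciphertext, base64 it."""
    now = int(time.time()) if now is None else now
    claims = json.dumps({"sub": principal, "aud": target_id, "exp": now + ttl},
                        separators=(",", ":"), sort_keys=True).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor(claims, _keystream(_subkey(master, b"enc"), nonce, len(claims)))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def resolve_handle(handle, target_id, master=MASTER_KEY, now=None):
    """Any origin node: check the MAC first, then decrypt, then target and expiry.

    Returns the principal or raises ValueError.  Log the reason; never echo it
    to the target, which must learn nothing from a rejected handle."""
    now = int(time.time()) if now is None else now
    try:
        blob = base64.urlsafe_b64decode(handle.encode())
    except ValueError:                          # binascii.Error is a ValueError
        raise ValueError("handle is not valid base64")
    if len(blob) <= NONCE_LEN + TAG_LEN:
        raise ValueError("handle too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("handle failed authentication")
    claims = json.loads(_xor(ct, _keystream(_subkey(master, b"enc"), nonce, len(ct))))
    if claims["aud"] != target_id:
        raise ValueError("handle was issued for a different target")
    if claims["exp"] <= now:
        raise ValueError("handle expired")
    return claims["sub"]


def demo():
    """Issue on one node, resolve on another, then exercise every rejection path."""
    t0 = 1_100_000_000                                # constructed clock value
    target = "https://sp.example.edu/shibboleth"      # hypothetical target id
    handle = issue_handle("whoehn", target, now=t0)
    blob = base64.urlsafe_b64decode(handle)
    raw = bytearray(blob)
    raw[NONCE_LEN] ^= 0x01                            # flip one ciphertext bit
    tampered = base64.urlsafe_b64encode(bytes(raw)).decode()

    def rejected(h, tid, now, key=MASTER_KEY):
        try:
            resolve_handle(h, tid, master=key, now=now)
            return False
        except ValueError:
            return True

    return {
        "opaque": b"whoehn" not in blob and "whoehn" not in handle,
        "resolved": resolve_handle(handle, target, now=t0 + 60),
        "expired": rejected(handle, target, t0 + HANDLE_TTL),
        "wrong_target": rejected(handle, "https://other.example.org/shibboleth", t0 + 60),
        "tampered": rejected(tampered, target, t0 + 60),
        "wrong_key": rejected(handle, target, t0 + 60, key=b"some other node's key"),
    }


if __name__ == "__main__":
    print(demo())
```

The MAC is checked before anything is decrypted or parsed, so a forged or corrupted handle never reaches the JSON parser; the expiry bounds how long a captured handle is useful, and binding to the target means a handle obtained by one target cannot be presented to another.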

Use Case: Accessibility
- A government agency creates a web site containing video footage of historically important NASA space flights
- The web site's interface must be adaptable for users with disabilities
  - A user with low vision prefers custom colors, font face, and font size
  - A user with hand tremors might prefer bigger links and buttons

Use Case: Accessibility (cont.)
- Appropriate content can be selected, or search priorities pre-set, for accessible resources
  - A user who is deaf may want only videos with closed captioning
  - A user who is blind may want images with text descriptions, and videos with audio descriptions, ranked highly in search results

Use Case: Accessibility (cont.)
- A solution
  - Agency installs a Shibboleth-enabled web service
  - The user's identity provider transmits accessibility metadata (IMS Learner Information Profile) to the web site via Shibboleth
  - Web site assigns style sheets based on the accessibility metadata
  - Web site search service uses the accessibility metadata in its ranking algorithms
Contact:

Use Case: Subscription-based content
- An online aggregator of scholarly medical publications sells subscriptions to a university library
- Eligible users should be able to access the content regardless of location
- The aggregator wants the flexibility to offer license agreements to subsets of a university community
- The library wants to maintain the privacy of its patrons and the security of their personal data

Use Case: Subscription-based content (cont.)
- A solution
  - Aggregator installs a Shibboleth-enabled web service
  - The university's IT department deploys a Shibboleth origin in conjunction with its central directory service
  - The university transmits eduPersonEntitlement attribute data via Shibboleth

Use Case: Web site contains curriculum aids for middle school science
- The site includes curriculum aids, such as photographs, videos, maps and report topics, that are freely available for students to download
- The site also includes lesson plans, discussion questions, and tests that accompany the freely available materials. These should only be available to educators.

Use Case: Web site contains curriculum aids for middle school science (cont.)
- A solution
  - Site installs a Shibboleth-enabled web service
  - The user's identity provider transmits information related to teacher credentialing
- Requirements are different
  - Not a user-settable preference (as in the accessibility use case)
  - Not provided by existing university infrastructure (as in the subscription use case)

Target Installation
- Prerequisites
  - SSL-enabled web server
  - Supported platform
  - Relationship with an identity provider or federation
- Install pluggable Shibboleth module
- Configure site metadata
- Configure attribute acceptance policies
- Configure access control rules
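The origin/target roles from the overview, the entitlement-based subscription use case and the last two installation steps (attribute acceptance policy, access control rules) fit together in one exchange. The following is an added example, not code from the presentation or from the Shibboleth project, and it models the policy logic rather than the SAML wire format: the origin authenticates the user, issues an opaque handle and answers the target's attribute query with only what its Attribute Release Policy (ARP) allows for that target; the target keeps only what its Attribute Acceptance Policy (AAP) permits and then applies an access rule. The attribute names are the eduPerson URNs; the license value, the provider identifiers, the directory entries and the policy layout are constructed for the example. The AAP scope check is the security-relevant step: a value such as member@example.edu is kept only if the asserting origin is authoritative for example.edu according to federation metadata, since otherwise any origin could claim membership at any campus.

```python
"""Origin/target attribute exchange with ARP and AAP (added example)."""
import hmac
import secrets

# eduPerson attribute names (the slide names eduPersonEntitlement); the license
# value and every provider identifier below are hypothetical.
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
ENTITLEMENT = "urn:mace:dir:attribute-def:eduPersonEntitlement"
LICENSE = "urn:mace:aggregator.example.com:license:medical-journals"
ORIGIN_U, ORIGIN_ROGUE = "urn:mace:example.edu:origin", "urn:mace:rogue.example.net:origin"
TARGET_AGG, TARGET_OTHER = "urn:mace:aggregator.example.com:target", "urn:mace:other.example.org:target"


class Origin:
    """Identity provider: authenticates, issues handles, enforces the ARP."""

    def __init__(self, provider_id, directory, arp):
        self.provider_id = provider_id
        self.directory = directory   # principal -> {"password": ..., "attributes": {name: [values]}}
        self.arp = arp               # target id or "*" -> {attribute name: list of values or "*"}
        self._handles = {}           # opaque handle -> principal (kept server-side in this example)

    def authenticate(self, principal, password):
        entry = self.directory.get(principal)
        if entry is None or not hmac.compare_digest(entry["password"], password):
            raise PermissionError("authentication failed")
        handle = secrets.token_urlsafe(24)   # random: reveals nothing about the user
        self._handles[handle] = principal
        return handle

    def attribute_query(self, handle, target_id, requested):
        principal = self._handles.get(handle)
        if principal is None:
            raise LookupError("unknown handle")
        policy = self.arp.get(target_id, self.arp.get("*", {}))   # per-target release policy
        released = {}
        for name, values in self.directory[principal]["attributes"].items():
            allowed = policy.get(name)
            if name not in requested or allowed is None:
                continue                                            # not released to this target
            keep = [v for v in values if allowed == "*" or v in allowed]
            if keep:
                released[name] = keep
        return {"issuer": self.provider_id, "attributes": released}


class Target:
    """Resource provider: queries attributes, enforces the AAP, decides access."""

    def __init__(self, provider_id, aap, scopes, rule):
        self.provider_id = provider_id
        self.aap = aap        # attribute name -> {"scoped": bool, "issuers": set or "*"}
        self.scopes = scopes  # issuer -> scopes it is authoritative for (from federation metadata)
        self.rule = rule      # callable(accepted attributes) -> bool

    def accept(self, response):
        issuer, accepted = response["issuer"], {}
        for name, values in response["attributes"].items():
            rule = self.aap.get(name)
            if rule is None or (rule["issuers"] != "*" and issuer not in rule["issuers"]):
                continue                       # unknown attribute, or this origin may not assert it
            keep = values
            if rule["scoped"]:                 # drop values whose scope this origin does not own
                ok = self.scopes.get(issuer, set())
                keep = [v for v in values if "@" in v and v.rsplit("@", 1)[1] in ok]
            if keep:
                accepted[name] = keep
        return accepted

    def authorize(self, origin, handle):
        """Returns (decision, accepted attributes)."""
        response = origin.attribute_query(handle, self.provider_id, set(self.aap))
        attrs = self.accept(response)
        return self.rule(attrs), attrs


def subscription_rule(attrs):
    """Subscription use case: the license entitlement grants access wherever the
    user is; affiliation alone does not."""
    return LICENSE in attrs.get(ENTITLEMENT, [])


def demo():
    """Campus origin serves two targets; a rogue origin tries to assert campus attributes."""
    directory = {"wh123": {"password": "constructed-pw", "attributes": {
        AFFILIATION: ["member@example.edu", "staff@example.edu"],
        ENTITLEMENT: [LICENSE],
        "urn:mace:dir:attribute-def:mail": ["wh123@example.edu"]}}}
    arp = {TARGET_AGG: {AFFILIATION: ["member@example.edu"], ENTITLEMENT: "*"},
           "*": {AFFILIATION: ["member@example.edu"]}}      # default: affiliation only, never mail
    campus = Origin(ORIGIN_U, directory, arp)
    aap = {AFFILIATION: {"scoped": True, "issuers": "*"},
           ENTITLEMENT: {"scoped": False, "issuers": {ORIGIN_U}}}   # only the campus may assert it
    scopes = {ORIGIN_U: {"example.edu"}, ORIGIN_ROGUE: {"rogue.example.net"}}
    aggregator = Target(TARGET_AGG, aap, scopes, subscription_rule)
    other = Target(TARGET_OTHER, aap, scopes, subscription_rule)
    handle = campus.authenticate("wh123", "constructed-pw")
    rogue = Origin(ORIGIN_ROGUE, {"mallory": {"password": "x", "attributes": {
        AFFILIATION: ["member@example.edu"], ENTITLEMENT: [LICENSE]}}},
        {"*": {AFFILIATION: "*", ENTITLEMENT: "*"}})
    return {"aggregator": aggregator.authorize(campus, handle),
            "other_target": other.authorize(campus, handle),
            "rogue_origin": aggregator.authorize(rogue, rogue.authenticate("mallory", "x"))}
```

Running demo() shows the three outcomes the slides describe: the aggregator receives the entitlement and grants access; an unrelated target receives only the affiliation the default ARP allows and is denied, never seeing the mail attribute; and the rogue origin's claims are discarded by the AAP, both the foreign-scoped affiliation and the entitlement it is not permitted to assert.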

Target Installation (cont.)
- Current required skill set
  - Service platform competency (OS, web server, application environment)
  - SSL
  - XML
  - X.509/PKI
  - Shibboleth federation model
- Closing the gap
  - Identify appropriate staff
  - Better software packaging/streamlined installation

Research/Directions for the future
- Access management for N-tier applications
- Attribute Release Policies
- Interfaces
- Resource description metadata
- Authorization services (XACML)
- Integration with other SAML-based identity services (Liberty)