Shibboleth: Molecules, Music, and Middleware. Outline ● Terms ● Problem statement ● Solution space – Shibboleth and Federations ● Description of Shibboleth.

Outline
● Terms
● Problem statement
● Solution space – Shibboleth and Federations
● Description of Shibboleth
  – 3 examples of Shib uses at Penn State
● Description of Federations
  – A look at InCommon
● What's it take to do all of this?

Some terms
● Authenticate – Determine that someone is who they say they are
● Authorize – Determine that someone has the privileges or attributes necessary to perform some function or gain access to information
● Federate – Take action across institutional realms
● Directory – Middleware service that describes people in your institution

What's the problem?
● We're serving lots of people (120,000)
● Those people want access to web-based information resources
● Rising legal, ethical, and economic development concerns about legal consumption and distribution of digital information
● Continued and growing concerns about privacy

[Diagram: the web resources our users want to reach – Communications, Learning Materials, Student Life, Research Materials, Stuff]

What's a solution?
● Shibboleth
  – Lets us use our existing infrastructures, processes, identities
  – Open source & open standards
  – Preserves anonymity, provides tools for managing privacy
  – We can provide pathways for appropriate/legal consumption and distribution of digital materials

What's a solution?
● Federations
  – Provide an infrastructure of trust (“trust fabric”)
  – Associations of enterprises come together to exchange information about their users and resources in order to enable collaborations and transactions
  – Built on the premise of “Enroll, authenticate and attribute locally... Act federally.”
  – InCommon – Federation for higher education and research in the U.S.

Shibboleth – What is it?
● An Internet2 middleware initiative designed to provide federated access management between Web-based resources
● Based on OASIS Security Assertion Markup Language (SAML)
● Allows you to authenticate locally and access Web resources from other institutions or sites
● Can be used to make complex, attribute-based authorization decisions
● Preserves privacy of the individual from the remote site

Shibboleth High Level Architecture
● The Service Provider (SP) site and the Identity Provider (IdP) site collaborate to provide a privacy-preserving “context” for Shibboleth users
● The IdP authenticates the user and asserts attributes
● The destination site (SP) requests attributes about the user directly from the Identity Provider site
● The destination site makes an access control decision
● Users (and IdP organizations) can control what attributes are released
● Federations provide common policy and trust (more later)

SAML (Security Assertion Markup Language)
● Developed by the OASIS XML-Based Security Services Technical Committee (SSTC)
● A way to represent authentication and attributes in XML
● Integrity and trust ensured by cryptographically signing the XML assertion
● TechOverviewV20-Draft7874.pdf
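The architecture and SAML slides above describe an exchange: the IdP authenticates the user locally, releases only the attributes its policy allows for that SP, and signs the assertion; the SP checks the signature against a key it trusts through the federation, checks that the assertion was meant for it and is still valid, and only then makes an attribute-based access decision. The following added example (not code from this presentation or from the Shibboleth project) walks through that exchange in a self-contained form. It assumes JSON in place of XML, an HMAC key shared via "federation metadata" as a stand-in for the X.509/XML-DSig signature real SAML uses, and constructed entity IDs, users and attribute values.

```python
"""Toy Shibboleth/SAML-style exchange: IdP asserts attributes, SP verifies and decides.
Constructed example; JSON + HMAC stand in for SAML XML + XML-DSig."""
import hashlib
import hmac
import json
import secrets
import time

# --- Constructed sample data (not real institutions, users or keys) ---
IDP_ID = "https://idp.example.edu/shibboleth"
SP_ID = "https://sp.example.org/shibboleth"

# Stand-in for the IdP signing credential that federation metadata distributes
# to SPs. Real Shibboleth signs with an X.509 key pair (XML-DSig); an HMAC key
# keeps this example dependency-free.
FEDERATION_SIGNING_KEYS = {IDP_ID: secrets.token_bytes(32)}

# The IdP's eduPerson-style directory (constructed entries).
IDP_DIRECTORY = {
    "jdoe": {"eduPersonAffiliation": ["student", "member"],
             "mail": "jdoe@example.edu", "displayName": "J. Doe"},
    "asmith": {"eduPersonAffiliation": ["faculty", "member"],
               "mail": "asmith@example.edu", "displayName": "A. Smith"},
}

# Attribute release policy: this SP is only entitled to see affiliation,
# never mail or displayName, so the SP cannot learn who the user is.
ATTRIBUTE_RELEASE_POLICY = {SP_ID: {"eduPersonAffiliation"}}

ASSERTION_LIFETIME = 300  # seconds the SP will accept an assertion for


def _canonical(obj):
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def idp_issue_assertion(username, sp_id, now=None):
    """IdP side: authenticate locally, filter attributes per policy, sign."""
    now = time.time() if now is None else now
    if username not in IDP_DIRECTORY:
        raise PermissionError("local authentication failed")
    allowed = ATTRIBUTE_RELEASE_POLICY.get(sp_id, set())
    released = {k: v for k, v in IDP_DIRECTORY[username].items() if k in allowed}
    assertion = {
        "issuer": IDP_ID,
        "audience": sp_id,                     # which SP this assertion is for
        "issue_instant": now,
        "not_on_or_after": now + ASSERTION_LIFETIME,
        "attributes": released,
    }
    sig = hmac.new(FEDERATION_SIGNING_KEYS[IDP_ID], _canonical(assertion),
                   hashlib.sha256).hexdigest()
    return {"assertion": assertion, "signature": sig}


def sp_verify_assertion(message, sp_id, now=None):
    """SP side: signature, audience and validity window are checked before
    any attribute is trusted. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    assertion = message["assertion"]
    key = FEDERATION_SIGNING_KEYS.get(assertion.get("issuer"))
    if key is None:
        raise ValueError("issuer not present in federation metadata")
    expected = hmac.new(key, _canonical(assertion), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["signature"]):
        raise ValueError("signature invalid: assertion altered or forged")
    if assertion["audience"] != sp_id:
        raise ValueError("assertion was issued for a different SP")
    if not (assertion["issue_instant"] <= now < assertion["not_on_or_after"]):
        raise ValueError("assertion expired or not yet valid")
    return assertion["attributes"]


def sp_access_decision(attributes, required_affiliation="student"):
    """SP side: attribute-based decision on the released attributes only."""
    return required_affiliation in attributes.get("eduPersonAffiliation", [])


def run_exchange(username, sp_id=SP_ID, now=1_700_000_000.0):
    """Full round trip; returns (attributes the SP saw, access decision)."""
    message = idp_issue_assertion(username, sp_id, now)
    attributes = sp_verify_assertion(message, sp_id, now)
    return attributes, sp_access_decision(attributes)


if __name__ == "__main__":
    print(run_exchange("jdoe"))    # student: affiliation released, access granted
    print(run_exchange("asmith"))  # faculty: affiliation released, access denied
```

The order of checks in `sp_verify_assertion` is the point a practitioner should take away: audience and lifetime checks are what stop an assertion captured for one SP from being replayed at another or reused later, and they are only meaningful after the signature has been verified.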

Shibboleth – Classical

Shibboleth – Attribute Push

Shibboleth - Artifact

Demo Time!

Shibboleth at Penn State
● Example 1 - WebAssign
  – Access to course materials at another university
  – NC State, WebAssign, Penn State Dept. of Physics
● Example 2 - Napster Experiment
  – Access to digital repositories
● Example 3 - LionShare
  – Authenticated peer-to-peer file sharing

Example 1 - WebAssign
Summer 2002
● ~20 students, 2 weeks, 1 course
Fall 2002
● ~200 students
● 3 courses
Spring 2003
● ~1800 students
● Successful logins: 63,026
● All physics courses at UP location can use Shibboleth
Fall Production!

Example 1 - WebAssign
● Before Shib:
  – 1st 2 weeks, 30 questions/day
  – Most questions about login
● After Shib:
  – Down to 1-2 questions/day
  – Non-Shib sections still at 15 questions/day

Example 2 - Napster Experiment
● Technical challenge
● Enable residence hall students access to web-based music resource in less than 40 days
● Initial community size ~18,000
● 24 campus locations throughout PA
● Roll-out to all of Penn State following semester
● Community size ~100,000

Example 2 - Napster Experiment
● Using Shibboleth allowed/allows us to:
  – authenticate locally to the near universally-adopted Penn State Access Account
  – query attributes of the individual and determine eligibility
  – present Napster with a role and unique identifier, without exposing the identity of the individual
  – hand off the transaction to Napster, where the individual sets up a Napster account
  – execute the terms and conditions of the contract AND preserve the individual's ability to maintain the Napster relationship after eligibility changes

Example 3 - LionShare
● A federated peer-to-peer file search application
● Users can identify each other and restrict sharing
● Leverages Internet2's InCommon federation and Shibboleth middleware for trust
● Authorization is attribute-based:
  – Ex: “Share syllabus.pdf with any student at Penn State in English 202A section 15.”
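Examples 2 and 3 above turn on two mechanisms: handing an SP an opaque identifier plus a role, so eligibility is decided from attributes at the IdP and the SP never learns who the person is (Napster), and evaluating a sharing rule against a requester's attributes (LionShare). The following added example (not Penn State's, Napster's or LionShare's code) shows both. The per-SP identifier is an HMAC over the local username and the SP's entity ID under a salt only the IdP holds, a stand-in for Shibboleth's salted-hash targeted ID; the directory entries, the `psuHousing` eligibility attribute and the `isMemberOf` course values are constructed for the example.

```python
"""Opaque per-SP identifiers and attribute-based sharing rules (constructed example)."""
import hashlib
import hmac
import secrets

# Secret salt held only by the IdP. Without it a targeted ID cannot be mapped
# back to a local account, and two SPs cannot correlate the IDs they receive.
IDP_SALT = secrets.token_bytes(32)

# Constructed directory entries; attribute names follow eduPerson style but the
# values and the psuHousing attribute are invented for this example.
DIRECTORY = {
    "jdoe": {"eduPersonAffiliation": ["student", "member"],
             "eduPersonScopedAffiliation": ["student@psu.example"],
             "isMemberOf": ["course:ENGL202A:section15"],
             "psuHousing": "on-campus"},
    "asmith": {"eduPersonAffiliation": ["faculty", "member"],
               "eduPersonScopedAffiliation": ["faculty@psu.example"],
               "isMemberOf": ["course:ENGL202A:instructor"],
               "psuHousing": "off-campus"},
}


def targeted_id(local_uid, sp_id, salt=IDP_SALT):
    """Opaque, persistent, per-SP identifier: same user + same SP gives the same
    value, a different SP gets an unrelated value, and the local uid is not
    recoverable without the IdP's salt (HMAC stand-in for a salted hash)."""
    return hmac.new(salt, f"{local_uid}|{sp_id}".encode(), hashlib.sha256).hexdigest()


def napster_handoff(local_uid, sp_id):
    """Napster-style release: eligibility is decided at the IdP from attributes;
    the SP receives only a role and an opaque identifier, never the identity.
    Returns None when local authentication fails or the user is not eligible."""
    attrs = DIRECTORY.get(local_uid)
    if attrs is None:
        return None
    eligible = ("student" in attrs["eduPersonAffiliation"]
                and attrs["psuHousing"] == "on-campus")
    if not eligible:
        return None
    return {"role": "eligible-resident-student", "id": targeted_id(local_uid, sp_id)}


def rule_matches(rule, attrs):
    """Attribute-based authorization: every (attribute, value) pair in the rule
    must be present among the requester's attributes (multi-valued or single)."""
    for name, wanted in rule.items():
        have = attrs.get(name, [])
        if isinstance(have, str):
            have = [have]
        if wanted not in have:
            return False
    return True


# "Share syllabus.pdf with any student at Penn State in English 202A section 15."
SYLLABUS_RULE = {
    "eduPersonScopedAffiliation": "student@psu.example",
    "isMemberOf": "course:ENGL202A:section15",
}


def may_download(local_uid, rule=SYLLABUS_RULE):
    """LionShare-style check of a sharing rule against a requester's attributes."""
    return rule_matches(rule, DIRECTORY.get(local_uid, {}))


if __name__ == "__main__":
    print(napster_handoff("jdoe", "https://music.example.com/sp"))   # role + opaque id
    print(napster_handoff("asmith", "https://music.example.com/sp"))  # None: not eligible
    print(may_download("jdoe"), may_download("asmith"))               # True False
```

Because the identifier is persistent for a given (user, SP) pair, the SP can keep its own account keyed on it, which is what lets the Napster relationship survive a later change in eligibility at the IdP; because it differs per SP, two providers cannot join their records on it.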

Back to Federations......

Why Federations?
● Institutional users acquiring content from popular providers (Napster, etc.) and academic providers (Elsevier, JSTOR, EBSCO, Pro-Quest, etc.)
● Institutions working with outsourced service providers, e.g. grading services, scheduling systems
● Inter-institutional collaborations, including shared courses and students, research computing sharing, etc.
● Shared network security monitoring, interactions between students and federal applications, peering with international activities, etc.

Examples of Federations
● JISC, SDSS
● InCommon
● Fed fed
● SWITCH
● ws-*
● Liberty Alliance
● Others are being developed

Deeper look at InCommon
● A federation to support the R&E community in inter-institutional collaborations
● InCommon operates at a high level of security and trustworthiness
● InCommon requires its participants to post their relevant operational procedures on identity management, privacy, etc.
● InCommon will be constructive and help its participants move to higher levels of assurance as applications warrant
● InCommon will work closely with other national and international federations

Federations Update – InCommon Membership
● Case Western
● Cornell
● Dartmouth
● Elsevier Science Direct
● Georgetown University
● Houston Academy of Medicine
● Medical Center Library
● Internet2
● OCLC
● Ohio University
● OhioLink - The Ohio Library & Information Network
● Napster
● SUNY Buffalo
● Penn State
● University of Chicago
● Ohio State University
● UC Irvine
● UCLA
● University of California-Office of the President
● UC San Diego
● University of Rochester
● University of Southern California
● University of Virginia
● University of Washington
● WebAssign

How'd you do that?

“If you want to make an apple pie from scratch, you must first create the universe.” -Carl Sagan

Baking Shibboleth/Federations
● Processes, procedures and policies for distributing and managing digital identities
  – Signature Stations, AD-20, enforcement tools, etc. -> identity management
● An eduPerson-compliant enterprise directory
● Authentication method(s)
● Acceptance of the identifier
● Strategies for protecting the identifier
● Put in the oven....

Shibboleth speeds/feeds at PSU
● Environment of 8 IBM Blade HS20, proc 2.4GHz (Xeon), mem 2.5GB
● Production Shibboleth IdP environment
  – Shibboleth 1.3a
  – InCommon Federation
  – (blades) servers
  – Load balance using Cisco SLB
  – WebAssign
  – Future - Angel, PHEAA, FastLane (FedFed)

Shibboleth speeds/feeds at PSU (cont.)
● Napster Shibboleth IdP environment
  – Shibboleth 1.1
  – non-federated
  – 4 (blades) servers
  – Load balance using Cisco SLB
● Future - migrate to current software, and integrate into production IdP environment
● Test Shibboleth environment
  – 1 (blade) server, IdP; 1 (blade) server, SP

Shibboleth Futures at Penn State
● WorldWide University Network
● FastLane
● iParadigm TurnItIn
● PHEAA/AES
● Library vendors
● Digitally signed transcripts
● Thomson Publishing
● ANGEL - CMS

Useful URLs/pointers
● Subscribe to shib mailing lists
● Emerging issues/technologies/recipes
  – SAML 2.0:

Contact Information
● Renee Shuey – psu.edu