Presentation is loading. Please wait.

Presentation is loading. Please wait.

Michael R Gettes, Duke University On behalf of the shib project team

Published byἈβιούδ Λαμπρόπουλος Modified over 5 years ago

Similar presentations

Presentation on theme: "Michael R Gettes, Duke University On behalf of the shib project team"— Presentation transcript:

1 Michael R Gettes, Duke University On behalf of the shib project team
Shibboleth Update Michael R Gettes, Duke University On behalf of the shib project team January 28, 2004 TIP2004

2 What is Shibboleth? (Biblical)
A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce “sh”, called the word sibboleth. See --Judges xii. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. Webster's Revised Unabridged Dictionary (1913)

3 What is Shibboleth? (modern era)
An initiative to develop an architecture and policy framework supporting the sharing – between domains -- of secured web resources and services A project delivering an open source implementation of the architecture and framework Deliverables: Software for Origins (campuses) Software for targets (vendors) Operational Federations (scalable trust)

4 Shibboleth Goals Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions Provide security while not degrading privacy. Attribute-based Access Control Foster interrealm trust fabrics: federations and virtual organizations Leverage campus expertise and build rough consensus Influence the marketplace; develop where necessary Support for heterogenity and open standards

5 Attribute-based Authorization
Identity-based approach The identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access. This approach requires the user to trust the target to protect privacy. Attribute-based approach Attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision. This approach does not degrade privacy.

6 Stage 1 - Addressing Four Scenario’s
Member of campus community accessing licensed resource Anonymity required Member of a course accessing remotely controlled resource Member of a workgroup accessing controlled resources Controlled by unique identifiers (e.g. name) Intra-university information access Controlled by a variety of identifiers Taken individually, each of these situations can be solved in a variety of straightforward ways. Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.

7 How Does it Work? Hmmmm…. It’s magic. :-)

8 High Level Architecture
Federations provide common Policy and Trust Destination and origin site collaborate to provide a privacy-preserving “context” for Shibboleth users Origin site authenticates user, asserts Attributes Destination site requests attributes about user directly from origin site Destination site makes an Access Control Decision Users (and origin organizations) can control what attributes are released

9 Technical Components Origin Site – Required Enterprise Infrastructure
Authentication Attribute Repository Origin Site – Shib Components Handle Server Attribute Authority Target Site - Required Enterprise Infrastructure Web Server (Apache or IIS) Target Site – Shib Components SHIRE SHAR WAYF Resource Manager

10 Shibboleth AA Process Users Home Org Resource Owner 4
OK, I redirect your request now to the Handle Service of your home org. 3 2 Please tell me where are you from? 1 SHIRE I don’t know you. Not even which home org you are from. I redirect your request to the WAYF WAYF HS 5 6 I don’t know you. Please authenticate Using WEBLOGIN Users Home Org Resource Owner 7 User DB Credentials OK, I know you now. I redirect your request to the target, together with a handle Attributes 10 Manager Resource OK, based on the attributes, I grant access to the resource SHAR Handle 8 I don’t know the attributes of this user. Let’s ask the Attribute Authority Handle 9 AA Let’s pass over the attributes the user has allowed me to release Resource

11 From Shibboleth Arch doc
Origin Target

12 From Shibboleth Arch doc
Origin Target

13 From Shibboleth Arch doc
Origin Target 1 SHIRE Local Navigation Page 3b 3 4 Handle Service Attribute Authority

14 Demo!

15 From Shibboleth Arch doc
Origin Target University Resource Provider HTTP Server 1 SHIRE Local Navigation Page 3b Authentication System 3 4 Enterprise Directory Handle Service 6 5 3c Attribute Authority

16 Shibboleth Architecture (still photo, no moving parts)

17 Shibboleth Architecture -- Managing Trust
engine Attribute Server Target Web Server Browser

18 Attribute Authority --Management of Attribute Release Policies
The AA provides ARP management tools/interfaces. Different ARPs for different targets Each ARP Specifies which attributes and which values to release Institutional ARPs (default) administrative default policies and default attributes Site can force include and exclude User ARPs managed via “MyAA” web interface Release set determined by “combining” Default and User ARP for the specified resource

19 Typical Attributes in the Higher Ed Community
Affiliation “active member of community” EPPN Identity Entitlement An agreed upon opaque URI urn:mace:vendor:contract1234 OrgUnit Department Economics Department EnrolledCourse Opaque course identifier urn:mace:osu.edu:Physics201

20 Target – Managing Attribute Acceptance
Rules that define who can assert what….. MIT can assert Chicago can assert Brown CANNOT assert Important for entitlement values

21 Shibboleth -- Next Steps
Full implementation of Trust Fabric Supporting Multi-federation origins and targets Support for Dynamic Content (Library-style Implementation in addition to web server plugins) Sysadmin GUIs for managing origin and target policy Grid, Virtual Organizations ? Saml V2.0, Liberty, WS-Fed NSF grant to Shibboleth-enable open source collaboration tools LionShare - Federated P2P

22 So… What is Shibboleth? A Web Single-Signon System (SSO)?
An Access Control Mechanism for Attributes? A Standard Interface and Vocabulary for Attributes? A Standard for Adding Authn and Authz to Applications?

23 Acknowledgements: THE END
Design Team: David Wasley UCOP; RL ‘Bob’ Morgan U of Washington; Keith Hazelton U of Wisconsin-Madison;Marlena Erdos IBM/Tivoli; Steven Carmody Brown; Scott Cantor Ohio State Important Contributions from: Ken Klingenstein (I2); Michael Gettes (Duke); Scott Fullerton (Madison) Coding: Derek Atkins (MIT); Parviz Dousti (CMU); Scott Cantor (OSU); Walter Hoehn (Columbia)

24 Got SHIB?

Download ppt "Michael R Gettes, Duke University On behalf of the shib project team"

Similar presentations

Internet2 Shibboleth Project TERENA Networking Conference 2002, Limerick, Ireland RL “Bob” Morgan, Washington Steven Carmody, Brown Scott Cantor, Ohio.

Internet2 Shibboleth Project TERENA Networking Conference 2002, Limerick, Ireland RL “Bob” Morgan, Washington Steven Carmody, Brown Scott Cantor, Ohio.
Welcome to CAMP Shibboleth Ken Klingenstein, Director, Internet2 Middleware Initiative.

Welcome to CAMP Shibboleth Ken Klingenstein, Director, Internet2 Middleware Initiative.
Shibboleth: How It Relates to SAML Marlena Erdos Aug 27, 2001.

Shibboleth: How It Relates to SAML Marlena Erdos Aug 27, 2001.
ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.

ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
June 30, 2004CAMP Shibboleth Implementation Workshop Shibboleth Mockup - ARP GUI Management by Steven Carmody Brown University proxy Walter Hoehn.

June 30, 2004CAMP Shibboleth Implementation Workshop Shibboleth Mockup - ARP GUI Management by Steven Carmody Brown University proxy Walter Hoehn.
Shibboleth Update a.k.a. “shibble-ware”

Shibboleth Update a.k.a. “shibble-ware”
InCommon Policy Conference April 2005. 2 Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.

InCommon Policy Conference April Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
Project Shibboleth Update, Demonstration and Discussion Michael R Gettes Duke University (on behalf of the entire shib team!!!) June.

Project Shibboleth Update, Demonstration and Discussion Michael R Gettes Duke University (on behalf of the entire shib team!!!) June.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Shib in the present and the future Ken Klingenstein Director, Internet2 Middleware and Security.

Shib in the present and the future Ken Klingenstein Director, Internet2 Middleware and Security.
3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.

3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.
Shibboleth Possible Features – Version 2 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth Possible Features – Version 2 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.
7 October 2015 Shibboleth. Agenda  Shibboleth Background and Status  Why is Shibboleth Important (to Higher Ed)?  Current Pilots Course Management.

7 October 2015 Shibboleth. Agenda  Shibboleth Background and Status  Why is Shibboleth Important (to Higher Ed)?  Current Pilots Course Management.
Shibboleth & Federations Renee’ Shuey May 4, 2004 ITS – Emerging Technologies The Pennsylvania State Universtiy.

Shibboleth & Federations Renee’ Shuey May 4, 2004 ITS – Emerging Technologies The Pennsylvania State Universtiy.
Shibboleth Update Michael Gettes Principal Technologist Georgetown University Ken Klingenstein Director Interne2 Middleware Initiative.

Shibboleth Update Michael Gettes Principal Technologist Georgetown University Ken Klingenstein Director Interne2 Middleware Initiative.

Similar presentations

Ads by Google