Shibboleth and Federations

Presentation on theme: "Shibboleth and Federations"— Presentation transcript:

1 Shibboleth and Federations
12 April 2019

2 Agenda
Trust fabrics
Federations
Federating Software
Shibboleth-based Federations

3 Unified field theory of Trust
Bridged, global hierarchies of identification-oriented, often government-based trust – laws, identity tokens, etc.
  Passports, driver's licenses
  Future is typically PKI oriented
Federated enterprise-based; leverages one's security domain; often role-based
  Enterprise does authentication and attributes
  Federations of enterprises exchange assertions (identity and attributes)
Peer to peer trust; ad hoc, small locus personal trust
  A large part of our non-networked lives
  New technology approaches to bring this into the electronic world.
Virtual organizations could leverage any of these fabrics

4 Federations and Classic PKI
They are very similar
  Both imply trust models
  Federations are an enterprise-enterprise PKI
  Local authentication may well be end-entity certs
  Name-space control is a critical issue
And they are very different
  End user authentication is a local decision
  Flat set of relationships; little hierarchy
  Focus as much on privacy as security
  Web Services only right now: no other apps, no encryption
  We get to define…

5 What are federations?
Associations of enterprises that come together to exchange information about their users and resources in order to enable collaborations and transactions
Built on the premise of
  Initially "Authenticate locally, act globally"
  Now, "Enroll and authenticate and attribute locally, act federally."
Federation provides only modest operational support and consistency in how members communicate with each other
Enterprises (and users) retain control over what attributes are released to a resource; the resources retain control (though they may delegate) over the authorization decision.
Over time, this will all change…

6 The good
Very flexible – easy to establish and operate; can work for 2 or 2000 members
Very customizable – tailored to fit the precise membership
Address the whole problem space – security, data schema, privacy, transport – of inter-realm collaborations
Are relatively simple to install and operate, both for enterprises and for end-users

7 The bad
They aren't real, yet
They don't do everything
  Are web services based right now
Will hit scaling walls in several dimensions; we don't see clear answers yet…

8 The unknown
The scaling walls
How reality will unfold
The convergence of the various federating software solutions
Users' willingness to manage their privacy and security

9 Three Types of federation
Internal federations are occurring among the many subsidiaries of large companies, especially for those companies with more dynamic aggregations.
Private federations occur among enterprises, typically within a market sector, that want to facilitate a specific set of transactions and interactions. Many will be bi-lateral, short-term or otherwise constrained.
Public federations address more free-standing, long-term, general-purpose requirements, and need to be more open about rules of engagement. Public federations face significant scaling issues and may not be able to leverage contractual relationships that private federations can.

10 Requirements for federations
Federation operations
Federating software
  Exchange assertions
  Link and unlink identities
Federation data schema
Federation privacy and security requirements

11 Federating Software
Liberty Alliance
  V 1.1 of their functional specs released; 2.0 under discussion
  Federation itself is out of scope (see PingID et al)
  Semi-open source under development
  Current work is linked identities
Shibboleth
  V1.1 released; 2.0 under discussion
  Most standards-based (though Liberty has said that they will turn their enhancements over to standards organizations)
  Pure open source
  Current work is attribute release focused.
WS-*

12 WS-*
Work by Microsoft, with participation from IBM and BEA et al
Complex framework, consisting of 9 areas, which can form a whole cloth solution to the problem space, but which need to closely interact with each other to do so.
Standards process and IPR issues uncertain
No implementations yet; indeed a lofty set of abstractions that will need considerable convention and detail to resolve into a working instantiation
Can Shibboleth/InCommon be a working instantiation within WS-*?

13 Interoperability among federations
Or, more precisely, interoperability between two members of distinct federations
Ability to pass each other assertions
  Protocols and architectures
Ability to understand each other's assertions
  Syntax and semantics of objectclasses and schema
Ability to trust each other's assertions
  Er……

14 Shibboleth-based federations
InQueue
InCommon
Club Shib
SWITCH
NSDL
State networks
Medical networks
Financial aid networks
Life-long learning communities

15 The Research and Education Federation Space
(Diagram labels:) REF Cluster: InQueue (a starting point), InCommon, SWITCH, The Shib Research Club, other national nets, other clusters; other potential US R+E feds: State of Penn, Fin Aid Assoc, NSDL, Indiana; slippery slope - Med Centers, etc.

16 InQueue
The "holding pond"
Is a persistent federation with "passing-through" membership…
Operational today. Can apply for membership via InQueue Federation guidelines
Requires eduPerson attributes
Operated by Internet2; open to almost anyone using Shibboleth, in an R&E setting or not…
Fees and service profile to be established shortly: cost-recovery basis

17 InCommon basics
Permanent federation for the US R&E sector
Operated by Internet2, open to .edu-qualified sites and business partners
Attributes passed: eduPerson
Privacy requirements: Initially, destroy received attributes immediately upon use
Security requirements: Initially, enterprises post local I/A and basic business rules for assignment of eduPersonAffiliation values
  Likely to progress towards standardized levels of authn
Logout issues
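The federation model sketched on slide 5 (the enterprise enrols, authenticates and attributes locally; the resource keeps the authorization decision) and the InCommon rules on this slide (eduPerson attributes, received attributes destroyed immediately upon use, assertions only trusted from federation members) can be walked through end to end in a small simulation. The code below is an added example written for this page, not Shibboleth's own code or any InCommon artifact. It stands in an HMAC over a JSON body for a signed SAML assertion, a Python dict for federation metadata, and constructs every name, user and policy it uses; the only real identifiers are the eduPerson attribute names.

```python
import hashlib
import hmac
import json
import time

# Constructed federation metadata: the identity providers the federation vouches for
# and the key each one signs with. A real federation distributes signed metadata and
# X.509 certificates; an HMAC shared secret is a stand-in for that here.
FEDERATION_METADATA = {
    "idp.example-university.edu": {"key": b"constructed-idp-secret"},
}

# Constructed campus identity records: enrolment and attribution happen locally.
IDP_USERS = {
    "alice": {"eduPersonAffiliation": ["student", "member"], "mail": "alice@example-university.edu"},
    "bob": {"eduPersonAffiliation": ["affiliate"], "mail": "bob@example-university.edu"},
}

# Constructed attribute release policy: the enterprise decides, per relying party,
# which attributes leave the campus. Anything not listed is never released.
RELEASE_POLICY = {
    "library.example-publisher.com": ["eduPersonAffiliation"],
    "calendar.example-partner.org": ["eduPersonAffiliation", "mail"],
}

ASSERTION_LIFETIME = 300  # seconds; a short validity window limits replay


def _sign(issuer, payload):
    key = FEDERATION_METADATA[issuer]["key"]
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_assertion(issuer, user, audience, now=None):
    """Identity provider side: authenticate locally, release only policy-permitted attributes."""
    if user not in IDP_USERS:
        raise PermissionError("local authentication failed")
    permitted = RELEASE_POLICY.get(audience, [])
    attributes = {name: IDP_USERS[user][name] for name in permitted if name in IDP_USERS[user]}
    issued = int(now if now is not None else time.time())
    body = {
        "issuer": issuer,
        "audience": audience,  # bound to one relying party so it cannot be replayed elsewhere
        "issued": issued,
        "expires": issued + ASSERTION_LIFETIME,
        "attributes": attributes,
    }
    payload = json.dumps(body, sort_keys=True)
    return {"payload": payload, "signature": _sign(issuer, payload)}


def released_attributes(assertion):
    """Inspect (without verifying) which attributes an assertion carries."""
    return json.loads(assertion["payload"])["attributes"]


def verify_assertion(assertion, audience, now=None):
    """Relying party side: accept only unexpired assertions from federation members, addressed to us."""
    body = json.loads(assertion["payload"])
    issuer = body["issuer"]
    if issuer not in FEDERATION_METADATA:
        return None  # not a member of our federation: no basis for trust
    expected = _sign(issuer, assertion["payload"])
    if not hmac.compare_digest(expected, assertion["signature"]):
        return None  # payload or signature tampered with
    if body["audience"] != audience:
        return None  # issued for some other relying party
    current = now if now is not None else time.time()
    if current > body["expires"]:
        return None
    return body["attributes"]


def authorize(assertion, audience, required_affiliations, now=None):
    """Resource side: decide locally from eduPersonAffiliation, then discard the received attributes."""
    attributes = verify_assertion(assertion, audience, now)
    if attributes is None:
        return False
    try:
        held = set(attributes.get("eduPersonAffiliation", []))
        return bool(held & set(required_affiliations))
    finally:
        attributes.clear()  # destroy received attributes immediately upon use


if __name__ == "__main__":
    idp = "idp.example-university.edu"
    library = "library.example-publisher.com"
    a = issue_assertion(idp, "alice", library, now=1000)
    print("released to library:", released_attributes(a))
    print("alice admitted:", authorize(a, library, ["student", "faculty"], now=1100))
```

Running the module shows that the library relying party receives only eduPersonAffiliation (mail is withheld by the campus policy) and that the authorization decision is taken by the resource against its own required affiliations; the same assertion is rejected if presented to a different audience, after expiry, or with an altered payload.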

18 InCommon
Management – exec group of CIOs and CTOs
Operations
  Strong institutional I/A
  High confidence WAYF operation
  Low exposure if enterprise signing keys compromised
  Indemnified project
Cost-recovery
  Costs will depend on the level of InCommon work
  Low risk level operations ~$1K/yr
  Certifying operations potentially much higher

19 Multiple federations
Aggregation
  Business partners want to simplify their processing
  Reducing legal and operational costs
Overlap
  User confusion

20 Trust pivot points in federations
In response to real business drivers and feasible technologies, increase the strengths of
  Campus/enterprise identification, authentication practices
  Federation operations, auditing thereof
  Campus middleware infrastructure in support of Shib (including directories, attribute authorities and other Shib components) and auditing thereof
  Relying party middleware infrastructure in support of Shib
Moving in general from self-certification to external certification

21 Federated Applications
Personal Privacy and Resource Managers
Digital rights management
Role-based access controls
Desktop videoconferencing
Interrealm calendaring
Authenticated instant messaging
P2P
Shibbed *
