Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.


1 Shibboleth and UKAMF-FEAR: not as scary as it sounds!
Rhys Smith, Cardiff University

2 outline
- federated access management?
- shibboleth?
- JISC UK Access Management Federation for Education and Research

3 some key terms
- user / user attributes, e.g. rhys (scmros) / ou: INSRV
- resource / service provider: web-based e-journals, websites, etc.
- users / identity provider: Cardiff University – 30,000-ish identities
- authentication vs authorisation: who you are / what you are allowed to do
- SAML

4 a bit of background: athens
- athens: an Access Management System for controlling secure access to web-based services
- offers single sign-on access to multiple web-based services
- usernames and passwords held at Athens but administered at a local level
- a big database table with about 4.5 million rows and 300 columns

5 classic athens
[diagram: User on Browser, Service Provider, Identity Provider, Athens]
1: Upload account info
2: I want to access your resource
3: I don't know who you are, please login through Athens
4: User sent to Athens login page
5: Credentials
6: This person is X, and they're allowed to see your resource
7: There you go!

6 what's the problem?
- users work in an increasingly global environment and demand increased mobility
- desire for increased security and privacy
- more resources means more credentials:
  - for the user: lots of usernames/passwords!
  - for the resource: manage your own AMS (account administration overhead, forgotten passwords, etc.), or use a central AMS (e.g. Athens)
  - for both: security & integrity compromised (e.g. abc123); proprietary authentication systems

7 the solution?
- federated (devolved) access management:
  - role based (not identity based), i.e. (staff @ cardiff university) not (rhys @ CU)
  - still allow personalisation: 1-way hash of user id (@ resource - further priv')
  - single sign-on to resources
- organisations responsible for identity management; trust between resource providers and identity providers

8 what is shibboleth?
- shibboleth: enables FAM
- an access management system for controlling secure access to web-based (and beyond?) services; offers single sign-on access
- usernames and passwords held at the organisation end – the standard network username/password

9 what isn't shibboleth?
shibboleth is not:
- an identity management solution: it's a component of one
- an authentication or full SSO system: we need to plug into one (e.g. pubcookie)
- an attribute store: we need to plug into one (e.g. LDAP)

10 why use shib for FAM?
- highly flexible
- highly extensible
- open source, open software
- community driven
- growing global acceptance (usa, uk, australia, switzerland, netherlands, spain, france and more)
- It Just Works

11 high level architecture
[diagram: User on Browser, WAYF (Where Are You From?), Service Provider, Identity Provider]

12 components - SP
[diagram: Service Provider components: Resource, Resource Manager, ACS (Assertion Consumer Service), AR (Attribute Requester); alongside User on Browser, WAYF (Where Are You From?), Identity Provider]

13 components - IdP
[diagram: Identity Provider components: Authentication Authority, SSO Service, AA (Attribute Authority), User DB; alongside User on Browser, WAYF (Where Are You From?), Service Provider]

14 components – WAYF / federations
- federations: a group of organisations sharing a set of agreed policies (legal), rules for access, etc.; basically, a trust framework
- a federation has a... WAYF
  - all IdPs in the federation will appear on a list
  - allows the determination of the user's home IdP at run-time

15 shibboleth and federations
[diagram: Federation... with WAYF]

16 how does shibboleth work?
[diagram: User on Browser; Service Provider (Resource, Resource Manager, ACS, AR); WAYF; Identity Provider (SSO, AA, User DB); Athens]
1: (user requests the resource; label not captured)
2: SP: I don't know who you are or where you are from... redirecting you to the home locator
3: WAYF: So, where are you from?
4: User: CFU
5: WAYF: Ok, redirecting you to your organisation
6: IdP SSO: Don't know who you are: please login
7: User: Credentials
8: IdP SSO: Ok, I know you! Redirecting you to the resource, with a handle
9: SP: I need to know attributes... ask the AA (handle)
10: AA: These are the attributes you're allowed to see (attributes)
11: SP: Ok, you're allowed to see this. Here you go!
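The handle/attribute exchange of slide 16 and the role-based, one-way-hashed personalisation of slide 7, as an added Python walk-through that is not part of the original slides or of the Shibboleth software. The user record, the SP names, the release policy and the IdP secret are all constructed for the example; the HMAC-based per-SP pseudonym stands in for the slide's "1 way hash of user id".

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this walk-through; nothing here is a real account.
USER_DB = {"scmros": {"pw": "constructed-pw", "ou": "INSRV", "affiliation": "staff"}}
IDP_SCOPE = "cardiff.ac.uk"
IDP_SECRET = b"constructed-idp-secret"
# Attribute release policy: what each Service Provider is allowed to see (slide 16, step 10).
RELEASE_POLICY = {"ejournal.example": {"affiliation", "targetedID"},
                  "wiki.example": {"affiliation", "targetedID"}}


class IdentityProvider:
    """SSO service (authenticates, issues a handle) plus Attribute Authority (resolves it)."""

    def __init__(self):
        self.handles = {}  # opaque handle -> (username, SP it was issued for)

    def sso(self, username, password, sp):
        rec = USER_DB.get(username)
        if rec is None or rec["pw"] != password:
            raise PermissionError("login failed")
        handle = secrets.token_hex(16)  # random; reveals nothing about the user
        self.handles[handle] = (username, sp)
        return handle

    def attribute_authority(self, handle, sp):
        username, issued_to = self.handles.pop(handle)  # single use; KeyError on replay
        if issued_to != sp:
            raise PermissionError("handle presented by a different SP")
        rec = USER_DB[username]
        attrs = {
            "affiliation": f"{rec['affiliation']}@{IDP_SCOPE}",  # a role, not an identity
            "ou": rec["ou"],
            # keyed one-way hash of user id + SP: stable for personalisation at one SP,
            # but two SPs cannot correlate the same user (slide 7)
            "targetedID": hmac.new(IDP_SECRET, f"{username}|{sp}".encode(), hashlib.sha256).hexdigest(),
        }
        return {k: v for k, v in attrs.items() if k in RELEASE_POLICY.get(sp, set())}


def access_resource(sp, idp, handle, allowed_roles=("staff", "student")):
    """Resource Manager at the SP: trust the federation IdP, authorise on role only."""
    attrs = idp.attribute_authority(handle, sp)
    role, _, scope = attrs.get("affiliation", "").partition("@")
    if scope != IDP_SCOPE or role not in allowed_roles:
        return None  # denied: unknown scope or role not permitted
    return attrs  # the SP ends up holding only a role and a per-SP pseudonym
```

Note that `ou: INSRV` never leaves the IdP because the release policy does not list it, and a handle resolves exactly once and only for the SP it was issued to.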

17 JISC UK access management
- previously (well, currently) – centralised, e.g. athens – a central repository of accounts/credentials
- funding for athens ends July 2008; 50p per user (or thereabouts) after that...
- next generation: federated, devolved authentication (DA)
- UK Access Management Federation for Education and Research: for HE, FE and Schools (JISC and BECTA)
- went live November 30th 2006 (became self-aware 2:14am EDT August 29th 20... (!))

18 UKFed
how to connect:
- HE – likely run their own IdP
- FE – run their own IdP / outsource
- Schools – IdP via RBC/LEA / outsource
instructions on http://www.ukfederation.org.uk/

19 Options
1) Become a full member of UKFed, using community tools: total control vs effort
2) Become a full member of UKFed, using paid-for support: control vs cost
3) Subscribe to an outsourced IdP to work through UKFed on your behalf: nice and easy vs cost and lack of control

20 Gateways
- some resources are not FAM compliant yet
- some institutions don't have the money/effort to implement FAM
- so... a shibboleth-athens gateway and an athens-shibboleth gateway (not at all confusing!)

21 shibboleth-athens
[diagram: Federation... with WAYF; Shib-Athens gateway; Athens Resources]

22 athens-shibboleth
[diagram: Federation... with WAYF; Shib-Athens gateway; Athens Resources; Athens-Shib gateway; IdP-less Users]

23 FAM beyond athens
- can be used as an AMS for any web-based application (and beyond?!)
- no need for a proprietary AMS
- intra-campus – probably not worth it; hook directly into LDAP
- inter-untrusted-organisations – need trust
- inter-trusted-organisations – perfect!

24 project progress and future
- whole of Cardiff University shib-enabled now
- all new staff/students using it
- existing athens users migrating easter+

25 conclusions
- FAM is here today for the UK academic community
- Joining UKFed enables cross-institutional collaboration and virtual organisations

26 the end
for:
- more info
- a copy of these slides
- clarification of any points
- meaningful discussion about shib
- meaningless discussion about the stanley cup final...
email: smith@cardiff.ac.uk

