Presentation is loading. Please wait.

Presentation is loading. Please wait.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de."— Presentation transcript:

1 Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier (suhrbier@inf.fu-berlin.de) AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de FU Berlin, FB Mathematik und Informatik, Institut für Informatik 06/09/2007 Berlin, EDIT Developers Meeting

2 2 06/09/2007 EDIT Developers Meeting, BGBM Berlin Why using Shibboleth in EDIT ? Highly distributed organisational (infra-)structure - Cross-national conglomerate of - Universities, Institutes, Botanical Museums, (private) Collections, others - Service Providers, Databases, Hosts, Applications, … - Users, System Administrators - Members have individual security or organisational requirements Identity Management - Current situation reflects organisational structure: - Users have to authenticate multiple times to access different services - Problems to remember the individual authentication ids (e.g. user/pass) for services - System administrators have to manage access control for these services - Individual maintenance of user account and access control for each service or ressource Problem - Current situation is error-prone and ressource consuming - Need for a comfortable Single Sign-On(SSO) solution considering - Security and organisational requirements of providers - Security and privacy aspects of users

3 3 06/09/2007 EDIT Developers Meeting, BGBM Berlin What is Shibboleth ? Internet2 Middleware Project which - Aims to develop a standards-based solution enabling organizations to exchange users information in a secure, and privacy-preserving manner - is developed by a group leading campus middleware architects (since 2000) Inter-organisational single sign-on(SSO) service for web services - Uses several widely-implemented standards such as - Security Assertion Markup Language (SAML), XML, XML Signature - Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL) - SOAP, Lightweight Directory Access Protocol (LDAP) - Relies on or extends existing Identity Management solutions in organisations Open Source (Apache Software License 2.0)

4 4 06/09/2007 EDIT Developers Meeting, BGBM Berlin Shibboleth Key Concepts Federations - a framework for multiple, scaleable trust and policy sets - Specifies a group of organisations abided by a common set of policies and practices - enables interaction without defining bilateral agreements between federated parties - IdP sites (user origin) provide attribute assertions to SP sites (target) - IdP sites are responsible to authenticate users (using any reliable means) Attribute Based Access Control - AC decisions are made using attribute assertions received by SPs from IdPs - assertions may include identity, but will not require this - access may be granted based on e.g. group membershib or origin site - A Standard (yet extensible) AttributeValue Vocabulary - eduPerson includes widely-used person attributes in higher education Active Privacy Management - IdP sites and their origin users control what information is released to SPs - individuals can manage attribute release via a web-based user interface - absolves users mercy of the SPs privacy policies

5 5 06/09/2007 EDIT Developers Meeting, BGBM Berlin Shibboleth Federations Source: http://switch.ch/aai/about/federation/

6 6 06/09/2007 EDIT Developers Meeting, BGBM Berlin Shibboleth Login Procedure Source: http://switch.ch/aai/demo/easy.html

7 7 06/09/2007 EDIT Developers Meeting, BGBM Berlin Shibboleth Main Components Identity Provider (IdP) - maintains user credentials and attributes - asserts authentication or attribute statements to relying parties (SPs) - single sign-on (SSO) service initiates the authentication process - authentication authority issues authentication statements to others (SPs) Service Provider (SP) - manages secured resources - user access is based on assertions requested from an IdP - assertion consumer service processes authentication assertions returned by the SSO service - initiates an optional attribute requests (via attribute requester) - establishes a security context at the SP - redirects the client to the desired target resource. „Where are you from?“ (WAYF) service (optional) - proxy for authentication requests passed from SPs to IdPs‘ SSO service - used by SPs to determine the user's preferred IdP (user interaction possible)

8 8 06/09/2007 EDIT Developers Meeting, BGBM Berlin Shibboleth benefits IdP benefits - simple integration in existing identity management - no additional efforts establishing new services (user accounts and IP-addresses management) SP benefits - Deliverance of user and account data management - authorisation based on defined properties User benefits - only a single digital identity for SSO, location independent access - data transparency and data privacy management Source: http://switch.ch/aai/about/

9 9 06/09/2007 EDIT Developers Meeting, BGBM Berlin Shibboleth SP Integration Web Server - Apache - mod_shib - Assertions assignable to Apache environment variables (e.g. REMOTE_USER) - IIS - also possible Drupal - modified webserver_auth module - Uses REMOTE_USER to logon to Drupal automatically - „pushes“ actual Shibboleth attributes (e.g. roles, mail, name) into Drupal user module at every login Subversion - Currently, usage via web browser possible (work in progress, proxy ?) Trac - Work in progress…

10 10 06/09/2007 EDIT Developers Meeting, BGBM Berlin Shibboleth Tools ShARPE - management of user attributes via web-based interface (WebShARPE) - editing of user attributes - edit which attributes are released to defined SPs - define user roles - extends Attribute Release Policy (ARP) with group management facilities - users can assign attributes to other users - role specific „business card“ definition (Autograph) - enables users to edit id card for different uses (e.g. student, work group)

11 11 06/09/2007 EDIT Developers Meeting, BGBM Berlin EDIT Recent and current activities Demo IdP and SP server installed as XEN domains - https://idp.e-taxonomy.eu https://idp.e-taxonomy.eu - https://sp.e-taxonomy.eu https://sp.e-taxonomy.eu Provisional EDIT federation established - https://dev.e-taxonomy.eu will join https://dev.e-taxonomy.eu - other sites can join on request Comprehensive setup descriptions available - http://dev.e-taxonomy.eu/trac/wiki/Shibboleth http://dev.e-taxonomy.eu/trac/wiki/Shibboleth - IdP and SP on Debian Etch - Drupal integration ShARPE will be installed on the IdP site within the next days

Download ppt "Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de."

Similar presentations

FAME-PERMIS Project University of Manchester University of Kent London, July 2006.

FAME-PERMIS Project University of Manchester University of Kent London, July 2006.
Inter-Institutional Registration UNC Cause December 4, 2007.

Inter-Institutional Registration UNC Cause December 4, 2007.
1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.

1 Security Assertion Markup Language (SAML). 2 SAML Goals Create trusted security statements –Example: Bill’s address is and he was authenticated.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
16/3/2015 META ACCESS MANAGEMENT SYSTEM Implementing Authorised Access Dr. Erik Vullings MAMS Programme Manager

16/3/2015 META ACCESS MANAGEMENT SYSTEM Implementing Authorised Access Dr. Erik Vullings MAMS Programme Manager
Beispielbild Community Single Sign-on 15 September 2009 Berlin, ISTC meeting Lutz Suhrbier ‏ Networked Information Systems.

Beispielbild Community Single Sign-on 15 September 2009 Berlin, ISTC meeting Lutz Suhrbier ‏ Networked Information Systems.
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number 09-017 Norman F. Brickman, Roger.

© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number Norman F. Brickman, Roger.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.
Australian Access Federation Robert Hazeltine Identity and Access Management Enterprise Systems Office.

Australian Access Federation Robert Hazeltine Identity and Access Management Enterprise Systems Office.

Similar presentations

Ads by Google