Shibboleth access management: a replacement for Athens and more? Mark Norman and Christian Fernau OUCS 21 June 2007.


Presentation transcript:

1 Shibboleth access management: a replacement for Athens and more? Mark Norman and Christian Fernau OUCS 21 June 2007

2 This presentation (IT Support Staff Conference, 21 June 2007)
What is Shibboleth?
–What it isn’t
A quick run through of a common example
The UK Federation
Privacy and the 4 attributes
Shibboleth in Oxford: the architecture
Questions

3 What is Shibboleth?
“Shibboleth is a system designed to exchange attributes across realms for the primary purpose of authorisation”
Why is it called Shibboleth?
–Because it is access control where it matters what you are, rather than who you are
–Judges 12:5-6 (the Gileadites seized the passages of the Jordan before the Ephraimites, who couldn’t pronounce “ear of wheat”)

4 It’s easier to say what it isn’t!
It ISN’T about authentication management!
–(Authentication = the act of verifying that an electronic identity is being employed by the entity, person or process to whom it was issued.)
–Shibboleth thinks that institutions should run their own authentication systems and others should trust those processes
It ISN’T about authorisation management!
–(Authorisation = associating rights or capabilities with a subject/person)
–Other information about individuals (groups, status etc.) should be managed by the institution too!

5 OK, in plain English…
It’s all about how to transmit the authorisation and role information from your home institution to outside service providers
And how those service providers can ask for that information
Access management and the communication of authorisation credentials
Aims: separate authentication from authorisation
–Devolve authentication to the ‘home’ organisation
–Devolve the management of authorisation information as well

6 Replacing Athens?
In phases:
–Mid 2007: Shibboleth enabled at Oxford (possibly without publicity)
–Athens continues (free) until July 2008
–Between mid 2007 and July 2008, Oxford users should be able to use Shibboleth or Athens to access on-line resources
–After 2008 Athens may still be available but will require a subscription from Oxford

7 Replacing Athens – the user's perspective
Now:
–Users connect to a resource and type in their Athens username and password to gain access
Mid 2007:
–Users can do the same thing for many (most?) resources using their Webauth username and password (actually the Webauth screens too)
–Users can still use their Athens username and password
August 2008:
–Athens may be unavailable

8 Some definitions
Identity Provider (IdP): your home institution (where you usually have a username/login)
Service Provider (SP): organisation/body providing a service (e.g. e-Journal)
WAYF (where are you from? service) [a type of IdP Discovery Service]: application/service that determines which IdP to send the user to

9 Technically simple (SAML*)
Shibboleth involves two types of exchanges:
1. AuthnRequest > AuthnAssertion (“Was authentication successful?”)
2. AttributeRequest > AttributeAssertion (“I need to know......about this user.” / “This user has the following attributes...”)
* Security Assertion Markup Language
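The two exchanges above, modelled with the checks each side should make, as an added example that is not part of the presentation or of the Shibboleth software. The entity IDs, URLs, clock and XML are constructed, signatures are omitted, and the registered endpoint list stands in for federation metadata. The IdP-side check that the request's AssertionConsumerServiceURL is one the SP registered is the condition behind the “Invalid assertion consumer service URL” failure quoted on slide 23: without it an IdP could be talked into posting a user's attributes to an endpoint of the requester's choosing.

```python
"""Model of the two SAML exchanges (authentication, then attributes).
Added illustration, not code from the presentation or the Shibboleth
project; entity IDs, URLs, clock and XML are constructed, signing omitted."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

IDP_ENTITY_ID = "https://idp.example.ac.uk/shibboleth"        # constructed
SP_ENTITY_ID = "https://journal.example.org/shibboleth"       # constructed
SP_ACS_URL = "https://journal.example.org/Shibboleth.sso/SAML2/POST"  # constructed

# Stand-in for federation metadata: the assertion consumer service (ACS)
# endpoints each SP has registered. The IdP only posts assertions to a
# registered endpoint; anything else is refused.
FEDERATION_METADATA = {SP_ENTITY_ID: {"acs_urls": {SP_ACS_URL}}}

NOW = datetime(2007, 6, 21, 10, 0, tzinfo=timezone.utc)  # constructed clock
LATER = NOW + timedelta(minutes=10)                      # past the 5-minute lifetime


def authn_request(issuer: str, acs_url: str) -> str:
    """Exchange 1, SP side: the AuthnRequest sent to the IdP."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "Version": "2.0", "ID": "_req-constructed",
        "IssueInstant": NOW.isoformat(),
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def check_authn_request(request_xml: str):
    """Exchange 1, IdP side: what to verify before authenticating the user.
    Returns (ok, reason)."""
    root = ET.fromstring(request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return False, "not an AuthnRequest"
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    sp = FEDERATION_METADATA.get(issuer)
    if sp is None:
        return False, "issuer is not a federation member"
    if root.get("AssertionConsumerServiceURL") not in sp["acs_urls"]:
        return False, "invalid assertion consumer service URL"
    return True, "ok"


def build_assertion(audience: str, attributes: dict, now: datetime = NOW) -> str:
    """Exchange 2, IdP side: one assertion carrying the AuthnStatement and the
    released attributes, tied to a single SP and a short lifetime."""
    a = ET.Element(f"{{{SAML}}}Assertion", {"Version": "2.0", "ID": "_assn-constructed"})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY_ID
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": now.isoformat(),
        "NotOnOrAfter": (now + timedelta(minutes=5)).isoformat(),
    })
    restriction = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{SAML}}}Audience").text = audience
    ET.SubElement(a, f"{{{SAML}}}AuthnStatement", {"AuthnInstant": now.isoformat()})
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, values in attributes.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": name})
        for value in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(a, encoding="unicode")


def consume_assertion(assertion_xml: str, my_entity_id: str, now: datetime = NOW):
    """Exchange 2, SP side: accept only an assertion from the expected IdP,
    addressed to this SP, inside its validity window, that states an
    authentication. Returns (attributes, "ok") or (None, reason)."""
    a = ET.fromstring(assertion_xml)
    if a.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        return None, "unknown issuer"
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        return None, "missing Conditions"
    not_before = datetime.fromisoformat(cond.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return None, "assertion outside its validity window"
    if my_entity_id not in {e.text for e in cond.iter(f"{{{SAML}}}Audience")}:
        return None, "assertion not addressed to this SP"
    if a.find(f"{{{SAML}}}AuthnStatement") is None:
        return None, "no authentication statement"
    attrs = {attr.get("Name"): [v.text for v in attr.iter(f"{{{SAML}}}AttributeValue")]
             for attr in a.iter(f"{{{SAML}}}Attribute")}
    return attrs, "ok"


if __name__ == "__main__":
    print(check_authn_request(authn_request(SP_ENTITY_ID, SP_ACS_URL)))
    print(check_authn_request(authn_request(SP_ENTITY_ID, "https://elsewhere.example.net/acs")))
    assn = build_assertion(SP_ENTITY_ID, {"eduPersonScopedAffiliation": ["member@example.ac.uk"]})
    print(consume_assertion(assn, SP_ENTITY_ID))
```

The SP-side checks (issuer, audience, validity window, presence of an AuthnStatement) are what stop an assertion issued for one service being replayed at another or long after the login; in a real deployment the XML signature check comes before all of them.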

10 What the user should see
The user goes to a resource
They are presented with log in options
They select the “UK Federation” or “Institutional sign on” etc. option

11 What the user should see
The resource sends them to the “Where are You From” service
They say they are from Oxford

12 What the user should see
They then see their familiar Webauth screen

13 What the user should see
Then the usual Oxford confirmation...

14 What the user should see
Possibly a holding screen for 2-3 seconds before the user sees...

15 What the user should see
...the resource they were trying to reach a few seconds ago
The next time they try to get to a resource...

16 What the user should see
The next time they try to get to a resource...
They're almost straight in (no need to authenticate again) as there's a cookie kept in the browser.

17 Trusting the SP, IdP etc.
All of these bodies trust each other (implicitly) as they all belong to the same Federation
–A federation has a set of rules that everyone obeys, e.g. security policy for IdPs, privacy policies for SPs
–A service provider (SP) can provide services for multiple federations
–An institution such as Oxford (or its IdP) could belong to multiple federations too.

18 The UK Federation
A group of member organisations who sign up to a set of rules (see next slides)
Is an independent body funded by Becta and JISC
Manages the trust relationships between members

19 The UK Federation: rules for IdPs
Provide data that is accurate and up-to-date
Comply with technical specifications
Observe good practice for
–configuration, operation, and security of service, exchange of data, private keys, ...
Must hold all licences and permissions required
Must not damage reputation of Federation
Give 'reasonable assistance' to investigate misuse

20 The UK Federation: rules for SPs
Must not disclose attributes to 3rd parties
Use attributes only for access control or presentation decisions (and only for the service that the user requested)... or for generating aggregated anonymised usage statistics
SP is responsible for management of access rights: federation has no liability
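How the IdP rules (accurate data, slide 19) and the SP rules (attributes used only for the access decision, slide 20) meet in practice, as an added example that is not from the presentation or the Shibboleth software: the IdP releases to each SP only the attributes its policy names, and the SP decides access from an affiliation rather than from who the person is. The release policy, entity IDs, scope and user record are constructed; the attribute names are eduPerson schema names commonly used in Shibboleth federations, chosen here for illustration and not taken from the slides (which attributes the UK Federation relies on is the subject of the later slides). A real Shibboleth IdP expresses this filtering in its attribute filter policy rather than in Python.

```python
"""IdP attribute release per SP, and an SP access decision based only on a
scoped affiliation. Added illustration, not the presentation's or the
project's code; policy, entity IDs, scopes and the user record are constructed."""

# eduPerson attribute names (real schema names, chosen for the example)
AFFILIATION = "eduPersonScopedAffiliation"
PRINCIPAL = "eduPersonPrincipalName"
MAIL = "mail"

# Constructed per-SP release policy: an e-journal only needs to know that the
# person is a member of a subscribing institution, so it gets the scoped
# affiliation and nothing identifying. An SP with no entry gets nothing.
RELEASE_POLICY = {
    "https://journal.example.org/shibboleth": {AFFILIATION},
    "https://vle.example.ac.uk/shibboleth": {AFFILIATION, PRINCIPAL, MAIL},
}

# Constructed user record as the IdP holds it after the local login.
USER = {
    AFFILIATION: ["member@example.ac.uk", "staff@example.ac.uk"],
    PRINCIPAL: ["abcd1234@example.ac.uk"],
    MAIL: ["someone@example.ac.uk"],
    "telephoneNumber": ["+44 1865 000000"],
}


def release_attributes(sp_entity_id: str, user: dict) -> dict:
    """IdP side: keep only the attributes the policy allows for this SP."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    return {name: list(values) for name, values in user.items() if name in allowed}


def parse_scoped(value: str):
    """Split 'member@example.ac.uk' into ('member', 'example.ac.uk'), or None."""
    affiliation, sep, scope = value.partition("@")
    if not sep or not affiliation or not scope:
        return None
    return affiliation.lower(), scope.lower()


def authorise(attributes: dict, idp_scope: str, licensed_scopes,
              allowed_affiliations=("member", "staff", "student")) -> bool:
    """SP side: grant access if some affiliation value is one the licence
    covers, in a scope the licence covers. The scope must also be the one the
    asserting IdP is registered for (idp_scope, from federation metadata), so
    an IdP cannot vouch for members of a different institution."""
    for value in attributes.get(AFFILIATION, []):
        parsed = parse_scoped(value)
        if parsed is None:
            continue
        affiliation, scope = parsed
        if scope == idp_scope and scope in licensed_scopes \
                and affiliation in allowed_affiliations:
            return True
    return False


if __name__ == "__main__":
    journal = "https://journal.example.org/shibboleth"
    released = release_attributes(journal, USER)
    print("released to journal:", released)
    print("access:", authorise(released, "example.ac.uk", {"example.ac.uk"}))
    print("unknown SP gets:", release_attributes("https://unknown.example.net/sp", USER))
```

The journal never learns the user's name or e-mail address, which is what makes the "use attributes only for access control" rule easy for the SP to keep; the scope check against the IdP's registered scope is the SP-side counterpart of the IdP's duty to provide accurate data.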

21 IT Support Staff Converence 21 June 2007 21 Chris: Privacy and the 4 attributes Chris to add slides

22 IT Support Staff Converence 21 June 2007 22 Chris: Shib architecture at Oxford Chris to add slides

23 Chris: DEMO????
Christian – check out this page for other resources
–http://ukfederation.org/content/Documents/AvailableServices
–(But I got “Shibboleth Identity Provider Failure The inter-institutional access system experienced a technical failure. Please email root@localhost and include the following error message: Identity Provider failure at (/shibboleth-idp/SSO) org.opensaml.SAMLException: Invalid assertion consumer service URL.”)

24 IT Support Staff Converence 21 June 2007 24 Questions?
