Shibboleth: The Next Generation. ISIS Technical Information Session for Developers. Datta Mahabalagiri, Administrative Information Systems, March 3, 2008.


1 Shibboleth: The Next Generation
ISIS Technical Information Session for Developers
Datta Mahabalagiri, Administrative Information Systems
March 3, 2008

2 Today's Goals
Demystify Shibboleth
Provide a technical overview of Shibboleth
Outline application considerations when migrating to Shibboleth
Sketch the migration plan
Q/A

3 Shibboleth Overview
Shibboleth is standards-based, open source middleware that provides web Single Sign-On (SSO) within or across organizational boundaries
An authentication and attribute query protocol
Standards based: built on SAML
Developed by Internet2

4 Shibboleth Overview
Emphasis on protecting user privacy
Fine-grained attribute release control mechanism
Browser-based authentication only
Quickly gaining momentum in the higher education community
UC is adopting Shibboleth as its standard federated authentication mechanism: UCTrust

5 Shibboleth Benefits
Standards based (SAML etc.)
Focus on privacy and security
Adopted by many organizations
Manages identity for local users only
Federated
Open source software, supported by Internet2
– Client modules
– No coding necessary
– Works with static web sites

6 What Shibboleth Is Not
SSO, but not authentication: Shibboleth does not verify credentials itself; the IdP hands that off to the campus authentication system (ISIS at UCLA)
No authorization: the application still decides what an authenticated user may do, based on the attributes it receives

7 Shibboleth Vocabulary
Federation
Identity Provider (IdP)
Service Provider (SP)
Where Are You From Service (WAYF)
Handle Service (HS)
Attribute Authority (AA)
Attribute Requester (AR)
Assertion Consumer Service (ACS)
Attribute Release Policy (ARP)
Attribute Acceptance Policy (AAP)
Bilateral deployment

8 Shibboleth: Federation
Provides a standard approach to the policies, practices and technologies that members adopt
Interoperability and trust
Which federation to join?
Joining a federation is not a must to operate Shibboleth

9 Shibboleth: Identity Provider (IdP)
The "server" side of Shibboleth
Performs authentication
Issues the authentication assertion
Responds to attribute queries
Issues the attribute assertion
Analogous to the ISIS Login Server and Web Service
One instance per campus

10 Shibboleth: Service Provider (SP)
The "consumer" side of Shibboleth
Apache module or IIS ISAPI filter, plus a daemon
Handles all communications with the WAYF and the IdP
Places the returned attributes in HTTP headers (read them only on locations the SP protects; elsewhere nothing stops a client from sending headers with the same names)
Provided by Internet2

11 Shibboleth: Where Are You From (WAYF) Service
Part of the federation services
A directory service of Identity Providers
Hosted by the federation operator*
* In Shibboleth 2.0, the WAYF function will be part of the Service Provider module

12 Shibboleth: IdP Components
Handle Service (HS)
– Directs the incoming user to the authentication authority (i.e., the login page)
– Issues the Shibboleth handle (similar to a session token, à la the ISIS ticket)
Attribute Authority (AA)
– Responds to attribute requests
– Queries data repositories
– Constructs and returns the attribute assertion (an XML document containing the requested user data)

13 Shibboleth: SP Components
Assertion Consumer Service (ACS)
– Processes the Shibboleth handle returned by the IdP
– Initiates an optional attribute request
– Establishes a security context at the SP, and redirects the client to the desired target resource
Attribute Requester (AR)
– Establishes a direct connection to the Attribute Authority at the IdP
– Exchanges the attribute query and attribute response

14 Shibboleth: Attribute Release Policy (ARP)
Rules for releasing attributes, in XML format
Fine-grained control over the release of attributes
Both the individual and the organization have control over the release of attributes
Site ARP and User ARP

15 ARP Example
eduPersonAffiliation release policy (XML example; only the values survived transcription): attribute eduPersonAffiliation, value member@ucla.edu, released to the target https://myhost.ucla.edu

16 Shibboleth: Attribute Acceptance Policy (AAP)
Rules for accepting attributes, in XML format
Regular expression check on the values
Places the accepted attributes in HTTP headers for use by applications

17 AAP Example
eduPersonAffiliation acceptance rules (XML example; only the values survived transcription): accepted values FACULTY and STUDENT; regular expression ^[^@]+$
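The two example slides above lost their XML in transcription, so the following is an added worked example, not code from the presentation or from the Shibboleth project: a small evaluator that applies an IdP-side release policy (site ARP plus user ARP) and then an SP-side acceptance policy to one user's attributes. The XML is modelled on the Shibboleth 1.3 ARP and AAP formats; the element names, the policies, the IdP and SP identifiers, the sample attribute values and the "a deny beats any permit" combination rule are all assumptions made for this example. The per-site scope check on eduPersonScopedAffiliation goes beyond the slide's single regex.

```python
"""Added example, not from the slides: evaluate a simplified Attribute
Release Policy (ARP, applied at the IdP) and Attribute Acceptance Policy
(AAP, applied at the SP).  Element names follow the Shibboleth 1.3 formats
as assumed here; the policies and identifiers are constructed samples."""
import re
import xml.etree.ElementTree as ET

ARP_NS = "urn:mace:shibboleth:arp:1.0"
AAP_NS = "urn:mace:shibboleth:1.0"
EPA = "urn:mace:dir:attribute-def:eduPersonAffiliation"
EPSA = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"

# Constructed site ARP: release two affiliation values and any scoped
# affiliation value, but only to the SP https://myhost.ucla.edu.
SITE_ARP = """<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Rule><Target><Requester>https://myhost.ucla.edu</Requester></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <Value release="permit">member</Value><Value release="permit">faculty</Value>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
      <AnyValue release="permit"/></Attribute>
  </Rule></AttributeReleasePolicy>"""

# Constructed user ARP: this user withholds "faculty" from every SP.
USER_ARP = """<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Rule><Target><AnyTarget/></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <Value release="deny">faculty</Value></Attribute>
  </Rule></AttributeReleasePolicy>"""

# Constructed SP AAP: the slide's regex ^[^@]+$ for eduPersonAffiliation from
# any IdP; for the scoped attribute only the UCLA IdP may assert @ucla.edu
# values (the per-site scope check that goes beyond the slide).
AAP = r"""<AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:1.0">
  <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation"
                 Header="Shib-EP-Affiliation">
    <AnySite><Value Type="regexp">^[^@]+$</Value></AnySite></AttributeRule>
  <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
                 Header="Shib-EP-ScopedAffiliation">
    <SiteRule Name="urn:mace:incommon:ucla.edu">
      <Value Type="regexp">^[^@]+@ucla\.edu$</Value></SiteRule></AttributeRule>
</AttributeAcceptancePolicy>"""


def _local(elem):
    """Element tag without its namespace prefix."""
    return elem.tag.rsplit("}", 1)[-1]


def release(arps, requester, attributes):
    """Apply ARP documents for one requester (the SP's providerId).
    attributes maps name -> list of values; a value is released only if some
    rule permits it and no rule denies it (None stands for AnyValue)."""
    permitted, denied = {}, {}
    for doc in arps:
        for rule in ET.fromstring(doc).iter("{%s}Rule" % ARP_NS):
            target = rule.find("{%s}Target" % ARP_NS)
            requesters = [r.text for r in target.iter("{%s}Requester" % ARP_NS)]
            if target.find("{%s}AnyTarget" % ARP_NS) is None and requester not in requesters:
                continue                        # rule is for a different SP
            for attr in rule.iter("{%s}Attribute" % ARP_NS):
                for value in attr:
                    bucket = permitted if value.get("release") == "permit" else denied
                    bucket.setdefault(attr.get("name"), set()).add(
                        None if _local(value) == "AnyValue" else value.text)
    released = {}
    for name, values in attributes.items():
        ok, no = permitted.get(name, set()), denied.get(name, set())
        kept = [v for v in values if (None in ok or v in ok) and not (None in no or v in no)]
        if kept:
            released[name] = kept
    return released


def _matches(matcher, value):
    if matcher.get("Type") == "regexp":
        return re.search(matcher.text, value) is not None
    return matcher.text == value


def accept(aap, issuer, attributes):
    """Apply the AAP to attributes asserted by the IdP `issuer`.  Returns
    header name -> accepted values; an attribute without a rule, or a value
    no applicable Value matches, never reaches the application's headers."""
    headers = {}
    for rule in ET.fromstring(aap).iter("{%s}AttributeRule" % AAP_NS):
        matchers = []
        for site in rule:
            if _local(site) == "SiteRule" and site.get("Name") != issuer:
                continue                        # rule bound to another IdP
            matchers.extend(site.iter("{%s}Value" % AAP_NS))
        kept = [v for v in attributes.get(rule.get("Name"), [])
                if any(_matches(m, v) for m in matchers)]
        if kept:
            headers[rule.get("Header")] = kept
    return headers


def demo():
    """Walk one constructed user's attributes through release, then acceptance."""
    user = {EPA: ["member", "faculty", "staff"], EPSA: ["faculty@ucla.edu", "member@evil.edu"]}
    released = release([SITE_ARP, USER_ARP], "https://myhost.ucla.edu", user)
    # → {EPA: ["member"], EPSA: ["faculty@ucla.edu", "member@evil.edu"]}
    headers = accept(AAP, "urn:mace:incommon:ucla.edu", released)
    # → {"Shib-EP-Affiliation": ["member"], "Shib-EP-ScopedAffiliation": ["faculty@ucla.edu"]}
    return released, headers
```

In `demo()`, "staff" is dropped because no rule permits it, "faculty" because the user ARP denies it even though the site ARP permits it, and "member@evil.edu" because the SP's scoped-affiliation rule for the UCLA IdP only accepts @ucla.edu values. The same evaluator run with a different requester returns nothing at all, which is what a developer sees when the site ARP has not been set up for a new SP yet (the "ARP administration is still a manual process" item later in the deck).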

18 Shibboleth Architecture
Diagram (© SWITCH) showing the browser, the WAYF, the Identity Provider (Handle Service, Attribute Authority, User DB) and the Service Provider (ACS, Attribute Requester, Resource Manager, protected resource), with the ten numbered steps in which credentials, the handle and the attributes are exchanged.

19 Shibboleth Architecture, annotated (Identity Provider at UCLA)
1. The user requests a protected resource at the Service Provider web site.
2. ACS: "I don't know you. Not even which home org you are from. Redirect your request to the WAYF."
3. WAYF: "Please tell me where you are from." The user selects UCLA.
4. WAYF: "OK, I redirect your request now to the Handle Service of UCLA."
5. HS: "I don't know you. Please authenticate using ISIS."
6. The user presents credentials, which are checked against the User DB.
7. HS: "OK, I know you now. Redirect your request to the SP, together with a handle."
8. AR: "I don't know the attributes of this user. Let's ask the Attribute Authority." (sends the handle)
9. AA: "Let's pass over the attributes the user has allowed me to release." (returns the attributes)
10. Resource Manager: "OK, based on the attributes, I grant access to the resource."
(Diagram © SWITCH)
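The ten-step exchange on slides 18 and 19, as an added simulation that is not code from the presentation or from Shibboleth: one object plays the IdP (Handle Service plus Attribute Authority) and one the SP (ACS, Attribute Requester and the resource manager behind them). The handle format and lifetime, binding a handle to the SP it was issued for, the WAYF directory, the user records, the identifiers and the policies are assumptions of this model; the real protocol carries these messages as SAML over browser redirects (steps 2 to 7) and an SP-to-IdP back channel (steps 8 and 9). The point it makes is the one on slide 6: Shibboleth delivers an opaque handle and then attributes, and the "grant" in step 10 is the application's own decision.

```python
"""Added example, not from the slides: a model of the slide 18/19 exchange.
Handle format, lifetime and SP binding, the WAYF directory, user records
and policies are assumptions made for this example."""
import secrets
import time

UCLA_IDP = "urn:mace:incommon:ucla.edu"      # assumed IdP identifier
FOOBAR_SP = "https://myhost.ucla.edu"        # assumed SP identifier


class IdentityProvider:
    """Handle Service (HS) plus Attribute Authority (AA) of one campus."""

    def __init__(self, users, release_policy, handle_ttl=300):
        self.users = users                    # eppn -> {"password", "attributes"}
        self.release_policy = release_policy  # SP id -> attribute names it may get (the ARP)
        self.handle_ttl = handle_ttl
        self.handles = {}                     # handle -> (eppn, SP id, expiry)

    def authenticate(self, eppn, password, sp_id):
        """Steps 5-7: check credentials (ISIS does this at UCLA) and mint an
        opaque handle for this SP; the handle itself says nothing about the user."""
        rec = self.users.get(eppn)
        if rec is None or not secrets.compare_digest(rec["password"], password):
            raise PermissionError("authentication failed")
        handle = secrets.token_urlsafe(16)
        self.handles[handle] = (eppn, sp_id, time.time() + self.handle_ttl)
        return handle

    def attribute_query(self, handle, requester):
        """Steps 8-9: resolve the handle for the SP it was issued to and apply
        the release policy before answering."""
        entry = self.handles.get(handle)
        if entry is None:
            raise PermissionError("unknown handle")
        eppn, sp_id, expiry = entry
        if requester != sp_id or time.time() > expiry:
            raise PermissionError("handle not valid for this requester")
        allowed = self.release_policy.get(requester, set())
        attrs = self.users[eppn]["attributes"]
        return {name: list(values) for name, values in attrs.items() if name in allowed}


class WAYF:
    """Where Are You From: maps a home organisation to its IdP."""

    def __init__(self, directory):
        self.directory = directory            # home org -> IdP id

    def choose(self, home_org):
        return self.directory[home_org]


class ServiceProvider:
    """ACS plus Attribute Requester, and the resource manager behind them."""

    def __init__(self, sp_id, federation, acceptance_policy, authorize):
        self.sp_id = sp_id
        self.federation = federation          # IdP id -> IdentityProvider (from metadata)
        self.acceptance_policy = acceptance_policy  # attribute name -> value check (the AAP)
        self.authorize = authorize            # the application's own rule, not Shibboleth's
        self.sessions = {}                    # SP session cookie -> accepted attributes

    def login(self, wayf, home_org, eppn, password):
        """Steps 2-9: discovery, authentication at the IdP, handle back to the
        ACS, back-channel attribute query, acceptance policy, SP session."""
        idp = self.federation[wayf.choose(home_org)]
        handle = idp.authenticate(eppn, password, self.sp_id)
        raw = idp.attribute_query(handle, requester=self.sp_id)
        accepted = {name: [v for v in values if self.acceptance_policy[name](v)]
                    for name, values in raw.items() if name in self.acceptance_policy}
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = accepted
        return cookie

    def resource(self, cookie):
        """Steps 1 and 10: without a session the user is sent to the WAYF; with
        one, the resource manager decides from the accepted attributes alone."""
        attributes = self.sessions.get(cookie)
        if attributes is None:
            return "redirect: WAYF"
        return "granted" if self.authorize(attributes) else "denied"


def build_demo():
    """Constructed campus: two users, one IdP, one SP, one WAYF entry."""
    users = {
        "jbruin@ucla.edu": {"password": "hunter2", "attributes": {
            "eduPersonAffiliation": ["member", "staff"], "mail": ["jbruin@ucla.edu"]}},
        "guest@ucla.edu": {"password": "guest", "attributes": {
            "eduPersonAffiliation": ["affiliate"]}},
    }
    idp = IdentityProvider(users, {FOOBAR_SP: {"eduPersonAffiliation"}})
    sp = ServiceProvider(FOOBAR_SP, {UCLA_IDP: idp},
                         acceptance_policy={"eduPersonAffiliation": lambda v: "@" not in v},
                         authorize=lambda a: "staff" in a.get("eduPersonAffiliation", []))
    return sp, WAYF({"UCLA": UCLA_IDP})
```

Running `build_demo()` and then `sp.login(wayf, "UCLA", "jbruin@ucla.edu", "hunter2")` yields a session whose attributes contain eduPersonAffiliation but not mail, because the IdP's release policy never lets mail reach this SP; the guest account authenticates just as successfully but is denied in step 10, since the resource manager's rule wants "staff". Presenting the handle from a different requester fails at the AA, which is the model's version of the handle being bound to the SP it was issued to.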

20 Shibboleth @ UCLA
Shibboleth IdP already running in production
Leverages the ISIS authentication engine
Running in parallel with ISIS 5
Attributes in ED

21 Shibboleth @ UCLA
Will eventually replace the ISIS Web Service API
Early adopters include CCLE, MyEvents, Plone site
ARP administration is still a manual process
Customized login page
Supports bilateral and federated deployment

22 To Do
ISIS Login Server will continue to serve the login form
Integrate Shibboleth SP administration with ISIS administration
Incorporate data release approval from data stewards into the SP set-up process
Need more attribute data!
Improve user experience during redirects
More support materials (Confluence)
Helpdesk coordination
Metadata generation
Logout?

23 Migrating to Shibboleth
Migration philosophy
– Parallel support for ISIS 5 and ISIS/Shib
– Gradual migration: move when it's a good time for your application to move
– ... within reason, of course
– Emphasis on user experience

24 Migrating to Shibboleth
2007
– Early adopters and new applications
– Applications with unique requirements
– Applications could choose between ISIS 5 and Shibboleth
2008
– All MI Team supported apps
– All new applications
– Voluntary migration
2009
– Mandatory migration
– End ISIS support

25 Preparing Your Application for Shibboleth
Choose your web server
– IIS
– Apache
Separate test and production environments
Deployment scenario
– Federated
– Bilateral

26 Federated Deployment
With federated deployment, your application joins a Shibboleth federation (InCommon, UCTrust)
Need to register and obtain a federation-issued digital certificate
Application enjoys common standards, but needs to comply with all federation requirements
– Security and audit requirements
– Attribute assertion agreements (more work on the IdP side than the SP side)
– Coordinated helpdesk support
Choose federated deployment if:
– You plan to accept authentication assertions from multiple IdPs
– You have business requirements to participate in a federation

27 Bilateral Deployment
With bilateral deployment, your application exchanges credentials (its certificate and metadata) and negotiates attribute exchanges directly with the IdP
No need to obtain federation digital certificates
Likely a simpler deployment model for UCLA-only applications
Choose bilateral deployment if:
– You plan to accept authentication assertions only from UCLA's IdP
You can always move to a federated deployment mode later

28 Preparing Your Application for Shibboleth
Rethink your user access provisioning process
– Shib's privacy policy may mean that you won't get all the attributes you want from all users; you may need to ask the user for more information
– Especially with federated deployment, you will receive login attempts from unexpected users
– An on-demand access provisioning model is preferred
– Provide much more descriptive help information on screen

29 Preparing Your Application for Shibboleth
The user may be confused if all you show him is:
"Login Failed: Access Denied."

30 Preparing Your Application for Shibboleth
This may make it a bit clearer to the user why he cannot continue, and what he can do to remedy the situation:
"Thank you for your interest in using the Foobar system. It appears that you authenticated successfully. However, you have not registered to become a user with Foobar. Foobar is a restricted system. If you believe you should have access, please click here to complete an access request. For additional inquiries, please contact our helpdesk at helpdesk@foobar.ucla.edu"

31 Preparing Your Application for Shibboleth
Rethink your logging and helpdesk support model
– Especially with federated deployment, the user's IdP may not be UCLA
– Helping a user through the troubleshooting process is critical
– Think about your hours of support
– Think about the kind of information you need to keep in your application log
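Slides 28 to 31 describe what the application behind the SP has to do; the following is an added example of that application side, not code from the presentation or from Shibboleth: a minimal WSGI application that reads the attributes the SP placed in request headers, enforces the bilateral choice of accepting only UCLA's IdP (slide 27), answers an authenticated but unregistered user with the slide 30 message instead of "Access Denied", and logs the fields a helpdesk will ask for. The header names (REMOTE_USER for eduPersonPrincipalName, HTTP_SHIB_IDENTITY_PROVIDER, HTTP_SHIB_EP_AFFILIATION), the IdP identifiers, the registered-user table, the request-form path and the sample requests are assumptions made for this example.

```python
"""Added example, not from the slides: the application's view of a
Shibboleth-protected request.  Header names, IdP identifiers, the user
table and the sample requests are assumptions for this example."""
import logging

log = logging.getLogger("foobar.access")

ALLOWED_IDPS = {"urn:mace:incommon:ucla.edu"}               # bilateral: UCLA's IdP only (assumed id)
REGISTERED_USERS = {"jbruin@ucla.edu": {"role": "editor"}}  # assumed registration table
HELPDESK = "helpdesk@foobar.ucla.edu"
REQUEST_FORM = "/request-access"                            # assumed on-demand provisioning form

NOT_REGISTERED = (
    "Thank you for your interest in using the Foobar system. It appears that you "
    "authenticated successfully. However, you have not registered to become a user "
    "with Foobar. Foobar is a restricted system. If you believe you should have "
    "access, please complete an access request at %(form)s. For additional "
    "inquiries, please contact our helpdesk at %(helpdesk)s.")
WRONG_IDP = (
    "You signed in through %(idp)s, but Foobar only accepts sign-ins from UCLA's "
    "identity provider. Please contact %(helpdesk)s if you believe this is a mistake.")


def shib_values(environ, key):
    """Split a multi-valued attribute header; the SP joins values with ';'."""
    return [v for v in environ.get(key, "").split(";") if v]


def handle(environ):
    """Decide one request: returns (HTTP status, outcome code, body).  Call it
    only on locations the SP protects; elsewhere nothing stops a client from
    sending headers with these names itself."""
    ctx = {
        "user": environ.get("REMOTE_USER", ""),                 # assumed: SP maps eppn here
        "idp": environ.get("HTTP_SHIB_IDENTITY_PROVIDER", ""),  # assumed header name
        "affiliation": ";".join(shib_values(environ, "HTTP_SHIB_EP_AFFILIATION")),
        "client": environ.get("REMOTE_ADDR", "-"),
        "path": environ.get("PATH_INFO", "/"),
        "form": REQUEST_FORM, "helpdesk": HELPDESK,
    }
    if not ctx["user"] or not ctx["idp"]:
        log.warning("outcome=no-session client=%(client)s path=%(path)s", ctx)
        return "403 Forbidden", "no-session", "No Shibboleth session for this location."
    if ctx["idp"] not in ALLOWED_IDPS:
        log.warning("outcome=foreign-idp user=%(user)s idp=%(idp)s client=%(client)s", ctx)
        return "403 Forbidden", "foreign-idp", WRONG_IDP % ctx
    if ctx["user"] not in REGISTERED_USERS:
        # Everything the helpdesk needs to trace "I logged in but got refused".
        log.info("outcome=unregistered user=%(user)s idp=%(idp)s "
                 "affiliation=%(affiliation)s client=%(client)s path=%(path)s", ctx)
        return "403 Forbidden", "unregistered", NOT_REGISTERED % ctx
    ctx["role"] = REGISTERED_USERS[ctx["user"]]["role"]
    log.info("outcome=granted user=%(user)s role=%(role)s idp=%(idp)s client=%(client)s", ctx)
    return "200 OK", "granted", "Welcome %(user)s (%(role)s); affiliation: %(affiliation)s" % ctx


def application(environ, start_response):
    """WSGI entry point; mount it behind a location the SP requires a session for."""
    status, _outcome, body = handle(environ)
    data = body.encode("utf-8")
    start_response(status, [("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", str(len(data)))])
    return [data]


# Constructed sample requests, as the SP would present them to the application.
SAMPLE_REQUESTS = {
    "registered": {"REMOTE_USER": "jbruin@ucla.edu",
                   "HTTP_SHIB_IDENTITY_PROVIDER": "urn:mace:incommon:ucla.edu",
                   "HTTP_SHIB_EP_AFFILIATION": "member;staff",
                   "REMOTE_ADDR": "10.0.0.1", "PATH_INFO": "/"},
    "unregistered": {"REMOTE_USER": "newuser@ucla.edu",
                     "HTTP_SHIB_IDENTITY_PROVIDER": "urn:mace:incommon:ucla.edu",
                     "HTTP_SHIB_EP_AFFILIATION": "member;student",
                     "REMOTE_ADDR": "10.0.0.2", "PATH_INFO": "/reports"},
    "foreign": {"REMOTE_USER": "someone@other.example.edu",
                "HTTP_SHIB_IDENTITY_PROVIDER": "urn:mace:incommon:other.example.edu",
                "HTTP_SHIB_EP_AFFILIATION": "member",
                "REMOTE_ADDR": "10.0.0.3", "PATH_INFO": "/"},
    "no_session": {"REMOTE_ADDR": "10.0.0.4", "PATH_INFO": "/"},
}


def demo():
    """Outcome code for each constructed request."""
    return {name: handle(env)[1] for name, env in SAMPLE_REQUESTS.items()}
```

The outcome code is logged on every branch so that one `grep outcome=` answers the helpdesk question "did this person authenticate, and if so why were they refused"; the federated case only changes `ALLOWED_IDPS` and the user table, not the flow.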

32 Preparing Your Application for Shibboleth: Next Steps
Install fest?
Usability workshops?
Diagnostic/testing modules?
Common logging format?
Helpdesk coordination
– KB: kb.ucla.edu? Something else?
– Shared diagnostic support scripts?

33 Resources
Official Shibboleth Website: http://shibboleth.internet2.edu
Shibboleth Wiki: https://spaces.internet2.edu/display/SHIB
InCommon Federation: http://www.incommonfederation.org/
UCTrust Federation: http://www.ucop.edu/irc/itlc/uctrust/
Three demos of how Shib works from the Swiss Shibboleth Federation (SWITCH): http://www.switch.ch/aai/demo/
Middleware Infrastructure Group's Website: http://spaces.ais.ucla.edu

34 Q & A

