Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shibboleth and InCommon: Making Secure Collaboration a Reality Scott Cantor Internet2/MACE and The.

Published byAmanda Gray Modified over 8 years ago

Similar presentations

Presentation on theme: "Shibboleth and InCommon: Making Secure Collaboration a Reality Scott Cantor Internet2/MACE and The."— Presentation transcript:

1 Shibboleth and InCommon: Making Secure Collaboration a Reality http://shibboleth.internet2.edu/ Scott Cantor (cantor.2@osu.edu) Internet2/MACE and The Ohio State University Scott Cantor (cantor.2@osu.edu) Internet2/MACE and The Ohio State University

2 2 Internet2/MACE A consortium of over 200 research institutions, with corporate and government partners, developing technologies in support of the next generation of networking and applications. MACE is a steering committee of about 20 technologists for middleware activities within Internet2.

3 3 MACE Working Groups MACE-Dir (eduPerson, LDAP Recipe) Shibboleth Course-ID HEPKI (PKI-Light, S-MIME, HE Sector CA) VidMid (H.323, commObject) MedMid (meduPerson, HIPPA privacy laws) I2MM (Jabber, real-time communication/presence) End to End Diagnostics

4 4 Outline What is Shibboleth? Shibboleth Federations and Trust Standards Convergence Current Status Library Considerations

5 5 What is Shibboleth? 1999-2003 An Internet2/MACE initiative to develop a standards-based architecture and policy framework supporting the sharing of secured web resources and services A software project delivering an open source implementation of the architecture and framework Based on the OASIS SAML standard (http://www.oasis-open.org/committees/security)

6 6 What is Shibboleth? 2003- Open source attribute-based single sign-on software with an emphasis on user privacy, built on the SAML 1.1 specification A provider and consumer of innovations in federated identity standards An enabling technology for Internet2, international, and regional efforts at federation in education and research

7 7 Immediate (and less Immediate) Use Cases Traditional web single sign-on Shared electronic learning resources Research resources (grids) Outsourced academic or administrative services Account linking across sites Delegated trust in portal scenarios (e.g. meta-searching)

8 8 Web Single Sign-On: General Approaches User supplies a single credential accepted by multiple applications across multiple physical servers e.g. X.509 Certificates, Smart Cards User communicates with a “login service” to convert a local credential into a new token that is passed to an application located elsewhere; repeat as necessary e.g. numerous proprietary WebSSO systems, SAML systems, Kerberos Both approaches typically focus on identity; attribute design is more flexible and preserves privacy.

9 9 When Shibboleth? a secure or personalized service is used by large/discrete sets of users a service provider is unable/unwilling to do all the work authenticated but anonymous access is a requirement a standards-based approach to SSO is a plus

10 10 2000: Federated Administration 2003: Federated Identity Users authenticate to their “home” or “origin” institution (identity provider) Identity becomes one of many attributes potentially sent to target sites (service providers) Authorization enforced by service provider, identity/attribute provider, or both Partitions responsibility, policy, technology, and trust

11 11 High Level Architecture Knock, Knock… Resource Knock, Knock Resource Who’s There? Assertion Consumer Service abcde12345 Authn Authority Mary Attribute Requester Attribute Authority abcde12345 who? Attribute Requester Attribute Authority Mary, faculty, contract:001 Resource Let me in!

12 12 Design Goals (relatively) seamless for users secure enough preserve privacy while permitting personalization manageable, scalable, flexible reduce the marginal cost and the barriers of implementing security

13 13 Shibboleth Project Deliverables An open source SAML implementation (http://www.opensaml.org/) Java-based “origin” implementation (authentication and attribute authorities) “Target” implementations for Apache, IIS, with additional deployment vehicles in development, including Java and non-web application scenarios Federated PKI-based trust fabric

14 14 Outline What is Shibboleth? Shibboleth Federations and Trust Standards Convergence Current Status Library Considerations

15 15 Federations Shibboleth “federations” are sets of sites that share common trust and operational metadata. Federations generalize bilateral arrangements between sites so policy can be delegated and scaled. Deployments can span federations and one-off agreements, and the PKI accomodates this.

16 16 Federation Services Vetting of identity providers Acting as naming authority for providers Aggregating, signing, publishing metadata Infrastructure for identity provider discovery Establishing ground rules for members Defining vocabularies of attributes and semantics Mediation and indemnification (in some deployments)

17 17 The Trust Continuum Collaborative trust at one end… Can I videoconference with you? You can look at my calendar. You can join this computer science workgroup and edit this program. Students in Physics 201 at Brown can access this on-line sensor. Members of the campus community can access this licensed resource. Legal trust at the other end… Sign this document, and guarantee that what was signed was what I saw. Encrypt this file and save it. Identify yourself to this high security area.

18 18 Dimensions of the Trust Continuum Collaborative trust handshake consequences of breaking trust more political (ostracism, shame, etc.) fluid (additions and deletions frequent) shorter term structures tend to clubs and federations privacy issues more user-based Legal trust contractual consequences of breaking trust more financial (liabilities, fines and penalties, indemnification, etc.) more static (legal process time frames) longer term (justify the overhead) tends to hierarchies and bridges privacy issues more about laws and rules

19 19 Federation Examples InQueue (Internet2 pilot federation) InCommon (Internet2/US, forthcoming) SWITCH (Swiss federation) http://www.switch.ch/aai/deployment.html Statewide initiatives Intra-university deployments Other international collaborations

20 20 InCommon http://incommon.internet2.edu/ A federation for American higher education, initially focused on “.edu” origins. Builds an open identity infrastructure across higher education for academic and research collaboration, outsourced and governmental services, etc. Expected to serve as a trust anchor for a variety of Internet2 efforts. Low barrier to entry, minimal legalities

21 21 Practices of Interest to Members Initial identification/password assignment process for accounts Authentication mechanisms for account use Policy on the reuse of account names Business logic for key attributes, as the need arises Usage and storage of attributes by targets Current intent is descriptive, not prescriptive.

22 22 Outline What is Shibboleth? Shibboleth Federations and Trust Standards Convergence Current Status Library Considerations

23 23 SAML 1.1 http://www.oasis-open.org/committees/security Shibboleth based on SAML 1.x: SSO profiles initiated by identity provider Query/response protocol for attributes, authorization Lacking in interoperability… Standardized “opaque” identifiers Service provider initiated SSO Metadata Standardized attribute profiles

24 24 Liberty Alliance ID-FF 1.2 http://www.projectliberty.org/ Builds on SAML 1.1 to specify a suite of protocols around “identity federation”, or account linking between providers. Best features: Metadata format and exchange protocol Rich protocol for requesting authentication, permits control over strength, interactivity, re-authentication Detailed “context” data about identification and authentication during SSO

25 25 Road to Convergence Work underway on SAML 2.0: SAML 1.x deployment feedback Shibboleth use cases Liberty Alliance ID-FF specifications XACML-based authorization enhancements Standard due Q2 2004 Migration to new standard will increase commercial interoperability and functionality.

26 26 Outline What is Shibboleth? Shibboleth Federations and Trust Standards Convergence Current Status Library Considerations

27 27 1.0 available since July 2003 1.1 made available in mid-August, added Windows/IIS target support, simpler configuration Next code drop expected in March (~1.2) Internet2 pilot testing with InQueue federation Production InCommon federation being deliberately established Current Status Pilots Current Status

28 28 Getting Started http://shibboleth.internet2.edu/ Binary and source distributions available Origin components require user authentication and a raw attribute source (LDAP, JDBC, other JNDI, custom) Institutions can join InQueue to test in a federated environment Individuals can use custom configuration data for private testing

29 29 Future Work Security and metadata improvements (revocation, etc.) Apache 2 support Java support Enhanced virtual hosting of applications Better auditing Management interfaces SAML 2.0 support XACML-based resource manager

30 30 Outline What is Shibboleth? Shibboleth Federations and Trust Standards Convergence Current Status Library Considerations

31 31 Campus Deployment Two principal roles in a typical university library: Authenticating/authorizing off-campus access via proxies to non-partnering vendors Replacing location-based and other forms of weak or unwieldy authentication with partnering vendors

32 32 Changing Environment Increased demand for a more seamless transition between library and learning resources Increased acceptance of the need for stronger authentication Slow trend toward digitization of valuable materials

33 33 Some of the Outstanding Issues Identity Provider discovery and issues of multiple federations Recognition of Shibboleth authentication by service providers Direct linking to resources in a multi- authentication environment Institutional vs. library patron data

Download ppt "Shibboleth and InCommon: Making Secure Collaboration a Reality Scott Cantor Internet2/MACE and The."

Similar presentations

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
1 eAuthentication in Higher Education Tim Bornholtz Session #47.

1 eAuthentication in Higher Education Tim Bornholtz Session #47.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Welcome Acknowledgments and thanks Security Acronymny: then and now What’s working What’s proving hard.

Welcome Acknowledgments and thanks Security Acronymny: then and now What’s working What’s proving hard.
Shibboleth 1.0: Federations, Metadata, and Trust Scott Cantor The Ohio State University and Internet2 © Scott Cantor 2003. This work.

Shibboleth 1.0: Federations, Metadata, and Trust Scott Cantor The Ohio State University and Internet2 © Scott Cantor This work.
Shibboleth Update a.k.a. “shibble-ware”

Shibboleth Update a.k.a. “shibble-ware”
InCommon Policy Conference April 2005. 2 Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.

InCommon Policy Conference April Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.

Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
To identity federation and beyond! Josh Howlett JANET(UK) HEAnet 2008.

To identity federation and beyond! Josh Howlett JANET(UK) HEAnet 2008.

Similar presentations

Ads by Google