Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

Published byReginald Todd Modified over 8 years ago

Similar presentations

Presentation on theme: "SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University."— Presentation transcript:

1 SAML-based Delegation in Shibboleth Scott Cantor cantor.2@osu.edu Internet2/The Ohio State University

2 Quick History Shibboleth announced for browser-based authentication to web sites, first lines of code written Next day, first post to mailing list asking about web services

3 Change in Direction Architectural emphasis in SAML / WS-* is on message-based security and SOAP Developers want session-based security and REST

4 Technical Requirements HTTP-based services (SOAP or REST) Security no weaker than browser-based SSO (i.e., bearer tokens) Evolutionary path to stronger security based on private keys controlled by delegates Attribute-based Federated Privacy-capable (hide user information from delegate) Standards-based where possible Application transparency

5 SAML-based Solution Leverage SAML 2 Enhanced Client / Proxy SSO profile in place of Browser SSO profile between delegate and web service Leverage WS-Security and WS-Addressing profiles between delegate and IdP, influenced by or directly reused from Liberty Alliance work

6 Identity Provider Enhancements Assertions issued for SSO optionally extended such that a delegate can authenticate back to IdP as user SAML 2 ECP SSO profile using extended assertion + SSL client auth Policy controls: Which SPs can be delegates What WSPs an SP can access as delegate Length of delegation chain Attribute release based on use of delegation

7 Service Provider Enhancements Decision made to "break" existing applications if a delegated assertion presented Revamp policy and SSO profile code to make assertion evaluation easily extensible (e.g., accepting delegated assertions) Expose delegation chain to applications via SP-defined header/variable

8 Application Changes Targeting applications using Shibboleth SP for authentication Disallow delegation: no changes Accept but ignore: add policy rule to SP configuration Accept and process: add policy rule and process chain from header/variable

9 Phase II Initial prototype treats portal and portlets as a single security principal/identity in chain Technical proposal allows for portal to acquire new tokens on behalf of portlets to give them presence in final token Requires stand-alone token exchange between portal and IdP

10 Phase III Holder of key adaptation of ECP, binding delegation token to delegate's client certificate If necessary, support for message signing between delegate and IdP as alternative to SSL client authentication

11 A Note on OAuth As in, why not OAuth? Feel free, what's stopping you? OAuth relies on a service to define its own security token; you don't need Shibboleth or SAML if that's your model You do need capability to redirect client to the service

Download ppt "SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Shibboleth 2.0 and Beyond Chad La Joie Georgetown University Internet2.

Shibboleth 2.0 and Beyond Chad La Joie Georgetown University Internet2.
Contrail and Federated Identity Management

Contrail and Federated Identity Management
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
Will Darby 91.514 5 April 2010.  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
® Practical Approaches to Web Services Authentication 72nd OGC Technical Committee Frascati, Italy Fiona Culloch March 9, 2010 Sponsored and hosted by.

® Practical Approaches to Web Services Authentication 72nd OGC Technical Committee Frascati, Italy Fiona Culloch March 9, 2010 Sponsored and hosted by.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.

Carl A. Foster.  What is SAML?  Security Assertion and Markup Language is an XML-based standard for exchanging authentication and authorization between.
Architecting a Complete Solution for the Cloud Economy Delivering Standards-Based Access Control Marc Chanliau Oracle Identity Management Bernard Diwakar.

Architecting a Complete Solution for the Cloud Economy Delivering Standards-Based Access Control Marc Chanliau Oracle Identity Management Bernard Diwakar.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.

GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.
Identity-Enabling Web Applications Scott Cantor Internet2/The Ohio State University.

Identity-Enabling Web Applications Scott Cantor Internet2/The Ohio State University.
Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.

Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Similar presentations

Ads by Google