Download presentation
Presentation is loading. Please wait.
Published byStephany Lane Modified over 9 years ago
1
Shibboleth Update Michael Gettes Principal Technologist Georgetown University Ken Klingenstein Director Interne2 Middleware Initiative
2
2 Target Web Server Origin Site Target Site Browser Authentication Phase First Access - Unauthenticated Authorization Phase Pass content if user is allowed Shibboleth Architecture Concepts - High Level
3
3 Second Access - Authenticated Target Web Server Origin Site Target Site Browser First Access - Unauthenticated Web Login Server Redirect User to Local Web Login Ask to Obtain Entitlements Pass entitlements for authz decision Pass content if user is allowed Authentication Attribute Server Entitlements Auth OK Req Ent Ent Prompt Authentication Phase Authorization Phase Success! Shibboleth Architecture Concepts (detail)
4
4 Shibboleth Architecture
5
5 Shibboleth Components
6
6 Descriptions of services 1.local authn server - assumed part of the campus environment 2.web sso server - typically works with local authn service to provide web single sign-on 3.resource manager proxy, resource manager - may serve as control points for actual web page access 4.attribute authority - assembles/disassembles/validates signed XML objects using attribute repository and policy tables 5.attribute repository - an LDAP directory, or roles database or…. 6.Where are you from service - one possible way to direct external users to their own local authn service 7.attribute mapper - converts user entitlements into local authorization values 8.PDP - policy decision points - decide if user attributes meet authorization requirements 9.SHAR - Shibboleth Attribute Requestor - used by target to request user attributes
7
7 Shibboleth Flows Draft
8
8 Target Web Server Origin Site Target Site Browser Shibboleth Architecture -- Managing Trust TRUST Attribute Server Shib engine
9
9 Personal Privacy Web Login Server provides a pseudononymous identity An Attribute Authority releases Personal Information associated with that pseudnonymous identity to site X based on: Site Defaults –Business Rules User control –myAA Filtered by –Contract provisions My AA Site Defaults Contact Provisions Browser User
10
10 Managing ARPs
11
Middleware Marketing
12
12 Drivers of Vapor Convergence JA-SIG uPortal Authen OKI/Web Authentication Local Web SSO Pressures We all get Web SSO for Local Authentication and an Enterprise Authorization Framework with an Integrated Portal that will all work inter- institutionally! Shibboleth Inter-Realm AuthZ
13
13 Middleware Inputs & Outputs Grids JA-SIG & uPortalOKIInter-realmcalendaring Shibboleth, eduPerson, Affiliated Dirs, etc. EnterpriseDirectoryEnterpriseAuthenticationLegacySystemsCampus Web SSO futures EnterpriseauthZ LicensedResourcesEmbedded App Security
14
Errata--ica
15
15 National Science Foundation NMI program $12 million over 3 years www.nsf-middleware.org Middleware Service Providors, Integrators, Distributors GRID (Globus) Internet2 + EDUCAUSE + SURA May 2002 – first set of deliverables from all parties
16
16 The Liberty Alliance www.project-liberty.org Sun Microsystems, American Express, United Airlines, Nokia, MasterCard, AOL Time Warner, American Airlines, Bank of America, Cisco, France Telecom, Intuit, NTT DoCoMo, Verisign, Schlumberger, Sony … Initiated in September 2001. Protect Privacy, Federated Administration, Interoperability, Standards based but requires new technology, hard problems to solve, a Network Identity Service Funny, doesn’t this stuff sound familiar?
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.