Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shibboleth A Federated Approach to Authentication and Authorization Fed/Ed PKI Meeting June 16, 2004.

Published byEdith Wilson Modified over 8 years ago

Similar presentations

Presentation on theme: "Shibboleth A Federated Approach to Authentication and Authorization Fed/Ed PKI Meeting June 16, 2004."— Presentation transcript:

1 Shibboleth A Federated Approach to Authentication and Authorization Fed/Ed PKI Meeting June 16, 2004

2 Agenda Shibboleth - Shibboleth Background and Status Technical Review -- how does it work? Shibboleth - Why? Who is Using Shibboleth? Federations

3 What is Shibboleth? An initiative to develop an architecture and policy framework supporting the sharing – between domains -- of secured web resources and services Built on a “Federated” Model A project delivering an open source implementation of the architecture and framework Deliverables: –Software for Identity Providers (campuses) –Software for Service Providers (vendors) –Operational Federations (scalable trust)

4 Shibboleth Goals Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions Provide security while not degrading privacy. –Attribute-based Access Control Foster interrealm trust fabrics: federations and virtual organizations Leverage campus expertise and build rough consensus Influence the marketplace; develop where necessary Support for heterogenity and open standards

5 Attribute-based Authorization Identity-based approach –The identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access. –This approach requires the user to trust the target to protect privacy. Attribute-based approach –Attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision. –Identity can be an Attribute value –This approach does not degrade privacy.

6 Stage 1 - Addressing Four Scenario’s Member of campus community accessing licensed resource –Anonymity required Member of a course accessing remotely controlled resource –Anonymity required Member of a workgroup accessing controlled resources –Controlled by unique identifiers (e.g. name) Intra-university information access –Controlled by a variety of identifiers Taken individually, each of these situations can be solved in a variety of straightforward ways. Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.

7 Shibboleth Status Software Availability –Version 1.1 available August, 2003 –Version 1.2 available June, 2004 –Version 1.3 available Fall, 2003 –Service Provider implementation - works with Apache and IIS targets –Multi-Federation support Campus Adoption accelerating… Growing number, variety of vendors providing support Used by several federations today – NSDL, InQueue, Work underway on some of the essential management tools such as attribute release managers, target resource management, etc.

8 Shibboleth Soon… V2.0 will support SAML 2.0 specification, which incorporates much of the Liberty Alliance work Microsoft - WS-Sec Product Mgr - “ very aware of Shibboleth and that Shibboleth and what they are doing should play together just fine” Exploring non-web use cases (eg SOAP, GRIDs, P2P, etc) Growing development interest in several countries, providing resource manager tools, digital rights SWITCH and several more soon (JISC, Australia, etc.)

9 How Does Shibboleth Work?

10 High Level Architecture Federations provide common Policy and Trust Destination and origin site collaborate to provide a privacy-preserving “context” for Shibboleth users Origin site authenticates user, asserts Attributes Destination site requests attributes about user directly from origin site Destination site makes an Access Control Decision Users (and origin organizations) can control what attributes are released

11 Technical Components Identity Provider Site – Required Enterprise Infrastructure –Authentication –Attribute Repository Identity Provider Site – Shib Components –Handle Server –Attribute Authority Service Provider Site - Required Enterprise Infrastructure –Web Server (Apache or IIS) Service Provider Site – Shib Components –SHIRE –SHAR –WAYF –Resource Manager

12 Managing Authorization Federations will NOT require members to do business with each other Target manages Access Control Policy specifying –what attributes must be supplied –and from which origins –in order to gain access to specific resources Rules are attribute based

13 Shibboleth -- WHY? Higher Ed is a collaborative enterprise Research is a collaborative enterprise Federated Administration Simplifies Management and Use of Distributed Systems Federated Approach Improves Security Use of attributes allows fine-grained access control

14 Who is Using Shibboleth? 50+ campuses currently members of InQueue EduCause-sponsored “Shibboleth CAMP” in June –130+ registered attendees –First day features an Install Fest…. There is momentum…….

15 Federal E-Authentication Initiative Pursuing a Federated Identity Architecture Shibboleth Pilot/Interoperability testing later this summer

16 Shibboleth Outside the US UK - JISC - recent Middleware initiative –http://www.jisc.ac.uk/c01_04.htmlhttp://www.jisc.ac.uk/c01_04.html –Supporting eight Shibboleth-related projects –One project is managing a country-wide deploy –UK- - BECTA (K12) Has adopted Shibboleth as a countrywide standard Switzerland –http://www.switch.ch/aai/shibboleth.htmlhttp://www.switch.ch/aai/shibboleth.html Finland Australia…..

17 Currently participating publishers, aggregators, technology partners Round 1 –OCLC –JSTOR –EBSCO –Elsevier –Ex-Libris (sfx) Round 2 (being approached now) –CSA (Cambridge Scientific Abstracts) –ISI –Ovid –Proquest –Gale Group –Lexis-Nexis

18 Other Technology Partners LMS Systems –Blackboard –WebCT –WebAssign Syquest/ Higher Markets Student Charge Card vendors Napster EZProxy ArtSTOR

19 Other Pilot Projects American Association of Medical Colleges NSDL (National Science Digital Library) SWITCH - The Swiss National Academic Community UK/JISC - Controlled Access to Licensed Resources Becta (British Educational Communications and Technology Agency) Univ Texas, Medical Center and instruction Washington Research Library Consortium (WRLC)

20 Shib Academic SIG Lots of interesting design issues for use of Shib, e.g –Passing attributes during deep-linked text –Handling meta-search engines –Managing persistent identifiers where needed –Dealing with proxies in a semi-Shibbed world The issues so far have all been solvable; the challenge is in picking the right solution. Subscribe and participate via the I2 listserv at http://www.internet2.edu/about/lists.html (sigh, soon to be Shibbed…) http://www.internet2.edu/about/lists.html

21 Federations

22 What are federations? Associations of enterprises that come together to exchange information about their users and resources in order to enable collaborations and transactions Built on the premise of –Initially “Authenticate locally, act globally” –Now, “Enroll and authenticate and attribute locally, act federally.” Federation provides only modest operational support and consistency in how members communicate with each other Enterprises (and users) retain control over what attributes are released to a resource; the resources retain control (though they may delegate) over the authorization decision. Over time, this will all change…

23 Requirements for federations Federation operations Federating software –Exchange assertions –Link and unlink identities Federation data schema Federation privacy and security requirements

24 Shibboleth-based federations InQueue InCommon Club Shib Swiss Education and Research Network (SWITCH) National Science, etc. Digital Library (NSDL) ------------------------------------ State networks Medical networks Financial aid networks Life-long learning communities

25 InQueue The “holding pond” Is a persistent federation with “passing-through” membership… Operational today. Can apply for membership via http://shibboleth.internet2.edu/ InQueue Federation guidelines http://shibboleth.internet2.edu/ Requires eduPerson attributes Operated by Internet2; open to almost anyone using Shibboleth in an R&E setting or not… Fees and service profile to be established shortly: cost- recovery basis

26 InCommon basics Carrie will describe….

27 Global Federations Oct meeting in the Cotswalds of representatives from TEN national Federations Identify and begin to work through policy mapping, trust mapping, usage and operational issues Some vendors interested in attending

28 So… What is Shibboleth? A Web Single-Signon System (SSO)? An Access Control Mechanism for Attributes? A Standard Interface and Vocabulary for Attributes? A Standard for Adding Authn and Authz to Applications?

29 THE END Acknowledgements: Design Team: David Wasley (U of C); RL ‘Bob’ Morgan (U of Washington); Keith Hazelton (U of Wisconsin (Madison));Marlena Erdos (IBM/Tivoli); Steven Carmody (Brown); Scott Cantor (Ohio State) Important Contributions from: Ken Klingenstein (I2); Michael Gettes (Duke), Scott Fullerton (Madison) Coding: Derek Atkins (MIT), Parviz Dousti (CMU), Scott Cantor (OSU), Walter Hoehn (Columbia)

30

31

Download ppt "Shibboleth A Federated Approach to Authentication and Authorization Fed/Ed PKI Meeting June 16, 2004."

Similar presentations

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
Welcome to CAMP Shibboleth Ken Klingenstein, Director, Internet2 Middleware Initiative.

Welcome to CAMP Shibboleth Ken Klingenstein, Director, Internet2 Middleware Initiative.
Shibboleth: How It Relates to SAML Marlena Erdos Aug 27, 2001.

Shibboleth: How It Relates to SAML Marlena Erdos Aug 27, 2001.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.

ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
UCLA’s Shibboleth Plan Shibboleth is an integral part of UCLA’s Enterprise Directory & Identity Management Infrastructure (EDIMI) Project Integrate with.

UCLA’s Shibboleth Plan Shibboleth is an integral part of UCLA’s Enterprise Directory & Identity Management Infrastructure (EDIMI) Project Integrate with.
June 30, 2004CAMP Shibboleth Implementation Workshop Shibboleth Mockup - ARP GUI Management by Steven Carmody Brown University proxy Walter Hoehn.

June 30, 2004CAMP Shibboleth Implementation Workshop Shibboleth Mockup - ARP GUI Management by Steven Carmody Brown University proxy Walter Hoehn.
Shibboleth Update a.k.a. “shibble-ware”

Shibboleth Update a.k.a. “shibble-ware”
InCommon Policy Conference April 2005. 2 Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.

InCommon Policy Conference April Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.
Shibboleth and InCommon: Making Secure Collaboration a Reality Scott Cantor Internet2/MACE and The.

Shibboleth and InCommon: Making Secure Collaboration a Reality Scott Cantor Internet2/MACE and The.
Welcome to CAMP Identity Management Integration Workshop Ann West NMI-EDIT EDUCAUSE/Internet2.

Welcome to CAMP Identity Management Integration Workshop Ann West NMI-EDIT EDUCAUSE/Internet2.
Project Shibboleth Update, Demonstration and Discussion Michael R Gettes Duke University (on behalf of the entire shib team!!!) June.

Project Shibboleth Update, Demonstration and Discussion Michael R Gettes Duke University (on behalf of the entire shib team!!!) June.
Shib in the present and the future Ken Klingenstein Director, Internet2 Middleware and Security.

Shib in the present and the future Ken Klingenstein Director, Internet2 Middleware and Security.
3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.

3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.
1 The Partnership Challenge Higher education’s missions are realized in increasingly global, collaborative, online relationships –Higher educations’ digital.

1 The Partnership Challenge Higher education’s missions are realized in increasingly global, collaborative, online relationships –Higher educations’ digital.
Shibboleth Architecture and Requirements Shibboleth A New Approach to Web Based Access Control CNI April 4, 2005.

Shibboleth Architecture and Requirements Shibboleth A New Approach to Web Based Access Control CNI April 4, 2005.
7 October 2015 Shibboleth. Agenda  Shibboleth Background and Status  Why is Shibboleth Important (to Higher Ed)?  Current Pilots Course Management.

7 October 2015 Shibboleth. Agenda  Shibboleth Background and Status  Why is Shibboleth Important (to Higher Ed)?  Current Pilots Course Management.
Shibboleth & Federations Renee’ Shuey May 4, 2004 ITS – Emerging Technologies The Pennsylvania State Universtiy.

Shibboleth & Federations Renee’ Shuey May 4, 2004 ITS – Emerging Technologies The Pennsylvania State Universtiy.

Similar presentations

Ads by Google