Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Protection and Security: Shibboleth. 2 Outline What is the problem Shibboleth is trying to solve? What are the key concepts? How does the Shibboleth.

Published byDylan Small Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Protection and Security: Shibboleth. 2 Outline What is the problem Shibboleth is trying to solve? What are the key concepts? How does the Shibboleth."— Presentation transcript:

1 1 Protection and Security: Shibboleth

2 2 Outline What is the problem Shibboleth is trying to solve? What are the key concepts? How does the Shibboleth protocol work? What is the high-level Shibboleth architecture? How are attributes managed? Summary and references

3 3 Some philosophies of Shibboleth Federated Administration  A trust fabric exists between campuses, allowing each site to identify the other speaker, and assign a trust level  Provider sites are responsible for authenticating their users, but can use any reliable means to do this Access Control Based On Attributes Active Management of Privacy.  The Identity Provider (origin) site, and the browser user, control what information is released to the Service Provider (target)

4 4 Example problems that Shibboleth is intended to solve Campus A wants to share an on-line service (e.g., an on-line course, computing resource, …) to authorized users on Campus B Campus C wants to provide access to restricted digital content to members of a collaborative research group from many locations User X wants to access restricted digital content on AIDS research at a remote site for research purposes, but does not want to reveal his identity to the remote site for personal reasons.

5 5 More Example Problems Students use licensed library materials regardless of their location Want to allow users to access many types of resources but to maintain fewer accounts and passwords per user and between institutions Access based on roles instead of hard-coding of user names

6 6 Key Concepts Security  A goal is to protect servers, communications, networks, hosts, personal information  Each of these may have distinct authentication and authorization needs networks (denial of service, physical infrastructure) hosts (OS bugs, miss-settings, etc.) personal information and communication (signed and encrypted email, directory protection, etc,)  some technologies (PKI, firewalls, etc.) can serve several areas

7 7 Key Concepts Authentication and Authorization  A user is authenticated when you are sure that the user is who he/she claims to be (e.g., that user logs in to an account with a password).  A user is authorized to use a resource if he/she is allowed to have access to it. Authorization always implies authentication.  Shibboleth separates the step of authentication and the step of authorization to use a resource.

8 8 Key Concepts  Authentication in the real world is hard because you have to trust the authenticator Trust  A goal of Shibboleth is to develop a continuum of trusted entities and community infrastructure trust models

9 9 Key Concepts Privacy  Passive privacy - The current approach A user passes identity to a service, and then worries about the service's privacy policy. To comply with privacy, services have significant regulatory requirements.  Active privacy - A new approach. A user (through their security domain) can pass attributes to the service that are not necessarily personally identifiable. If they are personally identifiable, the user decides whether to release them A goal of Shibboleth is to move to active privacy

10 10 Key Concepts Continuum of Trust  Collaborative trust at one end You can look at my calendar; students in Physics 201 at Brown can access this on-line sensor; members of the UWash community can access this licensed resource Consequences are political or social; shorter term; structures tend to clubs and federations  Legal trust at the other end Sign this document and guarantee that what was signed was what I saw; identity access to a high security area Consequences include financial liabilities, legal process; structures tend to hierarchies and bridges

11 11 Interrealm Trust Structures Federated administrations  Basic bilateral (e.g., origin and target)  Complex bilateral; multilateral  Virtual organizations and Grids Trust hierarchies  Certificate Authorities are trusted by users and service providers  May assert formal or stronger trust than federations  Bridges and policy mappings are required to connect hierarchies  Appear larger scale than federations

12 12 Simple view of Shibboleth components Resource WAYF Identity Provider Service Provider Web Site 1 ACS 3 2 HS 5 6 7 User DB Credentials 4 AR Handle 8 9 AA Attributes 10 Resource Manager Attributes © SWITCH

13 13 Key Concepts Brokering authorization and authentication  The Identity Provider is a broker of authentication and authorization between the user and the service provider, respecting security and privacy, in an appropriate trust fabric  Authenticate a user using a local (campus) authentication mechanism, and send a handle to a service provider

14 14 Key Concepts Trust in transactions  The user trusts the Identity Provider (origin) to faithfully represent its attributes to targets and obey privacy rules  The Identity Provide trusts the user to obey its authentication and authorization rules  The Service Provider (target) trusts the origin to accurately manage and communicate user attributes and respect the user's privacy settings  The Identity Provider trusts the target to take the appropriate transaction actions and to not misuse the user's information.

15 15 The Shibboleth Protocol Resource WAYF Identity Provider Service Provider Web Site 1 ACS I don’t know you. Not even which home org you are from. I redirect your request to the WAYF 3 2 Please tell me where are you from? HS 5 6 I don’t know you. Please authenticate Using WEBLOGIN 7 User DB Credentials OK, I know you now. I redirect your request to the target, together with a handle 4 OK, I redirect your request now to the Handle Service of your home org. AR Handle 8 I don’t know the attributes of this user. Let’s ask the Attribute Authority Handle 9 AA Let’s pass over the attributes the user has allowed me to release Attributes 10 Resource Manager Attributes OK, based on the attributes, I grant access to the resource

16 16 High Level Architecture Federations provide common Policy and Trust Service and Identity Provider site collaborate to provide a privacy-preserving “context” for Shibboleth users Identity Provider site authenticates user, asserts Attributes Service Provider site requests attributes about user directly from Identity Provider site Service Provider site makes an Access Control Decision Users (and Identity Provider organizations) can control what attributes are released

17 17 Trust, and Identifying Speakers Federations distribute files defining the trust fabric Individual sites can create bilateral trust When a Service Provider receives a request to create a session, the Authorization Assertion must be signed by the Identity Provider (using PKI validation), and must be a member of a common Federation. When an Identity Provider receives a request for attributes, it must be transported across SSL. The name of the Requestor (from the certificate) and the name of the user (mapped from the Handle) are used to locate the appropriate ARP.

18 18 Technical Components Identity Provider Site – Required Enterprise Infrastructure  Authentication  Attribute Repository Identity Provider Site – Shibboleth Components  Handle Server  Attribute Authority Service Provider Site - Required Enterprise Infrastructure  Web Server (Apache or IIS) Service Provider Site – Shibboleth Components  Assertion Consumer Service - SHIRE  Attribute Requester - SHAR  Resource Manager Where Are You From Service - WAYF

19 19 Managing Attribute Release Policies The Attribute Authority provides ARP management tools/interfaces.  Different ARPs for different targets  Each ARP Specifies which attributes and which values to release  Institutional ARPs (default) administrative default policies and default attributes Site can force include and exclude  User ARPs managed via “MyAA” web interface  Release set determined by “combining” Default and User ARP for the specified resource

20 20 Typical Attributes in the Higher Ed Community Affiliation“active member of community” member@washington.e du EPPNIdentitygettes@duke.edu EntitlementAn agreed upon opaque URI urn:mace:vendor:contra ct1234 OrgUnitDepartmentEconomics Department EnrolledCourseOpaque course identifier urn:mace:osu.edu:Phys ics201

21 21 The Target Manages Attribute Acceptance Rules that define who can assert what…..  MIT can assert student@mit.edu  Chicago can assert staff@argonne.gov  Brown CANNOT assert student@mit.edu

22 22 Summary Shibboleth is a tool for enabling users at diverse to have secure, protected, and private access to remote services It brokers authentication and authorization through the use of local enterprise services It relies on a trusted fabric of federations and trust hierarchies It provides tools for managing the release and acceptance of attributes

23 23 References Ken Klingenstein (Internet2), Concepts & Scenarios, Shibboleth, Certs, and PKI Workshop Presentations http://www.stonesoup.org/Meetings/0201/shib.pres/kling.htm http://www.stonesoup.org/Meetings/0201/shib.pres/kling.htm Michael Gettes (Georgetown, Duke), Introduction to Shibboleth http://www.educause.edu/asp/doclib/abstract.asp?ID=EAF0429 http://www.educause.edu/asp/doclib/abstract.asp?ID=EAF0429 http://shibboleth.internet2.edu

Download ppt "1 Protection and Security: Shibboleth. 2 Outline What is the problem Shibboleth is trying to solve? What are the key concepts? How does the Shibboleth."

Similar presentations

Inter-Institutional Registration UNC Cause December 4, 2007.

Inter-Institutional Registration UNC Cause December 4, 2007.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
High Performance Computing Course Notes 2007-2008 Grid Computing.

High Performance Computing Course Notes Grid Computing.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.

ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
Using Digital Credentials On The World-Wide Web M. Winslett.

Using Digital Credentials On The World-Wide Web M. Winslett.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.
Welcome Acknowledgments and thanks Security Acronymny: then and now What’s working What’s proving hard.

Welcome Acknowledgments and thanks Security Acronymny: then and now What’s working What’s proving hard.
Shibboleth Update a.k.a. “shibble-ware”

Shibboleth Update a.k.a. “shibble-ware”
InCommon Policy Conference April 2005. 2 Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.

InCommon Policy Conference April Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Similar presentations

Ads by Google