Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shibboleth A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce.

Published byHerbert Todd Modified over 8 years ago

Similar presentations

Presentation on theme: "Shibboleth A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce."— Presentation transcript:

1 Shibboleth A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See --Judges xii. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. - Webster's Revised Unabridged Dictionary (1913):Webster's Revised Unabridged Dictionary (1913)

2 Shibboleth - What is it? an initiative to analyze and develop mechanisms(architectures, frameworks, protocols and implementations) for inter- institutional web access control facilitated by Mace (a committee of leading higher ed IT architects) and Internet2 “authenticate locally, act globally” the Shibboleth shibboleth oriented towards privacy and complements corporate standards efforts open solution http://middleware.internet2.edu/shibboleth vendor participation - IBM/Tivoli and OASIS

3 Isn’t This What PKI Does? PKI could do some of this and a whole lot more; as a consequence, PKI does very little right now End-to-end PKI fits the Shibboleth model, but other forms of authentication do as well Uses a lightweight certificate approach for inter-institutional communications - uses the parts of PKI that work today (server side certs) and avoids the parts of PKI that don’t work today (eg client certs). Allows campuses to use other forms of authentication locally May actually have benefits over the end-user to target-site direct interactions...

4 Related Work Previous DLF work http://www.clir.org/diglib/presentations/cnis99/sld001.htm OASIS Security Services Technical Committee (vendor activity, kicked off 1/2001) http://www.oasis-open.org/committees/security/index.shtml http://lists.oasis-open.org/archives/security-services/ UK - Athens and Sparta projects http://www.jisc.ac.uk/pub00/sparta_disc.html Spain - rediris project http://www.rediris.es/app/papi/index.en.html

5 Assumptions Leverage vendor and standards activity wherever possible (OASIS) (Initially) disturb as little of the existing campus infrastructure as possible Work with common, minimal authorization systems (eg htaccess) Encourage good campus behaviors Learn through doing Create a marketplace and reference implementations Protect Personal Privacy!

6 Stage 1 - Addressing Three Scenario’s Member of campus community accessing licensed resource Anonymity required Member of a course accessing remotely controlled resource Anonymity required Member of a workgroup accessing controlled resources Controlled by unique identifiers (e.g. name) Taken individually, each of these situations can be solved in a variety of straightforward ways. Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.

7 Architectural Model Local Authentication Local Entity Willing to Create and Sign Entitlement Set of assertions about the user (Attribute/value pairs) User has control over disclosure Identity optional “active member of community”, “Associated with Course XYZ” Target responsible for Authorization Rules engine Matches contents of entitlements against ruleset associated with target object Cross Domain Trust Previously created between origin and target Perhaps there is a contract (information providers..)

8 Target Web Server Origin Site Target Site Browser Authentication Phase First Access - Unauthenticated Authorization Phase Pass content if user is allowed Shibboleth Architecture Concepts - High Level

9 Second Access - Authenticated Target Web Server Origin Site Target Site Browser First Access - Unauthenticated Web Login Server Redirect User to Local Web Login Ask to Obtain Entitlements Pass entitlements for authz decision Pass content if user is allowed Authentication Attribute Server Entitlements Auth OK Req Ent Ent Prompt Authentication Phase Authorization Phase Success! Shibboleth Architecture Concepts (detail)

10 Shibboleth Components

11 Descriptions of services local authentication server - assumed part of the campus environment web sso server - typically works with local authn service to provide web single sign-on resource manager proxy, resource manager - may serve as control points for actual web page access attribute authority - assembles/disassembles/validates signed XML objects using attribute repository and policy tables attribute repository - an LDAP directory, or roles database or…. Where are you from service - one possible way to direct external users to their own local authn service attribute mapper - converts user entitlements into local authorization values PDP - policy decision points - decide if user attributes meet authorization requirements SHAR - Shibboleth Attribute Requestor - used by target to request user attributes

12 Shibboleth Flows Draft

13 Component Relationship Model ORIGIN TARGET

14 Authorization Attributes Typical Assertions in the Higher Ed Community EPPN=gettes@georgetown.edu “active member of the community” “active in course X” member of group “georgetown.giia ? Signed by the institution! (optional in OASIS, required in Shib)

15 Isn’t This What LDAP Does? Since this doesn’t exist yet, it can do a lot more than LDAP! (-: XML is so extensible that this is the last protocol that we’ll ever need! (-: OK, tell me really….. The key here is the CONTROLLED dissemination of attribute information, based on multiple factors.

16 Target Web Server Origin Site Target Site Browser Shibboleth Architecture -- Managing Trust TRUST Attribute Server Shib engine

17 Personal Privacy Web Login Server provides a pseudonymous identity An Attribute Authority releases Personal Information associated with that pseudonymous identity to site X based on: Site Defaults –Business Rules User control –myAA Filtered by –Contract provisions My AA Site Default s Contact Provisions Browser User

18 Charge -- OASIS Security Services Technical Committee Standardize: an XML format for "assertions” (authentication, authorization, authorization decision, access yes/no) (maybe) a (stateless ?) request/response protocol for obtaining assertions transport bindings for this protocol to HTTP, S/MIME, RMI, etc. This will be accompanied by requirements/scenarios, compliance info, security considerations, etc Out of Scope… How authentication is done Defining specific attributes (eg “member of community”) Establishing trust between origin and target Note.. Inter-product, not explicitly inter-domain

19 Shibboleth vs OASIS Security Effort vs Products OASIS Security Effort Defining Standards to support inter-operation of web access control products Vendor Products Implement Standards Add value in Authentication, Attribute Authority, PDP Shibboleth Open Source Implementation! Create Trust Framework Define Higher Ed specific Attributes (hopefully) “Where are you from?” service

20 It’s Policies All the Way Down to trust the security domain to provide attributes correctly, handle attributes responsibly, protect its signing key, etc… to set controls on the type of information that an institution will release for a remote request for attributes to translate global attributes into local syntax and semantics to handle requests to the user for a release decision in a reasonable fashion

21 It’s Policy Languages All the Way Down Club Shibboleth to reach out-of-band agreements among institutions and digital resource providers Controls for the type of information to be released to a target is a complex set of tools: a matching engine to determine the applicable policy for the target an XML oriented expression of the policy to map to local attributes a LISP (???) oriented tool to integrate policy constraints from other sources, such as the user’s preferences, etc. First pass of mapping of attributes will be from XML into eduPerson attributes User interface?????????

22 Campus and Resource Requirements To participate in Shibboleth, a site must have: Campus-wide authentication service Campus-wide identifier space (EPPN) Implementation of EduPerson objectclass Ability to generate attributes (eg “active member of the community”)

23 Issues Personal Privacy (reasonable expectation, laws) Relation to local weblogin (Single Signon) Portals Use of Shibboleth framework by services beyond the web Grid resources and users

24 Web Login SSO Local Web Login Server Portal Service 1 Service 2 Attribute Authority Shib Target Browser user

25 Relationship - Shibboleth to Portals PDP AuthN Dir Shibboleth Portal Shibboleth Portal Apps Web Res Web Login Dir Web Resource Shibboleth

26 Project Status/Next Steps Requirements and Scenarios document nearly finished IBM and Mace-Shibboleth are refining architecture and evaluating issues IBM intends to develop an Apache web module Internet2 intends to develop supporting materials (documentation, installation, etc) and web tools (for htaccess construction, filter and access control, remote resource attribute discovery). Technical design complete - May, 2001 Coding of a prototype begins June 1 Pilot sites start-up - Aug, 2001 Public demo of the prototype by the pilots - Internet2 Fall Member Meeting 2001

27 Middleware Inputs & Outputs Grids JA-SIG & uPortalOKIInter-realmcalendaring Shibboleth, eduPerson, Affiliated Dirs, etc. EnterpriseDirectoryEnterpriseAuthenticationLegacySystemsCampus web sso futures EnterpriseauthZ LicensedResourcesEmbedded App Security Shibboleth, eduPerson, and everything else

28 Questions?

Download ppt "Shibboleth A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce."

Similar presentations

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Inter-Institutional Registration UNC Cause December 4, 2007.

Inter-Institutional Registration UNC Cause December 4, 2007.
Access management for repositories: challenges and approaches for MAMS James Dalziel Professor of Learning Technology and Director, Macquarie E-Learning.

Access management for repositories: challenges and approaches for MAMS James Dalziel Professor of Learning Technology and Director, Macquarie E-Learning.
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Minding Your Own Business The Platform for Privacy Preferences Project and Privacy Minder Lorrie Faith Cranor AT&T Labs-Research

Minding Your Own Business The Platform for Privacy Preferences Project and Privacy Minder Lorrie Faith Cranor AT&T Labs-Research
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.

ICDL 2004, New Delhi1 Access Management for Digital Libraries in a well-connected World John Paschoud SECURe Project London School of Economics Library.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Shibboleth Update a.k.a. “shibble-ware”

Shibboleth Update a.k.a. “shibble-ware”
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
Project Shibboleth Update, Demonstration and Discussion Michael R Gettes Duke University (on behalf of the entire shib team!!!) June.

Project Shibboleth Update, Demonstration and Discussion Michael R Gettes Duke University (on behalf of the entire shib team!!!) June.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Middleware Activities Update Internet2 Membership, with coordination provided by Internet2 et al presentation by Renee Woodten Frost Internet2 and the.

Middleware Activities Update Internet2 Membership, with coordination provided by Internet2 et al presentation by Renee Woodten Frost Internet2 and the.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.

Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.
3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.

3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.

Similar presentations

Ads by Google