Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry
Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS’2006, Tartu, Estonia

Page 1: 2 years ago in Bled…

• ESUP-Portail: open-source Single Sign-On with CAS
  – Pascal Aubry, Vincent Mathieu & Julien Marchal
  – EUNIS’2004, Bled, Slovenia, July 2004

Limits (and perspectives)

• CAS deals with authentication, not authorization
  – Mixing CAS and Shibboleth?
• No redundancy
  – No native load-balancing (but low load)
  – No fault-tolerance (but very good reliability)
• No Single Sign-Off
• Very poor documentation

Page 2: Open-source Identity Federation with Shibboleth

Copyright © 2006 – ESUP-Portail consortium – University of Rennes 1 – Pascal Aubry

Pascal Aubry, University of Rennes 1, ESUP-Portail consortium
EUNIS’2006, Tartu, Estonia

Learn Shibboleth in 20 minutes
Shibboleth for the impatient

Page 3: Need and context

• Need: give outside users access to web resources
• Context
  – No interoperability
  – Single Sign-On inside each establishment
  – Need for collaboration

Page 4: Once upon a time… (greetings to SWITCHaai)

• Some resources not protected at all
• Access control based on IP addresses often used
• Issues with user management at resource level
• So many login processes
• So many accounts and passwords
• Almost no resource shared by several establishments

[Diagram: University A, Library B and Research lab C, each with its own identity management, authentication and access control in front of its resources (Sympa, Moodle, Thesis, Search engine, Publications)]

Page 5: With SSO, it was a little better

[Diagram as on page 4]

Page 6: With SSO, it was a little better

• Locally, yes…
• but still the same everywhere else!

[Diagram as on page 4]

Page 7: Fortunately, Identity Federation has come!

[Diagram as on page 4]

Page 8: Fortunately, Identity Federation has come!

• No user management at resource level
• Users authenticate only once, in their own establishment
• Users gain access to new resources
• Resources have a much larger audience

[Diagram as on page 4]

Page 9: Shibboleth, the SSO and the LDAP directory

• Shibboleth replaces neither the SSO nor the LDAP directory
• Shibboleth needs both the SSO and the LDAP directory

Page 10: Formats, protocols and tools

• Format SAML
  – Protocol Shibboleth: tool Shibboleth
  – Protocol Liberty Alliance: tools SourceID, Sun, LASSO, Oblix
• Format WS-*
  – Protocol WS-Federation: tool ADFS

Page 11: The choice of Shibboleth

• Advanced features
  – Attribute management
  – Anonymization
  – Trust (PKI) management
• Adapted to our environment
  – Several Identity Providers
• Interoperability
  – Integration with the Information System
  – Many applications already Shibbolized
  – Already adopted by other colleagues (USA, Switzerland, UK, Finland…)
  – Non-intrusive solution
• In any case, more and more interoperability with other tools in the future, thanks to SAML 2.0

Page 12: Shibboleth, it’s easy ;-)

• Many actors
• Many interactions

[Diagram: web browser; WAYF; SSO server; Identity Provider (authentication service, authentication authority, attribute authority, user database); Service Provider (assertion consumer, attribute requester, access controller, resource). Items exchanged: userId, password, ssoId, ticket, nameId, attributes]

Page 13: Without Single Sign On

[Diagram: web browser and Service Provider (SP)]

Page 14: Without Single Sign On (first request to a SP)

[Diagram: web browser, Identity Provider (IdP), Service Provider (SP)]

Page 15: Without Single Sign On (first request to a SP)

[Diagram: the browser sends userId and password to the IdP; the IdP returns a nameId, which the browser carries to the SP; the SP presents that nameId to the IdP and receives the user’s attributes]

Page 16: Without Single Sign On (first request to a SP)

[Diagram: the same exchange between browser, IdP and SP numbered 1 to 4; the user types userId and password]

Page 17: Without Single Sign On (next requests to the same SP)

[Diagram: web browser, Identity Provider (IdP), Service Provider (SP); no new exchange with the IdP]

Page 18: Service Provider architecture

[Diagram: the Service Provider (SP) is made of an assertion consumer, an attribute requester, an access controller and the resource. The browser sends userId and password to the Identity Provider (IdP); the nameId comes back through the browser to the assertion consumer; the attribute requester exchanges the nameId for attributes with the IdP; the access controller uses those attributes to grant access to the resource]

Page 19: Identity Provider architecture

[Diagram: the Identity Provider (IdP) is made of an authentication service, an authentication authority, an attribute authority and a user database. The browser sends userId and password to the authentication service; the authentication authority issues the nameId; the attribute authority looks up the userId in the user database and returns attributes to the SP’s attribute requester]

Page 20: What is Shibboleth?

[Diagram as on pages 18 and 19, with four “Shibboleth” labels marking the components Shibboleth provides; the authentication service (SSO), the user database, the browser and the resource are not among them]

Page 21: With Single Sign On (first request to a SP)

[Diagram as on page 19, with an SSO server added next to the IdP’s authentication service]

Page 22: With Single Sign On (first request to a SP)

[Diagram: the browser sends userId and password to the SSO server and receives a ticket; the ticket is presented to the IdP’s authentication service, which validates it with the SSO server and obtains the userId; the authentication authority issues a nameId that the browser carries to the SP’s assertion consumer; the attribute requester presents the nameId to the attribute authority, which reads the userId’s attributes from the user database and returns them to the access controller]
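The exchange of pages 21 to 25, as an added example that is not part of the original slides and is not ESUP-Portail or Shibboleth code: a Python sketch in which a CAS-like SSO server issues single-use tickets bound to a service, the IdP validates a ticket and issues an opaque nameId bound to one SP, and the SP pulls attributes for that nameId before its access controller decides. The user entry, the password, the entity URLs, the per-SP attribute release policy and the handle lifetime are all constructed assumptions.

```python
import secrets
import time

# Constructed sample data (not from the slides): one directory entry, one SSO password.
USER_DATABASE = {
    "jdupont": {"uid": "jdupont", "affiliation": "student",
                "speciality": "mathematics", "mail": "jdupont@univ-a.example"},
}
SSO_PASSWORDS = {"jdupont": "correct horse"}
HANDLE_TTL_SECONDS = 300  # assumed lifetime of a nameId handle


class SSOServer:
    """CAS-like SSO server: the user logs in once (ssoId cookie), then gets
    single-use tickets, each bound to the service that will validate it."""

    def __init__(self):
        self.sessions = {}  # ssoId -> userId
        self.tickets = {}   # ticket -> (userId, service)

    def login(self, user_id, password):
        if SSO_PASSWORDS.get(user_id) != password:
            raise PermissionError("bad credentials")
        sso_id = "sso-" + secrets.token_urlsafe(16)
        self.sessions[sso_id] = user_id
        return sso_id

    def ticket_for(self, sso_id, service):
        ticket = "ST-" + secrets.token_urlsafe(16)
        self.tickets[ticket] = (self.sessions[sso_id], service)
        return ticket

    def validate(self, ticket, service):
        # pop(): a ticket validates exactly once, so a replayed ticket fails
        user_id, bound_service = self.tickets.pop(ticket, (None, None))
        return user_id if bound_service == service else None


class IdentityProvider:
    """Authentication service + authentication authority + attribute authority,
    in front of the SSO server and the user database (neither is replaced)."""
    URL = "https://idp.univ-a.example/shibboleth"  # assumed entity URL
    # Assumed attribute release policy: what each SP is allowed to see.
    RELEASE = {
        "https://moodle.univ-b.example/shibboleth": {"affiliation", "speciality"},
        "https://sympa.lab-c.example/shibboleth": {"affiliation"},
    }

    def __init__(self, sso):
        self.sso = sso
        self.handles = {}  # nameId -> (userId, sp, expiry)

    def authentication_service(self, ticket, sp):
        """Validate the SSO ticket, then issue an opaque nameId bound to this SP."""
        user_id = self.sso.validate(ticket, self.URL)
        if user_id is None:
            raise PermissionError("SSO ticket invalid or already used")
        name_id = "_" + secrets.token_hex(16)  # random: reveals nothing about the user
        self.handles[name_id] = (user_id, sp, time.time() + HANDLE_TTL_SECONDS)
        return name_id

    def attribute_authority(self, name_id, sp):
        """Resolve a nameId back to the user and release only the allowed attributes."""
        user_id, bound_sp, expiry = self.handles.get(name_id, (None, None, 0.0))
        if user_id is None or bound_sp != sp or time.time() > expiry:
            return {}  # unknown, foreign or expired handle: release nothing
        allowed = self.RELEASE.get(sp, set())
        return {k: v for k, v in USER_DATABASE[user_id].items() if k in allowed}


class ServiceProvider:
    """Assertion consumer + attribute requester + access controller."""

    def __init__(self, url, idp, required_affiliation="student"):
        self.url, self.idp, self.required = url, idp, required_affiliation
        self.sessions = {}  # nameId -> attributes

    def assertion_consumer(self, name_id):
        # attribute requester: pull the attributes for this handle from the IdP
        attrs = self.idp.attribute_authority(name_id, self.url)
        self.sessions[name_id] = attrs
        return attrs

    def access_controller(self, name_id):
        return self.sessions.get(name_id, {}).get("affiliation") == self.required


def first_request(sso, idp, sp, user_id, password):
    """Page 22 as one call chain; returns (nameId, access granted, ssoId)."""
    sso_id = sso.login(user_id, password)                  # userId/password to the SSO server
    ticket = sso.ticket_for(sso_id, IdentityProvider.URL)  # ticket for the IdP
    name_id = idp.authentication_service(ticket, sp.url)   # ticket -> nameId
    sp.assertion_consumer(name_id)                         # nameId -> attributes
    return name_id, sp.access_controller(name_id), sso_id


def next_request_other_sp(sso, idp, sp, sso_id):
    """Page 25: the ssoId is reused, so no password is asked again."""
    ticket = sso.ticket_for(sso_id, IdentityProvider.URL)
    name_id = idp.authentication_service(ticket, sp.url)
    sp.assertion_consumer(name_id)
    return name_id, sp.access_controller(name_id)


if __name__ == "__main__":
    sso = SSOServer()
    idp = IdentityProvider(sso)
    moodle = ServiceProvider("https://moodle.univ-b.example/shibboleth", idp)
    name_id, granted, sso_id = first_request(sso, idp, moodle, "jdupont", "correct horse")
    print(granted, moodle.sessions[name_id])
```

Three properties of the real protocol are made explicit here and are worth checking in any deployment: a ticket validates once and only for the service it was issued to, a nameId is useless to an SP other than the one it was issued for, and the attribute authority releases per SP rather than dumping the directory entry.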

Page 23: With Single Sign On (the user’s point of view)

[Diagram as on page 22, with the exchange numbered 1 to 4; the user types userId and password once]

Page 24: With Single Sign On (next requests to the same SP)

[Diagram as on page 21; no new exchange with the IdP or the SSO server]

Page 25: With Single Sign On (next requests to another SP)

[Diagram: the browser still holds its ssoId, so the SSO server issues a new ticket without asking for the password; the IdP validates the ticket, obtains the userId and issues a new nameId for the new SP; the attributes are then fetched by that SP as on page 22]

Page 26: With Single Sign On (next requests to another SP)

[Diagram as on page 25]

Page 27: With SSO and WAYF (first request to a SP)

[Diagram as on page 21, with a WAYF (Where Are You From) service added between the browser and the IdP]

Page 28: With SSO and WAYF (first request to a SP)

[Diagram as on page 27]

Page 29: With SSO and WAYF (first request to a SP)

[Diagram: the SP first sends the browser to the WAYF, where the user picks their home establishment; the rest is the exchange of page 22: userId and password to the SSO server, ticket to the IdP, nameId to the SP, attributes back from the attribute authority]

Page 30: With SSO and WAYF (the user’s point of view)

[Diagram as on page 29, with the exchange numbered 1 to 6; the user chooses an establishment at the WAYF and types userId and password once]

Page 31: With SSO and WAYF (next requests to the same SP)

[Diagram as on page 27; no new exchange with the WAYF, the IdP or the SSO server]

Page 32: With SSO and WAYF (next requests to another SP)

[Diagram as on page 27]

Page 33: With SSO and WAYF (next requests to another SP)

[Diagram: as on page 25, the ssoId is reused for a new ticket and a new nameId is issued for the new SP, which fetches the attributes; the WAYF is consulted again for the new SP]

Page 34: With SSO and WAYF (next requests to another SP)

[Diagram as on page 33, with the exchange numbered 1 to 4; no password is typed]

Page 35: Multi-tier installations

[Diagram: the browser talks to Service Provider #1, which receives from the Identity Provider (IdP) the nameId, the attributes for SP#1 and the (encrypted) attributes for SP#2; SP#1 forwards the nameId and the (encrypted) attributes for SP#2 to Service Provider #2]

Page 36: An application: meta search engines

[Diagram: the browser talks to a Portal, which queries Content provider #1, Content provider #2, … Content provider #n on the user’s behalf]

Page 37: Anonymous access to a Service Provider

• The users’ profiles can be transmitted without any personal data
• An opaque but persistent identifier can be provided (targetedId)
• The users’ UID and global identifier are managed just like any other attribute
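How an opaque but persistent identifier and an anonymous profile can be built, as an added example that is not part of the original slides and is not Shibboleth’s own code: a keyed hash over (SP, userId) under a secret held only by the IdP gives the same value for the same user at the same SP every session, an unrelated value at any other SP, and nothing an SP can invert back to the userId. Shibboleth’s own targetedId computation differs in detail; the secret, the directory entry, the entity URLs, the release sets and the list of “personal” attributes are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample data: the IdP-held secret and one directory entry.
IDP_SECRET = b"assumed-idp-secret-salt"  # never leaves the IdP
USER_DATABASE = {
    "jdupont": {"uid": "jdupont", "mail": "jdupont@univ-a.example",
                "affiliation": "student", "speciality": "mathematics"},
}
PERSONAL = {"uid", "mail"}  # assumed: attributes that identify a person


def targeted_id(user_id, sp_entity_id, secret=IDP_SECRET):
    """Opaque, persistent, pairwise identifier for (user, SP).

    Same user and same SP -> same value in every session, so the SP can keep
    per-user state; a different SP -> an unrelated value, so two SPs cannot
    join their user bases; without the secret nothing links it to user_id.
    (Illustrative HMAC construction, not Shibboleth's own algorithm.)
    """
    msg = sp_entity_id.encode() + b"!" + user_id.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def release_profile(user_id, sp_entity_id, released):
    """Build the attribute set sent to one SP.

    'released' is that SP's release policy (a set of attribute names).
    'targetedId' is computed; every other name, uid included, is copied from
    the directory entry like any other attribute, so whether the SP learns
    who the user is depends only on the policy."""
    entry = USER_DATABASE[user_id]
    profile = {}
    for name in released:
        if name == "targetedId":
            profile[name] = targeted_id(user_id, sp_entity_id)
        elif name in entry:
            profile[name] = entry[name]
    return profile


def is_anonymous(profile):
    """True when the profile carries no attribute that names the person."""
    return not (PERSONAL & profile.keys())


if __name__ == "__main__":
    sp = "https://moodle.univ-b.example/shibboleth"
    print(release_profile("jdupont", sp, {"targetedId", "affiliation", "speciality"}))
```

The persistence of the identifier rests entirely on the IdP keeping the same secret: rotating it silently re-keys every SP’s user base, so rotation has to be planned as a migration rather than a routine key change.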

Page 38: The need of a common naming space

Online course reserved to students in mathematics: authorization based on the students’ profile

[Diagram: the course asks for the attribute “speciality”; University A calls it “speciality”, University B “spec” and University C “topic”]

Page 39: The need of a common semantics

Online course reserved to students in mathematics: authorization based on the students’ profile

[Diagram: University A sends speciality = mathematics, University B speciality = Mathematics, University C speciality = MATH]
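What an SP has to do about the two problems of pages 38 and 39 before it can authorize, as an added example that is not part of the original slides and is not ESUP-Portail or Shibboleth code: a per-IdP mapping of attribute names onto the federation’s names, a mapping of local values onto a common vocabulary, and an authorization rule evaluated only on the normalized result, so that anything unmapped fails closed instead of being compared as raw text. The IdP entity IDs, the mappings and the vocabulary are constructed assumptions.

```python
# Constructed per-IdP mappings. In a real federation these come from an agreed
# attribute schema (the "common naming space" and "common semantics").
NAME_MAP = {  # IdP entityId -> {local attribute name: federation attribute name}
    "https://idp.univ-a.example": {"speciality": "speciality"},
    "https://idp.univ-b.example": {"spec": "speciality"},
    "https://idp.univ-c.example": {"topic": "speciality"},
}
VALUE_MAP = {  # federation attribute -> {local value (lower-cased): common value}
    "speciality": {"mathematics": "mathematics", "math": "mathematics",
                   "maths": "mathematics", "physics": "physics"},
}


def normalize(idp_entity_id, raw_attributes):
    """Map the attributes received from one IdP onto the federation's names and
    vocabulary. Unknown IdPs, unmapped names and unmapped values are dropped,
    never passed through, so a later access decision fails closed."""
    names = NAME_MAP.get(idp_entity_id)
    if names is None:
        return {}
    normalized = {}
    for local_name, values in raw_attributes.items():
        fed_name = names.get(local_name)
        if fed_name is None:
            continue
        if isinstance(values, str):  # attributes may be multi-valued
            values = [values]
        vocab = VALUE_MAP.get(fed_name, {})
        common = {vocab[v.strip().lower()] for v in values if v.strip().lower() in vocab}
        if common:
            normalized[fed_name] = common
    return normalized


def authorize(normalized, rule):
    """rule: {federation attribute: required common value}; all clauses must hold."""
    return all(required in normalized.get(attr, set()) for attr, required in rule.items())


MATH_COURSE = {"speciality": "mathematics"}  # the rule of pages 38 and 39


def may_access_course(idp_entity_id, raw_attributes, rule=MATH_COURSE):
    """Access decision for the online course, from one IdP's raw attributes."""
    return authorize(normalize(idp_entity_id, raw_attributes), rule)


if __name__ == "__main__":
    for idp, attrs in [("https://idp.univ-a.example", {"speciality": "mathematics"}),
                       ("https://idp.univ-b.example", {"spec": "Mathematics"}),
                       ("https://idp.univ-c.example", {"topic": "MATH"})]:
        print(idp, may_access_course(idp, attrs))
```

Keying the name map on the asserting IdP is the important detail: a value that merely looks right but arrives under a name the federation never agreed with that IdP is not trusted, and a value outside the agreed vocabulary is not “probably mathematics”, it is no speciality at all.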

Page 40: References

http://shibboleth.internet2.edu
http://federation.cru.fr

Copyright © 2006 – ESUP-Portail consortium – University of Rennes 1 – Pascal Aubry
EUNIS’2006, Tartu, Estonia