
JISC Shibboleth Briefing, 12-Mar-2004 (Slide 1)

Everything I always wanted to know about Shibboleth

John Paschoud, SECURe Project, LSE Library

…but was afraid to ask Alan Robiette

Slide 2

[contents]

• What is Shibboleth
• How it works
• Why Shibboleth
• Implications for Institutions (Origins)
• Implications for Resource-hosts (Targets)

[with lots of credit and © to Michael Gettes, and others of the NSF Middleware Initiative, for making most of the slides for me]

Slide 3

What is Shibboleth? (Biblical)

• A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce “sh”, called the word sibboleth. See Judges xii.

• Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.

Webster's Revised Unabridged Dictionary (1913)

[Judges, ch12, v5-6 (New American Standard)] The Gileadites captured the fords of the Jordan opposite Ephraim. And it happened when {any of} the fugitives of Ephraim said, "Let me cross over," the men of Gilead would say to him, "Are you an Ephraimite?" If he said, "No," then they would say to him, "Say now, 'Shibboleth.'" But he said, "Sibboleth," for he could not pronounce it correctly. Then they seized him and slew him at the fords of the Jordan.

The greatest needs of the Collectivist movement in England appear to me: Diffusion of economic and political knowledge of a real kind - as opposed to Collectivist shibboleths, and the cant and claptrap of political campaigning. [Sidney Webb: memorandum to LSE Trustees meeting on 8th Feb 1894]

Slide 4

What is Shibboleth? (modern era)

• An initiative to develop an architecture and policy framework supporting the sharing, between domains, of secured web resources and services

• A project delivering an open source implementation of the architecture and framework

• Deliverables:
  – Software for Origins (campuses)
  – Software for targets (vendors)
  – Operational Federations (scalable trust)

Slide 5

So… What is Shibboleth?

• A Web Single-Signon System (SSO)?
• An Access Control Mechanism for Attributes?
• A Standard Interface and Vocabulary for Attributes?
• A Standard for Adding Authn and Authz to Applications?

Slide 6

Shibboleth Goals

• Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions

• Provide security while not degrading privacy.
  – Attribute-based Access Control

• Foster interrealm trust fabrics: federations and virtual organizations
• Leverage campus expertise and build rough consensus
• Influence the marketplace; develop where necessary
• Support for heterogeneity and open standards

Slide 7

Attribute-based Authorization

• Identity-based approach
  – The identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access.
  – This approach requires the user to trust the target to protect privacy.

• Attribute-based approach
  – Attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision.
  – This approach does not degrade privacy.

Slide 8

Shibboleth Status

• V1.1 available August 2003
• Relatively straightforward to install, provided there is good web services understanding and middleware infrastructure (authentication, directories, webISO, etc.).
• Target - works with Apache and IIS targets; Java origins.
• V2.0 likely to include portal support.
• Work underway on some of the essential management tools such as attribute release managers, target resource management, etc.
• Can take between 3 hours and 3 years to install
  – How much infrastructure (core middleware) do you already have?

Slide 9

Shibboleth Status

• Likely to coexist well with Liberty Alliance and may work within the WS framework from Microsoft.
• Growing development interest in several countries, providing resource manager tools, digital rights management, listprocs, etc.
• Used by several federations today – NSDL, InQueue, SWITCH and several more soon (JISC, Australia, etc.)

Slide 10

How Does it Work?

Hmmmm…. It’s magic.

Slide 11

High Level Architecture

• Federations provide common Policy and Trust
• Destination and origin site collaborate to provide a privacy-preserving “context” for Shibboleth users
• Origin site authenticates user, asserts Attributes
• Destination site requests attributes about user directly from origin site
• Destination site makes an Access Control Decision
• Users (and origin organizations) can control what attributes are released

Slide 12

Technical Components

• Origin Site – Required Enterprise Infrastructure
  – Authentication
  – Attribute Repository
• Origin Site – Shib Components
  – Handle Server
  – Attribute Authority
• Target Site – Required Enterprise Infrastructure
  – Web Server (Apache or IIS)
• Target Site – Shib Components
  – SHIRE
  – SHAR
  – WAYF
  – Resource Manager

Slide 13

Shibboleth Architecture (still photo, no moving parts)

Slide 14

Shibboleth AA Process

[Diagram: three columns, Resource Owner (SHIRE, SHAR, Resource Manager), WAYF, and the User’s Home Org (HS, User DB, AA). The numbered steps and their speech bubbles read as follows.]

1. The user requests the resource from the Resource Owner.
2. SHIRE: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
3. WAYF: “Please tell me where are you from?”
4. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
5. HS: “I don’t know you. Please authenticate using WEBLOGIN.”
6. The user’s credentials are checked against the home org’s User DB.
7. HS: “OK, I know you now. I redirect your request to the target, together with a handle.”
8. SHAR (holding the Handle): “I don’t know the attributes of this user. Let’s ask the Attribute Authority.”
9. AA (given the Handle): “Let’s pass over the attributes the user has allowed me to release.”
10. Resource Manager (given the Attributes): “OK, based on the attributes, I grant access to the resource.”
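The handle-and-attribute exchange of the AA process above, together with the attribute-based authorization contrast on slide 7, as an added Python sketch that is not part of the original slides or the Shibboleth software: the origin's Handle Server mints an opaque handle only after authentication, the Attribute Authority resolves that handle once and applies a per-target attribute release policy, and the Resource Manager decides on attributes alone. The user records, the ARP dictionary shape, the target name and the librarian entitlement URN are constructed for the demo.

```python
import secrets

# Constructed sample origin data (eduPerson-style attribute names); the password field stands in for WEBLOGIN.
USER_DB = {
    "alice": {"password": "alice-pw", "eduPersonAffiliation": ["staff", "member"],
              "eduPersonEntitlement": ["urn:example:librarian"]},  # assumed URN
    "bob": {"password": "bob-pw", "eduPersonAffiliation": ["student", "member"],
            "eduPersonEntitlement": []},
}
# Attribute Release Policy (assumed shape): attributes the origin releases per target.
ARP = {"target.example.org": {"eduPersonAffiliation", "eduPersonEntitlement"}}

class Origin:
    """Handle Server (HS) and Attribute Authority (AA) of the user's home org."""
    def __init__(self):
        self.handles = {}  # opaque handle -> username; the username never leaves here

    def handle_server(self, username, password):
        # Steps 5-7: authenticate the user, then mint an unguessable one-time handle.
        user = USER_DB.get(username)
        if user is None or user["password"] != password:
            return None
        handle = secrets.token_hex(16)
        self.handles[handle] = username
        return handle

    def attribute_authority(self, handle, target):
        # Step 9: resolve the handle once, release only what the ARP allows this target.
        username = self.handles.pop(handle, None)
        if username is None:
            return None  # unknown or replayed handle
        allowed = ARP.get(target, set())
        return {k: v for k, v in USER_DB[username].items() if k in allowed}

def resource_manager(attrs, want_extended=False):
    # Step 10: decide on attributes alone; identity is not needed for the decision.
    if attrs is None or "member" not in attrs.get("eduPersonAffiliation", []):
        return "deny"
    if want_extended and "urn:example:librarian" not in attrs.get("eduPersonEntitlement", []):
        return "deny-extended"
    return "grant"

def shib_flow(origin, username, password, target="target.example.org", want_extended=False):
    # Steps 1-4: SHIRE does not know the user; the WAYF routes them to their home org's HS.
    handle = origin.handle_server(username, password)
    if handle is None:
        return "deny"
    # Step 8: SHAR asks the AA for attributes, presenting only the opaque handle.
    return resource_manager(origin.attribute_authority(handle, target), want_extended)
```

A target not listed in the ARP receives no attributes at all and is therefore denied, and a handle cannot be presented twice, which is the property that keeps the target from linking requests back to an identity.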

Slide 19

Why Shibboleth? Security

• Better security tools will make collaboration more “painless” and more secure
• Current "solutions" are primitive; we can do better today and without local overhaul
• Shibboleth Simplifies Management and Use of Distributed Systems

Slide 20

Why Shibboleth? Improved Access Control

• Use of attributes allows fine-grained access control
• Simplifies management of access to extended functionality
  – Librarians, based on their role, are given a higher-than-usual level of access to an online database to which a college might subscribe.
  – Librarians and publishers can enforce complicated license agreements that may restrict access to special collections to small groups of faculty researchers

Slide 21

Why Shibboleth? Federated Administration

• Leverages existing middleware infrastructure at origin (authN, dir)
  – Users registered only at their “home” or “origin” institution
  – Target does NOT need to create new userids
• Flexibly partitions responsibility, policy, technology, and trust
• Authorization information sent, instead of authentication information
  – when possible, use groups instead of people on ACLs
  – identity information still available for auditing and for applications that require it

Slide 22

Why Shibboleth? Privacy

• Higher Ed has privacy obligations
  – In US, “FERPA” requires permission for release of most personal identification information; encourages least privilege in information access
  – In UK, DPA places similar obligations on inst’s
• General interest and concern for privacy is growing
• Shibboleth has active (vs. passive) privacy provisions “built in”

Slide 23

Benefits to Campuses

• Much easier Inter-Domain Integration
  – With other campuses
  – With off-campus vendor systems
• Integration with other campus systems, intradomain
  – LMS
  – Med School
  – …
• Ability to manage access control at a fine-grained level
• Allows personalization, without releasing identity
• Implement Shibboleth once…
  – And then just manage attributes that are released to new targets

Slide 24

Benefits to Targets/Vendors

• Unified authentication mechanism from the vendor perspective
  – Much more scalable
  – Much less integration work required to bring a new customer online.
• Ability to implement fine-grained access control (e.g. access by role), allowing customer sites to effectively control access by attributes and thus control usage costs, by not granting access unnecessarily
• Once the initial Shibboleth integration work has been completed on the vendor’s systems
  – The incremental cost of adding new customers is relatively minimal
  – In contrast to the current situation, requiring custom work for each new customer
• Ability to offer personalization
• If your customers have Shibboleth implemented, easy implementation for them

Slide 25

Implications for Resource-hosts

• Similar front-end implementation requirement as for Athens target
• No license fee
• OSS means customisations are possible (eg for personalisation, pass-thru of vendor portal to item-level links, etc)
• Need for agreement on role attributes (eduPerson) for access decisions

Slide 26

Implications for Institutions

• Less duplicated end-user admin than with Athens
  – (similar to AthensDA)
• Need for agreement on role attributes (eduPerson) for end-user description
• Many don’t yet have standards-based supporting services (SSO, enterprise directories)
  – (but new costs would largely replace & improve, rather than add-to, existing ad-hoc AM mechanisms)

Slide 27

[LSE/SECURe AM infrastructure]

http://www.angel.ac.uk/SECURe/deliverables/documentation/

Slide 28

Implications for UK infrastructure

• No dependency on a VERY LARGE centralised database
• Need for implementation of a national WAYF service
  – better than current end-user interface model
  – (new WAYF options being developed)
• Lower shared costs?
  – (but greater costs devolved to inst’s)

http://stc.cis.brown.edu/~stc/Projects/Shibboleth/WAYF/index.html

Slide 29

Got SHIB?