Page 1

Shibboleth: How It Relates to SAML

Marlena Erdos

Aug 27, 2001

Page 2

Outline

• What is Shibboleth?

• Why Shibboleth? (Shortened)

• High Level Architecture

• Artifact Creation & Use

• Connects & Disconnects with SAML

Page 3

What is Shibboleth? (meta-information)

• A joint project of Internet2/MACE and IBM
– Internet2: a consortium of 200+ higher-ed institutions (e.g. MIT, Brown, Ohio State)

• A system with an emphasis on higher-ed

• A system very applicable to the B2B space

Page 4

What is Shibboleth? (Really!)

• “A system for the secure exchange of interoperable authorization information which can be used in access control decisions”

• AuthZ info
– name
– attributes, e.g. group, role, course membership

Page 5

What is Shibboleth? (Yet More)

A system ...

• with an emphasis on privacy
– users control release of their attributes

• partially based on the emerging SAML std
– both narrower and broader

• an example of “federated administration”

Page 6

Outline (repeated as a section divider before “Why Shibboleth?”)

Page 7

Why Shibboleth?

• [Slides about the benefits of Federated Admin removed.]

• Higher Ed has privacy obligations
– “FERPA” demands permission for PII release

• General interest and concern in privacy

• Shibboleth has privacy provisions “built in”

Page 8

Outline (repeated as a section divider before “High Level Architecture”)

Page 9

High Level Arch Outline

• Simplified Arch -- Getting Attributes

• More Full Arch -- Getting Handles

• Attributes

• Attribute Release Policies

Page 10

Simplified Arch/Flow: Getting Attributes

1. Browser User tries to access web resource

2. “Shibbolized” web server has no user context

3. “SHAR” part of server gets attrs from an AA
– SHAR = SHibboleth Attribute Requestor
– AA = Attribute Authority

Page 11

Simplified Flow

[Diagram: Joe surfs the web to the Resource Provider's HTTP server (http:www.coolResource.com), which hosts the SHAR and the Shared Resource. The SHAR sends an Attribute Query (AQM) to the University's Attribute Authority and receives an Attribute Response (ARM). The Attribute Authority holds records such as “Joe: Student; English Major”, “Mary: Faculty; BioChem; ...”, “Sue: staff; IT dept.; ...”, next to “Other Shibboleth Stuff”.]

Page 12

More Full Arch/Flow: Getting an artifact aka “handle package”

• Privacy aspect of Shibb creates burdens

• No (zero) identifying info on user initially

• No “home site” info either

• Shibbolized server must get a user handle
– The “SHIRE” does this work

Note: The following describes “first contact” rather than “local portal”. Both work.

Page 13

SHIRE

• The part of the server that gets artifacts is the “Shibboleth Indexical Reference Establisher”

• “Indexical Reference” -> point at user
– No identity
– No description

Page 14

SHIRE (cont)

• SHIRE uses http connection to point at user

• SHIRE acquires artifacts securely

• SHIRE passes some of the artifact contents to SHAR
– “handle” to use in a query
– AA address info

Page 15

SHIRE Flow

The SHIRE interacts with

1. WAYF to get user’s home institution info

2. Home institution’s “Handle Server”

Page 16

SHIRE/WAYF

• WAYF = Where Are You From

• WAYF
– asks user for their home institution
– retrieves handle server info of the home site
– Handle server info:
  • IP address
  • PKI certificate or equivalent

Page 17

SHIRE/Handle Server

• SHIRE asks handle server for a handle
– “Point” to user via http redirect

• Handle server interacts with
– authentication system and user if necessary
– AA (potentially)

Page 18

Acquiring a handle

[Diagram: Joe surfs the web to the Resource Provider's HTTP server (http:www.coolResource.com), which hosts the SHIRE and the SHAR. On the University side: WAYF, Handle Service, Authentication System and Attribute Authority. The arrows are numbered #1, #2, #3, #3a and #3b, following the sequence described on pages 15-17 (SHIRE to WAYF, SHIRE to Handle Service, Handle Service to the authentication system and user).]

Page 19

The Whole Flow

[Diagram: the same parties as page 18 (Joe's browser; Resource Provider HTTP server http:www.coolResource.com with SHIRE and SHAR; University WAYF, Handle Service and Attribute Authority). The arrows are numbered #1 through #4; the Handle Service returns a Handle and the Attribute Authority returns Attributes.]

Page 20

High Level Arch Outline

• Simplified Arch -- Getting Attributes

• More Full Arch -- Getting Handles

• Attributes

• Attribute Release Policies

• AQMs, ARPs, & Assertions

Page 21

Attributes

• EPPN EduPerson Principal Name
– From the EduPerson schema
– e.g. [email protected]

• Affiliation
– Faculty, Staff, Student

• MemberOfCommunity

• GroupMembershipExt
– allow for extension of attribute space

Page 22

Attribute Release Policies (ARPs)

An ARP at an AA consists of

• The destination SHAR's name

• The attributes to be released to the SHAR

• And optionally a URL (called a “target”)
– Target refers to entire subtree of resources

Page 23

ARPs (cont)

• User can have as many ARPs as needed

• AA finds set of ARPs
– Initial set based on SHAR making AQM
– AA finds “best match”

• AQM contains user’s requested destination URL

• Requested URL compared with targets in ARPs

Page 24

ARPs, AQM, & Assertions

• When AQM comes in ...

• AA finds best fit ARP ...

• ... creates or finds an assertion that fits the ARP!

• Finds ARP based on user and SHAR

• Finds user from handle!!!
-> Handle is in the AQM
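The ARP selection on pages 22-24, written out as an added Python example (not code from the slides or from the Shibboleth project): an ARP carries the destination SHAR, the attribute names to release and an optional target URL; the AA resolves the handle in the AQM to a user, keeps the user's ARPs for the requesting SHAR, picks the best match by comparing the requested URL against the ARP targets, and answers with an attribute response whose subject is the handle rather than the user. All host names, handles, attribute values and the "most specific target wins" tie-break are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class ARP:
    """One Attribute Release Policy (page 22)."""
    shar: str                       # destination SHAR's name
    attributes: frozenset           # attribute names to release to that SHAR
    target: Optional[str] = None    # optional URL; covers the entire subtree beneath it


@dataclass(frozen=True)
class AQM:
    """Attribute Query Message as sent by the SHAR: handle, SHAR, requested URL."""
    handle: str
    shar: str
    requested_url: str


# Constructed sample data (hypothetical names and values, not from the slides).
HANDLE_TABLE = {"h-7f3a91": "joe"}   # handle -> principal, as the AA learns it from the Handle Server
USER_ATTRIBUTES = {
    "joe": {"eppn": "joe@university.example", "affiliation": "Student",
            "memberOfCommunity": ["english-majors"]},
}
USER_ARPS = {
    "joe": [
        ARP("shar.coolresource.example", frozenset({"affiliation"})),
        ARP("shar.coolresource.example", frozenset({"affiliation", "eppn"}),
            "http://www.coolresource.example/courses/"),
        ARP("shar.other.example", frozenset({"affiliation"})),
    ],
}


def in_subtree(target: str, url: str) -> bool:
    """True when url lies in the resource subtree rooted at target: same scheme and host,
    path equal to or below the target path ('/courses' must not match '/coursesX')."""
    t, u = urlparse(target), urlparse(url)
    if (t.scheme.lower(), t.netloc.lower()) != (u.scheme.lower(), u.netloc.lower()):
        return False
    tpath = t.path.rstrip("/") or "/"
    upath = u.path or "/"
    return tpath == "/" or upath == tpath or upath.startswith(tpath + "/")


def select_arp(arps, aqm: AQM) -> Optional[ARP]:
    """Page 23: initial set = ARPs for the SHAR making the AQM; best match = the applicable
    ARP with the most specific target (a targetless ARP applies everywhere, least specific)."""
    best, best_score = None, -1
    for arp in arps:
        if arp.shar != aqm.shar:
            continue
        if arp.target is None:
            score = 0
        elif in_subtree(arp.target, aqm.requested_url):
            score = 1 + len(urlparse(arp.target).path.rstrip("/"))
        else:
            continue
        if score > best_score:
            best, best_score = arp, score
    return best


def answer_aqm(aqm: AQM):
    """Page 24: find the user from the handle, find the best-fit ARP, build the matching
    attribute response. Unknown handle -> None; no applicable ARP -> nothing released."""
    principal = HANDLE_TABLE.get(aqm.handle)
    if principal is None:
        return None
    arp = select_arp(USER_ARPS.get(principal, []), aqm)
    released = {}
    if arp is not None:
        attrs = USER_ATTRIBUTES[principal]
        released = {name: attrs[name] for name in sorted(arp.attributes) if name in attrs}
    # The subject is the opaque handle: the SHAR never learns the user's name unless released.
    return {"subject": aqm.handle, "attributes": released}


if __name__ == "__main__":
    print(answer_aqm(AQM("h-7f3a91", "shar.coolresource.example",
                         "http://www.coolresource.example/courses/eng101")))
```

A request for a course page releases affiliation and EPPN under the targeted ARP; a request elsewhere on the same site falls back to the targetless ARP and releases affiliation only; an unknown SHAR gets an empty response, which is the privacy default the slides describe.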

Page 25

Outline (repeated as a section divider before “Artifact Creation & Use”)

Page 26

Artifact Creation and Use

• Handle Server

• SHIRE

Page 27

Handle Server

• Answers attribute query handle request (AQHR)

• AQHR contains
– SHIRE Name (FQDN)
– URL that user typed (for the redirect)

Page 28

Handle Server (cont)

• The AQHR is redirected through the browser

• HS must
– figure out who the user is
  • can interact with user and authN system
– create a handle that identifies the user to the AA (but to no one else)
  • Could encrypt principal id with AA’s public key

Page 29

Handle Server

The response to the AQHR

• version number of response

• opaque user handle

• FQDN of the requesting SHIRE

• IP address of browser process

• issue time of this response

• AA contact information

• FQDN of Handle Server

• Signature (w/o certificate) (XSIG)

Page 30

SHIRE

• Performs impersonation checks

• Possible threats include
– malicious user pretends to be real user
– malicious SHIRE pretends to be real user

Page 31

SHIRE (cont)

• Malicious user counter-measure
– IP address and issue time

• Malicious SHIRE counter-measure
– Intended SHIRE name

• SHIRE checks counter-measure info against reality.
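The handle package of page 29 and the SHIRE checks of pages 30-31, as an added Python example (not code from the slides or the Shibboleth project). The Handle Server fills in the page-29 fields and signs them; the SHIRE verifies the signature against a list of trusted Handle Services (the out-of-band trust of page 36), then checks the intended SHIRE name (malicious-SHIRE countermeasure) and the browser address and issue time (malicious-user countermeasure) against the connection it actually sees, and only then hands the handle and AA contact to the SHAR. The HMAC stands in for the XML signature, the 300-second freshness window, the key table and every host name are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed: signing key per Handle Service (stand-in for its XSIG key) and the
# destination's list of trusted Handle Services (page 36).
HS_KEYS = {"hs.university.example": b"constructed-handle-service-signing-key"}
TRUSTED_HANDLE_SERVICES = {"hs.university.example"}
FRESHNESS_WINDOW = 300   # seconds; an assumption, the slides give no value


def _canonical(fields: dict) -> bytes:
    """Deterministic byte form of the signed fields (stand-in for XML canonicalisation)."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_handle_package(principal, shire_fqdn, browser_ip, hs_fqdn, aa_contact,
                         now=None, handle_table=None):
    """Handle Server: answer an AQHR with the page-29 response fields, signed."""
    handle = secrets.token_hex(16)          # opaque; meaningful only through handle_table
    if handle_table is not None:
        handle_table[handle] = principal    # what the AA later uses to resolve the handle
    fields = {
        "version": 1,
        "handle": handle,
        "shire": shire_fqdn,                # FQDN of the requesting SHIRE
        "browser_ip": browser_ip,           # IP address of the browser process
        "issue_time": int(now if now is not None else time.time()),
        "aa_contact": aa_contact,
        "handle_service": hs_fqdn,
    }
    signature = hmac.new(HS_KEYS[hs_fqdn], _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "signature": signature}


def shire_accept(package: dict, my_fqdn: str, peer_ip: str, now=None):
    """SHIRE impersonation checks (pages 30-31). Returns (ok, reason, hand-off for the SHAR)."""
    hs = package.get("handle_service")
    if hs not in TRUSTED_HANDLE_SERVICES:
        return False, "untrusted handle service", None
    fields = {k: v for k, v in package.items() if k != "signature"}
    expected = hmac.new(HS_KEYS[hs], _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package.get("signature", "")):
        return False, "bad signature", None
    if package["shire"] != my_fqdn:             # malicious-SHIRE countermeasure
        return False, "package intended for another SHIRE", None
    if package["browser_ip"] != peer_ip:        # malicious-user countermeasure, part 1
        return False, "browser address mismatch", None
    age = (now if now is not None else time.time()) - package["issue_time"]
    if not 0 <= age <= FRESHNESS_WINDOW:        # malicious-user countermeasure, part 2
        return False, "stale or future-dated package", None
    # Page 14: only the handle and the AA address info go on to the SHAR.
    return True, "ok", {"handle": package["handle"], "aa_contact": package["aa_contact"]}


if __name__ == "__main__":
    table = {}
    pkg = issue_handle_package("joe", "www.coolresource.example", "198.51.100.7",
                               "hs.university.example", "https://aa.university.example/aa",
                               handle_table=table)
    print(shire_accept(pkg, "www.coolresource.example", "198.51.100.7"))
```

The order of the checks matters: the signature is verified before any field is trusted, so a package with a forged SHIRE name or browser address is rejected as a signature failure rather than as a field mismatch.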

Page 32

Outline (repeated as a section divider before “Connects & Disconnects with SAML”)

Page 33

Connects

• Query & Assertion & Artifact formats
– We want to use SAML query & assn format!
– We want to be artifact framework compliant!

Summary: Differences from current spec seem workable.

Page 34

Disconnects with SAML

• Disconnects:
– Semantics of the artifact
– Where impersonation countermeasure info belongs
  • In the assertion or in packaging?
– Requirement for an AuthN assertion
– How to represent an anonymous browser user in the assertion

Page 35

Disconnects

Semantics of the artifact:
– Shibb: A handle that refers to a user plus counter-measure packaging.
– Bindings doc: “A ‘small’, bounded-size [item], which unambiguously identifies an assertion”
– Possible resolution: “The thing can be used to retrieve an assertion about the related browser user.”

Page 36

Connect within the Disconnect

• Out of Band trust info for the source:
– Bindings: “<PartnerID> is a four byte value used by the destination site to determine source site identity as well as the URL (or address) for the ‘assertion lookup service’.”
– Shib: Destination keeps lists of trusted Handle Services. But, “Assertion Lookup Service” addr info is carried in the handle package.

Page 37

Artifact Structure

Framework for Artifacts:

B64 rep of <TypeCode> <artifact contents>

Page 38

Artifact vs “Handle Package”

• Bindings Instantiation of an Artifact
<TypeCode> := 0x0001 <PartnerID> <AssertionHandle>

• Handle Package
[No type code -- yet!!]
Name & Signature of Handle Service
Opaque user handle plus Countermeasure Info
AA contact information
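The artifact framework of pages 37-38, as an added Python example (not code from the slides or from the SAML or Shibboleth projects): the artifact is the Base64 form of a type code followed by type-specific contents, and the type code decides how the contents are read. For the Bindings type 0x0001 the contents are the four-byte PartnerID (page 36) followed by the AssertionHandle, and the PartnerID is looked up in the destination's out-of-band table to learn the source identity and its assertion lookup service. A two-byte big-endian type code (inferred from the spelling 0x0001), the partner table, the sample handle bytes and the 0x0002 value used only to show type dispatch are assumptions of the example.

```python
import base64
import struct

TYPE_BINDINGS_0001 = 0x0001    # the Bindings instantiation on page 38
PARTNER_ID_LEN = 4             # "<PartnerID> is a four byte value" (page 36)


def encode_artifact(type_code: int, contents: bytes) -> str:
    """Page 37: B64 rep of <TypeCode> <artifact contents>; type code assumed 2 bytes, big-endian."""
    return base64.b64encode(struct.pack(">H", type_code) + contents).decode("ascii")


def decode_artifact(artifact: str):
    """Split an artifact into (type_code, contents) without interpreting the contents."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) < 2:
        raise ValueError("artifact too short to carry a type code")
    (type_code,) = struct.unpack(">H", raw[:2])
    return type_code, raw[2:]


def build_0001(partner_id: bytes, assertion_handle: bytes) -> str:
    """Type 0001 contents are <PartnerID> <AssertionHandle>."""
    if len(partner_id) != PARTNER_ID_LEN:
        raise ValueError("PartnerID must be exactly 4 bytes")
    if not assertion_handle:
        raise ValueError("empty AssertionHandle")
    return encode_artifact(TYPE_BINDINGS_0001, partner_id + assertion_handle)


def parse_0001(artifact: str):
    """Return (partner_id, assertion_handle); reject artifacts of any other type."""
    type_code, body = decode_artifact(artifact)
    if type_code != TYPE_BINDINGS_0001:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    if len(body) <= PARTNER_ID_LEN:
        raise ValueError("type 0001 body must hold a PartnerID plus a non-empty AssertionHandle")
    return body[:PARTNER_ID_LEN], body[PARTNER_ID_LEN:]


# Constructed out-of-band trust table: PartnerID -> (source identity, assertion lookup service).
PARTNERS = {
    b"\x00\x00\x00\x2a": ("university.example", "https://aa.university.example/lookup"),
}


def resolve_source(artifact: str) -> dict:
    """Destination side: identify the source from the PartnerID before any lookup is attempted."""
    partner_id, handle = parse_0001(artifact)
    if partner_id not in PARTNERS:
        raise LookupError("unknown PartnerID: no out-of-band trust with this source")
    source, lookup_url = PARTNERS[partner_id]
    return {"source": source, "lookup_service": lookup_url, "assertion_handle": handle}


if __name__ == "__main__":
    art = build_0001(b"\x00\x00\x00\x2a", b"constructed-assertion-handle")
    print(art, resolve_source(art))
```

The contrast with the handle package on page 38 is visible in the code: here the lookup address comes from the destination's table keyed by PartnerID, whereas the Shibboleth package carries the AA contact inside the artifact itself, which is why the SHIRE on pages 30-31 must verify the package's signature before trusting that address.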

Page 39

Disconnects

• CounterMeasure Protection Placement
– Shibb: Countermeasures are “in” the artifact and “package” the handle.
– Bindings: Countermeasures are in the assertion & the assertion must be an AuthN assertion!!
– e.g. “Audience Restriction”

• What about “Post-ed” assertions?
– Marlena: Package the assertion just like the handle!

Page 40

Disconnect

• Web Browser profile currently *requires* an AuthN assn

• Mar claims:
– not really necessary for the “framework”
– rather tied to the “001” type artifact

• A Shib-like artifact is possible: ‘002’
– Different specifics to meet overall goals!

Page 41

Disconnects

• Representation of anonymous browser user
– In the query and in the assertion

• Shibb hope: Query by handle

• Shibb hope: Assertion Subject indicates ‘handle’ (in some way)

• Core doc says ...

Page 42

Disconnects (?)

• Core Doc: Subject
– Name
– SubjectConfirmation
– Assertion Specifier

• SubjectConfirmation
– Confirmation Method -> Artifact (4.1.1)

• Marlena: Which part of the artifact? What about new “types” of artifacts?

Page 43

THE END

Shibboleth Acknowledgements:

Design Team: David Wasley, U of C; RL Bob Morgan, U of Washington; Keith Hazelton, U of Wisconsin (Madison); Marlena Erdos, IBM/Tivoli; Steven Carmody, Brown; Scott Cantor, Ohio State

Important Contributions from: Ken Klingenstein (I2); Michael Gettes, Georgetown; Scott Fullerton (Madison)