Shibboleth Update
Michael R Gettes, Duke University, on behalf of the Shib project team
CAMP Directory Workshop Feb 3-6, 2004
What is Shibboleth? (Biblical)
A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce “sh”, called the word sibboleth. See --Judges xii.
Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.
Webster's Revised Unabridged Dictionary (1913)
What is Shibboleth? (modern era)
An initiative to develop an architecture and policy framework supporting the sharing, between domains, of secured web resources and services
A project delivering an open source implementation of the architecture and framework
Deliverables:
– Software for Origins (campuses)
– Software for targets (vendors)
– Operational Federations (scalable trust)
So… What is Shibboleth?
A Web Single-Signon System (SSO)?
An Access Control Mechanism for Attributes?
A Standard Interface and Vocabulary for Attributes?
A Standard for Adding Authn and Authz to Applications?
Shibboleth Goals
Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions
Provide security while not degrading privacy: attribute-based access control
Foster inter-realm trust fabrics: federations and virtual organizations
Leverage campus expertise and build rough consensus
Influence the marketplace; develop where necessary
Support for heterogeneity and open standards
Attribute-based Authorization
Identity-based approach
– The identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access.
– This approach requires the user to trust the target to protect privacy.
Attribute-based approach
– Attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision.
– This approach does not degrade privacy.
Stage 1 - Addressing Four Scenarios
Member of campus community accessing licensed resource
– Anonymity required
Member of a course accessing remotely controlled resource
– Anonymity required
Member of a workgroup accessing controlled resources
– Controlled by unique identifiers (e.g. name)
Intra-university information access
– Controlled by a variety of identifiers
Taken individually, each of these situations can be solved in a variety of straightforward ways. Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.
How Does it Work?
Hmmmm…. It’s magic. :-)
High Level Architecture
Federations provide common policy and trust
Destination and origin site collaborate to provide a privacy-preserving “context” for Shibboleth users
Origin site authenticates user, asserts attributes
Destination site requests attributes about user directly from origin site
Destination site makes an Access Control Decision
Users (and origin organizations) can control what attributes are released
Technical Components
Origin Site – Required Enterprise Infrastructure
– Authentication
– Attribute Repository
Origin Site – Shib Components
– Handle Server
– Attribute Authority
Target Site – Required Enterprise Infrastructure
– Web Server (Apache or IIS)
Target Site – Shib Components
– SHIRE
– SHAR
– WAYF
– Resource Manager
Shibboleth AA Process
(figure: a message-sequence diagram between the user's browser, the Resource Owner's SHIRE, SHAR and Resource Manager, the WAYF, and the user's home org's Handle Service (HS), User DB and Attribute Authority (AA); the captions, in the figure's numbered order, are:)
1. The user requests the resource.
2. SHIRE: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
3. WAYF: “Please tell me where are you from?”
4. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
5. HS: “I don’t know you. Please authenticate using WEBLOGIN.”
6. The user presents credentials, which the HS checks against the User DB.
7. HS: “OK, I know you now. I redirect your request to the target, together with a handle.”
8. SHAR (holding the handle): “I don’t know the attributes of this user. Let’s ask the Attribute Authority.”
9. AA (given the handle): “Let’s pass over the attributes the user has allowed me to release.”
10. Resource Manager (given the attributes): “OK, based on the attributes, I grant access to the resource.”
From Shibboleth Arch doc
(figure, shown in four progressively revealed views: on the Origin side, the University Authentication System, Enterprise Directory, Handle Service and Attribute Authority; on the Target side, the Resource Provider's HTTP Server with SHIRE, SHAR and Resource Manager, a Local Navigation Page, and the WAYF; numbered arrows 1 (browser request to http://www.CoolResource.com), 2 and 2a (SHIRE to WAYF), 3, 3a, 3b and 3c (Handle Service, handle delivered to the SHAR), 4 (SHAR to Attribute Authority), 5 and 6 (attributes to the Resource Manager))
Demo!
http://shibboleth.blackboard.com/
Shibboleth Architecture (still photo, no moving parts)
Shibboleth Architecture -- Managing Trust
(figure: Browser, Target Web Server, Attribute Server and Shib engine; a TRUST relationship is drawn between the target web server and the attribute server)
Attribute Authority -- Management of Attribute Release Policies
The AA provides ARP management tools/interfaces.
– Different ARPs for different targets
– Each ARP specifies which attributes and which values to release
– Institutional ARPs (default): administrative default policies and default attributes; site can force include and exclude
– User ARPs managed via “MyAA” web interface
– Release set determined by “combining” Default and User ARP for the specified resource
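A toy model of how the release set can be computed from the institutional and user ARPs just listed, as an added example (it is not Shibboleth's own ARP engine or its ARP file format): the policy shapes, the handling of force include/exclude, the attribute names (eduPersonAffiliation, eduPersonPrincipalName, eduPersonEntitlement) and every sample value are assumptions constructed for the demonstration.

```python
"""Toy model of an origin's Attribute Release Policy (ARP) combination.

Added example, not Shibboleth project code. The policy shapes, the attribute
names and all sample values are assumptions constructed for the demonstration.
"""
from dataclasses import dataclass, field

# attribute name -> set of values; "*" in a policy set means "every value held"
Policy = dict[str, set[str]]
Attributes = dict[str, set[str]]


@dataclass
class SiteArp:
    """Institutional (default) ARP for one target, set by administrators."""
    allow: Policy = field(default_factory=dict)          # default release set
    force_include: Policy = field(default_factory=dict)  # released even if the user opts out
    force_exclude: Policy = field(default_factory=dict)  # withheld even if the user opts in


@dataclass
class UserArp:
    """User ARP for one target, as edited through a "MyAA"-style interface."""
    allow: Policy = field(default_factory=dict)  # extra attributes the user chooses to release
    deny: Policy = field(default_factory=dict)   # attributes/values the user withholds


def resolve(policy: Policy, attrs: Attributes) -> Attributes:
    """Resolve a policy against the attributes the AA actually holds for the user."""
    out: Attributes = {}
    for name, wanted in policy.items():
        held = attrs.get(name, set())
        vals = set(held) if "*" in wanted else held & wanted
        if vals:
            out[name] = vals
    return out


def union(a: Attributes, b: Attributes) -> Attributes:
    out = {k: set(v) for k, v in a.items()}
    for k, v in b.items():
        out.setdefault(k, set()).update(v)
    return out


def subtract(a: Attributes, b: Attributes) -> Attributes:
    out: Attributes = {}
    for k, v in a.items():
        rest = v - b.get(k, set())
        if rest:
            out[k] = rest
    return out


def effective_release(attrs: Attributes, target: str,
                      site_arps: dict[str, SiteArp],
                      user_arps: dict[str, UserArp]) -> Attributes:
    """Combine the default and user ARP for `target`; an unknown target gets nothing."""
    site = site_arps.get(target)
    if site is None:
        return {}
    user = user_arps.get(target, UserArp())
    release = union(resolve(site.allow, attrs), resolve(user.allow, attrs))
    release = subtract(release, resolve(user.deny, attrs))        # the user may opt out...
    release = union(release, resolve(site.force_include, attrs))  # ...except where the site forces release
    return subtract(release, resolve(site.force_exclude, attrs))  # and the site has the last word on exclusion


# Constructed sample data (not from the slides).
ALICE = {
    "eduPersonAffiliation": {"member", "student"},
    "eduPersonPrincipalName": {"alice@example.edu"},
    "eduPersonEntitlement": {"urn:mace:vendor:contract1234", "urn:mace:example.edu:staff-only"},
}
TARGET = "http://www.CoolResource.com"
SITE_ARPS = {TARGET: SiteArp(
    allow={"eduPersonAffiliation": {"member"}},
    force_include={"eduPersonEntitlement": {"urn:mace:vendor:contract1234"}},
    force_exclude={"eduPersonPrincipalName": {"*"}},
)}
USER_ARPS = {TARGET: UserArp(
    allow={"eduPersonAffiliation": {"*"}, "eduPersonPrincipalName": {"*"}},
    deny={"eduPersonAffiliation": {"student"}},
)}

if __name__ == "__main__":
    print(effective_release(ALICE, TARGET, SITE_ARPS, USER_ARPS))
```

With the constructed data the user opts in to the EPPN but the site's force exclude withholds it, the user's deny drops the "student" value, and the contract entitlement is released regardless of the user ARP because the site forces it; a target with no ARP at all is default-closed.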
Typical Attributes in the Higher Ed Community
Affiliation – “active member of community”
EPPN – Identity, e.g. [email protected]
Entitlement – An agreed-upon opaque URI, e.g. urn:mace:vendor:contract1234
OrgUnit – Department, e.g. Economics Department
EnrolledCourse – Opaque course identifier, e.g. urn:mace:osu.edu:Physics201
Target – Managing Attribute Acceptance
Rules that define who can assert what…
– MIT can assert [email protected]
– an origin can assert [email protected] only for its own scope; it CANNOT assert [email protected] for a scope it does not own
Important for entitlement values
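The target-side rules above, and the attribute-based decision of the earlier "Attribute-based Authorization" slide, as an added illustration (not Shibboleth's own attribute acceptance implementation): each origin is trusted only for its own scope in scoped attributes and for an explicit list of entitlement values, and the access decision is then made over the accepted attributes only. The origin labels, the "value@scope" convention, the policy shape and all sample data are assumptions.

```python
"""Toy target-side attribute acceptance check plus an attribute-based access decision.

Added example, not Shibboleth project code. The policy shape, the "value@scope"
convention for scoped attributes, the origin labels and all sample data are
assumptions constructed for this demonstration.
"""

# Which scopes and which entitlement values each origin is trusted to assert.
ACCEPTANCE = {
    "mit.edu": {"scopes": {"mit.edu"},
                "entitlements": {"urn:mace:vendor:contract1234"}},
    "osu.edu": {"scopes": {"osu.edu"},
                "entitlements": {"urn:mace:vendor:contract1234",
                                 "urn:mace:osu.edu:Physics201"}},
}
SCOPED = {"eduPersonPrincipalName", "eduPersonAffiliation"}  # values look like "x@scope"


def accept(origin, asserted):
    """Keep only the values `origin` may assert. Returns (accepted, rejected)."""
    rule = ACCEPTANCE.get(origin)
    if rule is None:  # unknown origin: trust nothing it says
        return {}, [f"{origin}: unknown origin, all attributes dropped"]
    accepted, rejected = {}, []
    for name, values in asserted.items():
        for value in sorted(values):
            if name in SCOPED:
                scope = value.rpartition("@")[2]      # "" when there is no "@" at all
                ok = scope in rule["scopes"]
            elif name == "eduPersonEntitlement":
                ok = value in rule["entitlements"]    # entitlement values are whitelisted per origin
            else:
                ok = False                            # not covered by policy -> not accepted
            if ok:
                accepted.setdefault(name, set()).add(value)
            else:
                rejected.append(f"{origin} may not assert {name}={value}")
    return accepted, rejected


def authorize(accepted, rule):
    """Attribute-based decision: grant if any accepted value matches the resource's rule."""
    return any(accepted.get(name, set()) & wanted for name, wanted in rule.items())


# Constructed resource rule: members of mit.edu/osu.edu, or holders of the contract entitlement.
CONTRACT_RULE = {
    "eduPersonAffiliation": {"member@mit.edu", "member@osu.edu"},
    "eduPersonEntitlement": {"urn:mace:vendor:contract1234"},
}

# Constructed assertion in which one origin also tries to speak for another origin's scope.
ASSERTED_BY_MIT = {
    "eduPersonPrincipalName": {"alice@mit.edu", "mallory@osu.edu"},
    "eduPersonAffiliation": {"member@mit.edu"},
    "eduPersonEntitlement": {"urn:mace:vendor:contract1234", "urn:mace:osu.edu:Physics201"},
}

if __name__ == "__main__":
    ok, dropped = accept("mit.edu", ASSERTED_BY_MIT)
    print(ok, dropped, authorize(ok, CONTRACT_RULE))
```

The rejected list is what a target would log: it shows exactly which out-of-scope values an origin tried to assert, which is the signal an operator wants when tuning acceptance rules.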
Other Technology Partners
LMS Systems
– Blackboard
– WebCT
– WebAssign
Syquest / Higher Markets
Student Charge Card vendors
Napster
Other Pilot Projects
American Association of Medical Colleges
NSDL (National Science Digital Library)
SWITCH - The Swiss National Academic Community
UK/JISC - Controlled Access to Licensed Resources
Becta (British Educational Communications and Technology Agency)
Univ Texas, Medical Center and instruction
Washington Research Library Consortium (WRLC)
Shibboleth -- Next Steps
Full implementation of Trust Fabric
– Supporting multi-federation origins and targets
Support for Dynamic Content (library-style implementation in addition to web server plugins)
Sysadmin GUIs for managing origin and target policy
Grid, Virtual Organizations?
SAML V2.0, Liberty, WS-Fed
NSF grant to Shibboleth-enable open source collaboration tools
LionShare - Federated P2P
So… What is Shibboleth?
A Web Single-Signon System (SSO)?
An Access Control Mechanism for Attributes?
A Standard Interface and Vocabulary for Attributes?
A Standard for Adding Authn and Authz to Applications?
THE END?
Acknowledgements:
Design Team: David Wasley UCOP; RL ‘Bob’ Morgan U of Washington; Keith Hazelton U of Wisconsin-Madison; Marlena Erdos IBM/Tivoli; Steven Carmody Brown; Scott Cantor Ohio State
Important Contributions from: Ken Klingenstein (I2); Michael Gettes (Duke); Scott Fullerton (Madison)
Coding: Derek Atkins (MIT); Parviz Dousti (CMU); Scott Cantor (OSU); Walter Hoehn (Columbia)
Global? Trust Diagram (TWD)
Sample InterFederation
Shib/PKI Inter-Federations
This model demonstrates the similarities of the PKI communities and Shib Federations. This does not mean that Shib == PKI, just that we can leverage the trust infra of a global PKI to maybe solve some larger inter-federation issues of other techno / policy spaces in a common fashion.
Got SHIB?
Shibboleth intra- as well as inter-realm
Keith Hazelton
University of Wisconsin
I2 Middleware Arch. Comm. for Education
Shib intra/inter-realm
Common Shib adoption driver will likely be libraries who want to connect to electronic resource providers
Leveraging Shib as local infrastructure: intra-realm Shibboleth (with AuthN shim) as completion of the IdM loop: giving apps the info they need to make access control decisions (AuthZInfo Access)
Shib as WebISO
Note: Shib as shipped assumes an existing WebISO
But in a Shib environment for web apps
– the only web thing that needs an authentication step is the Handle Server (HS) (!!!)
– all target web apps leverage that single authentication step
Shib as WebISO
WebISO solutions have lots of moving parts that are handled by Shib
So what’s the simplest AuthN shim for the HS?
Shib as WebISO
HS runs as an Apache app
How do we protect Apache apps? URL/directory based authN schemes
Use Apache config file fiddling to specify how
Shib 1.1 as shipped has a way to do this with Public Key Infrastructure (PKI) user certs
– Apache asks for client SSL authentication via apache-ssl or mod_ssl
– Right environment variables get populated, presto!
Shib as WebISO: PKI integ.
U California System developed PKI support code (David Walker)
Adopted & adapted by UT-HSC Houston (Barry Ribbeck & Mark Jones)
…and by Dartmouth (Bob Brentrup, Omen Wild & Mark Franklin)
Shib & PKI Migration
Calif, Texas & Dartmouth pushing PKI, so happy to “force” its use for selected apps
Most of us not there yet
What if HS could try for PKI as above, but fail over to LDAP-supported un/pw AuthN over SSL?
Shib & PKI Migration
More generally: Protect the HS app the Apache way with PKI, failover to {your favorite AuthN service here}
So, coordinating with above named culprits, Ryan Muldoon at wisc.edu developed an Apache module-based approach
Shib HS & AuthN Shim
Apache security directives in config allow you to specify a list of AuthN methods in order of preference, so…
Try PKI via above approach
Second on the list is a module that does your favorite AuthN trick & populates env. vars. like REMOTE_USER
Ryan’s code supports failover to un/pw with LDAP (uses mod_perl)
Shib HS & AuthN Shim
Kerberos shops could write a module for Kerberos AuthN, etc.
Allows transparent…
– migration to, or
– experimentation with, or
– selective rollout…
…of PKI behind Shib HS for a general web app AuthN solution
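An added toy of the ordered AuthN chain the last few slides describe (it is not Ryan Muldoon's mod_perl module and not Shibboleth code): first preference is a client certificate that mod_ssl has already verified, second is username/password checked against a constructed stand-in for an LDAP bind and accepted only over SSL, and whichever method wins sets REMOTE_USER for the HS. The mod_ssl variable names it inspects (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN_Email, HTTPS), the password table and the user are assumptions.

```python
"""Toy ordered-preference AuthN shim in front of a Handle Server.

Added example, not Ryan Muldoon's mod_perl module and not Shibboleth code. It
assumes the request environment carries the variables mod_ssl exports
(SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN_Email, HTTPS); the password table is a
constructed stand-in for an LDAP bind, and the user is made up.
"""
import hashlib
import hmac


def pki_method(environ, form):
    """Preference 1: a client certificate that mod_ssl has already verified."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":   # "NONE" or "FAILED:..." -> fall through
        return None
    email = environ.get("SSL_CLIENT_S_DN_Email", "")
    return email.lower() or None


# Constructed directory: user -> sha256(salt + password); stands in for an LDAP bind.
_SALT = "constructed-salt"


def _digest(password):
    return hashlib.sha256((_SALT + password).encode()).hexdigest()


_DIRECTORY = {"alice@example.edu": _digest("constructed-passw0rd")}


def ldap_password_method(environ, form):
    """Preference 2: username/password, accepted only over SSL."""
    if environ.get("HTTPS") != "on":           # never take a password over plain HTTP
        return None
    user = form.get("user", "").lower()
    expected = _DIRECTORY.get(user)
    if expected is None:
        return None
    ok = hmac.compare_digest(_digest(form.get("password", "")), expected)
    return user if ok else None


# The chain, in order of preference. A Kerberos shop would append its own method here.
METHODS = [("pki", pki_method), ("ldap", ldap_password_method)]


def authenticate(environ, form=None):
    """Try each method in turn; the first one that identifies the user sets
    REMOTE_USER for the HS. Returns (user, method), or (None, None) meaning
    'challenge the browser'."""
    form = form or {}
    for label, method in METHODS:
        user = method(environ, form)
        if user:
            environ["REMOTE_USER"] = user
            return user, label
    return None, None


if __name__ == "__main__":
    env = {"HTTPS": "on", "SSL_CLIENT_VERIFY": "SUCCESS",
           "SSL_CLIENT_S_DN_Email": "Alice@example.edu"}
    print(authenticate(env))
```

The two failure modes worth noticing are that a certificate mod_ssl reports as FAILED is never trusted (the chain simply moves on to the password leg), and that the password leg refuses to run at all unless the request arrived over SSL.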
The IdM Picture completed
To extent you Shibbify your target resources, this fills the gap of AuthZInfo delivery to web apps
You’ve authenticated by choice of methods (which can be passed along to targets)
You’ve given targets controlled access to user attributes
With all the knobs for privacy & anonymity you might want
Shibboleth inter-realm: Federations
Shibboleth has support for federations (0, 1 or many)
Doesn’t prescribe how they work, or even require one
– e.g. Penn State <-> WebAssign is a simple bilateral agreement
So what are federations, really?
A Burton Group slide from Catalyst 2003 in San Francisco
Towards a polycentric, federated environment
Many islands will emerge
Identity networks will link the islands:
• Centralized services
• Member owned services (as in the ATM world)
• Use of common rating systems (like Moody’s)
As islands and networks inevitably collide, not clear how they’ll converge
(figure: Identity Network 1 and Identity Network 2 linking identity domains through identity peering; Federations)
Renee Woodten Frost
6 February 2004
Federated all the way down
Given the strong collaborations within the academic community, there is an urgent need to create inter-realm tools, so:
Build consistent campus middleware infrastructure deployments, with outward facing objectclasses, service points, etc. and then
Federate (multi-lateral) those enterprise deployments with inter-realm attribute transports, trust services, etc. and then
Leverage that federation to enable a variety of applications from network authentication to instant messaging, from video to web services, from p2p to virtual organizations, etc. while we
Be cautious about the limits of federations and look for alternative fabrics where appropriate.
Federations
Associations of enterprises that come together to exchange information about their users and resources in order to enable collaborations and transactions
Built on the premise of:
– Initially, “Authenticate locally, act globally”
– Now, “Enroll and authenticate and attribute locally, act federally.”
Uses federating software (e.g. Liberty Alliance, Shibboleth, WS-*) and common attributes (e.g. eduPerson)
Enterprises (and users) retain control over what attributes are released to a resource; the resources retain control (though they may delegate) over the authorization decision.
Several federations now in construction or deployment
Requirements for federations
Federation operations
Federating software
– Exchange assertions
– Link and unlink identities
Federation data schema
Federation privacy and security requirements
Federated administration
(figure: Campus 1 and Campus 2, each with an origin (O), targets (T), Apps and campus middleware (CM); virtual organizations (VO) spanning them; a Federation; other feds)
Shibboleth-based federations
InQueue
InCommon
Club Shib
Swiss Education and Research Network (SWITCH)
National Science, etc. Digital Library (NSDL)
------------------------------------
State networks
Medical networks
Financial aid networks
Life-long learning communities
The Research and Education Federation Space
(figure: a REF Cluster containing InQueue (a starting point), InCommon, SWITCH, The Shib Research Club, other national nets, other clusters and other potential US R+E feds; also State of Penn Fin Aid Assoc, NSDL, Indiana, and a “slippery slope” of Med Centers, etc.)
InQueue
The “holding pond”
Is a persistent federation with “passing-through” membership…
Operational today. Can apply for membership via http://shibboleth.internet2.edu/ InQueue Federation guidelines
Requires eduPerson attributes
Operated by Internet2; open to almost anyone using Shibboleth in an R&E setting or not…
Fees and service profile to be established shortly: cost-recovery basis
InQueue origins as of 11-25-03
Rutgers University; University of Wisconsin; New York University; Georgia State University; University of Washington; University of California; University at Buffalo; Dartmouth College; Michigan State University; Shibboleth Development Origin; The Ohio State University; UCLA; Internet2; Carnegie Mellon University
National Research Council of Canada; Columbia University; University of Virginia; University of California, San Diego; Brown University; Penn State University; Cal Poly Pomona; London School of Economics; University of North Carolina at Chapel Hill; CU-Boulder; UT Arlington; UT Health Science Center-Houston; University of Michigan
Major targets
Campuses that are also origins, wanting to share campus-based content
Content providers – EBSCO, OCLC, JSTOR, Elsevier, Napster, etc
Learning Management Systems – WebCT, Blackboard, OKI, etc
Outsourced Service Providers – purchasing systems, dormitory management companies, etc.
InCommon basics
Permanent federation for the R&E US sector
To be operated by Internet2, open to .edu-qualified sites and business partners
Attributes passed: eduPerson
Privacy requirements to be developed
Security requirements to be developed
InCommon federation
Federation operations – Internet2 Production Team
Federating software – Shibboleth 1.0 and above
Federation data schema – eduPerson200210 or later and eduOrg200210 or later
Federation privacy and security requirements – in discussion; could be:
– Privacy requirements: initially, destroy received attributes immediately upon use
– Security requirements: initially, enterprises post local I/A and basic business rules for assignment of eduPersonAffiliation values
Likely to progress towards standardized levels of authentication
Logout issues
InCommon planning steps
Planning activities by ad hoc group of CIOs from participating organizations
– Decided initial form is that of an Internet2 project
– Set criteria for membership
– Drafted InCommon Prospectus
– Developed an initial management structure
Executive Committee of members, generally CIOs or content provider reps
Staggered 3-year terms, nominated by participants in InCommon with input from NPPAC
Facilitated by Internet2
Internal process being engineered with oversight by technical experts
InCommon current status
InCommon Executive Committee established and meeting bi-weekly via conference calls
– Advising on internal processes
– Drafting campus policy statements, framework for sharing
– Tuning Prospectus
– Discussing pricing
Internet2 building infrastructure
– InCommon CA
– Redundant WAYF
– Web Sites and Communications
Open doors - ? Spring 2004?
InCommon, some time from now
Established with several hundred participants
Multi-layered strength-of-trust threads among participants
Working with state and/or regional federations
“Peering” with national federations in other countries
“Gateways” with commercial federations