Shibboleth Update

Michael R Gettes, Duke University
On behalf of the shib project team


CAMP Directory Workshop Feb 3-6, 2004

What is Shibboleth? (Biblical)

A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce “sh”, called the word sibboleth. See --Judges xii.

Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.

Webster's Revised Unabridged Dictionary (1913)


What is Shibboleth? (modern era)

An initiative to develop an architecture and policy framework supporting the sharing, between domains, of secured web resources and services

A project delivering an open source implementation of the architecture and framework

Deliverables:
– Software for Origins (campuses)
– Software for targets (vendors)
– Operational Federations (scalable trust)


So… What is Shibboleth?

A Web Single-Signon System (SSO)?

An Access Control Mechanism for Attributes?

A Standard Interface and Vocabulary for Attributes?

A Standard for Adding Authn and Authz to Applications?


Shibboleth Goals

Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions

Provide security while not degrading privacy
– Attribute-based Access Control

Foster interrealm trust fabrics: federations and virtual organizations

Leverage campus expertise and build rough consensus

Influence the marketplace; develop where necessary

Support for heterogeneity and open standards


Attribute-based Authorization

Identity-based approach
– The identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access.
– This approach requires the user to trust the target to protect privacy.

Attribute-based approach
– Attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision.
– This approach does not degrade privacy.


Stage 1 - Addressing Four Scenarios

Member of campus community accessing licensed resource
– Anonymity required

Member of a course accessing remotely controlled resource
– Anonymity required

Member of a workgroup accessing controlled resources
– Controlled by unique identifiers (e.g. name)

Intra-university information access
– Controlled by a variety of identifiers

Taken individually, each of these situations can be solved in a variety of straightforward ways. Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.


How Does it Work?

Hmmmm…. It’s magic. :-)


High Level Architecture

Federations provide common Policy and Trust

Destination and origin site collaborate to provide a privacy-preserving “context” for Shibboleth users

Origin site authenticates user, asserts Attributes

Destination site requests attributes about user directly from origin site

Destination site makes an Access Control Decision

Users (and origin organizations) can control what attributes are released


Technical Components

Origin Site – Required Enterprise Infrastructure
– Authentication
– Attribute Repository

Origin Site – Shib Components
– Handle Server
– Attribute Authority

Target Site – Required Enterprise Infrastructure
– Web Server (Apache or IIS)

Target Site – Shib Components
– SHIRE
– SHAR
– WAYF
– Resource Manager


Shibboleth AA Process

[Sequence diagram. Participants: the user, the Resource Owner's SHIRE, SHAR and Resource Manager, the WAYF, and the user's home org's Handle Service (HS), User DB and Attribute Authority (AA). The numbered callouts, in order:]

1. The user requests the resource from the Resource Owner.
2. SHIRE: “I don't know you. Not even which home org you are from. I redirect your request to the WAYF.”
3. WAYF: “Please tell me where are you from?”
4. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
5. HS: “I don't know you. Please authenticate using WEBLOGIN.”
6. The user presents credentials, which the HS checks against the User DB.
7. HS: “OK, I know you now. I redirect your request to the target, together with a handle.”
8. SHIRE hands the handle to the SHAR: “I don't know the attributes of this user. Let's ask the Attribute Authority.”
9. SHAR sends the handle to the AA.
10. AA: “Let's pass over the attributes the user has allowed me to release.” The attributes go back to the SHAR and on to the Resource Manager.

Resource Manager: “OK, based on the attributes, I grant access to the resource.”
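As an added illustration of steps 7 to 10 (this is not code from the Shibboleth project): a small simulation of the handle exchange, in which the Handle Server issues an opaque, short-lived handle bound to the target it was issued for, and the Attribute Authority will only resolve a handle that is unexpired and presented by that same target. The class names, the 300-second lifetime, the credential check and the sample user are assumptions; the target URL is the demo site from this deck.

```python
"""Simulation of the handle exchange in the flow above (constructed example,
not Shibboleth project code). The Handle Server (HS) issues an opaque handle
after local authentication; the target's SHAR presents it to the Attribute
Authority (AA), which resolves it to a user only if it is unexpired and was
issued for that same target. Lifetime, names and sample data are assumed."""
import hashlib
import hmac
import secrets
import time

HANDLE_TTL_SECONDS = 300  # assumed lifetime; a deployment picks its own


class HandleStore:
    """handle -> (user, target, expiry), shared by the HS and AA at the origin.
    The handle is random, so it carries nothing about the user's identity."""

    def __init__(self):
        self._handles = {}

    def issue(self, user, target, now):
        handle = secrets.token_urlsafe(24)
        self._handles[handle] = (user, target, now + HANDLE_TTL_SECONDS)
        return handle

    def resolve(self, handle, requesting_target, now):
        entry = self._handles.get(handle)
        if entry is None:
            return None, "unknown handle"
        user, target, expiry = entry
        if now > expiry:
            return None, "handle expired"
        if requesting_target != target:
            return None, "handle was issued for a different target"
        return user, "ok"


class HandleServer:
    """Origin-side HS: the one component in the flow that authenticates the user."""

    def __init__(self, store, user_db):
        self.store, self.user_db = store, user_db  # user_db: name -> sha256 hex

    def login_and_redirect(self, username, password, target, now=None):
        """Steps 5-7: check credentials (stand-in for WEBLOGIN), then issue the handle."""
        now = time.time() if now is None else now
        expected = self.user_db.get(username, "")
        given = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(expected, given):
            return None
        return self.store.issue(username, target, now)


class AttributeAuthority:
    """Origin-side AA: answers the SHAR's attribute query for a handle (steps 9-10)."""

    def __init__(self, store, directory):
        self.store, self.directory = store, directory

    def query(self, handle, requesting_target, now=None):
        now = time.time() if now is None else now
        user, reason = self.store.resolve(handle, requesting_target, now)
        if user is None:
            return None, reason
        return dict(self.directory.get(user, {})), reason


def run_scenario():
    """Replay the flow for a constructed user and return the AA's answers."""
    store = HandleStore()
    hs = HandleServer(store, {"alice": hashlib.sha256(b"correct horse").hexdigest()})
    aa = AttributeAuthority(store, {"alice": {"eduPersonAffiliation": ["member", "student"]}})
    target = "https://shibboleth.blackboard.com/"  # the demo target from the deck
    t0 = 1_000_000.0
    handle = hs.login_and_redirect("alice", "correct horse", target, now=t0)
    return {
        "bad_password": hs.login_and_redirect("alice", "wrong", target, now=t0),
        "fresh": aa.query(handle, target, now=t0 + 10),
        "other_target": aa.query(handle, "https://other.example.org/", now=t0 + 10),
        "expired": aa.query(handle, target, now=t0 + HANDLE_TTL_SECONDS + 1),
        "forged": aa.query("not-a-real-handle", target, now=t0 + 10),
    }
```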


From Shibboleth Arch doc

[Architecture diagram, shown in two builds. Origin (University): Authentication System, HTTP Server, Enterprise Directory, Handle Service, Attribute Authority. Target (Resource Provider): SHIRE, WAYF, SHAR, Resource Manager. Numbered steps: 1 the browser requests http://www.CoolResource.com; 2, 2a SHIRE and WAYF; 3, 3a, 3b, 3c Handle Service, with the handle returned to the SHIRE; 4 Attribute Authority; 5, 6 the SHAR presents the handle and Attributes flow to the Resource Manager.]

From Shibboleth Arch doc

[The same architecture diagram, again in two builds, for the variant in which the user starts from a Local Navigation Page (step 1) and the WAYF does not appear; steps 3, 3b, 3c Handle Service, 4 Attribute Authority, and 5, 6 SHAR, handle, Resource Manager and Attributes are as before.]


Demo!

http://shibboleth.blackboard.com/


Shibboleth Architecture (still photo, no moving parts)


Shibboleth Architecture -- Managing Trust

[Diagram: Browser, Target Web Server, Attribute Server and Shib engine, with the link between the target and the Attribute Server labelled TRUST.]


Attribute Authority -- Management of Attribute Release Policies

The AA provides ARP management tools/interfaces.
– Different ARPs for different targets
– Each ARP specifies which attributes and which values to release
– Institutional ARPs (default): administrative default policies and default attributes; site can force include and exclude
– User ARPs managed via “MyAA” web interface
– Release set determined by “combining” Default and User ARP for the specified resource
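An added example (not the project's ARP implementation) of the combining rule this slide describes: an institutional default ARP, the site's force-include and force-exclude lists, and a per-target user ARP are merged into one release set. The rule shapes, attribute names, sample user and the second target URL are assumptions; the first target URL is the demo site from this deck.

```python
"""Combining Attribute Release Policies (ARPs) for one target, as the slide
describes: an institutional (default) ARP, site-level force-include and
force-exclude lists, and the user's own ARP from "MyAA". Constructed example,
not the Shibboleth project's ARP engine; rule shapes and names are assumed.

An ARP maps a target URL (or "*" for the default) to {attribute: allowed},
where allowed is a set of values, "*" for any value, or None meaning
"do not release" (only meaningful in a user ARP)."""

INSTITUTIONAL_ARP = {
    "*": {"eduPersonAffiliation": {"member"}},
    "https://shibboleth.blackboard.com/": {
        "eduPersonAffiliation": {"member", "student"},
        "eduPersonEntitlement": {"urn:mace:vendor:contract1234"},
    },
}
SITE_FORCE_INCLUDE = {"eduPersonAffiliation"}  # released even if the user opts out
SITE_FORCE_EXCLUDE = {"uid"}                   # never released, whatever the user says


def _rules_for(arp, target):
    """Default rules overlaid with the target-specific rules."""
    rules = dict(arp.get("*", {}))
    rules.update(arp.get(target, {}))
    return rules


def _union(a, b):
    return "*" if a == "*" or b == "*" else set(a) | set(b)


def combine_arps(target, user_arp, institutional=INSTITUTIONAL_ARP,
                 force_include=SITE_FORCE_INCLUDE, force_exclude=SITE_FORCE_EXCLUDE):
    """Effective release rules for one target."""
    rules = _rules_for(institutional, target)
    for attr, allowed in _rules_for(user_arp, target).items():
        if allowed is None:                       # user opt-out
            if attr not in force_include:
                rules.pop(attr, None)
        else:                                     # user widening
            rules[attr] = _union(rules.get(attr, set()), allowed)
    for attr in force_include:
        rules.setdefault(attr, "*")
    for attr in force_exclude:                    # site override wins last
        rules.pop(attr, None)
    return rules


def release_set(user_attributes, target, user_arp):
    """Attributes (and only the allowed values) the AA will hand to `target`."""
    rules = combine_arps(target, user_arp)
    released = {}
    for attr, values in user_attributes.items():
        allowed = rules.get(attr)
        if allowed is None:
            continue
        kept = [v for v in values if allowed == "*" or v in allowed]
        if kept:
            released[attr] = kept
    return released


# Constructed sample data.
ALICE = {
    "eduPersonAffiliation": ["member", "student", "employee"],
    "eduPersonPrincipalName": ["alice@example.edu"],
    "eduPersonEntitlement": ["urn:mace:vendor:contract1234", "urn:mace:vendor:contract999"],
    "uid": ["alice"],
}
ALICE_ARP = {
    "https://shibboleth.blackboard.com/": {
        "eduPersonPrincipalName": "*",   # Alice opts in to releasing her EPPN
        "uid": "*",                      # ignored: the site force-excludes uid
        "eduPersonEntitlement": None,    # Alice opts out of entitlements
    },
}
```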


Typical Attributes in the Higher Ed Community

Affiliation: “active member of community”, e.g. [email protected]

EPPN: identity, e.g. [email protected]

Entitlement: an agreed upon opaque URI, e.g. urn:mace:vendor:contract1234

OrgUnit: department, e.g. Economics Department

EnrolledCourse: opaque course identifier, e.g. urn:mace:osu.edu:Physics201


Target – Managing Attribute Acceptance

Rules that define who can assert what…
– MIT can assert [email protected]
– can assert [email protected]
– CANNOT assert [email protected]

Important for entitlement values
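An added example of such acceptance rules on the target side (not the Shibboleth project's acceptance-policy code): a scoped attribute is accepted only when the asserting origin owns its scope, and an entitlement URI only when the target has agreed that value with that origin. The issuer identifiers, scopes, second origin (Duke) and sample assertions are constructed; the entitlement URI is the one from the attributes slide.

```python
"""Target-side attribute acceptance (constructed example, not the Shibboleth
project's acceptance-policy code): rules that define who can assert what. A
scoped attribute such as eduPersonPrincipalName is accepted only when the
asserting origin owns its scope; an entitlement URI only when the target has
agreed that value with that origin. Issuer ids, scopes and URIs are assumed."""

# issuer (origin identifier) -> scopes it may assert, entitlements agreed with it
ACCEPTANCE_POLICY = {
    "urn:mace:example:mit.edu": {
        "scopes": {"mit.edu"},
        "entitlements": {"urn:mace:vendor:contract1234"},
    },
    "urn:mace:example:duke.edu": {
        "scopes": {"duke.edu"},
        "entitlements": set(),
    },
}
SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}


def _scope_of(value):
    """Scope part of 'user@scope', lower-cased; None if the value is malformed."""
    if value.count("@") != 1:
        return None
    user, scope = value.split("@")
    return scope.lower() if user and scope else None


def accept_attributes(issuer, attributes):
    """Filter one origin's assertions against the target's acceptance policy.

    Returns (accepted, rejected); rejected holds (attribute, value, reason) so the
    target can log what an origin tried to assert outside its authority."""
    policy = ACCEPTANCE_POLICY.get(issuer)
    if policy is None:
        return {}, [(a, v, "issuer not in policy") for a, vals in attributes.items() for v in vals]
    accepted, rejected = {}, []
    for attr, values in attributes.items():
        for value in values:
            if attr in SCOPED_ATTRIBUTES:
                scope = _scope_of(value)
                if scope is None:
                    rejected.append((attr, value, "malformed scoped value"))
                    continue
                if scope not in policy["scopes"]:  # exact match: sub.duke.edu is not duke.edu
                    rejected.append((attr, value, "issuer does not own scope " + scope))
                    continue
            elif attr == "eduPersonEntitlement" and value not in policy["entitlements"]:
                rejected.append((attr, value, "entitlement not agreed with issuer"))
                continue
            accepted.setdefault(attr, []).append(value)
    return accepted, rejected


# Constructed assertions covering the slide's cases plus an entitlement.
MIT_ASSERTS = {
    "eduPersonPrincipalName": ["alice@mit.edu"],
    "eduPersonEntitlement": ["urn:mace:vendor:contract1234"],
}
DUKE_ASSERTS = {
    "eduPersonPrincipalName": ["bob@duke.edu", "mallory@mit.edu", "eve@sub.duke.edu"],
    "eduPersonEntitlement": ["urn:mace:vendor:contract1234"],
}
```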


Other Technology Partners

LMS Systems
– Blackboard
– WebCT
– WebAssign

Syquest / Higher Markets

Student Charge Card vendors

Napster


Other Pilot Projects

American Association of Medical Colleges

NSDL (National Science Digital Library)

SWITCH - The Swiss National Academic Community

UK/JISC - Controlled Access to Licensed Resources

Becta (British Educational Communications and Technology Agency)

Univ Texas, Medical Center and instruction

Washington Research Library Consortium (WRLC)


Shibboleth -- Next Steps

Full implementation of Trust Fabric
– Supporting Multi-federation origins and targets

Support for Dynamic Content (Library-style Implementation in addition to web server plugins)

Sysadmin GUIs for managing origin and target policy

Grid, Virtual Organizations?

SAML V2.0, Liberty, WS-Fed

NSF grant to Shibboleth-enable open source collaboration tools

LionShare - Federated P2P


So… What is Shibboleth?

A Web Single-Signon System (SSO)?

An Access Control Mechanism for Attributes?

A Standard Interface and Vocabulary for Attributes?

A Standard for Adding Authn and Authz to Applications?


THE END?

Acknowledgements:

Design Team: David Wasley UCOP; RL ‘Bob’ Morgan U of Washington; Keith Hazelton U of Wisconsin-Madison; Marlena Erdos IBM/Tivoli; Steven Carmody Brown; Scott Cantor Ohio State

Important Contributions from: Ken Klingenstein (I2); Michael Gettes (Duke); Scott Fullerton (Madison)

Coding: Derek Atkins (MIT); Parviz Dousti (CMU); Scott Cantor (OSU); Walter Hoehn (Columbia)


Global? Trust Diagram (TWD)


Sample InterFederation


Shib/PKI Inter-Federations

This model demonstrates the similarities of the PKI communities and Shib Federations. This does not mean that Shib == PKI, just that we can leverage the trust infra of a global PKI to maybe solve some larger inter-federation issues of other techno / policy spaces in a common fashion.


Got SHIB?


Shibboleth intra- as well as inter-realm

Keith Hazelton

University of Wisconsin

I2 Middleware Arch. Comm. for Education


Shib intra/inter-realm

Common Shib adoption driver will likely be libraries who want to connect to electronic resource providers

Leveraging Shib as local infrastructure: intra-realm Shibboleth (with an AuthN shim) as completion of the IdM loop, giving apps the info they need to make access control decisions (AuthZ info access)


Shib as WebISO

Note: Shib as shipped assumes an existing WebISO

But in a Shib environment for web apps
– the only web thing that needs an authentication step is the Handle Server (HS) (!!!)
– all target web apps leverage that single authentication step


Shib as WebISO

WebISO solutions have lots of moving parts that are handled by Shib

So what’s the simplest AuthN shim for the HS?


Shib as WebISO

HS runs as an Apache app

How do we protect Apache apps?
– URL/directory based authN schemes
– Use Apache config file fiddling to specify how

Shib 1.1 as shipped has a way to do this with Public Key Infrastructure (PKI) user certs
– Apache asks for client SSL authentication via apache-ssl or mod_ssl
– Right environment variables get populated, presto!


Shib as WebISO: PKI integ.

U California System developed PKI support code (David Walker)

Adopted & adapted by UT-HSC Houston (Barry Ribbeck & Mark Jones)

..and by Dartmouth (Bob Brentrup, Omen Wild & Mark Franklin)


Shib & PKI Migration

Calif, Texas & Dartmouth pushing PKI, so happy to “force” its use for selected apps

Most of us not there yet

What if HS could try for PKI as above, but fail over to LDAP-supported un/pw AuthN over SSL?


Shib & PKI Migration

More generally: Protect the HS app the Apache way with PKI, failover to {your favorite AuthN service here}

So, coordinating with above named culprits, Ryan Muldoon at wisc.edu developed an Apache module-based approach


Shib HS & AuthN Shim

Apache security directives in config allow you to specify a list of AuthN methods in order of preference, so…

Try PKI via above approach

Second on the list is a module that does your favorite AuthN trick & populates env. vars. like REMOTE_USER

Ryan’s code supports failover to un/pw with LDAP (uses mod_perl)


Shib HS & AuthN Shim

Kerberos shops could write a module for Kerberos AuthN, etc.

Allows transparent…
– migration to, or
– experimentation with, or
– selective rollout…
…of PKI behind Shib HS for a general web app AuthN solution


The IdM Picture completed

To the extent you Shibbify your target resources, this fills the gap of AuthZ info delivery to web apps

You’ve authenticated by choice of methods (which can be passed along to targets)

You’ve given targets controlled access to user attributes

With all the knobs for privacy & anonymity you might want


Shibboleth inter-realm: Federations

Shibboleth has support for federations (0, 1 or many)

Doesn’t prescribe how they work

Or even require one
– e.g. Penn State <-> WebAssign is simple bilateral agreement

So what are federations, really?


A Burton Group slide from Catalyst 2003 in San Francisco

Towards a polycentric, federated environment

Many islands will emerge

Identity networks will link the islands:
• Centralized services
• Member owned services (as in the ATM world)
• Use of common rating systems (like Moody’s)

As islands and networks inevitably collide, not clear how they’ll converge

[Diagram labels: Identity Network 1, Identity Network 2, Identity peering, Identity domains]


Federations

Renee Woodten Frost

6 February 2004


Federated all the way down

Given the strong collaborations within the academic community, there is an urgent need to create inter-realm tools, so:

Build consistent campus middleware infrastructure deployments, with outward facing objectclasses, service points, etc. and then

Federate (multi-lateral) those enterprise deployments with inter-realm attribute transports, trust services, etc. and then

Leverage that federation to enable a variety of applications from network authentication to instant messaging, from video to web services, from p2p to virtual organizations, etc. while we

Be cautious about the limits of federations and look for alternative fabrics where appropriate.


Federations

Associations of enterprises that come together to exchange information about their users and resources in order to enable collaborations and transactions

Built on the premise of:
– Initially, “Authenticate locally, act globally”
– Now, “Enroll and authenticate and attribute locally, act federally.”

Uses federating software (e.g. Liberty Alliance, Shibboleth, WS-*) and common attributes (e.g. eduPerson)

Enterprises (and users) retain control over what attributes are released to a resource; the resources retain control (though they may delegate) over the authorization decision.

Several federations now in construction or deployment


Requirements for federations

Federation operations

Federating software
– Exchange assertions
– Link and unlink identities

Federation data schema

Federation privacy and security requirements


Federated administration

[Diagram: Campus 1 and Campus 2, each with O and T (origin and target, in the deck’s terminology), Apps and CM; a VO spanning both campuses; a Federation; Other feds.]


Shibboleth-based federations

InQueue

InCommon

Club Shib

Swiss Education and Research Network (SWITCH)

National Science, etc. Digital Library (NSDL)

------------------------------------

State networks

Medical networks

Financial aid networks

Life-long learning communities


The Research and Education Federation Space

[Diagram labels:]

REF Cluster

InQueue (a starting point)

InCommon

SWITCH

The Shib Research Club

Other national nets

Other clusters

Other potential US R+E feds

State of Penn Fin Aid Assoc

NSDL

Slippery slope - Med Centers, etc

Indiana


InQueue

The “holding pond”

Is a persistent federation with “passing-through” membership… Operational today.

Can apply for membership via http://shibboleth.internet2.edu/ InQueue Federation guidelines

Requires eduPerson attributes

Operated by Internet2; open to almost anyone using Shibboleth in an R&E setting or not…

Fees and service profile to be established shortly: cost-recovery basis


InQueue origins as of 11-25-03

Rutgers University
University of Wisconsin
New York University
Georgia State University
University of Washington
University of California
University at Buffalo
Dartmouth College
Michigan State University
Shibboleth Development Origin
The Ohio State University
UCLA
Internet2
Carnegie Mellon University
National Research Council of Canada
Columbia University
University of Virginia
University of California, San Diego
Brown University
Penn State University
Cal Poly Pomona
London School of Economics
University of North Carolina at Chapel Hill
CU-Boulder
UT Arlington
UT Health Science Center-Houston
University of Michigan


Major targets

Campuses that are also origins, wanting to share campus-based content

Content providers – EBSCO, OCLC, JSTOR, Elsevier, Napster, etc

Learning Management Systems – WebCT, Blackboard, OKI, etc

Outsourced Service Providers – purchasing systems, dormitory management companies, etc.


InCommon basics

Permanent federation for the R&E US sector

To be operated by Internet2, open to .edu-qualified sites and business partners

Attributes passed: eduPerson

Privacy requirements to be developed

Security requirements to be developed


InCommon federation

Federation operations – Internet2 Production Team

Federating software – Shibboleth 1.0 and above

Federation data schema – eduPerson200210 or later and eduOrg200210 or later

Federation privacy and security requirements – in discussion; could be:
– Privacy requirements: initially, destroy received attributes immediately upon use
– Security requirements: initially, enterprises post local I/A and basic business rules for assignment of eduPersonAffiliation values

Likely to progress towards standardized levels of authentication

Logout issues


InCommon planning steps

Planning activities by ad hoc group of CIOs from participating organizations
– Decided initial form is that of an Internet2 project
– Set criteria for membership
– Drafted InCommon Prospectus
– Developed an initial management structure

Executive Committee of members, generally CIOs or content provider reps

Staggered 3-year terms, nominated by participants in InCommon with input from NPPAC

Facilitated by Internet2

Internal process being engineered with oversight by technical experts


InCommon current status

InCommon Executive Committee established and meeting bi-weekly via conference calls
– Advising on internal processes
– Drafting campus policy statements, framework for sharing
– Tuning Prospectus
– Discussing pricing

Internet2 building infrastructure
– InCommon CA
– Redundant WAYF
– Web Sites and Communications

Open doors - ? Spring 2004?


InCommon, some time from now

Established with several hundred participants

Multi-layered strength-of-trust threads among participants

Working with state and/or regional federations

“Peering” with national federations in other countries

“Gateways” with commercial federations