Using Shibboleth to Connect: Applications for the Clearinghouse and Other Federated Applications
Brendan Bellina, Identity Services Architect
Manager, Enterprise Middleware Identity Management, University of Southern California
Copyright Brendan Bellina, 2010. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
4/24/2010 AACRAO 2010 Annual Meeting 2
Agenda
• Overview of Shibboleth
• How Shibboleth is used at USC
• Definition of “Federation”
• Overview of the InCommon Federation
• Shibboleth @ USC use cases
– Apple iTunes U
– Google Apps for Education
– National Student Clearinghouse Student Self-Service
What is Shibboleth?
• Web Single-Sign-On software
– Developed by Higher-Ed (2001 – ongoing)
• Internet2, NSF Middleware Initiative
– Non-proprietary – standards based (SAML: Security Assertion Markup Language)
– Privacy preserving attribute delivery
– Local authentication
– Global authorization
– Widely adopted and free
- User credentials are not distributed
- No user management at service provider
- Identity is protected
- Standards based
- Built for Federation
Webinar with Nate Klingenstein, hosted by Unicon:
http://www.unicon.net/node/1282
About USC
• Private university est. 1880 in Los Angeles
• 19 academic units
• 35,000 students
• 21,100 employees (faculty, staff, student workers)
• 229,000 alumni
• 6,600 regularly enrolled international students
Source: http://www.usc.edu/about/ataglance/
How Shibboleth is used at USC
• Single-Sign-On for
– centrally managed web applications
– department hosted web applications
– sponsored federated web applications
• Encouraged for use with all web applications
• USC is a member of the InCommon Federation
How Shibboleth is Implemented at USC
• Single Shibboleth 2.x Identity Provider (IdP)
• Identity Provider uses USC Global Directory Service as identity and attribute store
• Identity Provider uses MIT Kerberos as credential store (for authentication)
• IdP supported by central IT Enterprise Middleware Identity Management (part of Information Security)
Notable Successes
• University Portal
• Blackboard
• Online Grading System
• iTunes U
• Online Schedule of Classes
• iVIP Guest/Affiliate System
• Orientation Reservations
• Confluence Wiki
• MovableType Blog
• Google Apps
• Microsoft DreamSpark
• Dspace Digital Repository
• Online Whitepages
• National Student Clearinghouse
What is a “Federation”?
• Federations – definition
– Dictionary.com - a federated body formed by a number of nations, states, societies, unions, etc., each retaining control of its own internal affairs.
– InCommon.org - a federation is an association of organizations that come together to exchange information, as appropriate, about their users and resources in order to enable collaborations and transactions.
Does Shibboleth require that an institution be in a Federation in order to access federated (i.e., externally hosted) services?
Does a service provider have to be a member of a Federation in order for their service to be compatible with a Shibboleth Identity Provider?
No and no. But there are advantages for both the Institution and the Service Provider to being in a Federation.
Federated Model (diagram): users at Institution A and Institution B access services (Research Projects, Shared Courses, Student Loan Service, Physics Homework Service, Library Provider) through a federation that supplies governance for operational standards and practices, a legal agreement and protections, trusted metadata, and technical interoperability. Legend: credentialing / authentication, authorization, user credential.
What is InCommon?
• A SAML-based Federation that includes:
– 200+ higher education participants
– Six government and nonprofit laboratories, research centers, and agencies (including NIH, TeraGrid, and NSF)
– 51 sponsored partners
– Two county K-12 school districts (as part of a pilot)
– More than 4 million higher education users
– Members agree to rules and practices that allow for interoperability
– http://www.incommonfederation.org
Value of InCommon
• Governance by a representative Steering Committee
– Formulates policy, operational standards and practices, establishes a common set of attributes and definitions.
• Legal Agreement
– Basic responsibilities, official signatory and establishment of trust, conflict and dispute resolution, basic protections
• Trust “Notary”
– InCommon verifies the identity of organizations and their delegated officers
• Trusted Metadata
– InCommon verifies and aggregates security information for each participant’s servers, systems, and support contacts
• Technical Interoperability (Technical Advisory Committee)
– InCommon defines shared attributes (eduPerson), standards (SAML), software (Shibboleth)
Apple iTunes U
• Background
– Started effort in 2006 by USC Technology Enhanced Learning
– Hosting protected content accessible by USC students based on course enrollment
– No support by Apple for using Shibboleth at that time
– Did not want enrollment data to leave the University
Key Characteristics
• The Shibboleth Service Provider was an application installed at USC that:
– Aggregated data about the user
– Created a credential compatible with iTunes U
– Transmitted the credential securely to Apple iTunes U
• Using a “shim” application to be the service provider allows Shibboleth SSO to be extended to non-Shibbolized resources
Use Case Take Away
A Shibboleth Service Provider “shim” may be used to front-end a non-Shibboleth compatible service.
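A minimal version of the shim pattern described in this use case, written as an added example and not the USC iTunes U code: the token layout, the shared secret and the sample attributes are all constructed for illustration, and Apple's real iTunes U credential format is not reproduced here. The shim reads the attributes the Shibboleth SP populated after login, keeps the enrollment detail inside the institution by reducing it to opaque course-access group names, and signs a time-limited credential with an HMAC so the receiving service can detect tampering and reject stale tokens. Both sides are included so the example runs offline.

```python
"""Shibboleth 'shim' service provider, in miniature (added example).

The shim sits behind a Shibboleth SP that has already authenticated the user,
derives the minimum claims the downstream (non-Shibbolized) service needs,
and hands over an HMAC-signed, time-limited credential. The token format is
hypothetical; it is not any vendor's protocol.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Hypothetical shared secret provisioned out of band with the downstream service.
SHARED_SECRET = b"example-shared-secret-rotate-me"

# Constructed sample of what the Shibboleth SP exposes to the shim after login
# (attribute names follow the eduPerson conventions mentioned in the slides).
SAMPLE_SP_ATTRIBUTES = {
    "REMOTE_USER": "ttrojan@usc.edu",
    "eduPersonAffiliation": "student",
    "displayName": "Tommy Trojan",
    # Local enrollment detail that must NOT leave the institution.
    "enrollment": ["CSCI-101;grade=B+", "MATH-225;grade=A"],
}


def derive_claims(sp_attrs):
    """Reduce SP attributes to the minimal claims the downstream service needs.

    Enrollment records stay inside the shim; only opaque course-access group
    names derived from them are released (no grades, no full records).
    """
    groups = sorted(
        "course:" + record.split(";", 1)[0]
        for record in sp_attrs.get("enrollment", [])
    )
    return {
        "identity": sp_attrs["REMOTE_USER"],
        "name": sp_attrs.get("displayName", ""),
        "affiliation": sp_attrs.get("eduPersonAffiliation", ""),
        "groups": ",".join(groups),
    }


def build_credential(sp_attrs, secret=SHARED_SECRET, now=None):
    """Create the signed credential the shim forwards to the downstream service."""
    claims = derive_claims(sp_attrs)
    claims["time"] = str(int(now if now is not None else time.time()))
    # Canonical ordering so both sides sign exactly the same bytes.
    payload = urlencode(sorted(claims.items()))
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "&sig=" + sig


def verify_credential(token, secret=SHARED_SECRET, now=None, max_age=300):
    """Downstream side: return the claims if the signature and age check out, else None."""
    now = now if now is not None else time.time()
    payload, sep, sig = token.rpartition("&sig=")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain '==' would leak timing information.
    if not hmac.compare_digest(sig, expected):
        return None
    claims = {k: v[0] for k, v in parse_qs(payload, keep_blank_values=True).items()}
    issued = int(claims.get("time", "0"))
    # Reject tokens older than max_age seconds or issued noticeably in the future.
    if not (now - max_age <= issued <= now + 60):
        return None
    return claims


if __name__ == "__main__":
    token = build_credential(SAMPLE_SP_ATTRIBUTES)
    print("credential:", token)
    print("verified claims:", verify_credential(token))
```

The enrollment list never appears in the token; only the derived group names do, which is the point of keeping the shim inside the institution. The receiving side checks the signature before it parses anything else, and bounds the token's age so a captured credential cannot be reused indefinitely.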
Google Apps for Education
• Background
– Started investigating in Summer 2007
– Implemented January 2008 as an opt-in service for students
– For web apps, Google supports the SAML 2.0 standard
– For non-web apps (GoogleTalk, IMAP & POP access to Gmail) requires a password accessible to Google
Accessing Google Web Apps
• Shibboleth 2.x supports the SAML 2.0 standard
• Shibboleth is interoperable with other products that support the SAML standard
• Shibboleth 2.x IdP can interoperate with the Google Service Provider because they both support the SAML standard.
• USC IdP interacts with Google directly
Use Case Take Aways
A Shibboleth IdP can interoperate with a SAML-compliant service provider.
What is required is that services support the SAML standard.
National Student Clearinghouse
- Allows Student access to enrollment verification activities via the Web:
- Print enrollment certificates
- View enrollment history
- Check enrollment verifications that the Clearinghouse has provided to student service providers on their behalf
- View student loan deferments
- Link to real-time information on their student loans
National Student Clearinghouse
• Background
– NSC phased out their initial SSS service, terminating it July 31, 2009.
– NSC engaged in a Shibboleth pilot to support SSS with Stanford and the University of Washington.
– NSC joined the InCommon Federation
Benefits of Using Shibboleth and InCommon with Student Self-Service
• Eliminate necessity of students registering with NSC using SSN
• Make Student Self-Service available to students who do not have an SSN or choose not to provide the SSN
• Ease of use with Integrated Single-Sign On with OASIS (USC Online Student Information System Service), USC Portal, and other services
Work, Time, Resources
• June 2009, following the Stanford pilot, USC agreed to become the first school to use Shibboleth for NSC SSS.
• Service sponsored by University Registrar.
• Added University ID to existing NSC weekly data feed from Student Information System
• Shibboleth Identity Provider configuration to release student University ID and USC OPEID to NSC at student login
• NSC link updated in OASIS
• Under 40 hours of technical work
• Implemented July 30. First school to implement in production using Shibboleth 2.x.
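The attribute-release step listed above, releasing two attributes to one relying party, is what a Shibboleth 2.x Identity Provider expresses in its attribute-filter.xml. The fragment below is an added illustration, not USC's or NSC's actual configuration: the attribute IDs universityID and opeid are assumed names that would be defined in the IdP's attribute-resolver.xml, and the NSC entityID is a placeholder. The commented-out policy shows the weak setting (release to any requester); the live policy restricts release to the single service provider, which is the privacy-preserving attribute delivery the slides describe.

```xml
<!-- Added example of a Shibboleth IdP 2.x attribute-filter.xml; not USC's configuration.
     universityID / opeid are assumed attribute IDs; the NSC entityID is a placeholder. -->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
                        urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd">

    <!-- WEAK (kept only as a contrast; do not deploy): a basic:ANY requirement rule
         releases the attributes to every service provider that asks for them. -->
    <!--
    <afp:AttributeFilterPolicy id="releaseIdentifiersToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />
        <afp:AttributeRule attributeID="universityID">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="opeid">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
    -->

    <!-- Scoped release: the policy only applies when the requester's entityID
         matches the one service provider. Every other SP gets neither attribute. -->
    <afp:AttributeFilterPolicy id="releaseIdentifiersToNSC">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://PLACEHOLDER-NSC-ENTITYID.example/shibboleth" />

        <!-- Student University ID, as carried in the weekly data feed. -->
        <afp:AttributeRule attributeID="universityID">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

        <!-- Institution's OPEID, so the SP can tell which school the user belongs to. -->
        <afp:AttributeRule attributeID="opeid">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

The entityID in the requirement rule is the value published for the service provider in the federation metadata, which is one reason common federation membership shortens integration: the IdP operator reads the identifier from trusted metadata rather than negotiating it out of band. After changing the filter, the release can be checked per relying party with the IdP's own attribute-authority command-line tool before any student logs in.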
NSC SSS Documentation
• Internet2 NSC Pilot documentation
– https://spaces.internet2.edu/display/InCCollaborate/National+Student+Clearinghouse+Pilot
• USC Setup documentation
– https://spaces.internet2.edu/display/InCCollaborate/USC-NSC+Setup
• National Student Clearinghouse Student Self-Service documentation:
– SSS Developer’s Implementation Guide
– SSS Shibboleth Profile Form
• NCES Global Locator (for OPEID lookup)
– http://nces.ed.gov/globallocator/
Use Case Take Away
Membership in a common Federation by both the home institution and service provider simplifies integration and can shorten time to implement.
Summary
• Shibboleth can be used to provide SSO functionality for:
– Non Shibbolized web apps using a shim
– SAML compliant web applications
– Shibbolized applications
• Membership in a Federation, such as InCommon, is not mandatory, but can offer significant benefits and simplify integration.
Additional Resources
- USC GDS website: http://www.usc.edu/gds
- Additional Presentations by the author: http://its.usc.edu/~bbellina
- Shibboleth Project: http://shibboleth.internet2.edu
- More on iTunes U at USC from the developer: http://www.nasiperetz.net/?p=13
- Google Apps At USC: http://google.usc.edu/
- Google Apps At USC Support: http://www.usc.edu/its/google/
- Brendan Bellina: [email protected]