• Home

  • Documents

  • Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web...
26
Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University of Cambridge [email protected]

Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

  • Upload
    others

  • View
    2

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

Web Authentication with Shibboleth

A view from the Flat East

Jon WarbrickComputing Service

University of [email protected]

mailto:[email protected]
mailto:[email protected]
Page 2: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

Once upon a time there was the web...

Page 3: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

...and then sites started to want to identify their visitors

<Location /basic> AuthType Basic AuthName "Who are you?" require valid-user</Location>

Page 4: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

To each site its own users

Page 5: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

To each site its own users

Page 6: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

To each site its own users

Page 7: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

Organization-wide SSOs

• University of Cambridge Raven

• Oxford WebAuth

• Classic Athens (R.I.P.)

• Google

• etc, etc, ...

Page 8: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

Great for the institution

Inside

Outside

Page 9: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

Great for the institution

Not so good for anything outside

Inside

Outside

Page 10: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

• Data protection

• Trust

Two elephants

Page 11: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

Enter the Griffin

• AKA Shibboleth

• A Web Auth system designed to support (though not to require)

• multiple IdPs

• inter-organization use

• privacy and anonymity

• multiple attributes

Page 12: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

Myth and Legends

• Shib is only for e-Journals

• Only supports anonymity

• Only supplied by Internet2

• Doesn’t do standards

• Is really hard

Page 13: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

So, what can we do with it?

Page 14: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

E-Journals

Page 15: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

Standard web server plugins

Page 16: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

Authorization decisions

Directory

Page 17: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

Other people

Page 18: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

Other people, take 2

Page 19: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

Existing software

EZproxy

Page 20: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

VHS vs. Betamax

Facebook Connect

Google Friends Connect

Page 21: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

• There may be questions...

• ...including perhaps ‘Why “Shibboleth?”’

Thanks for listening...

keynote:/Users/jw35/Documents/Presentations/Flat%20east%20-%20Oxford%20ICTF%2007%3A10/why-shibboleth%3F.key
keynote:/Users/jw35/Documents/Presentations/Flat%20east%20-%20Oxford%20ICTF%2007%3A10/why-shibboleth%3F.key
Page 22: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University
Page 23: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

“On the Internet, nobody knows you are a dog...

Page 24: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

“On the Internet, nobody knows you are a dog...

...but sites often want to know that you are the same dog as last time”

Page 25: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University
Page 26: Web Authentication with Shibboleth - University of …jw35/talks/2010-07-ictf-shib/...Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University

Credits

• ‘In the Field’, Julian Wearne, http://www.flickr.com/photos/ikaink/4184787380

• Mosaic screen shot courtesy of NCSA/University of Illinois http://www.ncsa.illinois.edu/News/Images/

• two elephants, Timo Heuer, http://www.flickr.com/photos/upim/293676365/

• Fire Breathing Mythical Dragon, Wili Hybird, http://www.flickr.com/photos/walkadog/3484426248/

• “On the Internet”, by Peter Steiner, page 61 of July 5, 1993 issue of The New Yorker, (Vol.69 (LXIX) no. 20). Reproduced only for academic discussion, evaluation, and research.

• “Same dog as before”: “Tofu, online trust, and spiritual wisdom” from the Pushing Strings” blog by Eve Maler.

http://www.flickr.com/photos/ikaink/4184787380
http://www.flickr.com/photos/ikaink/4184787380
http://www.flickr.com/photos/ikaink/4184787380
http://www.flickr.com/photos/ikaink/4184787380
http://www.ncsa.illinois.edu/News/Images/
http://www.ncsa.illinois.edu/News/Images/
http://www.ncsa.illinois.edu/News/Images/
http://www.ncsa.illinois.edu/News/Images/
http://www.flickr.com/photos/upim/
http://www.flickr.com/photos/upim/
http://www.flickr.com/photos/upim/293676365/
http://www.flickr.com/photos/upim/293676365/
http://www.flickr.com/photos/upim/293676365/
http://www.flickr.com/photos/upim/293676365/
http://www.flickr.com/photos/walkadog/3484426248/
http://www.flickr.com/photos/walkadog/3484426248/
http://www.flickr.com/photos/walkadog/3484426248/
http://www.flickr.com/photos/walkadog/3484426248/
http://www.levity.com/seabrook/eustace.html
http://www.levity.com/seabrook/eustace.html
http://www.xmlgrrl.com/blog/2010/07/06/tofu-online-trust-and-spiritual-wisdom/
http://www.xmlgrrl.com/blog/2010/07/06/tofu-online-trust-and-spiritual-wisdom/

Lenya and Shibboleth

Lenya and Shibboleth

Economy & Finance
Delegated Authentication with Shibboleth - Internet2

Delegated Authentication with Shibboleth - Internet2

Documents
Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication

Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication

Documents
Introduction to Shibboleth - SWITCH...• •SAML 2.0 • SSO ... Introduction to Shibboleth - Shibboleth Training 2015 Author: SWITCHaai Created Date: 20151015071708Z

Introduction to Shibboleth - SWITCH...• •SAML 2.0 • SSO ... Introduction to Shibboleth - Shibboleth Training 2015 Author: SWITCHaai Created Date: 20151015071708Z

Documents
Shibboleth & Federations

Shibboleth & Federations

Documents
1 eduroam Delegate Authentication System with Shibboleth SSO Hideaki Goto, Hideaki Sone Tohoku Univ. / NII Ichiro Yamaguchi, Takaaki Suzuki Tohoku Univ

1 eduroam Delegate Authentication System with Shibboleth SSO Hideaki Goto, Hideaki Sone Tohoku Univ. / NII Ichiro Yamaguchi, Takaaki Suzuki Tohoku Univ

Documents
Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University of Cambridge jw35@cam.ac.uk

Web Authentication with Shibboleth A view from the Flat East Jon Warbrick Computing Service University of Cambridge [email protected]

Documents
Shibboleth Authentication & Blackboard: Would we recommend it yet? Malcolm Murray, Caleb Racey, Jon Dowland

Shibboleth Authentication & Blackboard: Would we recommend it yet? Malcolm Murray, Caleb Racey, Jon Dowland

Documents
Shibboleth: Open Source Distributed Authentication and Authorization

Shibboleth: Open Source Distributed Authentication and Authorization

Technology
Shibboleth-based hybrid authentication

Shibboleth-based hybrid authentication

Technology
Authentication Identity · 2020. 6. 10. · Shibboleth OAuth / OpenID Connect. Central Authentication Service Developed at Yale Now supported by Apero Foundation Used at many UC Campuses

Authentication Identity · 2020. 6. 10. · Shibboleth OAuth / OpenID Connect. Central Authentication Service Developed at Yale Now supported by Apero Foundation Used at many UC Campuses

Documents
7 October 2015 Shibboleth. Agenda Shibboleth Background and Status Why is Shibboleth Important (to Higher Ed)? Current Pilots Course Management

7 October 2015 Shibboleth. Agenda Shibboleth Background and Status Why is Shibboleth Important (to Higher Ed)? Current Pilots Course Management

Documents
Authentication. 2 © 2010 SWITCH Terms: Authentication Mechanism A concrete mechanism used to authenticate a user. Shibboleth 2 currently supports REMOTE_USER,

Authentication. 2 © 2010 SWITCH Terms: Authentication Mechanism A concrete mechanism used to authenticate a user. Shibboleth 2 currently supports REMOTE_USER,

Documents
David Kennedy, UMD Shibboleth and Library Resources Internet2 Library/Shibboleth Project

David Kennedy, UMD Shibboleth and Library Resources Internet2 Library/Shibboleth Project

Documents
Shibboleth - iamsect.ncl.ac.ukiamsect.ncl.ac.uk/dissemination/york/York 4th May 2005.pdf · Shibboleth More commonly associated with secure authentication and authorisation systems

Shibboleth - iamsect.ncl.ac.ukiamsect.ncl.ac.uk/dissemination/york/York 4th May 2005.pdf · Shibboleth More commonly associated with secure authentication and authorisation systems

Documents
Authentication Methods: Shibboleth

Authentication Methods: Shibboleth

Education
MuseKnowledge Proxy and SAML Authentication - … · MuseKnowledge™ Proxy and SAML Authentication MuseGlobal, Inc. One Embarcadero Suite 500 ... • Supports ADFS, Okta, Shibboleth,

MuseKnowledge Proxy and SAML Authentication - … · MuseKnowledge™ Proxy and SAML Authentication MuseGlobal, Inc. One Embarcadero Suite 500 ... • Supports ADFS, Okta, Shibboleth,

Documents
‘Investigation and implementation of Shibboleth SSO authentication mechanism through a specific scenario’

‘Investigation and implementation of Shibboleth SSO authentication mechanism through a specific scenario’

Documents
Shibboleth Setup

Shibboleth Setup

Documents
ProQuest Pivot now supports Shibboleth S · 2017-10-23 · ProQuest Pivot now supports Shibboleth Single Sign-On. What is Shibboleth? Shibboleth is the world's most widely deployed

ProQuest Pivot now supports Shibboleth S · 2017-10-23 · ProQuest Pivot now supports Shibboleth Single Sign-On. What is Shibboleth? Shibboleth is the world's most widely deployed

Documents
Cookies (for authentication) Single Sign-On Passport, Federated passport, Liberty Alliance, Shibboleth GSS-API What you have, what you are, two-factor auth

Cookies (for authentication) Single Sign-On Passport, Federated passport, Liberty Alliance, Shibboleth GSS-API What you have, what you are, two-factor auth

Documents
Shibboleth SP Logout Support - Shibboleth Training …...Current state of SLO in Shibboleth Shibboleth Service Provider 2.5.x • Supports local and global logout Shibboleth Identity

Shibboleth SP Logout Support - Shibboleth Training …...Current state of SLO in Shibboleth Shibboleth Service Provider 2.5.x • Supports local and global logout Shibboleth Identity

Documents
Deploying Two-Factor Authentication to 45k Users › _resources › documents › 2018 › UETN-2018.pdf · –150+ SAML (Shibboleth) / Cloud (Canvas) –600+ Campus hosted Web apps

Deploying Two-Factor Authentication to 45k Users › _resources › documents › 2018 › UETN-2018.pdf · –150+ SAML (Shibboleth) / Cloud (Canvas) –600+ Campus hosted Web apps

Documents
IDENTITY, PRIVACY AND SECURITYconference.hitb.org/hitbsecconf2012ams/materials/CLOSING...WS-Trust LDAP OIX SAML RADIUS Kerberos Shibboleth X.509/OCSP Identity Issuance Services Authentication

IDENTITY, PRIVACY AND SECURITYconference.hitb.org/hitbsecconf2012ams/materials/CLOSING...WS-Trust LDAP OIX SAML RADIUS Kerberos Shibboleth X.509/OCSP Identity Issuance Services Authentication

Documents
Shibboleth Access Management Federations and Secure SDI: ESDIN Experience from the OGC Authentication Interoperability Experiment C.I.Higgins, M.Koutroumpas,

Shibboleth Access Management Federations and Secure SDI: ESDIN Experience from the OGC Authentication Interoperability Experiment C.I.Higgins, M.Koutroumpas,

Documents
Authentication methods: Shibboleth UKLII: Data Publishing Working Group, Welsh Assembly Government, Cardiff. 28 th March 2011 chris.higgins@ed.ac.uk

Authentication methods: Shibboleth UKLII: Data Publishing Working Group, Welsh Assembly Government, Cardiff. 28 th March 2011 [email protected]

Documents
Shibboleth SSO & Drupal

Shibboleth SSO & Drupal

Technology
Ray Collins27th September 2005LGfL Project – workshop report1 LGfL Project Report Proof of Principle of the Shibboleth Authentication & Authorisation Infrastructure

Ray Collins27th September 2005LGfL Project – workshop report1 LGfL Project Report Proof of Principle of the Shibboleth Authentication & Authorisation Infrastructure

Documents
Using Shibboleth as Your WebSSO Authentication System CAMP Shibboleth: Enabling Campus and Federated Single Sign-On June 27, 2006 Brendan Bellina Identity

Using Shibboleth as Your WebSSO Authentication System CAMP Shibboleth: Enabling Campus and Federated Single Sign-On June 27, 2006 Brendan Bellina Identity

Documents
Case study 1: Google Books at the Complutense University ......•Shibboleth authentication system. •Bibliographic metadata are managed in a Library Management System (Aleph). •Access

Case study 1: Google Books at the Complutense University ......•Shibboleth authentication system. •Bibliographic metadata are managed in a Library Management System (Aleph). •Access

Documents