Federated Access Management

Mark Cairney

Information Services IT Infrastructure

UNIX Section

University of Edinburgh

What is Federated Access Management?

• Trust framework between institutions and services

• User Authentication devolved to each institution via a local Identity Provider (IdP)

• Authorisation handled by the Service Provider (SP) based on attributes sent to it by the IdP

What is FAM?

• Trust relationship is established by each side holding metadata that describes the other party

• Federation is responsible for managing and publishing metadata for all members (IdPs and SPs)

• Also responsible for establishing policies regarding data exchange between members and ensuring they are being adhered to.

What is FAM?

• Federations are established at a geographical (country/continental) level, e.g. InCommon (US), UKAMF (UK), eduGAIN (Europe)

• Now starting to see inter-federation agreements e.g. UK Federation <-> eduGAIN

• Establishing standards/good practice becomes an even bigger issue with inter-federation!

FAM Systems

• Number of competing FAM solutions (both FOSS and commercial)

– OpenAthens

– Shibboleth

– OpenAM

– Microsoft AD FS

• We’ll be looking at Shibboleth as it’s what I know best!

Shibboleth

• Free, Open Source

• Popular in education sector

• Gaining traction outwith education

• 3 main components:

– Identity Provider (IdP)

– Service Provider (SP)

– Discovery Service (DS aka Where Are You From?)

Identity Providers (IdP)

• Locally-installed server integrated with organisation’s local infrastructure (SSO, identity management)

• User logs in with their local SSO credentials

• IdP authenticates user and looks them up in local Identity source (LDAP, AD, database)

Identity Providers (IdP)

• User information parsed, processed and only permitted attributes are sent back to the Service Provider (SP)

• By default all members of the UK Federation are sent a minimal set of attributes

• Additional attributes have to be explicitly released by the IdP administrator

• Can have multiple metadata sources and rules for attribute disclosure
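An added example (not from the slides) of the attribute disclosure rules described above, written as a Shibboleth IdP v3 attribute-filter.xml: a minimal attribute is released to every member of the federation aggregate, while an additional attribute is released only to one explicitly named SP. The entity group name and the SP entityID are assumed placeholder values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the deck's own configuration. Rules are evaluated
     independently; an attribute is released only if some policy permits it. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Default release: every SP in the federation metadata group gets only
         the scoped affiliation. groupID is assumed to match the Name attribute
         of the federation's EntitiesDescriptor (placeholder value here). -->
    <AttributeFilterPolicy id="federationDefault">
        <PolicyRequirementRule xsi:type="InEntityGroup" groupID="http://federation.example/metadata" />
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Explicit release: one named SP additionally receives mail and
         displayName. Nothing else on the page's "additional attributes"
         list is released unless an administrator adds a policy like this. -->
    <AttributeFilterPolicy id="libraryPortalExtras">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth" />
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

Because the IdP only releases what a policy permits, an SP that is not in the named entity group and is not the named requester receives no attributes at all, which is the fail-closed behaviour the slides rely on.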

Service Providers (SP)

• Module that performs the login step for a service

• Receives attributes from IdP and uses these to perform authentication and authorisation of user.

• N.B. The Service Provider makes the authorisation decision based on the attribute data it receives. It is NOT the IdP’s job to perform authorisation!!
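An added example (not from the slides) of the SP-side authorisation decision, using the Shibboleth SP's XML access control rules inside shibboleth2.xml: access to a protected path is granted only if the released attributes satisfy the rule. The hostname, path, scope and entitlement values are assumed.

```xml
<!-- Added example, not the deck's own configuration. Fragment of a
     Shibboleth SP RequestMapper; the IdP only supplies attributes, the
     decision below is made entirely by the SP. -->
<RequestMapper type="Native">
    <RequestMap>
        <!-- Assumed SP hostname -->
        <Host name="sp.example.org">
            <!-- Anything under /secure requires a SAML session first -->
            <Path name="secure" authType="shibboleth" requireSession="true">
                <AccessControl>
                    <OR>
                        <!-- "affiliation" is the default attribute-map id for
                             eduPersonScopedAffiliation; scope value assumed -->
                        <Rule require="affiliation">staff@example.ac.uk</Rule>
                        <!-- Or a library-terms entitlement released by the IdP -->
                        <Rule require="entitlement">urn:mace:dir:entitlement:common-lib-terms</Rule>
                    </OR>
                </AccessControl>
            </Path>
        </Host>
    </RequestMap>
</RequestMapper>
```

If the IdP releases neither attribute (for example because its attribute-filter policy does not permit it for this SP), the user authenticates successfully but is still denied access, which is exactly the split of responsibilities the slide describes.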

Discovery Service

• Formerly Known as WAYF (Where Are You From)

• Essentially a list of available IdPs

• UK Federation run one for general use OR

• Roll your own to present a subset of these

• Optional: you can hardwire your SP to speak to a specific IdP (but this isn’t really federation)

SAML

• AKA Security Assertion Markup Language

• Standard dialect for IdPs and SPs to talk to each other

• Standards (SAML1 / SAML2)

• Possible (though not always straightforward!) for IdPs and SPs of different flavours e.g. Shibboleth and OpenAthens to talk to each other.

WOW! (diagram: User, IdP, SP, Discovery Service)

The Federation

• Maintains and publishes the metadata consumed by member entities (i.e. IdPs and SPs)

• Metadata used to form trust relationships

• Responsibility for the metadata feed and for ensuring members adhere to good practice (security, privacy etc)

• Monolithic

Inter-federation Trust

• More of a political challenge than a technical one

• Participating federations have to negotiate common standards re: metadata structure, key lengths/types, attributes required.

• Best practice wins!

• End result is an aggregated metadata file published by the participating federations

Other Federated Identity Systems

• OpenAthens: very similar to Shibboleth

• Commercial entity, run by EduServ

• Can either run your own IdP or have OpenAthens run it for you for a fee.

• Technology very similar to Shibboleth (SAML-based, monolithic Federations)

Other Federated Identity Systems

• Eduroam: used in Higher Education to provide federated roaming wireless access

• Built on FreeRADIUS

• Managed and maintained in the UK by JANET

• External users’ credentials are relayed back to their home institution for authentication

Future of Federation

• Current models work well for web-based authentication (Shibboleth) and/or specific protocols (eduroam)

• However there is an increasing requirement for support of multiple protocols and for some level of devolved federation management

Shibboleth IdPv3

• Still SAML2-based but with a number of improvements based on experience gained with v2

• Improvements include:

– User consent for releasing attributes

– Session state largely stored client-side in encrypted cookie store.

Moonshot

• Based on FreeRADIUS 3 with additional functionality provided by Shib libraries

• Provides some level of devolved management.

• Multi-protocol support (SSH, Web, Exchange)

Moonshot - Disadvantages

• Requires bleeding-edge versions of FreeRADIUS and Moonshot dependencies

• Work in progress: steep learning curve and documentation not comprehensive

• Requires software to be installed on both clients and services to support it; some of these (e.g. OpenSSH) depend on locally patched versions.

Questions?

• E: [email protected]

• T: @mcairney

• http://www.ukfederation.org.uk

• http://shibboleth.net/

• http://www.jisc.ac.uk/assent