
Shibboleth Guided Tour Webinar


Page 1: Shibboleth Guided Tour Webinar

Shibboleth Guided Tour

John A. Lewis
Chief Software Architect
Unicon, Inc.

20 November 2008

Audio Bridge: 1-866-625-9936
Pin 2861832

© Copyright Unicon, Inc., 2008. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

Page 2: Shibboleth Guided Tour Webinar

Unicon Profile

● Software Consulting Services
● Founded in 1993
● Privately-Held Company
● Located in Chandler, Arizona

Our Vision: IT Services for Education Specializing in Open Source

Page 3: Shibboleth Guided Tour Webinar

IT Services For Education

IT Services
● Software Engineering
● Systems Integration
● Technology Delivery and Support

Domain Expertise
● Higher Education
● Curriculum & Assessment
● Learning Management
● Enterprise Portals
● Online Campus Services
● Publishing
● Secure Authentication

Page 4: Shibboleth Guided Tour Webinar

Specializing in Open Source

● Technology Solutions
  – Enterprise Portal
  – Learning Management
  – Secure Authentication
  – eMail and Collaboration
● Open Standards

Page 5: Shibboleth Guided Tour Webinar

Higher Education Customers

A partial list...

Page 6: Shibboleth Guided Tour Webinar

Unicon Services for Shibboleth

● Implementation Planning
● Branding and User Experience
● Installation and Configuration
● Custom Development
● Shibbolize uPortal, Sakai, and other applications

Page 7: Shibboleth Guided Tour Webinar

Identity Management & SAML

Page 8: Shibboleth Guided Tour Webinar

What Makes Identity Important?

● Connects
  – Users
  – Applications
● Lots of other things
  – security, privacy, spam,
  – secrecy, trust, authority,
  – collaboration, convenience,
  – ...

Page 9: Shibboleth Guided Tour Webinar

Evolution of User Identity

● Application Silos
  – Each with their own logins and passwords
● Common Directories / Databases
  – Central store for person information
● Single Sign-On
  – Central login system for multiple applications
● Federated Identity
  – Trusted identity information from others

Page 10: Shibboleth Guided Tour Webinar

Why Federated Identity?

● Authoritative information
  – Users, privileges, attributes
● Improved security
  – Fewer user accounts in the world
● Privacy when needed
  – Fine control over attribute sharing
● Saves time & money
  – Less work administrating users

Page 11: Shibboleth Guided Tour Webinar

What Is Identity Management?

● More than account creation, directories, authentication, access controls, ...
● Includes policy, process, governance, trust
● Need new ways of thinking about controlling access to IT services

“A set of processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” – Burton Group

Page 12: Shibboleth Guided Tour Webinar


Page 13: Shibboleth Guided Tour Webinar

What Is SAML?

● Security Assertion Markup Language (SAML)
● XML-based Open Standard
● Exchange authentication and authorization data between security domains
  – Identity Provider (a producer of assertions)
  – Service Provider (a consumer of assertions)
● Approved by OASIS Security Services
  – SAML 1.0 November 2002
  – SAML 2.0 March 2005

Page 14: Shibboleth Guided Tour Webinar


Major SAML Applications

● Proquest

● Project MUSE

● Thomson Gale

● Google Apps

● ExLibris MetaLib

● Sakai

● DSpace, Fedora

● Ovid

● Microsoft DreamSpark

● Moodle, Joomla, Drupal

● JSTOR, ArtSTOR, OCLC

● Blackboard & WebCT

● Webassign

● Media Wiki / Confluence

● National Institutes of Health

Page 15: Shibboleth Guided Tour Webinar

Commercial Support for SAML

● Sun
● IBM
● Oracle
● Ericsson
● SAP
● HP
● Google
● Ping Identity
● CA/Netegrity
● RSA
● Novell
● NTT

Page 16: Shibboleth Guided Tour Webinar

How Federated Identity Works

● A user tries to access a protected application
● The user tells the application where it’s from
● The user logs in at home
● Home tells the application about the user
● The user is rejected or accepted

Page 17: Shibboleth Guided Tour Webinar

[Diagram: Identity Provider, Service Provider, User, User Directory and Application / Database, exchanging the following messages in order]

1. I'd like access
2. What is your home?
3. Please login at home
4. I'd like to login for SP
5. Login
6. Here is data about you for the SP – send it
7. Here is the data from my IdP
8. Access Granted / Access Denied
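The exchange above, simulated as an added Python example that is not part of the original deck: the IdP issues a signed assertion after a home login (steps 4 to 6), and the SP accepts it only if the issuer is in its trusted provider list, the signature verifies, the audience is this SP and the assertion is unexpired, then exposes the attributes to the application the way the Shibboleth SP does through environment variables (steps 7 and 8). The metadata, EntityIDs, user record and HMAC key are constructed stand-ins; real SAML uses XML signatures with the X.509 certificates carried in metadata, not a shared secret.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-in for federation metadata: a trusted list of providers
# keyed by EntityID. The HMAC key replaces the signing certificate that real
# SAML metadata would carry for each IdP.
METADATA = {"https://idp.example.edu/idp": {"key": b"constructed-idp-key"}}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
# Constructed user directory behind the IdP; step 5 checks credentials here.
DIRECTORY = {"jdoe": {"password": "correct-horse", "mail": "jdoe@example.edu",
                      "eduPersonAffiliation": "student"}}


def idp_login(idp_id, user, password, sp_id):
    """Steps 4-6: user logs in at home; the IdP returns a signed assertion
    addressed to the requesting SP, or None when the login fails."""
    record = DIRECTORY.get(user)
    if record is None or not hmac.compare_digest(
            record["password"].encode(), password.encode()):
        return None
    body = {"issuer": idp_id, "audience": sp_id, "subject": user,
            "expires": time.time() + 300,
            "attributes": {k: v for k, v in record.items() if k != "password"}}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(METADATA[idp_id]["key"], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def sp_consume(assertion, now=None):
    """Steps 7-8: verify issuer, signature, audience and expiry against
    metadata. Returns the environment the application sees (Shibboleth SP
    style: REMOTE_USER plus one variable per attribute), or None for denial."""
    if assertion is None:
        return None
    body = json.loads(assertion["payload"])
    idp = METADATA.get(body.get("issuer"))
    if idp is None:  # issuer not in our trusted list
        return None
    expected = hmac.new(idp["key"], assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    if body["audience"] != SP_ENTITY_ID or body["expires"] < (now or time.time()):
        return None
    env = {"REMOTE_USER": body["subject"]}
    env.update({k.upper(): v for k, v in body["attributes"].items()})
    return env
```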

Page 18: Shibboleth Guided Tour Webinar


Shibboleth

Page 19: Shibboleth Guided Tour Webinar

Shibboleth

● Enterprise federated identity software
  – Based on standards (principally SAML)
  – Extensive architectural work to integrate with existing systems
  – Designed for deployment by communities
● Most widely used in education, government
● Broadly adopted in Europe
● New 2.0 release implements SAML 2
  – Backward compatible with 1.3

Page 20: Shibboleth Guided Tour Webinar

Shibboleth Project

● Free & Open Source
  – Apache 2.0 license
● Enterprise and Federation oriented
● Started 2000 with first released code in 2003
● Excellent community support
  – http://shibboleth.internet2.edu
  – [email protected]

Page 21: Shibboleth Guided Tour Webinar

Quick Demo

Demo Links:
● https://spaces.internet2.edu/
● https://www.internet2.edu/secure/env.php
● https://www.protectnetwork.org/

Page 22: Shibboleth Guided Tour Webinar

The Shibboleth IdP

● Written as a Java web application
  – Runs in any Servlet 2.4 container
● Supports multiple protocols
● Does not contain attributes or logins
  – Relies on external LDAP / Kerberos / SQL / etc.
● Extensive controls for the release of attributes

Page 23: Shibboleth Guided Tour Webinar

[Diagram: Web Browser, Shibboleth SP and Application on one side; Tomcat hosting the Shibboleth IdP, backed by Authentication and a Directory / Database, on the other]

Page 24: Shibboleth Guided Tour Webinar

The Shibboleth SP

● Written in C++ for Apache, IIS, or NSAPI
  – Apache often used to front-end other app servers
    ● Java containers, Zope, etc.
● Extensive clustering support
● No API – attributes & data available through headers & environment variables
  – Keeps identity management external to app

Page 25: Shibboleth Guided Tour Webinar

[Diagram: Web Browser; Apache or IIS running the Shibboleth SP module with shibd, fronting the Application Server; Shibboleth IdP backed by the User Directory]

Page 26: Shibboleth Guided Tour Webinar

Discovery Service

● Gives users an interface to select an IdP
● Loads metadata files
  – From multiple federations
  – Or non-federations
● Positioned alongside SP, gives customized lists
● Positioned by federation, enables SSO across entire federation

Page 27: Shibboleth Guided Tour Webinar

Role of a Federation

● Agreed upon Attribute Definitions
  – Group, Role, Unique Identifier, Courses, …
● Criteria for IdM & IdP practices
  – user accounts, credentialing, personal information stewardship, interoperability standards, technologies, ...
● Digital Certificates
● Trusted “notary” for all members
● Not needed for Federated IdM, but does make things even easier

Page 28: Shibboleth Guided Tour Webinar

InCommon Federation

● U.S. Higher Education & Research (and its Partners)
● 1.7 Million Users
● Self-organizing & Heterogeneous
● Policy Entrance bar intentionally set low
● Doesn’t impose lots of rules and standards
● http://www.incommonfederation.org/

Page 29: Shibboleth Guided Tour Webinar

SAML Metadata

● Data that describes partners for federated identity
  – Trust, protocols, etc.
● Primarily a trusted list of providers
  – May be signed
  – Many distribution methods
● EntityID is the name of a provider

Page 30: Shibboleth Guided Tour Webinar

SAML Attributes

● A lot like LDAP and database attributes
  – Tweaked for an inter-realm world; scope
● Name/value pairs to represent pieces of information about an identity
● Where do attributes live? Who’s authoritative?
  – Identity provider? Application?
  – Third party?
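The "scope" tweak above matters for security: an SP should accept a scoped value such as student@example.edu only when the asserting IdP is permitted to speak for that scope, otherwise any federation member could claim affiliations at another institution. This added Python example is not part of the original deck; it assumes a per-IdP scope list keyed by EntityID (which is what the Shibboleth SP reads from the shibmd:Scope metadata extension), and the EntityIDs, scopes and eduPersonScopedAffiliation values are constructed.

```python
# Constructed stand-in for the per-IdP scope list the Shibboleth SP derives
# from shibmd:Scope elements in metadata (assumption: keyed by EntityID).
ALLOWED_SCOPES = {
    "https://idp.example.edu/idp": {"example.edu", "alumni.example.edu"},
}


def filter_scoped(issuer, attributes):
    """Return only the scoped values (local@scope) whose scope the issuing IdP
    may assert. Values with no scope, an empty local part, or a scope the
    issuer does not own are dropped; an unknown issuer keeps nothing."""
    allowed = ALLOWED_SCOPES.get(issuer, set())
    kept = {}
    for name, values in attributes.items():
        good = []
        for value in values:
            local, sep, scope = value.rpartition("@")
            # Scopes are DNS-style names, so compare case-insensitively.
            if sep and local and scope.lower() in allowed:
                good.append(value)
        if good:
            kept[name] = good
    return kept
```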

Page 31: Shibboleth Guided Tour Webinar

SAML Identifiers

● Primary keys for people
  – email, login name most common; privacy, secrecy, and security should be considered
  – The dangers and necessities of recycling
● Where does user data live? How is it connected? Is it in multiple places?
● Multiple identifiers per person and per identity possible

Page 32: Shibboleth Guided Tour Webinar

Logout Support

● It’s really hard to do for federated identity
  – Especially large-scale
● Lots of applications loosely coupled
  – Many with their own cookie-based sessions
● SAML 2.0 has protocol logout support

Page 33: Shibboleth Guided Tour Webinar

Resources

● Internet2 Shibboleth website
  – http://shibboleth.internet2.edu/
● JISC Video on Federated Identity
  – http://video.google.co.uk/videoplay?docid=6664146721575915928
● Internet 2 Wiki
  – https://spaces.internet2.edu/
● Shibboleth Documentation
● Shib Install Fest Materials

Page 34: Shibboleth Guided Tour Webinar

Questions & Answers

John A. Lewis
Chief Software Architect
Unicon, Inc.
[email protected]