Inter-institutional Authorisation using Shibboleth: Myths, Lies and the Truth


http://iamsect.ncl.ac.uk/

Inter-institutional Authorisation using Shibboleth: Myths, Lies and the Truth

Jon Dowland

IAMSECT project officer

University of Newcastle upon Tyne


Overview

• Definition and demonstration

• Current state of the art

• Shibboleth is…

• Who’s doing what?

• Wrap-up

• Questions


Shibboleth

Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand.

Judges 12:5-7


Shibboleth

“Shibboleth, is a bit like the duck which moves serenely through the water, but is paddling furiously beneath the surface.”

- Derek Morrison


Live demonstration


Shibboleth is a Single Sign-On (SSO) solution

Statement


Single Sign-On solutions

• Pubcookie - http://www.pubcookie.org/

• Yale CAS - http://www.yale.edu/tp/auth/


Authentication/Authorisation

Existing approaches


HTTP Authentication (May 1996 or earlier)


>>> GET /temp/auth/ HTTP/1.0

<<< HTTP/1.1 401 Authorization Required
<<< WWW-Authenticate: Basic realm="Invitation Only"
<<< Content-Type: text/html

>>> GET /temp/auth/ HTTP/1.0
>>> Authorization: Basic xxxxxx

<<< HTTP/1.1 200 OK
<<< Content-Type: text/html
<<<
<<< hello world

Browser prompts for username/password


HTTP: Drawbacks

• Lack of ‘theme-able’ log-in
– ‘help’
– ‘mail me my password’
– Etc.

• ‘Authorization:’ and authentication mixed-up

• Passwords sent in-the-clear

• No log-out mechanism
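The exchange and drawbacks above, as an added Python example that is not part of the slides: a minimal server-side handler for the Basic challenge. The credential store, realm and user names are constructed for the example. It shows why two of the drawbacks hold: the Authorization header is only base64, so anyone who reads the request recovers the password exactly as the server does, and because the browser replays the same header on every request there is no session for the server to end.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store for this example only; a real server would
# hold salted password hashes, never plaintext.
USERS = {"alice": "correct horse battery staple"}
REALM = "Invitation Only"


def encode_basic(user: str, password: str) -> str:
    """What the browser puts after 'Basic ': base64 of 'user:password'."""
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <token>' into (user, password).

    Returns None for a missing or malformed header. The token is base64,
    not encryption: without TLS, anyone who can read the request recovers
    the password in exactly the way this function does.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def check_credentials(user: str, password: str) -> bool:
    """Constant-time comparison; unknown user and wrong password take the same path."""
    expected = USERS.get(user, "").encode("utf-8")
    ok = hmac.compare_digest(expected, password.encode("utf-8"))
    return ok and user in USERS


def build_challenge() -> Dict[str, str]:
    """Headers sent with the 401 that make the browser prompt for a login."""
    return {"WWW-Authenticate": f'Basic realm="{REALM}"', "Content-Type": "text/html"}


def handle_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Serve GET /temp/auth/: 401 plus challenge until valid credentials arrive.

    Every later request carries the same header again, which is why there is
    no log-out: the server keeps no session that it could end.
    """
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None or not check_credentials(*creds):
        return 401, build_challenge()
    return 200, {"Content-Type": "text/html"}
```

Run `handle_request({})` to get the challenge, then `handle_request({"Authorization": "Basic " + encode_basic("alice", "correct horse battery staple")})` to see the 200; decoding the same header with `parse_basic_authorization` gives the plaintext password back.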


Athens (1996)

• Admired internationally, best of breed

• Single ID, multiple sign-on

• UK education and health

• Secure

• Centralised

(diagram: User → Athens → Service)


Athens D.A. (Oct 2002)

• Athens + SSO + devolved (locally managed) authentication

(diagram with nodes: User, Institution, Login, Athens, Service)

Athens services

(slide: a dense list of the services protected by Athens, among them ADITUS, AMADEUS, BANKSCOPE, the BIDS services, BioMed Central, Blackwell-Synergy.com, British Standards Online, the Butterworths legal and tax services, the CHEST site contacts, the CSA databases, the Census data services, the Chadwyck-Healey databases, the Cochrane Library, Dialog, EBSCOhost, the EDINA services, the EIU data services, Emerald, Encyclopaedia Britannica, ISI Web of Knowledge, Ingenta, the JUSTIS law reports, LexisNexis, the MIMAS services, OCLC FirstSearch, Ovid Online, Oxford English Dictionary Online, ProQuest, RefWorks, ScienceDirect, SwetsWise, Westlaw UK, Wiley InterScience and ZETOC)

Shortcomings


• Usage statistics

• Bureaucracy and ad-hoc groups (VRGs)

• Fine-grained access control

• Privacy and anonymity

• Reluctant international services


Shibboleth is…

detailed demo


User attempts to access service


http://bruno.dur.ac.uk/


Interlude: where are they from?

• Autodiscovery (e.g. by host): unreliable, and we’re trying to simplify the service provider

• Manual: simple, but a burden on the user

User redirected to “WAYF”


https://wayf.sdss.ac.uk/shibboleth-wayf/...


User directed to “home”


https://weblogin.ncl.ac.uk/cgi-bin/index.cgi


User provides credentials


“home” authenticates user (against its existing database)

Attributes are exchanged (sourced from the existing database)

User directed to service

From the flyer

“Shibboleth is a fine-grained authorization framework which separates responsibility for authenticating a user from the responsibility of authorizing their access to a resource.”

Authentication ≠ Authorisation

Authentication: who someone is

Authorisation: what someone can do

Identity Provider

• home institution

• trusted

Responsibilities: Authentication, Attribute Exchange

Case studies

Case study: course-specific sensitive material → Attribute: enrolled courses!

Case study: fully-private, anonymous access → Attribute: nothing!

Identity Provider ↔ Service Provider: Attribute Exchange

Identity Provider:

• home institution

• trusted

Attribute exchange:

• Secure

• Pre-agreed information

Service Provider:

• No user database

• No synchronization issues
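The demonstration sequence (service → WAYF → home → credentials → attribute exchange → service), the two case studies, and the service provider having no user database of its own, worked through as an added Python model that is not part of the slides or of Shibboleth itself. It simplifies deliberately: a shared HMAC key stands in for the federation’s signed metadata and certificates, a signed JSON body stands in for a SAML assertion, and attributes travel inside that assertion rather than via a separate attribute query. Every entity identifier, user, password and attribute value is constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Callable, Dict, Optional

# Stands in for the federation's signed metadata and X.509 trust (constructed).
FEDERATION_KEY = b"constructed-federation-key"

COURSE_SP_ID = "https://vle.example.ac.uk/shibboleth"      # constructed
ANON_SP_ID = "https://journal.example.ac.uk/shibboleth"    # constructed

# The home institution's existing database: credentials plus attributes (constructed).
USER_DB = {
    "alice": {"password": "alice-pw", "attributes": {"enrolledCourses": ["MED2001"]}},
    "bob": {"password": "bob-pw", "attributes": {"enrolledCourses": ["LAW1001"]}},
}

# Pre-agreed attribute release, per service provider: the two case studies.
RELEASE_POLICY = {
    COURSE_SP_ID: {"enrolledCourses"},  # course-specific material needs enrolment
    ANON_SP_ID: set(),                  # fully private, anonymous access: nothing
}


class IdentityProvider:
    """Home institution: authenticates its own users, releases only agreed attributes."""

    def __init__(self, entity_id: str, user_db: dict, policy: dict, key: bytes):
        self.entity_id, self.user_db, self.policy, self.key = entity_id, user_db, policy, key

    def authenticate(self, uid: str, password: str) -> bool:
        rec = self.user_db.get(uid)
        return rec is not None and hmac.compare_digest(rec["password"].encode(), password.encode())

    def released_attributes(self, uid: str, sp_entity_id: str) -> Dict[str, object]:
        allowed = self.policy.get(sp_entity_id, set())
        return {k: v for k, v in self.user_db[uid]["attributes"].items() if k in allowed}

    def issue_assertion(self, uid: str, sp_entity_id: str) -> Dict[str, str]:
        payload = {
            "issuer": self.entity_id,
            "audience": sp_entity_id,
            "handle": secrets.token_hex(8),  # opaque per-session handle, never the username
            "attributes": self.released_attributes(uid, sp_entity_id),
        }
        body = json.dumps(payload, sort_keys=True)
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}


class ServiceProvider:
    """Resource owner: verifies the assertion, then applies its own access rule.

    It holds no user database, so there is nothing to synchronise with the home site.
    """

    def __init__(self, entity_id: str, key: bytes, rule: Callable[[dict], bool]):
        self.entity_id, self.key, self.rule = entity_id, key, rule

    def verify(self, assertion: Dict[str, str]) -> Optional[dict]:
        expected = hmac.new(self.key, assertion["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None  # tampered, or not issued by a federation member
        payload = json.loads(assertion["body"])
        if payload.get("audience") != self.entity_id:
            return None  # issued for a different service: do not accept it here
        return payload

    def authorise(self, assertion: Dict[str, str]) -> bool:
        payload = self.verify(assertion)
        return payload is not None and self.rule(payload["attributes"])


class Wayf:
    """'Where are you from': maps the user's manual choice to their home IdP."""

    def __init__(self, idps: Dict[str, IdentityProvider]):
        self.idps = idps

    def resolve(self, choice: str) -> Optional[IdentityProvider]:
        return self.idps.get(choice)


def access_flow(sp: ServiceProvider, wayf: Wayf, home: str, uid: str, password: str) -> str:
    """The slide sequence: service -> WAYF -> home -> credentials -> attributes -> service."""
    idp = wayf.resolve(home)
    if idp is None:
        return "unknown home institution"
    if not idp.authenticate(uid, password):
        return "authentication failed"  # who they are: decided at home
    assertion = idp.issue_assertion(uid, sp.entity_id)
    return "granted" if sp.authorise(assertion) else "denied"  # what they may do: the SP decides


IDP = IdentityProvider("https://idp.example.ac.uk/shibboleth", USER_DB, RELEASE_POLICY, FEDERATION_KEY)
WAYF_SERVICE = Wayf({"example": IDP})
COURSE_SP = ServiceProvider(COURSE_SP_ID, FEDERATION_KEY,
                            lambda a: "MED2001" in a.get("enrolledCourses", []))
ANON_SP = ServiceProvider(ANON_SP_ID, FEDERATION_KEY, lambda a: True)  # any federation member
```

`access_flow(COURSE_SP, WAYF_SERVICE, "example", "alice", "alice-pw")` returns "granted" while the same call for "bob" returns "denied": both authenticate at home, but only alice carries the enrolment the course site requires. For `ANON_SP` the policy releases no attributes at all, so the site learns nothing but that a federation member vouched for the session; a forged or re-targeted assertion fails `verify` before any rule is consulted.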

Terminology: Federations

(diagram: 24 pairwise relationships between identity and service providers without a federation, versus 8 relationships once each party joins the federation: simplified relationships)

Example Federations

• InQueue

• InCommon

• Athens

• SDSS


Who’s doing what


U.S.

• Internet2 consortium

• InCommon federation
– 16 universities
– 4 others


Around the world

• Switzerland – SWITCH

• Finland – HAKA

• Australia, Hungary, Croatia deploying

• Rest of Europe: contemplating


U.K.

• BECTA
– ICT/schools
– Shibboleth pilot

• JISC
– Core middleware
– Distributed e-learning
– Early adopters
– …

IAMSECT

• “Inter-institutional Authorisation Management to Support eLearning with reference to Clinical Teaching”

• JISC Core Middleware

Inter-institutional

• Collaboration
– Durham
– Newcastle
  • Web team
  • Faculty of Medical Sciences
– Northumbria

Authorisation, Clinical Teaching

• a proverbial goldmine of privacy and confidentiality issues

• Involvement of Newcastle FMSC

• Shared students

• In-house medical-oriented virtual learning environment (VLE)

What we’ve done (1)

• Technical-oriented guides
– Local SSO (pubcookie)
– Shibboleth Identity Provider

• Creative Commons


What we’ve done (2): techie

• Shibboleth origin installation

• Shibboleth target installation

• target/zope integration

• federation testing

What we’ve done (3): non-techie

• Glossary

• Questionnaire

• Dissemination


What we’re doing

• Further Zope-based VLE work

• Blackboard VLE

• Managerial documentation

• Further events


Future guides (1)

How to identify attributes, attribute stores

• Which attributes are useful

• Identifying stores

• Pros and cons of store types

Future guides (2)

A managerial guide to getting shib

• What skill set you need in your team

• Privacy & data protection issues

• Certificate provider issues

• Negotiating in a federation


What other people are doing

• SDSS – development federation

• AMIE – distributed attribute management

• PERSEUS – Shibboleth and portals

• GUANXI – Bodington VLE

• http://www.jisc.ac.uk/index.cfm?name=programme_middleware


Summary

• State of the art has drawbacks

• Shibboleth might address them

• Lots of work taking place


Questions
