CAMP Integration

Provisioning and Relaying:The Integration Story

http://arch.doit.wisc.edu/keith/camp/

provrel-050628-01.ppt

Keith Hazelton (hazelton@doit.wisc.edu)

Sr. IT Architect, University of Wisconsin-Madison

Internet2 MACE

CAMP Integration, Denver, June 28, 2005

2

CAMP Integration Shibboleth v 1.2.1a Integration Overview

• Shibboleth Introduction (The Relay tool from NMI / Internet2 / MACE)

• Identity Provider (Origin) Deployment, Integration– Authentication/Identifier Assertion Phase Components & Dependencies– Identity Attribute Assertion Phase

• Service Provider (Target) Deployment, Integration

• Two scenarios for each:– Shib “classic” e-Lib: accessing licensed resources– Shib federation across a state system: shared services

• The craft of federation

3

CAMP Integration Basic IAM functions mapped to theNMI / MACE components

System

s of R

ecord

Enterprise Directory

Grouper Signet

WebISO

Shibboleth

Apps / Resources

4

CAMP Integration Basic IAM functions mapped to theNMI / MACE components

System

s of R

ecord

Enterprise Directory

Grouper Signet

WebISO

Shibboleth

Apps / Resources

5

CAMP Integration Basic IAM functions mapped to theNMI / MACE components

System

s of R

ecord

Enterprise Directory

Grouper Signet

WebISO

Shibboleth

Apps / Resources

6

CAMP Integration

Alternatives to IP Address Based Access Restriction

1. User-based access restrictionA. Each service provider manages credentials for

all of its users

B. One big credential database of all users used by all service providers

C. Each user has a “home organization” whose credential database can, by magic, be used by each service provider

2. ???

7

CAMP Integration Federated Identities

• “Federated identities” is option C on previous slide– A hierarchical approach to decompose the problem into

manageable pieces– Analogous to the problem that IAM addresses, and rests

upon IAM infrastructure

• “Federating technology” is the “magic” part of option C• “Identity federation” (noun) is a set of service

providers, identity providers, and other context in which the magic happens

8

CAMP Integration Federating Technologies

• SAML implementations– Security Assertion Markup

Language– Shibboleth– Bodington/Guanxi– AthensIM– SourceID– SAMUEL– MS ADFS– Other proprietary

• Liberty Identity Federation implementations– SourceID– Lasso– Proprietary

• Others– MS Inter-Forest Trust

9

CAMP Integration

Shibboleth

Athenticate at home org

Authorize at resource without knowing user’s identity

10

CAMP Integration

Swiss Research/Education Network Demo

• http://www.switch.ch/aai/demo/

11

CAMP Integration Shibboleth Underpinnings

• Elements of shibboleth infrastructure must identify and authenticate each other– Home org or Identity Provider (IdP) pieces– Resource or Service Provider (SP) pieces

• Attribute assertions about authenticated principals are sent from IdPs to SPs

• For it all to work, IdPs and SPs must agree about which attributes and values are tossed around, and their semantics

12

CAMP Integration Federation Value Proposition

• Set of cooperating IdPs and SPs forms a community needing agreement on:– Trust Fabric

• X.509 certs• IdP and SP identifiers & other metadata

– Community standard for attribute semantics– Community standards for IdP and SP operational practices

• Strength of authentication• Confidentiality

• For N IdPs and M SPs, which is easier?– N*M agreements– N+M agreements

13

CAMP Integration Federations …

• Might support trust fabric maintenance– Operate a metadata distribution service

• Might be the locus for attribute standards• Might be the locus for “minimum but sufficient” IdP

and SP operational practice standards• Are not a party to the transactions between IdPs and

SPs• Are not involved with entitling access to resources

14

CAMP Integration The Research and EducationFederation Space

REFCluster

InQueue(a starting point)

InCommon

SWITCH

The ShibResearch Club

Other national nets

Other clusters

Other potential USR+E feds

State of Penn Fin Aid Assoc

NSDL

Slippery slope- Med Centers, etc

Indiana

15

CAMP Integration Shib Identity Provider / (Origin)

Ident.

Provider (wasabi)

ServiceProvider

(gari)Browser User

Apache (1.3 or 2.0) / Tomcat

Web server / Servlet container

“HS”

Attribute Authority

Inspired by SWITCH (Swiss REN) HTTP://www.switch.ch/aai/demo/

WAYF

16

CAMP Integration Identity Provider / (Origin): AuthN, Identifier

Identity

Provider (wasabi)

Apache (1.3 or 2.0) / Tomcat

Web server / Servlet container

“HS”

Attribute Authority

CampusWebISO

17

CAMP Integration WebISO requirements from Shib

• WebISO can authenticate a set of users based on locally issued/registered credentials

• Open source WebISO package, PubCookie,mentioned in “Origin” Deployment Guide.

• For details & download, seehttp://middleware.internet2.edu/webiso/

CampusWebISO

18

CAMP Integration WebISO alternatives

• But end-user PKI certs work fine, too (configurable filter)

• And there are ways to support multiple AuthN methods with failover • “UW-Madison 2” InQueue IdP runs this

configuration• End entity certificate with failover to LDAP basic

auth.• See wasabiHttpd.conf, lines 1017 et seq.

CampusWebISO

19

CAMP Integration Shib assumes Identity and Access Management (IAM) Services

Student System of Record

Meta-Directory

Processes

LDAP Directory

CampusWebISO

Registry

Human Resources System of Record

Other Systems of Record

Enterprise Directory

20

CAMP Integration

CampusWebISO

Identity Provider Middleware

wasabi

Apache (1.3 or 2.0) / Tomcat

Web server / Servlet container

“HS”

Attribute Authority

Enterprise

Directory

21

CAMP Integration

“HS”

Identity Provider / (Origin)

Ident.

Provider (wasabi)

ServiceProvider

(gari)Browser User

Apache (1.3 or 2.0) / Tomcat

Web server / Servlet container

Attribute Authority

22

CAMP Integration

“HS”

Identity Provider / (Origin)Attribute Assertion Phase

Ident.

Provider

ServiceProvider

Browser User

Apache (1.3 or 2.0) / Tomcat

Web server / Servlet container

Attribute Authority

23

CAMP Integration

CampusWebISO

Identity Provider Middleware

Apache (1.3 or 2.0) / Tomcat

Web server / Servlet container

“HS”

Attribute Authority

Enterprise

Directory

24

CAMP Integration Attribute Authority (AA) <–> Ent. Directory

• Shib AA Deployment Issues:

• Configure AA to connect to Ent. Directory– Data connectors can be JNDI-based, JDBC-based (xml-

configurable) or custom user plug-ins

• Map Directory attributes to SAML attributes

25

CAMP Integration Attribute Authority (AA) <–> Ent. Directory

• Fragment of ..conf/origin.xml

26

CAMP Integration Attribute Authority (AA) <–> Ent. Directory

• Resolver links named attributes to specific data connectors:

27

CAMP Integration Attribute Authority (AA) <–> Ent. Directory

• …and specifies connector

(here JNDI LDAP):

28

CAMP Integration Attribute Authority (AA) <–> Ent. Directory

• …and specifies connector

(here JDBC SQL):

29

CAMP Integration Attribute Authority (AA) <–> Ent. Directory

• Shib AA Deployment Issues, cont.:• Comply with Attribute Release Policy (ARP)

in determining which service providers get which attributes– Federation rules are given– Bilateral or Community of Interest rules need to

be worked out & agreed to

30

CAMP Integration Attribute Authority (AA) <–> Ent. Directory

• Ah, yes, data access policy

• This may drag stakeholders kicking & screaming into the room to confront policy

• How you manage this will be key to successful deployment

• The “DON’T PANIC” in big friendly letters on the InCommon Book may help

31

CAMP Integration Attribute Authority (AA) <–> Ent. Directory

• Shib can transport any attribute--it’s up to sender and receiver to agree on its semantics– “Simple matter of configuration”

• Some of the newer attributes– eduPersonTargetedID if you want a persistent identifier,

but one that is specific to a given Identity Provider-Service Provider pair

– Course-related attributes. URN-based identifier guideline near for course offering. eduCourse (currently in last call).

32

CAMP Integration Service Provider / (Target)

IdentityProvider(wasabi)

ServiceProvider (gari)

Browser User Apache (1.3 or 2.0) / Tomcat

Web server / Servlet container

or

IIS 5.x or 6

33

CAMP Integration Shib Features for Service Providers

• WAYF for federations, other options configurable

• Authentication method can be passed in attribute assertion for fine tuning risk management

• A site may have a public face with specific links that invoke Shib

34

CAMP Integration Services you might not have thought of Shibbing

• Roaming Access to WLAN• http://www.terena.nl/conferences/tnc2004/

programme/presentations/show.php?pres_id=165• Mikael Linden, CSC, the Finnish IT center for

Science• RADIUS-based access controller is a Shibboleth

service provider• Network access control decision based on user’s

“home” attributes

35

CAMP Integration Services you might not have thought of Shibbing

• Portal as Shib Service• Apache in front of Portal on Tomcat• Other approaches under consideration

36

CAMP Integration Coming Shib Features for Service Providers

• PKI-based direct-to-target scenario• Cert would contains

– (possibly opaque) subject id– Identifier for associated Identity Provider– Would eliminate the first several steps in the

classic Shib flow diagram– First Service Provider contact to Identity

Provider would be the request for attributes• Lots of points of agreement to be worked out

37

CAMP Integration Multi-campus system deployment model 1

CampusB ServiceProvider

Browser User Apache (1.3 or 2.0) / Tomcat

Web server / Servlet container

or

IIS 5.x or 6

CampusBIdProv

CampusAIdProv

CampusCIdProv

CampusDIdProv

CampusEIdProv

38

CAMP Integration Multi-campus system deployment model 1

• Identity Provider per campus (vs. System IdP model)

• Create a system federation (some policy & configuration work here)

• Any campus can put up Shibbed service• Or a system library can offer system-licensed

resources• Each campus retains control of Identity

Management--high autonomy model

39

CAMP Integration Multi-campus system deployment model 2

System-levelIdentity Provider

ServiceProvider

Browser User

ServiceProviderService

ProviderServiceProvider

CampusB Dir

CampusA Dir

CampusC Dir

40

CAMP Integration Multi-campus system deployment model 2

• System-level Identity Provider model• Significant campus-to-system metadirectory

infrastructure• Create a system federation (some policy &

configuration work here)• Any campus can put up Shibbed service• Or a system library can offer system-licensed

resources• More seamless “system citizen” experience

41

CAMP Integration Coming: Shib breaks free of the browser

• Number of open source projects are exploring this space

• A pure Java implementation of Service Provider components of Shibboleth (now in beta) will really open the door

42

CAMP Integration

Joining and leveraging federations

• InCommon: See participant agreements on the web site

• http://www.incommonfederation.org– Talks much more about IAM infrastructure than

Shibboleth per se

• Other documents

43

CAMP Integration

Federation givens

• Key attributes, their syntax and semantics• eduPersonAffiliation

– faculty, student, staff, employee, member, alum, affiliate

• eduPersonScopedAffiliation– member@ohio.edu

• eduPersonEntitlement

44

CAMP Integration

eduPersonEntitlement in InQueue“If a Federation member sends or receives an eduPersonEntitlement

Attribute Assertion containing the InQueue policy uri and containing the value

urn:mace:incommon:entitlement:common:1

The semantics should conform to this definition:

The person possesses an eduPersonAffiliation value of faculty, staff, or student, or qualifies as a "library walk-in".

45

CAMP Integration

eduPersonTargetedIDService providers or directory-enabled applications with the need to maintain a persistent but opaque identifier for a given user for purposes of personalization or record-keeping.

Identity or service providers or directory-enabled applications with the need to link an external account to an internal account maintained within their own system. This attribute is often used to represent a long-term account linking relationship between an identity provider and service provider(s). Note that such a service provider might itself also be an identity provider.

46

CAMP Integration

eduPersonTargetedIDIt MAY be a pseudorandom value generated and stored by the

identity provider, or MAY be derived from some function over the service provider's identity and other principal-specific input(s), such as a serial number or UUID assigned by the identity provider.

It MUST NOT exceed 256 characters in length.

47

CAMP Integration

Multiple Federation scenarios

• Simplest example: US IdP and UK IdP accessing an Open University course hosted in UK

• US Institution is an InCommon member• UK institution belongs to a UK federation• Open U. Service Provider has to belong to

both to serve members of both federations

48

CAMP Integration

Multiple Federation scenarios

• Likely scenario: US Universities with Medical Schools will have to support both – InCommon &– Some Health Science federation(s)

49

CAMP Integration How many federations? How many levels of federations?

• An umbrella level: e.g., InCommon• Hard, foundational topics handled here:

– Trust/risk framework– Attributes, syntax, semantics

• Under that umbrella, any number of Communities of Interest (or Virtual Organizations) who build on the foundation– Profiles, refinements, extensions

50

CAMP Integration

Q & A

• http://shibboleth.internet2.edu

• Which of these issues seem tough, confusing to you?