Shibboleth Update

a.k.a. “shibble-ware”

Michael R Gettes, Duke University

On behalf of the project team

November 2004


What is Shibboleth? (Biblical)

• A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce “sh”, called the word sibboleth. See --Judges xii.

• Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.

Webster's Revised Unabridged Dictionary (1913)


What is Shibboleth? (modern era)

• An initiative to develop an architecture and policy framework supporting the sharing – between domains – of secured web resources and services

• A project delivering an open source implementation of the architecture and framework

• Deliverables:
 – Software for Identity Providers (origins/campuses)
 – Software for Service Providers (targets/vendors)
 – Operational Federations (scalable trust)


So… What is Shibboleth?

• A Web Single-Signon System (SSO)?

• An Access Control Mechanism for Attributes?

• A Standard Interface and Vocabulary for Attributes?

• A Standard for Adding Authn and Authz to Applications?


Attribute-based Authorization

• Identity-based approach
 – The identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access.
 – This approach requires the user to trust the target to protect privacy.

• Attribute-based approach
 – Attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision.
 – This approach does not degrade privacy.


How Does it Work?

Hmmmm…. It’s magic. :-)


Shibboleth AA Process

[Diagram: the Shibboleth attribute authority (AA) process. Service Provider side: Web Site, ACS, AR, Resource Manager; the WAYF in between; Identity Provider side: HS, User DB, AA. The numbered arrows and their callouts, in order:]

1. The user’s browser requests a resource at the Service Provider’s web site.
2. ACS: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
3. WAYF: “Please tell me where are you from?”
4. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
5. HS: “I don’t know you. Please authenticate using WEBLOGIN.”
6. The user presents credentials, which are checked against the User DB.
7. HS: “OK, I know you now. I redirect your request to the target, together with a handle.”
8. The ACS passes the handle to the AR.
9. AR: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.” The handle is sent to the AA.
10. AA: “Let’s pass over the attributes the user has allowed me to release.” The attributes go to the Resource Manager.

Resource Manager: “OK, based on the attributes, I grant access to the resource.”


From Shibboleth Arch doc

[Diagram: Identity Provider (University: Authentication System, HTTP Server, Enterprise Directory, Handle Service, Attribute Authority) and Service Provider (Resource Provider http://www.CoolResource.com, with SHIRE and WAYF). Arrows labelled 1, 2, 2a, 3, 3a, 3b, 3c and 4 trace the request from the browser through the WAYF to the Handle Service and back to the SHIRE.]


From Shibboleth Arch doc

[Diagram: the same Identity Provider (Authentication System, HTTP Server, Enterprise Directory, Handle Service, Attribute Authority) and Service Provider (Resource Provider http://www.CoolResource.com, with SHIRE, WAYF, SHAR and Resource Manager), with arrows 1 through 4 as on the previous slide. Arrows 5 and 6 add the second half of the flow: the SHAR presents the Handle to the Attribute Authority, and Attributes are returned to the Resource Manager.]


WAYF a second!

• WAYF
 – Provides NO, ZERO, NADA, ZIP security
 – It does NOT represent the federation
 – Federation != WAYF
 – WAYF != Federation
 – Consideration for WAYF security is a future item

• WAYF is just a simple navigation tool


Demo!

• http://shibboleth.blackboard.com/


Shibboleth Architecture

[Diagram (© SWITCH): the same ten-step flow as the AA Process slide. Service Provider side: Web Site, ACS, AR, Resource Manager; the WAYF in between; Identity Provider side: HS, User DB with Credentials, AA. The Handle travels from the HS to the ACS, to the AR and on to the AA; Attributes return to the Resource Manager.]


Shibboleth Architecture -- Managing Trust

[Diagram: Browser, Service Provider (Web Server with Shib engine) and Attribute Server, with the TRUST relationship drawn between them.]


Typical Attributes in the Higher Ed Community

Affiliation: “active member of community”, e.g. [email protected]

EPPN: identity, e.g. [email protected]

Entitlement: an agreed upon opaque URI, e.g. urn:mace:vendor:contract1234

OrgUnit: department, e.g. Economics Department

EnrolledCourse: opaque course identifier, e.g. urn:mace:osu.edu:Physics201


Target – Managing Attribute Acceptance

• Rules that define who can assert what…
 – MIT can assert [email protected]
 – Chicago can assert [email protected]
 – Brown CANNOT assert [email protected]

• Important for entitlement values
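The handle and attribute flow of the AA Process slide and the acceptance rules on this slide, as an added Python model (constructed for this page, not Shibboleth project code). It assumes in-memory dicts for the federation metadata, the Identity Provider's attribute release policy (ARP) and the Service Provider's attribute acceptance policy (AAP), reduces SAML signature checking to an issuer lookup, and uses constructed users, passwords and scopes; the point it shows is that an IdP outside a scope cannot get a value in that scope past the target, whatever it asserts.

```python
# Constructed model of the Shibboleth flow (not project code). Assumed: the federation
# metadata, the IdP attribute release policy (ARP) and the SP attribute acceptance
# policy (AAP) are dicts; SAML signature checking is reduced to an issuer lookup.
import secrets

FEDERATION_IDPS = {"mit.edu", "uchicago.edu", "brown.edu"}   # assumed trust fabric

IDPS = {  # Identity Provider side: user DB plus ARP (attributes releasable per SP)
    "mit.edu": {"users": {"alice": ("pw1", {"affiliation": "member@mit.edu"})},
                "arp": {"cool-resource": {"affiliation"}}},
    "brown.edu": {"users": {"bob": ("pw2", {"affiliation": "member@mit.edu"})},
                  "arp": {"cool-resource": {"affiliation"}}},
}
HANDLES = {}   # Handle Service state: opaque handle -> (idp, username)

def handle_service(idp, username, password):
    """HS: authenticate locally, then hand back an opaque handle, not an identity."""
    stored_password, _ = IDPS[idp]["users"][username]
    if stored_password != password:
        raise PermissionError("authentication failed")
    handle = secrets.token_hex(8)
    HANDLES[handle] = (idp, username)
    return {"issuer": idp, "handle": handle}

def attribute_authority(handle, sp):
    """AA: resolve the handle once; release only what the ARP allows for this SP."""
    idp, username = HANDLES.pop(handle)
    attrs = IDPS[idp]["users"][username][1]
    return {k: v for k, v in attrs.items() if k in IDPS[idp]["arp"].get(sp, ())}

AAP = {"affiliation": {"mit.edu": {"mit.edu"}, "brown.edu": {"brown.edu"}}}  # SP side

def assertion_consumer(assertion):
    """ACS: accept the handle only from an IdP listed in the federation metadata."""
    if assertion["issuer"] not in FEDERATION_IDPS:
        raise PermissionError("issuer not in federation")
    return assertion["issuer"], assertion["handle"]

def accept_attributes(issuer, attrs):
    """Attribute acceptance: drop scoped values this issuer may not assert."""
    def allowed(name, value):
        scope = value.rsplit("@", 1)[1] if "@" in value else None
        return scope is None or scope in AAP.get(name, {}).get(issuer, ())
    return {k: v for k, v in attrs.items() if allowed(k, v)}

def access_granted(idp, username, password, sp="cool-resource"):
    """Resource Manager: decide on the accepted attributes alone, never on identity."""
    issuer, handle = assertion_consumer(handle_service(idp, username, password))
    attrs = accept_attributes(issuer, attribute_authority(handle, sp))
    return attrs.get("affiliation") == "member@mit.edu"
```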


What are federations?

• Associations of enterprises that come together to exchange information about their users and resources in order to enable collaborations and transactions

• Built on the premise of
 – Initially, “Authenticate locally, act globally”
 – Now, “Enroll and authenticate and attribute locally, act federally.”

• Federation provides only modest operational support and consistency in how members communicate with each other

• Enterprises (and users) retain control over what attributes are released to a resource; the resources retain control (though they may delegate) over the authorization decision.

• Over time, this will all change…


InCommon federation

• First US Higher Ed Federation

• Precursor federation, InQueue, is a proving ground or testbed that will feed into InCommon after organizations are deemed interoperable.

• http://www.incommonfederation.org


Service Providers

http://shibboleth.internet2.edu/

And see the link on the left labeled “Shib-enabled Service Providers”


So… What is Shibboleth?

• A Web Single-Signon System (SSO)?

• An Access Control Mechanism for Attributes?

• A Standard Interface and Vocabulary for Attributes?

• A Standard for Adding Authn and Authz to Applications?


Sample InterFederation


Got SHIB?


Inter-Enterprise Authentication

• Is Shibboleth authentication?
 – If so, to what degree?

• How does Shibboleth compare to PKI?
 – PKI basics, no crypto -- just process

• Greater understanding of what Shibboleth really brings to the landscape
 – Knowing what we are doing and why


PKI Authentication Basics

[Diagram: the user holds a Private Key and a User Certificate and authenticates to a Server; a CA is shown as the issuer of the certificate.]


Validation

• Server (application) performs validation steps of credential presented

• Verifies CA signing cert is valid
 – Certificate Path Validation processing

• Verifies the cert presented is valid
 – Certificate Revocation Tests
  • OCSP, CRLs

• Applying the Private Key authenticates the end entity directly


Inter-Realm (server chooses trust)

[Diagram: as on the PKI basics slide (Private Key, User Certificate, Server), but with two CAs; the Server chooses which CA to trust.]


Shibboleth Architecture

[Diagram (© SWITCH): the ten-step architecture diagram again (Web Site, ACS, AR, Resource Manager; WAYF; HS, User DB with Credentials, AA; Handle from HS to ACS to AR to AA; Attributes back to the Resource Manager), with two regions marked: Authentication on the Identity Provider side and Attribute Release for the handle-to-attributes exchange.]


What shib does…

• SAML assertion from HS to ACS
 – The Identity Provider is testifying about the Handle being passed

• The ACS performs validation of Id Provider
 – Like PKI Path Validation (albeit simple)

• The Service Provider trusts that the End Entity has been authenticated per the rules of the trust fabric


What shib does… (2)

• Are Attributes the result of authentication?

• Where does Level of Assurance fit in?
 – Is LoA an attribute or part of authN?
 – Are shib LoA and PKI LoA different?


• Q & A -- How can we help you?