
Access Management Technologies Update by Simon McLeish and John Paschoud

Description:
This session looked at more innovative uses of federated access, such as use with virtual learning environments and repositories and use of tools for managing rights and roles.
Transcript
Page 1: Access Management Technologies Update by Simon McLeish and John Paschoud

Joint Information Systems Committee 30-May-2007 | | Slide 1

Access Management Technologies Update 

Simon McLeish

London School of Economics

Joint Information Systems Committee Supporting education and research

Access Management Programme meeting, May 2007

[AMP meeting title slide]

Slide 2

[Overview]

1) Areas of (potential/actual) development around Shib/FAM

2) Outline of Shib v2 timetable and features

– … according to the latest information available to us

– (You may know different…???)

Slide 3

Shibboleth and Federated Access Management [1]

Increased Sophistication of Access Management

– Use of attributes to give fine grained access

• Signet http://middleware.internet2.edu/signet/

• Grouper and others

– Use of certificates to give fine grained access

• PERMIS http://sec.cs.kent.ac.uk/permis/

– [this is a fairly arbitrary distinction!]

Improved Shibboleth usage experience

– User-editable attribute release policies

• ShARPE http://federation.org.au/twiki/bin/view/Federation/ShARPE

• with two interfaces, WebShARPE and Autograph

• Also ARPViewer http://www.switch.ch/aai/support/tools/arpviewer.html

– Federation management tools

• Directory at http://www.rediris.es/wiki/tf-emc2/index.php/FederationTools

• SWITCHaai Resource Registry http://www.switch.ch/aai/support/tools/resourceregistry.html

– IdP and SP configuration and management tools (???)

Slide 4

Shibboleth and Federated Access Management [2]

Better Accounting

– Using IdP and SP logs together to discover usage statistics

– AAIEye http://www.csc.fi/english/institutions/haka/technology/aaieye

– Not just technical work: requires agreement between IdP and SP

Wider Integration

– Multi-federation work (also needs more than technical work here)

• Feide Cross Federation Demonstration (this is not just Shib, it's PAPI and SUN Access Manager too!) http://rnd.feide.no/category/saml-20/

– Adding Shibboleth support to wider range of tools

• See list of software currently known to support Shib at http://www.protectnetwork.org/shib-sp.html

• GridShib, the Athens gateway, and the ADFS extension fall into this category as well

...things we haven't thought of or don't know about yet

Slide 5

Shib 2.0 Overview (The more techie picture) [1]

Extending support for SAML 2.0, particularly Web Browser Single Sign-on, Single Logout and (some of) Authentication Request profiles

– for differences between SAML 1.1 (as used in Shib up to 1.3) and SAML 2.0 (as used for Shib metadata in 1.3 but not much elsewhere) see: https://spaces.internet2.edu/display/SHIB/SAMLDiffs

– The Web Browser SSO profile combines the SAML 1.1 Browser/Artifact and Browser/POST profiles used in Shib 1.2 and 1.3

– The Authentication Request Protocol provides support for SP-initiated web SSO exchanges. This protocol allows the SP to make requests to an IdP and potentially control various aspects of the user authentication at the IdP, the binding to be used to return the response message, the set of SAML attributes to be included in the resulting assertion, etc. As part of this request, the SP can also indicate the desire to dynamically establish a new federated identity for the user

– The Single Logout Protocol supports near-simultaneous logout of sessions at (SAML-compliant) web SSO participants. Non-SAML applications that maintain session information independently of Shib (which includes the majority of web applications which allow Shib login) will need modification to handle logout requests, but it's not entirely determined how this will work in Shib 2.0. It is expected that logout will add considerably to the overheads of an IdP installation, so this is an optionally supported feature to make lightweight installations possible where the feature is not needed.
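The SP-initiated Web Browser SSO exchange described above, as an added example that is not part of the original slides or of Shibboleth's own code: a Python sketch that builds a SAML 2.0 AuthnRequest, encodes it for the HTTP-Redirect binding, and then applies the protocol-level checks an SP must make on the Response before trusting the attributes it carries (Destination, InResponseTo, Status, the assertion's validity window and AudienceRestriction, and one-time use of the request ID). The entity IDs, URLs and the sample Response are constructed placeholders. XML signature verification and EncryptedAssertion decryption are deliberately left out; a real SP does those (with xmlsec) before any of these checks.

```python
"""SP-initiated SAML 2.0 Web Browser SSO, protocol level only.
Added example with placeholder identifiers; no signature/encryption handling."""
import base64
import zlib
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # eduPersonPrincipalName

# Assumed identifiers, not taken from the slides.
SP_ENTITY_ID = "https://sp.example.ac.uk/shibboleth"
IDP_ENTITY_ID = "https://idp.example.ac.uk/idp/shibboleth"
ACS_URL = "https://sp.example.ac.uk/Shibboleth.sso/SAML2/POST"
IDP_SSO_URL = "https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_authn_request(request_id, issue_instant):
    """The SP's request: which IdP endpoint it is for (Destination), where and
    how the Response must come back (AssertionConsumerServiceURL, ProtocolBinding)."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{issue_instant}" Destination="{IDP_SSO_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
    The result is URL-encoded into the SAMLRequest query parameter."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()


def decode_redirect(encoded):
    return zlib.decompress(base64.b64decode(encoded), -15).decode()


def make_response(in_response_to, not_before, not_on_or_after):
    """Constructed sample Response: a plaintext assertion that carries one
    attribute alongside the authentication (the attribute-push shape)."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
        f'IssueInstant="{not_before}" Destination="{ACS_URL}" InResponseTo="{in_response_to}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement><saml:Attribute Name="{EPPN}">'
        f'<saml:AttributeValue>alice@example.ac.uk</saml:AttributeValue>'
        f'</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>'
    )


def validate_response(response_xml, outstanding_ids, now):
    """Protocol checks made before trusting attributes. Returns (True, attrs)
    or (False, reason). Signature verification and EncryptedAssertion
    decryption belong before this point and are omitted here."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    if root.get("Destination") != ACS_URL:
        return False, "Destination is not our ACS endpoint"
    req_id = root.get("InResponseTo")
    if req_id not in outstanding_ids:
        return False, "InResponseTo unknown: unsolicited or replayed"
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        return False, "status is not Success"
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        return False, "no plaintext Assertion (EncryptedAssertion not handled here)"
    issuer = assertion.find(f"{{{SAML}}}Issuer")
    if issuer is None or issuer.text != IDP_ENTITY_ID:
        return False, "assertion Issuer is not the IdP we asked"
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        return False, "no Conditions"
    if cond.get("NotBefore") and now < parse_ts(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if cond.get("NotOnOrAfter") and now >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    if SP_ENTITY_ID not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        return False, "SP not in AudienceRestriction"
    outstanding_ids.discard(req_id)  # one-time use: a second copy is a replay
    attrs = {}
    for a in assertion.iter(f"{{{SAML}}}Attribute"):
        attrs[a.get("Name")] = [v.text for v in a.findall(f"{{{SAML}}}AttributeValue")]
    return True, attrs
```

The set of outstanding request IDs is the SP's defence against unsolicited and replayed Responses; it has to be shared across whatever processes serve the ACS endpoint, which is one of the reasons an SP keeps a session cache.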

Slide 6

Shib 2.0 Overview (The more techie picture) [2]

Will be interoperable with Shib 1.3 and will not be interoperable with Shib 1.1

– (we think) It will continue to interoperate with the gateway

Shib 1.2 interoperability will probably not be complete (1.2 IdP to 2.0 SP more so)

The Java SP will finally see the light of day

– >2 years later than originally planned

– Not identical in functionality to the C++ SP

The default mode of Attribute transfer will change to attribute push from the IdP to the SP

– Uses changes in SAML 2.0 which allow encryption of the assertions in a different way.

– This means that Shib will no longer have to communicate attributes separately from the authentication assertion, as is done in 1.3 by default.

– (Attribute push is supported, but not heavily used in 1.3.)

Increased modularisation of code

Slide 7

Shib 2.0 Changes (How existing installations might be affected)

IdP will now be able to handle authentication directly (to accommodate Authentication Request profile)

– Likely to need reconfiguration as part of an upgrade to 2.0; or from-scratch installation may be easier

Certificates will need to be embedded directly in metadata (at present they can be referred to by key name alone)

– Likely to affect about 2/3 of the entities listed in the UK federation

Enhancements to attribute resolution and release policy management

– ShARPE itself won't be included; but code extensions needed to make it work will

New logout features may need some coding behind the scenes in SP protected resources

Export of attribute information by SP to the protected applications will be modified

– Apache attribute export will be performed by default with subprocess environment variables rather than HTTP header variables (a client can send arbitrary request headers but cannot set the server's environment variables, so this removes the header-spoofing risk)

– Will almost certainly require recoding for protected applications

DiscoveryModule (WAYF replacement) has multi-federation support

Enhancements to extension mechanisms may make integration easier (and hopefully won't require recoding of existing extensions!)

– E.g. MS ADFS code more tightly integrated into Shib code
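For the certificate point on this slide, an added example that is not part of the original slides or of Shibboleth or the UK federation's own tooling: a Python audit that walks federation metadata and reports, per entity and role, whether each KeyDescriptor embeds a ds:X509Certificate or only names a key with ds:KeyName. The sample metadata is constructed, the "certificate" is a base64 placeholder rather than real DER, and the entity IDs are made up; running the same walk over a real aggregate is how an operator would find the entities that need updating before an explicit-key trust check is turned on.

```python
"""Find metadata KeyDescriptors that reference a key by ds:KeyName without
embedding the certificate. Added example; the sample federation metadata is
constructed and the certificate is a placeholder, not a real X.509."""
import base64
import binascii
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ROLES = ("IDPSSODescriptor", "AttributeAuthorityDescriptor", "SPSSODescriptor")
PLACEHOLDER_CERT = base64.b64encode(b"placeholder, not a real DER certificate").decode()

SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" Name="urn:example:fed">
  <md:EntityDescriptor entityID="https://idp.a.example.ac.uk/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo>
        <ds:KeyName>idp.a.example.ac.uk</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.b.example.ac.uk/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.c.example.ac.uk/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>sp.c</ds:KeyName><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor use="encryption"><ds:KeyInfo>
        <ds:KeyName>sp.c-enc</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def classify(key_descriptor):
    """'embedded' if a decodable X509Certificate is present, otherwise what is there."""
    cert = key_descriptor.find(f".//{{{DS}}}X509Certificate")
    if cert is not None:
        try:
            base64.b64decode("".join((cert.text or "").split()), validate=True)
            return "embedded"
        except (binascii.Error, ValueError):
            return "embedded-malformed"
    if key_descriptor.find(f".//{{{DS}}}KeyName") is not None:
        return "keyname-only"
    return "no-key-material"


def audit_key_descriptors(metadata_xml):
    """entityID -> list of (role, use, status). A KeyDescriptor with no 'use'
    attribute applies to both signing and encryption."""
    report = {}
    for ent in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        findings = []
        for role_tag in ROLES:
            for role in ent.findall(f"{{{MD}}}{role_tag}"):
                for kd in role.findall(f"{{{MD}}}KeyDescriptor"):
                    findings.append((role_tag, kd.get("use", "signing+encryption"), classify(kd)))
        report[ent.get("entityID")] = findings
    return report


def entities_needing_update(metadata_xml):
    """Entities with at least one KeyDescriptor that an explicit-key
    (embedded certificate) trust check could not use."""
    report = audit_key_descriptors(metadata_xml)
    return sorted(e for e, f in report.items() if any(s != "embedded" for _, _, s in f))
```

Note that sp.c is flagged even though its signing key is embedded: a single KeyName-only encryption KeyDescriptor is enough to break encrypted-assertion delivery to that SP, so the audit is per KeyDescriptor, not per entity.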
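For the attribute-export change on this slide, an added example that is not from the slides or from the Shibboleth SP: a Python simulation, from the protected application's side, of why header export is fragile and environment-variable export is not. The CGI/WSGI mapping turns a request header X-Y into HTTP_X_Y, collapsing "-" and "_", so a client-sent header with a different spelling can land in the same slot the application reads even though the SP strips the exact header name it manages; an environment variable set by the SP never passes through that mapping. The requests, attribute values and the simplified SP behaviour here are constructed; the attribute names eppn and unscoped-affiliation are the usual SP mapping names.

```python
"""Header export versus environment-variable export of SP attributes, seen
from the protected application. Added, constructed WSGI-style simulation."""

# Attributes the (simulated) SP is configured to export.
EXPORTED = ("eppn", "unscoped-affiliation")


def cgi_name(header):
    """CGI/WSGI rule: request header X-Y becomes HTTP_X_Y; '-' and '_' collapse."""
    return "HTTP_" + header.upper().replace("-", "_")


def build_environ(client_headers, released, mode):
    """The environ a web server hands to the application.
    client_headers: headers as sent by the browser.
    released: attribute values the IdP actually released.
    mode: 'header' (SP writes attributes as request headers, the 1.3 style)
          or 'env' (SP writes subprocess environment variables, the 2.0 default)."""
    headers = dict(client_headers)
    if mode == "header":
        # The SP strips exactly the header names it manages, then sets released ones.
        for name in EXPORTED:
            headers.pop(name, None)
        headers.update(released)
    environ = {cgi_name(h): v for h, v in headers.items()}
    if mode == "env":
        # Environment variables bypass the HTTP_* mapping; only the SP populates them.
        environ.update(released)
    return environ


def affiliation_from_headers(environ):
    """What an application written against header export does."""
    return environ.get(cgi_name("unscoped-affiliation"))


def affiliation_from_env(environ):
    """What the same application should do after the 2.0 change."""
    return environ.get("unscoped-affiliation")


def demo():
    """IdP released only eppn; the client adds its own affiliation header,
    spelt with an underscore so the SP's strip-by-name misses it."""
    client = {"Host": "sp.example.ac.uk", "unscoped_affiliation": "staff"}
    released = {"eppn": "alice@example.ac.uk"}
    via_header = affiliation_from_headers(build_environ(client, released, "header"))
    via_env = affiliation_from_env(build_environ(client, released, "env"))
    return via_header, via_env
```

The practical consequence for the recoding the slide mentions: applications must read the SP's variables by their plain names and must not fall back to HTTP_* headers when a variable is absent, or the spoofing path comes straight back.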

Slide 8

When?

Roadmap doesn't say

Some early versions of minor modules have already been released (e.g. WAYF replacement, the DiscoveryModule)

It won't be by the third quarter of 2006 (http://edina.ac.uk/news/newsline11-1/allstories.shtml)!

Guesstimate: by end of 2007

See https://spaces.internet2.edu/display/SHIB/ShibTwoRoadmap for an updated description.

Slide 9

The End

Joint Information Systems Committee Supporting education and research

Access Management Technologies Update

[JISC Conf title slide]

from / © www.thebricktestament.com

Slide 10

Links, Questions and Conclusions

JISC FAM Transition: www.jisc.ac.uk/federation.html

UK Federation: www.ukfederation.org.uk

Shibboleth: shibboleth.internet2.edu

Contact: [email protected] or [email protected]

