Date posted: 29-Jan-2018
Category: Technology
Uploaded by: john-lewis
Shibboleth Guided Tour
John A. Lewis, Chief Software Architect
Unicon, Inc.
20 November 2008
Audio Bridge: 1-866-625-9936, Pin 2861832
© Copyright Unicon, Inc., 2008. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Unicon Profile
● Software Consulting Services
● Founded in 1993
● Privately-Held Company
● Located in Chandler, Arizona
Our Vision: IT Services for Education, Specializing in Open Source
IT Services For Education
IT Services
● Software Engineering
● Systems Integration
● Technology Delivery and Support
Domain Expertise
● Higher Education
● Curriculum & Assessment
● Learning Management
● Enterprise Portals
● Online Campus Services
● Publishing
● Secure Authentication
Specializing in Open Source
● Technology Solutions
– Enterprise Portal
– Learning Management
– Secure Authentication
– eMail and Collaboration
● Open Standards
Higher Education Customers
A partial list...
Unicon Services for Shibboleth
● Implementation Planning
● Branding and User Experience
● Installation and Configuration
● Custom Development
● Shibbolize uPortal, Sakai, and other applications
Identity Management & SAML
What Makes Identity Important?
● Connects
– Users
– Applications
● Lots of other things
– security, privacy, spam,
– secrecy, trust, authority,
– collaboration, convenience,
– ...
Evolution of User Identity
● Application Silos
– Each with their own logins and passwords
● Common Directories / Databases
– Central store for person information
● Single Sign-On
– Central login system for multiple applications
● Federated Identity
– Trusted identity information from others
Why Federated Identity?
● Authoritative information
– Users, privileges, attributes
● Improved security
– Fewer user accounts in the world
● Privacy when needed
– Fine control over attribute sharing
● Saves time & money
– Less work administrating users
What Is Identity Management?
● More than account creation, directories, authentication, access controls, ...
● Includes policy, process, governance, trust
● Need new ways of thinking about controlling access to IT services
“A set of processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” – Burton Group
What Is SAML?
● Security Assertion Markup Language (SAML)
● XML-based Open Standard
● Exchange authentication and authorization data between security domains
– Identity Provider (a producer of assertions)
– Service Provider (a consumer of assertions)
● Approved by the OASIS Security Services Technical Committee
– SAML 1.0 November 2002
– SAML 2.0 March 2005
Major SAML Applications
● Proquest
● Project MUSE
● Thomson Gale
● Google Apps
● ExLibris MetaLib
● Sakai
● DSpace, Fedora
● Ovid
● Microsoft DreamSpark
● Moodle, Joomla, Drupal
● JSTOR, ArtSTOR, OCLC
● Blackboard & WebCT
● Webassign
● Media Wiki / Confluence
● National Institutes of Health
Commercial Support for SAML
● Sun
● IBM
● Oracle
● Ericsson
● SAP
● HP
● Google
● Ping Identity
● CA/Netegrity
● RSA
● Novell
● NTT
How Federated Identity Works
● A user tries to access a protected application
● The user tells the application where it’s from
● The user logs in at home
● Home tells the application about the user
● The user is rejected or accepted
Sequence diagram (recovered from the slide). Participants: User, Service Provider (SP), Identity Provider (IdP), the IdP's User Directory, and the Application / Database behind the SP.
1. User → SP: I'd like access
2. SP → User: What is your home?
3. SP → User: Please login at home
4. User → IdP: I'd like to login for SP
5. User ↔ IdP / User Directory: Login
6. IdP → User: Here is data about you for the SP – send it
7. User → SP: Here is the data from my IdP
8. SP → Application / Database: Access Granted / Access Denied
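The eight-step exchange above, as an added example that is not code from the Shibboleth project: a simplified SP-initiated SAML 2 browser SSO in Python, with both sides' messages and the checks the SP must make at step 7 before it trusts anything. The entity IDs, endpoint URL, user record, password and release policy are constructed for the example; the IdP's XML signature is modelled by an HMAC tag over a JSON message so that the code runs offline with the standard library only, and the real protocol's XML, bindings and encryption are left out.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Every identifier, key and user record below is constructed for this example.
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"
ASSERTION_LIFETIME = 300  # seconds an assertion stays valid after issue

# Stand-in for the IdP signing key from its metadata (real IdPs sign XML with an
# asymmetric key; a shared HMAC key keeps this example runnable offline).
IDP_SIGNING_KEY = secrets.token_bytes(32)

# Stand-in for the SP metadata loaded by the IdP: its trusted list of providers.
SP_METADATA = {SP_ENTITY_ID: {"AssertionConsumerService": ACS_URL}}

# Constructed user directory (LDAP stand-in) and the IdP's attribute release policy.
DIRECTORY = {
    "jdoe": {
        "password": "correct horse battery staple",
        "eduPersonPrincipalName": "jdoe@example.edu",
        "eduPersonAffiliation": ["member", "student"],
        "mail": "jane.doe@example.edu",
    }
}
RELEASE_POLICY = {SP_ENTITY_ID: {"eduPersonPrincipalName", "eduPersonAffiliation"}}


def sign(message, key):
    """Serialise deterministically and append an authentication tag."""
    body = base64.urlsafe_b64encode(json.dumps(message, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify(token, key):
    """Return the message if its tag verifies, otherwise None."""
    body, _, tag = token.rpartition(".")
    if not hmac.compare_digest(hmac.new(key, body.encode(), hashlib.sha256).hexdigest(), tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class ServiceProvider:
    def __init__(self):
        self.outstanding = {}  # AuthnRequest IDs still awaiting a response

    def authn_request(self, now):
        """Steps 1-3: the user asks for access and is sent home with an AuthnRequest."""
        req = {"ID": "_" + secrets.token_hex(16), "IssueInstant": now,
               "Issuer": SP_ENTITY_ID, "AssertionConsumerServiceURL": ACS_URL}
        self.outstanding[req["ID"]] = now
        return req

    def consume(self, token, now):
        """Steps 7-8: validate the response, then expose attributes the way the
        Shibboleth SP does, as headers / environment variables (';'-joined lists)."""
        resp = verify(token, IDP_SIGNING_KEY)
        if resp is None:
            raise PermissionError("response signature invalid")
        if resp["Issuer"] != IDP_ENTITY_ID:
            raise PermissionError("response not from a trusted IdP")
        if resp["Destination"] != ACS_URL:
            raise PermissionError("response addressed to a different endpoint")
        # Exactly one response per request: a replayed or unsolicited one has no match.
        if self.outstanding.pop(resp["InResponseTo"], None) is None:
            raise PermissionError("unsolicited or replayed response")
        assertion = resp["Assertion"]
        if assertion["Audience"] != SP_ENTITY_ID:
            raise PermissionError("assertion issued for another SP")
        if not assertion["NotBefore"] <= now < assertion["NotOnOrAfter"]:
            raise PermissionError("assertion outside its validity window")
        env = {"REMOTE_USER": assertion["Attributes"]["eduPersonPrincipalName"]}
        for name, values in assertion["Attributes"].items():
            env[name] = ";".join(values) if isinstance(values, list) else values
        return env


class IdentityProvider:
    def login(self, req, username, password, now):
        """Steps 4-6: check the SP against metadata, authenticate against the
        directory, release only policy-approved attributes, sign the response."""
        sp = SP_METADATA.get(req["Issuer"])
        if sp is None or sp["AssertionConsumerService"] != req["AssertionConsumerServiceURL"]:
            raise PermissionError("unknown SP, or ACS URL differs from metadata")
        record = DIRECTORY.get(username)
        if record is None or not hmac.compare_digest(record["password"], password):
            raise PermissionError("authentication failed")
        allowed = RELEASE_POLICY.get(req["Issuer"], set())
        released = {k: v for k, v in record.items() if k in allowed}
        assertion = {"ID": "_" + secrets.token_hex(16), "Issuer": IDP_ENTITY_ID,
                     "Audience": req["Issuer"], "NotBefore": now,
                     "NotOnOrAfter": now + ASSERTION_LIFETIME, "Attributes": released}
        response = {"ID": "_" + secrets.token_hex(16), "Issuer": IDP_ENTITY_ID,
                    "InResponseTo": req["ID"], "Destination": sp["AssertionConsumerService"],
                    "Assertion": assertion}
        return sign(response, IDP_SIGNING_KEY)
```

Two points the slide leaves implicit are visible here: the IdP takes the AssertionConsumerService URL from its own metadata rather than from the request, so a request that names some other URL is refused and an assertion cannot be steered to an attacker's endpoint; and because the SP pops the `InResponseTo` value, the same response cannot be presented twice and an unsolicited response is rejected outright (a deliberate choice for this example, not a statement about what Shibboleth permits).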
Shibboleth
Shibboleth
● Enterprise federated identity software
– Based on standards (principally SAML)
– Extensive architectural work to integrate with existing systems
– Designed for deployment by communities
● Most widely used in education, government
● Broadly adopted in Europe
● New 2.0 release implements SAML 2
– Backward compatible with 1.3
Shibboleth Project
● Free & Open Source
– Apache 2.0 license
● Enterprise and Federation oriented
● Started 2000 with first released code in 2003
● Excellent community support
– http://shibboleth.internet2.edu
Quick Demo
Demo Links:
● https://spaces.internet2.edu/
● https://www.internet2.edu/secure/env.php
● https://www.protectnetwork.org/
The Shibboleth IdP
● Written as a Java web application
– Runs in any Servlet 2.4 container
● Supports multiple protocols
● Does not contain attributes or logins
– Relies on external LDAP / Kerberos / SQL / etc.
● Extensive controls for the release of attributes
Diagram (recovered from the slide): the Web Browser talks to the Shibboleth SP in front of the Application and to the Shibboleth IdP running in Tomcat; the IdP delegates Authentication and attribute lookup to the Directory / Database.
The Shibboleth SP
● Written in C++ for Apache, IIS, or NSAPI
– Apache often used to front-end other app servers (Java containers, Zope, etc.)
● Extensive clustering support
● No API – attributes & data available through headers & environment variables
– Keeps identity management external to app
Diagram (recovered from the slide): the Web Browser connects to Apache or IIS, where the Shibboleth SP module, backed by the shibd daemon, protects the Application Server; the SP exchanges SAML messages with the Shibboleth IdP, which authenticates the user against the User Directory.
Discovery Service
● Gives users an interface to select an IdP
● Loads metadata files
– From multiple federations
– Or non-federations
● Positioned alongside SP, gives customized lists
● Positioned by federation, enables SSO across entire federation
Role of a Federation
● Agreed upon Attribute Definitions
– Group, Role, Unique Identifier, Courses, …
● Criteria for IdM & IdP practices
– user accounts, credentialing, personal information stewardship, interoperability standards, technologies, ...
● Digital Certificates
● Trusted “notary” for all members
● Not needed for Federated IdM, but does make things even easier
InCommon Federation
● U.S. Higher Education & Research (and its Partners)
● 1.7 Million Users
● Self-organizing & Heterogeneous
● Policy Entrance bar intentionally set low
● Doesn’t impose lots of rules and standards
● http://www.incommonfederation.org/
SAML Metadata
● Data that describes partners for federated identity
– Trust, protocols, etc.
● Primarily a trusted list of providers
– May be signed
– Many distribution methods
● EntityID is the name of a provider
SAML Attributes
● A lot like LDAP and database attributes
– Tweaked for an inter-realm world; scope
● Name/value pairs to represent pieces of information about an identity
● Where do attributes live? Who’s authoritative?
– Identity provider? Application?
– Third party?
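The two preceding slides, metadata as a trusted list of providers named by entityID and attributes "tweaked for an inter-realm world" with a scope, in one added example that is not Shibboleth's own code. It parses a constructed federation metadata file (entity IDs, endpoints, the `shibmd:Scope`, the `validUntil` date and the certificate text are all made up), refuses the file once `validUntil` has passed, resolves an IdP's SSO endpoint by entityID as an SP or discovery service would, and applies the scope check the Shibboleth SP performs on scoped attributes such as eduPersonPrincipalName: a value `user@scope` is accepted only if the asserting IdP's metadata lists that scope. The metadata signature ("May be signed") is not verified here because the standard library has no XML-Signature support; a real deployment must verify it before trusting anything in the file.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"

# Constructed federation metadata for one IdP and one SP: entity IDs, endpoints,
# scope, validUntil and the certificate text are all made up for this example.
FEDERATION_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    Name="urn:example:federation" validUntil="2009-01-15T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example.edu</shibmd:Scope></md:Extensions>
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def utc(text):
    """Parse the xsd:dateTime form SAML metadata uses, e.g. 2009-01-15T00:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_metadata(xml_text, now):
    """Build a trust list keyed by entityID; refuse metadata whose validUntil has passed."""
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until is not None and now >= utc(valid_until):
        raise ValueError("metadata expired at " + valid_until)
    trust = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        entry = {"sso": {}, "acs": {}, "signing_certs": [], "scopes": []}
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is not None:
            for e in idp.findall("md:SingleSignOnService", NS):
                entry["sso"][e.get("Binding")] = e.get("Location")
            for kd in idp.findall("md:KeyDescriptor", NS):
                if kd.get("use", "signing") == "signing":  # no 'use' means signing and encryption
                    entry["signing_certs"] += [c.text.strip()
                                               for c in kd.iter("{%s}X509Certificate" % NS["ds"])]
            entry["scopes"] = [s.text.strip() for s in idp.findall("md:Extensions/shibmd:Scope", NS)
                               if s.get("regexp", "false") != "true"]
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is not None:
            for e in sp.findall("md:AssertionConsumerService", NS):
                entry["acs"][e.get("Binding")] = e.get("Location")
        trust[ed.get("entityID")] = entry
    return trust


def sso_endpoint(trust, entity_id, binding):
    """Where the SP (or a discovery service) sends the user to log in at home."""
    entry = trust.get(entity_id)
    if entry is None or binding not in entry["sso"]:
        raise KeyError("metadata has no %s endpoint for %s" % (binding, entity_id))
    return entry["sso"][binding]


def scope_permitted(trust, issuer, scoped_value):
    """Scoped-attribute check: accept user@scope only when metadata lists that scope
    for the IdP that asserted it, so one IdP cannot claim another realm's users."""
    if "@" not in scoped_value:
        return False
    scope = scoped_value.rsplit("@", 1)[1].lower()
    return scope in [s.lower() for s in trust.get(issuer, {}).get("scopes", [])]
```

Regular-expression scopes (`regexp="true"`) are skipped rather than matched, so this code is conservative; a full implementation would compile them. The certificate extracted into `signing_certs` is what an SP would hand to its XML-Signature library to check the IdP's response.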
SAML Identifiers
● Primary keys for people
– email, login name most common; privacy, secrecy, and security should be considered
– The dangers and necessities of recycling
● Where does user data live? How is it connected? Is it in multiple places?
● Multiple identifiers per person and per identity possible
Logout Support
● It’s really hard to do for federated identity
– Especially large-scale
● Lots of applications loosely coupled
– Many with their own cookie-based sessions
● SAML 2.0 has protocol logout support
Resources
● Internet2 Shibboleth website
– http://shibboleth.internet2.edu/
● JISC Video on Federated Identity
– http://video.google.co.uk/videoplay?docid=6664146721575915928
● Internet2 Wiki
– https://spaces.internet2.edu/
● Shibboleth Documentation
● Shib Install Fest Materials
Questions & Answers
John A. Lewis, Chief Software Architect, Unicon, Inc.