Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity...

l – U

Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS’2006, Tartu, Estonia

2 years ago in Bled…

• ESUP-Portail: open-source Single Sign-On with CAS– Pascal Aubry, Vincent Mathieu & Julien Marchal– EUNIS’2004, Bled, Slovenia, July 2004

Limits (and perspectives)

• CAS deals with authentication, not authorization– Mixing CAS and Shibboleth?

• No redundancy– No native load-balancing (but low load)

– No fault-tolerance (but very good reliability)

• No Single Sign-Off

• A very poor documentation

Open-source Identity Federation with Shibboleth

Pascal AubryUniversity of Rennes 1 ESUP-Portail consortium

EUNIS’2006, Tartu, Estonia

Learn Shibboleth in 20 minutes

Shibboleth for the impatient

l – U

Need and context

• Need: give access to web resources to outside users

• Context– No interoperability– Single Sign-On in establishments– Need of collaboration

l – U

University A

Greetings to SWITCHaai

Once upon a time…

• Some resources not protected at all

• Access control based on IP addresses often used

• Issues with user management at resource-level

• So many login processes

• So many accounts and passwords

• Almost no resource shared by several establishments

Moodle

Research lab C

Moodle

Thesis

Library B

Search eng.

Publications

Access control ResourceIdentity management

Authentication

l – U

University A

Greetings SWITCHaai

With SSO, it was a little better

Moodle

Research lab C

Moodle

Thesis

Library B

Search eng.

Publications

Authentication

l – U

University A

Greetings SWITCHaai

With SSO, it was a little better

• Locally, yes…

• but still the same everywhere else!

Moodle

Research lab C

Moodle

Thesis

Library B

Search eng.

Publications

Authentication

l – U

University A

Greetings SWITCHaai

Hopefully, Identity Federation has come!

Moodle

Research lab C

Moodle

Thesis

Library B

Search eng.

Publications

Authentication

l – U

University A

Greetings SWITCHaai

Hopefully, Identity Federation has come!• No user

management at resource-level

• Users authenticates only once in their establishments

• Users gain access to new resources

• Resources have a much larger audience

Moodle

Research lab C

Moodle

Thesis

Library B

Search eng.

Publications

Authentication

l – U

Shibboleth, the SSO and the LDAP directory

• Shibboleth does not replace the SSO nor the LDAP directory

• Shibboleth needs both the SSO and the LDAP directory

l – U

Formats, protocols and tools

Shibboleth Liberty Alliance

Shibboleth SourceID Sun LASSO

WS-Federation

l – U

The choice of Shibboleth

• Advanced features– Attribute management– Anonymization– confidence (PKI) management

• Adapted to our environment– Several Identity Providers

• Interoperability– Integration with the Information System– Many applications already Shibbolized– Already adopted by others colleagues (USA, Swiss, UK, Finland…)– Non intrusive solution

• In any case, more and more interoperability with other tools in the future, thanks to SAML 2.0

l – U

AssertionConsumer

AttributeRequester

Access Controller

Ressource

Webbrowser

Authentication service

Authentication Authority

Attribute Authority

Userdatabase

SSOServer

userId

attributes

userId

attributes

ticket

attributes

Shibboleth, it’s easy ;-)

• Many actors

nameId

nameIdnameId

• Many interactions

l – U

Webbrowser

Service Provider(SP)

Without Single Sign On

l – U

Webbrowser

Identity Provider(IdP) Service Provider

Without Single Sign On(first request to a SP)

l – U

Webbrowser

userId

password

nameIdnameId

nameId

attributes

l – U

Webbrowser

userId

password

l – U

Webbrowser

Without Single Sign On(next requests to the same SP)

l – U

Service Provider(SP)

AssertionConsumer

AttributeRequester

Access Controller

Resource

Webbrowser

Identity Provider(IdP)

attributes

nameId

Service Provider architecture

userId

password

nameIdnameId

attributes

l – U

Fournisseurd’identités

Attribute Authority

Userdatabase

nameId

attributes

userId

AssertionConsumer

AttributeRequester

Access Controller

Resource

Webbrowser

attributes

nameId

nameIdnameId

Identity Provider architecture

userId

password

userId

attributes

l – U

Fournisseurd’identités

Attribute Authority

Userdatabase

nameId

attributes

userId

AssertionConsumer

AttributeRequester

Access Controller

Resource

Webbrowser

attributes

nameId

nameIdnameId

What is Shibboleth?

userId

password

userId

attributesShibbo

Shibbo

l – U

Webbrowser

Attribute Authority

AssertionConsumer

AttributeRequester

Access Controller

Resource

Userdatabase

SSOserver

With Single Sign On(first request to a SP)

l – U

Webbrowser

Attribute Authority

AssertionConsumer

AttributeRequester

Access Controller

Resource

Userdatabase

SSOserver

userId

attributes

userId

attributes

ticket

attributes

With Single Sign On(first request to a SP)

nameId

password

nameId

nameIdnameId

l – U

Webbrowser

Attribute Authority

AssertionConsumer

AttributeRequester

Access Controller

Resource

Userdatabase

SSOserver

With Single Sign On (the user’s point of view)

userId password

l – U

Webbrowser

Attribute Authority

AssertionConsumer

AttributeRequester

Access Controller

Resource

Userdatabase

SSOserver

With Single Sign On (next requests to the same SP)

l – U

Webbrowser

Attribute Authority

AssertionConsumer

AttributeRequester

Access Controller

Resource

Userdatabase

SSOserver

userId

ticket

With Single Sign On (next requests to another SP)

nameId

nameIdnameId

attributes

userId

attributes

nameId

l – U

Webbrowser

Attribute Authority

AssertionConsumer

AttributeRequester

Access Controller

Resource

Userdatabase

SSOserver

With Single Sign On (next requests to another SP)

userId

ticket

nameId

nameIdnameId

attributes

userId

attributes

nameId

l – U

Webbrowser

Attribute Authority

AssertionConsumer

AttributeRequester

Access Controller

Resource

Userdatabase

SSOserver

With SSO and WAYF (first request to a SP)

l – U

Webbrowser

Attribute Authority

AssertionConsumer

AttributeRequester

Access Controller

Resource

Userdatabase

SSOserver

l – U

Webbrowser

Attribute Authority

AssertionConsumer

AttributeRequester

Access Controller

Resource

Userdatabase

SSOserver

userId

attributes

userId

attributes

ticket

attributes

nameId

password

nameId

nameIdnameId

l – U

Resource

Webbrowser

Attribute Authority

AssertionConsumer

AttributeRequester

Access Controller

Userdatabase

SSOserver

With SSO and WAYF (the user’s point of view)

userId password

l – U

Webbrowser

Attribute Authority

AssertionConsumer

AttributeRequester

Access Controller

Resource

Userdatabase

SSOserver

With SSO and WAYF (next requests to the same SP)

l – U

Webbrowser

Attribute Authority

AssertionConsumer

AttributeRequester

Access Controller

Resource

Userdatabase

SSOserver

With SSO and WAYF (next requests to another SP)

l – U

Webbrowser

Attribute Authority

AssertionConsumer

AttributeRequester

Access Controller

Resource

Userdatabase

SSOserver

userId

ticket

nameId

nameIdnameId

attributes

userId

attributes

nameId

l – U

Webbrowser

Attribute Authority

AssertionConsumer

AttributeRequester

Access Controller

Resource

Userdatabase

SSOserver

l – U

Service Provider #1

Webbrowser

Identity Provider(IdP)

attributes for SP#1

nameId

Service Provider #2

(encrypted)attributes for SP#2

nameId

Multi-tiers installations

(encrypted)attributes for SP#2

l – U

Portal

Webbrowser

Content provider#1

An application : meta search engines

Content provider# 2

Content provider# n

l – U

Anonymous accessto a Service Provider

• The users’ profiles can be transmitted without any personal data

• An opaque but persistent identifier can be provided (targetedId)

• The users’ UID and global identifier are managed just like any other attribute

l – U

Online course reserved to students in mathematics

Autorisation based on the students’ profile

specialityspeciality

The need of a common naming space

University A

University C

University B

speciality spec topic

l – U

The need of a common semantics

University A

Online course reserved to students in mathematics

University C

University B

Autorisation based on the students’ profile

speciality = mathematics speciality = Mathematics speciality = MATH

References:

http://shibboleth.internet2.eduhttp://federation.cru.fr

EUNIS’2006, Tartu, Estonia

Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity...

Documents

Transcript of Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry Open-source Identity...

Compositionality in Dataflow Synchronous …Compositionality in Data ow Synchronous Languages: Speci cation & Code Generation Albert Benveniste, Paul Le Guernic, Pascal Aubry To cite

Copyright 2010 © Consortium ESUP-Portail TOC ESUP-Days 10, Paris, 2 juillet 2010 De LDAP à Kerberos à lUniversité de Rennes 1 Pascal Aubry François Dagorn.

ESUP Days - Apereo OAE

rené aubry

Esupdays 19 : Packaging Esup Cas

Gide on Music - Jean-Aubry

Engebretsen, L., Steffen, K., Alonso, J.M., Aubry, M ...

Introduction en psychopharmacologie Jean-Michel Aubry, Daniele Zullino

Single Sign-On open source avec CAS (Central Authentication Service) Vincent Mathieu Pascal Aubry Julien Marchal.

ESUP-Portail Helpdesk 1 ESUP HelpDesk @ RPI - “A common work of both our nations” Or A Queue with a View Gary Schwartz Rensselaer Polytechnic Institute.

Aubry: The Laman Encounter

Apereo & ESUP-Portail: Brothers in Arms

MICHEL AUBRY 30th São Paulo Bienal // The imminence of Poeticsgalerieevameyer.com/cspdocs/exhibition/files/aubry presskit.pdf · manufacturing of “launeddas”2. The length of

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004-2005 – ESUP-Portail.

Mountain Goat Software, LLC Présenté par Introduction à Scrum Traduction de Claude Aubry Traduction de Claude Aubry.

Http:// Copyright © 2006 ESUP-Portail consortium The ESUP-Portail project Pascal Aubry Consortium ESUP-Portail / University of Rennes.

All HR Get-Together An Update on ESUP for HR Professionals

Dossier de Noël, Séverine Aubry

"Esup CAS Packaging" : Deploy and customize easily a CAS4 server

Format PDF The tools used by esup-helpdesk developers: Eclipse, Omondo EclipseUML plugin, Apache OJB JDO Pascal Aubry & Alexandre Boisseau IFSIC – University.