Federated Identity and Shibboleth Concepts

Post on 21-Jan-2016


Transcript of Federated Identity and Shibboleth Concepts

Federated Identity and Shibboleth Concepts
Rick Summerhill, Chief Technology Officer, Internet2

GEC3, October 29, 2008

Slides by Nate Klingenstein (ndk@internet2.edu) and John Krienke (a2jcwk@gmail.com), Internet2

The Challenging Way (slide diagram; only its labels survive). The same person holds a separate account, password and copy of personal data at Home and at each Service Provider, with the links between them labelled "????", "No coordination", "Proprietary code" and "Batch uploads":

• Home, Circle University: joe@circle.edu, Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #1
• Music Service: ID #4 j.o.123, Joe Oval, Psych Prof., DOB 4/4/1955, Password #4
• Grant Admin Service: ID #2 Joval, Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #2
• Grading Service: ID #3 Jo456, Dr. Joe Oval, Psych Prof., Password #3

The Federated Way (slide diagram; only its labels survive). Home, Circle University, keeps the single record (joe@circle.edu, Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #1); the boxes labelled Circle University at the services show what each receives, such as an Anonymous ID# with Dr. Joe Oval, Psych Prof., or joe@circle.edu with Dr. Joe Oval, Psych Prof., and one marked "!" beside the SSN.

1. Single sign on

2. Services no longer manage user accounts & personal data stores

3. Reduced help-desk load

4. Standards-based technology

5. Home org controls privacy


How Federated Identity Works

1. A user tries to access a protected application

2. The user tells the application where it’s from

3. The user logs in at home

4. Home tells the application about the user

5. The user is rejected or accepted

Slide diagram: the User's browser sits between the Identity Provider (backed by a Directory and a Database) and the Service Provider. The messages shown:

1. I’d like access

2. What is your home?

3. Please login at home.

4. I’d like to login for SP.

5. Login

6. Here is data about you for SP. Send it.

7. Here is my data.

8a. See the page!

8b. Access Denied
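The exchange above, as an added Python simulation that is not part of the original slides: the IdP authenticates the user against its directory, applies an attribute release policy per SP entityID (the home org controls privacy), and signs a SAML-like assertion; the SP's assertion consumer checks the issuer against its metadata, the signature, the audience and the scope of the affiliation attribute before granting access. HMAC with a shared secret stands in for the XML signature, and every entityID, attribute and user record is constructed for the example.

```python
import hmac, hashlib, json

# Constructed sample data: a Circle University IdP and a Grading Service SP.
IDP_ID = "https://idp.circle.edu/shibboleth"
SP_ID = "https://grading.example.com/shibboleth"
KEY = b"constructed-shared-secret"  # stands in for the IdP's signing key
DIRECTORY = {"joe": {"password": "Password#1", "attributes": {  # stands in for LDAP
    "displayName": "Dr. Joe Oval", "mail": "joe@circle.edu",
    "affiliation": "staff@circle.edu", "ssn": "456.78.910"}}}
# Attribute release policy: which attributes each SP entityID may receive.
RELEASE_POLICY = {SP_ID: {"displayName", "affiliation"}}
# SP-side metadata: how to trust each IdP (its key and the scope it may assert).
METADATA = {IDP_ID: {"key": KEY, "scope": "circle.edu"}}

def idp_login(user, password):  # step 5: the user logs in at home
    rec = DIRECTORY.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)

def idp_issue_assertion(user, sp_id):  # step 6: data about the user, for this SP only
    allowed = RELEASE_POLICY.get(sp_id, set())  # home org controls privacy
    attrs = {k: v for k, v in DIRECTORY[user]["attributes"].items() if k in allowed}
    body = json.dumps({"issuer": IDP_ID, "audience": sp_id, "subject": user,
                       "attributes": attrs}, sort_keys=True)
    sig = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}

def sp_consume(assertion, sp_id=SP_ID):  # ACS: steps 7 and 8a/8b
    body = json.loads(assertion["body"])
    idp = METADATA.get(body.get("issuer"))
    if idp is None:
        return False, "issuer not in metadata"
    expected = hmac.new(idp["key"], assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature invalid"
    if body.get("audience") != sp_id:
        return False, "assertion not addressed to this SP"
    affiliation = body["attributes"].get("affiliation", "")
    if affiliation.rpartition("@")[2] != idp["scope"]:
        return False, "affiliation outside the IdP's scope"
    return True, body["attributes"]  # 8a: see the page

def federated_login(user, password, sp_id=SP_ID):
    # Steps 1-4 (asking the user where home is) reduce to naming the IdP here.
    if not idp_login(user, password):
        return False, "login at home failed"  # 8b in practice: no assertion is issued
    return sp_consume(idp_issue_assertion(user, sp_id), sp_id)
```

Note that the SSN and mail attributes never leave the IdP for this SP, and an assertion issued for one SP is useless at another because the ACS checks the audience.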


Shibboleth IdP

• Written in Java, runs in any Servlet 2.4 container

• Supports multiple protocols

• Does not contain attributes or logins

• Relies on external LDAP/Kerberos/SQL/etc.

• Extensive controls for the release of attributes

Slide diagram of the IdP deployment (labels only): Tomcat hosting the Shibboleth IdP, with Authentication and a Directory / Database behind it; a Web Browser on the user side; the Shibboleth SP in front of the Application.


Shibboleth SP

• Written in C++ for Apache, IIS, or NSAPI

• Apache often used to front-end other web servers: Java containers, Zope, etc.

• Extensive clustering support

• No API: attributes & data available through headers & env. variables

• Keeps identity management external to app

Slide diagram of the SP deployment (labels only): Apache or IIS with the Shibboleth SP module and the shibd daemon; a Web Browser on the user side; the Shibboleth IdP in Tomcat, drawing Person Information from a Directory / Database.


Words

• SAML: Security Assertion Markup Language

• Attribute: A name/value pair that describes a user: uid/rrsum

• Scope: The domain within which an attribute is valid: staff@example.com

• Assertion: User authentication & attribute information wrapped as SAML for transport

• Name Identifier: Any attribute elevated to identifier (primary key) status


More words

• entityID: The name of a provider

• Identity Provider (IdP): Supplies assertions

• Attribute Authority (AA): Acquires user attributes and encodes them for transport

• Service Provider (SP): Receives assertions and protects resources

• Assertion Consumer Service (ACS): Receives assertion, processes it, passes user along


Last words

• Federation: A trust structure to help large communities of IdPs or SPs interoperate without an MxN handshake

• Not necessary for federated identity

• Metadata: A file that describes how to talk to and trust a provider

An Example:


Basic Architecture - IDC