Internet2 CAMP Shibboleth Scott Cantor cantor.2@osu.edu (Hey, that’s my EPPN too.) Tom Dopirak...

Post on 02-Jan-2016


Internet2 CAMP Shibboleth

Scott Cantor, cantor.2@osu.edu (Hey, that’s my EPPN too.)

Tom Dopirak, tgd@cmu.edu


2

Outline

Overview and Status

Life as an Origin Site

Life as a Destination Site

Pilots and Next Steps

3

What is Shibboleth?

An initiative to develop an architecture, policy framework, and practical technologies to support inter-organizational sharing of secured web resources and services

An Internet2/MACE project with intellectual and financial support from IBM/Tivoli

4

Division of Labor

Destination and origin site collaborate to provide a privacy-preserving “context” for Shibboleth users

Origin site authenticates user (federated identity)

Destination site requests attributes about user directly from origin site and manages access policies based on them

Users (and organizations) can control what attributes are released

5

Establishing a User Context

6

Getting Attributes and Determining Access

7

Planned Deliverables

•An open-source reference implementation of much (but not all) of SAML and all Shibboleth components

•Documentation (reference materials, deployment assistance)

•Policies and procedures for joining an initial community of sites (Club Shib)

8

Licensing

The Shibboleth implementation will be open-source under one of the prevailing license models (which one is TBD).

Every effort to require only open-source (and non-copylefted) libraries and supporting products is being made (so far, so good).

By aligning with SAML, commercial solutions may develop.

9

Status Report

•Architecture and policy discussions wrapping up, documents being drafted

•Programming is underway, divided among IBM/Tivoli, Carnegie Mellon, and Ohio State

•Early implementations of a Handle Service and SHIRE are functioning

10

Schedule

•SAML headed to last call imminently, allowing “1.0” publication of architecture and APIs

•Some alpha code due in late February

•Beta implementation due in late Spring

11

Early Implementation Details

•Operating Systems: Red Hat Linux, Solaris

•Java SDK 1.3.1

•XML libraries from xml.apache.org

•Apache 1.3.x

•mod_ssl and OpenSSL

•Tomcat

•Web ISO (e.g. pubcookie)

•Directory Services: OpenLDAP, iPlanet

•MySQL

•Perl

12

Interesting URLs

Shibboleth

http://middleware.internet2.edu/shibboleth/

SAML

http://www.oasis-open.org/committees/security/

API Docs (for those with copious free time)

http://usfs2.us.ohio-state.edu/webdev/shibboleth/

13

Outline

Overview and Status

Life as an Origin Site

Life as a Destination Site

Pilots and Next Steps

14

Shibbolization Cookbook for Origin Sites

•Apply to the club as an origin site

•Choose any web server that can host Java Servlet and JSP applications

•Deploy a HS behind web initial sign-on

•Deploy an AA in conjunction with the HS

•Install AA plugins for attributes (Java API)

•Establish default ARPs for community

15

It’s About the Data: Attributes

To share resources securely, authorization attributes are needed.

Cooperating sites share a common core of attributes, and may define custom attributes for special needs (such as a contract).

eduPerson is the starting point.

16

Some “Club Shib” Attributes

eduPersonPrincipalName (identity-based access)

eduPersonAffiliation (broad demographic access)

eduPersonEnrolledCourse (class membership access)

eduPersonEntitlement (access per agreement)

eduPersonExtension (used for groups)

ou (organizational unit) (member of department)

Demographic information?

17

Attribute Sources

Shibboleth defines logical attributes that may (but need not) map directly to their directory or database representation.

Initial attributes are designed to easily map to the eduPerson LDAP schema.

Attribute Authority obtains attributes from plugins (LDAP, JDBC, ????).

18

Privacy and ARPs

The P3P makes privacy the voluntary responsibility of the site collecting the information (you may have no privacy, but now it’s explicit).

Shibboleth allows the origin site and the user to share an explicit role in the responsibility with Attribute Release Policies.

19

Attribute Release Policies

Default policies let users and admins pick a starting point in the privacy spectrum with minimal effort (e.g. member of community only).

Admins work with vendors and partners to define special release policies or attributes needed for a specific destination site.

Local privacy concerns can be addressed.

20

Managing ARPs

21

Shibboleth and Web-ISO

User authentication is up to the origin site.

The Shibboleth Handle Service is like a web application that needs to authenticate its users (though of more importance).

Use pubcookie, client certificates, or <insert ISO system here> to populate REMOTE_USER and let Shibboleth take over.
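The origin-site slides above (Division of Labor, the origin cookbook, ARPs, and Web-ISO) describe one exchange: Web-ISO authenticates the user and fills REMOTE_USER, the Handle Service hands the destination an opaque handle instead of an identity, and the Attribute Authority answers the destination's query only with what the Attribute Release Policies allow. The following is an added walk-through of that exchange, not code from the Shibboleth project; the directory record, the three-layer ARP layout (site default, per-destination policy, user veto) and the destination names are assumptions made for the illustration.

```python
"""Constructed walk-through of the origin-site flow in the preceding slides:
Web-ISO authenticates the user and populates REMOTE_USER, the Handle Service
(HS) gives the destination an opaque handle rather than the identity, and the
Attribute Authority (AA) answers the destination's query only with what the
Attribute Release Policies (ARPs) allow.  This is added example code, not the
Shibboleth implementation; the directory contents, the three-layer ARP layout
(site default, per-destination, user veto) and the destination names are
assumptions made for the illustration."""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Attribute:
    name: str        # logical attribute name, e.g. "eduPersonAffiliation"
    value: str       # e.g. "staff"
    scope: str = ""  # domain the value is asserted for, e.g. "osu.edu"


# Constructed user record, standing in for what an LDAP (eduPerson) plugin
# would hand the AA.
DIRECTORY = {
    "cantor.2": [
        Attribute("eduPersonPrincipalName", "cantor.2", "osu.edu"),
        Attribute("eduPersonAffiliation", "staff", "osu.edu"),
        Attribute("eduPersonEntitlement", "http://jstor.org/shib/contracts/osu.edu/1234"),
        Attribute("ou", "Computer Science"),
    ],
}

# Assumed ARP layout.  The site default releases only the broad affiliation to
# any club member ("member of community only"); per-destination policies add
# what an admin agreed with that partner; a user may veto attributes about
# themselves.  The deck names these roles but not this layout.
SITE_DEFAULT_ARP = {"eduPersonAffiliation"}
SITE_ARPS = {
    "jstor.org": {"eduPersonEntitlement"},
    "webassign.net": {"eduPersonPrincipalName", "ou"},
}
USER_ARPS = {"cantor.2": {"ou"}}  # attributes this user refuses to release


class HandleService:
    """Sits behind Web-ISO and trusts REMOTE_USER; hands out opaque handles."""

    def __init__(self) -> None:
        self._handles: dict[str, str] = {}

    def issue_handle(self, remote_user: str) -> str:
        if not remote_user:
            raise PermissionError("Web-ISO did not populate REMOTE_USER")
        handle = secrets.token_urlsafe(16)  # random, reveals nothing about the user
        self._handles[handle] = remote_user
        return handle

    def resolve(self, handle: str) -> str:
        return self._handles[handle]  # KeyError for handles the HS never issued


class AttributeAuthority:
    """Resolves a handle and filters the user's attributes through the ARPs."""

    def __init__(self, hs: HandleService) -> None:
        self.hs = hs

    def query(self, handle: str, requester: str) -> list[Attribute]:
        user = self.hs.resolve(handle)
        allowed = SITE_DEFAULT_ARP | SITE_ARPS.get(requester, set())
        allowed -= USER_ARPS.get(user, set())
        return [a for a in DIRECTORY[user] if a.name in allowed]


def released_names(remote_user: str, destination: str) -> list[str]:
    """Run one exchange and report which attribute names the destination got."""
    hs = HandleService()
    aa = AttributeAuthority(hs)
    handle = hs.issue_handle(remote_user)  # what the destination's SHIRE receives
    return sorted(a.name for a in aa.query(handle, destination))  # what its SHAR learns


if __name__ == "__main__":
    for dest in ("jstor.org", "webassign.net", "unknown.example"):
        print(dest, released_names("cantor.2", dest))
```

The point to notice is where the identity stops: the destination only ever holds the random handle, and whether it learns even the EPPN depends on the ARP for that specific destination, so an unknown requester gets nothing beyond the community-wide default.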

22

Outline

Overview and Status

Life as an Origin Site

Life as a Destination Site

Pilots and Next Steps

23

Shibbolization Cookbook for Destination Sites

•Apply to the club as a destination site

•Choose any web server (as long as it’s Apache 1.3.x, but others to follow)

•Equip it with the SHIRE and SHAR modules (note the SHIRE includes a Java servlet for the time being)

•Install SHAR plugins for attributes (C++ API)

24

Access Control and Attribute Consumption

•A Resource Manager leveraging .htaccess will be provided to evaluate and test simple policy rules before fulfilling requests.

•Shibboleth defines a standard interface between web applications and attribute data (a CGI header mechanism).

•Attributes provide their own serialization and matching rules (via plugins).

25

Sample Attribute Expressions (still a work in progress)

To test an attribute, we must know its unique name (URN?), its value, and possibly its scope/domain.

Name                             Value
urn:mace:eduPerson:EPPN          cantor.2@osu.edu
urn:mace:eduPerson:Affiliation   staff@osu.edu
urn:mace:eduPerson:Entitlement   http://jstor.org/shib/contracts/osu.edu/1234
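The access-control slide says the Resource Manager evaluates .htaccess-style rules before fulfilling a request, hands attributes to applications through a CGI header mechanism, and lets each attribute type supply its own matching rule; the expressions above give the name/value/scope shape those rules act on. The following is an added example of a destination site doing those three things, not project code: the header names, the require-line syntax, the choice of which types are scoped, and the check that an origin may only assert scopes it is authorized for are all assumptions.

```python
"""Constructed destination-side example: parse the slide's attribute
expressions, apply per-type matching rules, serialize released attributes into
CGI-style headers, and evaluate require-style rules before a request is
served.  Added example, not Shibboleth code; header names, rule syntax, the
SCOPED set and the authorized-scope check are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Attribute types whose values carry a scope/domain (value@scope).  Assumed;
# chosen because the slide writes these two that way.
SCOPED = {"urn:mace:eduPerson:EPPN", "urn:mace:eduPerson:Affiliation"}

# One expression per line: "<URN> <value>", as on the slide.
EXPR = re.compile(r"^(urn:\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Attr:
    name: str
    value: str
    scope: str = ""


def parse_expression(text: str) -> Attr:
    """Parse '<URN> <value>'; for scoped types split value@scope."""
    m = EXPR.match(text.strip())
    if not m:
        raise ValueError(f"not an attribute expression: {text!r}")
    name, raw = m.groups()
    if name in SCOPED and "@" in raw:
        value, scope = raw.rsplit("@", 1)
        return Attr(name, value, scope)
    return Attr(name, raw)


def matches(asserted: Attr, required: Attr, origin_scopes: set[str]) -> bool:
    """Per-type matching rule (the slide says each attribute plugin supplies one).
    Scoped: value and scope must agree, and the scope must be one the asserting
    origin is authorized for (added check, assumed).  Unscoped: exact value."""
    if asserted.name != required.name:
        return False
    if asserted.name in SCOPED:
        return (asserted.scope in origin_scopes
                and asserted.value == required.value
                and asserted.scope == required.scope)
    return asserted.value == required.value


def to_cgi_headers(attrs: list[Attr]) -> dict[str, str]:
    """Assumed serialization for the CGI header mechanism: HTTP_SHIB_<TYPE>,
    multi-valued attributes joined with ';'."""
    out: dict[str, str] = {}
    for a in attrs:
        key = "HTTP_SHIB_" + a.name.rsplit(":", 1)[1].upper()
        val = f"{a.value}@{a.scope}" if a.scope else a.value
        out[key] = val if key not in out else out[key] + ";" + val
    return out


def authorized(asserted: list[Attr], rules: list[str], origin_scopes: set[str]) -> bool:
    """Evaluate require-style lines before serving; as with multiple Apache
    require directives, any one satisfied line grants access."""
    for line in rules:
        if not line.startswith("require "):
            continue  # comments or directives this example does not handle
        required = parse_expression(line[len("require "):])
        if any(matches(a, required, origin_scopes) for a in asserted):
            return True
    return False


if __name__ == "__main__":
    got = [parse_expression(s) for s in (
        "urn:mace:eduPerson:EPPN cantor.2@osu.edu",
        "urn:mace:eduPerson:Affiliation staff@osu.edu",
        "urn:mace:eduPerson:Entitlement http://jstor.org/shib/contracts/osu.edu/1234",
    )]
    print(to_cgi_headers(got))
    print(authorized(got, ["require urn:mace:eduPerson:Affiliation staff@osu.edu"], {"osu.edu"}))
```

The scope check is the part worth keeping in mind: a staff@osu.edu assertion should only count when it arrives from an origin the destination recognizes as speaking for osu.edu, otherwise the value alone is not evidence of anything.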

26

Existing Applications (from most to least integrated)

•Shibbolize the application and unify intra-campus and inter-campus users

•Add a second URL tree for inter-campus users

•Use a Shibbolized proxy server

(The latter two might also require code changes or attribute mapping. This is all much simpler for static content.)

27

Outline

Overview and Status

Life as an Origin Site

Life as a Destination Site

Pilots and Next Steps

28

Profile of Pilot Sites

Member of campus community accessing licensed resource

•University hosting licensed databases accessed from other universities

•Talking to several commercial vendors (they need “their customers” asking for this functionality…)

Member of a course accessing remotely controlled resource

•Web based testing

•Clearinghouse for curriculum packages

•Web based tools used in courses

Member of a workgroup accessing controlled resources

•Multi-institution project teams

Intra-campus scenario

•Unified access for internal and external users to resources

29

Some Pilots

Penn State, Virginia, WebAssign: web-based testing for courses

University of Delaware: Problem Based Learning Clearinghouse (resource for instructors)

EDINA (Edinburgh, UK), London School of Economics: licensed information resources

OSU: intra-campus use

Internet2: multi-campus workgroups

30

We’re Talking To….

•SFX

•Commercial Information Vendors

•Project Meteor