Access Management Technologies Update by Simon McLeish and John Paschoud
Transcript of Access Management Technologies Update by Simon McLeish and John Paschoud
Joint Information Systems Committee 30-May-2007 | | Slide 1
Access Management Technologies Update
Simon McLeish
London School of Economics
Joint Information Systems Committee Supporting education and research
Access Management Programme meeting, May 2007
[AMP meeting title slide]
Slide 2
[Overview]
1) Areas of (potential/actual) development around Shib/FAM
2) Outline of Shib v2 timetable and features
– … according to the latest information available to us
– (You may know different…???)
Slide 3
Shibboleth and Federated Access Management [1]
Increased Sophistication of Access Management
– Use of attributes to give fine grained access
• Signet http://middleware.internet2.edu/signet/
• Grouper and others
– Use of certificates to give fine grained access
• PERMIS http://sec.cs.kent.ac.uk/permis/
– [this is a fairly arbitrary distinction!]
Improved Shibboleth usage experience
– User-editable attribute release policies
• ShARPE http://federation.org.au/twiki/bin/view/Federation/ShARPE
• with two interfaces, WebShARPE and Autograph
• Also ARPViewer http://www.switch.ch/aai/support/tools/arpviewer.html
– Federation management tools
• Directory at http://www.rediris.es/wiki/tf-emc2/index.php/FederationTools
• SWITCHaai Resource Registry http://www.switch.ch/aai/support/tools/resourceregistry.html
– IdP and SP configuration and management tools (???)
Slide 4
Shibboleth and Federated Access Management [2]
Better Accounting
– Using IdP and SP logs together to discover usage statistics
– AAIEye http://www.csc.fi/english/institutions/haka/technology/aaieye
– Not just technical work: requires agreement between IdP and SP
Wider Integration
– Multi-federation work (also needs more than technical work here)
• Feide Cross Federation Demonstration (this is not just Shib, it's PAPI and SUN Access Manager too!) http://rnd.feide.no/category/saml-20/
– Adding Shibboleth support to wider range of tools
• See list of software currently known to support Shib at http://www.protectnetwork.org/shib-sp.html
• GridShib, the Athens gateway, and the ADFS extension fall into this category as well
...things we haven't thought of or don't know about yet
Slide 5
Shib 2.0 Overview (The more techie picture) [1]
Extending support for SAML 2.0, particularly Web Browser Single Sign-on, Single Logout and (some of) Authentication Request profiles
– for differences between SAML 1.1 (as used in Shib up to 1.3) and SAML 2.0 (as used for Shib metadata in 1.3 but not much elsewhere) see: https://spaces.internet2.edu/display/SHIB/SAMLDiffs
– The Web Browser SSO profile combines the SAML 1.1 Browser/Artifact and Browser/POST profiles used in Shib 1.2 and 1.3
– The Authentication Request Protocol provides support for SP-initiated web SSO exchanges. This protocol allows the SP to make requests to an IdP and potentially control various aspects of the user authentication at the IdP, the binding to be used to return the response message, the set of SAML attributes to be included in the resulting assertion, etc. As part of this request, the SP can also indicate the desire to dynamically establish a new federated identity for the user
– The Single Logout Protocol supports near-simultaneous logout of sessions at (SAML-compliant) web SSO participants. Non-SAML applications that maintain session information independently of Shib (which includes the majority of web applications which allow Shib login) will need modification to handle logout requests, but it's not entirely determined how this will work in Shib 2.0. It is expected that logout will add considerably to the overheads of an IdP installation, so this is an optionally supported feature to make lightweight installations possible where the feature is not needed.
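The SP-initiated web SSO exchange described above, as an added example that is not part of the slides or of the Shibboleth code base: an SP builds a SAML 2.0 AuthnRequest (with NameIDPolicy AllowCreate, the mechanism by which an SP asks the IdP to establish a new federated identity), encodes it for the HTTP-Redirect binding, and later checks a Response's InResponseTo against its outstanding request IDs so unsolicited or replayed responses are rejected. Entity IDs and URLs are constructed placeholders.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(sp_entity_id, acs_url, allow_create=True):
    """Return (request_id, xml_bytes) for an SP-initiated AuthnRequest.
    ProtocolBinding/AssertionConsumerServiceURL tell the IdP how and where
    to return the Response; NameIDPolicy AllowCreate='true' is how the SP
    asks the IdP to establish a new federated identity if none exists."""
    request_id = "_" + secrets.token_hex(16)   # SAML IDs must not start with a digit
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ProtocolBinding": HTTP_POST,
        "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"AllowCreate": "true" if allow_create else "false"})
    return request_id, ET.tostring(req)

def redirect_query(xml_bytes, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode as SAMLRequest."""
    comp = zlib.compressobj(wbits=-15)          # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(xml_bytes) + comp.flush()
    return urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                      "RelayState": relay_state})

def decode_redirect(query_string):
    """Inverse of redirect_query, as an IdP would apply it."""
    saml_request = parse_qs(query_string)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(saml_request), wbits=-15)

def response_is_solicited(response_xml, outstanding):
    """SP-side check: InResponseTo must name a request this SP issued and has
    not yet consumed; the entry is removed so a replayed Response fails."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False
    return outstanding.pop(root.get("InResponseTo"), None) is not None
```

Signing of the request and of the Response, and validation of the Response's own assertion, are omitted here; a real SP performs both.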
Slide 6
Shib 2.0 Overview (The more techie picture) [2]
Will be interoperable with Shib 1.3 and will not be interoperable with Shib 1.1
– (we think) It will continue to interoperate with the gateway
Shib 1.2 interoperability will probably not be complete (1.2 IdP to 2.0 SP more so)
The Java SP will finally see the light of day
– >2 years later than originally planned
– Not identical in functionality to the C++ SP
The default mode of Attribute transfer will change to attribute push from the IdP to the SP
– Uses changes in SAML 2.0 which allow encryption of the assertions in a different way.
– This means that Shib will no longer have to communicate attributes separately from the authentication assertion, as is done in 1.3 by default.
– (Attribute push is supported, but not heavily used in 1.3.)
Increased modularisation of code
Slide 7
Shib 2.0 Changes (How existing installations might be affected)
IdP will now be able to handle authentication directly (to accommodate Authentication Request profile)
– Likely to need reconfiguration as part of an upgrade to 2.0; or from-scratch installation may be easier
Certificates will need to be embedded directly in metadata (at present they can be referred to by key name only)
– Likely to affect about 2/3 of the entities listed in the UK federation
Enhancements to attribute resolution and release policy management
– ShARPE itself won't be included; but code extensions needed to make it work will
New logout features may need some coding behind the scenes in SP protected resources
Export of attribute information by SP to the protected applications will be modified
– Apache attribute export will be performed by default with subprocess environment variables rather than HTTP header variables
– Will almost certainly require recoding for protected applications
DiscoveryModule (WAYF replacement) has multi-federation support
Enhancements to extension mechanisms may make integration easier (and hopefully won't require recoding of existing extensions!)
– E.g. MS ADFS code more tightly integrated into Shib code
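The attribute-export change on this slide, as an added example that is not from the slides or from Shibboleth itself: a protected WSGI/CGI application reading SP-exported attributes under the two modes (1.3-style HTTP headers, which Apache hands to the application as HTTP_<NAME>; 2.0-default environment variables, which arrive as plain keys). It shows why an application written for header export stops seeing attributes after the upgrade, and a check that flags attribute-named request headers, which under environment-variable export can only have come from the client. Attribute names follow common Shibboleth practice; values and the environs are constructed.

```python
SHIB_ATTRIBUTES = ("eppn", "affiliation", "entitlement")

def _header_key(name):
    # Apache exposes a request header 'eppn' to CGI/WSGI as HTTP_EPPN
    return "HTTP_" + name.upper().replace("-", "_")

def read_shib_attributes(environ, use_headers=False):
    """Return {attribute: [values]} from a WSGI/CGI environ.
    use_headers=False: Shib 2.0 default, attribute is a plain environ key.
    use_headers=True : 1.3-style header export, attribute is HTTP_<NAME>.
    Multi-valued attributes are ';'-separated in both modes."""
    attrs = {}
    for name in SHIB_ATTRIBUTES:
        raw = environ.get(_header_key(name) if use_headers else name, "")
        if raw:
            attrs[name] = raw.split(";")
    return attrs

def spoofed_attribute_headers(environ):
    """With environment-variable export the SP never sets these headers, so
    any attribute-named request header present was supplied by the client
    (assumption: the SP is not also configured to export headers)."""
    return [n for n in SHIB_ATTRIBUTES if _header_key(n) in environ]

def authorize(environ, required_entitlement, use_headers=False):
    """Access decision on exported attributes; returns (allowed, reason)."""
    attrs = read_shib_attributes(environ, use_headers)
    if "eppn" not in attrs:
        return False, "no Shibboleth session: eppn not exported"
    if required_entitlement not in attrs.get("entitlement", []):
        return False, f"{attrs['eppn'][0]} lacks {required_entitlement}"
    return True, attrs["eppn"][0]

# Constructed sample environs (all values are made up)
ENV_EXPORT = {"eppn": "jsmith@example.ac.uk",
              "affiliation": "staff@example.ac.uk;member@example.ac.uk",
              "entitlement": "urn:mace:dir:entitlement:common-lib-terms"}
HEADER_EXPORT = {"HTTP_EPPN": "jsmith@example.ac.uk",
                 "HTTP_ENTITLEMENT": "urn:mace:dir:entitlement:common-lib-terms"}
```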
Slide 8
When?
Roadmap doesn't say
Some early versions of minor modules have already been released (e.g. WAYF replacement, the DiscoveryModule)
It won't be by the third quarter of 2006 (http://edina.ac.uk/news/newsline11-1/allstories.shtml)!
Guesstimate: by end of 2007
See https://spaces.internet2.edu/display/SHIB/ShibTwoRoadmap for an updated description.
Slide 9
The End
[JISC Conf title slide]
from / © www.thebricktestament.com
Slide 10
Links, Questions and Conclusions
JISC FAM Transition: www.jisc.ac.uk/federation.html
UK Federation: www.ukfederation.org.uk
Shibboleth: shibboleth.internet2.edu
Contact: [email protected] or [email protected]