Shibboleth access management: a replacement for Athens and more?
Shibboleth access management: a replacement for Athens and more?
Mark Norman and Christian Fernau
OUCS
21 June 2007
IT Support Staff Conference 21 June 2007
This presentation
• What is Shibboleth?
  – What it isn’t
• A quick run through of a common example
• The UK Federation
• Privacy and the 4 attributes
• Shibboleth in Oxford: the architecture
• Questions
What is Shibboleth?
• “Shibboleth is a system designed to exchange attributes across realms for the primary purpose of authorisation”
• Why is it called Shibboleth?
  – Because it is access control where it matters what you are, rather than who you are
  – Judges 12:5-6 (the Gileadites seized the passages of the Jordan before the Ephraimites, who couldn’t pronounce “ear of wheat”)
It’s easier to say what it isn’t!
• It ISN’T about authentication management!
  – (Authentication = the act of verifying that an electronic identity is being employed by the entity, person or process to whom it was issued.)
  – Shibboleth thinks that institutions should run their own authentication systems and others should trust those processes
• It ISN’T about authorisation management!
  – (Authorisation = associating rights or capabilities with a subject/person)
  – Other information about individuals (groups, status etc.) should be managed by the institution too!
OK, in plain English…
• It’s all about how to transmit the authorisation and role information from your home institution to outside service providers
• And how those service providers can ask for that information
• Access management and the communication of authorisation credentials
• Aims: separate authentication from authorisation
  – Devolve authentication to the ‘home’ organisation
  – Devolve the management of authorisation information as well
Replacing Athens?
• In phases:
  – Mid 2007 Shibboleth enabled at Oxford (possibly without publicity)
– Athens continues (free) until July 2008
– Between mid 2007 and July 2008, Oxford users should be able to use Shibboleth or Athens to access on-line resources
– After 2008 Athens may still be available but will require a subscription from Oxford
Replacing Athens – the user's perspective
• Now:
  – Users connect to a resource and type in their Athens username and password to gain access
• Mid 2007:
  – Users can do the same thing for many (most?) resources using their Webauth username and password (actually the Webauth screens too)
  – Users can still use their Athens username and password
• August 2008:
  – Athens may be unavailable
Some definitions
• Identity Provider (IdP): your home institution (where you usually have a username/login)
• Service Provider (SP): organisation/body providing a service (e.g. e-Journal)
• WAYF (where are you from? service) [a type of IdP Discovery Service]: application/service that determines which IdP to send the user to
Technically simple (SAML)*
• Shibboleth involves two types of exchanges:
  1. AuthnRequest << >> AuthnAssertion
     “Was authentication successful?”
  2. AttributeRequest << >> AttributeAssertion
     “I need to know... ...about this user.”
     “This user has the following attributes...”
* Security Assertion Markup Language
What the user should see
• The user goes to a resource
• They are presented with login options
• They select the “UK Federation” or “Institutional sign on” etc. option
What the user should see
• The resource sends them to the “Where are You From” service
• They say they are from Oxford
What the user should see
• They then see their familiar Webauth screen
What the user should see
• Then the usual Oxford confirmation...
What the user should see
• Possibly a holding screen for 2-3 seconds before the user sees...
What the user should see
• the resource they were trying to reach a few seconds ago
• The next time they try to get to a resource...
What the user should see
• The next time they try to get to a resource...
• They're almost straight in (no need to authenticate again) as there's a cookie kept in the browser.
Trusting the SP, IdP etc.
• All of these bodies trust each other (implicitly) as they all belong to the same Federation
  – A federation has a set of rules that everyone obeys
    • e.g. security policy for IdPs, privacy policies for SPs
  – A service provider (SP) can provide services for multiple federations
  – An institution such as Oxford (or its IdP) could belong to multiple federations too.
The UK Federation
• A group of member organisations who sign up to a set of rules (see next slides)
• Is an independent body funded by Becta and JISC
• Manages the trust relationships between members
The UK Federation Rules for IdPs
• Provide data that is accurate and up-to-date
• Comply with technical specifications
• Observe good practice for
  – configuration, operation, and security of service, exchange of data, private keys, ...
• Must hold all licences and permissions required
• Must not damage reputation of Federation
• Give 'reasonable assistance' to investigate misuse
The UK Federation Rules for SPs
• Must not disclose attributes to 3rd parties
• Use attributes only for access control or presentation decisions (and only for the service that the user requested)...
• ...or for generating aggregated anonymised usage statistics
• SP is responsible for management of access rights: federation has no liability
Chris: Privacy and the 4 attributes
• Chris to add slides
Chris: Shib architecture at Oxford
• Chris to add slides
Chris: DEMO????
• Christian – check out this page for other resources
  – http://ukfederation.org/content/Documents/AvailableServices
  – (But I got:
    “Shibboleth Identity Provider Failure
    The inter-institutional access system experienced a technical failure.
    Please email root@localhost and include the following error message:
    Identity Provider failure at (/shibboleth-idp/SSO)
    org.opensaml.SAMLException: Invalid assertion consumer service URL.”)
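Added example (not the presenters' code and not Shibboleth's own implementation): a toy Python identity provider that models the two exchanges from the “Technically simple (SAML)” slide, the Webauth-once-then-cookie flow from the “What the user should see” slides, and the federation trust check behind the “Invalid assertion consumer service URL” failure quoted above. The federation metadata, the directory, the SP entity ID, the URLs and the eduPerson attribute names are all constructed assumptions, not values from the slides.

```python
import secrets
# Constructed federation metadata (assumption, not real UK Federation data): the SPs the
# IdP trusts, their registered AssertionConsumerService (ACS) URLs, and what it releases.
FEDERATION_METADATA = {
    "https://ejournal.example.org/shibboleth": {
        "acs_urls": {"https://ejournal.example.org/Shibboleth.sso/SAML/POST"},
        "released_attributes": {"eduPersonScopedAffiliation", "eduPersonEntitlement"},
    },
}
# Constructed home-institution directory; the eduPerson attribute names are assumed.
DIRECTORY = {
    "abcd1234": {
        "password": "correct horse",
        "eduPersonScopedAffiliation": "member@example.ac.uk",
        "eduPersonEntitlement": "urn:mace:dir:entitlement:common-lib-terms",
        "displayName": "A. Person",  # not in the release set, so never leaves the IdP
    },
}
class IdentityProvider:
    def __init__(self):
        self.sessions = {}  # browser cookie -> username ("almost straight in" next time)
        self.handles = {}   # opaque handle -> (username, SP it was issued to)

    def login(self, username, password):
        """The Webauth step: check the password once and hand back a session cookie."""
        if DIRECTORY.get(username, {}).get("password") != password:
            raise PermissionError("authentication failed")
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie

    def authn_request(self, sp_entity_id, acs_url, cookie):
        """Exchange 1: AuthnRequest -> AuthnAssertion ('Was authentication successful?')."""
        sp = FEDERATION_METADATA.get(sp_entity_id)
        if sp is None or acs_url not in sp["acs_urls"]:
            # The demo-slide failure: never post an assertion to an ACS URL metadata lacks.
            raise ValueError("Invalid assertion consumer service URL")
        if cookie not in self.sessions:
            return {"authenticated": False}  # browser is sent to Webauth first
        handle = secrets.token_hex(8)  # opaque: carries no identity by itself
        self.handles[handle] = (self.sessions[cookie], sp_entity_id)
        return {"authenticated": True, "handle": handle, "destination": acs_url}

    def attribute_request(self, sp_entity_id, handle):
        """Exchange 2: AttributeRequest -> AttributeAssertion, filtered per SP."""
        username, issued_to = self.handles.pop(handle, (None, None))
        if issued_to != sp_entity_id:
            raise PermissionError("handle not issued to this SP")
        allowed = FEDERATION_METADATA[sp_entity_id]["released_attributes"]
        return {k: v for k, v in DIRECTORY[username].items() if k in allowed}
```

Releasing only the attributes listed for each SP is the IdP-side privacy control: the directory's displayName is never part of the attribute assertion, and a handle can be redeemed once and only by the SP it was issued to.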
Questions?