1 / 13

Shibboleth: Enhancing Access Control and Privacy for Academic Services

Discover how Shibboleth, an open-source middleware initiative, provides an architecture for secure attribute exchange and access control decisions in higher education institutions. Learn about its concepts, components, and principles, and how it is being implemented at The Pennsylvania State University.

louismorrison
Download Presentation

Shibboleth: Enhancing Access Control and Privacy for Academic Services

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Internet2 Middleware Initiative Shibboleth Renée Shuey Systems Engineer I Academic Services & Emerging Technologies The Pennsylvania State University rshuey@psu.edu

  2. Why Shibboleth? • PS physics professor has more in common with a OSU physics professor than a PSU english professor • PS faculty can access library resources that a PS medical faculty cannot • Classes with extremely small numbers could be taught across higher ed institutions • Library vendor allows searches and saves information for next access

  3. What is Shibboleth? • Architecture to provide inter-realm authn/authz with emphasis on user privacy and a policy framework for web services • Utilizes eduPerson, SAML, and OpenSAML • Provides secure exchange of attributes which can be used in access control decisions • Designed to work with existing systems requiring as little change as possible. • Co-developed by Internet2/MACE and IBM/Tivoli • Open Source (also based on MIT License)

  4. Shibboleth Concepts • Target Site • The protected resource the user wishes to access • Consists of Resource Manager, SHIRE, and SHAR • Where authorization rules reside and access decisions are made • Receives all information about the user from the Origin Site • Origin Site • Where the user's attributes, authentication database, and attribute release policy are located • Consists of the Handle Service, Attribute Authority, and Attribute Release policy • Asserts identity and attributes of the user to the Target Site • WAYF (Where Are You From) Server • Queries user to determine what institution they are from • Redirects them to their Origin Site's Handle Service • Can be a separate server, or part of the Target Site

  5. Origin Site Components • Handle Server • Works with local authentication system to authenticate user • Generates an opaque handle to identify user • Maintains a mapping from the opaque handle to the user's identity • Responds to an Attribute Query Handle Request • Sends Authentication SAML assertion to the Target Server's SHIRE component • Attribute Authority • Works with local directory to acquire user attributes • Uses the Attribute Release Policy to determine which attributes can be released • Responds to an Attribute Query Message from the SHAR • Sends Authorization SAML Assertion to Target Site's SHAR component • Attribute Release Policy • Specifies rules for what attributes are to be released to which Target Site • Can also be user specific and user controlled

  6. Target Site Components • SHIRE • SHibboleth Indexical Reference Establisher • Accepts and validates Authentication SAML assertions from Handle Service • Associates the opaque handle with a session it creates • Passes control to the SHAR • SHAR • SHibboleth Attribute Requester • Using the opaque handle from the SHIRE, requests attributes from the Attribute Authority, then passes them to the Resource Manager • Resource Manager • Accepts attributes from the SHAR • Makes authorization decisions based on local rules and the user's Attributes

  7. Shibboleth Principles • Authentication system agnostic • Authentication is handled by the web server at the Origin Site • Open Source & Open Standards • No vendor supplied software is required • All protocols and messages are documented RFC-style • Active privacy protection • End user/organization determines which attributes are released to which Target • No identifying attributes (example: username) are sent by default • Security • x.509 certificates assure validity of SAML assertions • Encryption may be employed in a variety of ways (XML-encryption, SSL, etc) • Builds on existing campus security architecture instead of replacing it.

  8. Shibboleth Requirements • SSL Web Server • Apache 1.3.x • IIS • LDAP Server • Tomcat Application engine (Origin Site) • Java Runtime Environment (Origin Site) • Digital Certificate with DigitalSignature attribute • OpenSSL • Log4cpp • Libapreq, libxml2, libxslt, xmlsec

  9. Penn State/NC State Pilot • Summer 2002 • ~20 students • 2 weeks • 1 class • Fall 2002 • ~200 students • 3 classes • Spring 2003 • 1808 students • Succesful logins: 63,026 • All physics classes

  10. Request from User Attribute Release Policies Authentication Request Web Services Trust Origin Site (user browser) Target Site (Web Resource)

  11. Penn State DLT Pilot • OCLC • Autho • attribute • JSTOR • Ebsco

  12. Next Steps • Define attributes • Turnover as production service by fall • Continue piloting new features • Integrate with credential management system(web single sign on) • Expand platform support

  13. References • eduPerson Specification • SAML 1.0 Assertions and Protocol • OpenSAML FAQ • Shibboleth Update -- Ken Klingenstein • Shibboleth Update - Steven Carmody Graphics and text from the following resources were used in the development of this presentation.

More Related