1. Shibboleth - An Introduction UCAR Web Advisory Group
Peter Burkholder
6 October 2004
3. Outline Shibboleth philosophy
Use Contexts
Architecture
Trust model: Federations
Technical notes
Challenges
4. Starting From This… Suppose I am:
Chris Jones, with these attributes in campus directory:
UW student number 62-3407;
home phone number 715-555-1234;
e-mail chris.jones@uw.edu…
Currently enrolled UW student;
undergraduate;
psychology major;
enrolled in Psych 402 senior seminar…
5. We Want This: Unambiguous mechanism that:
Protects your privacy
Demonstrates you really are a member of an appropriate group (e.g., UW Student, or enrolled in Psych 402)
Works securely
6. Not This: EXP DATE[p43]=09-30-04
RANK[p44]=v
CAMPUS[p45]=a
DEPT[p46]=0
P TYPE[p47]=5
TOT CHKOUT[p48]=13
TOT RENWAL[p49]=1
CUR CHKOUT[p50]=0
HOME LIBR[p53]=none
PMESSAGE[p54]=
MBLOCK[p56]=-
REC TYPE[p80]=p
RECORD #[p81]=1383699
REC LENG[p82]=252
CREATED[p83]=08-12-99
UPDATED[p84]=01-07-04
REVISIONS[p85]=100
AGENCY[p86]=1
CL RTRND[p95]=0
MONEY OWED[p96]=$0.00
BLK UNTIL[p101]= - -
CUR ITEMA[p102]=0
CUR ITEMB[p103]=0
PIUSE[p104]=0
OD PENALTY[p105]=0
ILL REQUES[p122]=0
CIRCACTIVE[p163]=08-14-03
PATRN NAME[pn]=JONES, CHRIS M
ADDRESS[pa]=Cheyenne$2455 N STAR RD$SUITE 300$VIA U.S. CARGO
ZIP CODE[pz]=CAMPUS
TELEPHONE[pt]=614-728-3600
UNIQUE NO[ps]=391******
S/N[pu]=391******
7. Enter Shibboleth FAQ #1: Why is it called Shibboleth?
A: Judges 12:5-6 And the Gileadites took the fords of the Jordan…when any of the fugitives of Ephraim said, “Let me go over,” the men of Gilead said to him, “Then say Shibboleth,” and he said “Sibboleth,” for he could not pronounce it right; then they seized him and slew him at the fords of the Jordan.
8. Enter Shibboleth Product of Internet2 development
“Secure framework for one organization to transmit attributes about a web-browsing individual across security domains to another institution.”
Only end-user requirement is a browser that supports cookies, redirection, and SSL
Only for web apps
Reduces # of passwords, protects privacy (vs. Passport, or Liberty Alliance)
Authentication, not security (use TLS/SSL)
9. Shibboleth Vocabulary Four main structures:
Origin: site with user directory information
Target: site with restricted resource
Where Are You From (WAYF): service to let a target site’s users select an appropriate origin
Federations: groups of origins and targets with agreed-upon policies for authentication
10. Use Contexts - 1 Napster (target) & Cornell (origin)
Cornell buys reduced-rate student subscription
Napster creates special Cornell login page
Student logs in using Napster username
Napster redirects user to Cornell origin node
Cornell’s Shibboleth Origin Node tells Napster whether or not user is a student
Napster isn’t privy to any additional information
http://shibboleth.internet2.edu/seas.html
11. Use Contexts - 2 DLESE
An origin authenticating users as Library members or as educators (tricky) to access resources at remote targets
A target providing services limited to members of a library federation or educational federation
UCAR
An origin authenticating users as UCAR staff to access resources at remote targets, e.g. Books 24x7
Very difficult for us to be authoritative
12. Shibboleth Vocabulary Origin components
Attribute Authority (AA): manages attribute release policies (ARPs) for different targets
Handle Service (HS): manages temporary references (handles) to identify user sessions
Local sign-on system (SSO): performs check against user directory for a valid login
User directory with necessary attributes
User dir: LDAP
AA & HS - provided by Shibboleth
Local SSO:
13. Shibboleth Vocabulary Target components
Resource Manager (RM): passes unauthenticated requests to SHIRE, grants access to authenticated requests
Shib. Indexical Reference Establisher (SHIRE): consults the WAYF to get a handle to query
Shib. Attribute Requester (SHAR): contacts origin Attribute Authority for needed attributes
14. A Shibboleth Login Resource could be Napster, if Uwyoming is subscribed, or Book 24x7 as a Faculty Member
The resource Target is protected by an Apache <Location> stanza and mod_shib
15. A Shibboleth Login RM could be as simple as
# Configure a test directory
<Location /secure>
AuthType shibboleth
ShibRequireSession On
require valid-user
</Location>
HS could be
<Location /shibboleth/HS>
AuthType Basic
AuthName "Internet2 Handle Service"
AuthUserFile /usr/local/apache/conf/user.db
require valid-user
</Location>
Or could use mod_authser or Kerberos or pubcookie
16. A Shibboleth Login The HS may not need to re-authenticate
The SSO may go against a different User Dir than the AA: e.g. Kerberos
The SHAR is a stand-alone process, needs to be started before httpd
17. A Shibboleth Login AA is governed by the site or individual's Attribute Release Policy (ARP)
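The login flow of slides 12, 13, 16 and 17 (HS issues a handle, the target's SHAR presents it to the AA, the AA releases only what the ARP allows) can be seen end to end in a small simulation. This is an added teaching example written for this page, not Shibboleth's own code: the directory entries, the ARP format, the provider identifiers and the class names are all constructed for the illustration. It goes slightly beyond the slides in making handles one-shot and bound to the target they were issued for, which is what keeps a handle from being replayed or redirected.

```python
"""Illustrative simulation of a Shibboleth-style login (added example, not
Shibboleth code): handle issuance by the Handle Service (HS), attribute query
by the target's SHAR, and Attribute Release Policy (ARP) enforcement by the
origin's Attribute Authority (AA). All data and names below are constructed."""
import secrets
import time

# Constructed campus directory entry (the "Starting From This" slide).
USER_DIRECTORY = {
    "cjones": {
        "eduPersonPrincipalName": "chris.jones@uw.edu",
        "eduPersonScopedAffiliation": ["student@uw.edu"],
        "studentNumber": "62-3407",
        "homePhone": "715-555-1234",
        "major": "psychology",
        "courses": ["PSYCH402"],
    }
}

# Constructed ARPs keyed by target providerId: only listed attributes are released.
ARP = {
    "https://napster.example/shibboleth": ["eduPersonScopedAffiliation"],
    "https://books24x7.example/shibboleth": [
        "eduPersonScopedAffiliation", "eduPersonPrincipalName"],
}


class HandleService:
    """Issues short-lived, opaque handles; the handle itself reveals nothing."""

    def __init__(self, ttl_seconds=300):
        self._handles = {}          # handle -> (user, target, expiry)
        self.ttl = ttl_seconds

    def issue(self, remote_user, target_id):
        # REMOTE_USER comes from the local SSO that protects /shibboleth/HS.
        handle = secrets.token_urlsafe(24)
        self._handles[handle] = (remote_user, target_id, time.time() + self.ttl)
        return handle

    def resolve(self, handle, target_id):
        entry = self._handles.pop(handle, None)   # one-shot: a replay finds nothing
        if entry is None:
            return None
        user, bound_target, expiry = entry
        if bound_target != target_id or time.time() > expiry:
            return None                            # wrong target or expired
        return user


class AttributeAuthority:
    """Answers SHAR queries, filtered through the ARP for the asking target."""

    def __init__(self, hs):
        self.hs = hs

    def query(self, handle, target_id):
        user = self.hs.resolve(handle, target_id)
        if user is None:
            return None
        allowed = ARP.get(target_id, [])           # no ARP entry: release nothing
        return {k: v for k, v in USER_DIRECTORY[user].items() if k in allowed}


def resource_manager_decision(attrs, required_affiliation):
    """Target RM: grant only if the released affiliation satisfies the rule."""
    if not attrs:
        return False
    return required_affiliation in attrs.get("eduPersonScopedAffiliation", [])


def login(origin_hs, origin_aa, remote_user, target_id, required_affiliation):
    """The browser redirects of a real login collapsed into direct calls."""
    handle = origin_hs.issue(remote_user, target_id)   # HS -> browser -> SHIRE
    attrs = origin_aa.query(handle, target_id)          # SHAR -> AA
    return resource_manager_decision(attrs, required_affiliation), attrs


if __name__ == "__main__":
    hs = HandleService()
    aa = AttributeAuthority(hs)
    granted, released = login(hs, aa, "cjones",
                              "https://napster.example/shibboleth", "student@uw.edu")
    print("access granted:", granted)
    print("attributes the target saw:", released)
```

Run as a script it shows the "We Want This" outcome: the Napster-like target learns that the user is a student and nothing else, while the student number, phone and course list stay at the origin.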
18. A Shibboleth Login
19. Example https://wayf.internet2.edu/InQueue/sample.jsp
20. Federations Group of mutually trusting institutions
Origins and targets
Common policies on attributes to request, certificate authorities to accept, sec. standards
Higher Ed federations:
InQueue - loose standards, free
http://inqueue.internet2.edu/who/
InCommon - production quality, ~$1000/annum
http://www.incommonfederation.org/participants.cfm
Attributes to request need to meet schema definition standards, such as
21. Technical notes - Target Target software
written for Apache 1.3/2.0 and IIS
C++, compiles under GCC 3.2
OpenSAML required
Creates mod_shib and shar
ShibConfig /opt/…/shibboleth.xml.
<Location /secure>
AuthType shibboleth
ShibRequireSession On
require valid-user
</Location>
SSL required to provide security
1. The main Applications element's providerId attribute must be changed to reflect the URI this target will use to identify itself to origins by default. This will often be approved or supplied by a federation.
2. The supportContact and error templates for the target found in the Errors element should be changed to ensure that users have a proper support mechanism.
3. Proper credentials for this target signed by an authority that the federation recognizes must be referenced by the Credentials element. The default configuration points at files containing widely-available, insecure keys and certificates. Note that keys are supported in a variety of formats: DER, PEM, encrypted PEM, PKCS8, and encrypted PKCS8.
4. FederationProvider and TrustProvider elements must be added or changed as needed to reflect the arrangements required. This information is often provided by federations to their members.
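The four items above are the things most often left at their shipped defaults, and the third one (a target presenting a key that every other installation also has) is the serious one. The script below is an added example, not part of Shibboleth or of the slides, that checks a target's shibboleth.xml for those four conditions before it goes into a federation. The element and attribute names Applications/providerId, Errors/supportContact, Credentials, FederationProvider and TrustProvider are taken from the slide; the root element name, the Key/Certificate/Path nesting under Credentials, the uri attribute on the provider elements, the placeholder markers and the list of "shipped sample" key paths are assumptions made for this illustration and should be adjusted to the installed version's real schema and distribution files.

```python
"""Pre-deployment checker for a Shibboleth target shibboleth.xml (added
example, not Shibboleth tooling). Flags the four slide items: placeholder
providerId, placeholder supportContact, credentials pointing at shipped sample
files, and missing FederationProvider/TrustProvider. Nesting below the named
elements and the sample file paths are ASSUMED for illustration."""
import xml.etree.ElementTree as ET

# Assumed markers that indicate a value was never changed from a template.
PLACEHOLDER_MARKERS = ("example.org", "example.com", "localhost")

# Constructed placeholder set: paths of the key/cert files a distribution ships
# as samples. Replace with the real file names of the version being deployed.
SHIPPED_SAMPLE_FILES = {
    "/opt/shibboleth/etc/sample.key",
    "/opt/shibboleth/etc/sample.crt",
}


def check_target_config(xml_text, shipped_sample_files=SHIPPED_SAMPLE_FILES):
    """Return a list of findings (empty list means all four checks passed)."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. providerId must be this target's own federation-approved URI.
    apps = root.find(".//Applications")
    provider_id = apps.get("providerId", "") if apps is not None else ""
    if not provider_id or any(m in provider_id for m in PLACEHOLDER_MARKERS):
        findings.append("1: Applications providerId missing or placeholder: %r" % provider_id)

    # 2. Users need a real support contact when something fails.
    errors = root.find(".//Errors")
    contact = errors.get("supportContact", "") if errors is not None else ""
    if not contact or any(m in contact for m in PLACEHOLDER_MARKERS):
        findings.append("2: Errors supportContact missing or placeholder: %r" % contact)

    # 3. Credentials must not reference the widely-available sample key/cert.
    for cred in root.iter("Credentials"):
        for path in cred.iter("Path"):
            p = (path.text or "").strip()
            if p in shipped_sample_files:
                findings.append("3: Credentials references shipped sample file: %s" % p)

    # 4. Federation metadata and trust configuration must be present.
    for tag in ("FederationProvider", "TrustProvider"):
        if root.find(".//" + tag) is None:
            findings.append("4: no %s element configured" % tag)

    return findings


# Constructed sample: a config left at template values (every check fires).
UNCHANGED_CONFIG = """<ShibbolethTargetConfig>
  <Applications providerId="https://example.org/shibboleth">
    <Errors supportContact="root@localhost"/>
  </Applications>
  <Credentials>
    <Key format="PEM"><Path>/opt/shibboleth/etc/sample.key</Path></Key>
    <Certificate format="PEM"><Path>/opt/shibboleth/etc/sample.crt</Path></Certificate>
  </Credentials>
</ShibbolethTargetConfig>"""

# Constructed sample: the same config after the four items were addressed.
READY_CONFIG = """<ShibbolethTargetConfig>
  <Applications providerId="https://sp.university.test/shibboleth">
    <Errors supportContact="helpdesk@university.test"/>
  </Applications>
  <Credentials>
    <Key format="PEM"><Path>/etc/shibboleth/sp.key</Path></Key>
    <Certificate format="PEM"><Path>/etc/shibboleth/sp.crt</Path></Certificate>
  </Credentials>
  <FederationProvider uri="/etc/shibboleth/federation-sites.xml"/>
  <TrustProvider uri="/etc/shibboleth/federation-trust.xml"/>
</ShibbolethTargetConfig>"""


if __name__ == "__main__":
    for name, cfg in (("unchanged", UNCHANGED_CONFIG), ("ready", READY_CONFIG)):
        print(name)
        for f in check_target_config(cfg) or ["  ok"]:
            print("  " + f)
```

The checker deliberately works on the text of the config rather than on the running target, so it can be run from a deployment script before httpd and the SHAR are started.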
22. Technical notes - Origin Origin software
Written in Java for Tomcat 4.1/5.X
Suggested run w/ Apache and mod_jk
Installing is 1% of the job…
Protect Handle Service: auth, provide REMOTE_USER
<Location /shibboleth/HS>
AuthType Kerberos
AuthName "Internet2 Handle Service"
KrbAuthRealms UCAR.EDU
KrbMethodK4Passwd off
require valid-user
</Location>
SSL required for the Handle Service
23. Challenges - Origin Side Authoritative User Directory
What UCAR directory?
How could DLESE verify anyone’s a teacher?
No Personal ARP GUI
Single-Sign On Service (pubcookie?)
Attribute provision
AA does mapping
Meeting Federation requirements, e.g. eduPersonScopedAffiliation (faculty, alum, student,..)
24. URLs of Note http://shibboleth.internet2.edu/
http://inqueue.internet2.edu