Shibboleth, a potential security framework for EDIT Lutz Suhrbier (suhrbier@inf.fu-berlin.de) AG Netzbasierte Informationssysteme (http://www.ag-nbi.de) FU Berlin, FB Mathematik und Informatik, Institut für Informatik 06/09/2007 Berlin, EDIT Developers Meeting
Why use Shibboleth in EDIT?
• Highly distributed organisational (infra)structure
  • Cross-national conglomerate of
    • universities, institutes, botanical museums, (private) collections, others
    • service providers, databases, hosts, applications, ...
    • users, system administrators
  • Members have individual security or organisational requirements
• Identity management
  • The current situation reflects the organisational structure:
    • users have to authenticate multiple times to access different services
    • users struggle to remember the individual credentials (e.g. user/password) for each service
    • system administrators have to manage access control for each of these services
    • user accounts and access control are maintained separately for each service or resource
• Problem
  • The current situation is error-prone and resource-consuming
  • Need for a convenient single sign-on (SSO) solution that considers
    • the security and organisational requirements of the providers
    • the security and privacy of the users
06/09/2007 EDIT Developers Meeting, BGBM Berlin
What is Shibboleth?
• Internet2 middleware project which
  • aims to develop a standards-based solution enabling organisations to exchange user information in a secure and privacy-preserving manner
  • has been developed by a group of leading campus middleware architects since 2000
• Inter-organisational single sign-on (SSO) service for web services
• Uses several widely implemented standards such as
  • Security Assertion Markup Language (SAML), XML, XML Signature
  • Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL)
  • SOAP, Lightweight Directory Access Protocol (LDAP)
• Relies on or extends the existing identity management solutions of the organisations
• Open source (Apache Software License 2.0)
Shibboleth Key Concepts
• Federations
  • a framework for multiple, scalable trust and policy sets
  • a federation is a group of organisations abiding by a common set of policies and practices
  • enables interaction without bilateral agreements between every pair of federated parties
  • IdP sites (user origin) provide attribute assertions to SP sites (target)
  • IdP sites are responsible for authenticating their users (using any reliable means)
• Attribute-based access control
  • access control decisions are made using the attribute assertions an SP receives from an IdP
  • assertions may include the user's identity, but are not required to
  • access may be granted based on e.g. group membership or origin site
• A standard (yet extensible) attribute/value vocabulary
  • eduPerson includes the person attributes widely used in higher education
• Active privacy management
  • IdP sites and their users control which information is released to SPs
  • individuals can manage attribute release via a web-based user interface
  • this frees users from being at the mercy of the SPs' privacy policies
Shibboleth Federations (figure; source: http://switch.ch/aai/about/federation/)
Shibboleth Login Procedure (figure; source: http://switch.ch/aai/demo/easy.html)
Shibboleth Main Components
• Identity Provider (IdP)
  • maintains user credentials and attributes
  • asserts authentication or attribute statements to relying parties (SPs)
  • the single sign-on (SSO) service initiates the authentication process
  • the authentication authority issues authentication statements to others (SPs)
• Service Provider (SP)
  • manages secured resources
  • user access is based on assertions requested from an IdP
  • the assertion consumer service processes the authentication assertions returned by the SSO service (verifying their XML Signature against the IdP key published in the federation metadata), then
    • initiates an optional attribute request (via the attribute requester),
    • establishes a security context at the SP, and
    • redirects the client to the desired target resource
• "Where are you from?" (WAYF) service (optional)
  • proxy for authentication requests passed from SPs to the IdPs' SSO service
  • used by SPs to determine the user's preferred IdP (user interaction possible)
Shibboleth Benefits (source: http://switch.ch/aai/about/)
• IdP benefits
  • simple integration into the existing identity management
  • no additional effort to establish new services (no separate user account or IP address management)
• SP benefits
  • relieved of user and account data management
  • authorisation based on defined attributes
• User benefits
  • a single digital identity for SSO, location-independent access
  • data transparency and privacy management
Shibboleth SP Integration
• Web server
  • Apache
    • mod_shib
    • assertions assignable to Apache environment variables (e.g. REMOTE_USER)
    • environment variables cannot be set by the client, unlike HTTP request headers, so applications should read the attributes from the environment wherever the server supports it
  • IIS
    • also possible
• Drupal
  • modified webserver_auth module
  • uses REMOTE_USER to log on to Drupal automatically
  • "pushes" the current Shibboleth attributes (e.g. roles, mail, name) into the Drupal user module at every login
• Subversion
  • currently usable via web browser only (work in progress, proxy?)
• Trac
  • work in progress...
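The following is an added example, not code from the EDIT project or from the Shibboleth SP. It shows how an application behind mod_shib can make the "group membership or origin site" decision from the key-concepts slide, using the attributes the SP exports as environment variables as described on this slide. Everything the slides do not fix is assumed: the attribute ids (eppn, affiliation, entitlement) follow the SP's default attribute-map.xml, multi-valued attributes arrive joined with ';' and embedded ';' escaped as '\;', and the federation members, entityIDs, resource policy and sample environments are constructed for the example.

```python
"""Attribute-based access control at a Shibboleth SP (added example, not project code)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed federation: IdP entityID -> scopes that IdP is allowed to assert.
FEDERATION: Dict[str, Set[str]] = {
    "https://idp.e-taxonomy.eu/shibboleth": {"e-taxonomy.eu"},
    "https://idp.fu-berlin.de/shibboleth": {"fu-berlin.de"},
}

# Constructed policy: path prefix -> attribute values that grant access.
# Paths without a rule are public; the longest matching prefix wins.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "/edit/private": {"affiliation": {"staff", "faculty"}},
    "/edit/admin": {"entitlement": {"urn:mace:e-taxonomy.eu:entitlement:edit-admin"}},
}


def split_values(raw: Optional[str]) -> List[str]:
    """Undo the SP's multi-value encoding: split on unescaped ';', unescape '\\;'."""
    if not raw:
        return []
    return [v.replace("\\;", ";") for v in re.split(r"(?<!\\);", raw)]


def scoped_values(values: List[str], idp: str) -> List[Tuple[str, str]]:
    """Keep only 'value@scope' entries whose scope the asserting IdP may vouch for.

    The SP's attribute filter normally enforces this; checking it again in the
    application means a misconfigured filter cannot let a foreign IdP assert
    'staff@fu-berlin.de'.
    """
    allowed = FEDERATION.get(idp, set())
    kept = []
    for v in values:
        if "@" not in v:
            continue  # unscoped value where a scoped one is required: ignore it
        value, scope = v.rsplit("@", 1)
        if scope.lower() in allowed:
            kept.append((value, scope.lower()))
    return kept


def find_rule(path: str) -> Optional[Dict[str, Set[str]]]:
    """Longest-prefix match of the request path against POLICY (None = public)."""
    best = None
    for prefix in POLICY:
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return POLICY[best] if best else None


def decide(path: str, env: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request to `path` given mod_shib's environment."""
    rule = find_rule(path)
    if rule is None:
        return True, "public resource"
    idp = env.get("Shib-Identity-Provider", "")
    if idp not in FEDERATION:
        return False, "asserting IdP is not a federation member"
    if not env.get("REMOTE_USER"):
        return False, "no Shibboleth session"
    if "affiliation" in rule:
        have = {val for val, _ in scoped_values(split_values(env.get("affiliation")), idp)}
        hit = have & rule["affiliation"]
        if hit:
            return True, "affiliation " + sorted(hit)[0]
    if "entitlement" in rule:
        # Entitlements are unscoped; trusting them relies on the federation check above.
        hit = set(split_values(env.get("entitlement"))) & rule["entitlement"]
        if hit:
            return True, "entitlement " + sorted(hit)[0]
    return False, "no attribute satisfies the rule"


# Constructed environments, as mod_shib would populate them (attribute ids assumed).
STAFF_ENV = {
    "REMOTE_USER": "editor@fu-berlin.de",
    "Shib-Identity-Provider": "https://idp.fu-berlin.de/shibboleth",
    "affiliation": "member@fu-berlin.de;staff@fu-berlin.de",
}
SPOOF_ENV = {  # IdP asserts a scope it does not own: must not grant access
    "REMOTE_USER": "someone@fu-berlin.de",
    "Shib-Identity-Provider": "https://idp.fu-berlin.de/shibboleth",
    "affiliation": "staff@e-taxonomy.eu",
}
ADMIN_ENV = {
    "REMOTE_USER": "admin@e-taxonomy.eu",
    "Shib-Identity-Provider": "https://idp.e-taxonomy.eu/shibboleth",
    "entitlement": "urn:mace:e-taxonomy.eu:entitlement:edit-admin",
}

if __name__ == "__main__":
    for path, env in [("/edit/private/taxa", STAFF_ENV), ("/edit/admin", STAFF_ENV),
                      ("/edit/private/taxa", SPOOF_ENV), ("/edit/admin", ADMIN_ENV), ("/", {})]:
        print(path, env.get("REMOTE_USER", "-"), decide(path, env))
```

The scope check is the part worth copying: a federation member's IdP is only trusted for its own scopes, so an IdP that asserts `staff@e-taxonomy.eu` for a user it authenticated under `fu-berlin.de` gets no access even though the IdP itself is trusted.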
Shibboleth Tools
• ShARPE
  • management of user attributes via a web-based interface (WebShARPE)
    • editing of user attributes
    • editing which attributes are released to which SPs
    • definition of user roles
  • extends the Attribute Release Policy (ARP) with group management facilities
    • users can assign attributes to other users
  • role-specific "business card" definition (Autograph)
    • enables users to edit their ID card for different uses (e.g. student, work group)
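The following is an added example, not ShARPE or Shibboleth IdP code. It models the two layers this slide describes, a site attribute release policy per SP and the user's own release choices, with plain Python dicts instead of the IdP's ARP XML. The SP entityIDs (the `/shibboleth` path on sp.e-taxonomy.eu is assumed), attribute names and user data are constructed for the example. The invariant it checks is the one a deployer should verify in any such tool: a user can withhold attributes the site would release, but can never release more than the site policy allows.

```python
"""Attribute release policy (ARP) evaluation on the IdP side (added example, not project code)."""
from typing import Dict, Set, Tuple

ANY_SP = "*"
EDIT_SP = "https://sp.e-taxonomy.eu/shibboleth"  # entityID path assumed

# Constructed site ARP: SP entityID (or ANY_SP) -> attributes the IdP may release to it.
SITE_ARP: Dict[str, Set[str]] = {
    ANY_SP: {"eduPersonAffiliation"},
    EDIT_SP: {"eduPersonPrincipalName", "mail", "displayName"},
}


def site_allowed(sp: str) -> Set[str]:
    """Attributes the site policy permits for this SP: the default set plus the SP-specific set."""
    return SITE_ARP.get(ANY_SP, set()) | SITE_ARP.get(sp, set())


def user_allowed(user_arp: Dict[str, Set[str]], sp: str, site: Set[str]) -> Set[str]:
    """The user's choice for this SP; the most specific entry wins, no entry means 'as the site allows'."""
    if sp in user_arp:
        return user_arp[sp]
    if ANY_SP in user_arp:
        return user_arp[ANY_SP]
    return site


def release(attributes: Dict[str, str], user_arp: Dict[str, Set[str]], sp: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return (attributes released to sp, attributes withheld by the user's own policy).

    The intersection is what makes the user policy a restriction only: an attribute
    the user adds for an SP that the site ARP does not name is silently dropped.
    """
    site = site_allowed(sp)
    permitted = site & user_allowed(user_arp, sp, site)
    released = {name: value for name, value in attributes.items() if name in permitted}
    withheld_by_user = {name for name in attributes if name in site and name not in permitted}
    return released, withheld_by_user


# Constructed user record held by the IdP.
USER_ATTRIBUTES = {
    "eduPersonPrincipalName": "editor@fu-berlin.de",
    "eduPersonAffiliation": "staff",
    "mail": "editor@fu-berlin.de",
    "displayName": "Example Editor",
    "telephoneNumber": "+49 30 0000000",
}

# Constructed user ARP, as set through a WebShARPE-style UI: hide mail from the EDIT SP,
# and (in vain) try to release telephoneNumber, which the site policy never names.
USER_ARP = {
    EDIT_SP: {"eduPersonPrincipalName", "eduPersonAffiliation", "displayName", "telephoneNumber"},
}

if __name__ == "__main__":
    released, withheld = release(USER_ATTRIBUTES, USER_ARP, EDIT_SP)
    print("released to EDIT SP:", released)
    print("withheld by user:", withheld)
    print("released to unknown SP:", release(USER_ATTRIBUTES, {}, "https://sp.example.org/shibboleth")[0])
```

Returning the withheld set alongside the released attributes is what lets the IdP's user interface warn that an SP which requires `mail` will reject the login, without ever sending the attribute.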
EDIT Recent and Current Activities
• Demo IdP and SP servers installed as Xen domains
  • https://idp.e-taxonomy.eu
  • https://sp.e-taxonomy.eu
• Provisional EDIT federation established
  • https://dev.e-taxonomy.eu will join
  • other sites can join on request
• Comprehensive setup descriptions available
  • http://dev.e-taxonomy.eu/trac/wiki/Shibboleth
  • IdP and SP on Debian Etch
  • Drupal integration
• ShARPE will be installed on the IdP site within the next few days