
Shibboleth, a potential security framework for EDIT

Shibboleth, a potential security framework for EDIT. Lutz Suhrbier (suhrbier@inf.fu-berlin.de) AG Netzbasierte Informationssysteme ( http://www.ag-nbi.de ) FU Berlin, FB Mathematik und Informatik, Institut für Informatik 06/09/2007 Berlin, EDIT Developers Meeting.


Presentation Transcript


  1. Shibboleth, a potential security framework for EDIT Lutz Suhrbier (suhrbier@inf.fu-berlin.de) AG Netzbasierte Informationssysteme (http://www.ag-nbi.de) FU Berlin, FB Mathematik und Informatik, Institut für Informatik 06/09/2007 Berlin, EDIT Developers Meeting

  2. Why use Shibboleth in EDIT?
  • Highly distributed organisational (infra)structure
    • Cross-national conglomerate of
      • universities, institutes, botanical museums, (private) collections, others
      • service providers, databases, hosts, applications, …
      • users, system administrators
    • Members have individual security or organisational requirements
  • Identity management
    • The current situation reflects the organisational structure:
      • Users have to authenticate multiple times to access different services
      • Users struggle to remember the individual authentication IDs (e.g. user/password) for each service
      • System administrators have to manage access control for each of these services separately
      • User accounts and access control are maintained individually for each service or resource
  • Problem
    • The current situation is error-prone and resource-consuming
    • Need for a convenient single sign-on (SSO) solution that considers
      • the security and organisational requirements of providers
      • the security and privacy aspects of users
  06/09/2007 EDIT Developers Meeting, BGBM Berlin

  3. What is Shibboleth?
  • Internet2 Middleware project which
    • aims to develop a standards-based solution enabling organisations to exchange user information in a secure and privacy-preserving manner
    • is developed by a group of leading campus middleware architects (since 2000)
  • Inter-organisational single sign-on (SSO) service for web services
  • Uses several widely implemented standards such as
    • Security Assertion Markup Language (SAML), XML, XML Signature
    • Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL)
    • SOAP, Lightweight Directory Access Protocol (LDAP)
  • Relies on or extends the existing identity management solutions of the participating organisations
  • Open source (Apache Software License 2.0)

  4. Shibboleth Key Concepts
  • Federations
    • a framework for multiple, scalable trust and policy sets
    • specifies a group of organisations abiding by a common set of policies and practices
    • enables interaction without defining bilateral agreements between federated parties
    • IdP sites (user origin) provide attribute assertions to SP sites (target)
    • IdP sites are responsible for authenticating users (using any reliable means)
  • Attribute-based access control
    • access control decisions are made using the attribute assertions that SPs receive from IdPs
    • assertions may include identity, but are not required to
    • access may be granted based on e.g. group membership or origin site
  • A standard (yet extensible) attribute/value vocabulary
    • eduPerson includes widely used person attributes in higher education
  • Active privacy management
    • IdP sites and their users control what information is released to SPs
    • individuals can manage attribute release via a web-based user interface
    • users are no longer at the mercy of the SPs' privacy policies

  5. Shibboleth Federations (figure). Source: http://switch.ch/aai/about/federation/

  6. Shibboleth Login Procedure (figure). Source: http://switch.ch/aai/demo/easy.html

  7. Shibboleth Main Components
  • Identity Provider (IdP)
    • maintains user credentials and attributes
    • asserts authentication or attribute statements to relying parties (SPs)
    • the single sign-on (SSO) service initiates the authentication process
    • the authentication authority issues authentication statements to others (SPs)
  • Service Provider (SP)
    • manages secured resources
    • user access is based on assertions requested from an IdP
    • the assertion consumer service processes the authentication assertions returned by the SSO service; it then
      • initiates an optional attribute request (via the attribute requester),
      • establishes a security context at the SP, and
      • redirects the client to the desired target resource
  • "Where are you from?" (WAYF) service (optional)
    • proxy for authentication requests passed from SPs to the IdPs' SSO service
    • used by SPs to determine the user's preferred IdP (user interaction possible)
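The access decision that slides 4 and 7 describe, as an added example (not code from the slides or from the Shibboleth project): the SP takes the attribute statement it received from the IdP and grants access on group membership or on the user's origin site, without needing an identity attribute. Shibboleth 2 exchanges SAML 2.0 assertions, which is assumed here; the assertion, the IdP entityID and the scope table are constructed. Signature validation and XML hardening are the SP software's job and are not shown. The scope filter is the check a practitioner should insist on: without it, any IdP in the federation could assert "staff@" another member's domain.

```python
"""Attribute-based access control over a SAML 2.0 AttributeStatement."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# urn:oid names under which Shibboleth IdPs commonly release eduPerson attributes
OID_TO_NAME = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1": "isMemberOf",
}

# Constructed stand-in for the <shibmd:Scope> entries of federation metadata:
# which scopes each IdP (by entityID) is allowed to assert.
METADATA_SCOPES = {
    "https://idp.example-idp.org/idp/shibboleth": {"example-idp.org"},
}

# Constructed assertion. The second scoped affiliation carries a scope the
# issuing IdP does not own, which the scope filter below must discard.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" IssueInstant="2007-09-06T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example-idp.org/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>user1@example-idp.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>staff@example-idp.org</saml:AttributeValue>
      <saml:AttributeValue>member@rogue.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1">
      <saml:AttributeValue>edit-developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (issuer entityID, {friendly attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("{%s}Issuer" % SAML, default="").strip()
    attrs = {}
    for attr in root.iter("{%s}Attribute" % SAML):
        name = OID_TO_NAME.get(attr.get("Name"), attr.get("Name"))
        for val in attr.findall("{%s}AttributeValue" % SAML):
            if val.text and val.text.strip():
                attrs.setdefault(name, []).append(val.text.strip())
    return issuer, attrs


def filter_scopes(attrs, issuer, metadata_scopes=METADATA_SCOPES):
    """Drop scoped values whose scope the issuing IdP is not registered for.
    The Shibboleth SP performs this check from federation metadata."""
    allowed = {s.lower() for s in metadata_scopes.get(issuer, set())}
    cleaned = dict(attrs)
    for name in ("eduPersonScopedAffiliation", "eduPersonPrincipalName"):
        cleaned[name] = [v for v in attrs.get(name, [])
                         if "@" in v and v.rsplit("@", 1)[1].lower() in allowed]
    return cleaned


def is_authorized(attrs, policy):
    """policy = {"groups": [...], "affiliations": [...], "sites": [...]}.
    Grant on any matching group, or on a matching affiliation at a matching
    origin site. The identity attribute is never consulted."""
    if set(attrs.get("isMemberOf", [])) & set(policy.get("groups", [])):
        return True
    sites = {s.lower() for s in policy.get("sites", [])}
    affiliations = set(policy.get("affiliations", []))
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, _, scope = value.rpartition("@")
        if affiliation in affiliations and scope.lower() in sites:
            return True
    return False


def decide(xml_text, policy):
    """Full SP-side pipeline: parse, enforce metadata scopes, evaluate policy."""
    issuer, attrs = parse_assertion(xml_text)
    return is_authorized(filter_scopes(attrs, issuer), policy)
```

With the constructed assertion, `decide(SAMPLE_ASSERTION, {"groups": ["edit-developers"]})` and a policy for staff at example-idp.org both grant access, while a policy for members of rogue.example is refused because the rogue scope never survives `filter_scopes`.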

  8. Shibboleth Benefits. Source: http://switch.ch/aai/about/
  • IdP benefits
    • simple integration into existing identity management
    • no additional effort to establish new services (no per-service user account or IP address management)
  • SP benefits
    • relieved of user and account data management
    • authorisation based on defined properties (attributes)
  • User benefits
    • a single digital identity for SSO, location-independent access
    • data transparency and data privacy management

  9. Shibboleth SP Integration
  • Web server
    • Apache
      • mod_shib
      • attributes from the assertion are exported to Apache environment variables (e.g. REMOTE_USER)
    • IIS
      • also possible
  • Drupal
    • modified webserver_auth module
    • uses REMOTE_USER to log the user on to Drupal automatically
    • "pushes" the current Shibboleth attributes (e.g. roles, mail, name) into the Drupal user module at every login
  • Subversion
    • currently usable via web browser (work in progress, proxy?)
  • Trac
    • work in progress…
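What an application behind mod_shib should do with the exported variables, as an added example (not code from the slides and not the modified Drupal webserver_auth module they describe): trust REMOTE_USER for the login, recompute the application's roles from the pushed attributes on every request so that a role revoked at the IdP disappears at the next login, and never read anything from client-supplied headers. The attribute names eppn, unscoped-affiliation, member and mail are the ids from a default Shibboleth SP 2.x attribute-map.xml and the role table is constructed; both are assumptions. The handler is a minimal WSGI function to keep it runnable without Drupal.

```python
"""Consuming Shibboleth SP attributes in a web application behind mod_shib."""


def split_multivalued(raw):
    """mod_shib joins multiple values with ';' and escapes a literal ';' as '\\;'."""
    values, current, i = [], [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            current.append(";")
            i += 2
            continue
        if ch == ";":
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    values.append("".join(current))
    return [v for v in values if v]


# Constructed mapping from (attribute id, value) to an application role.
ROLE_MAP = {
    ("unscoped-affiliation", "member"): "authenticated",
    ("unscoped-affiliation", "staff"): "editor",
    ("member", "edit-developers"): "developer",
}


def login_from_environ(environ, role_map=ROLE_MAP):
    """Return a user record, or None when there is no Shibboleth session.

    Only server-set variables are trusted. mod_shib exports attributes as
    environment variables, so a client that sends a 'REMOTE_USER: admin'
    header only produces HTTP_REMOTE_USER in the environ, which is ignored.
    Roles are rebuilt from the attributes on every call, never stored.
    """
    user = environ.get("REMOTE_USER")
    if not user:
        return None
    roles = set()
    for (attr, value), role in role_map.items():
        if value in split_multivalued(environ.get(attr, "")):
            roles.add(role)
    return {"name": user, "mail": environ.get("mail"), "roles": sorted(roles)}


def application(environ, start_response):
    """Minimal WSGI handler: no session -> 401, otherwise echo name and roles."""
    user = login_from_environ(environ)
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"no Shibboleth session\n"]
    body = "%s roles=%s\n" % (user["name"], ",".join(user["roles"]))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode("utf-8")]
```

For the variables to be present the location must be protected by mod_shib (with SP 2.x: `AuthType shibboleth`, `ShibRequestSetting requireSession 1` and a `require` rule), and REMOTE_USER is filled from the attribute named in the SP's REMOTE_USER setting, eppn by default. The same pattern applies when `ShibUseHeaders On` is used with a proxied backend, except that the backend must then be reachable only through the SP, because headers, unlike environment variables, can be forged by anyone who can reach the backend directly.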

  10. Shibboleth Tools
  • ShARPE
    • management of user attributes via a web-based interface (WebShARPE)
      • editing of user attributes
      • editing which attributes are released to which SPs
      • defining user roles
    • extends the Attribute Release Policy (ARP) with group management facilities
      • users can assign attributes to other users
    • role-specific "business card" definition (Autograph)
      • enables users to edit their ID card for different uses (e.g. student, work group)

  11. EDIT Recent and Current Activities
  • Demo IdP and SP servers installed as Xen domains
    • https://idp.e-taxonomy.eu
    • https://sp.e-taxonomy.eu
  • Provisional EDIT federation established
    • https://dev.e-taxonomy.eu will join
    • other sites can join on request
  • Comprehensive setup descriptions available
    • http://dev.e-taxonomy.eu/trac/wiki/Shibboleth
    • IdP and SP on Debian Etch
    • Drupal integration
  • ShARPE will be installed on the IdP site within the next days
