Mark Norman and Christian Fernau, OUCS, 21 June 2007
Shibboleth access management: a replacement for Athens and more?

This presentation
• What is Shibboleth?
• What it isn’t
• A quick run through of a common example
• The UK Federation
• Privacy and the 4 attributes
• Shibboleth in Oxford: the architecture
• Questions

What is Shibboleth?
• “Shibboleth is a system designed to exchange attributes across realms for the primary purpose of authorisation”
• Why is it called Shibboleth? Because it is access control where it matters what you are, rather than who you are
• Judges 12:5-6 (the Gileadites seized the passages of the Jordan before the Ephraimites, who couldn’t pronounce “ear of wheat”)

It’s easier to say what it isn’t!
• It ISN’T about authentication management! (Authentication = the act of verifying that an electronic identity is being employed by the entity, person or process to whom it was issued.)
• Shibboleth thinks that institutions should run their own authentication systems and others should trust those processes
• It ISN’T about authorisation management! (Authorisation = associating rights or capabilities with a subject/person)
• Other information about individuals (groups, status etc.) should be managed by the institution too!

OK, in plain English…
• It’s all about how to transmit the authorisation and role information from your home institution to outside service providers
• And how those service providers can ask for that information
• Access management and the communication of authorisation credentials
• Aims: separate authentication from authorisation; devolve authentication to the ‘home’ organisation; devolve the management of authorisation information as well

Replacing Athens? In phases:
• Mid 2007: Shibboleth enabled at Oxford (possibly without publicity)
• Athens continues (free) until July 2008
• Between mid 2007 and July 2008, Oxford users should be able to use Shibboleth or Athens to access on-line resources
• After 2008 Athens may still be available but will require a subscription from Oxford

Replacing Athens – the user's perspective
• Now: users connect to a resource and type in their Athens username and password to gain access
• Mid 2007: users can do the same thing for many (most?) resources using their Webauth username and password (actually the Webauth screens too); users can still use their Athens username and password
• August 2008: Athens may be unavailable

Some definitions
• Identity Provider (IdP): your home institution (where you usually have a username/login)
• Service Provider (SP): organisation/body providing a service (e.g. e-Journal)
• WAYF (“where are you from?” service) [a type of IdP Discovery Service]: application/service that determines which IdP to send the user to

Technically simple (SAML)*
Shibboleth involves two types of exchanges:
• AuthnRequest << >> AuthnAssertion: “Was authentication successful?”
• AttributeRequest << >> AttributeAssertion: “I need to know ... about this user.” / “This user has the following attributes...”
* Security Assertion Markup Language
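The two exchanges on this slide, worked through as an added example (this is not code from the presentation or from the Shibboleth project): a small Python model in which the IdP answers a successful AuthnRequest with a SAML-style assertion carrying an AuthenticationStatement and an AttributeStatement, and the SP checks the signature, issuer, validity window and audience before it lets the attributes drive an access decision. The entity IDs, the assertion consumer service (ACS) URL, the shared HMAC key and the eduPersonScopedAffiliation attribute are all assumptions made for the example; a real federation uses XML Signature with certificates from the federation metadata, and the attributes actually released are the subject of the later "4 attributes" slide, not this one.

```python
"""Toy model of the two Shibboleth/SAML exchanges: the IdP issues a signed
assertion (AuthenticationStatement + AttributeStatement) and the SP verifies
it before authorising on the attributes. Example code, not Shibboleth's own.
The XML is SAML 1 flavoured but simplified; an HMAC over the serialised
bytes stands in for the XML Signature a real IdP would apply."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Constructed federation metadata, shared out of band. Assumption: a real
# federation distributes X.509 certificates, not a shared secret.
FEDERATION_KEY = b"constructed-shared-secret"
IDP_ENTITY_ID = "https://idp.example.ac.uk/shibboleth"
SP_ENTITY_ID = "https://journal.example.com/shibboleth"
SP_ACS_URL = "https://journal.example.com/Shibboleth.sso/SAML/POST"
SP_REGISTRY = {SP_ENTITY_ID: {"acs_urls": {SP_ACS_URL}}}
# Attribute name assumed for the example; the "4 attributes" slide is not on the page.
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"


class SamlError(Exception):
    pass


def q(tag):
    """Namespace-qualify a SAML element name for ElementTree."""
    return f"{{{NS}}}{tag}"


def idp_handle_authn_request(sp_entity_id, acs_url, user_attrs, now, ttl=300):
    """IdP side. The user has already authenticated locally (Webauth, at
    Oxford). Refuse to issue an assertion for an ACS URL that is not in the
    SP's registered metadata; otherwise return (assertion bytes, signature)."""
    sp = SP_REGISTRY.get(sp_entity_id)
    if sp is None or acs_url not in sp["acs_urls"]:
        raise SamlError("Invalid assertion consumer service URL")
    root = ET.Element(q("Assertion"), Issuer=IDP_ENTITY_ID,
                      IssueInstant=now.isoformat())
    conds = ET.SubElement(root, q("Conditions"), NotBefore=now.isoformat(),
                          NotOnOrAfter=(now + timedelta(seconds=ttl)).isoformat())
    restriction = ET.SubElement(conds, q("AudienceRestrictionCondition"))
    ET.SubElement(restriction, q("Audience")).text = sp_entity_id
    ET.SubElement(root, q("AuthenticationStatement"),
                  AuthenticationInstant=now.isoformat())
    # No name identifier is released: what you are, not who you are.
    stmt = ET.SubElement(root, q("AttributeStatement"))
    for name, values in user_attrs.items():
        attr = ET.SubElement(stmt, q("Attribute"), AttributeName=name)
        for value in values:
            ET.SubElement(attr, q("AttributeValue")).text = value
    xml_bytes = ET.tostring(root)
    signature = hmac.new(FEDERATION_KEY, xml_bytes, hashlib.sha256).hexdigest()
    return xml_bytes, signature


def sp_consume_assertion(xml_bytes, signature, sp_entity_id, now):
    """SP side. Check signature, issuer, validity window and audience before
    trusting anything inside; return the attributes as {name: [values]}."""
    expected = hmac.new(FEDERATION_KEY, xml_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise SamlError("signature does not verify")
    root = ET.fromstring(xml_bytes)
    if root.tag != q("Assertion") or root.get("Issuer") != IDP_ENTITY_ID:
        raise SamlError("unexpected issuer")
    conds = root.find(q("Conditions"))
    if conds is None:
        raise SamlError("assertion carries no Conditions")
    not_before = datetime.fromisoformat(conds.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(conds.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise SamlError("assertion outside its validity window")
    if sp_entity_id not in {a.text for a in conds.iter(q("Audience"))}:
        raise SamlError("assertion not addressed to this SP")
    return {a.get("AttributeName"): [v.text for v in a.iter(q("AttributeValue"))]
            for a in root.iter(q("Attribute"))}


def sp_authorise(attrs, licensed_scopes=("example.ac.uk",)):
    """Constructed licence rule: members of a licensed institution get in."""
    for value in attrs.get(AFFILIATION, []):
        role, _, scope = value.partition("@")
        if role in ("member", "staff", "student") and scope in licensed_scopes:
            return True
    return False


def run_exchange(acs_url, user_attrs, now=None, clock_skew_seconds=0, mutate=None):
    """Drive both exchanges end to end and return the SP's access decision.
    clock_skew_seconds moves the SP's clock; mutate lets a test alter the
    bytes in transit to show the signature check catching it."""
    now = now or datetime.now(timezone.utc)
    xml_bytes, sig = idp_handle_authn_request(SP_ENTITY_ID, acs_url, user_attrs, now)
    if mutate is not None:
        xml_bytes = mutate(xml_bytes)
    sp_now = now + timedelta(seconds=clock_skew_seconds)
    return sp_authorise(sp_consume_assertion(xml_bytes, sig, SP_ENTITY_ID, sp_now))


def exchange_outcome(acs_url, user_attrs, **kwargs):
    """Report 'granted', 'denied' or the reason the SP or IdP rejected it."""
    try:
        return "granted" if run_exchange(acc := acs_url, user_attrs, **kwargs) else "denied"
    except SamlError as err:
        return f"rejected: {err}"
```

The IdP-side ACS URL check is the one behind the "Invalid assertion consumer service URL" failure quoted in the demo notes at the end of this deck: the IdP will not hand an assertion to a location that is not in the SP's federation metadata. On the SP side the order matters: verify the signature before parsing anything you will act on, and reject on issuer, audience and time window before looking at a single attribute.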
What the user should see
• The user goes to a resource
• They are presented with log in options
• They select the “UK Federation” or “Institutional sign on” etc. option
• The resource sends them to the “Where are You From” service
• They say they are from Oxford
• They then see their familiar Webauth screen
• Then the usual Oxford confirmation...
• Possibly a holding screen for 2-3 seconds before the user sees...
• ...the resource they were trying to reach a few seconds ago
• The next time they try to get to a resource, they're almost straight in (no need to authenticate again) as there's a cookie kept in the browser.
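The redirect chain on these slides, as an added example (not code from the presentation or from the Shibboleth SP): a Python model of a resource that sends a browser with no session to the WAYF, a WAYF that forwards to the chosen institution's IdP with the target preserved, and an SP that mints a random session cookie once the IdP's assertion has been consumed, so the next request is served without another login until the session expires. The WAYF and IdP URLs, the cookie name and the eight-hour lifetime are assumptions; verifying the assertion itself is out of scope here, so consume_assertion is handed attributes the SP has already checked.

```python
"""Toy model of the user-visible Shibboleth sequence: resource -> WAYF ->
IdP -> back to the resource with a session cookie. Example code, not the
Shibboleth SP. URLs, cookie name and lifetime are assumptions."""
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

WAYF_URL = "https://wayf.example.org/WAYF"                       # assumed discovery service
IDPS = {"Oxford": "https://idp.oxford.example/shibboleth-idp/SSO"}  # constructed
SESSION_COOKIE = "_shibsession_example"
SESSION_LIFETIME = timedelta(hours=8)


class ServiceProvider:
    """Minimal SP: a resource behind a session check."""

    def __init__(self, base_url):
        self.base_url = base_url
        self.sessions = {}  # cookie value -> (expiry, attributes)

    def handle_request(self, path, cookies, now):
        """Serve the resource if the browser presents a live session cookie;
        otherwise redirect to the WAYF with the resource URL as the target
        to come back to. Unknown or expired tokens are treated alike."""
        token = cookies.get(SESSION_COOKIE)
        session = self.sessions.get(token)
        if session and now < session[0]:
            return ("content", session[1])
        self.sessions.pop(token, None)  # drop an expired session
        target = self.base_url + path
        return ("redirect", f"{WAYF_URL}?{urlencode({'target': target})}")

    def consume_assertion(self, attrs, now):
        """The IdP's assertion has been verified: mint an opaque, random
        session token (nothing about the user is in the cookie itself) and
        return the Set-Cookie value the browser should keep."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (now + SESSION_LIFETIME, dict(attrs))
        return f"{SESSION_COOKIE}={token}; Path=/; Secure; HttpOnly"


def wayf_choose(institution, target):
    """The user says where they are from; the WAYF hands them on to that
    institution's IdP, preserving the target so they can be sent back."""
    sso_url = IDPS.get(institution)
    if sso_url is None:
        raise KeyError(f"no IdP registered for {institution}")
    return f"{sso_url}?{urlencode({'target': target})}"


def parse_cookie_header(set_cookie):
    """Browser side: pick the name=value pair out of a Set-Cookie value."""
    name, _, value = set_cookie.split(";", 1)[0].partition("=")
    return {name: value}


def walk_through(now=None):
    """Drive the whole sequence and return what the user sees at each step."""
    now = now or datetime.now(timezone.utc)
    sp = ServiceProvider("https://journal.example.com")
    seen = []

    def describe(kind, where):
        return kind if kind == "content" else f"redirect to {urlsplit(where).netloc}"

    # First visit: no cookie yet, so off to the WAYF.
    kind, where = sp.handle_request("/article/42", {}, now)
    seen.append(describe(kind, where))
    # At the WAYF the user picks Oxford and is forwarded to the Webauth login.
    target = parse_qs(urlsplit(where).query)["target"][0]
    seen.append("idp login at " + urlsplit(wayf_choose("Oxford", target)).netloc)
    # The IdP authenticates and posts its assertion to the SP; we skip straight
    # to the verified attributes and the cookie the SP sets in reply.
    cookie = parse_cookie_header(sp.consume_assertion({"affiliation": "member"}, now))
    kind, where = sp.handle_request("/article/42", cookie, now + timedelta(seconds=3))
    seen.append(describe(kind, where))
    # Next resource a minute later: cookie still valid, straight in.
    kind, where = sp.handle_request("/article/43", cookie, now + timedelta(minutes=1))
    seen.append(describe(kind, where))
    # A guessed cookie value gets nowhere: tokens are random, not derived.
    kind, where = sp.handle_request("/article/43", {SESSION_COOKIE: "guess"}, now + timedelta(minutes=1))
    seen.append(describe(kind, where))
    # A day later the session has expired: back to the WAYF.
    kind, where = sp.handle_request("/article/43", cookie, now + timedelta(days=1))
    seen.append(describe(kind, where))
    return seen
```

Two design points worth noticing: the session token is random and opaque, so the cookie carries no attributes and cannot be edited into a different role, and the SP evaluates expiry on every request rather than trusting the cookie's presence. Returning the user to the original target after the WAYF/IdP detour is what makes the "holding screen, then the resource" experience on the slides work.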
Trusting the SP, IdP etc.
• All of these bodies trust each other (implicitly) as they all belong to the same Federation
• A federation has a set of rules that everyone obeys, e.g. security policy for IdPs, privacy policies for SPs
• A service provider (SP) can provide services for multiple federations
• An institution such as Oxford (or its IdP) could belong to multiple federations too.

The UK Federation
• A group of member organisations who sign up to a set of rules (see next slides)
• Is an independent body funded by Becta and JISC
• Manages the trust relationships between members

The UK Federation: rules for IdPs
• Provide data that is accurate and up-to-date
• Comply with technical specifications
• Observe good practice for configuration, operation, and security of service, exchange of data, private keys, ...
• Must hold all licences and permissions required
• Must not damage reputation of Federation
• Give 'reasonable assistance' to investigate misuse

The UK Federation: rules for SPs
• Must not disclose attributes to 3rd parties
• Use attributes only for access control or presentation decisions (and only for the service that the user requested)...
• ...or for generating aggregated anonymised usage statistics
• SP is responsible for management of access rights: federation has no liability
Chris: Privacy and the 4 attributes
Chris to add slides

Chris: Shib architecture at Oxford
Chris to add slides

Chris: DEMO????
Christian – check out this page for other resources: http://ukfederation.org/content/Documents/AvailableServices
(But I got “Shibboleth Identity Provider Failure. The inter-institutional access system experienced a technical failure. Please email root@localhost and include the following error message: Identity Provider failure at (/shibboleth-idp/SSO) org.opensaml.SAMLException: Invalid assertion consumer service URL.”)