
Shibboleth Update: High-Level Browser Pass and Authentication Flow

This update explains the concepts and architecture of Shibboleth, focusing on the browser's pass through the target web server's authentication and authorization phases. It covers entitlements, attribute authorities and attribute release, and the flow for a first (unauthenticated) and a second (authenticated) access to a target site.


Presentation Transcript


  1. Shibboleth Update. Michael Gettes, Principal Technologist, Georgetown University; Ken Klingenstein, Director, Internet2 Middleware Initiative

  2. Shibboleth Architecture Concepts - High Level (diagram). Target Site: Browser and Target Web Server, with an Authentication Phase and an Authorization Phase. Origin Site. Flow: First Access - Unauthenticated; pass content if user is allowed.

  3. Shibboleth Architecture Concepts (detail) (diagram). Target Site: Browser and Target Web Server, with an Authentication Phase and an Authorization Phase. Origin Site: Web Login Server and Attribute Server. Flow: First Access - Unauthenticated; Redirect User to Local Web Login; Authentication; Auth OK; Second Access - Authenticated; Ask to Obtain Entitlements (Req Ent / Ent Prompt); Entitlements; Pass entitlements for authz decision; Success! Pass content if user is allowed.

  4. Shibboleth Architecture

  5. Shibboleth Components

  6. Descriptions of services
     • local authn server - assumed part of the campus environment
     • web sso server - typically works with local authn service to provide web single sign-on
     • resource manager proxy, resource manager - may serve as control points for actual web page access
     • attribute authority - assembles/disassembles/validates signed XML objects using attribute repository and policy tables
     • attribute repository - an LDAP directory, or roles database or…
     • Where are you from service - one possible way to direct external users to their own local authn service
     • attribute mapper - converts user entitlements into local authorization values
     • PDP - policy decision points - decide if user attributes meet authorization requirements
     • SHAR - Shibboleth Attribute Requestor - used by target to request user attributes

  7. Shibboleth Flows Draft

  8. Shibboleth Architecture -- Managing Trust (diagram labels: TRUST; Shib engine; Attribute Server; Target Web Server; Browser; Target Site; Origin Site)

  9. Personal Privacy
     • Web Login Server provides a pseudonymous identity
     • An Attribute Authority releases Personal Information associated with that pseudonymous identity to site X based on: Site Defaults; Business Rules; User control (myAA); filtered by Contract provisions
     (diagram labels: My AA; Site Defaults; Contract Provisions; Browser; User)
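The flow on slide 3 and the attribute-release model on slide 9 can be exercised end to end in a few dozen lines. The following is an added illustration, not Shibboleth code: the component names (Web Login Server, Attribute Authority, SHAR, attribute mapper, PDP) follow the slides, while the user record, the ARP tables, the resource policy table and the handle format are all constructed assumptions for this example. It shows what the target actually learns about the user (a pseudonymous handle plus whatever the site-default and user ARPs jointly allow) and how the PDP decides on the mapped values.

```python
"""Toy Shibboleth-style flow (added example, not project code).

Origin side: WebLoginServer issues a pseudonymous handle, AttributeAuthority
releases attributes filtered by ARPs.  Target side: SHAR fetches attributes,
attribute_mapper turns them into local values, pdp decides.  All data below
is constructed for illustration.
"""
import secrets

# Constructed attribute repository at the origin site (stand-in for LDAP).
ATTRIBUTE_REPOSITORY = {
    "alice": {
        "eduPersonAffiliation": ["student"],
        "eduPersonEntitlement": ["urn:mace:example.edu:contract:jstor"],
        "mail": ["alice@example.edu"],
        "displayName": ["Alice Example"],
    },
}

# Constructed ARPs.  Site defaults say what the origin releases to a given
# target by default; the user's own ARP ("myAA") may add to or veto that.
SITE_DEFAULT_ARP = {
    "target.example.org": {"eduPersonAffiliation", "eduPersonEntitlement"},
}
USER_ARP = {
    ("alice", "target.example.org"): {"allow": {"displayName"}, "deny": {"mail"}},
}

# Constructed policy table for the target's PDP: local values a resource needs.
RESOURCE_POLICY = {
    "/jstor/": {"entitlement:urn:mace:example.edu:contract:jstor"},
    "/staff-only/": {"affiliation:staff"},
}


class WebLoginServer:
    """Origin-site web SSO: authenticates locally and hands out a random,
    pseudonymous handle that reveals nothing about the user to the target."""

    def __init__(self, passwords):
        self._passwords = passwords   # constructed credential store
        self._handles = {}            # handle -> local username

    def login(self, username, password):
        if self._passwords.get(username) != password:
            return None               # authentication failed: no handle issued
        handle = secrets.token_hex(8)
        self._handles[handle] = username
        return handle

    def resolve(self, handle):
        return self._handles.get(handle)


class AttributeAuthority:
    """Origin-side AA: resolves the handle, then applies the site-default ARP
    and the user's ARP for this requester before releasing anything."""

    def __init__(self, login_server):
        self._login = login_server

    def release(self, handle, requester):
        username = self._login.resolve(handle)
        if username is None:
            raise PermissionError("unknown or expired handle")
        allowed = set(SITE_DEFAULT_ARP.get(requester, set()))
        user_arp = USER_ARP.get((username, requester), {})
        allowed |= user_arp.get("allow", set())
        allowed -= user_arp.get("deny", set())   # the user's veto wins
        repo = ATTRIBUTE_REPOSITORY[username]
        return {n: list(v) for n, v in repo.items() if n in allowed}


class SHAR:
    """Target-side Shibboleth Attribute Requestor."""

    def __init__(self, site, attribute_authority):
        self.site = site
        self._aa = attribute_authority

    def request_attributes(self, handle):
        return self._aa.release(handle, self.site)


def attribute_mapper(attributes):
    """Converts released attributes into the target's local authz values."""
    local = set()
    for value in attributes.get("eduPersonAffiliation", []):
        local.add("affiliation:" + value)
    for value in attributes.get("eduPersonEntitlement", []):
        local.add("entitlement:" + value)
    return local


def pdp(local_values, resource):
    """Policy decision point: allow only if every required value is present;
    an unknown resource is denied by default."""
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return False
    return required <= local_values


def access_resource(shar, handle, resource):
    """Second (authenticated) access: fetch, map, decide.  Returns the
    decision and what the target actually received about the user."""
    attributes = shar.request_attributes(handle)
    return pdp(attribute_mapper(attributes), resource), attributes
```

Note where the privacy boundary sits: the target never sees a username, only a handle, and the denial of `mail` in the user ARP overrides the site default even if a later site default were to add it. A second SHAR at a site with no ARP entry gets an empty release and is therefore denied.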

  10. Managing ARPs

  11. Middleware Marketing

  12. Shibboleth Inter-Realm AuthZ. We all get Web SSO for Local Authentication and an Enterprise Authorization Framework with an Integrated Portal that will all work inter-institutionally! (diagram labels: Local Web SSO Pressures; Drivers of Vapor Convergence; eduPerson 1.0; OKI/Web Authentication; JA-SIG uPortal Authen)

  13. Middleware Inputs & Outputs (diagram labels: Licensed Resources; Embedded App Security; Grids; OKI; JA-SIG & uPortal; Inter-realm calendaring futures; Shibboleth, eduPerson, Affiliated Dirs, etc.; Enterprise authZ; Campus Web SSO; Enterprise Directory; Enterprise Authentication; Legacy Systems)

  14. Errata--ica

  15. National Science Foundation NMI program
     • $12 million over 3 years
     • www.nsf-middleware.org
     • Middleware Service Providers, Integrators, Distributors
     • GRID (Globus)
     • Internet2 + EDUCAUSE + SURA
     • May 2002 – first set of deliverables from all parties

  16. The Liberty Alliance (www.project-liberty.org)
     • Sun Microsystems, American Express, United Airlines, Nokia, MasterCard, AOL Time Warner, American Airlines, Bank of America, Cisco, France Telecom, Intuit, NTT DoCoMo, Verisign, Schlumberger, Sony …
     • Initiated in September 2001.
     • Protect Privacy, Federated Administration, Interoperability, Standards based but requires new technology, hard problems to solve, a Network Identity Service
     • Funny, doesn't this stuff sound familiar?
