1 / 39

Shibboleth A Technical Overview

Shibboleth A Technical Overview. Tom Scavo trscavo@ncsa.uiuc.edu NCSA. What is Shibboleth?. Shibboleth provides cross-domain single sign-on and attribute-based authorization while preserving user privacy Shibboleth is simultaneously: A project A specification An implementation.

imala
Download Presentation

Shibboleth A Technical Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ShibbolethA Technical Overview Tom Scavotrscavo@ncsa.uiuc.edu NCSA

  2. What is Shibboleth? • Shibboleth provides cross-domain single sign-on and attribute-based authorization while preserving user privacy • Shibboleth is simultaneously: • A project • A specification • An implementation

  3. Shibboleth Project • Shibboleth, a project of Internet2-MACE: • Advocates a federated identity management policy framework focused on user privacy • Develops middleware architectures to facilitate inter-institutional attribute sharing • Manages an open source reference implementation of the Shibboleth spec • Shibboleth has made significant contributions to the SAML-based identity management space

  4. Collaborations Internet2 OASIS E-Auth Shibboleth Educause Liberty Vendors

  5. Shibboleth Specification • Shibboleth is an extension of the SAML 1.1 browser profiles: • Shibboleth Browser/POST Profile • Shibboleth Browser/Artifact Profile • Shibboleth Attribute Exchange Profile • See the Shibboleth spec for details:S. Cantor et al., Shibboleth Architecture: Protocols and Profiles. Internet2-MACE, 10 September 2005.

  6. Shibboleth Implementation • The Shibboleth implementation consists of two components: • Shibboleth Identity Provider • Shibboleth Service Provider • The Identity Provider is a J2EE webapp • The Service Provider is a C++ Apache module • A pure Java Service Provider is in beta

  7. The Shibboleth Experience

  8. The Shibboleth Wiki • For example, the Shibboleth wiki (hosted at ohio-state.edu) is “shibbolized”:https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/WebHome • To edit wiki pages, a user must be known to the wiki • Users have wikiNames but do not have wiki passwords • Users log into their home institution, which asserts user identity to the wiki

  9. Shib Browser Profile • The user clicks the link “Login via InQueue IdP” • This initiates a sequence of steps known as the Shibboleth Browser Profile 3 C L I E N T UIUC 4 InQueue 1 6 7 2 5 OSU 8

  10. Shib Browser Profile • InQueue provides a “Where Are You From?” service • The user chooses their preferred identity provider from a menu 3 C L I E N T UIUC 4 InQueue 1 6 7 2 5 OSU 8

  11. Shib Browser Profile • The user is redirected to UIUC login page • After login, the user is issued a SAML assertion and redirected back to the wiki 3 C L I E N T UIUC 4 InQueue 1 6 7 2 5 OSU 8

  12. Shib Browser Profile • After validating the assertion, the wiki@OSU retrieves user attributes via back-channel Shib attribute exchange 3 C L I E N T UIUC 4 InQueue 1 6 7 2 5 OSU 8

  13. Asserting Identity • Initially, the user is unknown to the wiki • After querying the home institution, the wiki knows the user’s identity • “trscavo-uiuc.edu” is wiki-speak for trscavo@uiuc.edu • The latter is eduPersonPrincipalName, an identity attribute asserted by the user’s home institution

  14. OpenIdP.org • By design, a user with an account at an institution belonging to InCommon, InQueue, or SDSS can log into the wiki:https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/WebHome • Other users can register at openidp.org, which is a zero-admin Shibboleth IdP • The openidp asserts an alternate form of identity (email addresses as opposed to eduPersonPrincipalName)

  15. Shibboleth SSO Profiles

  16. The Actors • Identity Provider • The Identity Provider (IdP) creates, maintains, and manages user identity • A Shibboleth IdP produces SAML assertions • Service Provider • The Service Provider (SP) controls access to services and resources • A Shibboleth SP consumes SAML assertions Identity Provider Authentication Authority Attribute Authority SSO Service Artifact Resolution Service Assertion Consumer Service Attribute Requester Resource Service Provider

  17. Shib SSO Profiles • Shibboleth SSO profiles are SP-first • Shibboleth specifies an Authentication Request Profile • Shibboleth Browser/POST Profile = Shib Authn Request Profile + SAML Browser/POST Profile • Shibboleth Browser/Artifact Profile = Shib Authn Request Profile + SAML Browser/Artifact Profile

  18. Shib AuthN Request Profile • A Shibboleth authentication request is an ordinary GET request:https://idp.org/shibboleth/SSO? providerId=https://sp.org/shibboleth/& shire=https://sp.org/shibboleth/SSO& target=https://sp.org/myresource& time=1102260120 • The client is redirected to this location after requesting a protected resource at the SP without a security context

  19. Shib Browser/POST Profile • Browser/POST is an SP-first profile • The IdP produces an assertion at step 4, which the SP consumes at step 5 Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 Assertion Consumer Service 6 5 8 Resource 7 2 1 Service Provider

  20. Attributes

  21. Shib Attribute Exchange • A Shibboleth SP often queries an IdP for attributes after validating an authN assertion • An opaque, transient identifier called a handle is embedded in the authN assertion • The SP sends a SAML AttributeQuery message with handle attached

  22. Browser/POST Profile • The first 5 steps of this profile are identical to ordinary Browser/POST • Before redirecting the Client to the Resource Manager, the SP queries for attributes via a back-channel exchange Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 7 6 Assertion Consumer Service Attribute Requester 8 5 10 Resource 9 2 1 Service Provider

  23. Browser/POST Step 1 • The Client requests a target resource at the SP Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority Assertion Consumer Service Resource 1 Service Provider

  24. Browser/POST Step 2 • The SP performs a security check on behalf of the target resource • If a valid security context at the SP does not exist, the SP redirects the Client to the single sign-on (SSO) service at the IdP Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority Assertion Consumer Service Resource 2 1 Service Provider

  25. Browser/POST Step 3 • The Client requests the SSO service at the IdP Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority 3 Assertion Consumer Service Resource 2 1 Service Provider

  26. Browser/POST Step 4 • The SSO service processes the authN request and performs a security check • If the user does not have a valid security context, the IdP identifies the principal (details omitted) • The SSO service produces an authentication assertion and returns it to the Client Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 Assertion Consumer Service Resource 2 1 Service Provider

  27. Browser/POST Step 5 • The Client issues a POST request to the assertion consumer service at the SP • The authN assertion is included with the request Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 Assertion Consumer Service 5 Resource 2 1 Service Provider

  28. Browser/POST Step 6 • The assertion consumer service validates the request, creates a security context at the SP • The attribute requester sends a (mutually authenticated) attribute query to the AA Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 6 Assertion Consumer Service Attribute Requester 5 Resource 2 1 Service Provider

  29. Browser/POST Step 7 • The IdP returns an attribute assertion subject to attribute release policy • The SP filters the attributes according to attribute acceptance policy Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 7 6 Assertion Consumer Service Attribute Requester 5 Resource 2 1 Service Provider

  30. Browser/POST Step 8 • The assertion consumer service updates the security context and redirects the Client to the target resource Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 7 6 Assertion Consumer Service Attribute Requester 8 5 Resource 2 1 Service Provider

  31. Browser/POST Step 9 • The Client requests the target resource at the SP (again) Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 7 6 Assertion Consumer Service Attribute Requester 8 5 Resource 9 2 1 Service Provider

  32. Browser/POST Step 10 • Since a security context exists, the SP returns the resource to the Client Identity Provider C L I E N T Authentication Authority SSO Service Attribute Authority 4 3 7 6 Assertion Consumer Service Attribute Requester 8 5 10 Resource 9 2 1 Service Provider

  33. Directory Schema • Neither Shibboleth nor SAML define any attributes per se • It is left to individual deployments to define their own attributes • A standard approach to user attributes is crucial • Without such standards, interoperability is impossible

  34. eduPerson • Internet2 and EDUCAUSE have jointly developed a set of attributes and associated bindings called eduPerson • The LDAP binding of eduPerson is derived from the standard LDAP object class called inetOrgPerson [RFC 2798] • Approximately 40 attributes have been defined by InCommon as common identity attributes

  35. InCommon Attributes • InCommon’s 6 “highly recommended” attributes: (eduPersonTargetedID does not have a precise value syntax)

More Related