1 / 28

Shibboleth

Shibboleth. A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See --Judges xii. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.

kyleigh
Download Presentation

Shibboleth

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Shibboleth • A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See --Judges xii. • Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. • - Webster's Revised Unabridged Dictionary (1913):

  2. Shibboleth - What is it? • an initiative to analyze and develop mechanisms(architectures, frameworks, protocols and implementations) for inter-institutional web access control • facilitated by Mace (a committee of leading higher ed IT architects) and Internet2 • “authenticate locally, act globally” the Shibboleth shibboleth • oriented towards privacy and complements corporate standards efforts • open solution • http://middleware.internet2.edu/shibboleth • vendor participation - IBM/Tivoli and OASIS

  3. Isn’t This What PKI Does? • PKI could do some of this and a whole lot more; as a consequence, PKI does very little right now • End-to-end PKI fits the Shibboleth model, but other forms of authentication do as well • Uses a lightweight certificate approach for inter-institutional communications - uses the parts of PKI that work today (server side certs) and avoids the parts of PKI that don’t work today (eg client certs). • Allows campuses to use other forms of authentication locally • May actually have benefits over the end-user to target-site direct interactions...

  4. Related Work • Previous DLF work • http://www.clir.org/diglib/presentations/cnis99/sld001.htm • OASIS Security Services Technical Committee (vendor activity, kicked off 1/2001) • http://www.oasis-open.org/committees/security/index.shtml • http://lists.oasis-open.org/archives/security-services/ • UK - Athens and Sparta projects • http://www.jisc.ac.uk/pub00/sparta_disc.html • Spain - rediris project • http://www.rediris.es/app/papi/index.en.html

  5. Assumptions • Leverage vendor and standards activity wherever possible (OASIS) • (Initially) disturb as little of the existing campus infrastructure as possible • Work with common, minimal authorization systems (eg htaccess) • Encourage good campus behaviors • Learn through doing • Create a marketplace and reference implementations • Protect Personal Privacy!

  6. Stage 1 - Addressing Three Scenario’s • Member of campus community accessing licensed resource • Anonymity required • Member of a course accessing remotely controlled resource • Anonymity required • Member of a workgroup accessing controlled resources • Controlled by unique identifiers (e.g. name) • Taken individually, each of these situations can be solved in a variety of straightforward ways. • Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.

  7. Architectural Model • Local Authentication • Local Entity Willing to Create and Sign Entitlement • Set of assertions about the user (Attribute/value pairs) • User has control over disclosure • Identity optional • “active member of community”, “Associated with Course XYZ” • Target responsible for Authorization • Rules engine • Matches contents of entitlements against ruleset associated with target object • Cross Domain Trust • Previously created between origin and target • Perhaps there is a contract (information providers..)

  8. Shibboleth ArchitectureConcepts - High Level Browser Pass content if user is allowed Target Web Server Authorization Phase Authentication Phase First Access - Unauthenticated Target Site Origin Site

  9. Shibboleth ArchitectureConcepts (detail) Browser Target Web Server Authorization Phase Authentication Phase Success! Entitlements Attribute Server Ent Prompt Req Ent Second Access - Authenticated Auth OK Pass entitlements for authz decision Web Login Server Redirect User to Local Web Login Pass content if user is allowed Authentication Ask to Obtain Entitlements First Access - Unauthenticated Target Site Origin Site

  10. Shibboleth Components

  11. local authentication server - assumed part of the campus environment web sso server - typically works with local authn service to provide web single sign-on resource manager proxy, resource manager - may serve as control points for actual web page access attribute authority - assembles/disassembles/validates signed XML objects using attribute repository and policy tables attribute repository - an LDAP directory, or roles database or…. Where are you from service - one possible way to direct external users to their own local authn service attribute mapper - converts user entitlements into local authorization values PDP - policy decision points - decide if user attributes meet authorization requirements SHAR - Shibboleth Attribute Requestor - used by target to request user attributes Descriptions of services

  12. Shibboleth Flows Draft

  13. Component Relationship Model TARGET ORIGIN

  14. Authorization Attributes • Typical Assertions in the Higher Ed Community • EPPN=gettes@georgetown.edu • “active member of the community” • “active in course X” • member of group “georgetown.giia • ? • Signed by the institution! (optional in OASIS, required in Shib)

  15. Isn’t This What LDAP Does? • Since this doesn’t exist yet, it can do a lot more than LDAP! (-: • XML is so extensible that this is the last protocol that we’ll ever need! (-: • OK, tell me really….. • The key here is the CONTROLLED dissemination of attribute information, based on multiple factors.

  16. Shibboleth Architecture -- Managing Trust • TRUST Shib engine Attribute Server Target Web Server Browser Target Site Origin Site

  17. Personal Privacy • Web Login Server provides a pseudonymous identity • An Attribute Authority releases Personal Information associated with that pseudonymous identity to site X based on: • Site Defaults • Business Rules • User control • myAA • Filtered by • Contract provisions My AA Site Defaults Contact Provisions Browser User

  18. Charge -- OASIS Security Services Technical Committee • Standardize: • an XML format for "assertions” (authentication, authorization, authorization decision, access yes/no) • (maybe) a (stateless ?) request/response protocol for obtaining assertions • transport bindings for this protocol to HTTP, S/MIME, RMI, etc. • This will be accompanied by requirements/scenarios, compliance info, security considerations, etc • Out of Scope… • How authentication is done • Defining specific attributes (eg “member of community”) • Establishing trust between origin and target • Note.. • Inter-product, not explicitly inter-domain

  19. Shibboleth vs OASIS Security Effort vs Products • OASIS Security Effort • Defining Standards to support inter-operation of web access control products • Vendor Products • Implement Standards • Add value in Authentication, Attribute Authority, PDP • Shibboleth • Open Source Implementation! • Create Trust Framework • Define Higher Ed specific Attributes • (hopefully) “Where are you from?” service

  20. It’s Policies All the Way Down • to trust the security domain to provide attributes correctly, handle attributes responsibly, protect its signing key, etc… • to set controls on the type of information that an institution will release for a remote request for attributes • to translate global attributes into local syntax and semantics • to handle requests to the user for a release decision in a reasonable fashion

  21. It’s Policy Languages All the Way Down • Club Shibboleth to reach out-of-band agreements among institutions and digital resource providers • Controls for the type of information to be released to a target is a complex set of tools: • a matching engine to determine the applicable policy for the target • an XML oriented expression of the policy to map to local attributes • a LISP (???) oriented tool to integrate policy constraints from other sources, such as the user’s preferences, etc. • First pass of mapping of attributes will be from XML into eduPerson attributes • User interface?????????

  22. Campus and Resource Requirements • To participate in Shibboleth, a site must have: • Campus-wide authentication service • Campus-wide identifier space (EPPN) • Implementation of EduPerson objectclass • Ability to generate attributes (eg “active member of the community”)

  23. Issues • Personal Privacy (reasonable expectation, laws) • Relation to local weblogin (Single Signon) • Portals • Use of Shibboleth framework by services beyond the web • Grid resources and users

  24. Web Login SSO Attribute Authority Service 2 Shib Target Service 1 Portal Local Web Login Server Browser user

  25. Relationship - Shibboleth to Portals Apps Web Resource Web Res Portal Portal Dir Shibboleth Shibboleth Shibboleth Shibboleth PDP AuthN Dir Web Login

  26. Project Status/Next Steps • Requirements and Scenarios document nearly finished • IBM and Mace-Shibboleth are refining architecture and evaluating issues • IBM intends to develop an Apache web module • Internet2 intends to develop supporting materials (documentation, installation, etc) and web tools (for htaccess construction, filter and access control, remote resource attribute discovery). • Technical design complete - May, 2001 • Coding of a prototype begins June 1 • Pilot sites start-up - Aug, 2001 • Public demo of the prototype by the pilots - Internet2 Fall Member Meeting 2001

  27. Shibboleth, eduPerson, and everything else Middleware Inputs & Outputs Licensed Resources Embedded App Security Grids OKI JA-SIG & uPortal Inter-realm calendaring futures Shibboleth, eduPerson, Affiliated Dirs, etc. Enterprise authZ Campus web sso Enterprise Directory Enterprise Authentication Legacy Systems

  28. Questions?

More Related