280 likes | 696 Views
Shibboleth. A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See --Judges xii. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.
E N D
Shibboleth • A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See --Judges xii. • Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. • - Webster's Revised Unabridged Dictionary (1913):
Shibboleth - What is it? • an initiative to analyze and develop mechanisms(architectures, frameworks, protocols and implementations) for inter-institutional web access control • facilitated by Mace (a committee of leading higher ed IT architects) and Internet2 • “authenticate locally, act globally” the Shibboleth shibboleth • oriented towards privacy and complements corporate standards efforts • open solution • http://middleware.internet2.edu/shibboleth • vendor participation - IBM/Tivoli and OASIS
Isn’t This What PKI Does? • PKI could do some of this and a whole lot more; as a consequence, PKI does very little right now • End-to-end PKI fits the Shibboleth model, but other forms of authentication do as well • Uses a lightweight certificate approach for inter-institutional communications - uses the parts of PKI that work today (server side certs) and avoids the parts of PKI that don’t work today (eg client certs). • Allows campuses to use other forms of authentication locally • May actually have benefits over the end-user to target-site direct interactions...
Related Work • Previous DLF work • http://www.clir.org/diglib/presentations/cnis99/sld001.htm • OASIS Security Services Technical Committee (vendor activity, kicked off 1/2001) • http://www.oasis-open.org/committees/security/index.shtml • http://lists.oasis-open.org/archives/security-services/ • UK - Athens and Sparta projects • http://www.jisc.ac.uk/pub00/sparta_disc.html • Spain - rediris project • http://www.rediris.es/app/papi/index.en.html
Assumptions • Leverage vendor and standards activity wherever possible (OASIS) • (Initially) disturb as little of the existing campus infrastructure as possible • Work with common, minimal authorization systems (eg htaccess) • Encourage good campus behaviors • Learn through doing • Create a marketplace and reference implementations • Protect Personal Privacy!
Stage 1 - Addressing Three Scenario’s • Member of campus community accessing licensed resource • Anonymity required • Member of a course accessing remotely controlled resource • Anonymity required • Member of a workgroup accessing controlled resources • Controlled by unique identifiers (e.g. name) • Taken individually, each of these situations can be solved in a variety of straightforward ways. • Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.
Architectural Model • Local Authentication • Local Entity Willing to Create and Sign Entitlement • Set of assertions about the user (Attribute/value pairs) • User has control over disclosure • Identity optional • “active member of community”, “Associated with Course XYZ” • Target responsible for Authorization • Rules engine • Matches contents of entitlements against ruleset associated with target object • Cross Domain Trust • Previously created between origin and target • Perhaps there is a contract (information providers..)
Shibboleth ArchitectureConcepts - High Level Browser Pass content if user is allowed Target Web Server Authorization Phase Authentication Phase First Access - Unauthenticated Target Site Origin Site
Shibboleth ArchitectureConcepts (detail) Browser Target Web Server Authorization Phase Authentication Phase Success! Entitlements Attribute Server Ent Prompt Req Ent Second Access - Authenticated Auth OK Pass entitlements for authz decision Web Login Server Redirect User to Local Web Login Pass content if user is allowed Authentication Ask to Obtain Entitlements First Access - Unauthenticated Target Site Origin Site
local authentication server - assumed part of the campus environment web sso server - typically works with local authn service to provide web single sign-on resource manager proxy, resource manager - may serve as control points for actual web page access attribute authority - assembles/disassembles/validates signed XML objects using attribute repository and policy tables attribute repository - an LDAP directory, or roles database or…. Where are you from service - one possible way to direct external users to their own local authn service attribute mapper - converts user entitlements into local authorization values PDP - policy decision points - decide if user attributes meet authorization requirements SHAR - Shibboleth Attribute Requestor - used by target to request user attributes Descriptions of services
Component Relationship Model TARGET ORIGIN
Authorization Attributes • Typical Assertions in the Higher Ed Community • EPPN=gettes@georgetown.edu • “active member of the community” • “active in course X” • member of group “georgetown.giia • ? • Signed by the institution! (optional in OASIS, required in Shib)
Isn’t This What LDAP Does? • Since this doesn’t exist yet, it can do a lot more than LDAP! (-: • XML is so extensible that this is the last protocol that we’ll ever need! (-: • OK, tell me really….. • The key here is the CONTROLLED dissemination of attribute information, based on multiple factors.
Shibboleth Architecture -- Managing Trust • TRUST Shib engine Attribute Server Target Web Server Browser Target Site Origin Site
Personal Privacy • Web Login Server provides a pseudonymous identity • An Attribute Authority releases Personal Information associated with that pseudonymous identity to site X based on: • Site Defaults • Business Rules • User control • myAA • Filtered by • Contract provisions My AA Site Defaults Contact Provisions Browser User
Charge -- OASIS Security Services Technical Committee • Standardize: • an XML format for "assertions” (authentication, authorization, authorization decision, access yes/no) • (maybe) a (stateless ?) request/response protocol for obtaining assertions • transport bindings for this protocol to HTTP, S/MIME, RMI, etc. • This will be accompanied by requirements/scenarios, compliance info, security considerations, etc • Out of Scope… • How authentication is done • Defining specific attributes (eg “member of community”) • Establishing trust between origin and target • Note.. • Inter-product, not explicitly inter-domain
Shibboleth vs OASIS Security Effort vs Products • OASIS Security Effort • Defining Standards to support inter-operation of web access control products • Vendor Products • Implement Standards • Add value in Authentication, Attribute Authority, PDP • Shibboleth • Open Source Implementation! • Create Trust Framework • Define Higher Ed specific Attributes • (hopefully) “Where are you from?” service
It’s Policies All the Way Down • to trust the security domain to provide attributes correctly, handle attributes responsibly, protect its signing key, etc… • to set controls on the type of information that an institution will release for a remote request for attributes • to translate global attributes into local syntax and semantics • to handle requests to the user for a release decision in a reasonable fashion
It’s Policy Languages All the Way Down • Club Shibboleth to reach out-of-band agreements among institutions and digital resource providers • Controls for the type of information to be released to a target is a complex set of tools: • a matching engine to determine the applicable policy for the target • an XML oriented expression of the policy to map to local attributes • a LISP (???) oriented tool to integrate policy constraints from other sources, such as the user’s preferences, etc. • First pass of mapping of attributes will be from XML into eduPerson attributes • User interface?????????
Campus and Resource Requirements • To participate in Shibboleth, a site must have: • Campus-wide authentication service • Campus-wide identifier space (EPPN) • Implementation of EduPerson objectclass • Ability to generate attributes (eg “active member of the community”)
Issues • Personal Privacy (reasonable expectation, laws) • Relation to local weblogin (Single Signon) • Portals • Use of Shibboleth framework by services beyond the web • Grid resources and users
Web Login SSO Attribute Authority Service 2 Shib Target Service 1 Portal Local Web Login Server Browser user
Relationship - Shibboleth to Portals Apps Web Resource Web Res Portal Portal Dir Shibboleth Shibboleth Shibboleth Shibboleth PDP AuthN Dir Web Login
Project Status/Next Steps • Requirements and Scenarios document nearly finished • IBM and Mace-Shibboleth are refining architecture and evaluating issues • IBM intends to develop an Apache web module • Internet2 intends to develop supporting materials (documentation, installation, etc) and web tools (for htaccess construction, filter and access control, remote resource attribute discovery). • Technical design complete - May, 2001 • Coding of a prototype begins June 1 • Pilot sites start-up - Aug, 2001 • Public demo of the prototype by the pilots - Internet2 Fall Member Meeting 2001
Shibboleth, eduPerson, and everything else Middleware Inputs & Outputs Licensed Resources Embedded App Security Grids OKI JA-SIG & uPortal Inter-realm calendaring futures Shibboleth, eduPerson, Affiliated Dirs, etc. Enterprise authZ Campus web sso Enterprise Directory Enterprise Authentication Legacy Systems