Shibboleth Deployment Overview
Keith Hazelton, University of Wisconsin-Madison
Internet2 MACE, Broomfield, Colorado, 28-June-04

Shibboleth v 1.2 Deployment Overview
• Identity Provider (Origin) Deployment
• Authentication/Identifier Assertion Phase Components & Dependencies
• Identity Attribute Assertion Phase
• Service Provider (Target) Deployment
• Two scenarios for each:
  • Shib “classic” e-Lib: accessing licensed resources
  • Shib federation across a state system: shared services
Identity Provider / (Origin)
[Diagram: Browser User, Identity Provider (“HS” Handle Service and Attribute Authority), Service Provider; the Identity Provider runs on Apache (1.3 or 2.0) / Tomcat web server / servlet container.]

Identity Provider / (Origin): AuthN, Identifier
[Diagram: Campus WebISO feeding the Identity Provider (“HS” and Attribute Authority) on Apache (1.3 or 2.0) / Tomcat web server / servlet container.]
WebISO requirements from Shib (Campus WebISO)
• WebISO can authenticate a set of users based on locally issued/registered credentials
• Open source WebISO package, PubCookie, mentioned in “Origin” Deployment Guide
• For details & download, see http://middleware.internet2.edu/webiso/

WebISO alternatives (Campus WebISO)
• But end-user PKI certs work fine, too (configurable filter)
• And there are ways to support multiple AuthN methods with failover (see poster session on “World’s Smallest WebISO”)

WebISO requirements from Shib (Campus WebISO)
• WebISO can authenticate a set of users based on locally issued/registered credentials
• Are all the people who should get the licensed resources included?
• Do the policies governing accounts and credentials keep the service provider’s risk at an acceptable level?
Shib assumes core middleware including Identity Management (IdM) Services
[Diagram: Systems of Record (Student, Human Resources, Other) → Registry and Meta-Directory Processes → Enterprise Directory (LDAP Directory), which the Campus WebISO relies on.]

Identity Provider Middleware
[Diagram: Campus WebISO and Enterprise Directory behind the Identity Provider (“HS” and Attribute Authority) on Apache (1.3 or 2.0) / Tomcat web server / servlet container.]
Identity Provider / (Origin): Attribute Assertion Phase
[Diagram: Browser User, Identity Provider (“HS” and Attribute Authority), Service Provider; the Identity Provider runs on Apache (1.3 or 2.0) / Tomcat web server / servlet container.]
Attribute Authority (AA) <–> Ent. Directory
• Shib AA Deployment Issues:
  • Configure AA to connect to Ent. Directory
  • Data connectors can be JNDI-based, JDBC-based (xml-configurable) or custom user plug-ins
  • Map Directory attributes to SAML attributes
Attribute Authority (AA) <–> Ent. Directory
• Fragment of ..conf/origin.xml [configuration listing shown on slide, not reproduced in this transcript]

Attribute Authority (AA) <–> Ent. Directory
• Resolver links named attributes to specific data connectors: [listing not reproduced]

Attribute Authority (AA) <–> Ent. Directory
• …and specifies connector (here JNDI LDAP): [listing not reproduced]

Attribute Authority (AA) <–> Ent. Directory
• …and specifies connector (here JDBC SQL): [listing not reproduced]
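The resolver slides above describe the data flow but the listings did not survive extraction. The following is an added toy model of that flow, not Shibboleth’s own resolver code: attribute definitions name a SAML attribute, the source attribute on the connector side, and the data connector they depend on; the JNDI (LDAP) and JDBC (SQL) connectors are stand-ins returning constructed records, and the attribute names, scope and principal are assumptions.

```python
"""Toy model of the Shibboleth 1.2 attribute resolver data flow.

Added example. The connector results below are constructed stand-ins for
what a JNDI (LDAP) and a JDBC (SQL) data connector would return; nothing
here talks to a real directory or database.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample of what the LDAP connector returns, keyed by principal.
LDAP_RECORDS = {
    "jdoe": {
        "eduPersonAffiliation": ["member", "staff"],
        "mail": ["jdoe@example.edu"],
        "givenName": ["Jane"],
    },
}

# Constructed sample of what the SQL connector returns, keyed by principal.
SQL_RECORDS = {
    "jdoe": {"course_id": ["urn:mace:example.edu:course:cs101"]},
}


def jndi_connector(principal):
    """Stand-in for a JNDI directory lookup of the authenticated principal."""
    return LDAP_RECORDS.get(principal, {})


def jdbc_connector(principal):
    """Stand-in for a JDBC query parameterised by the principal."""
    return SQL_RECORDS.get(principal, {})


@dataclass
class AttributeDefinition:
    id: str                      # SAML attribute name asserted to the SP
    source_name: str             # attribute name on the connector side
    connector: str               # id of the data connector this depends on
    scope: Optional[str] = None  # scoped attributes are released as value@scope


# Hypothetical resolver configuration (assumption, mirrors the slide's structure).
RESOLVER = {
    "connectors": {"directory": jndi_connector, "courses": jdbc_connector},
    "attributes": [
        AttributeDefinition("urn:mace:dir:attribute-def:eduPersonAffiliation",
                            "eduPersonAffiliation", "directory"),
        AttributeDefinition("urn:mace:dir:attribute-def:eduPersonScopedAffiliation",
                            "eduPersonAffiliation", "directory", scope="example.edu"),
        AttributeDefinition("urn:mace:dir:attribute-def:mail", "mail", "directory"),
        AttributeDefinition("urn:mace:example.edu:attribute-def:courseMembership",
                            "course_id", "courses"),
    ],
}


def resolve(principal, resolver=RESOLVER):
    """Resolve every defined attribute for principal.

    Each connector is queried once per principal; a definition whose source
    attribute is absent is simply not asserted rather than asserted empty.
    """
    cache = {}
    resolved = {}
    for adef in resolver["attributes"]:
        if adef.connector not in cache:
            connector = resolver["connectors"].get(adef.connector)
            if connector is None:
                raise KeyError(
                    f"attribute {adef.id} depends on unknown connector {adef.connector}")
            cache[adef.connector] = connector(principal)
        values = cache[adef.connector].get(adef.source_name, [])
        if not values:
            continue
        if adef.scope:
            values = [f"{v}@{adef.scope}" for v in values]
        resolved[adef.id] = list(values)
    return resolved


if __name__ == "__main__":
    for name, values in resolve("jdoe").items():
        print(name, values)
```

Note that `givenName` is present in the directory record but is never asserted, because no attribute definition names it: the resolver only produces what the configuration explicitly maps, which is the first line of defence against over-releasing directory data.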
Attribute Authority (AA) <–> Ent. Directory
• Shib AA Deployment Issues, cont.:
  • Comply with Attribute Release Policy (ARP) in determining which service providers get which attributes
  • Federation rules are given
  • Bilateral rules need to be worked out & agreed to

Attribute Authority (AA) <–> Ent. Directory
• Ah, yes, data access policy
• This may drag stakeholders kicking & screaming into the room to confront policy
• How you manage this will be key to successful deployment
• The big, friendly “DON’T PANIC” on the InCommon Book may help

Attribute Authority (AA) <–> Ent. Directory
• Shib can transport any attribute; it’s up to sender and receiver to agree on its semantics
• “Simple matter of configuration”
• Some of the newer attributes:
  • eduPersonTargetedID if you want a persistent identifier, but one that is specific to a given Identity Provider-Service Provider pair
  • Course-related attributes. URN-based identifier guideline for course offerings is near completion. eduCourse coming.
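The ARP slides and the eduPersonTargetedID bullet above describe two controls on what leaves the Attribute Authority: release rules (a federation default plus bilateral agreements per service provider) and a pairwise identifier that lets a service provider recognise a returning user without learning a cross-site identifier. The block below is an added illustration of both, not Shibboleth’s ARP engine or its targeted-ID generator: the rule structure, provider ids and attribute values are constructed, and deriving the pairwise id with an HMAC over (IdP, SP, principal) is an assumption chosen to show the property, not the 1.2 implementation.

```python
"""Added example: attribute release policy evaluation and a pairwise
persistent identifier in the spirit of eduPersonTargetedID.
All rules, ids and values below are constructed for illustration."""
import base64
import hashlib
import hmac

# Constructed: what the resolver produced for one authenticated user.
USER_ATTRS = {
    "urn:mace:dir:attribute-def:eduPersonAffiliation": ["member", "staff"],
    "urn:mace:dir:attribute-def:eduPersonScopedAffiliation": ["member@example.edu", "staff@example.edu"],
    "urn:mace:dir:attribute-def:mail": ["jdoe@example.edu"],
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": ["jdoe@example.edu"],
}

# Federation-wide default ("*" = any service provider in the federation):
# release only scoped affiliation, and only the value "member@example.edu".
# Everything not listed is denied by default.
FEDERATION_ARP = {
    "*": {"urn:mace:dir:attribute-def:eduPersonScopedAffiliation": {"member@example.edu"}},
}

# Bilateral agreements keyed by service provider id (constructed ids).
# A value set containing "*" means every value of that attribute may be released.
BILATERAL_ARPS = {
    "urn:mace:inc:example-elib": {
        "urn:mace:dir:attribute-def:eduPersonScopedAffiliation": {"*"},
    },
    "urn:mace:inc:example-portal": {
        "urn:mace:dir:attribute-def:mail": {"*"},
        "urn:mace:dir:attribute-def:eduPersonPrincipalName": {"*"},
    },
}


def release(attrs, sp_id, federation=FEDERATION_ARP, bilateral=BILATERAL_ARPS):
    """Return the subset of attrs (and values) the ARPs permit for sp_id.

    Permissions are the union of the federation default and the bilateral
    rule for this provider; an attribute with no matching rule is withheld.
    """
    allowed = {}
    for rule in (federation.get("*", {}), bilateral.get(sp_id, {})):
        for name, values in rule.items():
            allowed.setdefault(name, set()).update(values)
    released = {}
    for name, values in attrs.items():
        permitted = allowed.get(name)
        if not permitted:
            continue
        kept = list(values) if "*" in permitted else [v for v in values if v in permitted]
        if kept:
            released[name] = kept
    return released


def targeted_id(principal, idp_id, sp_id, idp_secret):
    """Pairwise pseudonymous identifier (illustrative HMAC construction).

    Stable for the same (IdP, SP, user) triple, different for every other SP,
    and not reversible or linkable across SPs without the IdP's secret.
    """
    message = f"{idp_id}!{sp_id}!{principal}".encode()
    digest = hmac.new(idp_secret, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


if __name__ == "__main__":
    for sp in ("urn:mace:inc:example-elib", "urn:mace:inc:example-portal", "urn:mace:inc:unknown-sp"):
        print(sp, release(USER_ATTRS, sp))
        print("  targetedID:", targeted_id("jdoe", "urn:mace:inc:example-idp", sp, b"constructed-secret"))
```

A provider with no bilateral agreement gets only the federation default; the e-Lib provider sees all affiliation values but never mail or principal name; and the same user presents a different targeted id to each provider, so two providers cannot correlate their records by identifier alone.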
Service Provider / (Target)
[Diagram: Browser User, Identity Provider, Service Provider; the Service Provider runs on Apache (1.3 or 2.0) / Tomcat web server / servlet container, or IIS 5.x or 6.]

Shib Features for Service Providers
• WAYF for federations, other options configurable
• Authentication method can be passed in attribute assertion for fine tuning risk management
• A site may have a public face with specific links that invoke Shib

Services you might not have thought of Shibbing
• Roaming Access to WLAN
  • http://www.terena.nl/conferences/tnc2004/programme/presentations/show.php?pres_id=165
  • Mikael Linden, CSC, the Finnish IT center for Science
  • RADIUS-based access controller is a Shibboleth target
  • Network access control decision based on user’s “home” attributes

Services you might not have thought of Shibbing
• Portal as Shib Service
  • Apache in front of Portal on Tomcat
  • Other approaches under consideration
  • See Wed. am session, John Paschoud

Coming Shib Features for Service Providers
• PKI-based direct-to-target scenario
  • Cert would contain
    • (possibly opaque) subject id
    • Identifier for associated Identity Provider
  • Would eliminate the first several steps in the classic Shib flow diagram
  • First Service Provider contact to Identity Provider would be the request for attributes
  • Lots of points of agreement to be worked out
Multi-campus system deployment model 1
[Diagram: Browser User; Identity Providers at CampusA, CampusB, CampusC, CampusD and CampusE; a Service Provider at CampusB on Apache (1.3 or 2.0) / Tomcat web server / servlet container, or IIS 5.x or 6.]

Multi-campus system deployment model 1
• Identity Provider per campus (vs. System IdP model)
• Create a system federation (some policy & configuration work here)
• Any campus can put up Shibbed service
• Or a system library can offer system-licensed resources
• Each campus retains control of Identity Management: high autonomy model

Multi-campus system deployment model 2
[Diagram: Browser User; a single System-level Identity Provider fed by CampusA, CampusB and CampusC directories; multiple Service Providers.]

Multi-campus system deployment model 2
• System-level Identity Provider model
• Significant campus-to-system metadirectory infrastructure
• Create a system federation (some policy & configuration work here)
• Any campus can put up Shibbed service
• Or a system library can offer system-licensed resources
• More seamless “system citizen” experience

Coming: Shib breaks free of the browser
• A number of open source projects are exploring this space (details in afternoon session)
• Ongoing work on a Java implementation of Service Provider components of Shibboleth will really open the door

Q & A
• Which of these issues seem tough to you?
• Lunch BoFs