
Shibboleth and Single Signon among Great Plains Network Institutions


Presentation Transcript


    1. Shibboleth and Single Signon among Great Plains Network Institutions
       Denis Hancock, Gordon Springer

    2. 8/17/2012 Single Signon in the Great Plains Network 2 What is Shibboleth?
       From the Shibboleth page: "The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner."

    3. What Is A Virtual Organization?
       From Wikipedia: A Virtual Organization is a corporate, not-for-profit, educational, or otherwise productive organizational entity that uses telecommunication tools to enable, maintain and sustain member relationships in distributed work environments. Critical management dimensions are those that apply to the (1) spatial (e.g., distance between members), (2) temporal (e.g., overlapping work hours), and (3) configurational (e.g., where members are located and how activities are coordinated across member sites) aspects of member relationships in these work environments.

    4. What Is A Virtual Organization?
       In the networking world, a VO can be defined as loosely or tightly as you wish:
       - Email lists
       - Weekly conference calls
       - Formal research agreements
       The more tightly you define it, the closer it comes to a federation.

    5. What Is A Federation?
       Technical:
       - A common means of asserting attributes of users
       - Shared metadata between members, including identity providers and service providers
       - A minimum level of assurance that an asserted identity corresponds to one and only one real person
       - Technical standards are published and made available to the members (and prospective members)

    6. What Is A Federation? Part 2
       Political:
       - Institutions have to agree at the administrative level
       - Lawyers will generally be involved
       - Expectations and obligations will be defined
       - Financial implications will be addressed
       - This is likely the biggest hurdle

    7. What Is A Federation? Part 3
       Social:
       - In view of the fact that resources will be shared across institutional boundaries, what behavioral expectations are there?
       - What are the consequences of acceptable use policy violations?

    8. Identity Levels of Assurance
       - LOA-1 -- username/password and the ability to send and receive email. No verification of identity is made
       - LOA-2 -- username/password with verification that the user is a real person
       - LOA-3 -- two-factor authentication via a personal X.509 certificate in addition to a passphrase
       - LOA-4 -- hardware-based X.509 certificate; may involve biometric data
       References:
       - http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
       - http://www.itl.nist.gov/lab/bulletns/bltnaug04.htm

    9. InCommon Federation

    10. InCommon Service Levels
       - Bronze: Roughly equivalent to LOA-1
       - Silver: Roughly equivalent to LOA-2

    11. Regional Members of InCommon
       - Oklahoma State University (not in metadata)
       - University of Iowa
       - University of Minnesota
       - University of Missouri
       - University of Nebraska (not in metadata)
       - University of Wisconsin

    12. Other Members of InCommon
       - National Science Foundation
       - National Institutes of Health
       - Lawrence National Laboratory
       - TeraGrid

    13. Who Is Using InCommon?
       - Microsoft DreamSpark
       - Apple iTunes University
       - New York University Human Resources
       - VIVA library consortium
       - University of California System
       - Penn State web-based assignment system
       - National Institutes of Health
       - Google Apps
       - NSF Fastlane

    14. Issues Addressed by Shibboleth
       - Single Sign On -- using one username/password to gain access to multiple services
       - Works with existing identity management systems
       - Works within a single organization or across organizational boundaries
       - Providing secure assertions of identity, affiliation, and in some cases, privileges
       - User (ideally) has control over what attributes, if any, are released
       - Service providers can make their decisions based on as many or as few attributes as they choose

    15. Issues Not Easily Addressed
       - Authorization decisions that cross institutional boundaries
       - Building trust relationships outside a federation structure
       - Single Logout -- part of the original intent, but reality gets in the way
       - International differences in what attributes can be released

    16. Why Shibboleth?
       - Open standards based: Apache (httpd), Tomcat (Java), XML, SAML 2.0
       - Federal agencies starting to accept Shibboleth identities
       - Allows the user to authenticate at his or her home institution rather than having multiple identities and passwords scattered all over
       - Allows trust relationships to be established among institutions
       - Supports privacy requirements, including total anonymity

    17. Shibboleth in the Great Plains Network
       Four institutions with varying degrees of Shibboleth implementation.
       Four identity providers:
       - Great Plains Network (development, production)
       - University of Kansas (production)
       - University of Missouri System (production)
       - MU Research Network (development, production)
       - University of Arkansas-Little Rock (development)
       Multiple service providers:
       - Bioinformatics tools at MU
       - Microsoft DreamSpark
       - UM System web applications, web hosting, BigBrother
       - KU administrative applications
       - Great Plains Network wiki

    18. Glossary
       - Attribute – A piece of information about a user
       - AuthN – User authentication
       - AuthZ – User authorization
       - IdP – Identity Provider (usually the user's home institution); also known as "Origin"
       - LDAP – Lightweight Directory Access Protocol
       - SAML – Security Assertion Markup Language
       - SP – Service Provider; also known as "Target"
       - WAYF – "Where are you from?" A server normally associated with a federation that accepts redirects from an SP and in turn redirects to an IdP

    19. More Alphabet Soup
       - AA – Attribute Authority (on the IdP)
       - AR – Attribute Requester (on the SP)
       - HS – Handle Service (on the IdP)
       - ACS – Assertion Consumer Service (on the SP)

    20. The Shibboleth Protocol

    21. Attributes
       These are typically defined in an LDAP directory. The eduPerson schema (www.educause.edu) is added to the standard LDAP schemas to provide additional attributes appropriate for educational institutions.
       The IdP determines its attribute release policy (ARP), taking into account federal and state law, institutional policies, owner preferences, etc.
       The SP determines its attribute acceptance policy (AAP), taking into account institutional/security needs. The SP generally filters the released attributes based on various criteria, thus retaining control over which attributes are accepted, and from whom. With proper planning, a hierarchy of privileges can be established, giving the SP fine-grained control over access to resources.

    22. What Attributes Are Actually Needed?
       - In general, the fewest needed for a service provider (SP) to make an informed access decision
       - Where accountability is required, an eduPersonPrincipalName should be released by the Identity Provider (IdP)
       - Another useful attribute might be eduPersonAffiliation
       - If required by policy, a Shibboleth session can be anonymous (e.g. access to a library catalog)
       - The IdP is free to follow the user's preferences in the release of attributes
       - The SP is free to determine whether the released attributes meet its requirements or not

    23. InCommon Recommended Attributes
       - eduPersonScopedAffiliation
       - eduPersonPrincipalName
       - eduPersonEntitlement
       - eduPersonTargetedID
       - sn (surname)
       - givenName
       - displayName
       - mail
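The SP-side attribute acceptance policy described in slides 21 and 22 (accept only the few attributes the SP needs, and only from IdPs the SP shares metadata with) can be written as a small filter. The code below is an added example, not code from the presentation or from the Shibboleth project. It assumes the SP has loaded each IdP's permitted scopes from federation metadata (Shibboleth metadata carries these as shibmd:Scope elements); the IdP entity ID, the scope and the asserted values are constructed sample data. It goes one step beyond the slide by checking that the scope part of scoped attributes (eduPersonPrincipalName, eduPersonScopedAffiliation) is one the asserting IdP is registered for, which is what keeps one IdP from asserting another institution's users.

```python
"""
SP-side attribute acceptance policy (AAP) check.

Added illustration, not code from the presentation or from the Shibboleth
project. Assumptions: the IdP's permitted scopes are read from its federation
metadata; the entity ID, scope and attribute values below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: scopes each IdP is allowed to assert, as an SP would load
# them from the federation metadata it shares with the IdP.
IDP_SCOPES: dict[str, set[str]] = {
    "https://idp.example-university.edu/idp/shibboleth": {"example-university.edu"},
}

# Attributes whose values carry a "value@scope" suffix.
SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}

# The SP's acceptance policy: the few attributes it needs for an access decision.
ACCEPTED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation", "mail"}


@dataclass
class AcceptanceResult:
    accepted: dict[str, list[str]] = field(default_factory=dict)
    # (attribute, value, reason) for every value the policy dropped
    rejected: list[tuple[str, str, str]] = field(default_factory=list)


def apply_acceptance_policy(idp_entity_id: str,
                            asserted: dict[str, list[str]]) -> AcceptanceResult:
    """Filter attributes asserted by idp_entity_id down to what the SP accepts."""
    result = AcceptanceResult()
    scopes = IDP_SCOPES.get(idp_entity_id)
    if scopes is None:
        # No metadata for this IdP means no trust relationship: accept nothing.
        for name, values in asserted.items():
            result.rejected.extend((name, v, "IdP not in metadata") for v in values)
        return result

    for name, values in asserted.items():
        if name not in ACCEPTED_ATTRIBUTES:
            result.rejected.extend((name, v, "attribute not accepted by SP") for v in values)
            continue
        for value in values:
            if name in SCOPED_ATTRIBUTES:
                local, sep, scope = value.rpartition("@")
                # A scoped value needs a local part and a scope this IdP is
                # registered for; otherwise one IdP could assert another's users.
                if not sep or not local or scope.lower() not in scopes:
                    result.rejected.append((name, value, "scope not registered for IdP"))
                    continue
            result.accepted.setdefault(name, []).append(value)
    return result


# Constructed sample assertion: one foreign-scoped affiliation and an entitlement
# the SP never asked for are mixed in with legitimate values.
SAMPLE_IDP = "https://idp.example-university.edu/idp/shibboleth"
SAMPLE_ATTRIBUTES = {
    "eduPersonPrincipalName": ["jdoe@example-university.edu"],
    "eduPersonScopedAffiliation": ["member@example-university.edu",
                                   "faculty@other-university.edu"],
    "mail": ["jdoe@example-university.edu"],
    "eduPersonEntitlement": ["urn:mace:example-university.edu:bio-tools"],
}

if __name__ == "__main__":
    outcome = apply_acceptance_policy(SAMPLE_IDP, SAMPLE_ATTRIBUTES)
    print("accepted:", outcome.accepted)
    for attr, value, reason in outcome.rejected:
        print(f"rejected {attr}={value}: {reason}")
```

Running the sample keeps the eppn, the home-scoped affiliation and mail, drops the affiliation scoped to another institution, and drops the entitlement the SP did not ask for; an assertion from an entity ID absent from the metadata table yields nothing at all.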

    24. FERPA Considerations
       FERPA is the Family Educational Rights and Privacy Act.
       Source: http://www.ed.gov/policy/gen/guid/fpco/ferpa/mndirectoryinfo.html
       - Anything outside of "Directory Information" must be explicitly released by the student or parent
       - A student or parent can assert rights under FERPA and authorize release of as few or as many of the directory attributes as desired
       - An institution can choose to limit release of attributes to a subset of the standard directory information
       - HIPAA compliance presents similar issues

    25. What Does FERPA Call "Directory Information?"
       - Student's name
       - Participation in officially recognized activities and sports
       - Address
       - Telephone listing
       - Weight and height of members of athletic teams
       - Electronic mail address
       - Photograph
       - Degrees, honors, and awards received
       - Date and place of birth
       - Major field of study
       - Dates of attendance
       - Grade level
       - The most recent educational agency or institution attended

    26. New Directions and Thinking
       - The level of trust between organizations does not lead to an easy way to ask, for example, the University of Arkansas IdP to provide attributes that the University of Missouri can use for authorization.
       - Let the Identity Providers authenticate and let the Service Providers handle authorization.
       - If the IdP can release an eduPersonPrincipalName, the SP can use that to look up the authorizations in its own database.
       - This avoids the situation where all eduPersonEntitlements are released to the SP where only one is needed. Do SPs really need to know all the entitlements a given user has? Or just the fact that they have the one the SP requires?

    27. Case Study: Inter-Institutional Access to Bioinformatics Tools
       - Bioinformatics tools need to be shared across institutional boundaries.
       - Authorized persons need appropriate access to web-based services and data.
       - Unauthorized persons need to be excluded from access to any services or data.
       - We need to be able to trust other institutions to handle authentication properly.
       - User privacy must be maintained consistent with applicable laws and individual user preferences.

    28. How do we do it?
       Administrative:
       - Manage authentication and authorization in a consistent way between institutions.
       - Agree upon a set of attributes that allow access decisions to be made.
       - Develop a trust relationship between all members of the Virtual Organization.
       Technical:
       - Employ existing open technologies (LDAP, eduPerson schema, Shibboleth, Apache, Tomcat, SAML, etc.) in a Shibboleth installation
       - Employ a locally-developed Entitlement Server to allow the service provider full control over authorization

    29. How this works
       - The Identity Provider (IdP) authenticates the user and releases only the eduPersonPrincipalName (eppn) to the Service Provider (SP).
       - The SP queries a local entitlement server with the eppn, which returns a yes or a no.
       - The SP makes no demands on the IdP other than requesting a standard attribute that uniquely identifies the user.
       - Shibboleth (shibboleth.internet2.edu), along with a federation, provides the framework in which full trust can be achieved among organizations.
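The authorization flow of slides 26, 28 and 29 (IdP releases only the eppn, the SP asks a local entitlement server for a yes or no) is shown below as an added example; it is not code from the presentation, from MU's entitlement server or from the Shibboleth project. It assumes the Shibboleth SP has already validated the assertion and exports the attribute to the web application under the variable name "eppn" (the SP's default attribute-map id), joining multiple values with ";"; the entitlement server is replaced by an in-memory table so the example runs offline. The part worth noting is that every failure path (no eppn, more than one eppn, entitlement server unreachable) denies access rather than falling through.

```python
"""
SP-side authorization using only eduPersonPrincipalName (eppn) plus a local
entitlement server.

Added illustration, not code from the presentation, the MU entitlement server
or the Shibboleth project. Assumptions: the SP exports the attribute as "eppn"
with values joined by ";"; the entitlement server is an in-memory stand-in.
"""
from __future__ import annotations

from typing import Mapping, Optional


class EntitlementServer:
    """Constructed stand-in for the locally developed entitlement server."""

    def __init__(self, grants: Mapping[str, set[str]]) -> None:
        # eppn -> set of resource names that user may reach
        self._grants = {eppn: set(res) for eppn, res in grants.items()}

    def check(self, eppn: str, resource: str) -> bool:
        """Answer the SP's question with a plain yes or no."""
        return resource in self._grants.get(eppn, set())


class UnreachableEntitlementServer(EntitlementServer):
    """Constructed failure case: the server cannot be queried."""

    def check(self, eppn: str, resource: str) -> bool:
        raise ConnectionError("entitlement server unreachable")


def extract_eppn(env: Mapping[str, str]) -> Optional[str]:
    """Return the single eppn the SP exported, or None if absent or ambiguous."""
    values = [v for v in env.get("eppn", "").split(";") if v]
    if len(values) != 1:
        return None
    return values[0]


def authorize(env: Mapping[str, str], resource: str,
              server: EntitlementServer) -> tuple[bool, str]:
    """Decide access for one request; every failure path denies (fail closed)."""
    eppn = extract_eppn(env)
    if eppn is None:
        return False, "no single eppn asserted"
    try:
        granted = server.check(eppn, resource)
    except Exception as exc:
        # An unanswered question is a "no", never a default "yes".
        return False, f"entitlement lookup failed: {exc}"
    if not granted:
        return False, f"{eppn} holds no entitlement for {resource}"
    return True, f"{eppn} granted {resource}"


# Constructed sample grants: who may use which bioinformatics tool.
SERVER = EntitlementServer({
    "alice@example-university.edu": {"blast", "genome-browser"},
    "bob@other-university.edu": {"genome-browser"},
})

if __name__ == "__main__":
    requests = [
        ({"eppn": "alice@example-university.edu"}, "blast"),
        ({"eppn": "bob@other-university.edu"}, "blast"),
        ({}, "blast"),
        ({"eppn": "alice@example-university.edu;bob@other-university.edu"}, "blast"),
    ]
    for env, resource in requests:
        print(authorize(env, resource, SERVER))
    print(authorize({"eppn": "alice@example-university.edu"}, "blast",
                    UnreachableEntitlementServer({})))
```

Because the SP asks only "does this eppn hold this one entitlement?", the IdP never has to release the user's full entitlement list, which is the point made on slide 26.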
