![Page 1: Shibboleth Update a.k.a. “shibble-ware” Michael R Gettes, Duke University On behalf of the project team November 2004](https://reader036.vdocuments.site/reader036/viewer/2022062407/56649da75503460f94a929a9/html5/thumbnails/1.jpg)
Shibboleth Update
a.k.a. “shibble-ware”
Michael R Gettes, Duke University
On behalf of the project team
November 2004
What is Shibboleth? (Biblical)
• A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce “sh”, called the word sibboleth. See --Judges xii.
• Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.
Webster's Revised Unabridged Dictionary (1913)
What is Shibboleth? (modern era)
• An initiative to develop an architecture and policy framework supporting the sharing – between domains – of secured web resources and services
• A project delivering an open source implementation of the architecture and framework
• Deliverables:
– Software for Identity Provider (Origins/campuses)
– Software for Service Providers (targets/vendors)
– Operational Federations (scalable trust)
So… What is Shibboleth?
• A Web Single-Signon System (SSO)?
• An Access Control Mechanism for Attributes?
• A Standard Interface and Vocabulary for Attributes?
• A Standard for Adding Authn and Authz to Applications?
Attribute-based Authorization
• Identity-based approach
– The identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access.
– This approach requires the user to trust the target to protect privacy.
• Attribute-based approach
– Attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision.
– This approach does not degrade privacy.
How Does it Work?
Hmmmm…. It’s magic. :-)
Shibboleth AA Process
[Diagram: Identity Provider (HS, User DB, AA) and Service Provider (Web Site, ACS, AR, Resource Manager) with the WAYF between them. Callouts, in step order:]
1. The browser requests a resource on the Service Provider web site.
2–3. ACS: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.” WAYF: “Please tell me where are you from?”
4. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
5–6. HS: “I don’t know you. Please authenticate using WEBLOGIN.” The user submits credentials.
7. HS checks the credentials against the User DB.
8. HS: “OK, I know you now. I redirect your request to the target, together with a handle.” (Handle → AR)
9. AR: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.” (Handle → AA)
10. AA: “Let’s pass over the attributes the user has allowed me to release.” (Attributes → Resource Manager)
Resource Manager: “OK, based on the attributes, I grant access to the resource.”
From Shibboleth Arch doc
[Diagram: Identity Provider (University: Authentication System, HTTP Server, Enterprise Directory, Handle Service, Attribute Authority) and Service Provider (Resource Provider at http://www.CoolResource.com with SHIRE), plus the WAYF; numbered steps 1, 2, 2a, 3, 3a, 3b, 3c, 4.]
From Shibboleth Arch doc
[Diagram: the same components as the previous slide, extended with the SHAR, the Handle passed from the Handle Service, the Resource Manager and the Attributes returned by the Attribute Authority; numbered steps 1, 2, 2a, 3, 3a, 3b, 3c, 4, 5, 6.]
WAYF a second!
• WAYF
– Provides NO, ZERO, NADA, ZIP security
– It does NOT represent the federation
– Federation != WAYF
– WAYF != Federation
– Consideration for WAYF security is a future item
• WAYF is just a simple navigation tool
Demo!
• http://shibboleth.blackboard.com/
Shibboleth Architecture
[Diagram, © SWITCH: the same Identity Provider / Service Provider flow as the “Shibboleth AA Process” slide (Web Site, ACS, WAYF, HS, User DB, AR, AA, Resource Manager; steps 1–10), without the callouts.]
Shibboleth Architecture -- Managing Trust
[Diagram: Browser, Service Provider Web Server, Shib engine and Attribute Server, with TRUST between the parties.]
Typical Attributes in the Higher Ed Community
| Attribute | Meaning | Example |
| --- | --- | --- |
| Affiliation | “active member of community” | |
| EPPN | Identity | [email protected] |
| Entitlement | An agreed upon opaque URI | urn:mace:vendor:contract1234 |
| OrgUnit | Department | Economics Department |
| EnrolledCourse | Opaque course identifier | urn:mace:osu.edu:Physics201 |
Target – Managing Attribute Acceptance
• Rules that define who can assert what…
– MIT can assert [email protected]
– Chicago can assert [email protected]
– Brown CANNOT assert [email protected]
• Important for entitlement values
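As an added example (not from the slides or the Shibboleth code base), the Python sketch below ties the AA process to the acceptance rules on this slide: the Handle Service mints an opaque handle, the Attribute Authority releases only what the user's release policy allows, and the Service Provider drops scoped values and entitlements the asserting IdP may not assert before the Resource Manager decides on attributes alone. All users, scopes and policy values are constructed.

```python
import secrets

# Constructed sample data, not from the slides: each IdP's user attributes and the
# user's attribute release policy (ARP) that limits what the AA will release.
IDP_USERS = {
    "mit.edu": {"alice": {"eduPersonPrincipalName": "alice@mit.edu",
                          "eduPersonAffiliation": "member",
                          "eduPersonEntitlement": "urn:mace:vendor:contract1234"}},
    "brown.edu": {"mallory": {"eduPersonPrincipalName": "mallory@mit.edu",  # scope Brown may not assert
                              "eduPersonAffiliation": "member"}},
}
USER_ARP = {"alice": {"eduPersonAffiliation", "eduPersonEntitlement"},   # alice withholds her EPPN
            "mallory": {"eduPersonPrincipalName", "eduPersonAffiliation"}}
HANDLES = {}  # handle -> (idp, user): opaque, single-use, carries no identity itself

def handle_service(idp, user):
    """HS (steps 7-8): after local authentication, mint an opaque handle for the SP."""
    h = secrets.token_hex(16)
    HANDLES[h] = (idp, user)
    return h

def attribute_authority(handle):
    """AA (steps 9-10): resolve the handle, release only ARP-permitted attributes."""
    idp, user = HANDLES.pop(handle)  # single use: a replayed handle raises KeyError
    attrs = IDP_USERS[idp][user]
    return idp, {k: v for k, v in attrs.items() if k in USER_ARP[user]}

# SP-side attribute acceptance policy (AAP): who may assert which scope or value.
ALLOWED_SCOPES = {"mit.edu": {"mit.edu"}, "uchicago.edu": {"uchicago.edu"},
                  "brown.edu": {"brown.edu"}}
SCOPED_ATTRS = {"eduPersonPrincipalName"}
ALLOWED_ENTITLEMENTS = {"mit.edu": {"urn:mace:vendor:contract1234"}}

def accept_attributes(idp, attrs):
    """Drop every attribute value the asserting IdP is not permitted to assert."""
    kept = {}
    for name, value in attrs.items():
        if name in SCOPED_ATTRS:
            scope = value.rpartition("@")[2]
            if scope not in ALLOWED_SCOPES.get(idp, set()):
                continue  # e.g. Brown asserting an @mit.edu principal name
        if name == "eduPersonEntitlement" and value not in ALLOWED_ENTITLEMENTS.get(idp, set()):
            continue
        kept[name] = value
    return kept

def resource_manager(idp, attrs):
    """RM: apply the AAP, then authorize on attributes alone; no identity is needed."""
    ok = accept_attributes(idp, attrs)
    return (ok.get("eduPersonAffiliation") == "member"
            and ok.get("eduPersonEntitlement") == "urn:mace:vendor:contract1234")
```

Alice is admitted without ever revealing her principal name, while Mallory's forged @mit.edu value is discarded because brown.edu is not allowed to assert that scope.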
What are federations?
• Associations of enterprises that come together to exchange information about their users and resources in order to enable collaborations and transactions
• Built on the premise of
– Initially “Authenticate locally, act globally”
– Now, “Enroll and authenticate and attribute locally, act federally.”
• Federation provides only modest operational support and consistency in how members communicate with each other
• Enterprises (and users) retain control over what attributes are released to a resource; the resources retain control (though they may delegate) over the authorization decision.
• Over time, this will all change…
InCommon federation
• First US Higher Ed Federation
• Precursor federation, InQueue, is a proving ground or testbed and will feed into InCommon after organizations are deemed interoperable.
• http://www.incommonfederation.org
Service Providers
http://shibboleth.internet2.edu/
And see the link on the left labeled
“Shib-enabled Service Providers”
So… What is Shibboleth?
• A Web Single-Signon System (SSO)?
• An Access Control Mechanism for Attributes?
• A Standard Interface and Vocabulary for Attributes?
• A Standard for Adding Authn and Authz to Applications?
Sample InterFederation
Got SHIB?
Inter-Enterprise Authentication
• Is Shibboleth authentication?
– If so, to what degree?
• How does Shibboleth compare to PKI?
– PKI basics, no crypto -- just process
• Greater understanding of what Shibboleth really brings to the landscape
– Knowing what we are doing and why
PKI Authentication Basics
[Diagram: User holding a Private Key and User Certificate, a Server, and the CA that issued the certificate.]
Validation
• Server (application) performs validation steps of credential presented
• Verifies CA signing cert is valid
– Certificate Path Validation processing
• Verifies the cert presented is valid
– Certificate Revocation Tests: OCSP, CRLs
• Applying the Private Key authenticates the end entity directly
Inter-Realm (server chooses trust)
[Diagram: User holding a Private Key and User Certificate, a Server, and two CAs; the server chooses which CA it trusts.]
Shibboleth Architecture
[Diagram, © SWITCH: the same Identity Provider / Service Provider flow as the “Shibboleth AA Process” slide (Web Site, ACS, WAYF, HS, User DB, AR, AA, Resource Manager; steps 1–10), here annotated with the labels “Authentication” and “Attribute Release”.]
What shib does…
• SAML assertion from HS to ACS
– The Identity Provider is testifying about the Handle being passed
• The ACS performs validation of Id Provider
– Like PKI Path Validation (albeit simple)
• The Service Provider trusts that the End Entity has been authenticated per the rules of the trust fabric
What shib does… (2)
• Are Attributes the result of authentication?
• Where does Level of Assurance fit in?
– Is LoA an attribute or part of authN?
– Are shib LoA and PKI LoA different?
• Q & A -- How can we help you?