Shibboleth: The Next Generation
ISIS Technical Information Session for Developers
Datta Mahabalagiri
March 3, 2008
Administrative Information Systems
Today’s Goals
• Demystify Shibboleth
• Provide a technical overview of Shibboleth
• Outline application considerations when migrating to Shibboleth
• Sketch a migration plan
• Q/A
Shibboleth Overview
• Shibboleth is standards-based, open source middleware designed to provide a web Single Sign-On (SSO) solution within or across organizational boundaries
• Authentication/attribute query protocol
• Standards based: built on SAML
• Developed by Internet2
Shibboleth Overview
• Emphasis on protecting user privacy
• Fine-grained attribute release control mechanism
• Browser-based authentication only
• Quickly gaining momentum in the higher education community
• UC is adopting Shibboleth as its standard federated authentication mechanism: UCTrust
Shibboleth Benefits
• Standards based (SAML, etc.)
• Focus on privacy and security
• Adopted by a lot of organizations
• Manage identity for local users only
• Federated
• Open source software, supported by Internet2
  – Client modules
  – No coding necessary
  – Works with static web sites
What Shibboleth Is Not
• SSO, but not authentication: Shibboleth provides single sign-on and relies on an existing authentication engine (ISIS at UCLA)
• No authorization
Shibboleth Vocabulary
• Federation
• Identity Provider (IdP)
• Service Provider (SP)
• Where Are You From Service (WAYF)
• Handle Service (HS)
• Attribute Authority (AA)
• Attribute Requester (AR)
• Assertion Consumer Service (ACS)
• Attribute Release Policy (ARP)
• Attribute Acceptance Policy (AAP)
• Bilateral deployment
Shibboleth: Federation
• Provides a standard approach to the policies, practices and technologies that members adopt
• Interoperability and trust
• Which federation to join?
• Not a must in order to operate Shibboleth
Shibboleth: Identity Provider (IdP)
• The “server” side of Shibboleth
• Performs authentication
• Issues the Authentication Assertion
• Responds to attribute queries
• Issues the Attribute Assertion
• Analogous to the ISIS Login Server and Web Service
• One instance per campus
Shibboleth: Service Provider (SP)
• The “consumer” side of Shibboleth
• Apache module or IIS ISAPI filter, plus a daemon
• Handles all communications with the WAYF and the IdP
• Places returned attributes in HTTP headers
• Provided by Internet2
Shibboleth: Where Are You From (WAYF) Service
• Part of the federation services
• A directory service of Identity Providers
• Hosted by the federation operator *
* In Shibboleth 2.0, the WAYF function will be part of the Service Provider module
Shibboleth: IdP Components
• Handle Service (HS)
  – Directs the incoming user to the authentication authority (i.e., the login page)
  – Issues the Shibboleth handle (similar to a session token, à la the ISIS ticket)
• Attribute Authority (AA)
  – Responds to attribute requests
  – Queries data repositories
  – Constructs and returns the Attribute Assertion (an XML document containing the requested user data)
Shibboleth: SP Components
• Assertion Consumer Service (ACS)
  – Processes the Shibboleth handle returned by the IdP
  – Initiates an optional attribute request
  – Establishes a security context at the SP and redirects the client to the desired target resource
• Attribute Requester (AR)
  – Establishes a direct connection to the Attribute Authority at the IdP
  – Exchanges the attribute query and attribute response
Shibboleth: Attribute Release Policy (ARP)
• Rules for releasing attributes, in XML format
• Fine-grained control over the release of attributes
• Both the individual and the organization have control over the release of attributes
• Site ARP and User ARP
ARP Examples
• eduPersonAffiliation release policy

  <Rule>
    <Target>
      <AnyTarget/>
    </Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <Value release="permit">member@ucla.edu</Value>
    </Attribute>
  </Rule>

• Target fragment naming a specific requester (SP) instead of AnyTarget

  <Target>
    <Requester>https://myhost.ucla.edu</Requester>
  </Target>
Shibboleth: Attribute Acceptance Policy (AAP)
• Rules for accepting attributes, in XML format
• Regular expression checks on attribute values
• Places accepted attributes in HTTP headers for use by applications
AAP Examples
• eduPersonAffiliation acceptance rules

  <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation"
                 CaseSensitive="false" Header="SHIB-AFFILIATION">
    <AnySite>
      <Value>FACULTY</Value>
      <Value>STUDENT</Value>
    </AnySite>
  </AttributeRule>

• Other value and site matchers

  <Value Type="regexp">^[^@]+$</Value>
  <AnyValue/>
  <SiteRule Name="providerId"> $$$ </SiteRule>
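The two policies on the ARP and AAP slides are applied one after the other: the IdP's ARP decides which values leave the IdP for a given requester, and the SP's AAP decides which of the arriving values are trusted and placed in HTTP headers. The following is an added example, not code from the slides or from Shibboleth, that evaluates both policy formats over a constructed user record. The policy documents, the user's attribute values, the IdP and SP providerIds and the header names are all constructed for the illustration (the SP's `https://myhost.ucla.edu` and the `SHIB-AFFILIATION` header come from the slides); it mirrors the 1.x policy elements shown above, not the full Shibboleth grammar.

```python
# Added example, not from the slides or from Shibboleth: a minimal evaluator for
# the ARP (IdP side) and AAP (SP side) XML shown on the slides, chained the way
# a deployment chains them. All policies, values and identifiers are constructed.
import re
import xml.etree.ElementTree as ET

SP_ID = "https://myhost.ucla.edu"          # requester named on the ARP slide
IDP_ID = "urn:mace:ucla.edu:idp"           # constructed IdP providerId

# Constructed site ARP: principal name to any requester, affiliation only to SP_ID
ARP_XML = """<AttributeReleasePolicy>
  <Rule>
    <Target><AnyTarget/></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
  <Rule>
    <Target><Requester>https://myhost.ucla.edu</Requester></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <Value release="permit">member</Value>
      <Value release="permit">student</Value>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>"""

# Constructed AAP: FACULTY/STUDENT affiliation from any IdP (case-insensitive);
# principal name only from IDP_ID and only when scoped to ucla.edu
AAP_XML = r"""<AttributeAcceptancePolicy>
  <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation"
                 CaseSensitive="false" Header="SHIB-AFFILIATION">
    <AnySite>
      <Value>FACULTY</Value>
      <Value>STUDENT</Value>
    </AnySite>
  </AttributeRule>
  <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                 Header="SHIB-EPPN">
    <SiteRule Name="urn:mace:ucla.edu:idp">
      <Value Type="regexp">^[^@]+@ucla\.edu$</Value>
    </SiteRule>
  </AttributeRule>
</AttributeAcceptancePolicy>"""

# Constructed user record as the Attribute Authority would read it from the User DB
USER = {
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": ["jbruin@ucla.edu"],
    "urn:mace:dir:attribute-def:eduPersonAffiliation": ["member", "student", "staff"],
}


def apply_arp(arp_xml, requester, attributes):
    """IdP side: keep only the values the ARP permits for this requester (SP providerId)."""
    released = {}
    for rule in ET.fromstring(arp_xml).findall("Rule"):
        target = rule.find("Target")
        applies = target.find("AnyTarget") is not None or any(
            r.text.strip() == requester for r in target.findall("Requester"))
        if not applies:
            continue
        for attr in rule.findall("Attribute"):
            name = attr.get("name")
            have = attributes.get(name, [])
            any_value = attr.find("AnyValue")
            if any_value is not None and any_value.get("release") == "permit":
                permitted = list(have)
            else:
                allowed = {v.text.strip() for v in attr.findall("Value")
                           if v.get("release") == "permit"}
                permitted = [v for v in have if v in allowed]
            for value in permitted:            # union across rules, order preserved
                if value not in released.setdefault(name, []):
                    released[name].append(value)
    return released


def _value_matches(matcher, value, case_sensitive):
    """One <Value>/<AnyValue> element of the AAP against one attribute value."""
    if matcher.tag == "AnyValue":
        return True
    pattern = matcher.text.strip()
    if matcher.get("Type") == "regexp":
        return re.search(pattern, value, 0 if case_sensitive else re.IGNORECASE) is not None
    return pattern == value if case_sensitive else pattern.lower() == value.lower()


def apply_aap(aap_xml, idp_provider_id, attributes):
    """SP side: keep values the AAP accepts from this IdP, keyed by the HTTP header
    the SP would set (multi-valued attributes joined with ';' as the SP does)."""
    headers = {}
    for rule in ET.fromstring(aap_xml).findall("AttributeRule"):
        name, header = rule.get("Name"), rule.get("Header")
        case_sensitive = rule.get("CaseSensitive", "true").lower() != "false"
        scopes = [s for s in rule if s.tag == "AnySite"
                  or (s.tag == "SiteRule" and s.get("Name") == idp_provider_id)]
        matchers = [m for scope in scopes for m in scope]
        accepted = [v for v in attributes.get(name, [])
                    if any(_value_matches(m, v, case_sensitive) for m in matchers)]
        if accepted:
            headers[header] = ";".join(accepted)
    return headers


def end_to_end(sp_provider_id, idp_provider_id, user=USER):
    """What the application finally sees: the ARP decides what leaves the IdP,
    then the AAP decides what the SP places in headers."""
    return apply_aap(AAP_XML, idp_provider_id, apply_arp(ARP_XML, sp_provider_id, user))
```

Calling `end_to_end(SP_ID, IDP_ID)` yields both headers (`SHIB-AFFILIATION` carries only `student`, because `member` is released by the ARP but not on the AAP's accepted list); an SP other than `https://myhost.ucla.edu` never sees the affiliation, and a principal name asserted by an IdP other than `IDP_ID` is dropped by the SiteRule even though the ARP released it. That intersection is the point of the two-policy design: the application should read attributes only from the headers the SP module sets on the locations it protects, never from anything the browser itself sent.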
Shibboleth Architecture
[Diagram, © SWITCH: the Service Provider web site (ACS, AR, Resource Manager, Resource), the WAYF, and the Identity Provider (HS, AA, User DB), with the ten numbered steps of the login flow; credentials, the handle and the attributes are the items exchanged between them]
Shibboleth Architecture: the flow step by step
1. The user’s browser requests a resource at the Service Provider web site.
2. SP: “I don’t know you. Not even which home org you are from. Redirect your request to the WAYF.”
3. WAYF: “Please tell me where are you from?”
4. WAYF: “OK, I redirect your request now to the Handle Service of UCLA.”
5. Identity Provider at UCLA (HS): “I don’t know you. Please authenticate using ISIS.” The user presents credentials.
6. HS: “OK, I know you now. Redirect your request to the SP, together with a handle.”
7. SP (ACS): “I don’t know the attributes of this user. Let’s ask the Attribute Authority.”
8. The Attribute Requester presents the handle to the AA.
9. AA: “Let’s pass over the attributes the user has allowed me to release.” The AA consults the User DB and returns the attributes.
10. Resource Manager: “OK, based on the attributes, I grant access to the resource.”
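The handle is the pivot of the flow above: the browser carries it from the Handle Service to the SP, and the Attribute Requester then trades it for attributes over a direct connection to the Attribute Authority. The following added example (not Shibboleth's code and not from the slides) models steps 5 through 10 as plain functions so the trust checks at each hop are visible. The user record, the release policy, the SP providerId and the handle properties (opaque, bound to the SP it was issued for, short-lived, resolvable once) are assumptions of this model; real Shibboleth carries these guarantees in signed SAML assertions and federation metadata rather than in an in-memory table.

```python
# Added example, not from the slides or from Shibboleth: the HS / ACS / AR / AA
# exchange of the architecture diagram as a small in-process model. Everything
# below (user record, credentials, release policy, identifiers) is constructed.
import secrets
import time

SP_ID = "https://myhost.ucla.edu"          # the SP's providerId, as on the ARP slide

# Constructed IdP data: the User DB and a simplified per-requester release policy (ARP)
USER_DB = {
    "jbruin": {"password": "correct-horse",   # constructed; stands in for the ISIS check
               "eduPersonPrincipalName": "jbruin@ucla.edu",
               "eduPersonAffiliation": ["member", "student"]},
}
ARP = {SP_ID: {"eduPersonPrincipalName", "eduPersonAffiliation"},
       "https://other.example.org": {"eduPersonAffiliation"}}


class HandleService:
    """IdP Handle Service: authenticates the user and issues an opaque handle."""
    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._issued = {}                    # handle -> (uid, sp_provider_id, expires_at)

    def login(self, uid, password, sp_provider_id, now=None):
        """Steps 5-6: verify credentials, then hand back a handle bound to the SP."""
        now = time.time() if now is None else now
        user = USER_DB.get(uid)
        if user is None or not secrets.compare_digest(user["password"], password):
            return None
        handle = secrets.token_urlsafe(24)   # opaque: carries no user data itself
        self._issued[handle] = (uid, sp_provider_id, now + self.ttl)
        return handle

    def redeem(self, handle, sp_provider_id, now=None):
        """Resolve a handle exactly once, only for the SP it was issued to, only while fresh."""
        now = time.time() if now is None else now
        entry = self._issued.pop(handle, None)   # pop first: a replay or a misuse burns it
        if entry is None:
            return None
        uid, bound_sp, expires_at = entry
        if bound_sp != sp_provider_id or now >= expires_at:
            return None
        return uid


class AttributeAuthority:
    """IdP Attribute Authority: answers the AR's query, filtered by the release policy."""
    def __init__(self, handle_service):
        self.hs = handle_service

    def query(self, handle, sp_provider_id, now=None):
        """Steps 8-9: turn a valid handle into the attributes released to this SP."""
        uid = self.hs.redeem(handle, sp_provider_id, now)
        if uid is None:
            return None
        allowed = ARP.get(sp_provider_id, set())
        return {k: v for k, v in USER_DB[uid].items() if k in allowed}


def resource_manager(attributes):
    """Step 10: grant access based on attributes (here: a 'student' affiliation)."""
    return "student" in attributes.get("eduPersonAffiliation", [])


def sp_session(hs, aa, sp_provider_id, uid, password, now=None):
    """SP side: ACS receives the handle, AR trades it for attributes, the resource
    manager decides. Returns (granted, attributes_seen_by_the_application)."""
    handle = hs.login(uid, password, sp_provider_id, now)      # via the browser
    if handle is None:
        return False, {}
    attributes = aa.query(handle, sp_provider_id, now)          # back channel AR -> AA
    if attributes is None:
        return False, {}
    return resource_manager(attributes), attributes
```

Two properties of the model are worth noticing when reading the diagram: the handle is consumed on first use, so a handle the ACS already redeemed (or one presented by the wrong SP) resolves to nothing on a second attempt, and the attributes the application sees depend on the requester, so the same user logging in at `https://other.example.org` gets the affiliation but not the principal name.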
Shibboleth @ UCLA
• Shibboleth IdP already running in production
• Leverages the ISIS authentication engine
• Running in parallel with ISIS 5
• Attributes in ED
Shibboleth @ UCLA
• Will eventually replace the ISIS Web Service API
• Early adopters include CCLE, MyEvents and the Plone site
• ARP administration is still a manual process
• Customized login page
• Supports bilateral and federated deployment
To Do’s
• ISIS Login Server will continue to serve the login form
• Integrate Shibboleth SP administration with ISIS administration
• Incorporate data release approval from data stewards into the SP set-up process
• Need more attribute data!
• Improve the user experience during redirects
• More support materials (Confluence)
• Helpdesk coordination
• Metadata generation
• Logout?
Migrating to Shibboleth
• Migration philosophy
  – Parallel support for ISIS 5 and ISIS/Shib
  – Gradual migration: move when it’s a good time for your application to move
  – … within reason, of course
  – Emphasis on user experience
Migrating to Shibboleth
• 2007
  – Early adopters and new applications
  – Applications with unique requirements
  – Applications could choose between ISIS 5 and Shibboleth
• 2008
  – All MI Team supported apps
  – All new applications
  – Voluntary migration
• 2009
  – Mandatory migration
  – End of ISIS support
Preparing Your Application for Shibboleth
• Choose your web server
  – IIS
  – Apache
• Separate test and production environments
• Deployment scenario
  – Federated
  – Bilateral
Federated Deployment
• With federated deployment, your application joins a Shibboleth federation (InCommon, UCTrust)
• You need to register and obtain a federation-issued digital certificate
• The application enjoys common standards, but needs to comply with all federation requirements
  – Security and audit requirements
  – Attribute assertion agreements (more work on the IdP side than the SP side)
  – Coordinated helpdesk support
• Choose federated deployment if:
  – You plan to accept authentication assertions from multiple IdPs
  – You have business requirements to participate in a federation
Bilateral Deployment
• With bilateral deployment, your application exchanges credentials and negotiates attribute exchanges directly with the IdP
• No need to obtain federation digital certificates
• Likely a simpler deployment model for UCLA-only applications
• Choose bilateral deployment if:
  – You plan to accept authentication assertions only from UCLA’s IdP
• You can always move to a federated deployment mode later
Preparing Your Application for Shibboleth
• Rethink your user access provisioning process
  – Shib’s privacy policy may mean that you won’t get all the attributes you want from all the users; you may need to ask for more information
  – Especially with federated deployment, you will receive login attempts from unexpected users
  – An on-demand access provisioning model is preferred
  – You need to provide much more descriptive help information on screen
Preparing Your Application for Shibboleth
The user may be confused if you show him:

  Login Failed: Access Denied.
Preparing Your Application for Shibboleth
This may make it just a bit clearer to the user why he cannot continue, and what he can do to remedy the situation:

  Thank you for your interest in using the Foobar system. It appears that you authenticated successfully. However, you have not registered to become a user with Foobar. Foobar is a restricted system. If you believe you should have access, please click here to complete an access request. For additional inquiries, please contact our helpdesk at helpdesk@foobar.ucla.edu
Preparing Your Application for Shibboleth
• Rethink your logging and helpdesk support model
  – Especially with federated deployment, the user’s IdP may not be UCLA
  – Helping a user through the troubleshooting process is critical
  – Think about your hours of support
  – Think about the kind of information you need to keep in your application log
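The last three slides make one point from the application's side: once the SP handles sign-on, the application must tell "not signed in" apart from "signed in but not provisioned", say so on screen in the descriptive style of the Foobar message, and log enough for a helpdesk to trace a login that came from a foreign IdP. The following is an added example, not from the slides, of an application-side gate that does those three things from the headers the SP injects. The header names, the local user registry, the request identifier and the sample requests are constructed for the illustration (the helpdesk address is the one on the Foobar slide); `HTTP_SHIB_IDENTITY_PROVIDER` is assumed to be where the SP records the asserting IdP.

```python
# Added example, not from the slides: an application gate reading the attribute
# headers a Shibboleth SP injects (CGI-style environ), producing the descriptive
# message the slides ask for and a structured log record for the helpdesk.
# Header names, registry, sample requests and request ids are constructed.
import json
import time

HDR_EPPN = "HTTP_SHIB_EPPN"                         # assumed AAP Header mapping
HDR_AFFILIATION = "HTTP_SHIB_AFFILIATION"           # Header named on the AAP slide
HDR_IDP = "HTTP_SHIB_IDENTITY_PROVIDER"             # assumed: asserting IdP's providerId

REGISTRY = {"jbruin@ucla.edu": "reader"}            # constructed: eppn -> local role
HELPDESK = "helpdesk@foobar.ucla.edu"               # address used on the Foobar slide


def classify(environ, registry=REGISTRY):
    """Return (status, context); status is 'unauthenticated', 'unprovisioned' or 'authorized'.
    Missing attributes (privacy policy, foreign IdP) are tolerated, not treated as errors."""
    eppn = environ.get(HDR_EPPN, "").strip()
    idp = environ.get(HDR_IDP, "")
    if not eppn:
        return "unauthenticated", {"idp": idp}
    ctx = {"eppn": eppn, "idp": idp, "affiliation": environ.get(HDR_AFFILIATION, "")}
    role = registry.get(eppn)
    if role is None:
        return "unprovisioned", ctx
    ctx["role"] = role
    return "authorized", ctx


def user_message(status, ctx):
    """The on-screen text: says what happened and what the user can do next."""
    if status == "authorized":
        return f"Welcome, {ctx['eppn']} ({ctx['role']})."
    if status == "unauthenticated":
        return ("You have not signed in yet. Please sign in through your home organization; "
                f"if that fails, contact {HELPDESK}.")
    via = ctx["idp"] or "your home organization"
    return (f"Thank you for your interest in using Foobar. You authenticated successfully as "
            f"{ctx['eppn']} via {via}, but Foobar is a restricted system and you have not "
            f"registered as a user. If you believe you should have access, please complete an "
            f"access request; for additional inquiries, contact {HELPDESK}.")


def log_line(status, ctx, request_id, now=None):
    """What a helpdesk needs to trace a federated login problem: who, from which IdP,
    which request, what outcome. Nothing else about the user is stored."""
    record = {"ts": int(time.time()) if now is None else now, "request_id": request_id,
              "outcome": status, "idp": ctx.get("idp", ""), "eppn": ctx.get("eppn", ""),
              "affiliation": ctx.get("affiliation", "")}
    return json.dumps(record, sort_keys=True)


def handle(environ, request_id="req-0001"):
    """Tie the pieces together; returns (http_status, message, log_record)."""
    status, ctx = classify(environ)
    code = {"authorized": 200, "unprovisioned": 403, "unauthenticated": 401}[status]
    return code, user_message(status, ctx), log_line(status, ctx, request_id)


# Constructed sample requests, shaped like the environ Apache would hand the application
SAMPLE_AUTHORIZED = {HDR_EPPN: "jbruin@ucla.edu", HDR_AFFILIATION: "student",
                     HDR_IDP: "urn:mace:ucla.edu:idp"}
SAMPLE_NO_AFFILIATION = {HDR_EPPN: "jbruin@ucla.edu", HDR_IDP: "urn:mace:ucla.edu:idp"}
SAMPLE_UNPROVISIONED = {HDR_EPPN: "visitor@example.edu", HDR_AFFILIATION: "member",
                        HDR_IDP: "urn:mace:example.edu:idp"}
SAMPLE_UNAUTHENTICATED = {}

if __name__ == "__main__":
    for env in (SAMPLE_AUTHORIZED, SAMPLE_NO_AFFILIATION, SAMPLE_UNPROVISIONED, SAMPLE_UNAUTHENTICATED):
        code, message, record = handle(env)
        print(code, message)
        print(record)
```

The split between `user_message` and `log_line` is deliberate: the screen gets the explanation and the remedy, the log gets the identifiers (eppn, IdP, request id) that a helpdesk at either end of a federation can correlate, and neither carries more than it needs. The `SAMPLE_NO_AFFILIATION` request shows the slide's privacy point in practice: a registered user is still authorized when the IdP withheld the affiliation attribute.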
Preparing Your Application for Shibboleth: Next Steps
• Install fest?
• Usability workshops?
• Diagnostic/testing modules?
• Common logging format?
• Helpdesk coordination
  – KB: kb.ucla.edu? Something else?
  – Shared diagnostics support scripts?
Resources
• Official Shibboleth website: http://shibboleth.internet2.edu
• Shibboleth Wiki: https://spaces.internet2.edu/display/SHIB
• InCommon Federation: http://www.incommonfederation.org/
• UCTrust Federation: http://www.ucop.edu/irc/itlc/uctrust/
• 3 cool demos of how Shib works from the Swiss Shibboleth Federation folks: http://www.switch.ch/aai/demo/
• Middleware Infrastructure Group’s website: http://spaces.ais.ucla.edu
Q&A