Shibboleth Update
Michael Gettes, Principal Technologist, Georgetown University
Ken Klingenstein, Director, Internet2 Middleware Initiative
Shibboleth Architecture Concepts - High Level
(diagram: Browser, Origin Site, Target Site with its Target Web Server; the first access is unauthenticated; an authentication phase at the origin site is followed by an authorization phase at the target site, which passes content if the user is allowed)
Shibboleth Architecture Concepts (detail)
(diagram of the two passes between the Browser, the Origin Site (Web Login Server, Attribute Server) and the Target Site (Target Web Server); the labels read in this order:
1. First access - unauthenticated: the target web server redirects the user to the local web login at the origin site.
2. Authentication phase: the web login server prompts the user; "Auth OK".
3. Second access - authenticated: the target asks the origin's attribute server to obtain entitlements ("Req Ent").
4. The attribute server passes the entitlements to the target for the authz decision.
5. Authorization phase, "Success!": the target passes content if the user is allowed.)
Shibboleth Architecture (diagram)
Shibboleth Components (diagram)
Descriptions of services
1. local authn server - assumed part of the campus environment
2. web SSO server - typically works with the local authn service to provide web single sign-on
3. resource manager proxy, resource manager - may serve as control points for actual web page access
4. attribute authority - assembles/disassembles/validates signed XML objects using the attribute repository and policy tables
5. attribute repository - an LDAP directory, or a roles database, or ...
6. Where Are You From service - one possible way to direct external users to their own local authn service
7. attribute mapper - converts user entitlements into local authorization values
8. PDP - policy decision points - decide if user attributes meet authorization requirements
9. SHAR - Shibboleth Attribute Requestor - used by the target to request user attributes
Shibboleth Flows (draft diagram)
Shibboleth Architecture - Managing Trust
(diagram: a TRUST relationship between the Origin Site's Attribute Server and the Shib engine in front of the Target Web Server at the Target Site, with the Browser between the two sites)
Personal Privacy
The Web Login Server provides a pseudonymous identity. An Attribute Authority releases personal information associated with that pseudonymous identity to site X based on:
• Site defaults - business rules
• User control - my.AA
• Filtered by contract provisions
(diagram: Browser, User, Site Defaults, My AA, Contract provisions)
Managing ARPs (attribute release policies; diagram)
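Added example in Python, not Shibboleth's own code: a stand-alone simulation of the component flow from "Descriptions of services" (web login issues a pseudonymous handle, the SHAR asks the attribute authority for attributes, the attribute mapper and PDP decide) together with the release rules from "Personal Privacy" and "Managing ARPs" (site defaults, user control, contract provisions). The user, attributes, site names, rule tables and the shape of `arp_release` are constructed for illustration; real ARPs are not in this format, and the signing and validation of the XML objects that service 4 performs is omitted.

```python
"""Added example, not Shibboleth project code: simulates the flow in
"Descriptions of services" and the attribute release rules on the
"Personal Privacy" / "Managing ARPs" slides.  All data is constructed and
the rule tables are an assumed shape, not the real ARP format."""
import secrets

# 5. attribute repository (constructed; an LDAP directory in practice)
REPOSITORY = {
    "alice": {"eduPersonAffiliation": ["student", "member"],
              "eduPersonEntitlement": ["urn:mace:example:library:journals"],
              "mail": "alice@origin.example", "displayName": "Alice A."},
}
PASSWORDS = {"alice": "correct horse"}          # 1. local authn (stand-in)

# Release-policy inputs from the Personal Privacy slide; "*" = any site
SITE_DEFAULTS = {"*": {"eduPersonAffiliation"},
                 "target.example": {"eduPersonAffiliation",
                                    "eduPersonEntitlement", "mail"}}
USER_CONTROL = {"alice": {"target.example": {"mail"}}}   # my.AA: user withholds mail
CONTRACT_PROVISIONS = {"target.example": {"eduPersonAffiliation",
                                          "eduPersonEntitlement"}}

def arp_release(user, target):
    """Attributes released for `user` to `target`: the site default for that
    target (or the "*" default), minus anything the user withheld, restricted
    to what the contract with that target permits."""
    allowed = set(SITE_DEFAULTS.get(target, SITE_DEFAULTS["*"]))
    allowed -= USER_CONTROL.get(user, {}).get(target, set())
    if target in CONTRACT_PROVISIONS:
        allowed &= CONTRACT_PROVISIONS[target]
    return {k: v for k, v in REPOSITORY[user].items() if k in allowed}

class OriginSite:
    """2. web SSO server plus 4. attribute authority."""
    def __init__(self):
        self.handles = {}                 # opaque handle -> local user

    def web_login(self, user, password):
        if PASSWORDS.get(user) != password:
            return None
        handle = secrets.token_hex(16)    # pseudonymous: tells the target nothing
        self.handles[handle] = user
        return handle

    def attribute_authority(self, handle, target):
        user = self.handles.get(handle)   # resolved only inside the origin site
        return arp_release(user, target) if user else {}

# 7. attribute mapper: entitlements -> local authorization values
def attribute_mapper(attrs):
    roles = set()
    if "student" in attrs.get("eduPersonAffiliation", []):
        roles.add("reader")
    if "urn:mace:example:library:journals" in attrs.get("eduPersonEntitlement", []):
        roles.add("journals")
    return roles

# 8. PDP: do the mapped roles satisfy the resource's requirement?
RESOURCE_POLICY = {"/journals/": {"journals"}, "/news/": {"reader"}}
def pdp(roles, path):
    return RESOURCE_POLICY[path] <= roles

WAYF = {}   # 6. Where Are You From: origin name -> OriginSite

def shib_access(target, origin_name, user, password, path):
    """First access is unauthenticated: the target sends the browser via the
    WAYF to its origin's web login.  The second access carries the handle, and
    the target's SHAR (9) asks the origin's AA for attributes for that handle."""
    origin = WAYF[origin_name]
    handle = origin.web_login(user, password)
    if handle is None:
        return {"released": {}, "allowed": False}
    attrs = origin.attribute_authority(handle, target)     # SHAR request
    return {"released": attrs, "allowed": pdp(attribute_mapper(attrs), path)}

def demo():
    WAYF["origin.example"] = OriginSite()
    ok = shib_access("target.example", "origin.example", "alice", "correct horse", "/journals/")
    other = shib_access("other.example", "origin.example", "alice", "correct horse", "/journals/")
    bad = shib_access("target.example", "origin.example", "alice", "wrong", "/news/")
    return ok, other, bad

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running it shows the three release outcomes the slides distinguish: the contracted target gets affiliation and entitlement but not the mail attribute the user withheld (and never the display name, which no rule releases); an unknown target falls back to the site default and therefore fails the journals check; a failed login yields no handle and no attributes at all. The target never learns the local username, only the per-session handle.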
Middleware Marketing
Drivers of Vapor Convergence
(diagram: Shibboleth inter-realm authZ, local web SSO pressures, local authentication, OKI/Web authentication and JA-SIG uPortal authentication converge, so that "we all get Web SSO, an Enterprise Authorization Framework and an Integrated Portal that will all work inter-institutionally!")
Middleware Inputs & Outputs
(diagram with Shibboleth, eduPerson, affiliated directories, etc. at the center; surrounding boxes: Licensed Resources, Grids, OKI Embedded App Security, JA-SIG & uPortal, Inter-realm calendaring, Campus Web SSO, Enterprise Directory, Enterprise Authentication, Enterprise authZ (futures), Legacy Systems)
Errata--ica
National Science Foundation NMI program
• $12 million over 3 years
• www.nsf-middleware.org
• Middleware Service Providers, Integrators, Distributors
• GRID (Globus)
• Internet2 + EDUCAUSE + SURA
• May 2002 - first set of deliverables from all parties
The Liberty Alliance
www.project-liberty.org
Sun Microsystems, American Express, United Airlines, Nokia, MasterCard, AOL Time Warner, American Airlines, Bank of America, Cisco, France Telecom, Intuit, NTT DoCoMo, Verisign, Schlumberger, Sony ...
Initiated in September 2001. Protect privacy, federated administration, interoperability, standards based but requires new technology, hard problems to solve, a Network Identity Service.
Funny, doesn't this stuff sound familiar?