7 october 2015 shibboleth. agenda shibboleth background and status why is shibboleth important (to...


Page 1: 7 October 2015 Shibboleth. Agenda  Shibboleth Background and Status  Why is Shibboleth Important (to Higher Ed)?  Current Pilots Course Management


Shibboleth

Page 2:

Agenda

Shibboleth Background and Status

Why is Shibboleth Important (to Higher Ed)?

Current Pilots
• Course Management
• Library Pilots
• Other Pilot Projects

Next Steps

Page 3:

Shibboleth Background and Status

Why is Shibboleth Important?

Current Pilots

Next Steps

Page 4:

What is Shibboleth?

An initiative to develop an architecture and policy framework supporting the sharing, between domains, of secured web resources and services

A project delivering an open source implementation of the architecture and framework


Page 5:

What is Shibboleth?

A system...

with an emphasis on privacy
• users control release of their attributes

based on open standards (SAML) and available in open source form

built on “federated administration”

Page 6:

Attribute-based authorization

There is a spectrum of approaches available for attribute-based management of access to controlled resources:

• At one end is the attribute-based approach, where attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision. This approach does not degrade privacy.

• At the other end is the identity-based approach, where the identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access. Since this leads with identity, this approach requires the user to trust the target to protect privacy.

Page 7:

Stage 1 - Addressing Four Scenarios

Member of campus community accessing licensed resource

• Anonymity required

Member of a course accessing remotely controlled resource

• Anonymity required

Member of a workgroup accessing controlled resources

• Controlled by unique identifiers (e.g. name)

Intra-university information access

• Controlled by a variety of identifiers

Taken individually, each of these situations can be solved in a variety of straightforward ways. Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.

Page 8:

High Level Architecture

Destination and origin site collaborate to provide a privacy-preserving “context” for Shibboleth users

Origin site authenticates user

Destination site requests attributes about user directly from origin site

Users (and organizations) can control what attributes are released

Page 9:

Technical Components

Origin Site – Required Enterprise Infrastructure
• Authentication
• Attribute Repository

Origin Site – Shib Components
• Handle Server
• Attribute Authority

Target Site – Required Enterprise Infrastructure
• Web Server (Apache or IIS)

Target Site – Shib Components
• SHIRE
• SHAR
• WAYF
• Resource Manager

Page 10:

From Shibboleth Arch doc: Origin / Target

[Figure from the Shibboleth architecture document: the Origin (University: Authentication System, Enterprise Directory, Handle Service, Attribute Authority) and the Target (Resource Provider: HTTP Server, SHIRE, WAYF) for a request to http://www.CoolResource.com, with numbered flow steps 1, 2, 2a, 3, 3a, 3b, 3c and 4]

Page 11:

From Shibboleth Arch doc: Origin / Target

[Figure from the Shibboleth architecture document, continued: the Origin (University: Authentication System, Enterprise Directory, Handle Service, Attribute Authority) and the Target (Resource Provider: HTTP Server, SHIRE, WAYF, SHAR, Resource Manager) for a request to http://www.CoolResource.com; the handle is passed in steps 1 to 4 and attributes are returned in steps 5 and 6]

Page 12:

Attribute Authority: Management of Attribute Release Policies

The AA provides ARP management tools/interfaces.

• Different ARPs for different targets
• Each ARP specifies which attributes and which values to release
• Institutional ARPs (default)
  – administrative default policies and default attributes
  – Site can force include and exclude
• User ARPs managed via “MyAA” web interface
• Release set determined by “combining” Default and User ARP for the specified resource
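The combining rule on this slide, worked through as an added example that is not from the presentation or from the Shibboleth code base; it assumes a simple dictionary layout for ARPs, a constructed user record, and uses http://www.CoolResource.com from the architecture diagram as the target:

```python
# Added example (not from the slides): one way an Attribute Authority could
# combine the institutional default ARP with a user's ARP for one target.
# Dictionary layout, target name and attribute values are assumptions.
ANY = "*"  # release every value the user holds for the attribute

# Institutional (default) ARP, keyed by target. The site can force an
# attribute to be released or withheld regardless of the user's own ARP.
INSTITUTIONAL_ARP = {
    "targets": {
        "http://www.CoolResource.com": {
            "Affiliation": {ANY},
            "Entitlement": {"urn:mace:vendor:contract1234"},
            "EPPN": {ANY},
        },
    },
    "force_include": {"Affiliation"},
    "force_exclude": {"OrgUnit"},
}

# User ARP (managed via "MyAA"): the user may narrow the default, never widen it.
USER_ARP = {
    "http://www.CoolResource.com": {
        "Entitlement": {ANY},
        "EPPN": set(),  # user withholds their identity from this target
    },
}

# Constructed attributes for one user, in the slide's attribute vocabulary.
USER_ATTRIBUTES = {
    "Affiliation": ["member@osu.edu", "student@osu.edu"],
    "EPPN": ["jdoe@osu.edu"],
    "Entitlement": ["urn:mace:vendor:contract1234", "urn:mace:vendor:contract9999"],
    "OrgUnit": ["Economics Department"],
    "EnrolledCourse": ["urn:mace:osu.edu:Physics201"],
}

def _permitted(allowed, values):
    return [v for v in values if ANY in allowed or v in allowed]

def release_set(target, attrs, inst=INSTITUTIONAL_ARP, user=USER_ARP):
    """Attributes and values the AA may release to `target` for this user."""
    default, mine, released = inst["targets"].get(target, {}), user.get(target, {}), {}
    for attr, values in attrs.items():
        if attr in inst["force_exclude"] or attr not in default:
            continue  # site never releases it, or this target is not entitled to it
        values = _permitted(default[attr], values)
        if attr not in inst["force_include"] and attr in mine:
            values = _permitted(mine[attr], values)  # user narrows the default
        if values:
            released[attr] = values
    return released
```

For the constructed user, only the forced Affiliation and the contract entitlement reach CoolResource: EPPN is withheld by the user, OrgUnit is force-excluded by the site, and EnrolledCourse is not in the default ARP for that target.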

Page 13:

Typical Attributes in the Higher Ed Community

Attribute        Meaning                          Example
Affiliation      “active member of community”     [email protected]
EPPN             Identity                         [email protected]
Entitlement      An agreed upon opaque URI        urn:mace:vendor:contract1234
OrgUnit          Department                       Economics Department
EnrolledCourse   Opaque course identifier         urn:mace:osu.edu:Physics201

Page 14:

Managing Trust

When a target receives a request to create a session, the Authn Assertion must be signed (PKI validation), and the origin must be a member of a common Federation.

(today) When an Origin receives a request for attributes, it must be transported across SSL. The name of the Requestor is used to locate the appropriate ARP.

Page 15:

Target – Managing Attribute Acceptance

InCommon (IC) will NOT require members to do business with each other

So, targets will NOT have to accept attributes from every origin

Targets use Attribute Acceptance Policies

Page 16:

Managing Authorization

Target manages rules specifying what attributes must be supplied in order to gain access

Rules are attribute based
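Target-side attribute acceptance (previous slide) and attribute-based authorization rules (this slide), as an added example that is not from the presentation or from the Shibboleth software; the AAP and rule layout, the origin name origin.osu.example and the asserted values are assumptions:

```python
# Added example (not from the slides): a target's Attribute Acceptance Policy
# followed by attribute-based authorization rules. The policy and rule layout,
# the origin name and the asserted values are assumptions.
SCOPED = {"Affiliation", "EPPN"}  # values of the form value@scope

# Attribute Acceptance Policy: which origins this target does business with,
# which attributes it accepts from each, and which scope each may assert.
AAP = {
    "origin.osu.example": {
        "scope": "osu.edu",
        "accept": {"Affiliation", "EPPN", "Entitlement", "EnrolledCourse"},
    },
}

# Authorization rules: clauses within a rule are ANDed, rules are ORed.
RULES = [
    [("Entitlement", "urn:mace:vendor:contract1234")],
    [("Affiliation", "student@osu.edu"),
     ("EnrolledCourse", "urn:mace:osu.edu:Physics201")],
]

# Constructed attribute assertion from the OSU origin, with one out-of-scope value.
SAMPLE_ASSERTION = {
    "Affiliation": ["student@osu.edu", "member@other.edu"],
    "EnrolledCourse": ["urn:mace:osu.edu:Physics201"],
    "OrgUnit": ["Economics Department"],
}

def accept_attributes(origin, asserted, aap=AAP):
    """Keep only the attributes and values the AAP lets `origin` assert."""
    policy = aap.get(origin)
    if policy is None:
        return {}  # no federation business with this origin: accept nothing
    kept = {}
    for attr, values in asserted.items():
        if attr not in policy["accept"]:
            continue
        if attr in SCOPED:  # an origin may only assert values in its own scope
            values = [v for v in values if v.rpartition("@")[2] == policy["scope"]]
        if values:
            kept[attr] = values
    return kept

def authorize(attrs, rules=RULES):
    return any(all(v in attrs.get(a, []) for a, v in rule) for rule in rules)

def decide(origin, asserted):
    """Access decision for attributes asserted by `origin`."""
    return authorize(accept_attributes(origin, asserted))
```

The scope check is what stops one origin from asserting an affiliation for another institution; the sample assertion passes only because the in-scope student affiliation and the course identifier satisfy the second rule.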

Page 17:

Various Federation Deploy Models

A target can be a member of multiple federations.

For each transaction, it will determine the origin, and the federation that origin belongs to, and the policies that federation is operating under

Currently, an origin can be a member of only one federation, so a campus that is in multiple federations would have to deploy multiple instances of the Shib origin software.

Soon: support for a multi-federation origin.

Page 18:

InCommon

A federation to support academic and research activities.

Members can be organizations that are:
• origins (IdSPs)
• targets (student loan services, content providers)
• both (universities, museums, etc.)

Federation functions:
• Central registry service and WAYF service
• Origin practices on attributes and authentication
• Target practices on the management of exchanged attributes
• Attribute sets (eduPerson and eduOrg) for use to exchange attributes

Page 19:

InCommon Operation

Operated by Internet2, open to all interested parties; registration fees modest and likely absorbed internally for Internet2 members

Initial governance by NPPAC (I2 CIO policy/planning council) with the intent to propose a lightweight governance structure to club members

Registration services on line; distribution of registry updates nightly

Self-audits by members

Page 20:

Shibboleth Status

Version 1.1 available summer 2003
• Target support for Apache and IIS
• Origin implemented in Java
• Supports LDAP and SQL repositories

InQueue operational, InCommon soon

25 campuses have deployed Shib origins

Growing vendor activity
• Information vendors (e.g. JSTOR, EBSCO, etc.)
• Admin Apps

Page 21:

Shibboleth Background and Status

Why is Shibboleth Important?

Current Pilots

Next Steps

Page 22:

Why Shibboleth?

Higher Ed is a collaborative enterprise
• Faculty have strong ties to peers at other institutions
• With web-based IMS systems, faculty share resources with their peers

Research is a collaborative enterprise
• “During the next three to five years, Brown will establish several multidisciplinary centers or institutes that will bring faculty expertise and resources together in optimal ways, possibly through collaboration with other institutions.” - Robert Zimmer, Provost, Brown University
• “Research in the future will be all about collaboration and distributed research groups that are facilitated through technology.” - Andries van Dam, VP Research, Brown University

Page 23:

Why Shibboleth? Security

Better security tools will make collaboration more “painless” and more secure

Current "solutions" are primitive; we can do better today and without local overhaul

Shibboleth Simplifies Management and Use of Distributed Systems

Page 24:

Why Shibboleth? Improved Access Control

Simplifies management of access to extended functionality

• Librarians, based on their role, are given a higher-than-usual level of access to an online database to which a college might subscribe.

• Librarians and publishers can enforce complicated license agreements that may restrict access to special collections to small groups of faculty researchers

Page 25:

Why Shibboleth? Federated Administration

Users registered only at their “home” or “origin” institution

Flexibly partitions responsibility, policy, technology, and trust

Authorization information sent, instead of authentication information

• when possible, use groups instead of people on ACLs
• identity information still available for auditing and for applications that require it

Page 26:

Why Shibboleth? Privacy

Higher Ed has privacy obligations
• In US, “FERPA” requires permission for release of most personal identification information; encourages least privilege in information access

General interest and concern for privacy is growing

Shibboleth has active (vs. passive) privacy provisions “built in”

Page 27:

Shibboleth Background and Status

Why is Shibboleth Important

Current Pilots

Next Steps

Page 28:

Current Pilots

Course Management

Library Pilots

Other Pilot Projects

Page 29:

Course Management

WebCT

BlackBoard

Webassign

Page 30:

Library Pilot

A dozen+ campuses working with 6 information vendors

Using Shibboleth to control access to electronic resources

Good test case for privacy requirements, trust model needs

Page 31:

Project Goals

Explore and Evaluate the utility of the Shibboleth model (attributes) for controlling access to licensed resources

Identify problems and issues with this approach

• How well do existing licenses map to attributes?
• Library “walk-in” customers
• Physical location sometimes important (being “in” the Law Library)
• Managing an environment with both Shib’ed and non-Shib’ed resources

Page 32:

Campus Participants

Carnegie Mellon

Columbia

Dartmouth

Georgetown

London School of Economics

New York Unv.

Ohio State

Penn State

U. Colorado

U. Michigan

U. Washington

U. Wisconsin – Madison

UCOP (U. California System)

U. Texas Health Science Center at Houston

Page 33:

Vendor Participants

EBSCO

Elsevier

OCLC

Sfx (Ex libris)

JSTOR

McGraw Hill eBooks

Page 34:

Shibboleth Deployment Issues

Access Issues
• Kiosks and walk-ins
• logins for on-campus use

Licensing issues
• reconciling license structures with directory structures
• system and consortial issues
• mitigating disintermediation

Functional issues
• handling Shibbed and non-Shibbed resources
• roll-out strategies
• entitlements vs attributes
• what attributes to pass
• how to structure the attribute name space

Page 35:

Other Pilot Projects

Univ Admin Applications

Student Financial Aid (e.g. Meteor)

American Association of Medical Colleges

NSDL (National Science Digital Library)

SWITCH - The Swiss National Academic Community

UK/JISC - Controlled Access to Licensed Resources

Univ Texas, Medical Center and instruction

Washington Research Library Consortium (WRLC)

Page 36:

Shibboleth Background and Status

Why is Shibboleth Important

Current Pilots

Next Steps

Page 37:

Next Steps

Get InCommon Operational

Non-Web Use Cases
• Federated P2P (LionShare)
• Information Access (WebDAV, Streaming Server)
• Collaboration (IM, VideoConference)
• 3-tier

GUI - Attribute Release Policy Management

Native java-based target implementation

Page 38:

So… What is Shibboleth?

A Web Single-Signon System (SSO)?

An Access Control Mechanism for Attributes?

A Standard Interface and Vocabulary for Attributes?

A Standard for Adding Authn and Authz to Applications?