Shibboleth (7 October 2015)
Transcript (April 21, 2023)
Shibboleth
Agenda
Shibboleth Background and Status
Why is Shibboleth Important (to Higher Ed)?
Current Pilots
• Course Management
• Library Pilots
• Other Pilot Projects
Next Steps
What is Shibboleth?
An initiative to develop an architecture and policy framework supporting the sharing – between domains -- of secured web resources and services
A project delivering an open source implementation of the architecture and framework
What is Shibboleth?
A system...
with an emphasis on privacy
• users control release of their attributes
based on open standards (SAML) and available in open source form
built on "federated administration"
Attribute-based authorization
There is a spectrum of approaches available for attribute-based management of access to controlled resources:
• At one end is the attribute-based approach, where attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision. The resource never needs to learn who the user is, so this approach does not degrade privacy.
• At the other end is the identity-based approach, where the identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access. Since this leads with identity, the user must trust the target to protect their privacy.
Stage 1 - Addressing Four Scenarios
Member of campus community accessing licensed resource
• Anonymity required
Member of a course accessing remotely controlled resource
• Anonymity required
Member of a workgroup accessing controlled resources
• Controlled by unique identifiers (e.g. name)
Intra-university information access
• Controlled by a variety of identifiers
Taken individually, each of these situations can be solved in a variety of straightforward ways. Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.
High Level Architecture
Destination and origin site collaborate to provide a privacy-preserving “context” for Shibboleth users
Origin site authenticates user
Destination site requests attributes about user directly from origin site
Users (and organizations) can control what attributes are released
Technical Components
Origin Site – Required Enterprise Infrastructure
• Authentication
• Attribute Repository
Origin Site – Shib Components
• Handle Server
• Attribute Authority
Target Site – Required Enterprise Infrastructure
• Web Server (Apache or IIS)
Target Site – Shib Components
• SHIRE
• SHAR
• WAYF
• Resource Manager
[Figure, from the Shibboleth architecture document: the end-to-end flow between Origin and Target. The Origin (University) side shows the Authentication System, the Enterprise Directory, the Handle Service and the Attribute Authority; the Target (Resource Provider, http://www.CoolResource.com) side shows the HTTP Server, SHIRE, WAYF, SHAR and the Resource Manager. The arrows are numbered 1, 2, 2a, 3, 3a, 3b, 3c, 4, 5 and 6 and follow the sequence described under High Level Architecture: the user's request for the resource, the SHIRE/WAYF redirect to the user's origin, authentication at the origin and issuance of a handle, return of the handle to the target, the SHAR's attribute request to the Attribute Authority, and delivery of the released attributes to the Resource Manager for the access decision.]
Attribute Authority - Management of Attribute Release Policies
The AA provides ARP management tools/interfaces.
• Different ARPs for different targets
• Each ARP specifies which attributes and which values to release
• Institutional ARPs (default)
  – administrative default policies and default attributes
  – site can force include and exclude
• User ARPs managed via "MyAA" web interface
• Release set determined by "combining" the default and user ARP for the specified resource
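The origin-side pieces described in the Technical Components and Attribute Authority slides above (a Handle Service that mints opaque handles after local authentication, and an Attribute Authority that answers a target's query under combined institutional and user ARPs), as an added toy model in Python. This is illustration code written for this page, not Shibboleth's own implementation; the directory entries, target names, the "MyAA" user settings and the ARP combination semantics (default plus user allow, minus user deny, then site force-include and force-exclude applied last) are constructed assumptions that simplify the real ARP engine.

```python
"""Toy model of a Shibboleth 1.x origin: Handle Service plus Attribute
Authority with attribute release policies. Added illustration, not project
code; all data and policy semantics below are constructed assumptions."""
import secrets
import time

# Enterprise attribute repository (constructed sample data).
DIRECTORY = {
    "jdoe": {
        "affiliation": {"member", "student"},
        "eppn": {"jdoe@osu.edu"},
        "entitlement": {"urn:mace:vendor:contract1234"},
        "orgUnit": {"Economics Department"},
        "enrolledCourse": {"urn:mace:osu.edu:Physics201"},
    },
}

LICENSED = "https://www.CoolResource.com/shibboleth"     # anonymity required
COURSEWARE = "https://courseware.example.edu/shibboleth"  # assumed course system

# Institutional (default) ARPs, one per target plus a catch-all "*".
# Assumed semantics: "default" is released unless the user withholds it;
# "force_include" and "force_exclude" override the user's own ARP.
SITE_ARP = {
    "*": {"default": set(), "force_include": set(), "force_exclude": {"eppn"}},
    LICENSED: {
        "default": {"affiliation"},
        "force_include": {"affiliation"},
        "force_exclude": {"eppn", "orgUnit", "enrolledCourse"},
    },
    COURSEWARE: {
        "default": {"affiliation", "enrolledCourse"},
        "force_include": set(),
        "force_exclude": set(),
    },
}

# User ARPs, as set through a "MyAA"-style interface. jdoe chooses to be
# identified to the course system and also tries to release eppn to the
# licensed resource; the site ARP's force_exclude blocks the latter.
USER_ARP = {
    "jdoe": {
        COURSEWARE: {"allow": {"eppn"}, "deny": set()},
        LICENSED: {"allow": {"eppn"}, "deny": set()},
    },
}

HANDLE_TTL = 300   # seconds a handle stays valid (assumed)
_handles = {}      # handle -> (principal, target, expiry)


def issue_handle(principal, target):
    """Handle Service: after the campus has authenticated the user, mint an
    opaque handle that carries no identity, is bound to one target, expires
    quickly and can be resolved only by this origin's Attribute Authority."""
    if principal not in DIRECTORY:
        raise KeyError("unknown principal")
    handle = secrets.token_urlsafe(24)
    _handles[handle] = (principal, target, time.time() + HANDLE_TTL)
    return handle


def resolve_handle(handle, requester):
    """Map a handle back to a principal: single use, time-limited, and only
    for the target it was issued to, so a leaked handle buys another site nothing."""
    entry = _handles.pop(handle, None)  # consumed even if the checks below fail
    if entry is None:
        raise ValueError("unknown or already-used handle")
    principal, target, expiry = entry
    if requester != target:
        raise ValueError("handle was not issued for this requester")
    if time.time() > expiry:
        raise ValueError("expired handle")
    return principal


def effective_release(principal, target):
    """Combine the institutional and user ARPs that apply to one target."""
    site = SITE_ARP.get(target, SITE_ARP["*"])
    user = USER_ARP.get(principal, {}).get(target, {"allow": set(), "deny": set()})
    released = (site["default"] | user["allow"]) - user["deny"]
    released |= site["force_include"]
    released -= site["force_exclude"]
    return released


def attribute_query(handle, requester):
    """Attribute Authority: the requester's name (as authenticated on the
    transport) selects the ARP; only attributes that survive it are returned."""
    principal = resolve_handle(handle, requester)
    released = effective_release(principal, requester)
    return {name: sorted(values)
            for name, values in DIRECTORY[principal].items() if name in released}


if __name__ == "__main__":
    print(attribute_query(issue_handle("jdoe", LICENSED), LICENSED))      # affiliation only
    print(attribute_query(issue_handle("jdoe", COURSEWARE), COURSEWARE))  # plus eppn, enrolledCourse
```

The licensed resource learns only that the handle belongs to an active member and student, never the EPPN, even though the user tried to release it; the course system, where the instructor needs to know who submitted work, receives the EPPN because both the institutional and the user ARP permit it.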
Typical Attributes in the Higher Ed Community
Affiliation: "active member of community"
EPPN: identity, e.g. [email protected]
Entitlement: an agreed-upon opaque URI, e.g. urn:mace:vendor:contract1234
OrgUnit: department, e.g. Economics Department
EnrolledCourse: opaque course identifier, e.g. urn:mace:osu.edu:Physics201
Managing Trust
When a target receives a request to create a session, the Authn Assertion must be signed (validated via PKI), and the origin must be a member of a federation the target also belongs to.
(Today) When an origin receives a request for attributes, the request must be transported over SSL. The name of the requestor is used to locate the appropriate ARP, so the requestor must be authenticated on that connection rather than simply trusted to name itself.
Target – Managing Attribute Acceptance
InCommon will NOT require members to do business with each other
So, targets will NOT have to accept attributes from every origin
Targets use Attribute Acceptance Policies to decide which attributes (and which values) they will accept from which origins
Managing Authorization
Target manages rules specifying what attributes must be supplied in order to gain access
Rules are attribute based
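The target-side checks described under Managing Trust, Managing Attribute Acceptance and Managing Authorization above, as an added toy model in Python. This is illustration code written for this page, not Shibboleth's own implementation: the federation registry, the scopes assigned to each origin, the acceptance policy, the rules and the sample attribute sets are all constructed, and signature validation of the authentication assertion is assumed to have already succeeded before these checks run. The acceptance policy generalises the slide's point slightly: besides refusing attributes from origins outside the federation, it refuses scoped values (such as member@brown.edu) asserted by an origin not registered for that scope, which is the check that stops one member campus from minting affiliations for another.

```python
"""Toy model of a Shibboleth 1.x target: federation membership check,
Attribute Acceptance Policy, attribute-based authorization rules. Added
illustration, not project code; registry, policy and samples are constructed."""

# Federation registry, as distributed by the federation: member origins and
# the attribute scopes each is entitled to assert (constructed).
FEDERATION_REGISTRY = {
    "InCommon": {
        "urn:mace:incommon:osu.edu": {"scopes": {"osu.edu"}},
        "urn:mace:incommon:brown.edu": {"scopes": {"brown.edu"}},
    },
}

# Attribute Acceptance Policy (assumed shape). Attributes without a rule are
# dropped; "scoped" values must carry a scope the origin is registered for;
# a "values" set restricts which values are accepted at all.
AAP = {
    "affiliation": {"scoped": True, "values": {"member", "student", "faculty", "staff"}},
    "entitlement": {"scoped": False, "values": {"urn:mace:vendor:contract1234"}},
    "eppn": {"scoped": True, "values": None},
}

# Authorization rules per protected path: a list of alternatives, each a set
# of (attribute, value) pairs that must all be present; any alternative
# that is fully satisfied grants access.
RULES = {
    "/journals/": [
        {("affiliation", "member@osu.edu")},
        {("entitlement", "urn:mace:vendor:contract1234")},
    ],
    "/librarian-tools/": [
        {("affiliation", "staff@osu.edu"), ("entitlement", "urn:mace:vendor:contract1234")},
    ],
}


def origin_entry(origin_id):
    """Managing trust: the origin must belong to a federation we are in."""
    for members in FEDERATION_REGISTRY.values():
        if origin_id in members:
            return members[origin_id]
    raise PermissionError(f"origin {origin_id} is not in any federation we trust")


def accept_attributes(origin_id, attributes):
    """Apply the AAP to the attributes received from one origin."""
    entry = origin_entry(origin_id)
    accepted = {}
    for name, values in attributes.items():
        rule = AAP.get(name)
        if rule is None:
            continue  # nothing in our policy admits this attribute
        kept = []
        for value in values:
            bare, at, scope = value.partition("@")
            if rule["scoped"]:
                # A scoped value from an origin not registered for that scope
                # is the classic spoof (osu.edu asserting member@brown.edu).
                if not at or scope not in entry["scopes"]:
                    continue
                candidate = bare
            else:
                candidate = value
            if rule["values"] is not None and candidate not in rule["values"]:
                continue
            kept.append(value)
        if kept:
            accepted[name] = kept
    return accepted


def authorize(path, accepted):
    """Attribute-based rule evaluation over the accepted attributes only."""
    have = {(name, v) for name, values in accepted.items() for v in values}
    return any(alternative <= have for alternative in RULES.get(path, []))


def decide(origin_id, attributes, path):
    """Full target decision: trust, acceptance, then authorization."""
    accepted = accept_attributes(origin_id, attributes)
    return authorize(path, accepted), accepted


# Constructed samples. The osu.edu origin also (wrongly) asserts a brown.edu
# affiliation, an entitlement this target never agreed to, and an attribute
# the target has no policy for.
SAMPLE_OSU = {
    "affiliation": ["member@osu.edu", "student@osu.edu", "member@brown.edu"],
    "entitlement": ["urn:mace:vendor:contract1234", "urn:mace:vendor:contract9999"],
    "eppn": ["jdoe@osu.edu"],
    "shoeSize": ["11"],
}
# A Brown researcher: no osu.edu affiliation, but the contract entitlement.
SAMPLE_BROWN = {"affiliation": ["faculty@brown.edu"],
                "entitlement": ["urn:mace:vendor:contract1234"]}

if __name__ == "__main__":
    print(decide("urn:mace:incommon:osu.edu", SAMPLE_OSU, "/journals/"))
    print(decide("urn:mace:incommon:brown.edu", SAMPLE_BROWN, "/journals/"))
```

Note that authorization is evaluated over the accepted attributes, never the raw ones: the order of the three checks is what makes the rules safe to write in terms of scoped values.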
Various Federation Deploy Models
A target can be a member of multiple federations.
For each transaction, it will determine the origin, the federation that origin belongs to, and the policies that federation is operating under.
(Currently) an origin can be a member of only one federation, so a campus that is in multiple federations would have to deploy multiple instances of the Shib origin software...
Soon: support for a multi-federation origin.
InCommon
A federation to support academic and research activities.
Members can be organizations that are:
• origins (IdSPs)
• targets (student loan services, content providers)
• both (universities, museums, etc.)
Federation functions:
• Central registry service and WAYF service
• Origin practices on attributes and authentication
• Target practices on the management of exchanged attributes
• Attribute sets (eduPerson and eduOrg) for use to exchange attributes
InCommon Operation
Operated by Internet2, open to all interested parties; registration fees modest and likely absorbed internally for Internet2 members
Initial governance by NPPAC (I2 CIO policy/planning council) with the intent to propose a light-weight governance structure to club members
Registration services on line; distribution of registry updates nightly
Self-audits by members
Shibboleth Status
Version 1.1 available summer 2003
• Target support for Apache and IIS
• Origin implemented in Java
• Supports LDAP and SQL repositories
InQueue operational, InCommon soon
25 campuses have deployed Shib origins
Growing vendor activity
• Information vendors (e.g. JSTOR, EBSCO, etc.)
• Admin apps
Why Shibboleth?
Higher Ed is a collaborative enterprise
• Faculty have strong ties to peers at other institutions
• With web-based IMS systems, faculty share resources with their peers
Research is a collaborative enterprise
• "During the next three to five years, Brown will establish several multidisciplinary centers or institutes that will bring faculty expertise and resources together in optimal ways, possibly through collaboration with other institutions." - Robert Zimmer, Provost, Brown University
• "Research in the future will be all about collaboration and distributed research groups that are facilitated through technology." - Andries van Dam, VP Research, Brown University
Why Shibboleth? Security
Better security tools will make collaboration more “painless” and more secure
Current "solutions" are primitive; we can do better today and without local overhaul
Shibboleth Simplifies Management and Use of Distributed Systems
Why Shibboleth? Improved Access Control
Simplifies management of access to extended functionality
• Librarians, based on their role, are given a higher-than-usual level of access to an online database to which a college might subscribe.
• Librarians and publishers can enforce complicated license agreements that may restrict access to special collections to small groups of faculty researchers
Why Shibboleth? Federated Administration
Users registered only at their “home” or “origin” institution
Flexibly partitions responsibility, policy, technology, and trust
Authorization information sent, instead of authentication information
• when possible, use groups instead of people on ACLs
• identity information still available for auditing and for applications that require it
Why Shibboleth? Privacy
Higher Ed has privacy obligations
• In US, "FERPA" requires permission for release of most personal identification information; encourages least privilege in information access
General interest and concern for privacy is growing
Shibboleth has active (vs. passive) privacy provisions “built in”
Current Pilots
Course Management
Library Pilots
Other Pilot Projects
Course Management
WebCT
BlackBoard
Webassign
Library Pilot
A dozen+ campuses working with 6 information vendors
Using Shibboleth to control access to electronic resources
Good test case for privacy requirements, trust model needs
Project Goals
Explore and Evaluate the utility of the Shibboleth model (attributes) for controlling access to licensed resources
Identify problems and issues with this approach
• How well do existing licenses map to attributes?
• Library "walk-in" customers
• Physical location sometimes important (being "in" the Law Library)
• Managing an environment with both Shib'ed and non-Shib'ed resources
Campus Participants
Carnegie Mellon
Columbia
Dartmouth
Georgetown
London School of Economics
New York Unv.
Ohio State
Penn State
U. Colorado
U. Michigan
U. Washington
U. Wisconsin – Madison
UCOP (U. California System)
U. Texas Health Science Center at Houston
Vendor Participants
EBSCO
Elsevier
OCLC
Sfx (Ex libris)
JSTOR
McGraw Hill eBooks
Shibboleth Deployment Issues
Access issues
• Kiosks and walk-ins
• Logins for on-campus use
Licensing issues
• Reconciling license structures with directory structures
• System and consortial issues
• Mitigating disintermediation
Functional issues
• Handling Shibbed and non-Shibbed resources
• Roll-out strategies
• Entitlements vs. attributes
• What attributes to pass
• How to structure the attribute name space
Other Pilot Projects
Univ Admin Applications
Student Financial Aid (e.g. Meteor)
American Association of Medical Colleges
NSDL (National Science Digital Library)
SWITCH - The Swiss National Academic Community
UK/JISC - Controlled Access to Licensed Resources
Univ Texas, Medical Center and instruction
Washington Research Library Consortium (WRLC)
Next Steps
Get InCommon Operational
Non-Web Use Cases
• Federated P2P (LionShare)
• Information Access (WebDAV, Streaming Server)
• Collaboration (IM, VideoConference)
• 3-tier
GUI - Attribute Release Policy Management
Native java-based target implementation
So… What is Shibboleth?
A Web Single-Signon System (SSO)?
An Access Control Mechanism for Attributes?
A Standard Interface and Vocabulary for Attributes?
A Standard for Adding Authn and Authz to Applications?