![Page 1: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/1.jpg)
CAMP Integration
Provisioning and Relaying:The Integration Story
http://arch.doit.wisc.edu/keith/camp/
provrel-050628-01.ppt
Keith Hazelton ([email protected])
Sr. IT Architect, University of Wisconsin-Madison
Internet2 MACE
CAMP Integration, Denver, June 28, 2005
![Page 2: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/2.jpg)
2
CAMP Integration Shibboleth v 1.2.1a Integration Overview
• Shibboleth Introduction (The Relay tool from NMI / Internet2 / MACE)
• Identity Provider (Origin) Deployment, Integration– Authentication/Identifier Assertion Phase Components & Dependencies– Identity Attribute Assertion Phase
• Service Provider (Target) Deployment, Integration
• Two scenarios for each:– Shib “classic” e-Lib: accessing licensed resources– Shib federation across a state system: shared services
• The craft of federation
![Page 3: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/3.jpg)
3
CAMP Integration Basic IAM functions mapped to theNMI / MACE components
System
s of R
ecord
Enterprise Directory
Grouper Signet
WebISO
Shibboleth
Apps / Resources
![Page 4: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/4.jpg)
4
CAMP Integration Basic IAM functions mapped to theNMI / MACE components
System
s of R
ecord
Enterprise Directory
Grouper Signet
WebISO
Shibboleth
Apps / Resources
![Page 5: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/5.jpg)
5
CAMP Integration Basic IAM functions mapped to theNMI / MACE components
System
s of R
ecord
Enterprise Directory
Grouper Signet
WebISO
Shibboleth
Apps / Resources
![Page 6: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/6.jpg)
6
CAMP Integration
Alternatives to IP Address Based Access Restriction
1. User-based access restrictionA. Each service provider manages credentials for
all of its users
B. One big credential database of all users used by all service providers
C. Each user has a “home organization” whose credential database can, by magic, be used by each service provider
2. ???
![Page 7: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/7.jpg)
7
CAMP Integration Federated Identities
• “Federated identities” is option C on previous slide– A hierarchical approach to decompose the problem into
manageable pieces– Analogous to the problem that IAM addresses, and rests
upon IAM infrastructure
• “Federating technology” is the “magic” part of option C• “Identity federation” (noun) is a set of service
providers, identity providers, and other context in which the magic happens
![Page 8: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/8.jpg)
8
CAMP Integration Federating Technologies
• SAML implementations– Security Assertion Markup
Language– Shibboleth– Bodington/Guanxi– AthensIM– SourceID– SAMUEL– MS ADFS– Other proprietary
• Liberty Identity Federation implementations– SourceID– Lasso– Proprietary
• Others– MS Inter-Forest Trust
![Page 9: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/9.jpg)
9
CAMP Integration
Shibboleth
Athenticate at home org
Authorize at resource without knowing user’s identity
![Page 10: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/10.jpg)
10
CAMP Integration
Swiss Research/Education Network Demo
• http://www.switch.ch/aai/demo/
![Page 11: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/11.jpg)
11
CAMP Integration Shibboleth Underpinnings
• Elements of shibboleth infrastructure must identify and authenticate each other– Home org or Identity Provider (IdP) pieces– Resource or Service Provider (SP) pieces
• Attribute assertions about authenticated principals are sent from IdPs to SPs
• For it all to work, IdPs and SPs must agree about which attributes and values are tossed around, and their semantics
![Page 12: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/12.jpg)
12
CAMP Integration Federation Value Proposition
• Set of cooperating IdPs and SPs forms a community needing agreement on:– Trust Fabric
• X.509 certs• IdP and SP identifiers & other metadata
– Community standard for attribute semantics– Community standards for IdP and SP operational practices
• Strength of authentication• Confidentiality
• For N IdPs and M SPs, which is easier?– N*M agreements– N+M agreements
![Page 13: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/13.jpg)
13
CAMP Integration Federations …
• Might support trust fabric maintenance– Operate a metadata distribution service
• Might be the locus for attribute standards• Might be the locus for “minimum but sufficient” IdP
and SP operational practice standards• Are not a party to the transactions between IdPs and
SPs• Are not involved with entitling access to resources
![Page 14: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/14.jpg)
14
CAMP Integration The Research and EducationFederation Space
REFCluster
InQueue(a starting point)
InCommon
SWITCH
The ShibResearch Club
Other national nets
Other clusters
Other potential USR+E feds
State of Penn Fin Aid Assoc
NSDL
Slippery slope- Med Centers, etc
Indiana
![Page 15: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/15.jpg)
15
CAMP Integration Shib Identity Provider / (Origin)
Ident.
Provider (wasabi)
ServiceProvider
(gari)Browser User
Apache (1.3 or 2.0) / Tomcat
Web server / Servlet container
“HS”
Attribute Authority
Inspired by SWITCH (Swiss REN) HTTP://www.switch.ch/aai/demo/
WAYF
![Page 16: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/16.jpg)
16
CAMP Integration Identity Provider / (Origin): AuthN, Identifier
Identity
Provider (wasabi)
Apache (1.3 or 2.0) / Tomcat
Web server / Servlet container
“HS”
Attribute Authority
CampusWebISO
![Page 17: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/17.jpg)
17
CAMP Integration WebISO requirements from Shib
• WebISO can authenticate a set of users based on locally issued/registered credentials
• Open source WebISO package, PubCookie,mentioned in “Origin” Deployment Guide.
• For details & download, seehttp://middleware.internet2.edu/webiso/
CampusWebISO
![Page 18: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/18.jpg)
18
CAMP Integration WebISO alternatives
• But end-user PKI certs work fine, too (configurable filter)
• And there are ways to support multiple AuthN methods with failover • “UW-Madison 2” InQueue IdP runs this
configuration• End entity certificate with failover to LDAP basic
auth.• See wasabiHttpd.conf, lines 1017 et seq.
CampusWebISO
![Page 19: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/19.jpg)
19
CAMP Integration Shib assumes Identity and Access Management (IAM) Services
Student System of Record
Meta-Directory
Processes
LDAP Directory
CampusWebISO
Registry
Human Resources System of Record
Other Systems of Record
Enterprise Directory
![Page 20: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/20.jpg)
20
CAMP Integration
CampusWebISO
Identity Provider Middleware
wasabi
Apache (1.3 or 2.0) / Tomcat
Web server / Servlet container
“HS”
Attribute Authority
Enterprise
Directory
![Page 21: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/21.jpg)
21
CAMP Integration
“HS”
Identity Provider / (Origin)
Ident.
Provider (wasabi)
ServiceProvider
(gari)Browser User
Apache (1.3 or 2.0) / Tomcat
Web server / Servlet container
Attribute Authority
![Page 22: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/22.jpg)
22
CAMP Integration
“HS”
Identity Provider / (Origin)Attribute Assertion Phase
Ident.
Provider
ServiceProvider
Browser User
Apache (1.3 or 2.0) / Tomcat
Web server / Servlet container
Attribute Authority
![Page 23: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/23.jpg)
23
CAMP Integration
CampusWebISO
Identity Provider Middleware
Apache (1.3 or 2.0) / Tomcat
Web server / Servlet container
“HS”
Attribute Authority
Enterprise
Directory
![Page 24: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/24.jpg)
24
CAMP Integration Attribute Authority (AA) <–> Ent. Directory
• Shib AA Deployment Issues:
• Configure AA to connect to Ent. Directory– Data connectors can be JNDI-based, JDBC-based (xml-
configurable) or custom user plug-ins
• Map Directory attributes to SAML attributes
![Page 25: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/25.jpg)
25
CAMP Integration Attribute Authority (AA) <–> Ent. Directory
• Fragment of ..conf/origin.xml
![Page 26: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/26.jpg)
26
CAMP Integration Attribute Authority (AA) <–> Ent. Directory
• Resolver links named attributes to specific data connectors:
![Page 27: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/27.jpg)
27
CAMP Integration Attribute Authority (AA) <–> Ent. Directory
• …and specifies connector
(here JNDI LDAP):
![Page 28: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/28.jpg)
28
CAMP Integration Attribute Authority (AA) <–> Ent. Directory
• …and specifies connector
(here JDBC SQL):
![Page 29: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/29.jpg)
29
CAMP Integration Attribute Authority (AA) <–> Ent. Directory
• Shib AA Deployment Issues, cont.:• Comply with Attribute Release Policy (ARP)
in determining which service providers get which attributes– Federation rules are given– Bilateral or Community of Interest rules need to
be worked out & agreed to
![Page 30: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/30.jpg)
30
CAMP Integration Attribute Authority (AA) <–> Ent. Directory
• Ah, yes, data access policy
• This may drag stakeholders kicking & screaming into the room to confront policy
• How you manage this will be key to successful deployment
• The “DON’T PANIC” in big friendly letters on the InCommon Book may help
![Page 31: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/31.jpg)
31
CAMP Integration Attribute Authority (AA) <–> Ent. Directory
• Shib can transport any attribute--it’s up to sender and receiver to agree on its semantics– “Simple matter of configuration”
• Some of the newer attributes– eduPersonTargetedID if you want a persistent identifier,
but one that is specific to a given Identity Provider-Service Provider pair
– Course-related attributes. URN-based identifier guideline near for course offering. eduCourse (currently in last call).
![Page 32: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/32.jpg)
32
CAMP Integration Service Provider / (Target)
IdentityProvider(wasabi)
ServiceProvider (gari)
Browser User Apache (1.3 or 2.0) / Tomcat
Web server / Servlet container
or
IIS 5.x or 6
![Page 33: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/33.jpg)
33
CAMP Integration Shib Features for Service Providers
• WAYF for federations, other options configurable
• Authentication method can be passed in attribute assertion for fine tuning risk management
• A site may have a public face with specific links that invoke Shib
![Page 34: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/34.jpg)
34
CAMP Integration Services you might not have thought of Shibbing
• Roaming Access to WLAN• http://www.terena.nl/conferences/tnc2004/
programme/presentations/show.php?pres_id=165• Mikael Linden, CSC, the Finnish IT center for
Science• RADIUS-based access controller is a Shibboleth
service provider• Network access control decision based on user’s
“home” attributes
![Page 35: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/35.jpg)
35
CAMP Integration Services you might not have thought of Shibbing
• Portal as Shib Service• Apache in front of Portal on Tomcat• Other approaches under consideration
![Page 36: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/36.jpg)
36
CAMP Integration Coming Shib Features for Service Providers
• PKI-based direct-to-target scenario• Cert would contains
– (possibly opaque) subject id– Identifier for associated Identity Provider– Would eliminate the first several steps in the
classic Shib flow diagram– First Service Provider contact to Identity
Provider would be the request for attributes• Lots of points of agreement to be worked out
![Page 37: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/37.jpg)
37
CAMP Integration Multi-campus system deployment model 1
CampusB ServiceProvider
Browser User Apache (1.3 or 2.0) / Tomcat
Web server / Servlet container
or
IIS 5.x or 6
CampusBIdProv
CampusAIdProv
CampusCIdProv
CampusDIdProv
CampusEIdProv
![Page 38: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/38.jpg)
38
CAMP Integration Multi-campus system deployment model 1
• Identity Provider per campus (vs. System IdP model)
• Create a system federation (some policy & configuration work here)
• Any campus can put up Shibbed service• Or a system library can offer system-licensed
resources• Each campus retains control of Identity
Management--high autonomy model
![Page 39: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/39.jpg)
39
CAMP Integration Multi-campus system deployment model 2
System-levelIdentity Provider
ServiceProvider
Browser User
ServiceProviderService
ProviderServiceProvider
CampusB Dir
CampusA Dir
CampusC Dir
![Page 40: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/40.jpg)
40
CAMP Integration Multi-campus system deployment model 2
• System-level Identity Provider model• Significant campus-to-system metadirectory
infrastructure• Create a system federation (some policy &
configuration work here)• Any campus can put up Shibbed service• Or a system library can offer system-licensed
resources• More seamless “system citizen” experience
![Page 41: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/41.jpg)
41
CAMP Integration Coming: Shib breaks free of the browser
• Number of open source projects are exploring this space
• A pure Java implementation of Service Provider components of Shibboleth (now in beta) will really open the door
![Page 42: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/42.jpg)
42
CAMP Integration
Joining and leveraging federations
• InCommon: See participant agreements on the web site
• http://www.incommonfederation.org– Talks much more about IAM infrastructure than
Shibboleth per se
• Other documents
![Page 43: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/43.jpg)
43
CAMP Integration
Federation givens
• Key attributes, their syntax and semantics• eduPersonAffiliation
– faculty, student, staff, employee, member, alum, affiliate
• eduPersonScopedAffiliation– [email protected]
• eduPersonEntitlement
![Page 44: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/44.jpg)
44
CAMP Integration
eduPersonEntitlement in InQueue“If a Federation member sends or receives an eduPersonEntitlement
Attribute Assertion containing the InQueue policy uri and containing the value
urn:mace:incommon:entitlement:common:1
The semantics should conform to this definition:
The person possesses an eduPersonAffiliation value of faculty, staff, or student, or qualifies as a "library walk-in".
![Page 45: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/45.jpg)
45
CAMP Integration
eduPersonTargetedIDService providers or directory-enabled applications with the need to maintain a persistent but opaque identifier for a given user for purposes of personalization or record-keeping.
Identity or service providers or directory-enabled applications with the need to link an external account to an internal account maintained within their own system. This attribute is often used to represent a long-term account linking relationship between an identity provider and service provider(s). Note that such a service provider might itself also be an identity provider.
![Page 46: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/46.jpg)
46
CAMP Integration
eduPersonTargetedIDIt MAY be a pseudorandom value generated and stored by the
identity provider, or MAY be derived from some function over the service provider's identity and other principal-specific input(s), such as a serial number or UUID assigned by the identity provider.
It MUST NOT exceed 256 characters in length.
![Page 47: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/47.jpg)
47
CAMP Integration
Multiple Federation scenarios
• Simplest example: US IdP and UK IdP accessing an Open University course hosted in UK
• US Institution is an InCommon member• UK institution belongs to a UK federation• Open U. Service Provider has to belong to
both to serve members of both federations
![Page 48: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/48.jpg)
48
CAMP Integration
Multiple Federation scenarios
• Likely scenario: US Universities with Medical Schools will have to support both – InCommon &– Some Health Science federation(s)
![Page 49: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/49.jpg)
49
CAMP Integration How many federations? How many levels of federations?
• An umbrella level: e.g., InCommon• Hard, foundational topics handled here:
– Trust/risk framework– Attributes, syntax, semantics
• Under that umbrella, any number of Communities of Interest (or Virtual Organizations) who build on the foundation– Profiles, refinements, extensions
![Page 50: Provisioning and Relaying: The Integration Story](https://reader036.vdocuments.net/reader036/viewer/2022070405/56813eba550346895da91fa3/html5/thumbnails/50.jpg)
50
CAMP Integration
Q & A
• http://shibboleth.internet2.edu
• Which of these issues seem tough, confusing to you?