Federated Identity and Shibboleth Concepts
Rick Summerhill, Chief Technology Officer, Internet2
GEC3, October 29, 2008
Slides by Nate Klingenstein and John Krienke, Internet2
The Challenging Way
Diagram: Dr. Joe Oval, Psych Prof., keeps a separate account at each service, and each service stores its own copy of his personal data:
• Circle University (home): e-mail address as ID, SSN 456.78.910, Password #1
• Grant Admin Service: ID #2 "Joval", SSN 456.78.910, Password #2
• Grading Service: ID #3 "Jo456", Password #3
• Music Service: ID #4 "j.o.123", DOB 4/4/1955, Password #4
Nothing coordinates the service providers' stores with the home organisation; the data is kept in sync by proprietary code and batch uploads.
The Federated Way
Diagram: Circle University, the home organisation, holds the single authoritative record for Dr. Joe Oval (Psych Prof., SSN 456.78.910, one password) and vouches for him to each service provider; the services receive Circle University's statement about him instead of keeping their own copy, and one of them receives only an anonymous ID.
1. Single sign on
2. Services no longer manage user accounts & personal data stores
3. Reduced help-desk load
4. Standards-based technology
5. Home org controls privacy
How Federated Identity Works
1. A user tries to access a protected application
2. The user tells the application where it’s from
3. The user logs in at home
4. Home tells the application about the user
5. The user is rejected or accepted
Diagram: the User's web browser, the Service Provider, and the Identity Provider backed by a Directory and a Database exchange the following messages in order:
1. I’d like access
2. What is your home?
3. Please login at home.
4. I’d like to login for SP.
5. Login
6. Here is data about you for SP. Send it.
7. Here is my data.
8a. See the page!
8b. Access Denied
Shibboleth IdP
• Written in Java, runs in any Servlet 2.4 container
• Supports multiple protocols
• Does not contain attributes or logins
• Relies on external LDAP/Kerberos/SQL/etc.
• Extensive controls for the release of attributes
Diagram: the Shibboleth IdP runs in Tomcat together with its Authentication component and is backed by a Directory / Database; the Web Browser carries messages between the IdP and the Shibboleth SP, which fronts the Application.
Shibboleth SP
• Written in C++ for Apache, IIS, or NSAPI
• Apache often used to front-end other web servers: Java containers, Zope, etc.
• Extensive clustering support
• No API: attributes & data available through headers & env. variables
• Keeps identity management external to app
Diagram: the Shibboleth SP runs in Apache or IIS together with the shibd daemon; the Web Browser carries messages between the SP and the Shibboleth IdP, which runs in Tomcat and draws Person Information from a Directory / Database.
Words
• SAML: Security Assertion Markup Language
• Attribute: A name/value pair that describes a user: uid/rrsum
• Scope: The domain within which an attribute is valid: [email protected]
• Assertion: User authentication & attribute information wrapped as SAML for transport
• Name Identifier: Any attribute elevated to identifier (primary key) status
More words
• entityID: The name of a provider
• Identity Provider (IdP): Supplies assertions
• Attribute Authority (AA): Acquires user attributes and encodes them for transport
• Service Provider (SP): Receives assertions and protects resources
• Assertion Consumer Service (ACS): Receives assertion, processes it, passes user along
Last words
• Federation: A trust structure to help large communities of IdPs or SPs interoperate without an MxN handshake
  • Not necessary for federated identity
• Metadata: A file that describes how to talk to and trust a provider
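The login round trip from the "How Federated Identity Works" slides and the terms defined in the three vocabulary slides (assertion, scoped attribute, entityID, IdP, SP, ACS, metadata), as an added Python example written for this page; it is not Shibboleth code and not code from the slides. It assumes a constructed federation with one IdP and one SP, made-up entityIDs and user record, the attribute names uid and eduPersonScopedAffiliation, and HMAC-SHA256 over canonical JSON as a stand-in for the XML signature on a real SAML assertion. The checks the SP side performs before trusting anything (known issuer, valid signature, audience, expiry, and a scope the issuer is permitted to assert) are the ones a deployment answers from federation metadata.

```python
import hashlib
import hmac
import json
import time

# Constructed federation metadata (stand-in for a signed SAML metadata file):
# per IdP entityID, the key the SP trusts and the scopes the IdP may assert.
CIRCLE_IDP_ID = "https://idp.circle.example/idp/shibboleth"
FEDERATION_METADATA = {
    CIRCLE_IDP_ID: {"signing_key": b"constructed-circle-idp-key", "scopes": {"circle.example"}},
}
SCOPED_ATTRIBUTES = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}


def sign(key, body):
    # HMAC-SHA256 over a canonical JSON body stands in for the XML signature
    # on a real SAML assertion; sort_keys makes signer and verifier agree.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class IdentityProvider:
    # Home organisation (steps 4-7). `directory` stands in for LDAP/Kerberos/SQL.
    def __init__(self, entity_id, signing_key, directory):
        self.entity_id, self.signing_key, self.directory = entity_id, signing_key, directory

    def login(self, username, password):
        entry = self.directory.get(username)
        return entry is not None and hmac.compare_digest(entry["password"], password)

    def issue_assertion(self, username, audience, lifetime=300,
                        release=("uid", "eduPersonScopedAffiliation")):
        # Release is filtered per SP: attributes outside `release` (the SSN
        # in the constructed directory) never leave the home organisation.
        stored = self.directory[username]["attributes"]
        body = {
            "issuer": self.entity_id,
            "audience": audience,
            "not_on_or_after": int(time.time()) + lifetime,
            "attributes": {k: v for k, v in stored.items() if k in release},
        }
        return {"body": body, "signature": sign(self.signing_key, body)}


class ServiceProvider:
    # Application side: discovery (steps 2-3), assertion consumer service
    # (step 7 -> 8) and the access rule that yields 8a or 8b.
    def __init__(self, entity_id, metadata):
        self.entity_id, self.metadata = entity_id, metadata

    def discover(self, home):
        return home if home in self.metadata else None  # unknown home: refuse

    def consume(self, assertion, now=None):
        body = assertion["body"]
        now = int(time.time()) if now is None else now
        entry = self.metadata.get(body.get("issuer"))
        if entry is None:
            return None, "unknown issuer"
        if not hmac.compare_digest(sign(entry["signing_key"], body), assertion["signature"]):
            return None, "bad signature"
        if body.get("audience") != self.entity_id:
            return None, "assertion not addressed to this SP"
        if now >= body["not_on_or_after"]:
            return None, "assertion expired"
        for name, value in body["attributes"].items():
            # The part after '@' must be a scope metadata authorises for this issuer.
            if name in SCOPED_ATTRIBUTES and value.rpartition("@")[2] not in entry["scopes"]:
                return None, f"{name} carries a scope this issuer may not assert"
        return body["attributes"], None

    def authorize(self, attributes):
        return attributes.get("eduPersonScopedAffiliation", "").startswith("faculty@")


def run_flow(sp, idps, home, username, password):
    # Steps 1-8 end to end: returns ("granted", attributes) or ("denied", why).
    idp_id = sp.discover(home)
    if idp_id is None:
        return "denied", "home organisation not in federation"
    if not idps[idp_id].login(username, password):
        return "denied", "login at home failed"
    attributes, problem = sp.consume(idps[idp_id].issue_assertion(username, sp.entity_id))
    if problem:
        return "denied", problem
    if not sp.authorize(attributes):
        return "denied", "access rule not satisfied"
    return "granted", attributes


# Constructed home directory: the SSN is stored at home but never released.
CIRCLE_DIRECTORY = {"joval": {
    "password": "constructed-password-1",
    "attributes": {"uid": "joval", "eduPersonScopedAffiliation": "faculty@circle.example",
                   "ssn": "456.78.910"},
}}
CIRCLE_IDP = IdentityProvider(CIRCLE_IDP_ID, FEDERATION_METADATA[CIRCLE_IDP_ID]["signing_key"],
                              CIRCLE_DIRECTORY)
IDPS = {CIRCLE_IDP_ID: CIRCLE_IDP}
GRADING_SP = ServiceProvider("https://grading.example/shibboleth", FEDERATION_METADATA)
```

Calling run_flow(GRADING_SP, IDPS, CIRCLE_IDP_ID, "joval", "constructed-password-1") returns ("granted", ...) with only uid and the scoped affiliation present, because the IdP's release rule never puts the SSN into the assertion. Changing the scope in a captured assertion fails the signature check; re-signing it with the IdP's own key but an unauthorised scope, addressing it to a different SP, or presenting it after not_on_or_after each produces a "denied" with the reason, which is the behaviour the SP's scope, audience and validity checks exist to give.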
An Example:
Basic Architecture - IDC