Shibboleth On-line Authentication System Jon Browne Senior Consultant Drew Heald BSc (Hons), MPhil, MCP Systems Developer IBIS Business Consultants Ltd


Page 1: Shibboleth On-line Authentication System Jon Browne Senior Consultant Drew Heald BSc (Hons), MPhil, MCP Systems Developer IBIS Business Consultants Ltd

Shibboleth On-line Authentication System

Jon Browne, Senior Consultant

Drew Heald BSc (Hons), MPhil, MCP, Systems Developer

IBIS Business Consultants Ltd

Page 2

Accessing a Web Resource

• Client user accesses a free resource
• Client user is authenticated via a username and password to access a protected resource
• Client user is responsible for setting up that account

Diagram: Client and WWW Server exchanging a Request and a Response.

Page 3

Web Resources for Education

• Educational establishments subscribe to resources on behalf of many users

• Parts of a given resource may only be accessible by some of the users in a given educational establishment

• The resources to which a given user has access change periodically

Page 4

Authentication

Diagram: a School's Students authenticate against a Directory/Database holding Student data (Authentication); the Directory/Database then drives Authorisation to a Resource whose parts are Available to all, Available to year 3 and above, and Available to year 6 and above.

Page 5

Authentication

• Common Issues
  – Exposure of personal information
  – High administrative burden
  – Lack of traceability
  – Password leakage
  – Many passwords problem
  – Resource accessibility is restricted
  – Complicated to use

Page 6

Shibboleth

• Aims to:
  – Ensure no personal information is exposed unless necessary
  – Minimise the number of passwords a user needs to remember
  – Minimise the administrative burden
  – Enable user traceability
  – Be transparent to the user
  – Enable access from any location

Page 7

Shibboleth User Authentication

Diagram: overview of the components.
– LEA/RBC (Origin): Handle Service (User Authentication) and Attribute Authority (User Attributes, LDAP/SQL)
– Resource (Target): SHIRE, SHAR and the Resource(s)
– WAYF, linking the Target to the Origins: Bash Street, St Trinians, Hogwarts, LGfL, Oxford

Page 8

Shibboleth User Authentication

Diagram: first request to a resource, with the same components as Page 7 (Origin: Handle Service, Attribute Authority; Target: SHIRE, SHAR, Resource(s); WAYF; Origins Bash Street, St Trinians, Hogwarts, LGfL, Oxford). The numbered messages are:

1. Request URL
2. Request URL + SHIRE URL
3. Request URL + SHIRE URL
4. Username + password
5. Request URL + Handle + AA URL
6. Request URL + Handle + AA URL
7. Request URL + Handle
8. Handle returns User ID
9. User Attributes
10. Request URL + User Attributes
11. User Attributes

Page 9

Shibboleth User Authentication

Diagram: subsequent request to the same domain, with the same components as Page 7.

1. Subsequent Request URL (Same Domain)
   – SHIRE has Cached Session & Handle = OK
   – SHAR has Cached Attributes = OK

Page 10

Shibboleth User Authentication

Diagram: subsequent request to a different domain, with the same components as Page 7.

1. Subsequent Request URL (Different Domain)
   – SHIRE has Cached Session & Handle = OK
   – SHAR has no Cached Attributes for the new Domain, so ask AA
   – Handle returns User ID
   – Request New Domain Attributes
   – Return New Domain Attributes
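The flow on Pages 8 to 10 (opaque handle minted by the Handle Service, attributes released by the Attribute Authority per target domain, SHIRE caching the session and SHAR caching attributes) and the year-group authorisation on Page 4 can be modelled in a few dozen lines. The block below is an added illustration, not Shibboleth's own code or the presenters' demonstration: every class, function, user, password, domain and release policy in it is constructed for the example, and the credentials argument stands in for the browser's detour through the WAYF and the origin's login page.

```python
# Toy model of the Shibboleth flow drawn on Pages 7-10 and the year-group
# authorisation on Page 4. Added illustration only: not Shibboleth's own code;
# every class, function, user, password and domain name is constructed.
import secrets

# Constructed origin directory (stands in for the LDAP/SQL "Student data").
# Passwords are plain strings purely to keep the model short.
DIRECTORY = {
    "alice": {"password": "pw-alice", "attrs": {"school": "Bash Street", "year": 7}},
    "bob":   {"password": "pw-bob",   "attrs": {"school": "Bash Street", "year": 2}},
}

# Constructed attribute release policy: which attributes each target domain
# may see. Domains not listed get nothing, which is the safe default.
RELEASE_POLICY = {
    "maths.example":   {"year"},
    "library.example": {"year", "school"},
}

# Page 4: minimum year group for each part of the resource.
MIN_YEAR = {"/all": 0, "/year3": 3, "/year6": 6}


class Origin:
    """LEA/RBC side: Handle Service plus Attribute Authority."""

    def __init__(self):
        self._handles = {}  # opaque handle -> username (Handle Service state)

    def authenticate(self, username, password):
        """Handle Service: check the password and mint an opaque handle.
        Only the handle travels to the target; the username never does.
        Returns None on failure."""
        rec = DIRECTORY.get(username)
        if rec is None or not secrets.compare_digest(rec["password"], password):
            return None
        handle = secrets.token_hex(16)
        self._handles[handle] = username
        return handle

    def attributes_for(self, handle, target_domain):
        """Attribute Authority: "Handle returns User ID", then release only
        the attributes the policy allows for this target domain."""
        username = self._handles.get(handle)
        if username is None:
            raise PermissionError("unknown handle")
        allowed = RELEASE_POLICY.get(target_domain, set())
        return {k: v for k, v in DIRECTORY[username]["attrs"].items() if k in allowed}


def authorise(path, attrs):
    """Resource: allow the part of the site the user's year group entitles."""
    needed = MIN_YEAR.get(path)
    if needed is None:
        return 404
    year = attrs.get("year")
    if year is None or year < needed:
        return 403
    return 200


class Target:
    """Resource side: SHIRE (session/handle cache) plus SHAR (attribute cache)."""

    def __init__(self, origin):
        self.origin = origin
        self.sessions = {}    # browser cookie -> handle        (SHIRE cache)
        self.attr_cache = {}  # (cookie, domain) -> attributes  (SHAR cache)
        self.log = []         # what the target had to do for each request

    def request(self, cookie, domain, path, credentials=None):
        """One browser request. `credentials` stands in for the detour via the
        WAYF and the origin's Handle Service (Page 8, messages 2 to 6)."""
        if cookie not in self.sessions:
            if credentials is None:
                self.log.append("no session: redirect to WAYF")
                return 302
            handle = self.origin.authenticate(*credentials)
            if handle is None:
                self.log.append("origin rejected credentials")
                return 401
            self.sessions[cookie] = handle
            self.log.append("new session + handle cached by SHIRE")
        key = (cookie, domain)
        if key not in self.attr_cache:
            # Page 10: no cached attributes for this domain, so SHAR asks the AA.
            self.attr_cache[key] = self.origin.attributes_for(self.sessions[cookie], domain)
            self.log.append(f"SHAR asked AA for {domain}")
        else:
            # Page 9: same domain, SHAR already holds the attributes.
            self.log.append("SHAR used cached attributes")
        return authorise(path, self.attr_cache[key])


if __name__ == "__main__":
    t = Target(Origin())
    print(t.request("c1", "maths.example", "/year6"))                         # 302
    print(t.request("c1", "maths.example", "/year6", ("alice", "pw-alice")))  # 200
    print(t.request("c1", "maths.example", "/year3"))                         # 200, cached
    print(t.request("c1", "library.example", "/all"))                         # 200, AA asked again
    print(t.log)
```

Two points worth noticing when running it: the maths domain never learns the user's school, because the release policy (the origin's decision, not the target's) filters it out before anything leaves the origin; and the second request to a different domain reuses the cached handle but still costs a round trip to the Attribute Authority, exactly the case Page 10 draws.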

Page 11

Shibboleth User Authentication

Diagram: the Target components (SHIRE, SHAR, Resource(s)) fronted by a Portal, with the LEA/RBC (Origin) providing User Authentication via the Handle Service and User Attributes (LDAP/SQL) via the Attribute Authority.

Page 12

Shibboleth User Authentication

• Pros
  – Low administrative burden
  – Exposure of personal information under user’s control
  – Same identity for all resources
  – User traceability
  – Resources can be accessed from any location

• Cons
  – (Possible) multi-stage authentication

Page 13

Shibboleth Demonstration

Diagram: demonstration setup, with message arrows numbered 1 to 7.
– Browser
– Shibboleth Origin: Windows XP Pro, Apache Server 2.0.49
– LDAP Directory (Active Directory): Windows 2003 Server
– WAYF Service: Windows 2003 Server, IIS 6.0
– Shibboleth Target: Windows 2003 Server, IIS 6.0

Page 14

Shibboleth Demonstration

Diagram: demonstration setup, with message arrows numbered 1 to 7.
– Browser
– Shibboleth Origin: Windows 2003 Server, Apache Server 2.0.49
– LDAP Directory (Active Directory)
– WAYF Service
– Shibboleth Target: Windows 2003 Server, IIS 6.0

Page 15

Shibboleth

“Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand.”

Judges 12:6

http://shibboleth.internet2.edu