TRANSCRIPT
Shibboleth On-line Authentication System
Jon Browne, Senior Consultant
Drew Heald BSc (Hons), MPhil, MCP, Systems Developer
IBIS Business Consultants Ltd
Accessing a Web Resource
• Client user accesses a free resource
• Client user is authenticated via a username and password to access a protected resource
• Client user is responsible for setting up that account
[Diagram: Client sends a Request to a WWW Server and receives a Response]
Web Resources for Education
• Educational establishments subscribe to resources on behalf of many users
• Parts of a given resource may only be accessible by some of the users in a given educational establishment
• The resources to which a given user has access change periodically
Authentication
[Diagram: Students at a School are checked against the school's Directory/Database of Student data; the Resource is split into parts Available to all, Available to year 3 and above, and Available to year 6 and above; the two halves of the diagram are labelled Authentication and Authorisation]
• Common Issues
– Exposure of personal information
– High administrative burden
– Lack of traceability
– Password leakage
– Many passwords problem
– Resource accessibility is restricted
– Complicated to use
Shibboleth
• Aims to:
– Ensure no personal information is exposed unless necessary
– Minimise the number of passwords a user needs to remember
– Minimise the administrative burden
– Enable user traceability
– Be transparent to the user
– Enable access from any location
Shibboleth User Authentication
[Diagram: the LEA/RBC (Origin) side holds User Authentication, the Handle Service, the Attribute Authority and the User Attributes store (LDAP/SQL); the Resource (Target) side holds the SHIRE, the SHAR and the Resource(s); a WAYF service lists the origins (Bash Street, St Trinians, Hogwarts, LGfL, Oxford, …)]
Message flow between browser, Target and Origin:
1. Request URL
2. Request URL + SHIRE URL
3. Request URL + SHIRE URL
4. Username + password
5. Request URL + Handle + AA URL
6. Request URL + Handle + AA URL
7. Request URL + Handle
8. Handle returns User ID
9. User Attributes
10. Request URL + User Attributes
11. User Attributes
Shibboleth User Authentication
[Diagram: Origin (User Authentication, Handle Service, Attribute Authority, User Attributes (LDAP/SQL)), Target (SHIRE, SHAR, Resource(s)) and the WAYF listing the origins (Bash Street, St Trinians, Hogwarts, LGfL, Oxford, …)]
1. Subsequent Request URL (Same Domain)
SHIRE has Cached Session & Handle = OK
SHAR has Cached Attributes = OK
Shibboleth User Authentication
[Diagram: Origin (User Authentication, Handle Service, Attribute Authority, User Attributes (LDAP/SQL)), Target (SHIRE, SHAR, Resource(s)) and the WAYF listing the origins (Bash Street, St Trinians, Hogwarts, LGfL, Oxford, …)]
1. Subsequent Request URL (Different Domain)
SHIRE has Cached Session & Handle = OK
SHAR has no Cached Attributes for the new Domain, so ask AA:
– Handle returns User ID
– Request New Domain Attributes
– Return New Domain Attributes
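The handle-based exchange in the message flow and the per-domain attribute cache on the different-domain slide can be modelled in a few lines. The following is an added illustration, not code from the presentation or from Shibboleth itself: the origin issues an opaque, expiring handle after password authentication, the Attribute Authority releases only the attributes its (hypothetical) release policy allows for the asking target domain, and each target caches what it received. The directory entries, domain names and policy are constructed sample data.

```python
import secrets
import time

# Constructed sample "User Attributes (LDAP/SQL)" store at the origin (hypothetical users).
DIRECTORY = {
    "alice": {"password": "pw-alice", "school": "Bash Street", "year": 6, "dob": "2010-01-01"},
    "bob":   {"password": "pw-bob",   "school": "Bash Street", "year": 2, "dob": "2014-05-05"},
}
# Hypothetical attribute release policy: which attributes the AA discloses to each target domain.
# "dob" is released to nobody, so it never leaves the origin.
RELEASE_POLICY = {"maths.example": {"school", "year"}, "library.example": {"school"}}
HANDLE_TTL_SECONDS = 300


class Origin:
    """Handle Service plus Attribute Authority of the LEA/RBC origin."""

    def __init__(self):
        self._handles = {}  # opaque handle -> (user id, expiry time)

    def authenticate(self, user, password):
        """Step 4 of the flow: check the password and return an opaque handle, or None."""
        rec = DIRECTORY.get(user)
        if rec is None or not secrets.compare_digest(rec["password"], password):
            return None
        handle = secrets.token_urlsafe(16)  # random: carries no user id or attributes
        self._handles[handle] = (user, time.time() + HANDLE_TTL_SECONDS)
        return handle

    def attributes_for(self, handle, target_domain):
        """Steps 7 to 9: resolve the handle to a user and release only policy-allowed attributes."""
        entry = self._handles.get(handle)
        if entry is None or entry[1] < time.time():
            return None  # unknown or expired handle
        user, allowed = entry[0], RELEASE_POLICY.get(target_domain, set())
        return {k: v for k, v in DIRECTORY[user].items() if k in allowed}


class Target:
    """SHIRE/SHAR of one resource domain with its own attribute cache."""

    def __init__(self, domain, origin):
        self.domain, self.origin, self.cache = domain, origin, {}

    def access(self, handle, min_year):
        """Authorise a request for content available to `min_year` and above."""
        attrs = self.cache.get(handle)
        if attrs is None:  # SHAR has no cached attributes for this domain, so ask the AA
            attrs = self.origin.attributes_for(handle, self.domain)
            if attrs is None:
                return "denied"
            self.cache[handle] = attrs
        return "allowed" if attrs.get("year", 0) >= min_year else "denied"
```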
Shibboleth User Authentication
[Diagram: the same Origin (User Authentication, Handle Service, Attribute Authority, User Attributes (LDAP/SQL)) and Target (SHIRE, SHAR, Resource(s)) components, with a Portal in front of the resources]
Shibboleth User Authentication
• Pros
– Low administrative burden
– Exposure of personal information under user's control
– Same identity for all resources
– User traceability
– Resources can be accessed from any location
• Cons
– (Possible) multi-stage authentication
Shibboleth Demonstration
[Diagram: numbered message flow (steps 1 to 7) between the following components]
• Browser
• Shibboleth Origin: Windows XP Pro, Apache Server 2.0.49
• LDAP Directory (Active Directory): Windows 2003 Server
• WAYF Service: Windows 2003 Server, IIS 6.0
• Shibboleth Target: Windows 2003 Server, IIS 6.0
Shibboleth Demonstration
[Diagram: numbered message flow (steps 1 to 7) between the following components]
• Browser
• Shibboleth Origin: Windows 2003 Server, Apache Server 2.0.49
• LDAP Directory (Active Directory)
• WAYF Service
• Shibboleth Target: Windows 2003 Server, IIS 6.0
Shibboleth
“Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand.”
Judges 12:6
http://shibboleth.internet2.edu