Shibboleth Update

Michael Gettes, Principal Technologist, Georgetown University
Ken Klingenstein, Director, Internet2 Middleware Initiative

Post on 01-Jan-2016

219 views

Category:

Documents


0 download

TRANSCRIPT


Slide 2: Shibboleth Architecture Concepts - High Level

[Diagram: Browser, Origin Site, Target Site (Target Web Server). Authentication Phase: First Access - Unauthenticated. Authorization Phase: Pass content if user is allowed.]

Slide 3: Shibboleth Architecture Concepts (detail)

[Diagram: Browser, Origin Site (Web Login Server, Authentication, Attribute Server), Target Site (Target Web Server). Labels grouped by phase:
Authentication Phase: First Access - Unauthenticated; Redirect User to Local Web Login; Auth OK; Second Access - Authenticated.
Authorization Phase: Ask to Obtain Entitlements (Req Ent); Ent Prompt; Entitlements; Pass entitlements for authz decision; Pass content if user is allowed; Success!]

Slide 4: Shibboleth Architecture

Slide 5: Shibboleth Components

Slide 6: Descriptions of services

1. local authn server - assumed part of the campus environment

2. web sso server - typically works with local authn service to provide web single sign-on

3. resource manager proxy, resource manager - may serve as control points for actual web page access

4. attribute authority - assembles/disassembles/validates signed XML objects using attribute repository and policy tables

5. attribute repository - an LDAP directory, or roles database or….

6. Where are you from service - one possible way to direct external users to their own local authn service

7. attribute mapper - converts user entitlements into local authorization values

8. PDP - policy decision points - decide if user attributes meet authorization requirements

9. SHAR - Shibboleth Attribute Requestor - used by target to request user attributes

Slide 7: Shibboleth Flows Draft

Slide 8: Shibboleth Architecture -- Managing Trust

[Diagram: Browser, Origin Site, Target Site (Target Web Server), Attribute Server, Shibengine; the relationship between the sites is labelled TRUST.]

Slide 9: Personal Privacy

Web Login Server provides a pseudonymous identity.

An Attribute Authority releases Personal Information associated with that pseudonymous identity to site X based on:

• Site Defaults – Business Rules

• User control – myAA

• Filtered by – Contract provisions

[Diagram: Browser/User, My AA, Site Defaults, Contract Provisions.]
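As an added illustration (not code from the slides or from the Shibboleth project), the following Python models the attribute-release decision the privacy slide describes: the Attribute Authority sees only the pseudonymous handle issued by the Web Login Server, starts from the site defaults (business rules), applies the user's own myAA allow/deny choices, and filters the result by contract provisions before a policy decision point checks it. The class and function names, the handle value, the target site name and the eduPerson-style attribute names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed sample repository: the origin's web login server issued the opaque
# handle "h-7f3a"; the attribute authority maps that handle to user attributes.
REPOSITORY = {
    "h-7f3a": {
        "eduPersonScopedAffiliation": "member@example.edu",
        "eduPersonEntitlement": "urn:mace:example.edu:journals",
        "mail": "alice@example.edu",
        "displayName": "Alice Example",
    }
}

@dataclass
class AttributeAuthority:
    repository: Dict[str, Dict[str, str]]
    site_defaults: Dict[str, Set[str]]                    # business rules per target
    user_allow: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)  # myAA
    user_deny: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)   # myAA
    contract: Dict[str, Set[str]] = field(default_factory=dict)  # contract provisions

    def release(self, handle: str, target: str) -> Dict[str, str]:
        """Apply the ARP layers in the order the privacy slide lists them."""
        attrs = self.repository.get(handle)
        if attrs is None:            # unknown or expired handle: release nothing
            return {}
        allowed = set(self.site_defaults.get(target, set()))
        allowed |= self.user_allow.get(handle, {}).get(target, set())
        allowed -= self.user_deny.get(handle, {}).get(target, set())
        # Contract provisions filter last: a user cannot opt in beyond them.
        allowed &= self.contract.get(target, set())
        return {name: attrs[name] for name in attrs if name in allowed}

def pdp_allows(released: Dict[str, str], required: Dict[str, str]) -> bool:
    """Policy decision point: every required attribute value must be present."""
    return all(released.get(k) == v for k, v in required.items())

def demo() -> tuple:
    aa = AttributeAuthority(
        repository=REPOSITORY,
        site_defaults={"journals.example.org": {"eduPersonScopedAffiliation"}},
        user_allow={"h-7f3a": {"journals.example.org": {"eduPersonEntitlement", "displayName"}}},
        user_deny={"h-7f3a": {"journals.example.org": {"mail"}}},
        contract={"journals.example.org": {"eduPersonScopedAffiliation", "eduPersonEntitlement"}},
    )
    released = aa.release("h-7f3a", "journals.example.org")
    decision = pdp_allows(released, {"eduPersonEntitlement": "urn:mace:example.edu:journals"})
    return released, decision
```

Note that displayName, which the user opted to release, still does not reach the target because the contract provisions do not cover it, and mail is withheld by the user's own deny rule.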

Slide 10: Managing ARPs

Middleware Marketing

Slide 12: Drivers of Vapor Convergence

• JA-SIG uPortal Authen

• OKI/Web Authentication

• Local Web SSO Pressures

• Shibboleth Inter-Realm AuthZ

We all get Web SSO for Local Authentication and an Enterprise Authorization Framework with an Integrated Portal that will all work inter-institutionally!

Slide 13: Middleware Inputs & Outputs

[Diagram labels: Grids; JA-SIG & uPortal; OKI; Inter-realm calendaring; Shibboleth, eduPerson, Affiliated Dirs, etc.; Enterprise Directory; Enterprise Authentication; Legacy Systems; Campus Web SSO; futures; Enterprise authZ; Licensed Resources; Embedded App Security.]

Errata--ica

Slide 15: National Science Foundation NMI program

• $12 million over 3 years

• www.nsf-middleware.org

• Middleware Service Providers, Integrators, Distributors

• GRID (Globus)

• Internet2 + EDUCAUSE + SURA

• May 2002 – first set of deliverables from all parties

Slide 16: The Liberty Alliance (www.project-liberty.org)

Sun Microsystems, American Express, United Airlines, Nokia, MasterCard, AOL Time Warner, American Airlines, Bank of America, Cisco, France Telecom, Intuit, NTT DoCoMo, Verisign, Schlumberger, Sony …

Initiated in September 2001.

Protect Privacy, Federated Administration, Interoperability, Standards based but requires new technology, hard problems to solve, a Network Identity Service

Funny, doesn’t this stuff sound familiar?