Shibboleth and TAGPMA Michael Helm DOEGRids/ESnet 27 Mar 2006

Page 1: Shibboleth and TAGPMA

Shibboleth and TAGPMA

Michael Helm

DOEGRids/ESnet

27 Mar 2006

Page 2: Shibboleth and TAGPMA

TAGPMA 27 Mar 2006 Shibboleth 2

What is Shibboleth?

• Standard Internet2 description:
  – Architecture
  – Project
  – Codebase
  – http://shibboleth.internet2.edu

• Offshoots
  – InCommon – Federation (one of many)
  – GridShib – Grid & Shibboleth Integration
  – SAML – transport

Page 3: Shibboleth and TAGPMA


What is Shibboleth?

Judges 12:6 (KJV): Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand.

Judges 12 (from a Spanish translation): Then they said to him, "Say, then, the word Shibboleth"; but he said "Sibboleth", because he could not pronounce it correctly. Then they laid hold of him and killed him by the fords of the Jordan. And there fell on that occasion forty-two thousand of those of Ephraim.

Page 4: Shibboleth and TAGPMA


Why is Shibboleth Important?

• US: Internet2's "long bet" on Authentication and Authorization
  – Note: Internet2 is the largest US NREN, 200+ Universities, multiple layers of projects, optical networking &c
  – Relationship with ESnet, NASA &c

• US Higher Education federation

• Other NREN
  – There are other AAA projects

• Other - US Government
  – Whether all these federations can interoperate

Page 5: Shibboleth and TAGPMA


Shibboleth Architecture

• Next set of slides from I2 (Michael Gedes et al) – used for illustration

• Illustration probably from SWITCH

Page 6: Shibboleth and TAGPMA


Shibboleth Architecture

• Handle Service
  – Yields a "Handle token" – SAML authentication assertion – bearer credential
  – Neutral – (e.g. LDAP)

• Attribute Authority
  – The AA is presented with a Handle Token, returns appropriate attributes for this user.

• Target Resource
  – (Service Provider)
  – Find user's institution, and understand appropriate attributes

• WAYF
  – External service used to find home institution

Page 7: Shibboleth and TAGPMA


Shibboleth Architecture

• Next set of slides from I2 (Michael Gedes et al) – used for illustration

• Illustration probably from SWITCH

Page 8: Shibboleth and TAGPMA


Shibboleth AA Process

[Figure: Shibboleth AA Process. Swim-lane diagram with the user's browser, the WAYF, the Identity Provider (Handle Service HS, User DB, Attribute Authority AA) and the Service Provider (Web Site / Resource, ACS, AR, Resource Manager). The speech bubbles, in step order:]

• 1-3: Service Provider (ACS): "I don't know you. Not even which home org you are from. I redirect your request to the WAYF."
• WAYF: "Please tell me where are you from?"
• 4: WAYF: "OK, I redirect your request now to the Handle Service of your home org."
• 5-7: Handle Service, checking credentials against the User DB: "I don't know you. Please authenticate using WEBLOGIN."
• 8: Handle Service: "OK, I know you now. I redirect your request to the target, together with a handle."
• 9: Service Provider (AR), passing the handle to the AA: "I don't know the attributes of this user. Let's ask the Attribute Authority."
• 10: Attribute Authority, returning attributes: "Let's pass over the attributes the user has allowed me to release."
• Resource Manager: "OK, based on the attributes, I grant access to the resource."
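Added example (not from the slides or the Shibboleth code base): a small Python simulation of the handle-based flow on this slide and slide 6, with the Handle Service, Attribute Authority and Resource Manager as constructed stand-ins; the sample user, SP name, handle format and 300-second lifetime are assumptions. It shows what makes the handle usable as a bearer credential: it is random and opaque, bound to one SP, short-lived and consumed on first use, and the SP only ever receives the attributes the user's release policy allows.

```python
import secrets
import time
# Constructed sample IdP data (not from the slides): the User DB checked by WEBLOGIN,
# the user's attributes, and the release policy saying what each SP may receive.
USER_DB = {"alice": "correct horse"}
ATTRIBUTES = {"alice": {"eduPersonAffiliation": "faculty", "mail": "alice@example.edu"}}
RELEASE_POLICY = {"alice": {"https://sp.example.org": {"eduPersonAffiliation"}}}

class HandleService:
    """Authenticates the user (steps 5-7) and mints the opaque bearer handle (step 8)."""
    def __init__(self, ttl=300):
        self.ttl, self._issued = ttl, {}      # handle -> (user, SP audience, expiry)

    def authenticate(self, user, password, sp_audience):
        if USER_DB.get(user) != password:
            return None
        handle = secrets.token_urlsafe(16)    # random: reveals nothing about the user
        self._issued[handle] = (user, sp_audience, time.time() + self.ttl)
        return handle

    def resolve(self, handle, sp_audience):
        """Bearer-token checks: issued by us, unexpired, for this SP, used once."""
        rec = self._issued.pop(handle, None)  # pop: a replayed handle resolves to None
        if rec is None:
            return None
        user, audience, expiry = rec
        return user if audience == sp_audience and time.time() <= expiry else None

class AttributeAuthority:
    """Steps 9-10: trades the handle for the attributes the user allowed this SP to see."""
    def __init__(self, hs):
        self.hs = hs

    def query(self, handle, sp_audience):
        user = self.hs.resolve(handle, sp_audience)
        if user is None:
            return {}
        allowed = RELEASE_POLICY.get(user, {}).get(sp_audience, set())
        return {k: v for k, v in ATTRIBUTES[user].items() if k in allowed}

def resource_manager_grants(attrs):
    """Step 10 at the SP: decide on released attributes, not on who the user is."""
    return attrs.get("eduPersonAffiliation") in ("faculty", "staff")

def shib_login(user, password, sp_audience="https://sp.example.org"):
    """Whole flow once the WAYF has sent the user to the home org's HS (steps 1-4)."""
    hs = HandleService(); aa = AttributeAuthority(hs)
    handle = hs.authenticate(user, password, sp_audience)
    attrs = aa.query(handle, sp_audience) if handle else {}
    return resource_manager_grants(attrs), attrs
```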

Page 9: Shibboleth and TAGPMA


From Shibboleth Arch doc

[Figure: diagram from the Shibboleth Architecture document. Origin side: University Authentication System, Enterprise Directory, Handle Service, Attribute Authority. Target side: Resource Provider with an HTTP Server (http://www.CoolResource.com) and SHIRE. WAYF between the two. Numbered flows 1, 2, 2a, 3, 3a, 3b, 3c, 4.]

Page 10: Shibboleth and TAGPMA


From Shibboleth Arch doc

[Figure: the same diagram from the Shibboleth Architecture document, extended. Origin side: University Authentication System, Enterprise Directory, Handle Service, Attribute Authority. Target side: Resource Provider with an HTTP Server (http://www.CoolResource.com), SHIRE, SHAR and Resource Manager. WAYF between the two. Labelled flows 1, 2, 2a, 3, 3a, 3b, 3c, 4 (Handle) and 5, 6 (Attributes).]

Page 11: Shibboleth and TAGPMA


Shibboleth Limitations

• Limited IdP
  – Identity Provider does all the work
  – What about distributed authorization???
  – Attribute Authority, Authentication, Authorization often linked together – requires strong trust of IdP

• Limited deployment (web)

• Grid Incompatibility

• Focused on enterprises
  – Marketing limitation

• Many of these issues are being addressed….

Page 12: Shibboleth and TAGPMA


Shibboleth Strengths

• Privacy
  – Chaotic story in Grids, but mostly, none

• Standardization
  – Relatively open development process

• Marketing
  – US Higher Ed
  – Non-US: Higher Ed & NRENs
  – US Government
  – Well supported and development continues

Page 13: Shibboleth and TAGPMA


GridShib (NCSA)

• NSF funded, development centered at NCSA
  – Argonne National Lab (ANL), Globus, University of Chicago

• Really, Shibboleth->Grid
  – Enable use of some Shibboleth attributes in a Grid context

• Replace Shibboleth "Handle token" with PKI credential

• Using XACML

• Next 3 slides – from NCSA GridShib overview

Page 14: Shibboleth and TAGPMA


The GridShib picture

[Figure: the GridShib picture. Actors: User, Campus (Shibboleth), Grid Service. Labelled steps:]

• (0) Attribute Release Policy
• (1) Grid Authentication
• (2) Shib Attribute Request
• (3) Attributes
• (4) Attribute-based authorization

Page 15: Shibboleth and TAGPMA


GridShib Integration Principles

• No modification to typical grid client applications

• Leverage Shibboleth’s attribute administration and end-user maintenance of attribute release policies

• Leverage high-quality Campus Identity Provider operations

• Leverage high-quality Shib and Grid software

Page 16: Shibboleth and TAGPMA


GridShib Challenges

• Use of an identifier in X.509 certificate as a subject handle for use by the Shib Attribute Authority (SAA)
  – Shibboleth v1.3 should handle this
  – Name mapping has proved challenging
  – Focusing on MyProxy to solve? IdP function?

• Allowing VOs to define attributes meaningful to them

• Attribute Authority identification
  – "Where Are You From" problem

• Plumbing interconnect

• Translating requirements into meaningful authorization policy

• Support pseudonymity (Shibboleth requirement)
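Added example (not GridShib's own code): a Python sketch of the GridShib steps on slides 13-16, in which the X.509 subject DN replaces the Shibboleth handle as the key the Shib Attribute Authority looks up, so the DN-to-campus-principal name mapping becomes the critical step; the DN, name-mapping table, VO-defined attributes and XACML-style rule list are constructed for illustration. An unmapped certificate yields no attributes and therefore a Deny, and the campus principal name itself is never released to the Grid service.

```python
# Constructed sample data (not from the slides): campus attributes, VO-defined
# attributes, and the X.509 subject DN -> campus principal mapping that slide 16
# names as the hard part of using a certificate identifier as the subject handle.
CAMPUS_ATTRS = {"alice": {"eduPersonAffiliation": "faculty"}}
VO_ATTRS = {"alice": {"voMembership": "ClimateVO", "voRole": "analyst"}}
NAME_MAP = {"/DC=org/DC=ExampleGrid/OU=People/CN=Alice Example 1234": "alice"}

def shib_attribute_request(subject_dn):
    """Steps (2)-(3) of the GridShib picture: the Grid service has already
    authenticated the certificate (step 1) and asks the Shib Attribute Authority
    for attributes keyed by the certificate subject instead of a handle."""
    principal = NAME_MAP.get(subject_dn)
    if principal is None:                 # unmapped DN: no attributes, hence no access
        return {}
    attrs = dict(CAMPUS_ATTRS.get(principal, {}))
    attrs.update(VO_ATTRS.get(principal, {}))   # attributes the VO defined for itself
    return attrs                          # the campus principal name is not released

# XACML-flavoured rule set as data: every listed attribute value must match;
# the first matching rule decides, and the default is Deny.
POLICY = [
    {"effect": "Deny", "match": {"eduPersonAffiliation": "alum"}},
    {"effect": "Permit", "match": {"voMembership": "ClimateVO", "voRole": "analyst"}},
]

def evaluate(attrs, policy=POLICY):
    """Step (4): attribute-based authorization decision at the Grid service."""
    for rule in policy:
        if all(attrs.get(k) == v for k, v in rule["match"].items()):
            return rule["effect"]
    return "Deny"

def authorize_grid_request(subject_dn):
    """Certificate subject -> name mapping -> attributes -> decision."""
    return evaluate(shib_attribute_request(subject_dn))
```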

Page 17: Shibboleth and TAGPMA


Shibboleth and Grid Authentication/Authorization

• Grid – community driven?

• Grid – distributed authorization

• Shibboleth – fundamentally based on site (or VO?)
  – That is, assumes a strong site open to working in this area – not always true

• Grid->Shibboleth?
  – Projects exist in this area

Page 18: Shibboleth and TAGPMA


US DOE Lab/ESnet Shibboleth

• Something new – DOE Lab CIOs have commissioned a pilot Shibboleth test bed and policy development activity

• US DOE research labs are heavily influenced by trends and needs in US academic research (NSF, EDUCAUSE, and other US Gov't funding sources)

• US DOE labs have limited resources for development in this area
  – Shibboleth &al is both good news & bad news here:
  – Standard development platform
  – Limited resources to make changes

Page 19: Shibboleth and TAGPMA


Shibboleth Federation

• Shibboleth makes no sense w/o a federation component – why bother.

• InCommon (http://www.incommonfederation.org)

• Internet2 – US Higher Ed example of Shibboleth federation
  – There are some others: SWITCH, UK

• US Legal System
  – More complex bylaws, legal membership & status &c

• Good Example or Bad Example?
  – Some market inhibition
  – International legal context
  – Are our member organizations interested in federating for this purpose? TAGPMA?

Page 20: Shibboleth and TAGPMA


E-Authentication (separate)

• Summary

• Overlapping communities

• Overlapping interests

• What interest in this?

Page 21: Shibboleth and TAGPMA


Acknowledgements

• Technical content in most slides drawn from Michael Geddes &al from I2; from Von Welch &al from NCSA; a bit from David Chadwick, and others.

Page 22: Shibboleth and TAGPMA


Summary

• Overlapping communities

• Overlapping interests

• What interest do we have in this?