Shibboleth & Federated Identity: A Change of Mindset. University of Texas Health Science Center at Houston, Barry Ribbeck, Barry.R.Ribbeck@uth.tmc.edu
Page 1

Shibboleth & Federated Identity: A Change of Mindset

University of Texas Health Science Center at Houston
Barry Ribbeck

Barry.R.Ribbeck@uth.tmc.edu

Page 2

Access to our world is changing

• What is causing the change?

• Are the changes for the better?

• Can we manage the changes?

Page 3

Legacy Authentication / Authorization (AuthX)

• Current authentication mechanisms are an extension of legacy designs

• Stand-alone systems do not scale well

• When AuthN is extended beyond the realm of control, security cannot be managed in any real fashion

• Privacy is never implied nor enforced

• Identify remotely, authenticate remotely, authorize remotely, act remotely

Page 4

Legacy Authentication Systems: Issues

• Scale: the more systems and sites involved, the harder they are to support and manage

• Privacy is not a design concern

• Difficult or impossible to manage the security of identification and authorization reliably

• User experience is diminished by yet another set of electronic credentials, and by the possibility of identity release

Page 5

Federated Identity: The New Mindset

• Federation: an association of resource managers (targets) and identity managers (origins) cooperating via a trust broker (the federation) to access and deliver digital content

• Candidates: Liberty Alliance, Microsoft WS (.NET Passport) and Internet2 Shibboleth middleware

• Only one of these is deployed, addresses privacy as well as security, and is scalable

• Authenticate, attribute and assert locally; act federally

Page 6

What is Shibboleth?

• A middleware authentication/authorization mechanism that provides security, privacy and scale

• Core enterprise middleware infrastructure

• Does not provide trust, but requires and leverages the existence of a trust fabric

• Allows users to authenticate, attribute and assert locally and act federally

Page 7

Middleware Land

Source: http://www.internet2.edu/presentations/20020624-BaseCAMP-Frost.htm

Page 8

Shibboleth at UTHSC Houston (diagram)

Components shown:

• ORIGIN (UTHSCH member): UTHSC Houston Identity Manager, with the Authentication System (Digital ID/LDAP) and LDAP (eduPerson)

• TARGET: Resource Manager in front of a Web Resource

• WAYF, Federated Identity Providers and the Trust Fabric between origin and target

Flow for a UTHSCH user:

1. Request access (user to Web Resource)

2. (unlabeled step at the WAYF)

3. Are you a valid UT Houston affiliate?

4. What is your role?

Role attributes sufficient: access allowed

Page 9

Shibboleth and Blackboard, by Barry Ribbeck, UTHSC-Houston (diagram)

Components shown:

• ORIGIN (Home University): Authentication System (ISO/SSO/Cert), Handle Service (Bill = X), Attribute Authority, RBAC Authorization System - LDAP (eduPerson)

• Federation: WAYF Service (InCommon)

• TARGET (Resource Provider): SHIRE (Allow HomeU AA), SHAR, Resource Manager

• User "Bill"

Flow:

1. I would like access?

2. Can you authenticate via my WAYF?

3. Where are you from?

4. I am from HU, logged in?

5. Authenticate me to HU

6. AuthN OK, send handle X to Target

7. Need eppn & eduPersonEntitlement for X?

8. Link handle X to user and look up attributes

9. Attributes found and released

10. If ARP allows, attributes are sent to Target. If attributes are sufficient, access is granted by Resource Manager on Target

11. Logged onto Bb (Bb remote user = [email protected])
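The exchange on this slide, as an added example that is not part of the original deck and not Shibboleth's own code: a Python model of the origin's Handle Service and Attribute Authority and the target's SHIRE, SHAR and Resource Manager. The users and passwords, the ARP, the target's providerId and the federation membership set are constructed for the example. It shows the three properties the deck claims for the design: the target only ever sees an opaque, single-use handle bound to it (privacy), the ARP decides what the Attribute Authority releases to each target (here `mail` is withheld from Blackboard), and the Resource Manager grants on eduPersonEntitlement rather than on who the user is (granularity).

```python
import secrets
import time

# Constructed directory standing in for the origin's LDAP (eduPerson schema).
DIRECTORY = {
    "bill": {"password": "hunter2",
             "eduPersonPrincipalName": "bill@hu.edu",
             "eduPersonEntitlement": ["urn:mace:hu.edu:bb:course-x"],
             "mail": "bill@hu.edu"},
    "alice": {"password": "s3cret",
              "eduPersonPrincipalName": "alice@hu.edu",
              "eduPersonEntitlement": [],
              "mail": "alice@hu.edu"},
}

BB_TARGET = "https://bb.example.edu/shibboleth"   # constructed providerId

# Constructed attribute release policy: per target, what the AA may release.
ARP = {BB_TARGET: {"eduPersonPrincipalName", "eduPersonEntitlement"}}

# Constructed federation metadata: the trust fabric the target consults.
FEDERATION_ORIGINS = {"hu.edu"}


class HandleService:
    """Origin side. After local AuthN, mints an opaque handle bound to one
    target, short-lived and single-use. The target never sees 'bill'."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._handles = {}            # handle -> (user, target, expiry)

    def authenticate_and_issue(self, user, password, target):
        rec = DIRECTORY.get(user)
        if rec is None or rec["password"] != password:   # step 5 fails
            return None
        handle = secrets.token_urlsafe(16)                # step 6
        self._handles[handle] = (user, target, time.monotonic() + self.ttl)
        return handle

    def resolve(self, handle, target):
        rec = self._handles.pop(handle, None)             # single use
        if rec is None:
            return None
        user, bound_target, expiry = rec
        if bound_target != target or time.monotonic() > expiry:
            return None
        return user


class AttributeAuthority:
    """Origin side. Resolves the handle locally (step 8) and releases only
    what the ARP allows for the asking target (steps 9 and 10)."""

    def __init__(self, handle_service):
        self.hs = handle_service

    def query(self, handle, target, wanted):
        user = self.hs.resolve(handle, target)
        if user is None:
            raise PermissionError("handle unknown, expired, reused or bound to another target")
        allowed = ARP.get(target, set())
        attrs = DIRECTORY[user]
        return {a: attrs[a] for a in wanted if a in allowed and a in attrs}


def shire_accept(origin, handle):
    """Target side (SHIRE): only accept handles from federation members."""
    if origin not in FEDERATION_ORIGINS:
        raise PermissionError(f"origin {origin!r} is not in the federation metadata")
    return {"origin": origin, "handle": handle}


def resource_manager_allows(attrs, required_entitlement):
    """Target side: grant only if the released attributes carry the entitlement."""
    return required_entitlement in attrs.get("eduPersonEntitlement", [])


def login_to_bb(user, password, hs, aa, origin="hu.edu"):
    """Runs steps 5 to 11 of the slide for one user; returns (granted, attrs)."""
    handle = hs.authenticate_and_issue(user, password, BB_TARGET)
    if handle is None:
        return False, {}
    session = shire_accept(origin, handle)
    attrs = aa.query(session["handle"], BB_TARGET,       # step 7 (SHAR to AA)
                     ["eduPersonPrincipalName", "eduPersonEntitlement", "mail"])
    granted = resource_manager_allows(attrs, "urn:mace:hu.edu:bb:course-x")
    return granted, attrs


if __name__ == "__main__":
    hs, aa = HandleService(), AttributeAuthority(hs)
    print("bill:", login_to_bb("bill", "hunter2", hs, aa))    # granted, no mail released
    print("alice:", login_to_bb("alice", "s3cret", hs, aa))   # authenticated but denied
```

Two details matter operationally: the handle is popped on first resolution, so a replayed handle (step 7 repeated by anyone who sniffed it) yields nothing, and it is bound to the providerId it was issued for, so a handle obtained for one target cannot be cashed in at another. Real Shibboleth deployments get the same guarantees from signed assertions and metadata-driven trust rather than from an in-memory table.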

Page 10

What is it Being Used For?

• Access to digital content (library resources)

• Learning management systems

• Web-based online resources

• Systems access that requires

– Privacy (user anonymity can be maintained)

– Security (AuthN can be anything from uid/password to two-factor PKI)

– Granularity in access control

– High scalability

Page 11

Federations: Brokers of the Trust Fabrics

• Provide and maintain a digital venue for members

• A leverage point for relying-party agreements (solves the N-1 problem: each member signs one agreement with the federation instead of one with every other member)

• Enforce the rules of engagement for the relying parties

• Provide secure mechanisms for the exchange of member institutions' digital credentials

Page 12

Federated Identity

• Liberty: Allows the end user to link and unlink identities that are provided from differing sources

• Shib: A method of scaling identity management

• Federations provide a trust fabric; the Liberty model ties them together

Page 13

Benefits

• Scale: no need to maintain stand-alone credentials; many fewer uid/password pairs

• Building applications on top of Shibboleth provides a leveraged rather than a stand-alone solution

• Security: authorization is better managed in a Federated space.

• Privacy for users can be maintained.

Page 15

References

http://www.internet2.edu
http://www.educause.edu

Google searches: NMI-Edit, Shibboleth, Internet2, Middleware

Barry.R.Ribbeck@uth.tmc.edu