Copyright © 2005 – ESUP-Portail – University of Rennes 1 – Pascal Aubry
Open-source Identity Federation with Shibboleth, Pascal Aubry, EUNIS’2006, Tartu, Estonia
2 years ago in Bled…
• ESUP-Portail: open-source Single Sign-On with CAS
– Pascal Aubry, Vincent Mathieu & Julien Marchal
– EUNIS’2004, Bled, Slovenia, July 2004
Limits (and perspectives)
• CAS deals with authentication, not authorization
– Mixing CAS and Shibboleth?
• No redundancy
– No native load-balancing (but low load)
– No fault-tolerance (but very good reliability)
• No Single Sign-Off
• Very poor documentation
Copyright © 2006 – ESUP-Portail consortium – University of Rennes 1 – Pascal Aubry
Open-source Identity Federation with Shibboleth
Pascal Aubry
University of Rennes 1 – ESUP-Portail consortium
EUNIS’2006, Tartu, Estonia
Learn Shibboleth in 20 minutes
Shibboleth for the impatient
Need and context
• Need: give outside users access to web resources
• Context
– No interoperability
– Single Sign-On within establishments
– Need for collaboration
Once upon a time…
• Some resources not protected at all
• Access control based on IP addresses often used
• Issues with user management at resource-level
• So many login processes
• So many accounts and passwords
• Almost no resource shared by several establishments
[Figure: University A, Library B and Research lab C each run their own resources (Sympa, Moodle, Thesis, Search engine, Publications), and every resource carries its own access control, identity management and authentication. Diagram credit: "Greetings to SWITCHaai".]
With SSO, it was a little better
• Locally, yes…
• but still the same everywhere else!
[Figure: the same establishments and resources; each establishment now has one authentication point for its own users, while access control and identity management at the other establishments' resources are unchanged. Diagram credit: SWITCHaai.]
Fortunately, Identity Federation has come!
• No user management at resource-level
• Users authenticate only once, in their own establishment
• Users gain access to new resources
• Resources have a much larger audience
[Figure: the same establishments and resources; identity management and authentication stay in the user's establishment, and each resource only performs access control. Diagram credit: SWITCHaai.]
Shibboleth, the SSO and the LDAP directory
• Shibboleth does not replace the SSO nor the LDAP directory
• Shibboleth needs both the SSO and the LDAP directory
Formats, protocols and tools
[Figure: landscape of formats, protocols and tools. SAML: Shibboleth, Liberty Alliance (SourceID, Sun, LASSO, Oblix). WS-*: WS-Federation (ADFS).]
The choice of Shibboleth
• Advanced features
– Attribute management
– Anonymization
– Trust (PKI) management
• Adapted to our environment
– Several Identity Providers
• Interoperability
– Integration with the Information System
– Many applications already Shibbolized
– Already adopted by other colleagues (USA, Switzerland, UK, Finland…)
– Non-intrusive solution
• In any case, more and more interoperability with other tools in the future, thanks to SAML 2.0
Shibboleth, it’s easy ;-)
• Many actors
• Many interactions
[Figure: all the actors of a Shibboleth exchange: Web browser, WAYF, SSO server, Identity Provider (Authentication service, Authentication Authority, Attribute Authority, User database) and Service Provider (Assertion Consumer, Attribute Requester, Access Controller, Resource). The messages exchanged between them are userId, ssoId, ticket, nameId and attributes.]
Without Single Sign-On
[Figure: a Web browser and a Service Provider (SP).]
Without Single Sign-On (first request to a SP)
[Figure: Web browser, Identity Provider (IdP) and Service Provider (SP), with the four numbered exchanges of a first request: the browser contacts the SP, the user authenticates at the IdP with userId and password, the IdP hands a nameId to the SP through the browser, and the SP retrieves the user's attributes from the IdP.]
Without Single Sign-On (next requests to the same SP)
[Figure: Web browser, Identity Provider (IdP) and Service Provider (SP); the browser's later requests go to the SP only, without a new exchange with the IdP.]
Service Provider architecture
[Figure: the Service Provider (SP) is made of an Assertion Consumer, an Attribute Requester, an Access Controller and the Resource. The user sends userId and password to the Identity Provider (IdP); the Assertion Consumer receives the nameId from the IdP through the browser; the Attribute Requester fetches the attributes from the IdP; the Access Controller uses them to guard the Resource.]
Identity Provider architecture
[Figure: the Identity Provider (IdP) is made of an Authentication service, an Authentication Authority, an Attribute Authority and the User database. The browser sends userId and password to the Authentication service; the Authentication Authority issues the nameId to the SP's Assertion Consumer through the browser; the SP's Attribute Requester asks the Attribute Authority, which looks the userId up in the User database and returns the attributes.]
What is Shibboleth?
[Figure: the Identity Provider and Service Provider architecture of the previous slides, with the four components supplied by Shibboleth marked "Shibboleth"; the Authentication service, User database and Resource are not part of it.]
With Single Sign-On (first request to a SP)
[Figure: Web browser, SSO server, Identity Provider (Authentication service, Authentication Authority, Attribute Authority, User database) and Service Provider (Assertion Consumer, Attribute Requester, Access Controller, Resource). The user sends userId and password to the SSO server, which returns a ticket to the browser; the browser presents the ticket to the IdP's Authentication service, which validates it with the SSO server and obtains the userId; the Authentication Authority sends the nameId to the SP through the browser; the SP's Attribute Requester asks the Attribute Authority, which looks the userId up in the User database and returns the attributes.]
With Single Sign-On (the user’s point of view)
[Figure: the same actors; from the user's point of view there are only four numbered steps, with a single entry of userId and password.]
With Single Sign-On (next requests to the same SP)
[Figure: the same actors; the browser's later requests are served by the SP directly, without going back to the SSO server or the IdP.]
With Single Sign-On (next requests to another SP)
[Figure: the same actors; the browser is sent to the IdP, and since the user already holds an SSO session (ssoId) the SSO server issues a new ticket without asking for the password again; the IdP validates the ticket, obtains the userId and sends a nameId to the new SP, which then fetches the attributes.]
With SSO and WAYF (first request to a SP)
[Figure: the actors of the SSO case plus the WAYF (Where Are You From) service. The SP first sends the browser to the WAYF, where the user picks their home establishment and is redirected to its IdP; the exchange then continues as without the WAYF: userId and password to the SSO server, ticket to the IdP, nameId to the SP, attributes retrieved by the SP.]
With SSO and WAYF (the user’s point of view)
[Figure: the same actors including the WAYF; from the user's point of view there are six numbered steps, with a single entry of userId and password.]
With SSO and WAYF (next requests to the same SP)
[Figure: the same actors including the WAYF; the browser's later requests are served by the SP directly.]
With SSO and WAYF (next requests to another SP)
[Figure: the same actors including the WAYF; the user's existing SSO session (ssoId) lets the SSO server issue a ticket without a new password, the IdP validates it, obtains the userId and sends a nameId to the new SP, which fetches the attributes; four numbered steps from the user's point of view.]
Multi-tier installations
[Figure: the browser accesses Service Provider #1, which receives from the Identity Provider (IdP) the nameId and the attributes for SP#1 together with the (encrypted) attributes for SP#2; SP#1 passes the nameId and the encrypted attributes on to Service Provider #2, which it calls on the user's behalf.]
An application: meta search engines
[Figure: the browser talks to a Portal, which queries Content provider #1, Content provider #2, …, Content provider #n on the user's behalf.]
Anonymous access to a Service Provider
• The users’ profiles can be transmitted without any personal data
• An opaque but persistent identifier can be provided (targetedId)
• The users’ UID and global identifier are managed just like any other attribute
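An added example, not code from the presentation, of the "opaque but persistent identifier" idea on this slide: a keyed hash over the local userId, scoped to the SP's entityId, so the same user is recognisable on return to one SP but cannot be correlated across SPs. The salt, user record and entityIds are constructed, and the HMAC scheme is an assumption, not necessarily how Shibboleth computes targetedId.

```python
"""Pairwise opaque identifier and anonymous attribute release (added example)."""
import base64
import hashlib
import hmac

# Constructed secret for the example; a real IdP keeps a long random salt that never leaves it.
IDP_SALT = b"constructed-example-salt-do-not-reuse"

# Attributes that identify the person; released only when the SP is allowed to know who they are.
IDENTIFYING = {"uid", "mail"}


def targeted_id(user_id: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Return an identifier that is stable for (user, SP) and different for every other SP.

    Keying the hash with the IdP's secret salt means an SP cannot brute-force the userId
    from the identifier, and scoping it to the SP entityId prevents two SPs from linking
    their records of the same user.
    """
    msg = f"{user_id}!{sp_entity_id}".encode("utf-8")
    digest = hmac.new(salt, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def release_profile(user: dict, sp_entity_id: str, anonymous: bool) -> dict:
    """Build the attribute set sent to one SP.

    Anonymous release: the profile (affiliation, speciality, ...) plus a targetedId, with no
    UID or e-mail. Otherwise the UID is released like any other attribute.
    """
    profile = {k: v for k, v in user.items() if anonymous is False or k not in IDENTIFYING}
    profile["targetedId"] = targeted_id(user["uid"], sp_entity_id)
    return profile


if __name__ == "__main__":
    # Constructed user record as the IdP would read it from its directory.
    alice = {"uid": "alice", "mail": "alice@univ-a.example",
             "affiliation": "student", "speciality": "mathematics"}
    print(release_profile(alice, "https://sp1.example/shibboleth", anonymous=True))
    print(release_profile(alice, "https://sp2.example/shibboleth", anonymous=True))
```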
The need for a common naming space
[Figure: an online course reserved to students in mathematics, with authorisation based on the students' profile; University A, University B and University C expose the same information under three different attribute names: speciality, spec and topic.]
The need for common semantics
[Figure: the same online course reserved to students in mathematics, with authorisation based on the students' profile; the three universities now all use the attribute name speciality, but with the values mathematics, Mathematics and MATH.]
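An added example, not code from the presentation, of what the two slides above call for: the attribute each university exposes under its own name (speciality, spec, topic) and its own value (mathematics, Mathematics, MATH) is rewritten into one federation attribute with a controlled vocabulary before the course's access rule is evaluated, and anything unmapped fails closed. The IdP entityIds, mappings and vocabulary are constructed for the example.

```python
"""Normalising federation attributes before authorisation (added example)."""

# Federation-wide attribute name and its controlled vocabulary (constructed).
FED_ATTR = "speciality"
CANONICAL_VALUES = {"mathematics", "physics", "computer-science"}

# Per-IdP mapping: local attribute name, then local value -> canonical value (constructed).
# Anything not listed here is unknown and must never grant access.
IDP_MAPPINGS = {
    "https://idp.univ-a.example": ("speciality", {"mathematics": "mathematics", "physics": "physics"}),
    "https://idp.univ-b.example": ("spec", {"Mathematics": "mathematics", "Physics": "physics"}),
    "https://idp.univ-c.example": ("topic", {"MATH": "mathematics", "CS": "computer-science"}),
}


def normalise(idp_entity_id: str, attributes: dict) -> dict:
    """Rewrite the raw attributes released by one IdP into the federation vocabulary.

    Returns {FED_ATTR: [values]} or {} when the IdP is unknown, the attribute is missing
    or no value maps: unmapped values are dropped, not passed through, so a spelling
    variant at one IdP cannot match an access rule by accident.
    """
    mapping = IDP_MAPPINGS.get(idp_entity_id)
    if mapping is None:
        return {}
    local_name, value_map = mapping
    raw = attributes.get(local_name)
    values = raw if isinstance(raw, list) else [raw]   # attributes may be multi-valued
    canon = {value_map[v] for v in values if v in value_map}
    canon &= CANONICAL_VALUES                          # only vocabulary values survive
    return {FED_ATTR: sorted(canon)} if canon else {}


def may_access_maths_course(idp_entity_id: str, attributes: dict) -> bool:
    """Access rule of the online course: the normalised speciality must include mathematics."""
    return "mathematics" in normalise(idp_entity_id, attributes).get(FED_ATTR, [])


if __name__ == "__main__":
    # Constructed assertions as received from the three universities.
    for idp, attrs in [("https://idp.univ-a.example", {"speciality": "mathematics"}),
                       ("https://idp.univ-b.example", {"spec": "Mathematics"}),
                       ("https://idp.univ-c.example", {"topic": "MATH"}),
                       ("https://idp.univ-c.example", {"topic": "math"})]:
        print(idp, attrs, "->", may_access_maths_course(idp, attrs))
```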
References:
http://shibboleth.internet2.edu
http://federation.cru.fr