Federated Identity and Shibboleth Concepts
Rick Summerhill, Chief Technology Officer, Internet2
GEC3, October 29, 2008
Slides by Nate [email protected] [email protected]
The Challenging Way
[Diagram: Dr. Joe Oval, Psych Prof. at Circle University (home account [email protected], SSN 456.78.910, Password #1), holds a separate account and a separate copy of his personal data at every service provider: Music Service (ID #4 j.o.123, DOB 4/4/1955, Password #4), Grant Admin Service (ID #2 Joval, SSN 456.78.910, Password #2) and Grading Service (ID #3 Jo456, Password #3). The home organization has no view of the services ("????"). Labels on the Service Providers side: No coordination; Proprietary code; Batch uploads.]
The Federated Way
[Diagram: Circle University (home) holds the single record for Dr. Joe Oval, Psych Prof. ([email protected], SSN 456.78.910, Password #1); each service provider's view of him is supplied by Circle University, one of them as an anonymous ID only.]
1. Single sign on
2. Services no longer manage user accounts & personal data stores
3. Reduced help-desk load
4. Standards-based technology
5. Home org controls privacy
How Federated Identity Works
1. A user tries to access a protected application
2. The user tells the application where it's from
3. The user logs in at home
4. Home tells the application about the user
5. The user is rejected or accepted
[Diagram: User, Identity Provider (backed by a Database / Directory) and Service Provider. User to SP: 1. I'd like access. SP to User: 2. What is your home? 3. Please login at home. User to IdP: 4. I'd like to login for SP. 5. Login. IdP to User: 6. Here is data about you for SP. Send it. User to SP: 7. Here is my data. SP to User: 8a. See the page! or 8b. Access Denied.]
Shibboleth IdP
• Written in Java, runs in any Servlet 2.4 container
• Supports multiple protocols
• Does not contain attributes or logins
• Relies on external LDAP/Kerberos/SQL/etc.
• Extensive controls for the release of attributes
[Diagram: Web Browser talks to the Application, fronted by the Shibboleth SP, and to the Shibboleth IdP running in Tomcat; the IdP calls out to Authentication and to the Directory / Database.]
Shibboleth SP
• Written in C++ for Apache, IIS, or NSAPI
• Apache often used to front-end other web servers: Java containers, Zope, etc.
• Extensive clustering support
• No API: attributes & data available through headers & env. variables
• Keeps identity management external to app
[Diagram: Web Browser talks to Apache or IIS, where the Shibboleth SP module hands assertions to shibd, and to the Shibboleth IdP running in Tomcat in front of the Directory / Database; the SP passes Person Information to the application.]
Words
• SAML: Security Assertion Markup Language
• Attribute: A name/value pair that describes a user: uid/rrsum
• Scope: The domain within which an attribute is valid: [email protected]
• Assertion: User authentication & attribute information wrapped as SAML for transport
• Name Identifier: Any attribute elevated to identifier (primary key) status
More words
• entityID: The name of a provider
• Identity Provider (IdP): Supplies assertions
• Attribute Authority (AA): Acquires user attributes and encodes them for transport
• Service Provider (SP): Receives assertions and protects resources
• Assertion Consumer Service (ACS): Receives assertion, processes it, passes user along
Last words
• Federation: A trust structure to help large communities of IdP's or SP's interoperate without an MxN handshake
  • Not necessary for federated identity
• Metadata: A file that describes how to talk to and trust a provider
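The login flow from "How Federated Identity Works" and the vocabulary above (entityID, assertion, ACS, attribute release, scope, metadata) as an added toy model in Python; this is example code written for this page, not Shibboleth's own. It assumes constructed entityIDs, passwords and attributes, HMAC-signed JSON in place of signed SAML XML, and the `eppn` scoped attribute name and the `METADATA` / `release_policy` structures are assumptions standing in for real metadata and attribute-filter policy.

```python
import hashlib
import hmac
import json
import time

SP_ENTITY_ID = "https://grading.example.org/shibboleth"  # constructed entityID of the Grading Service
# Constructed federation metadata: for each IdP entityID, the key the SP trusts and the
# scope(s) that IdP may assert. Real Shibboleth metadata is signed XML carrying X.509 keys.
METADATA = {
    "https://idp.circle.example/shibboleth": {"key": b"circle-idp-key", "scopes": {"circle.example"}},
    "https://idp.other.example/shibboleth": {"key": b"other-idp-key", "scopes": {"other.example"}},
}

class IdentityProvider:
    def __init__(self, entity_id, directory, release_policy):
        self.entity_id = entity_id
        self.key = METADATA[entity_id]["key"]
        self.directory = directory            # stands in for the external LDAP/Kerberos/SQL store
        self.release_policy = release_policy  # SP entityID -> attribute names it may receive

    def login(self, uid, password, sp_entity_id):
        """Steps 4-6: authenticate at home, then build a signed assertion for this SP only."""
        rec = self.directory.get(uid)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        released = {k: v for k, v in rec["attributes"].items()
                    if k in self.release_policy.get(sp_entity_id, set())}
        body = {"issuer": self.entity_id, "audience": sp_entity_id,
                "expires": time.time() + 300, "attributes": released}
        payload = json.dumps(body, sort_keys=True).encode()
        return {"payload": payload, "sig": hmac.new(self.key, payload, hashlib.sha256).hexdigest()}

def assertion_consumer_service(assertion, now=None):
    """Steps 7-8: the SP's ACS checks issuer, signature, audience, expiry and scope.
    Returns the attributes to expose to the app (as headers / env. variables), or None."""
    body = json.loads(assertion["payload"])
    idp = METADATA.get(body.get("issuer"))
    if idp is None:
        return None  # issuer not in the federation metadata: no trust, no access
    expected = hmac.new(idp["key"], assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None  # tampered or forged assertion
    if body.get("audience") != SP_ENTITY_ID or body.get("expires", 0) < (now or time.time()):
        return None  # meant for another SP, or replayed after expiry
    eppn = body["attributes"].get("eppn", "")
    if "@" not in eppn or eppn.rsplit("@", 1)[1] not in idp["scopes"]:
        return None  # scoped attribute outside the domain this IdP is trusted for
    return body["attributes"]
```

Note that the directory record may hold an SSN, but the release policy decides per SP what leaves home, which is the privacy control the federated slide claims.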
An Example:
Basic Architecture - IDC