Post on 01-Jan-2016
Shibboleth Update
Michael Gettes
Principal Technologist
Georgetown University
Ken Klingenstein
Director
Internet2 Middleware Initiative
Shibboleth Architecture Concepts - High Level
[Diagram: Browser; Target Web Server (Target Site); Origin Site. Authentication Phase: First Access - Unauthenticated. Authorization Phase: Pass content if user is allowed.]
Shibboleth Architecture Concepts (detail)
[Diagram: Browser; Target Web Server (Target Site); Web Login Server, Authentication and Attribute Server (Origin Site). Authentication Phase: First Access - Unauthenticated; Redirect User to Local Web Login; Auth OK. Authorization Phase: Ask to Obtain Entitlements (Req Ent, Ent Prompt, Entitlements); Pass entitlements for authz decision; Pass content if user is allowed; Second Access - Authenticated; Success!]
Descriptions of services
1. local authn server - assumed part of the campus environment
2. web sso server - typically works with local authn service to provide web single sign-on
3. resource manager proxy, resource manager - may serve as control points for actual web page access
4. attribute authority - assembles/disassembles/validates signed XML objects using attribute repository and policy tables
5. attribute repository - an LDAP directory, or roles database, or …
6. Where are you from service - one possible way to direct external users to their own local authn service
7. attribute mapper - converts user entitlements into local authorization values
8. PDP - policy decision points - decide if user attributes meet authorization requirements
9. SHAR - Shibboleth Attribute Requestor - used by target to request user attributes
Shibboleth Architecture -- Managing Trust
[Diagram: Browser; Target Web Server and Shib engine (Target Site); Attribute Server (Origin Site); TRUST relationship between the two sites.]
Personal Privacy
Web Login Server provides a pseudonymous identity
An Attribute Authority releases Personal Information associated with that pseudonymous identity to site X based on:
• Site Defaults – Business Rules
• User control – myAA
• Filtered by – Contract provisions
[Diagram: Browser User; My AA; Site Defaults; Contract Provisions.]
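As an added illustration (not code from these slides or from the Shibboleth project), the Python sketch below ties the service list above to the Personal Privacy slide: the web login server hands the target a pseudonymous handle, the attribute authority applies site defaults, then the user's myAA restrictions, then the contract filter, and the target's mapper and PDP act on what was released. The users, passwords, attribute values and site name are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Constructed origin-site data (assumptions, not from the slides): the local
# password table and the attribute repository (service 5 on the list above).
PASSWORDS = {"alice": "correct horse"}
REPOSITORY = {"alice": {"eduPersonAffiliation": "student",
                        "mail": "alice@example.edu",
                        "displayName": "Alice Example"}}

@dataclass
class OriginSite:
    site_defaults: dict          # target site -> attributes released by business rule
    user_controls: dict          # (user, target site) -> attributes the user withholds (myAA)
    contracts: dict              # target site -> attributes the contract permits at all
    handles: dict = field(default_factory=dict)   # pseudonymous handle -> local user

    def web_login(self, user, password):
        """Local authn + web SSO (services 1-2): on success hand out an opaque
        handle rather than the username, so the target sees a pseudonym only."""
        if PASSWORDS.get(user) != password:
            return None
        handle = secrets.token_hex(16)
        self.handles[handle] = user
        return handle

    def attribute_authority(self, handle, target):
        """Service 4: answer a SHAR request, applying site defaults, then the
        user's own restrictions, then the contract filter, in that order."""
        user = self.handles.get(handle)
        if user is None:              # unknown or expired handle: release nothing
            return {}
        allowed = set(self.site_defaults.get(target, ()))
        allowed -= set(self.user_controls.get((user, target), ()))
        allowed &= set(self.contracts.get(target, ()))
        return {a: v for a, v in REPOSITORY[user].items() if a in allowed}

def attribute_mapper(released, mapping):
    """Service 7: convert released entitlements into local authorization values."""
    return {mapping[(a, v)] for a, v in released.items() if (a, v) in mapping}

def pdp(local_values, required):
    """Service 8: the policy decision point grants only if every required value is present."""
    return required <= local_values

def target_access(origin, handle, target, mapping, required):
    """Target side (services 3, 8, 9): SHAR fetches, mapper translates, PDP decides."""
    released = origin.attribute_authority(handle, target)
    return pdp(attribute_mapper(released, mapping), required), released
```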
Drivers of Vapor Convergence
JA-SIG uPortal Authen
OKI/Web Authentication
Local Web SSO Pressures
We all get Web SSO for Local Authentication and an Enterprise Authorization Framework with an Integrated Portal that will all work inter-institutionally!
Shibboleth Inter-Realm AuthZ
Middleware Inputs & Outputs
[Diagram: Grids; JA-SIG & uPortal; OKI; Inter-realm calendaring; Shibboleth, eduPerson, Affiliated Dirs, etc.; Enterprise Directory; Enterprise Authentication; Legacy Systems; Campus Web SSO; futures; Enterprise authZ; Licensed Resources; Embedded App Security.]
National Science Foundation NMI program
• $12 million over 3 years
• www.nsf-middleware.org
• Middleware Service Providers, Integrators, Distributors
• GRID (Globus)
• Internet2 + EDUCAUSE + SURA
• May 2002 – first set of deliverables from all parties
The Liberty Alliance (www.project-liberty.org)
Sun Microsystems, American Express, United Airlines, Nokia, MasterCard, AOL Time Warner, American Airlines, Bank of America, Cisco, France Telecom, Intuit, NTT DoCoMo, Verisign, Schlumberger, Sony …
Initiated in September 2001.
• Protect Privacy
• Federated Administration
• Interoperability
• Standards based but requires new technology
• Hard problems to solve
• A Network Identity Service
Funny, doesn’t this stuff sound familiar?