http://iamsect.ncl.ac.uk/
Inter-institutional Authorisation using Shibboleth: Myths, Lies and the Truth
Jon Dowland, IAMSECT project officer
University of Newcastle upon Tyne
Overview
• Definition and demonstration
• Current state of the art
• Shibboleth is…
• Who’s doing what?
• Wrap-up
• Questions
Shibboleth
Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand.
Judges 12:5-7
Shibboleth
“Shibboleth, is a bit like the duck which moves serenely through the water, but is paddling furiously beneath the surface.”
- Derek Morrison
Live demonstration
Shibboleth is a Single Sign-On (SSO) solution
Statement
Single Sign-On solutions
• Pubcookie - http://www.pubcookie.org/
• Yale CAS - http://www.yale.edu/tp/auth/
Authentication/Authorisation
Existing approaches
HTTP Authentication (May 1996 or earlier)
>>> GET /temp/auth/ HTTP/1.0

<<< HTTP/1.1 401 Authorization Required
<<< WWW-Authenticate: Basic realm="Invitation Only"
<<< Content-Type: text/html

>>> GET /temp/auth/ HTTP/1.0
>>> Authorization: Basic xxxxxx

<<< HTTP/1.1 200 OK
<<< Content-Type: text/html
<<<
<<< hello world

Browser prompts for username/password
HTTP: Drawbacks
• Lack of ‘theme-able’ log-in
– ‘help’
– ‘mail me my password’
– Etc.
• ‘Authorization:’ and authentication mixed-up
• Passwords sent in-the-clear
• No log-out mechanism
Athens (1996)
• Admired internationally, best of breed
• Single ID, multiple sign-on
• UK education and health
• Secure
• centralised
[Diagram: User -> Athens -> Service]
Athens D.A. (Oct 2002)
• Athens + SSO +
• devolved (locally managed) authentication
[Diagram: User -> Institution (login) -> Athens -> Service]
Athens services
Shortcomings
• Usage statistics
• Bureaucracy and ad-hoc groups (VRGs)
• Fine-grained access control
• Privacy and anonymity
• Reluctant international services
Shibboleth is…
detailed demo
User attempts to access service
http://bruno.dur.ac.uk/
Interlude: where are they from?
• Autodiscovery (e.g. by host): unreliable, and we’re trying to simplify the service provider
• Manual: simple, but a user burden
User redirected to “WAYF”
https://wayf.sdss.ac.uk/shibboleth-wayf/...
User directed to “home”
https://weblogin.ncl.ac.uk/cgi-bin/index.cgi
User provides credentials
“home” authenticates user (against its existing database)
Attributes are exchanged (from the existing database)
User directed to service
From the flyer
“Shibboleth is a fine-grained authorization framework which
separates responsibility for authenticating a user from the
responsibility of authorizing their access to a resource.”
Authentication ≠ Authorisation
Authentication: who someone is
Authorisation: what someone can do
Identity Provider
• home institution
• trusted
Authentication
Attribute Exchange
Case studies (case study → attribute)
• Course specific sensitive material → Enrolled courses!
• Fully-private, anonymous access → Nothing!
Identity Provider
• home institution
• trusted
Attribute Exchange
• Secure
• Pre-agreed information
Service Provider
• No user database
• No synchronization issues
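The flow on the preceding slides (service provider, WAYF, home identity provider, attribute exchange) and the two case studies, as an added Python simulation that is not IAMSECT or Shibboleth code. The home name ncl.ac.uk, the two service provider names, the user “jon” and the release policy are all constructed for the example.

```python
import secrets

# Constructed sample data (not from IAMSECT): one home's user store and its pre-agreed release policy.
USERS = {"jon": {"password": "correct-horse", "attributes": {
    "enrolledCourses": ["MED1001"], "displayName": "Jon", "staffNumber": "12345"}}}
RELEASE_POLICY = {                              # SP name -> attributes the IdP will release
    "vle.example.ac.uk": {"enrolledCourses"},   # case study 1: course-specific material
    "journal.example.com": set(),               # case study 2: anonymous access, nothing
}

class IdentityProvider:  # the "home": authenticates locally, releases only agreed attributes
    def __init__(self, users, policy):
        self.users, self.policy, self.handles = users, policy, {}
    def authenticate(self, username, password):
        user = self.users.get(username)
        if user is None or user["password"] != password:
            return None
        handle = secrets.token_hex(8)  # opaque handle: the SP never learns the username
        self.handles[handle] = username
        return handle
    def attribute_query(self, handle, sp_name):
        attrs = self.users[self.handles[handle]]["attributes"]
        return {k: v for k, v in attrs.items() if k in self.policy.get(sp_name, set())}

class WAYF:  # "Where Are You From": maps the user's chosen home to its identity provider
    def __init__(self, idps):
        self.idps = idps
    def locate(self, home):
        return self.idps[home]

class ServiceProvider:  # keeps no user database; authorises on released attributes only
    def __init__(self, name, wayf, required_course=None):
        self.name, self.wayf, self.required_course = name, wayf, required_course
    def access(self, home, username, password):
        idp = self.wayf.locate(home)                    # user redirected to WAYF, then home
        handle = idp.authenticate(username, password)   # home authenticates the user
        if handle is None:
            return ("denied", {})
        attrs = idp.attribute_query(handle, self.name)  # attributes are exchanged
        if self.required_course and self.required_course not in attrs.get("enrolledCourses", []):
            return ("denied", attrs)
        return ("granted", attrs)                       # user directed to the service

def demo():
    wayf = WAYF({"ncl.ac.uk": IdentityProvider(USERS, RELEASE_POLICY)})
    vle = ServiceProvider("vle.example.ac.uk", wayf, required_course="MED1001")
    journal = ServiceProvider("journal.example.com", wayf)
    return {"vle": vle.access("ncl.ac.uk", "jon", "correct-horse"),
            "journal": journal.access("ncl.ac.uk", "jon", "correct-horse"),
            "bad_password": vle.access("ncl.ac.uk", "jon", "wrong")}
```

The VLE receives only the enrolled-courses attribute (staff number and display name are never released), the journal grants access without learning anything about the user, and a failed login at home never reaches the attribute exchange.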
Terminology: Federations
Federations
[Diagram: 24 relationships vs. 8 relationships (simplified relationships)]
Example Federations
• InQueue
• InCommon
• Athens
• SDSS
Who’s doing what
U.S.
• Internet2 consortium
• InCommon federation
– 16 universities
– 4 others
Around the world
• Switzerland – SWITCH
• Finland – HAKA
• Australia, Hungary, Croatia deploying
• Rest of Europe: contemplating
U.K.
• BECTA – ICT/schools
– Shibboleth pilot
• JISC
– Core middleware
– Distributed e-learning
– Early adopters
– …
• “Inter-institutional Authorisation Management to Support eLearning with reference to Clinical Teaching”
• JISC Core Middleware
Inter-institutional
• Collaboration
– Durham
– Newcastle
• Web team
• Faculty of Medical Sciences
– Northumbria
Authorisation, Clinical Teaching
• a proverbial goldmine of privacy and confidentiality issues
• Involvement of Newcastle FMSC
• Shared students
• In-house medical-oriented virtual learning environment (VLE)
What we’ve done (1)
• Technical-oriented guides
– Local SSO (pubcookie)
– Shibboleth Identity Provider
• Creative Commons
What we’ve done (2): Techie
• Shibboleth origin installation
• Shibboleth target installation
• target/zope integration
• federation testing
What we’ve done (3): Non-techie
• Glossary
• Questionnaire
• Dissemination
What we’re doing
• Further Zope-based VLE work
• Blackboard VLE
• Managerial documentation
• Further events
Future guides (1)
How to identify attributes, attribute stores
• Which attributes are useful
• Identifying stores
• Pros and cons of store types
Future guides (2)
A managerial guide to getting shib
• What skill set you need in your team
• Privacy & data protection issues
• Certificate provider issues
• Negotiating in a federation
What other people are doing
• SDSS – development federation
• AMIE – distributed attribute management
• PERSEUS – Shibboleth and portals
• GUANXI – Bodington VLE
• http://www.jisc.ac.uk/index.cfm?name=programme_middleware
Summary
• State of the art has drawbacks
• Shibboleth might address them
• Lots of work taking place
Questions