Integrating Shibboleth with Enterprise Identity and Access Management (IAM) Systems - PowerPoint PPT Presentation

Integrating Shibboleth with Enterprise Identity and Access Management (IAM) Systems. Presentation available at: http://arch.doit.wisc.edu/keith/midnet ShibInteg-050609-01.ppt Keith Hazelton, hazelton@doit.wisc.edu Sr. IT Architect, University of Wisconsin-Madison Internet2 MACE




Integrating Shibboleth with Enterprise Identity and Access Management (IAM) Systems

Presentation available at:

http://arch.doit.wisc.edu/keith/midnet

ShibInteg-050609-01.ppt

Keith Hazelton, hazelton@doit.wisc.edu

Sr. IT Architect, University of Wisconsin-Madison

Internet2 MACE

MIDnet Spring Conference, June 10, 2005



Shibboleth v 1.2.1a Integration Overview

  • Identity Provider (Origin) Deployment, Integration

    • Authentication/Identifier Assertion Phase Components & Dependencies

    • Identity Attribute Assertion Phase

  • Service Provider (Target) Deployment, Integration

  • Two scenarios for each:

    • Shib “classic” e-Lib: accessing licensed resources

    • Shib federation across a state system: shared services


Basic IAM functions mapped to the NMI / MACE components

[Diagram: IAM functions (Reflect, Join, Provision, Credential, AuthN, WebISO, Affil. Mng., Priv. Mng., AuthZ, Deliver, Log) arranged across Systems of Record, Enterprise Directory, and Apps / Resources, with the NMI / MACE components Grouper, Signet, and Shibboleth mapped onto them.]


Identity Provider / (Origin)

[Diagram: Browser User, WAYF, Identity Provider (wasabi) with “HS” and Attribute Authority on Apache (1.3 or 2.0) / Tomcat web server / servlet container, and Service Provider (gari).]

Inspired by SWITCH (Swiss REN) HTTP://www.switch.ch/aai/demo/


Identity Provider / (Origin): AuthN, Identifier

[Diagram: Campus WebISO in front of the Identity Provider (wasabi): “HS” and Attribute Authority on Apache (1.3 or 2.0) / Tomcat web server / servlet container.]


WebISO requirements from Shib

[Diagram callout: Campus WebISO]

  • WebISO can authenticate a set of users based on locally issued/registered credentials

  • Open source WebISO package, PubCookie, mentioned in the “Origin” Deployment Guide.

  • For details & download, see

    http://middleware.internet2.edu/webiso/


WebISO alternatives

[Diagram callout: Campus WebISO]

  • But end-user PKI certs work fine, too (configurable filter)

  • And there are ways to support multiple AuthN methods with failover

    • “UW-Madison 2” InQueue IdP runs this configuration

    • End entity certificate with failover to LDAP basic auth.

    • See wasabiHttpd.conf, lines 1017 et seq.


Shib assumes Identity and Access Management (IAM) Services

[Diagram: Student, Human Resources and Other Systems of Record; Metadirectory Processes; Registry; LDAP Directory; Campus WebISO; together forming the Enterprise Directory infrastructure.]


Identity Provider Middleware

[Diagram: Campus WebISO and Enterprise Directory alongside the Identity Provider (wasabi): “HS” and Attribute Authority on Apache (1.3 or 2.0) / Tomcat web server / servlet container.]


Identity Provider / (Origin)

[Diagram (as on the earlier Identity Provider / (Origin) slide): Browser User, Identity Provider (wasabi) with “HS” and Attribute Authority on Apache (1.3 or 2.0) / Tomcat web server / servlet container, and Service Provider (gari).]


Identity Provider / (Origin): Attribute Assertion Phase

[Diagram: Browser User, Identity Provider with “HS” and Attribute Authority on Apache (1.3 or 2.0) / Tomcat web server / servlet container, and Service Provider; in this phase the Service Provider contacts the Attribute Authority.]


Identity Provider Middleware

[Diagram: Campus WebISO and Enterprise Directory alongside the Identity Provider’s “HS” and Attribute Authority on Apache (1.3 or 2.0) / Tomcat web server / servlet container.]



Attribute Authority (AA) <–> Ent. Directory

  • Shib AA Deployment Issues:

  • Configure AA to connect to Ent. Directory

    • Data connectors can be JNDI-based, JDBC-based (xml-configurable) or custom user plug-ins

  • Map Directory attributes to SAML attributes



Attribute Authority (AA) <–> Ent. Directory

  • Fragment of ..conf/origin.xml



Attribute Authority (AA) <–> Ent. Directory

  • Resolver links named attributes to specific data connectors:



Attribute Authority (AA) <–> Ent. Directory

  • …and specifies connector

    (here JNDI LDAP):



Attribute Authority (AA) <–> Ent. Directory

  • …and specifies connector

    (here JDBC SQL):



Attribute Authority (AA) <–> Ent. Directory

  • Shib AA Deployment Issues, cont.:

  • Comply with Attribute Release Policy (ARP) in determining which service providers get which attributes

    • Federation rules are given

    • Bilateral rules need to be worked out & agreed to
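As an added example (not from the presentation), a small Python model of the resolver and ARP steps described on the preceding slides: attributes are resolved from two constructed connectors and then filtered per Service Provider, with federation-wide rules as the default and bilateral rules layered on top. The attribute URNs, entity IDs, record values and the dict-based ARP format are assumptions for illustration, not Shibboleth's own configuration syntax.

```python
# Added example, not from the slides: a minimal model of the Shib 1.2 IdP
# attribute pipeline. The resolver maps a SAML attribute to (connector, source
# attribute); the Attribute Release Policy (ARP) then decides per service
# provider (SP) what leaves the IdP: federation rules are the default, bilateral
# rules layer on top, and anything without a rule is withheld (constructed data).
EPSA, MAIL, ENT = ("urn:mace:dir:attribute-def:" + n for n in
                   ("eduPersonScopedAffiliation", "mail", "eduPersonEntitlement"))

# Resolver: SAML attribute name -> (data connector id, source attribute)
RESOLVER = {EPSA: ("ldap", "eduPersonScopedAffiliation"),
            MAIL: ("ldap", "mail"), ENT: ("sql", "entitlement")}

# Constructed records as a JNDI LDAP and a JDBC SQL connector would return them
CONNECTORS = {
    "ldap": {"uid": ["jdoe"], "mail": ["jdoe@example.edu"],
             "eduPersonScopedAffiliation": ["student@example.edu"]},
    "sql": {"entitlement": ["urn:mace:example.edu:entitlement:library",
                            "urn:mace:example.edu:entitlement:payroll"]},
}

LIBRARY, PORTAL = "https://sp.library.example.org/shibboleth", "https://portal.example.edu/shibboleth"
# ARP: "*" holds federation-wide rules; an SP entity ID holds bilateral rules.
# A rule of "*" releases every value; a set releases only the listed values.
ARP = {
    "*": {EPSA: "*"},
    LIBRARY: {ENT: {"urn:mace:example.edu:entitlement:library"}},
    PORTAL: {MAIL: "*"},
}

def resolve(resolver=RESOLVER, connectors=CONNECTORS):
    """Collect each SAML attribute's values from its data connector."""
    attrs = {}
    for saml_name, (connector, source) in resolver.items():
        values = connectors.get(connector, {}).get(source, [])
        if values:
            attrs[saml_name] = list(values)
    return attrs  # uid never appears: it has no resolver entry

def release(attrs, sp, arp=ARP):
    """Apply federation rules, then the SP's bilateral rules; default deny."""
    rules = dict(arp.get("*", {}))
    rules.update(arp.get(sp, {}))
    released = {}
    for saml_name, values in attrs.items():
        allowed = rules.get(saml_name)
        if allowed is None:
            continue  # no rule for this SP: the attribute is withheld
        kept = values if allowed == "*" else [v for v in values if v in allowed]
        if kept:
            released[saml_name] = kept
    return released
```

Note that the payroll entitlement never reaches the library SP even though the directory holds it: the bilateral rule lists only the value the SP was agreed to receive.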



Attribute Authority (AA) <–> Ent. Directory

  • Ah, yes, data access policy

  • This may drag stakeholders kicking & screaming into the room to confront policy

  • How you manage this will be key to successful deployment

  • The “DON’T PANIC” in big friendly letters on the InCommon Book may help



Attribute Authority (AA) <–> Ent. Directory

  • Shib can transport any attribute--it’s up to sender and receiver to agree on its semantics

    • “Simple matter of configuration”

  • Some of the newer attributes

    • eduPersonTargetedID if you want a persistent identifier, but one that is specific to a given Identity Provider-Service Provider pair

    • Course-related attributes: a URN-based identifier guideline for course offerings is nearly done; eduCourse is currently in last call.
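An added illustration (not from the presentation) of the eduPersonTargetedID property just described: an identifier that persists for one Identity Provider-Service Provider pair but differs across Service Providers, so two services cannot correlate the same user by it. The keyed-hash construction, scope suffix, secret and names are this example's assumptions, not the algorithm of a specific Shibboleth release.

```python
import hashlib
import hmac

# Added example, not from the slides: eduPersonTargetedID as a persistent but
# pairwise identifier. It is derived from a secret held only by the IdP, the
# SP's entity ID and the local principal, so it stays the same for one IdP-SP
# pair, differs between SPs, and cannot be turned back into the principal.
# HMAC-SHA256 plus a scope suffix is this example's construction, not the exact
# algorithm of any Shibboleth release; secret, scope and names are constructed.
IDP_SECRET = b"constructed-idp-secret-replace-in-real-deployments"
IDP_SCOPE = "example.edu"

def targeted_id(principal, sp_entity_id, secret=IDP_SECRET, scope=IDP_SCOPE):
    """Opaque identifier for (principal, SP); the SP only ever sees this value."""
    msg = f"{sp_entity_id}!{principal}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{digest[:40]}@{scope}"

def demo():
    """Check the three properties: persistent, pairwise, and per-user distinct."""
    library = "https://sp.library.example.org/shibboleth"
    portal = "https://portal.example.edu/shibboleth"
    first_login = targeted_id("jdoe", library)
    later_login = targeted_id("jdoe", library)   # same user, same SP, later session
    other_sp = targeted_id("jdoe", portal)       # same user, different SP
    other_user = targeted_id("asmith", library)  # different user, same SP
    return {
        "persistent": first_login == later_login,
        "pairwise": first_login != other_sp,     # the two SPs cannot link jdoe
        "distinct_users": first_login != other_user,
    }
```

Rotating or losing IDP_SECRET changes every identifier at once, which is why the secret must be backed up and protected like a signing key.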


Service Provider / (Target)

[Diagram: Browser User, Service Provider (gari) on Apache (1.3 or 2.0) / Tomcat web server / servlet container or IIS 5.x or 6, and Identity Provider (wasabi).]



Shib Features for Service Providers

  • WAYF for federations, other options configurable

  • Authentication method can be passed in attribute assertion for fine tuning risk management

  • A site may have a public face with specific links that invoke Shib



Services you might not have thought of Shibbing

  • Roaming Access to WLAN

  • http://www.terena.nl/conferences/tnc2004/programme/presentations/show.php?pres_id=165

  • Mikael Linden, CSC, the Finnish IT center for Science

  • RADIUS-based access controller is a Shibboleth service provider

  • Network access control decision based on user’s “home” attributes



Services you might not have thought of Shibbing

  • Portal as Shib Service

  • Apache in front of Portal on Tomcat

  • Other approaches under consideration



Coming Shib Features for Service Providers

  • PKI-based direct-to-target scenario

  • Cert would contain

    • (possibly opaque) subject id

    • Identifier for associated Identity Provider

    • Would eliminate the first several steps in the classic Shib flow diagram

    • First Service Provider contact to Identity Provider would be the request for attributes

  • Lots of points of agreement to be worked out


Multi-campus system deployment model 1

[Diagram: CampusA, CampusB, CampusC, CampusD and CampusE each run their own IdProv; CampusB Service Provider on Apache (1.3 or 2.0) / Tomcat web server / servlet container or IIS 5.x or 6; Browser User.]



Multi-campus system deployment model 1

  • Identity Provider per campus (vs. System IdP model)

  • Create a system federation (some policy & configuration work here)

  • Any campus can put up Shibbed service

  • Or a system library can offer system-licensed resources

  • Each campus retains control of Identity Management--high autonomy model


Multi-campus system deployment model 2

[Diagram: System-level Identity Provider backed by CampusA Dir, CampusB Dir and CampusC Dir; four Service Providers; Browser User.]



Multi-campus system deployment model 2

  • System-level Identity Provider model

  • Significant campus-to-system metadirectory infrastructure

  • Create a system federation (some policy & configuration work here)

  • Any campus can put up Shibbed service

  • Or a system library can offer system-licensed resources

  • More seamless “system citizen” experience



Coming: Shib breaks free of the browser

  • A number of open source projects are exploring this space

  • A pure Java implementation of Service Provider components of Shibboleth (now in beta) will really open the door



Q & A

  • Which of these issues seem tough to you?

