
Shibboleth On-line Authentication System



Presentation Transcript


  1. Shibboleth On-line Authentication System Jon Browne Senior Consultant Drew Heald BSc (Hons), MPhil, MCP Systems Developer IBIS Business Consultants Ltd

  2. Accessing a Web Resource (diagram: Client sends a Request to a Server on the WWW and receives a Response)
  • Client user accesses a free resource
  • Client user is authenticated via a username and password to access a protected resource
  • Client user is responsible for setting up that account

  3. Web Resources for Education
  • Educational establishments subscribe to resources on behalf of many users
  • Parts of a given resource may only be accessible by some of the users in a given educational establishment
  • The resources to which a given user has access change periodically

  4. Authentication (diagram)
  • The School authenticates its students against its own Directory/Database of student data
  • The Resource performs authorisation: parts are available to all, to year 3 and above, or to year 6 and above
  • Both the School and the Resource hold a Directory/Database of student data

  5. Authentication: Common Issues
  • Exposure of personal information
  • High administrative burden
  • Lack of traceability
  • Password leakage
  • Many passwords problem
  • Resource accessibility is restricted
  • Complicated to use

  6. Shibboleth aims to:
  • Ensure no personal information is exposed unless necessary
  • Minimise the number of passwords a user needs to remember
  • Minimise the administrative burden
  • Enable user traceability
  • Be transparent to the user
  • Enable access from any location

  7. Shibboleth User Authentication (components on the diagram)
  • LEA/RBC (Origin): Handle Service, User Authentication, User Attributes (LDAP/SQL), Attribute Authority
  • Resource (Target): SHIRE, SHAR, Resource(s)
  • WAYF: lists the origins a user can choose from (Bash Street, St Trinians, Hogwarts, LGfL, Oxford …)

  8. Shibboleth User Authentication (first request; numbered arrows on the diagram)
  • 1. Request URL (browser to the target's SHIRE)
  • 2. Request URL + SHIRE URL (SHIRE redirects the browser to the WAYF)
  • 3. Request URL + SHIRE URL (WAYF redirects to the chosen origin's Handle Service)
  • 4. Username + password (user authentication at the origin)
  • 5. Request URL + Handle + AA URL (Handle Service to browser)
  • 6. Request URL + Handle + AA URL (browser to SHIRE)
  • 7. Request URL + Handle (SHIRE to SHAR)
  • 8. Handle returns User ID (the Attribute Authority resolves the handle to a user)
  • 9. User Attributes (read from the LDAP/SQL store)
  • 10. Request URL + User Attributes (passed to the Resource)
  • 11. User Attributes (Attribute Authority to SHAR)

  9. Shibboleth User Authentication: subsequent request URL, same domain
  • SHIRE has cached session & handle = OK
  • SHAR has cached attributes = OK
  • No further contact with the origin (Handle Service, User Authentication, Attribute Authority) is needed

  10. Shibboleth User Authentication: subsequent request URL, different domain
  • SHIRE has cached session & handle = OK
  • SHAR has no cached attributes for the new domain, so it asks the AA: Request New Domain Attributes; Handle returns User ID; Return New Domain Attributes
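The exchange on slides 7 to 10, worked through as an added Python simulation (this is not code from the presenters or from the Shibboleth project). The user store, the per-domain attribute release policy, the minimum-year authorisation rules, the resource domains and the WAYF (modelled as a plain mapping from school to origin) are all constructed for the example; the message labels follow the slide's numbered arrows. A real deployment carries these messages as signed SAML assertions over TLS; the simulation models only the flow, the opaque handle, and the SHIRE session cache and SHAR attribute cache that slides 9 and 10 describe.

```python
"""Simulation of the Shibboleth 1.x exchange on slides 7-10 (added example)."""
import secrets

# Constructed user store: the origin's LDAP/SQL directory. Hypothetical accounts.
USER_STORE = {
    "alice": {"password": "alice-pw", "school": "Bash Street", "year": 7},
    "bob": {"password": "bob-pw", "school": "Bash Street", "year": 2},
}

# Constructed release policy: which attributes the AA releases to which resource
# domain. The password is never listed, so it can never leave the origin.
RELEASE_POLICY = {
    "journals.example.net": ["school", "year"],
    "archive.example.net": ["year"],
}

# Constructed authorisation rule at the target: minimum school year per resource
# (slide 4: "year 3 and above", "year 6 and above").
MIN_YEAR = {"journals.example.net": 3, "archive.example.net": 6}


class Origin:
    """Handle Service (HS) and Attribute Authority (AA) of one LEA/RBC."""

    def __init__(self, name, user_store, release_policy):
        self.name = name
        self.users = user_store
        self.release_policy = release_policy
        self.handles = {}  # opaque handle -> username, known only to the HS

    def authenticate(self, username, password):
        """Step 4: check the credentials; step 5: issue an opaque handle."""
        user = self.users.get(username)
        if user is None or user["password"] != password:
            return None
        handle = secrets.token_hex(16)  # random; carries no personal information
        self.handles[handle] = username
        return handle

    def attributes(self, handle, domain):
        """Steps 8-9: resolve the handle, release only what the policy allows."""
        username = self.handles.get(handle)
        if username is None:
            return None
        allowed = self.release_policy.get(domain, [])
        return {k: v for k, v in self.users[username].items() if k in allowed}


class Target:
    """SHIRE (session cache) and SHAR (attribute cache) serving several resources."""

    def __init__(self, wayf, min_year):
        self.wayf = wayf            # school name -> Origin, as the WAYF maps it
        self.min_year = min_year
        self.sessions = {}          # browser cookie -> (origin, handle)   SHIRE cache
        self.attr_cache = {}        # (handle, domain) -> attributes       SHAR cache

    def access(self, browser, domain, credentials=None):
        """Run one request; return outcome, message trace and released attributes."""
        trace = []
        session = self.sessions.get(browser.get("cookie"))
        if session is None:
            trace += ["1. Request URL", "2. Request URL + SHIRE URL (to WAYF)",
                      "3. Request URL + SHIRE URL (to Handle Service)",
                      "4. Username + password"]
            origin = self.wayf[browser["home"]]
            handle = origin.authenticate(*(credentials or ("", "")))
            if handle is None:
                return {"outcome": "authentication failed", "trace": trace, "attributes": None}
            trace += ["5. Request URL + Handle + AA URL (to browser)",
                      "6. Request URL + Handle + AA URL (to SHIRE)"]
            browser["cookie"] = secrets.token_hex(8)   # SHIRE session cookie
            session = self.sessions[browser["cookie"]] = (origin, handle)
        else:
            trace.append("1. Subsequent Request URL: SHIRE has cached session & handle")
        origin, handle = session
        trace.append("7. Request URL + Handle (to SHAR)")
        attrs = self.attr_cache.get((handle, domain))
        if attrs is None:   # slide 10: no cached attributes for this domain, ask the AA
            trace += ["8. Handle returns User ID", "9. User Attributes (AA to SHAR)"]
            attrs = self.attr_cache[(handle, domain)] = origin.attributes(handle, domain)
        else:               # slide 9: same domain, SHAR answers from its cache
            trace.append("SHAR has cached attributes")
        trace.append("10. Request URL + User Attributes (to resource)")
        granted = attrs.get("year", 0) >= self.min_year[domain]
        return {"outcome": "granted" if granted else "denied",
                "trace": trace, "attributes": attrs}


def demo():
    """Three requests by one browser: first visit, same domain again, different domain."""
    origin = Origin("Bash Street LEA", USER_STORE, RELEASE_POLICY)
    target = Target({"Bash Street": origin}, MIN_YEAR)
    alice = {"home": "Bash Street"}
    first = target.access(alice, "journals.example.net", ("alice", "alice-pw"))
    same = target.access(alice, "journals.example.net")
    other = target.access(alice, "archive.example.net")
    return first, same, other
```

`demo()` shows the three cases the slides separate: the first request carries the full eleven-step exchange, the second request to the same domain touches neither the Handle Service nor the AA, and the request to a different domain reuses the SHIRE session but goes back to the AA and receives a different (here smaller) attribute set. In every case the resource sees only the attributes the release policy names, never the username or password, which is the "exposure of personal information under user's control" point of slide 12.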

  11. Shibboleth User Authentication via a Portal (diagram: the same Origin and Target components as slide 7, with a Portal in the place of the WAYF)
  • LEA/RBC (Origin): Handle Service, User Authentication, User Attributes (LDAP/SQL), Attribute Authority
  • Resource (Target): SHIRE, SHAR, Resource(s)

  12. Shibboleth User Authentication: Pros and Cons
  Pros
  • Low administrative burden
  • Exposure of personal information under user's control
  • Same identity for all resources
  • User traceability
  • Resources can be accessed from any location
  Cons
  • (Possible) multi-stage authentication

  13. Shibboleth Demonstration (diagram with arrows 1 to 7 between the components)
  • Browser
  • Shibboleth Target: Windows 2003 Server, IIS 6.0
  • WAYF Service: Windows 2003 Server, IIS 6.0
  • Shibboleth Origin: Windows XP Pro, Apache Server 2.0.49
  • LDAP Directory (Active Directory): Windows 2003 Server

  14. Shibboleth Demonstration (diagram with arrows 1 to 7 between the components)
  • Browser
  • Shibboleth Target: Windows 2003 Server, IIS 6.0
  • WAYF Service
  • Shibboleth Origin: Windows 2003 Server, Apache Server 2.0.49
  • LDAP Directory (Active Directory)

  15. Shibboleth http://shibboleth.internet2.edu “Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand.” Judges 12:6
