
Shibboleth access management: a replacement for Athens and more?

Mark Norman and Christian Fernau, OUCS, 21 June 2007


Presentation Transcript


  1. Shibboleth access management: a replacement for Athens and more?
     Mark Norman and Christian Fernau, OUCS, 21 June 2007

  2. This presentation
     • What is Shibboleth?
     • What it isn’t
     • A quick run through of a common example
     • The UK Federation
     • Privacy and the 4 attributes
     • Shibboleth in Oxford: the architecture
     • Questions

  3. What is Shibboleth?
     • “Shibboleth is a system designed to exchange attributes across realms for the primary purpose of authorisation”
     • Why is it called Shibboleth? Because it is access control where it matters what you are, rather than who you are
     • Judges 12:5-6 (the Gileadites seized the passages of the Jordan before the Ephraimites, who couldn’t pronounce “ear of wheat”)

  4. It’s easier to say what it isn’t!
     • It ISN’T about authentication management! (Authentication = the act of verifying that an electronic identity is being employed by the entity, person or process to whom it was issued.)
     • Shibboleth thinks that institutions should run their own authentication systems and others should trust those processes
     • It ISN’T about authorisation management! (Authorisation = associating rights or capabilities with a subject/person)
     • Other information about individuals (groups, status etc.) should be managed by the institution too!

  5. OK, in plain English…
     • It’s all about how to transmit the authorisation and role information from your home institution to outside service providers
     • And how those service providers can ask for that information
     • Access management and the communication of authorisation credentials
     • Aims:
       - separate authentication from authorisation
       - devolve authentication to the ‘home’ organisation
       - devolve the management of authorisation information as well

  6. Replacing Athens? In phases:
     • Mid 2007: Shibboleth enabled at Oxford (possibly without publicity)
     • Athens continues (free) until July 2008
     • Between mid 2007 and July 2008, Oxford users should be able to use Shibboleth or Athens to access on-line resources
     • After 2008 Athens may still be available but will require a subscription from Oxford

  7. Replacing Athens – the user's perspective
     • Now: users connect to a resource and type in their Athens username and password to gain access
     • Mid 2007: users can do the same thing for many (most?) resources using their Webauth username and password (actually the Webauth screens too); users can still use their Athens username and password
     • August 2008: Athens may be unavailable

  8. Some definitions
     • Identity Provider (IdP): your home institution (where you usually have a username/login)
     • Service Provider (SP): organisation/body providing a service (e.g. e-Journal)
     • WAYF (where are you from? service) [a type of IdP Discovery Service]: application/service that determines which IdP to send the user to

  9. Technically simple (SAML*)
     Shibboleth involves two types of exchanges:
     • AuthnRequest << >> AuthnAssertion: “Was authentication successful?”
     • AttributeRequest << >> AttributeAssertion: “I need to know... ...about this user.” / “This user has the following attributes...”
     * Security Assertion Markup Language

  10. What the user should see
     • The user goes to a resource
     • They are presented with log in options
     • They select the “UK Federation” or “Institutional sign on” etc. option

  11. What the user should see
     • The resource sends them to the “Where are You From” service
     • They say they are from Oxford

  12. What the user should see
     • They then see their familiar Webauth screen

  13. What the user should see
     • Then the usual Oxford confirmation...

  14. What the user should see
     • Possibly a holding screen for 2-3 seconds before the user sees...

  15. What the user should see
     • the resource they were trying to reach a few seconds ago
     • The next time they try to get to a resource...

  16. What the user should see
     • The next time they try to get to a resource...
     • They're almost straight in (no need to authenticate again) as there's a cookie kept in the browser.

  17. Trusting the SP, IdP etc.
     • All of these bodies trust each other (implicitly) as they all belong to the same Federation
     • A federation has a set of rules that everyone obeys, e.g. security policy for IdPs, privacy policies for SPs
     • A service provider (SP) can provide services for multiple federations
     • An institution such as Oxford (or its IdP) could belong to multiple federations too.

  18. The UK Federation
     • A group of member organisations who sign up to a set of rules (see next slides)
     • Is an independent body funded by Becta and JISC
     • Manages the trust relationships between members

  19. The UK Federation: Rules for IdPs
     • Provide data that is accurate and up-to-date
     • Comply with technical specifications
     • Observe good practice for configuration, operation, and security of service, exchange of data, private keys, ...
     • Must hold all licences and permissions required
     • Must not damage reputation of Federation
     • Give 'reasonable assistance' to investigate misuse

  20. The UK Federation: Rules for SPs
     • Must not disclose attributes to 3rd parties
     • Use attributes only for access control or presentation decisions (and only for the service that the user requested)...
     • ...or for generating aggregated anonymised usage statistics
     • SP is responsible for management of access rights: federation has no liability

  21. Chris: Privacy and the 4 attributes
     [Chris to add slides]

  22. Chris: Shib architecture at Oxford
     [Chris to add slides]

  23. Chris: DEMO????
     Christian – check out this page for other resources: http://ukfederation.org/content/Documents/AvailableServices
     (But I got:
       “Shibboleth Identity Provider Failure
        The inter-institutional access system experienced a technical failure. Please email root@localhost and include the following error message:
        Identity Provider failure at (/shibboleth-idp/SSO)
        org.opensaml.SAMLException: Invalid assertion consumer service URL.”)
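As an added example, not code from the presentation or from the Shibboleth project, here is the IdP-side check that produces a message like the “Invalid assertion consumer service URL” failure quoted above, applied to the AuthnRequest exchange from slide 9: before issuing an assertion, the IdP looks up the requesting SP in the federation metadata and refuses to send the assertion to any endpoint the SP did not register there. The SAML 2.0 element names, the entityIDs and URLs, and the metadata dictionary are all constructed for this illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for federation metadata: each SP entityID maps to the
# assertion consumer service (ACS) URLs it registered with the federation.
FEDERATION_METADATA = {
    "https://sp.example.org/shibboleth": {
        "https://sp.example.org/Shibboleth.sso/SAML2/POST",
    },
}

# Constructed AuthnRequest as an SP would send it to the IdP (hypothetical values).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0"
    IssueInstant="2007-06-21T10:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""


def check_authn_request(xml_text, metadata):
    """Return (ok, reason). The IdP only releases an assertion to an ACS URL that the
    federation metadata lists for the requesting SP; a request whose Issuer is not a
    federation member, or whose ACS URL is not registered for that Issuer, is refused
    so that the user's assertion (and attributes) never go to an unvetted endpoint."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return False, "not an AuthnRequest"
    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else ""
    acs = root.get("AssertionConsumerServiceURL", "")
    if issuer not in metadata:
        return False, "unknown SP entityID: %s" % issuer
    if acs not in metadata[issuer]:
        # This is the condition behind the error message quoted on the slide.
        return False, "Invalid assertion consumer service URL"
    return True, "ok"


if __name__ == "__main__":
    print(check_authn_request(AUTHN_REQUEST, FEDERATION_METADATA))
```

In a real deployment the metadata comes from the federation's signed metadata file rather than a dictionary, and the SP's signature on the request is verified as well; the endpoint check shown here is the part that fails when an SP's registered URL and its live configuration disagree.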

  24. Questions?
