1 / 121

Web based single sign on

Caleb Racey, Web development officer, Webteam, customer services, ISS IAMSECT project officer, http://iamsect.ncl.ac.uk Systems admin (focusing on SSO). Web based single sign on. Agenda. The need for SSO Shibboleth Theory Technology overview How it works Practicalities

cili
Download Presentation

Web based single sign on

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Caleb Racey, Web development officer, Webteam, customer services, ISS IAMSECT project officer, http://iamsect.ncl.ac.uk Systems admin (focusing on SSO) Web based single sign on

  2. Agenda • The need for SSO • Shibboleth Theory • Technology overview • How it works Practicalities • How to install it • What to do afterwards

  3. Shibboleth Theory • The need for single sign on (SSO) • User perspectives • Admin perspectives • The future of SSO • Shibboleth • What it is • How it works

  4. The need for web SSO Proliferation of web based systems VLEs (Blackboard, Zope, webCt, Moodle) Library cataloguesWebmailePortfolios eJournals and eResources Grid etc etc

  5. The need for web SSO Proliferation of password stores in an institute: Campus login Library login Medical school login Comp Sci Login Athens Lack of integration even when one username and password still many logins Users and administrators overburdened

  6. User Survey Quantify burden on Users 200+ participants iPod shuffle prize 1 winner =

  7. Users overload, Survey says:

  8. Users overload, Survey says:

  9. Users overload, Survey says:

  10. Users overload, Survey says:

  11. Users overload, Survey says:

  12. Summary of survey Users overloaded with different passwords and overloaded with login prompts Half are using best practise with passwords Half are not! Current web username and password provision needs improvement.

  13. Administering a password system Easy to setup, the pain comes later once people use it: Technical pain • Securing the system • Backing up the system • Clustering the system • Administering the system

  14. Administering a password system • Management pain • Adding new users • Expiring old users • Changing passwords • Distributing passwords • Ensuring “proper” passwords used

  15. Real world example

  16. Real World example

  17. Real World example

  18. Summary • User are overloaded with authentication tokens already • There is explosive growth in the use of username and passwords • Administering usernames and passwords is painful and expensive.

  19. The Solution One university password store: • One password to remember • One set of admins • One set of infrastructure • One education effort In Ncl: pre-existing Campus username and password - stable, robust well resourced For the Web Web Sign On and Shibboleth

  20. Shibboleth Why the daft name? Shibboleth: And the Gileadites seized the passages of the Jordan before the Ephraimites; and it was so, that when those Ephraimites who had escaped said, "Let me go over," that the men of Gilead said unto him, "Art thou an Ephraimite?" If he said, "Nay," then said they unto him, "Say now 'Shibboleth.'" And he said "Sibboleth," for he could not frame to pronounce it right. Then they took him and slew him at the passages of the Jordan; and there fell at that time of the Ephraimites forty and two thousand. (Judges 12:5-6, King James Version of the Bible) i.e. The first recorded use of a password

  21. Shibboleth Federated Single Sign on standard from American Unis via Internet2 Based on SAML (Security Assertion Markup Language) Summary: Athens and Microsoft passport functionality combined with added privacy

  22. What you need to know about shibboleth • How it works • What attributes are • What federations are • Your Identity stays at home • Privacy sensitive by default Terminology Identity provider (IdP): The password store e.g. ncl Service provider (SP): The application owner e.g. ejournal

  23. The core concepts of shib • Usable for on and off campus resources • A user is authenticated at “home” • Home knows who and what a user is • Service providers make access decision based on what a user is • Service providers should only know the minimum about a user Builds on top of pre-existing sign on (pubcookie)

  24. Core concepts of shib (technical) • User redirected to home to authenticate and redirected back once authenticated. • Authorisation is based on attribute description of a user sent between the two servers in the background • Federations are used to group together service providers and institutes who can agree to the same rules

  25. What the user sees

  26. User attempts to access Service

  27. User redirected to ‘WAYF’

  28. https://wayf.sdss.ac.uk/shibboleth-wayf/...

  29. User selects their Identity Provider

  30. https://weblogin.ncl.ac.uk/cgi-bin/index.cgi

  31. IdP authenticates User Active Directory

  32. User redirected back to Service Active Directory

  33. https://shib.ncl.ac.uk/shibboleth/HS?...

  34. User accesses Service Active Directory

  35. http://bruno.dur.ac.uk/

  36. Shib for unfederated apps WAYF is transparent and optional Active Directory

  37. Shibboleth “Shibboleth, is a bit like the duck which moves serenely through the water, but is paddling furiously beneath the surface.” - Derek Morrison, the Auricle

  38. 1 User accesses protected resource... ...user is redirected to their home institution for authentication... 2 3 ...credentials and agreed information passed back to service provider. Shibboleth Process Simplified

  39. Benefits of shib • Federated access control ! • Allows access control based on attributes i.e. enhanced authorisation • Allows “secure” access control over http and https • Prevents application developer from having to worry about login process

  40. Demonstration (live) • EDINA EMOL • SDSS federation WAYF

  41. Attributes Attributes are what shib uses to authorise. • Descriptive information about a user • Can technically be any descriptive text e.g. has green eyes Privacy sensitivities mean external attributes limited Internal attributes not so limited

  42. How to identify useful attributes (theory) • the attributes that are required by the web application; • your institutes privacy policy; • which attributes you can collect in a timely and scalable manner;

  43. Identifying attribute (reality) • Type and format will be decided by the federation you join • Different Federations still likely to use the same standards • You are not limited by federation, it is just there for convenience

  44. Attribute identification (detail) For external consumption current attribute use is limited to a dull but useful core One major attribute standard in real use at present: EduPerson One current seriously used attribute: edupersonScopedAffiliation

  45. eduPersonScopedAffiliation • MACE-Dir eduPerson attribute • Example: member@ed.ac.uk • Gives subject’s relationship to an institute • At present can be one of:member, student, employee, faculty, staff, alum, affiliate. • Many resources licensed on these terms • “member” is all providers want to know for now

  46. Attribute identification (detail) Several more contemplated: • eduPersonPrincipalName • eduPersonTargetedID • Given name • Surname • Common name • eduPersonEntitlement

  47. eduPersonPrincipalName MACE-Dir eduPerson attribute Examples: • ncr18@ncl.ac.uk, caleb.racey@ncl.ac.uk • Equivalent to username • Must be long lived and non recycled • Must be unique

  48. eduPersonEntitlement • MACE-Dir eduPerson attribute • Examples: • http://provider.co.uk/resource/contract.html • urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted • states user’s entitlement to a particular resource • Service provider must trust identity provider to issue entitlement • Good fine grained fall-back approach.

  49. eduPersonTargetedID • MACE-Dir eduPerson attributeExample: sObw8cK@ncl.ac.uk • A persistent user pseudonym, specific to a given service, intended to enable personal customisation • Value is an uninformative but constant • Allows personalisation and saved state without compromising privacy…much • Issues about stored vs. generated forms In flux at the moment

  50. Attribute use in the Real world SDSS usage for Edina resources: eduPersonScopedAffiliation: Biosis, EMOL, Times archive, EIG, Zetoc Alert, Zetoc Search, Hairdressing eduPersonTargetId Zetoc search eduPersonPrincipalName: LandMap

More Related