
Shibboleth and TAGPMA

Michael Helm, DOEGrids/ESnet, 27 Mar 2006

Presentation Transcript


  1. Shibboleth and TAGPMA
  Michael Helm, DOEGrids/ESnet
  27 Mar 2006

  2. What is Shibboleth?
  • Standard Internet2 description:
    • Architecture
    • Project
    • Codebase
    • http://shibboleth.internet2.edu
  • Offshoots
    • InCommon – Federation (one of many)
    • GridShib – Grid & Shibboleth Integration
    • SAML – transport
  27 Mar 2006 Shibboleth

  3. What is Shibboleth?
  Judges 12:6 (KJV): Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand.
  Judges 12 (the slide's Spanish rendering, translated): Then they said to him, "Say, then, the word Shibboleth"; but he said "Sibboleth", because he could not pronounce it correctly. Then they seized him and killed him at the fords of the Jordan. And on that occasion forty-two thousand of the Ephraimites fell.

  4. Why is Shibboleth Important?
  • US: Internet2's "long bet" on Authentication and Authorization
    • Note: Internet2 is the largest US NREN: 200+ universities, multiple layers of projects, optical networking, etc.
    • Relationship with ESnet, NASA, etc.
  • US Higher Education federation
  • Other NRENs
  • There are other AAA projects
  • Other: US Government
  • Whether all these federations can interoperate

  5. Shibboleth Architecture
  • Next set of slides from I2 (Michael Gettes et al.), used for illustration
  • Illustration probably from SWITCH

  6. Shibboleth Architecture
  • Handle Service
    • Yields a "Handle token": a SAML authentication assertion, i.e. a bearer credential
    • Neutral with respect to the authentication method (e.g. LDAP)
  • Attribute Authority
    • The AA is presented with a Handle Token and returns the appropriate attributes for this user
  • Target Resource (Service Provider)
    • Must find the user's institution and understand the appropriate attributes
  • WAYF
    • External service used to find the home institution

  7. Shibboleth Architecture
  • Next set of slides from I2 (Michael Gettes et al.), used for illustration
  • Illustration probably from SWITCH

  8. Shibboleth AA Process
  (Diagram: WAYF; Identity Provider with Handle Service (HS), User DB and Attribute Authority (AA); Service Provider with ACS, Resource Manager, Attribute Requester (AR) and the Web Site Resource. Numbered steps as labelled in the figure:)
  1. The user requests the resource at the Service Provider.
  2. SP: "I don't know you. Not even which home org you are from. I redirect your request to the WAYF."
  3. WAYF: "Please tell me where you are from?"
  4. WAYF: "OK, I redirect your request now to the Handle Service of your home org."
  5. HS: "I don't know you. Please authenticate using WEBLOGIN."
  6. The user presents credentials; the HS checks them against the User DB.
  7. HS: "OK, I know you now. I redirect your request to the target, together with a handle." (The handle arrives at the SP's ACS.)
  8. Resource Manager: "I don't know the attributes of this user. Let's ask the Attribute Authority." (The AR sends the handle to the AA.)
  9. AA: "Let's pass over the attributes the user has allowed me to release."
  10. SP: "OK, based on the attributes, I grant access to the resource."
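The exchange on slides 6 and 8 (handle issued by the Handle Service, handle resolved to attributes by the Attribute Authority under the user's release policy, access decision at the Service Provider) is modelled below as an added example. It is not code from the slides or from the Shibboleth project: real Shibboleth 1.x carries SAML 1.1 assertions over HTTP redirects and SOAP, which this replaces with direct calls, and the class names, attribute names, URLs and users are assumptions. The point it adds to the slide is what a bearer "handle token" has to look like to be safe: opaque, bound to the SP it was issued for, and short-lived.

```python
import secrets

HANDLE_TTL_SECONDS = 300  # assumption: short-lived, like a SAML assertion validity window

# Constructed sample data (not from the slides): one campus user whose attribute
# release policy (ARP) releases different attributes to different service providers.
USER_DB = {
    "alice": {
        "password": "correct-horse",
        "attributes": {
            "eduPersonPrincipalName": "alice@example.edu",
            "eduPersonScopedAffiliation": "member@example.edu",
            "eduPersonEntitlement": "urn:mace:example.edu:journal-access",
            "mail": "alice@example.edu",
        },
        "arp": {
            "https://journal.example.org/shibboleth": {"eduPersonScopedAffiliation", "eduPersonEntitlement"},
            "https://wiki.example.org/shibboleth": {"eduPersonPrincipalName", "mail"},
        },
    }
}


class HandleService:
    """Authenticates the user (any method in real Shib, e.g. LDAP) and issues a handle."""

    def __init__(self, user_db, clock):
        self._db = user_db
        self._clock = clock      # callable returning seconds; injectable so expiry can be tested
        self._issued = {}        # handle -> (principal, audience, expiry)

    def authenticate(self, user, password, audience):
        rec = self._db.get(user)
        if rec is None or not secrets.compare_digest(rec["password"], password):
            return None
        handle = secrets.token_urlsafe(32)  # opaque: carries no information about the user
        self._issued[handle] = (user, audience, self._clock() + HANDLE_TTL_SECONDS)
        return handle

    def resolve(self, handle, requester):
        entry = self._issued.get(handle)
        if entry is None:
            return None
        user, audience, expiry = entry
        # A bearer token must be bound to the SP it was issued for and expire quickly;
        # otherwise whoever captures it can present it anywhere, indefinitely.
        if requester != audience or self._clock() > expiry:
            return None
        return user


class AttributeAuthority:
    """Turns a handle back into attributes, filtered by the user's ARP for the requesting SP."""

    def __init__(self, handle_service, user_db):
        self._hs = handle_service
        self._db = user_db

    def query(self, handle, requester):
        user = self._hs.resolve(handle, requester)
        if user is None:
            return None
        rec = self._db[user]
        released = rec["arp"].get(requester, set())  # no ARP entry: release nothing
        return {k: v for k, v in rec["attributes"].items() if k in released}


class ServiceProvider:
    """Decides on released attributes only; it learns the principal name only if the ARP releases it."""

    def __init__(self, entity_id, required_entitlement, aa):
        self.entity_id = entity_id
        self._required = required_entitlement
        self._aa = aa

    def access(self, handle):
        attrs = self._aa.query(handle, self.entity_id)
        if attrs is None:
            return "deny: handle not valid for this service provider"
        if attrs.get("eduPersonEntitlement") == self._required:
            return "permit"
        return "deny: required entitlement not released"


def run_demo():
    now = [1_000_000.0]  # fake clock so the demo can fast-forward past expiry
    hs = HandleService(USER_DB, clock=lambda: now[0])
    aa = AttributeAuthority(hs, USER_DB)
    journal = ServiceProvider("https://journal.example.org/shibboleth",
                              "urn:mace:example.edu:journal-access", aa)
    wiki = ServiceProvider("https://wiki.example.org/shibboleth",
                           "urn:mace:example.edu:journal-access", aa)
    results = {"bad_password": hs.authenticate("alice", "wrong", journal.entity_id)}
    # Slide 8, steps 5-7: WebLogin at the home org, handle delivered to the journal SP.
    handle = hs.authenticate("alice", "correct-horse", journal.entity_id)
    results["released_to_journal"] = aa.query(handle, journal.entity_id)   # steps 8-9
    results["journal_decision"] = journal.access(handle)                    # step 10
    results["replay_to_wiki"] = wiki.access(handle)      # same handle, different audience
    now[0] += HANDLE_TTL_SECONDS + 1
    results["after_expiry"] = journal.access(handle)     # validity window has passed
    return results
```

Running `run_demo()` shows the privacy property from slide 12: the journal SP gets affiliation and entitlement but never `eduPersonPrincipalName`, while the same handle is refused when replayed to the wiki SP or after the validity window.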

  9. From Shibboleth Arch doc
  (Figure: Origin / Target)

  10. From Shibboleth Arch doc
  (Figure: Origin / Target)

  11. Shibboleth Limitations
  • Limited IdP
    • The Identity Provider does all the work
    • What about distributed authorization?
    • Attribute Authority, authentication and authorization are often linked together, which requires strong trust in the IdP
  • Limited deployment (web only)
  • Grid incompatibility
  • Focused on enterprises
  • Marketing limitation
  • Many of these issues are being addressed...

  12. Shibboleth Strengths
  • Privacy
    • The Grid story here is chaotic, but mostly there is none
  • Standardization
  • Relatively open development process
  • Marketing
    • US Higher Ed
    • Non-US: Higher Ed & NRENs
    • US Government
  • Well supported, and development continues

  13. GridShib (NCSA)
  • NSF funded, development centered at NCSA
    • Argonne National Lab (ANL), Globus, University of Chicago
  • Really, Shibboleth->Grid
    • Enable use of some Shibboleth attributes in a Grid context
    • Replace the Shibboleth "Handle token" with a PKI credential
    • Using XACML
  • Next 3 slides from the NCSA GridShib overview

  14. The GridShib picture
  (Diagram: User, Grid Service, Campus Shibboleth. Steps as labelled in the figure:)
  (0) Attribute Release Policy, set at the Campus
  (1) Grid Authentication: User to Grid Service
  (2) Shib Attribute Request: Grid Service to Campus Shibboleth
  (3) Attributes returned to the Grid Service
  (4) Attribute-based authorization at the Grid Service

  15. GridShib Integration Principles
  • No modification to typical grid client applications
  • Leverage Shibboleth's attribute administration and end-user maintenance of attribute release policies
  • Leverage high-quality Campus Identity Provider operations
  • Leverage high-quality Shib and Grid software

  16. GridShib Challenges
  • Use of an identifier in the X.509 certificate as the subject handle for use by the Shib Attribute Authority (SAA)
    • Shibboleth v1.3 should handle this
    • Name mapping has proved challenging
    • Focusing on MyProxy to solve? An IdP function?
  • Allowing VOs to define attributes meaningful to them
  • Attribute Authority identification
    • The "Where Are You From" problem
  • Plumbing interconnect
  • Translating requirements into meaningful authorization policy
  • Supporting pseudonymity (a Shibboleth requirement)
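The GridShib flow on slides 14 and 16 (X.509 subject as the handle, name mapping to a campus identity, VO-defined attributes, attribute-based authorization) is sketched below as an added example. It is not GridShib's or Globus's code: the DNs, attribute names, policy rules and the first-applicable combining rule are assumptions, and the policy is a deliberately small stand-in for the XACML slide 13 mentions. Real deployments verify the certificate chain first; this starts from an already-verified subject DN string.

```python
# Step (1) of slide 14 is assumed done: the grid service has the caller's verified
# X.509 subject DN in OpenSSL one-line form, e.g. "/DC=org/DC=doegrids/OU=People/CN=Alice".
def parse_dn(dn):
    """Split an OpenSSL-style DN into (type, value) pairs; invalid components raise."""
    components = []
    for part in dn.split("/"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        attr_type, value = part.split("=", 1)
        components.append((attr_type.strip(), value.strip()))
    return components

# Constructed data (not from the slides). Name mapping is the slide-16 challenge:
# the campus Attribute Authority knows principals, the grid knows DNs.
NAME_MAP = {
    "/DC=org/DC=doegrids/OU=People/CN=Alice Example 12345": "alice@example.edu",
    "/DC=org/DC=doegrids/OU=People/CN=Bob Example 67890": "bob@example.edu",
}

# Campus AA: multi-valued attributes per campus principal (step (2)/(3)).
CAMPUS_AA = {
    "alice@example.edu": {"eduPersonScopedAffiliation": {"member@example.edu"}},
    "bob@example.edu": {"eduPersonScopedAffiliation": {"affiliate@example.edu"}},
}

# VO attribute authority, keyed on the grid DN: VO-defined attributes (assumption:
# a VOMS-like source that keys on the certificate subject rather than the campus name).
VO_AA = {
    "/DC=org/DC=doegrids/OU=People/CN=Alice Example 12345": {"voRole": {"vo:climate:analyst"}},
}

def merge_attributes(*sources):
    merged = {}
    for src in sources:
        for name, values in src.items():
            merged.setdefault(name, set()).update(values)
    return merged

# XACML-like policy: each rule matches when every listed attribute has at least one
# acceptable value. Rules are evaluated first-applicable; no match is Deny (closed world).
POLICY = [
    {"effect": "Deny",   "match": {"eduPersonScopedAffiliation": {"affiliate@example.edu"}}},
    {"effect": "Permit", "match": {"eduPersonScopedAffiliation": {"member@example.edu", "staff@example.edu"},
                                   "voRole": {"vo:climate:analyst", "vo:climate:admin"}}},
]

def evaluate(policy, attributes):
    for rule in policy:
        if all(attributes.get(name, set()) & acceptable for name, acceptable in rule["match"].items()):
            return rule["effect"]
    return "Deny"

def gridshib_authorize(dn, name_map=NAME_MAP, campus_aa=CAMPUS_AA, vo_aa=VO_AA, policy=POLICY):
    """Step (4): returns (decision, reason); the DN is the subject handle throughout."""
    parse_dn(dn)  # reject malformed subjects before any lookup
    principal = name_map.get(dn)
    if principal is None:
        return "Deny", "no campus principal mapped for this DN"
    attrs = merge_attributes(campus_aa.get(principal, {}), vo_aa.get(dn, {}))
    return evaluate(policy, attrs), f"attributes={sorted(attrs)}"
```

Alice is permitted because her campus affiliation and VO role both match; Bob is denied by the first rule even though his DN maps, and an unmapped DN is denied before any attribute request is made, which is the failure mode the name-mapping bullet warns about.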

  17. Shibboleth and Grid Authentication/Authorization
  • Grid: community driven?
  • Grid: distributed authorization
  • Shibboleth: fundamentally based on the site (or VO?)
    • That is, it assumes a strong site open to working in this area, which is not always true
  • Grid->Shibboleth?
    • Projects exist in this area

  18. US DOE Lab/ESnet Shibboleth
  • Something new: DOE Lab CIOs have commissioned a pilot Shibboleth test bed and policy development activity
  • US DOE research labs are heavily influenced by trends and needs in US academic research (NSF, EDUCAUSE, and other US Gov't funding sources)
  • US DOE labs have limited resources for development in this area
  • Shibboleth et al. is both good news and bad news here:
    • Standard development platform
    • Limited resources to make changes

  19. Shibboleth Federation
  • Shibboleth makes no sense without a federation component; otherwise, why bother?
  • InCommon (http://www.incommonfederation.org)
    • Internet2's US Higher Ed example of a Shibboleth federation
    • There are some others: SWITCH, UK
  • US legal system
    • More complex bylaws, legal membership and status, etc.
    • Good example or bad example?
    • Some market inhibition
    • International legal context
  • Are our member organizations interested in federating for this purpose? TAGPMA?

  20. E-Authentication (separate)
  • Summary
    • Overlapping communities
    • Overlapping interests
    • What interest in this?

  21. Acknowledgements
  • Technical content in most slides drawn from Michael Gettes et al. from I2; from Von Welch et al. from NCSA; a bit from David Chadwick; and others.

  22. Summary
  • Overlapping communities
  • Overlapping interests
  • What interest do we have in this?
