
Shibboleth - An Introduction


Presentation Transcript


    1. Shibboleth - An Introduction UCAR Web Advisory Group Peter Burkholder 6 October 2004

    3. Outline Shibboleth philosophy Use Contexts Architecture Trust model: Federations Technical notes Challenges

    4. Starting From This… Suppose I am: Chris Jones, with these attributes in campus directory: UW student number 62-3407; home phone number 715-555-1234; e-mail chris.jones@uw.edu… Currently enrolled UW student; undergraduate; psychology major; enrolled in Psych 402 senior seminar…

    5. We Want This: Unambiguous mechanism that: Protects your privacy Demonstrates you really are a member of an appropriate group (e.g., UW Student, or enrolled in Psych 402) Works securely

    6. Not This: EXP DATE[p43]=09-30-04 RANK[p44]=v CAMPUS[p45]=a DEPT[p46]=0 P TYPE[p47]=5 TOT CHKOUT[p48]=13 TOT RENWAL[p49]=1 CUR CHKOUT[p50]=0 HOME LIBR[p53]=none PMESSAGE[p54]= MBLOCK[p56]=- REC TYPE[p80]=p RECORD #[p81]=1383699 REC LENG[p82]=252 CREATED[p83]=08-12-99 UPDATED[p84]=01-07-04 REVISIONS[p85]=100 AGENCY[p86]=1 CL RTRND[p95]=0 MONEY OWED[p96]=$0.00 BLK UNTIL[p101]= - - CUR ITEMA[p102]=0 CUR ITEMB[p103]=0 PIUSE[p104]=0 OD PENALTY[p105]=0 ILL REQUES[p122]=0 CIRCACTIVE[p163]=08-14-03 PATRN NAME[pn]=JONES, CHRIS M ADDRESS[pa]=Cheyenne$2455 N STAR RD$SUITE 300$VIA U.S. CARGO ZIP CODE[pz]=CAMPUS TELEPHONE[pt]=614-728-3600 UNIQUE NO[ps]=391****** S/N[pu]=391******

    7. Enter Shibboleth FAQ #1: Why is it called Shibboleth? A: Judges 12:5-6 And the Gileadites took the fords of the Jordan…when any of the fugitives of Ephraim said, “Let me go over,” the men of Gilead said to him, “Then say Shibboleth,” and he said “Sibboleth,” for he could not pronounce it right; then they seized him and slew him at the fords of the Jordan.

    8. Enter Shibboleth Product of Internet2 development “Secure framework for one organization to transmit attributes about a web-browsing individual across security domains to another institution.” Only end-user requirement is a browser that supports cookies, redirection, and SSL Only for web apps Reduces # of passwords, protects privacy (vs. Passport, or Liberty Alliance) Authentication, not security (use TLS/SSL)

    9. Shibboleth Vocabulary Four main structures: Origin: site with user directory information Target: site with restricted resource Where Are You From (WAYF): service to let a target site’s users select an appropriate origin Federations: groups of origins and targets with agreed-upon policies for authentication

    10. Use Contexts - 1 Napster (target) & Cornell (origin) Cornell buys reduced-rate student subscription Napster creates special Cornell login page Student logs in using Napster username Napster redirects user to Cornell origin node Cornell’s Shibboleth Origin Node tells Napster whether or not user is a student Napster isn’t privy to any additional information http://shibboleth.internet2.edu/seas.html

    11. Use Contexts - 2 DLESE An origin authenticating users as Library members or as educators (tricky) to access resources at remote targets A target providing services limited to members of a library federation or educational federation UCAR An origin authenticating users as UCAR staff to access resources at remote targets, e.g. Books 24x7 Very difficult for us to be authoritative

    12. Shibboleth Vocabulary Origin components Attribute Authority (AA): manages attribute release policies (ARPs) for different targets Handle Service (HS): manages temporary references (handles) to identify user sessions Local sign-on system (SSO): performs check against user directory for a valid login User directory with necessary attributes User dir: LDAP; AA & HS: provided by Shibboleth; Local SSO:

    13. Shibboleth Vocabulary Target components Resource Manager (RM): passes unauthenticated requests to SHIRE, grants access to authenticated requests Shib. Indexical Reference Establisher (SHIRE): consults the WAYF to get a handle to query Shib. Attribute Requester (SHAR): contacts origin Attribute Authority for needed attributes

    14. A Shibboleth Login Resource could be Napster, if UWyoming is subscribed, or Books 24x7 as a Faculty Member The resource Target is protected by an Apache <Location> stanza and mod_shib

    15. A Shibboleth Login RM could be as simple as:

        # Configure a test directory
        <Location /secure>
            AuthType shibboleth
            ShibRequireSession On
            require valid-user
        </Location>

    HS could be:

        <Location /shibboleth/HS>
            AuthType Basic
            AuthName "Internet2 Handle Service"
            AuthUserFile /usr/local/apache/conf/user.db
            require valid-user
        </Location>

    Or could use mod_authser or Kerberos or pubcookie

    16. A Shibboleth Login The HS may not need to re-authenticate The SSO may go against a different User Dir than the AA: e.g. Kerberos The SHAR is a stand-alone process, needs to be started before httpd

    17. A Shibboleth Login AA is governed by the site or individual's Attribute Release Policy (ARP)
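The origin-side Handle Service and Attribute Authority, the target-side SHAR, and the per-target Attribute Release Policy described on slides 12, 13 and 17 can be put together as a small simulation. The block below is an added example, not Internet2's code: the HS issues an opaque, short-lived handle for a signed-on user, the SHAR presents that handle together with the target's providerId, and the AA releases only the attributes the ARP permits for that target (contrast the full patron dump on slide 6). The directory entry, providerIds, ARPs and handle lifetime are all constructed for illustration.

```python
"""Simulated Shibboleth attribute exchange with an Attribute Release Policy.

Added example, not Internet2's code. Models the origin-side Handle Service
(HS) and Attribute Authority (AA) and the target-side SHAR from the slides.
Directory entries, providerIds, ARPs and the TTL are constructed values.
"""
import secrets
import time

HANDLE_TTL_SECONDS = 300  # assumed handle lifetime; constructed value

# Constructed campus directory entry in the spirit of the "Chris Jones" slide.
USER_DIRECTORY = {
    "cjones": {
        "displayName": "Chris Jones",
        "studentNumber": "62-3407",
        "homePhone": "715-555-1234",
        "mail": "chris.jones@uw.edu",
        "eduPersonScopedAffiliation": ["student@uw.edu"],
        "major": "psychology",
        "courses": ["PSYCH402"],
    }
}

# Constructed ARPs: target providerId -> attribute names that may be released.
# A target absent from the ARP gets nothing (deny by default).
ARP = {
    "urn:example:napster": {"eduPersonScopedAffiliation"},
    "urn:example:psych402-seminar": {"eduPersonScopedAffiliation", "courses"},
}


class HandleService:
    """Issues opaque handles that stand in for a user session."""

    def __init__(self):
        self._handles = {}  # handle -> (uid, issue time)

    def issue_handle(self, uid, now=None):
        # Random token: the handle itself carries no information about the user.
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(24)
        self._handles[handle] = (uid, now)
        return handle

    def resolve(self, handle, now=None):
        """Map a handle back to a uid, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._handles.get(handle)
        if entry is None:
            return None
        uid, issued_at = entry
        if now - issued_at > HANDLE_TTL_SECONDS:
            del self._handles[handle]
            return None
        return uid


class AttributeAuthority:
    """Answers SHAR attribute queries under the per-target ARP."""

    def __init__(self, handle_service, directory, arp):
        self.hs = handle_service
        self.directory = directory
        self.arp = arp

    def query(self, handle, target_id, now=None):
        uid = self.hs.resolve(handle, now)
        if uid is None:
            raise PermissionError("unknown or expired handle")
        allowed = self.arp.get(target_id, set())
        entry = self.directory[uid]
        # Release only what the ARP allows, never the whole directory record.
        return {name: value for name, value in entry.items() if name in allowed}


def shar_request(aa, handle, target_id, now=None):
    """Target-side SHAR: ask the origin AA for attributes about a handle."""
    return aa.query(handle, target_id, now)


def demo():
    """Three targets query the same handle; each sees only its ARP slice."""
    hs = HandleService()
    aa = AttributeAuthority(hs, USER_DIRECTORY, ARP)
    handle = hs.issue_handle("cjones", now=0)
    napster = shar_request(aa, handle, "urn:example:napster", now=10)
    seminar = shar_request(aa, handle, "urn:example:psych402-seminar", now=20)
    unlisted = shar_request(aa, handle, "urn:example:unlisted-target", now=30)
    return napster, seminar, unlisted


if __name__ == "__main__":
    for label, released in zip(("napster", "seminar", "unlisted"), demo()):
        print(label, released)
```

Run as a script to see the three releases: the Napster-style target learns only the scoped affiliation, the seminar target additionally learns course membership, and a target with no ARP entry learns nothing. An expired handle is refused outright rather than answered with an empty set, so a stale handle cannot be distinguished from an unknown one by the requester.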

    18. A Shibboleth Login

    19. Example https://wayf.internet2.edu/InQueue/sample.jsp

    20. Federations Group of mutually trusting institutions Origins and targets Common policies on attributes to request, certificate authorities to accept, sec. standards Higher Ed federations: InQueue - loose standards, free http://inqueue.internet2.edu/who/ InCommon - production quality, ~$1000/annum http://www.incommonfederation.org/participants.cfm Attributes to request need to meet schema definition standards, such as

    21. Technical notes - Target Target software written for Apache 1.3/2.0 and IIS C++, compiles under GCC 3.2 OpenSAML required Creates mod_shib and shar ShibConfig /opt/…/shibboleth.xml.

        <Location /secure>
            AuthType shibboleth
            ShibRequireSession On
            require valid-user
        </Location>

    SSL required to provide security

    1. The main Applications element's providerId attribute must be changed to reflect the URI this target will use to identify itself to origins by default. This will often be approved or supplied by a federation.
    2. The supportContact and error templates for the target found in the Errors element should be changed to ensure that users have a proper support mechanism.
    3. Proper credentials for this target signed by an authority that the federation recognizes must be referenced by the Credentials element. The default configuration points at files containing widely-available, insecure keys and certificates. Note that keys are supported in a variety of formats: DER, PEM, encrypted PEM, PKCS8, and encrypted PKCS8.
    4. FederationProvider and TrustProvider elements must be added or changed as needed to reflect the arrangements required. This information is often provided by federations to their members.
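The four post-install items above are the kind of thing that gets forgotten on a test target that later goes live, so they are worth checking mechanically. The block below is an added example, not part of the Shibboleth distribution: it reads a shibboleth.xml and reports which items still look untouched. The XML layout is a constructed, simplified stand-in for the real schema; only the element and attribute names the slide mentions (Applications/providerId, Errors/supportContact, Credentials, FederationProvider, TrustProvider) come from the slide, and the values treated as shipped placeholders are assumptions to be replaced with whatever the installed tarball actually contains.

```python
"""Post-install checklist lint for a Shibboleth target's shibboleth.xml.

Added example, not part of the Shibboleth distribution. The XML layout is a
constructed, simplified stand-in for the real schema; the placeholder values
flagged as shipped defaults are assumptions for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed placeholder values; replace with what the installed tarball ships.
PLACEHOLDER_PROVIDER_IDS = {"https://example.org/shibboleth", ""}
PLACEHOLDER_CONTACTS = {"root@localhost", ""}
PLACEHOLDER_KEY_FILES = {"shar.key", "shar.crt", "sample.key", "sample.crt"}

# Constructed config as it might look straight after unpacking.
DEFAULT_CONFIG = """\
<ShibbolethTargetConfig>
  <Applications providerId="https://example.org/shibboleth">
    <Errors supportContact="root@localhost"/>
  </Applications>
  <Credentials>
    <Key><Path>/etc/shibboleth/shar.key</Path></Key>
    <Certificate><Path>/etc/shibboleth/shar.crt</Path></Certificate>
  </Credentials>
</ShibbolethTargetConfig>
"""

# Constructed config after working through the checklist.
HARDENED_CONFIG = """\
<ShibbolethTargetConfig>
  <Applications providerId="https://sp.example.edu/shibboleth">
    <Errors supportContact="helpdesk@example.edu"/>
  </Applications>
  <Credentials>
    <Key><Path>/etc/shibboleth/sp-federation-issued.key</Path></Key>
    <Certificate><Path>/etc/shibboleth/sp-federation-issued.crt</Path></Certificate>
  </Credentials>
  <FederationProvider uri="/etc/shibboleth/federation-sites.xml"/>
  <TrustProvider uri="/etc/shibboleth/federation-trust.xml"/>
</ShibbolethTargetConfig>
"""


def lint_target_config(xml_text):
    """Return a list of finding codes; an empty list means all four items pass."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. providerId must be a real absolute URI chosen for this target.
    apps = root.find("Applications")
    provider_id = apps.get("providerId", "") if apps is not None else ""
    if not urlparse(provider_id).scheme or provider_id in PLACEHOLDER_PROVIDER_IDS:
        findings.append("PROVIDER_ID_DEFAULT")

    # 2. Users need a working support contact in the error templates.
    errors = root.find(".//Errors")
    contact = errors.get("supportContact", "") if errors is not None else ""
    if contact in PLACEHOLDER_CONTACTS:
        findings.append("SUPPORT_CONTACT_MISSING")

    # 3. Credentials must not be the widely-available sample key material.
    creds = root.find("Credentials")
    paths = [p.text or "" for p in creds.iter("Path")] if creds is not None else []
    if not paths or any(p.rsplit("/", 1)[-1] in PLACEHOLDER_KEY_FILES for p in paths):
        findings.append("CREDENTIALS_DEFAULT")

    # 4. Federation metadata and trust roots must both be configured.
    if root.find(".//FederationProvider") is None or root.find(".//TrustProvider") is None:
        findings.append("TRUST_PROVIDERS_MISSING")

    return findings


if __name__ == "__main__":
    print("default :", lint_target_config(DEFAULT_CONFIG))
    print("hardened:", lint_target_config(HARDENED_CONFIG))
```

The default-looking file produces all four findings and the hardened one none. Item 3 is the one with real consequences: a target still using the sample key pair has no credential of its own, so nothing an origin does with that certificate can be tied to this site.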

    22. Technical notes - Origin Origin software Written in Java for Tomcat 4.1/5.X Suggested run w/ Apache and mod_jk Installing is 1% of the job… Protect Handle Service: auth, provide REMOTE_USER

        <Location /shibboleth/HS>
            AuthType Kerberos
            AuthName "Internet2 Handle Service"
            KrbAuthRealms UCAR.EDU
            KrbMethodK4Passwd off
            require valid-user
        </Location>

    SSL required for the Handle Service

    23. Challenges - Origin Side Authoritative User Directory What UCAR directory? How could DLESE verify anyone’s a teacher? No Personal ARP GUI Single-Sign On Service (pubcookie?) Attribute provision AA does mapping Meeting Federation requirements, e.g. eduPersonScopedAffiliation (faculty, alum, student, ...)

    24. URLs of Note http://shibboleth.internet2.edu/ http://inqueue.internet2.edu
