Shibboleth, a potential security framework for EDIT

Lutz Suhrbier (suhrbier@inf.fu-berlin.de)

AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)

FU Berlin, FB Mathematik und Informatik, Institut für Informatik

06/09/2007 Berlin, EDIT Developers Meeting

Why use Shibboleth in EDIT?
  • Highly distributed organisational (infra-)structure
    • Cross-national conglomerate of
      • Universities, Institutes, Botanical Museums, (private) Collections, others
      • Service Providers, Databases, Hosts, Applications, …
      • Users, System Administrators
    • Members have individual security or organisational requirements
  • Identity Management
    • Current situation reflects organisational structure:
    • Users have to authenticate multiple times to access different services
      • Problems to remember the individual authentication ids (e.g. user/pass) for services
    • System administrators have to manage access control for these services
      • Individual maintenance of user accounts and access control for each service or resource
  • Problem
    • Current situation is error-prone and resource consuming
    • Need for a comfortable Single Sign-On (SSO) solution considering
      • Security and organisational requirements of providers
      • Security and privacy aspects of users

06/09/2007 EDIT Developers Meeting, BGBM Berlin

What is Shibboleth?
  • Internet2 Middleware Project which
    • Aims to develop a standards-based solution enabling organisations to exchange user information in a secure and privacy-preserving manner
    • is developed by a group of leading campus middleware architects (since 2000)
  • Inter-organisational single sign-on (SSO) service for web services
    • Uses several widely-implemented standards such as
      • Security Assertion Markup Language (SAML), XML, XML Signature
      • Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL)
      • SOAP, Lightweight Directory Access Protocol (LDAP)
    • Relies on or extends existing Identity Management solutions in organisations
  • Open Source (Apache Software License 2.0)


Shibboleth Key Concepts
  • Federations
    • a framework for multiple, scalable trust and policy sets
      • Specifies a group of organisations abiding by a common set of policies and practices
      • enables interaction without defining bilateral agreements between federated parties
    • IdP sites (user origin) provide attribute assertions to SP sites (target)
    • IdP sites are responsible for authenticating users (using any reliable means)
  • Attribute Based Access Control
    • AC decisions are made using attribute assertions received by SPs from IdPs
    • assertions may include identity, but will not require this
      • access may be granted based on e.g. group membership or origin site
    • A Standard (yet extensible) AttributeValue Vocabulary
      • eduPerson includes widely-used person attributes in higher education
  • Active Privacy Management
    • IdP sites and their origin users control what information is released to SPs
    • individuals can manage attribute release via a web-based user interface
      • frees users from depending on the SPs' privacy policies


Shibboleth Federations

Source: http://switch.ch/aai/about/federation/


Shibboleth Login Procedure

Source: http://switch.ch/aai/demo/easy.html


Shibboleth Main Components
  • Identity Provider (IdP)
    • maintains user credentials and attributes
    • asserts authentication or attribute statements to relying parties (SPs)
    • single sign-on (SSO) service initiates the authentication process
    • authentication authority issues authentication statements to others (SPs)
  • Service Provider (SP)
    • manages secured resources
    • user access is based on assertions requested from an IdP
    • assertion consumer service processes authentication assertions returned by the SSO service
      • initiates optional attribute requests (via the attribute requester)
      • establishes a security context at the SP
      • redirects the client to the desired target resource.
  • "Where are you from?" (WAYF) service (optional)
    • proxy for authentication requests passed from SPs to the IdPs' SSO service
    • used by SPs to determine the user's preferred IdP (user interaction possible)


Shibboleth benefits

Source: http://switch.ch/aai/about/

  • IdP benefits
    • simple integration in existing identity management
    • no additional effort to establish new services (user account and IP address management)
  • SP benefits
    • relief from user and account data management
    • authorisation based on defined properties
  • User benefits
    • only a single digital identity for SSO, location independent access
    • data transparency and data privacy management


Shibboleth SP Integration
  • Web Server
    • Apache
      • mod_shib
      • Assertions assignable to Apache environment variables (e.g. REMOTE_USER)
    • IIS
      • also possible
  • Drupal
    • modified webserver_auth module
      • Uses REMOTE_USER to logon to Drupal automatically
      • "pushes" the actual Shibboleth attributes (e.g. roles, mail, name) into the Drupal user module at every login
  • Subversion
    • Currently, usage via web browser possible (work in progress, proxy ?)
  • Trac
    • Work in progress…
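The Key Concepts and SP Integration slides together describe a small pipeline: the IdP applies an Attribute Release Policy (ARP) per SP, the SP decides access from the asserted attributes alone, and mod_shib exposes what was released as environment variables (REMOTE_USER among them) for applications such as the Drupal module. The following Python sketch is an added illustration of that pipeline, not code from the slides or from the Shibboleth project; the entity IDs, the user record and the release rules are constructed, while the attribute names follow the eduPerson schema the slides mention.

```python
# Constructed example: IdP-side attribute release and SP-side attribute-based access control.
from typing import Dict, List, Tuple, Union

Attr = Union[str, List[str]]

# IdP-side directory entry for one user (constructed sample data).
USER: Dict[str, Attr] = {
    "eduPersonPrincipalName": "alice@idp.example.org",
    "mail": "alice@example.org",
    "displayName": "Alice Example",
    "eduPersonAffiliation": ["member", "staff"],
    "eduPersonEntitlement": ["urn:mace:example.org:edit:drupal-editor"],
}

# Attribute Release Policy (ARP): per SP entityID, the attributes the IdP may
# release. Identity attributes only go to the SP that actually needs them.
ARP: Dict[str, List[str]] = {
    "https://sp.example.org/shibboleth": [
        "eduPersonPrincipalName", "eduPersonAffiliation",
        "eduPersonEntitlement", "mail", "displayName"],
    "https://wiki.example.org/shibboleth": ["eduPersonAffiliation"],
}

def release_attributes(user: Dict[str, Attr], sp_entity_id: str,
                       arp: Dict[str, List[str]]) -> Dict[str, Attr]:
    """IdP: keep only what the ARP allows for this SP (unknown SP gets nothing)."""
    allowed = set(arp.get(sp_entity_id, []))
    return {name: value for name, value in user.items() if name in allowed}

def authorise(assertion: Dict[str, Attr],
              required: List[Tuple[str, str]]) -> bool:
    """SP: grant access if any required (attribute, value) pair is asserted."""
    for name, wanted in required:
        values = assertion.get(name, [])
        if isinstance(values, str):
            values = [values]
        if wanted in values:          # group membership or entitlement suffices,
            return True               # no identity attribute is needed
    return False

def build_environment(assertion: Dict[str, Attr]) -> Dict[str, str]:
    """SP: expose released attributes as the environment variables mod_shib
    hands to the application; multi-valued attributes are joined with ';'."""
    env = {name: ";".join(v) if isinstance(v, list) else v
           for name, v in assertion.items()}
    if "eduPersonPrincipalName" in assertion:
        env["REMOTE_USER"] = env["eduPersonPrincipalName"]  # what the Drupal module reads
    return env
```

The wiki SP receives only the affiliation, so it can authorise members but never sees a mail address or a principal name, which is the privacy property the Key Concepts slide describes.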


Shibboleth Tools
  • ShARPE
    • management of user attributes via web-based interface (WebShARPE)
      • editing of user attributes
      • edit which attributes are released to defined SPs
      • define user roles
    • extends Attribute Release Policy (ARP) with group management facilities
      • users can assign attributes to other users
    • role-specific "business card" definition (Autograph)
      • enables users to edit id card for different uses (e.g. student, work group)


EDIT Recent and current activities
  • Demo IdP and SP server installed as XEN domains
    • https://idp.e-taxonomy.eu
    • https://sp.e-taxonomy.eu
  • Provisional EDIT federation established
    • https://dev.e-taxonomy.eu will join
    • other sites can join on request
  • Comprehensive setup descriptions available
    • http://dev.e-taxonomy.eu/trac/wiki/Shibboleth
    • IdP and SP on Debian Etch
    • Drupal integration
  • ShARPE will be installed on the IdP site within the next days
