PowerPoint Slideshow about 'Shibboleth, a potential security framework for the TDWG architecture' - carter

Shibboleth, a potential security framework for the TDWG architecture

09/18/2007 Bratislava, TDWG 2007 Conference

What is Shibboleth ?
  • Internet2 Middleware Project which
    • Aims to develop a standards-based solution enabling organisations to exchange user information in a secure and privacy-preserving manner
    • is developed by a group of leading campus middleware architects (since 2000)
  • Inter-organisational single sign-on (SSO) service for web services
    • Uses several widely-implemented standards such as
      • Security Assertion Markup Language (SAML), XML, XML Signature
      • Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL)
      • SOAP, Lightweight Directory Access Protocol (LDAP)
    • Relies on or extends existing Identity Management solutions in organisations
  • Supported by a range of mostly academic networks (libraries in particular)
    • e.g. JSTOR, OCLC, VASCODA
  • Open Source (Apache Software License 2.0)

18/09/2007 TDWG 2007 Conference, Bratislava

Why use Shibboleth?
  • Highly distributed organisational (infra-)structure
    • Cross-national conglomerate of
      • Universities, Institutes, Botanical Museums, (private) Collections, others
      • Service Providers, Databases, Hosts, Applications, …
      • Users, System Administrators
    • Members have individual security or organisational requirements
  • Problem: Identity Management
    • Current situation is error-prone and resource-consuming:
    • Users have to authenticate multiple times to access different services
      • Problems remembering the individual authentication credentials (e.g. user/pass) for each service
    • System administrators have to manage access control for these services
      • Individual maintenance of user accounts and access control for each service or resource
    • Need for a comfortable Single Sign-On (SSO) solution considering
      • Security and organisational requirements of providers
      • Security and privacy aspects of users (EU data protection and privacy directive)
  • Easy to integrate with existing web environments
    • supports e.g. Apache, IIS


Shibboleth Key Concepts
  • Federations
    • a framework for multiple, scalable trust and policy sets
    • specifies a group of organisations abiding by a common set of policies and practices
    • enables interaction without defining bilateral agreements between federated parties
  • Attribute Based Access Control
    • access control decisions are made using attribute assertions
    • assertions may include identity, but will not require this
      • access may be granted based on e.g. group membership or origin site
    • a standard (yet extensible) attribute-value vocabulary
      • e.g. eduPerson includes widely-used person attributes in higher education
  • Active Privacy Management
    • users control what information is released to service providers
    • individuals can manage attribute release via a web-based user interface
      • frees users from depending on the service provider's privacy policies
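The two concepts above, attribute release controlled on the IdP side and an SP decision made purely on attribute values, as an added example (not code from the presentation or from the Shibboleth project). The SAML 2.0 element names and the eduPerson attribute names and OIDs are real; the attribute statement, the entity IDs, the release policy and the group name are constructed for this example. The scope check on `eduPersonScopedAffiliation` goes a little beyond the slide: a Shibboleth SP only accepts scoped values whose scope matches the one registered for the asserting IdP, so one organisation's IdP cannot vouch for members of another.

```python
"""Attribute release at the IdP and attribute-based access control at the SP.

Added example, not code from the presentation or the Shibboleth project.
SAML element names and eduPerson attribute names/OIDs are real; the
attribute statement, entity IDs, release policy and group are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement as an IdP would embed in a signed Assertion.
ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                  FriendlyName="eduPersonPrincipalName">
    <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
                  FriendlyName="eduPersonScopedAffiliation">
    <saml:AttributeValue>staff@example.edu</saml:AttributeValue>
    <saml:AttributeValue>member@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
                  FriendlyName="isMemberOf">
    <saml:AttributeValue>edit:vital:readers</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

def parse_attributes(xml_text):
    """Return {FriendlyName: [values]} from a SAML AttributeStatement."""
    root = ET.fromstring(xml_text.strip())
    out = {}
    for attr in root.findall("saml:Attribute", NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        out[name] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return out

# IdP side: attribute release policy per relying party (SP entity ID, constructed).
# This is what the user agrees to in the release UI; unlisted SPs receive nothing.
RELEASE_POLICY = {
    "https://vital.example.org/shibboleth": {"eduPersonScopedAffiliation", "isMemberOf"},
    "https://cdm.example.org/shibboleth": {"eduPersonScopedAffiliation"},
}

def release(attrs, sp_entity_id):
    """IdP: keep only the attributes the policy allows for this SP."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    return {name: vals for name, vals in attrs.items() if name in allowed}

def scoped_values(released, name, idp_scope):
    """SP: accept scoped values only when the scope is the one registered
    for the asserting IdP, so an IdP cannot vouch for another organisation."""
    result = []
    for v in released.get(name, []):
        value, sep, scope = v.partition("@")
        if sep and scope == idp_scope:
            result.append(value)
    return result

def sp_decision(released, idp_scope, affiliation=None, group=None):
    """SP: grant iff every required condition holds on the released attributes.
    No identity attribute (eduPersonPrincipalName) is consulted."""
    if affiliation is not None and affiliation not in scoped_values(
            released, "eduPersonScopedAffiliation", idp_scope):
        return False
    if group is not None and group not in released.get("isMemberOf", []):
        return False
    return True

def check_access(sp_entity_id, idp_scope="example.edu", **requirements):
    """End to end: parse the statement, apply the release policy, decide."""
    released = release(parse_attributes(ATTRIBUTE_STATEMENT), sp_entity_id)
    return sp_decision(released, idp_scope, **requirements)
```

Note that the CDM service provider in the constructed policy never sees `isMemberOf`, so a group-based rule there fails closed rather than leaking a decision on data the user did not agree to release.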


Shibboleth Main Components
  • Identity Provider (IdP)
    • maintains user credentials and attributes
    • provides attribute assertions to relying parties (SP sites)
    • is responsible for authenticating users (using any reliable means)
      • single sign-on (SSO) service initiates the authentication process
      • authentication authority issues authentication statements to others (SPs)
  • Service Provider (SP)
    • manages secured resources
    • access is granted based on assertions requested from an IdP
      • assertion consumer service processes authentication assertions returned by the IdP's SSO service
      • attribute requester initiates optional attribute requests
      • establishes a security context at the SP
    • redirects the client to the desired target resource.
  • "Where are you from?" (WAYF) service (optional)
    • proxy for authentication requests passed from SPs to the IdP's SSO service
    • used by SPs to determine the user's preferred IdP (user interaction possible)
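The exchange between the three components, as an added example that is not part of the presentation and not the Shibboleth project's code. It models the roles with plain Python data: the assertion is a dict signed with an HMAC over its canonical JSON form (a stand-in for the XML Signature a real IdP applies), the federation "metadata" is a dict mapping an IdP entity ID to its verification key, and the IdP's user store is an inline table rather than LDAP. All entity IDs, user records, passwords and keys are constructed. The SP's assertion consumer service shows the checks a relying party needs before establishing a security context: trusted issuer, valid signature, correct audience, freshness, and a one-time match against an outstanding request (so an assertion cannot be replayed or injected unsolicited).

```python
"""SP -> WAYF -> IdP -> SP assertion consumer exchange (added example).

Not code from the presentation or the Shibboleth project. HMAC over
canonical JSON stands in for XML Signature; dicts stand in for SAML XML
and federation metadata. All identifiers and keys are constructed.
"""
import hashlib, hmac, json, secrets, time

# Federation metadata (constructed): IdPs this SP trusts and their keys.
# In SAML this is the IdP signing certificate from signed federation metadata.
FEDERATION = {
    "https://idp.example.edu/shibboleth": b"idp-signing-key-constructed",
}
SP_ENTITY_ID = "https://vital.example.org/shibboleth"
ASSERTION_LIFETIME = 300  # seconds the assertion stays valid

# IdP user store (constructed); a real IdP delegates this to LDAP.
def _digest(salt, password):
    return hashlib.sha256(salt + password.encode()).hexdigest()
_SALT = b"constructed-salt"
IDP_USERS = {"jdoe": _digest(_SALT, "correct horse")}

def sp_start_login(outstanding):
    """SP: build an authentication request and remember its ID for InResponseTo."""
    req = {"id": secrets.token_hex(8), "issuer": SP_ENTITY_ID,
           "acs": SP_ENTITY_ID + "/SAML2/POST"}
    outstanding[req["id"]] = time.time()
    return req

def wayf(preferred_idp):
    """WAYF: map the user's choice to a federation IdP; refuse unknown ones."""
    if preferred_idp not in FEDERATION:
        raise ValueError("IdP not in federation")
    return preferred_idp

def idp_authenticate_and_assert(idp_entity_id, username, password, request, now=None):
    """IdP SSO service: authenticate, then issue a signed assertion bound to
    exactly this SP (audience) and this request (in_response_to)."""
    stored = IDP_USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, _digest(_SALT, password)):
        return None
    now = time.time() if now is None else now
    assertion = {
        "issuer": idp_entity_id,
        "subject": username + "@example.edu",
        "audience": request["issuer"],
        "in_response_to": request["id"],
        "not_on_or_after": now + ASSERTION_LIFETIME,
        "attributes": {"eduPersonAffiliation": ["staff"]},
    }
    body = json.dumps(assertion, sort_keys=True).encode()
    sig = hmac.new(FEDERATION[idp_entity_id], body, hashlib.sha256).hexdigest()
    return {"assertion": assertion, "signature": sig}

def sp_assertion_consumer(response, outstanding, now=None):
    """SP assertion consumer service: verify issuer, signature, audience,
    freshness and InResponseTo; then establish the security context and
    consume the request ID so the same assertion cannot be used twice."""
    a = response["assertion"]
    key = FEDERATION.get(a.get("issuer"))
    if key is None:
        return None                                   # untrusted IdP
    body = json.dumps(a, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["signature"]):
        return None                                   # tampered or forged
    if a["audience"] != SP_ENTITY_ID:
        return None                                   # issued for another SP
    now = time.time() if now is None else now
    if now >= a["not_on_or_after"]:
        return None                                   # expired
    if a["in_response_to"] not in outstanding:
        return None                                   # unsolicited or replayed
    del outstanding[a["in_response_to"]]              # one assertion per request
    return {"subject": a["subject"], "attributes": a["attributes"]}

def demo():
    """Full exchange: SP request -> WAYF -> IdP login -> assertion -> SP context."""
    outstanding = {}
    req = sp_start_login(outstanding)
    idp = wayf("https://idp.example.edu/shibboleth")
    resp = idp_authenticate_and_assert(idp, "jdoe", "correct horse", req)
    return sp_assertion_consumer(resp, outstanding)
```

The `outstanding` table is the SP's state between the redirect to the IdP and the return to its assertion consumer service; deleting the entry on success is what turns the assertion into a one-time credential.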


Shibboleth Authentication Procedure

Source: http://switch.ch/aai/demo/easy.html


Shibboleth Federations

Source: http://switch.ch/aai/about/federation/


Shibboleth benefits

Source: http://switch.ch/aai/about/

  • IdP benefits
    • simple integration in existing identity management
    • no additional effort to establish new services (user account and IP address management)
  • SP benefits
    • relieved of user and account data management
    • authorisation based on defined properties
  • User benefits
    • only a single digital identity for SSO, location independent access
    • data transparency and data privacy management


[Diagram components: User; IdP; LDAP; ExpertDB; SP (x4); ViTaL; CDM Web Services; Community Sites]

Shibboleth Integration in EDIT
  • protect different services and resources individually
  • establish a provisional EDIT federation
    • eases and unifies access to resources
    • open to other (TDWG) service providers on request
  • share resources => share charges e.g.: ViTaL (Virtual Library)
  • unified management of user data & credentials
    • combining IdP + ExpertDB


EDIT Federation – Attribute Details


Shibboleth Resources
  • EDIT Developer Wiki
    • http://dev.e-taxonomy.eu/trac/wiki/Shibboleth
  • Shibboleth Home Page
    • http://shibboleth.internet2.edu/
