
Shibboleth Access Management System

Shibboleth Access Management System. Walter Hoehn & David Millman, Columbia University. Introduction. Why the web needs identity? Access Control Customization Collaboration Challenges Privacy concerns/obligations Hundreds of passwords vs. Passport Protocol limitations.


Presentation Transcript


  1. Shibboleth Access Management System Walter Hoehn & David Millman, Columbia University

  2. Introduction
     • Why the web needs identity?
       • Access Control
       • Customization
       • Collaboration
     • Challenges
       • Privacy concerns/obligations
       • Hundreds of passwords vs. Passport
       • Protocol limitations

  3. Shibboleth Overview
     • Federated Identity Management
     • Flexible attribute profiles
     • Privacy controls
     • Works with existing browser technology
     • Standards-based

  4. Shibboleth Overview (cont.)
     • Origins (Identity Providers)
       • Manages user identity data
       • Authenticates users
       • Administers attribute release policies
       • Provides user attributes
     • Targets (Resource Providers)
       • Administers access control policies
       • Administers attribute acceptance policies
       • Requests attributes
       • Provides digital resources/services

  5. Demo NSDL.org

  6. Who is working on Shibboleth?
     • Internet2 (UCAID)
     • Columbia University
     • Brown University
     • The Ohio State University
     • The University of Washington
     • MIT

  7. Who is using Shibboleth?
     • 17 Identity Providers (15 US Universities, 1 UK University, Swiss Education and Research Network)
     • 4 Content vendors (JSTOR, OCLC, EBSCO, ProQuest)
     • 2 course management systems (Blackboard, WebCT)
     • 1 online grading system (WebAssign)
     • 1 inter-library loan vendor (Innovative Interfaces)

  8. Advances since the last All-Projects meeting
     • Security
       • PKI-based signature verification
       • SAML 1.1 support
     • Performance
       • Improved caching mechanisms
       • Target can request specific attributes
     • Privacy
       • Attribute Release Policy language and engine

  9. Advances since the last All-Projects meeting (cont.)
     • Integration
       • Attribute Resolution Engine (runtime configuration, metadirectory functionality)
       • Support for international characters in assertions
       • Stateless handle mechanism, which allows for fault-tolerant configurations
       • Support for using SSL Client Auth to authN to the origin
     • Expanded Platform Support
       • Origin – All JDK 1.4 compatible platforms
       • Target – Linux, Solaris, Windows / Apache, IIS

  10. Use Case: Accessibility
     • A government agency creates a web site containing video footage of historically important NASA space flights
     • The web site’s interface must be adaptable for users with disabilities
     • A user with low vision prefers custom colors, font face, and font size
     • A user with hand tremors might prefer bigger links and buttons

  11. Use Case: Accessibility (cont.)
     • Appropriate content can be selected or search priorities can be pre-set for accessible resources
     • A user who is deaf may want only videos with closed captioning
     • A user who is blind may want images with text descriptions and videos with audio descriptions to be ranked highly in search results

  12. Use Case: Accessibility (cont.)
     • A Solution
       • Agency installs a Shibboleth-enabled web service
       • The user’s identity provider transmits accessibility metadata to the web site (IMS Learner Information Profile) via Shibboleth
       • Web site assigns style sheets based on accessibility metadata
       • Web site search service uses accessibility metadata in ranking algorithms
     Contact: Madeleine_Rothberg@wgbh.org

  13. Use Case: Subscription-based content
     • An online aggregator of scholarly medical publications sells subscriptions to a university library
     • Eligible users should be able to access the content regardless of location
     • The aggregator wants the flexibility to offer license agreements to subsets of a University community
     • The library wants to maintain the privacy of its patrons and the security of their personal data

  14. Use Case: Subscription-based content (cont.)
     • A Solution
       • Aggregator installs a Shibboleth-enabled web service
       • The University’s IT department deploys a Shibboleth origin in conjunction with their central directory service
       • The University transmits eduPerson entitlement attribute data via Shibboleth

  15. Use Case: Web site contains curriculum aids for middle school science
     • The site includes curriculum aids, such as photographs, videos, maps, report topics, etc., that are freely available for students to download
     • The site also includes lesson plans, discussion questions, and tests that accompany the freely available materials. These materials should only be available to educators.

  16. Use Case: Web site contains curriculum aids for middle school science (cont.)
     • A Solution
       • Site installs a Shibboleth-enabled web service
       • The user’s identity provider transmits information related to teacher credentialing
     • Requirements are different
       • Not a user settable preference (as in accessibility use case)
       • Not provided by existing university infrastructure (as in subscription use case)

  17. Target Installation
     • Prerequisites
       • SSL-enabled web server
       • Supported platform
       • Relationship with an identity provider or federation
     • Install pluggable Shibboleth module
     • Configure site metadata
     • Configure attribute acceptance policies
     • Configure access control rules
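The origin/target split of slide 4, the release and acceptance policies of slides 8 and 17, and the entitlement-based subscription access of slide 14, modelled end to end in an added Python example that is not part of the original presentation and not Shibboleth's own code or policy syntax. The attribute names follow eduPerson; the host names, entitlement URN and policy tables are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Assertion:
    issuer: str            # origin (identity provider) that signed the assertion
    target: str            # resource provider the assertion is addressed to
    attributes: dict       # attribute name -> set of values
    signature_valid: bool  # outcome of PKI-based signature verification (assumed done upstream)

# Origin side: Attribute Release Policy (ARP). Each target receives only the
# attributes it is entitled to see; everything else never leaves the origin.
RELEASE_POLICY = {  # constructed sample: target -> releasable attribute names
    "aggregator.example.org": {"eduPersonEntitlement", "eduPersonScopedAffiliation"},
}

def release(issuer, target, user_attributes, signature_valid=True):
    allowed = RELEASE_POLICY.get(target, set())
    released = {n: set(v) for n, v in user_attributes.items() if n in allowed}
    return Assertion(issuer, target, released, signature_valid)

# Target side: site metadata names the trusted origins and the scope each may assert.
TRUSTED_ORIGINS = {"origin.university.example.edu": "university.example.edu"}  # constructed

def accept(assertion, my_name):
    """Attribute Acceptance Policy: discard everything from an unsigned, unknown or
    misaddressed origin, and drop scoped values outside the issuer's own scope."""
    if not assertion.signature_valid or assertion.target != my_name:
        return {}
    scope = TRUSTED_ORIGINS.get(assertion.issuer)
    if scope is None:
        return {}
    accepted = {}
    for name, values in assertion.attributes.items():
        if name.endswith("ScopedAffiliation"):
            values = {v for v in values if v.endswith("@" + scope)}
        if values:
            accepted[name] = values
    return accepted

# Access control rules: a protected path needs at least one of the listed values;
# a path with no rule is public.
ACCESS_RULES = {  # constructed sample
    "/journals/medical": {"eduPersonEntitlement": {"urn:mace:example.org:medical-journals"}},
}

def authorize(path, accepted):
    required = ACCESS_RULES.get(path, {})
    return all(accepted.get(name, set()) & values for name, values in required.items())
```

Note that the patron's display name is never released, so the aggregator authorizes on entitlement alone, which is how the library's privacy goal on slide 13 is met.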

  18. Target Installation (cont.)
     • Current required skill set
       • Service platform competency (OS, web server, application environment)
       • SSL
       • XML
       • X509/PKI
       • Shibboleth federation model
     • Closing the gap
       • Identify appropriate staff
       • Better software packaging/streamlined installation

  19. Research/Directions for the future
     • Access Management for N-tier applications
     • Attribute Release Policies
     • Interfaces
     • Resource Description Metadata
     • Authorization services (XACML)
     • Integration with other SAML-based identity services (Liberty)
