
Federated Identity and Shibboleth Concepts

Rick Summerhill, Chief Technology Officer, Internet2. GEC3, October 29, 2008. Slides by Nate Klingenstein (ndk@internet2.edu) and John Krienke (a2jcwk@gmail.com), Internet2.


Presentation Transcript


  1. Federated Identity and Shibboleth Concepts • Rick Summerhill, Chief Technology Officer, Internet2 • GEC3, October 29, 2008 • Slides by Nate Klingenstein (ndk@internet2.edu) and John Krienke (a2jcwk@gmail.com), Internet2

  2. The Challenging Way: no coordination, proprietary code, batch uploads. Every service keeps its own copy of the user, each with its own ID and password. • Home (Circle University): joe@circle.edu, Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #1 • Grant Admin Service: ID #2 "Joval", Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #2 • Grading Service: ID #3 "Jo456", Dr. Joe Oval, Psych Prof., Password #3, ???? • Music Service: ID #4 "j.o.123", Joe Oval, Psych Prof., DOB: 4/4/1955, Password #4

  3. The Federated Way: the home record (Circle University: joe@circle.edu, Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #1) is the only account. The home organization passes each service what it needs, in one case an Anonymous ID# in place of the e-mail address. 1. Single sign on 2. Services no longer manage user accounts & personal data stores 3. Reduced help-desk load 4. Standards-based technology 5. Home org controls privacy

  4. How Federated Identity Works • A user tries to access a protected application • The user tells the application where it’s from • The user logs in at home • Home tells the application about the user • The user is rejected or accepted

  5. The exchange between User, Service Provider (SP) and Identity Provider (IdP), with the Directory / Database behind the IdP: 1. User → SP: I'd like access. 2. SP → User: What is your home? 3. SP → User: Please login at home. 4. User → IdP: I'd like to login for SP. 5. User → IdP: Login. 6. IdP → User: Here is data about you for SP. User: Send it. 7. User (browser carrying the assertion) → SP: Here is my data. 8a. SP → User: See the page! 8b. SP → User: Access Denied.

  6. Shibboleth IdP • Written in Java, runs in any Servlet 2.4 container • Supports multiple protocols • Does not contain attributes or logins • Relies on external LDAP/Kerberos/SQL/etc. • Extensive controls for the release of attributes

  7. [Diagram: IdP deployment. The Web Browser talks to the Shibboleth IdP, running in Tomcat, which delegates Authentication and attribute lookup to a Directory / Database; on the other side the Shibboleth SP sits in front of the Application.]

  8. Shibboleth SP • Written in C++ for Apache, IIS, or NSAPI • Apache often used to front-end other web servers: Java containers, Zope, etc. • Extensive clustering support • No API: attributes & data available through headers & env. variables (environment variables are the safer channel where the web server supports them; header delivery depends on the SP stripping any incoming request headers of the same names, so an application must only trust those headers when every request reaches it through the SP) • Keeps identity management external to app

  9. [Diagram: SP deployment. The Web Browser reaches Apache or IIS, where the Shibboleth SP module hands requests to the shibd daemon; shibd exchanges assertions with the Shibboleth IdP and passes Person Information to the application running in Tomcat, while the IdP draws on its Directory / Database.]

  10. Words • SAML: Security Assertion Markup Language • Attribute: A name/value pair that describes a user: uid/rrsum • Scope: The domain within which an attribute is valid: staff@example.com • Assertion: User authentication & attribute information wrapped as SAML for transport • Name Identifier: Any attribute elevated to identifier (primary key) status

  11. More words • entityID: The name of a provider • Identity Provider (IdP): Supplies assertions • Attribute Authority (AA): Acquires user attributes and encodes them for transport • Service Provider (SP): Receives assertions and protects resources • Assertion Consumer Service (ACS): Receives assertion, processes it, passes user along

  12. Last words • Federation: A trust structure to help large communities of IdPs or SPs interoperate without an M×N handshake • Not necessary for federated identity: two providers can also exchange metadata bilaterally • Metadata: A file that describes how to talk to and trust a provider (its entityID, endpoints, keys, and for an IdP the scopes it may assert)
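The following is an added example for this transcript, not code from the Shibboleth project: a self-contained simulation of the exchange on slide 5 using the vocabulary of slides 10 through 12. One IdP with a per-SP attribute release policy (slides 3 and 6) issues a SAML 2.0 assertion carrying a transient NameID and a scoped attribute; an SP-side assertion consumer checks the issuer against metadata, the audience, the validity window, and that the scope is one the IdP's metadata allows. The entityIDs, the directory record for "joe", the password, and the release policy are all constructed; the HTTP redirects, the XML Signature, and session handling are left out, and the in-memory `METADATA` dict stands in for the metadata file.

```python
"""Simulated SAML 2.0 Web Browser SSO between an IdP and two SPs.

Constructed example for this transcript, not Shibboleth code.  Omitted:
the HTTP redirects of slide 5, the XML Signature on the assertion, and
session handling.  Kept: login at home, per-SP attribute release, a
transient (anonymous) NameID, and the ACS checks on issuer, audience,
validity window and attribute scope.
"""
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ET.register_namespace("saml", SAML)
DEMO_NOW = datetime(2008, 10, 29, 15, 0, 0, tzinfo=timezone.utc)


def q(tag):  # tag name qualified with the SAML assertion namespace
    return f"{{{SAML}}}{tag}"


def ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Metadata (constructed entityIDs): who the parties are and, for the IdP,
# which scopes it may assert (Shibboleth metadata carries this as shibmd:Scope).
IDP = "https://idp.circle.edu/idp/shibboleth"
GRANTS_SP = "https://grants.example.org/shibboleth"
MUSIC_SP = "https://music.example.org/shibboleth"
METADATA = {IDP: {"scopes": {"circle.edu"}}, GRANTS_SP: {}, MUSIC_SP: {}}

# IdP side.  The IdP stores no accounts itself; these dicts stand in for the
# LDAP/Kerberos/SQL backends of slide 6 (constructed data).
DIRECTORY = {"joe": {"uid": "joe", "displayName": "Dr. Joe Oval",
                     "eduPersonScopedAffiliation": "faculty@circle.edu",
                     "ssn": "456.78.910"}}
PASSWORDS = {"joe": "password-1"}

# Attribute release policy: what each SP may see.  The SSN never leaves home.
RELEASE_POLICY = {GRANTS_SP: {"uid", "displayName", "eduPersonScopedAffiliation"},
                  MUSIC_SP: {"eduPersonScopedAffiliation"}}


def idp_login_and_assert(uid, password, sp_entity_id, now=DEMO_NOW):
    """Steps 4-6 of slide 5: log in at home, build the assertion for one SP."""
    if not hmac.compare_digest(PASSWORDS.get(uid, ""), password):
        raise PermissionError("login failed")
    if sp_entity_id not in METADATA:
        raise ValueError("SP not in metadata: " + sp_entity_id)
    a = ET.Element(q("Assertion"), ID="_" + secrets.token_hex(16),
                   Version="2.0", IssueInstant=ts(now))
    ET.SubElement(a, q("Issuer")).text = IDP
    subject = ET.SubElement(a, q("Subject"))
    # Transient NameID: the "Anonymous ID#" of slide 3, fresh for every session.
    ET.SubElement(subject, q("NameID"), Format=TRANSIENT).text = "_" + secrets.token_hex(16)
    cond = ET.SubElement(a, q("Conditions"), NotBefore=ts(now),
                         NotOnOrAfter=ts(now + timedelta(minutes=5)))
    aud = ET.SubElement(cond, q("AudienceRestriction"))
    ET.SubElement(aud, q("Audience")).text = sp_entity_id
    stmt = ET.SubElement(a, q("AttributeStatement"))
    for name, value in DIRECTORY[uid].items():
        if name in RELEASE_POLICY.get(sp_entity_id, set()):
            attr = ET.SubElement(stmt, q("Attribute"), Name=name)
            ET.SubElement(attr, q("AttributeValue")).text = value
    return ET.tostring(a)  # real SAML signs this before it leaves the IdP


def sp_consume(assertion_xml, sp_entity_id, now=DEMO_NOW):
    """Assertion Consumer Service (slide 11): validate, then hand the
    attributes to the application as a name/value map, as shibd would."""
    a = ET.fromstring(assertion_xml)
    idp_meta = METADATA.get(a.findtext(q("Issuer")))
    if not idp_meta or "scopes" not in idp_meta:
        raise ValueError("issuer is not an IdP in our metadata")
    # A real ACS verifies the XML Signature against the IdP's metadata key here.
    cond = a.find(q("Conditions"))
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if a.findtext(f"{q('Conditions')}/{q('AudienceRestriction')}/{q('Audience')}") != sp_entity_id:
        raise ValueError("assertion was issued for a different SP")
    attrs = {}
    for attr in a.iter(q("Attribute")):
        value = attr.findtext(q("AttributeValue")) or ""
        # Scope check: an IdP may only assert the scopes its metadata lists.
        if "@" in value and value.rsplit("@", 1)[1] not in idp_meta["scopes"]:
            raise ValueError("scope not authorized for this IdP: " + value)
        attrs[attr.get("Name")] = value
    attrs["REMOTE_USER"] = a.findtext(f"{q('Subject')}/{q('NameID')}")
    return attrs


if __name__ == "__main__":
    for sp in (GRANTS_SP, MUSIC_SP):
        print(sp, sp_consume(idp_login_and_assert("joe", "password-1", sp), sp))
```

Running it shows the grants service receiving uid, displayName and the scoped affiliation while the music service receives the affiliation only, and both receiving a different transient NameID. The scope check is the part worth noticing: without it, any IdP in the federation could assert `staff@circle.edu` for its own users, which is why the scopes an IdP may use are part of its metadata rather than of the assertion.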

  13. An Example:

  14. Basic Architecture - IDC
