Shibboleth A Technical Overview - PowerPoint PPT Presentation

Description: Title: SAML Overview. Subject: Security Assertion Markup Language. Author: Tom Scavo. Last modified by: Tom Scavo. Created Date: 1/7/2001 4:34:18 PM.

Slides: 40
Transcript and Presenter's Notes

1
Shibboleth: A Technical Overview
  • Tom Scavo, trscavo@ncsa.uiuc.edu
  • NCSA

2
What is Shibboleth?
  • Shibboleth provides cross-domain single sign-on
    and attribute-based authorization while
    preserving user privacy
  • Shibboleth is simultaneously
    • A project
    • A specification
    • An implementation

3
Shibboleth Project
  • Shibboleth, a project of Internet2-MACE
  • Advocates a federated identity management policy
    framework focused on user privacy
  • Develops middleware architectures to facilitate
    inter-institutional attribute sharing
  • Manages an open source reference implementation
    of the Shibboleth spec
  • Shibboleth has made significant contributions to
    the SAML-based identity management space

4
Collaborations
[Diagram: Shibboleth's collaborations: Internet2, E-Auth, OASIS, Liberty,
Educause, Vendors]
5
Shibboleth Specification
  • Shibboleth is an extension of the SAML 1.1
    browser profiles
    • Shibboleth Browser/POST Profile
    • Shibboleth Browser/Artifact Profile
    • Shibboleth Attribute Exchange Profile
  • See the Shibboleth spec for details: S. Cantor et
    al., Shibboleth Architecture: Protocols and
    Profiles. Internet2-MACE, 10 September 2005.

6
Shibboleth Implementation
  • The Shibboleth implementation consists of two
    components
    • Shibboleth Identity Provider
    • Shibboleth Service Provider
  • The Identity Provider is a J2EE webapp
  • The Service Provider is a C Apache module
  • A pure Java Service Provider is in beta

7
The Shibboleth Experience
8
The Shibboleth Wiki
  • For example, the Shibboleth wiki (hosted at
    ohio-state.edu) is shibbolized:
    https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/WebHome
  • To edit wiki pages, a user must be known to the
    wiki
  • Users have wikiNames but do not have wiki
    passwords
  • Users log into their home institution, which
    asserts user identity to the wiki

9
(No Transcript)
10
Shib Browser Profile
  • The user clicks the link "Login via InQueue IdP"
  • This initiates a sequence of steps known as the
    Shibboleth Browser Profile

[Diagram: message flow, steps 1–8, among the Client, the InQueue
"Where Are You From?" service, the UIUC IdP, and the OSU wiki SP]
11
(No Transcript)
12
Shib Browser Profile
  • InQueue provides a Where Are You From? service
  • The user chooses their preferred identity
    provider from a menu

[Diagram: same Client / InQueue / UIUC / OSU flow, steps 1–8]
13
(No Transcript)
14
Shib Browser Profile
  • The user is redirected to the UIUC login page
  • After login, the user is issued a SAML assertion
    and redirected back to the wiki

[Diagram: same Client / InQueue / UIUC / OSU flow, steps 1–8]
15
(No Transcript)
16
Shib Browser Profile
  • After validating the assertion, the wiki at OSU
    retrieves user attributes via back-channel Shib
    attribute exchange

[Diagram: same Client / InQueue / UIUC / OSU flow, steps 1–8]
17
Asserting Identity
  • Initially, the user is unknown to the wiki
  • After querying the home institution, the wiki
    knows the user's identity
  • trscavo-uiuc.edu is wiki-speak for
    trscavo@uiuc.edu
  • The latter is eduPersonPrincipalName, an identity
    attribute asserted by the user's home institution

18
OpenIdP.org
  • By design, a user with an account at an
    institution belonging to InCommon, InQueue, or
    SDSS can log into the wiki:
    https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/WebHome
  • Other users can register at openidp.org, which is
    a zero-admin Shibboleth IdP
  • OpenIdP asserts an alternate form of identity
    (email addresses as opposed to
    eduPersonPrincipalName)

19
Shibboleth SSO Profiles
20
The Actors
  • Identity Provider
    • The Identity Provider (IdP) creates, maintains,
      and manages user identity
    • A Shibboleth IdP produces SAML assertions
  • Service Provider
    • The Service Provider (SP) controls access to
      services and resources
    • A Shibboleth SP consumes SAML assertions

[Diagram: Identity Provider (Authentication Authority, Attribute Authority,
SSO Service, Artifact Resolution Service) and Service Provider (Assertion
Consumer Service, Attribute Requester, Resource)]
21
Shib SSO Profiles
  • Shibboleth SSO profiles are SP-first
  • Shibboleth specifies an Authentication Request
    Profile
  • Shibboleth Browser/POST Profile = Shib AuthN
    Request Profile + SAML Browser/POST Profile
  • Shibboleth Browser/Artifact Profile = Shib
    AuthN Request Profile + SAML
    Browser/Artifact Profile

22
Shib AuthN Request Profile
  • A Shibboleth authentication request is an
    ordinary GET request:
    https://idp.org/shibboleth/SSO?
      providerId=https://sp.org/shibboleth/
      &shire=https://sp.org/shibboleth/SSO
      &target=https://sp.org/myresource
      &time=1102260120
  • The client is redirected to this location after
    requesting a protected resource at the SP without
    a security context
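As an added example (not the presentation's or the Shibboleth project's code), here is how an IdP's SSO service can parse such a request and check it before authenticating the user. The registered SP metadata, the 300-second tolerance on `time`, and the requirement that `shire` be an endpoint registered for `providerId` are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed SP metadata: providerId -> registered assertion consumer ("shire") URLs
REGISTERED_SPS = {"https://sp.org/shibboleth/": {"https://sp.org/shibboleth/SSO"}}
MAX_AGE_SECONDS = 300   # assumed tolerance for the request's 'time' parameter

# Constructed request; the parameters mirror the example on the slide
SAMPLE_REQUEST = ("https://idp.org/shibboleth/SSO?providerId=https://sp.org/shibboleth/"
                  "&shire=https://sp.org/shibboleth/SSO&target=https://sp.org/myresource"
                  "&time=1102260120")

def parse_authn_request(url):
    """Extract the four Shibboleth request parameters, each exactly once."""
    qs = parse_qs(urlsplit(url).query, strict_parsing=True)
    params = {}
    for name in ("providerId", "shire", "target", "time"):
        if len(qs.get(name, [])) != 1:
            raise ValueError(f"parameter {name} missing or repeated")
        params[name] = qs[name][0]
    return params

def check_authn_request(params, now):
    """Checks the SSO service applies before authenticating the user; returns params."""
    acs_urls = REGISTERED_SPS.get(params["providerId"])
    if acs_urls is None:
        raise ValueError("providerId is not a registered SP")
    # Only POST the assertion to a consumer endpoint registered for that SP,
    # never to whatever location the request happens to name
    if params["shire"] not in acs_urls:
        raise ValueError("shire is not a registered endpoint of this SP")
    age = now - int(params["time"])   # 'time' is seconds since the Unix epoch
    if not 0 <= age <= MAX_AGE_SECONDS:
        raise ValueError("request time is outside the accepted window")
    return params
```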

23
Shib Browser/POST Profile
  • Browser/POST is an SP-first profile
  • The IdP produces an assertion at step 4, which
    the SP consumes at step 5

[Diagram: Browser/POST profile, steps 1–8, between the Client, the Identity
Provider (Authentication Authority, Attribute Authority, SSO Service) and the
Service Provider (Assertion Consumer Service, Resource)]
24
Attributes
25
Shib Attribute Exchange
  • A Shibboleth SP often queries an IdP for
    attributes after validating an authN assertion
  • An opaque, transient identifier called a handle
    is embedded in the authN assertion
  • The SP sends a SAML AttributeQuery message with
    the handle attached

26
Browser/POST Profile
  • The first 5 steps of this profile are identical
    to ordinary Browser/POST
  • Before redirecting the Client to the Resource
    Manager, the SP queries for attributes via a
    back-channel exchange

[Diagram: Browser/POST profile with attribute exchange, steps 1–10, between
the Client, the Identity Provider (Authentication Authority, Attribute
Authority, SSO Service) and the Service Provider (Assertion Consumer Service,
Attribute Requester, Resource)]
27
Browser/POST Step 1
  • The Client requests a target resource at the SP

[Diagram: same Client / Identity Provider / Service Provider flow, step 1 shown]
28
Browser/POST Step 2
  • The SP performs a security check on behalf of the
    target resource
  • If a valid security context at the SP does not
    exist, the SP redirects the Client to the single
    sign-on (SSO) service at the IdP

[Diagram: same Client / Identity Provider / Service Provider flow, steps 1–2 shown]
29
Browser/POST Step 3
  • The Client requests the SSO service at the IdP

[Diagram: same Client / Identity Provider / Service Provider flow, steps 1–3 shown]
30
Browser/POST Step 4
  • The SSO service processes the authN request and
    performs a security check
  • If the user does not have a valid security
    context, the IdP identifies the principal
    (details omitted)
  • The SSO service produces an authentication
    assertion and returns it to the Client

[Diagram: same Client / Identity Provider / Service Provider flow, steps 1–4 shown]
31
Browser/POST Step 5
  • The Client issues a POST request to the assertion
    consumer service at the SP
  • The authN assertion is included with the request

[Diagram: same Client / Identity Provider / Service Provider flow, steps 1–5 shown]
32
Browser/POST Step 6
  • The assertion consumer service validates the
    request and creates a security context at the SP
  • The attribute requester sends a (mutually
    authenticated) attribute query to the AA

[Diagram: same Client / Identity Provider / Service Provider flow, steps 1–6 shown]
33
Browser/POST Step 7
  • The IdP returns an attribute assertion subject to
    attribute release policy
  • The SP filters the attributes according to
    attribute acceptance policy

[Diagram: same Client / Identity Provider / Service Provider flow, steps 1–7 shown]
34
Browser/POST Step 8
  • The assertion consumer service updates the
    security context and redirects the Client to the
    target resource

[Diagram: same Client / Identity Provider / Service Provider flow, steps 1–8 shown]
35
Browser/POST Step 9
  • The Client requests the target resource at the SP
    (again)

[Diagram: same Client / Identity Provider / Service Provider flow, steps 1–9 shown]
36
Browser/POST Step 10
  • Since a security context exists, the SP returns
    the resource to the Client

[Diagram: same Client / Identity Provider / Service Provider flow, steps 1–10 shown]
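The SP-side checks of step 6 and the attribute query that follows, as an added example that is not the presentation's or the Shibboleth project's code. The SP and IdP identifiers are assumptions, the assertion is constructed sample data, and XML signature verification is assumed to have been done before these checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
HANDLE_FORMAT = "urn:mace:shibboleth:1.0:nameIdentifier"
NS = {"saml": SAML}
SP_PROVIDER_ID = "https://sp.org/shibboleth/"   # assumed: this SP's providerId
TRUSTED_IDPS = {"https://idp.org/shibboleth"}   # assumed: IdPs known from metadata

# Constructed sample assertion as POSTed at step 5 (XML signature assumed verified, omitted)
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" AssertionID="_a1"
  Issuer="https://idp.org/shibboleth" IssueInstant="2005-09-10T12:00:00Z">
  <saml:Conditions NotBefore="2005-09-10T11:59:00Z" NotOnOrAfter="2005-09-10T12:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>{SP_PROVIDER_ID}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2005-09-10T12:00:00Z"
    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier Format="{HANDLE_FORMAT}"
      NameQualifier="https://idp.org/shibboleth">_9f3c2a7e</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def parse_utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now):
    """Step 6 checks: returns (handle, name_qualifier) or raises ValueError."""
    a = ET.fromstring(xml_text)
    if a.get("Issuer") not in TRUSTED_IDPS:
        raise ValueError("issuer is not a known IdP")
    cond = a.find("saml:Conditions", NS)
    if not (parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if SP_PROVIDER_ID not in [e.text for e in cond.iterfind(".//saml:Audience", NS)]:
        raise ValueError("assertion is not addressed to this SP")
    nid = a.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if nid is None or nid.get("Format") != HANDLE_FORMAT:
        raise ValueError("subject carries no Shibboleth handle")
    return nid.text, nid.get("NameQualifier")  # the opaque, transient handle

def build_attribute_query(handle, name_qualifier):
    """The SAML AttributeQuery the attribute requester sends over the back channel."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", Resource=SP_PROVIDER_ID)
    subj = ET.SubElement(q, f"{{{SAML}}}Subject")
    nid = ET.SubElement(subj, f"{{{SAML}}}NameIdentifier",
                        Format=HANDLE_FORMAT, NameQualifier=name_qualifier)
    nid.text = handle
    return ET.tostring(q, encoding="unicode")
```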
37
Directory Schema
  • Neither Shibboleth nor SAML defines any attributes
    per se
  • It is left to individual deployments to define
    their own attributes
  • A standard approach to user attributes is crucial
  • Without such standards, interoperability is
    impossible

38
eduPerson
  • Internet2 and EDUCAUSE have jointly developed a
    set of attributes and associated bindings called
    eduPerson
  • The LDAP binding of eduPerson is derived from the
    standard LDAP object class called inetOrgPerson
    (RFC 2798)
  • Approximately 40 attributes have been defined by
    InCommon as common identity attributes

39
InCommon Attributes
  • InCommon's 6 highly recommended attributes

  Attribute Name              Attribute Value
  givenName                   Mary
  sn (surname)                Smith
  cn (common name)            Mary Smith
  eduPersonScopedAffiliation  student@example.org
  eduPersonPrincipalName      mary.smith@example.org
  eduPersonTargetedID         ?

  (eduPersonTargetedID does not have a precise
  value syntax)
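As an added example (not from the presentation), the attribute acceptance policy of Browser/POST step 7 applied to these six attributes: the scope registered for the issuing IdP, the policy itself and the affiliation vocabulary are assumptions, and the attribute values are constructed.

```python
# Assumed metadata: the scopes each IdP is permitted to assert
IDP_SCOPES = {"https://idp.example.org/shibboleth": {"example.org"}}
# Assumed acceptance policy: which attributes the SP accepts and which carry a scope
ACCEPTED = {"givenName", "sn", "cn", "eduPersonScopedAffiliation",
            "eduPersonPrincipalName", "eduPersonTargetedID"}
SCOPED = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}
AFFILIATIONS = {"faculty", "staff", "student", "alum", "member", "affiliate", "employee"}

def accept_attributes(issuer, attrs):
    """Return (kept, dropped): values that pass the policy, and the rest with a reason."""
    kept, dropped = {}, []
    allowed_scopes = IDP_SCOPES.get(issuer, set())
    for name, value in attrs:
        if name not in ACCEPTED:
            dropped.append((name, value, "not in acceptance policy"))
            continue
        if name in SCOPED:
            # A scoped value is only meaningful if the asserting IdP owns the scope
            local, sep, scope = value.rpartition("@")
            if not sep or scope not in allowed_scopes:
                dropped.append((name, value, "scope not registered for issuer"))
                continue
            if name == "eduPersonScopedAffiliation" and local not in AFFILIATIONS:
                dropped.append((name, value, "unknown affiliation"))
                continue
        kept.setdefault(name, []).append(value)
    return kept, dropped

# Constructed attribute assertion contents (name, value) as returned at step 7
SAMPLE_ATTRS = [
    ("givenName", "Mary"), ("sn", "Smith"), ("cn", "Mary Smith"),
    ("eduPersonScopedAffiliation", "student@example.org"),
    ("eduPersonPrincipalName", "mary.smith@example.org"),
    ("eduPersonPrincipalName", "mary.smith@other.example"),  # scope this IdP may not assert
    ("eduPersonScopedAffiliation", "staff@example.org"),
    ("unlistedAttr", "x"),                                   # not in the policy
]
```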