Shibboleth, a potential security framework for the TDWG architecture 09/18/2007 Bratislava, TDWG 2007 Conference
What is Shibboleth?
• Internet2 Middleware Project which
  • aims to develop a standards-based solution enabling organisations to exchange user information in a secure and privacy-preserving manner
  • has been developed by a group of leading campus middleware architects (since 2000)
• Inter-organisational single sign-on (SSO) service for web services
• Uses several widely-implemented standards such as
  • Security Assertion Markup Language (SAML), XML, XML Signature
  • Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL)
  • SOAP, Lightweight Directory Access Protocol (LDAP)
• Relies on or extends the existing Identity Management solutions of organisations
• Supported by a range of mostly academic networks (libraries in particular)
  • e.g. JSTOR, OCLC, VASCODA
• Open Source (Apache Software License 2.0)
18/09/2007 TDWG 2007 Conference, Bratislava
Why use Shibboleth?
• Highly distributed organisational (infra)structure
  • Cross-national conglomerate of
    • Universities, Institutes, Botanical Museums, (private) Collections, others
    • Service Providers, Databases, Hosts, Applications, …
    • Users, System Administrators
  • Members have individual security or organisational requirements
• Problem: Identity Management
  • The current situation is error-prone and resource consuming:
    • Users have to authenticate multiple times to access different services
    • Users struggle to remember a separate set of credentials (e.g. user/password) for each service
    • System administrators have to manage access control for each of these services
    • User accounts and access control are maintained separately for every service or resource
• Need for a convenient Single Sign-On (SSO) solution that takes into account
  • Security and organisational requirements of providers
  • Security and privacy aspects of users (EU data protection and privacy directive)
  • Easy integration with existing web environments
    • supports e.g. Apache, IIS
Shibboleth Key Concepts
• Federations
  • a framework for multiple, scalable trust and policy sets
  • specifies a group of organisations that abide by a common set of policies and practices
  • enables interaction without defining bilateral agreements between federated parties
• Attribute Based Access Control
  • access control decisions are made using attribute assertions
  • assertions may include identity, but do not require it
  • access may be granted based on e.g. group membership or origin site
  • a standard (yet extensible) attribute-value vocabulary
    • e.g. eduPerson includes widely-used person attributes in higher education
• Active Privacy Management
  • users control what information is released to service providers
  • individuals can manage attribute release via a web-based user interface
  • users are no longer at the mercy of the service provider's privacy policies
Shibboleth Main Components
• Identity Provider (IdP)
  • maintains user credentials and attributes
  • provides attribute assertions to relying parties (SP sites)
  • is responsible for authenticating users (using any reliable means)
  • single sign-on (SSO) service initiates the authentication process
  • authentication authority issues authentication statements to others (SPs)
• Service Provider (SP)
  • manages secured resources
  • access is granted based on assertions requested from an IdP
  • assertion consumer service processes authentication assertions returned by the IdP's SSO service
  • attribute requester initiates optional attribute requests
  • establishes a security context at the SP
  • redirects the client to the desired target resource
• "Where are you from?" (WAYF) service (optional)
  • proxy for authentication requests passed from SPs to the IdP's SSO service
  • used by SPs to determine the user's preferred IdP (user interaction possible)
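The key concepts and components on the two slides above, as an added worked example. This is a constructed toy model written for this page, not Shibboleth code: a real IdP issues SAML assertions carrying an XML Signature, whereas here an assertion is a JSON dict signed with HMAC-SHA256 over a shared key, standing in for the IdP signing key the SP would learn from federation metadata. The entity IDs, the user "jdoe", the password, the attribute values and the 60-second clock-skew allowance are all made up; the WAYF step is omitted. What it shows is the division of labour the slides describe: the IdP authenticates against its directory, applies the user's own attribute release policy (active privacy management), and issues a short-lived assertion scoped to one SP; the SP's assertion consumer checks issuer, signature, audience, validity window and replay before establishing a security context, and authorisation is then decided on a released eduPerson attribute rather than on identity.

```python
import hashlib
import hmac
import json
import secrets
import time


def sign(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over canonical JSON; stands in for the XML Signature on a SAML
    assertion (assumption of this toy model, not how Shibboleth signs)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Holds credentials and attributes, authenticates users, issues assertions."""

    def __init__(self, entity_id: str, signing_key: bytes, directory: dict):
        self.entity_id = entity_id
        self.key = signing_key
        self.directory = directory   # LDAP stand-in: uid -> {"pw_sha256", "attributes"}
        self.release = {}            # (uid, sp_entity_id) -> attribute names the user releases

    def set_release(self, uid: str, sp_entity_id: str, names) -> None:
        """Active privacy management: the user decides what each SP may see."""
        self.release[(uid, sp_entity_id)] = set(names)

    def authenticate(self, uid: str, password: str) -> bool:
        entry = self.directory.get(uid)
        if entry is None:
            return False
        digest = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(entry["pw_sha256"], digest)

    def issue_assertion(self, uid: str, sp_entity_id: str, lifetime: int = 300) -> dict:
        """Short-lived assertion scoped to one SP, carrying only released attributes."""
        allowed = self.release.get((uid, sp_entity_id), set())
        attrs = {k: v for k, v in self.directory[uid]["attributes"].items() if k in allowed}
        now = int(time.time())
        body = {"id": "_" + secrets.token_hex(8), "issuer": self.entity_id,
                "audience": sp_entity_id, "issued": now, "expires": now + lifetime,
                "attributes": attrs}
        return {"body": body, "sig": sign(self.key, body)}


class ServiceProvider:
    """Assertion consumer service: validates the assertion, builds a security context."""

    def __init__(self, entity_id: str, trusted_idps: dict):
        self.entity_id = entity_id
        self.trusted = trusted_idps  # issuer -> verification key, as from federation metadata
        self.seen = set()            # assertion IDs already consumed (replay cache)

    def consume(self, assertion: dict, now: int = None) -> dict:
        body, sig = assertion["body"], assertion["sig"]
        key = self.trusted.get(body["issuer"])
        if key is None:
            raise ValueError("issuer not in federation metadata")
        if not hmac.compare_digest(sign(key, body), sig):
            raise ValueError("signature check failed")
        if body["audience"] != self.entity_id:
            raise ValueError("assertion issued for another SP")
        now = int(time.time()) if now is None else now
        if not body["issued"] - 60 <= now <= body["expires"]:  # 60 s clock skew allowed
            raise ValueError("assertion outside validity window")
        if body["id"] in self.seen:
            raise ValueError("assertion replayed")
        self.seen.add(body["id"])
        return dict(body["attributes"])  # the SP's security context for this session


def authorize(context: dict, attribute: str, value: str) -> bool:
    """Attribute-based access control: grant if the released attribute carries the value."""
    return value in context.get(attribute, [])


def run_flow() -> dict:
    """Constructed scenario: one IdP, two SPs, a user who releases only
    eduPersonAffiliation (not mail) to the first SP."""
    key = b"constructed-idp-signing-key"
    directory = {"jdoe": {
        "pw_sha256": hashlib.sha256(b"correct horse").hexdigest(),
        "attributes": {"eduPersonPrincipalName": "jdoe@example.edu",
                       "eduPersonAffiliation": ["member", "staff"],
                       "mail": "jdoe@example.edu"}}}
    idp = IdentityProvider("https://idp.example.edu/idp/shibboleth", key, directory)
    vital = ServiceProvider("https://vital.example.org/shibboleth", {idp.entity_id: key})
    other = ServiceProvider("https://other.example.org/shibboleth", {idp.entity_id: key})
    idp.set_release("jdoe", vital.entity_id, ["eduPersonAffiliation"])

    out = {"login_ok": idp.authenticate("jdoe", "correct horse"),
           "login_bad": idp.authenticate("jdoe", "wrong")}
    assertion = idp.issue_assertion("jdoe", vital.entity_id)
    ctx = vital.consume(assertion)
    out["context"] = ctx
    out["staff_access"] = authorize(ctx, "eduPersonAffiliation", "staff")
    out["faculty_access"] = authorize(ctx, "eduPersonAffiliation", "faculty")

    def rejected(sp, a, now=None):
        try:
            sp.consume(a, now)
            return None
        except ValueError as e:
            return str(e)

    out["replay"] = rejected(vital, assertion)          # same assertion presented twice
    out["wrong_sp"] = rejected(other, assertion)        # audience is the other SP
    tampered = json.loads(json.dumps(assertion))
    tampered["body"]["attributes"]["eduPersonAffiliation"].append("faculty")
    out["tampered"] = rejected(vital, tampered)         # attribute edited after signing
    out["stale"] = rejected(vital, idp.issue_assertion("jdoe", vital.entity_id),
                            now=int(time.time()) + 3600)  # presented an hour late
    return out


if __name__ == "__main__":
    for k, v in run_flow().items():
        print(f"{k}: {v}")
```

The SP-side checks are the ones worth keeping in mind when reading the authentication procedure: an assertion that passes the signature check but is not bound to this SP (audience) or has been presented before (replay) is exactly what lets a token meant for one service be reused against another, and the release policy is what keeps "mail" out of the first SP's context even though the directory holds it.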
Shibboleth Authentication Procedure (figure; source: http://switch.ch/aai/demo/easy.html)
Shibboleth Federations (figure; source: http://switch.ch/aai/about/federation/)
Shibboleth Benefits (source: http://switch.ch/aai/about/)
• IdP benefits
  • simple integration into existing identity management
  • no additional effort to establish new services (user account and IP-address management)
• SP benefits
  • relief from user and account data management
  • authorisation based on defined user properties (attributes)
• User benefits
  • only a single digital identity for SSO, location-independent access
  • data transparency and data privacy management
Shibboleth Integration in EDIT
(diagram labels: User; IdP, LDAP, ExpertDB; SP ×4: ViTaL, CDM Web Services, Community Sites)
• protect different services and resources individually
• establish a provisional EDIT federation
  • eases and unifies access to resources
  • open to other (TDWG) service providers on request
  • share resources => share charges, e.g. ViTaL (Virtual Library)
• unified management of user data & credentials
  • combining IdP + ExpertDB
EDIT Federation – Attribute Details (slide content not extracted)
Shibboleth Resources
• EDIT Developer Wiki
  • http://dev.e-taxonomy.eu/trac/wiki/Shibboleth
• Shibboleth Home Page
  • http://shibboleth.internet2.edu/