
Shibboleth, a potential security framework for the TDWG architecture


Presentation Transcript


  1. Shibboleth, a potential security framework for the TDWG architecture 09/18/2007 Bratislava, TDWG 2007 Conference

  2. What is Shibboleth?
     • Internet2 Middleware Project which
       • aims to develop a standards-based solution enabling organizations to exchange user information in a secure and privacy-preserving manner
       • is developed by a group of leading campus middleware architects (since 2000)
     • Inter-organisational single sign-on (SSO) service for web services
     • Uses several widely implemented standards such as
       • Security Assertion Markup Language (SAML), XML, XML Signature
       • Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL)
       • SOAP, Lightweight Directory Access Protocol (LDAP)
     • Relies on or extends existing Identity Management solutions in organisations
     • Supported by a range of mostly academic networks (libraries in particular)
       • e.g. JSTOR, OCLC, VASCODA
     • Open Source (Apache Software License 2.0)

  3. Why use Shibboleth?
     • Highly distributed organisational (infra-)structure
       • Cross-national conglomerate of
         • Universities, Institutes, Botanical Museums, (private) Collections, others
         • Service Providers, Databases, Hosts, Applications, …
         • Users, System Administrators
       • Members have individual security or organisational requirements
     • Problem: Identity Management
       • Current situation is error-prone and resource-consuming:
         • Users have to authenticate multiple times to access different services
         • Problems remembering the individual authentication ids (e.g. user/pass) for services
         • System administrators have to manage access control for these services
         • Individual maintenance of user accounts and access control for each service or resource
     • Need for a comfortable Single Sign-On (SSO) solution considering
       • Security and organisational requirements of providers
       • Security and privacy aspects of users (EU data protection and privacy directive)
       • Easy to integrate with existing web environments
         • supports e.g. Apache, IIS

  4. Shibboleth Key Concepts
     • Federations
       • a framework for multiple, scalable trust and policy sets
       • specifies a group of organisations that abide by a common set of policies and practices
       • enables interaction without defining bilateral agreements between federated parties
     • Attribute Based Access Control
       • access control decisions are made using attribute assertions
       • assertions may include identity, but will not require this
       • access may be granted based on e.g. group membership or origin site
       • a standard (yet extensible) attribute-value vocabulary
         • e.g. eduPerson includes widely used person attributes in higher education
     • Active Privacy Management
       • users control what information is released to service providers
       • individuals can manage attribute release via a web-based user interface
       • frees users from being at the mercy of the service providers' privacy policies

  5. Shibboleth Main Components
     • Identity Provider (IdP)
       • maintains user credentials and attributes
       • provides attribute assertions to relying parties (SP sites)
       • is responsible for authenticating users (using any reliable means)
       • single sign-on (SSO) service initiates the authentication process
       • authentication authority issues authentication statements to others (SPs)
     • Service Provider (SP)
       • manages secured resources
       • access is granted based on assertions requested from an IdP
       • assertion consumer service processes authentication assertions returned by the IdP's SSO service
         • attribute requester initiates optional attribute requests
         • establishes a security context at the SP
         • redirects the client to the desired target resource
     • "Where are you from?" (WAYF) service (optional)
       • proxy for authentication requests passed from SPs to the IdP's SSO service
       • used by SPs to determine the user's preferred IdP (user interaction possible)

  6. Shibboleth Authentication Procedure (Source: http://switch.ch/aai/demo/easy.html)

  7. Shibboleth Federations (Source: http://switch.ch/aai/about/federation/)

  8. Shibboleth benefits (Source: http://switch.ch/aai/about/)
     • IdP benefits
       • simple integration in existing identity management
       • no additional effort when establishing new services (user account and IP address management)
     • SP benefits
       • relief from user and account data management
       • authorisation based on defined properties
     • User benefits
       • only a single digital identity for SSO, location-independent access
       • data transparency and data privacy management

  9. Shibboleth Integration in EDIT
     [Diagram labels: IdP, LDAP, ViTaL, CDM Web Services, ExpertDB, SP (×4), Community Sites, User]
     • protect different services and resources individually
     • establish a provisional EDIT federation
       • eases and unifies access to resources
       • open to other (TDWG) service providers on request
       • share resources => share charges, e.g. ViTaL (Virtual Library)
     • unified management of user data & credentials
       • combining IdP + ExpertDB

  10. EDIT Federation – Attribute Details

  11. Shibboleth Resources
     • EDIT Developer Wiki
       • http://dev.e-taxonomy.eu/trac/wiki/Shibboleth
     • Shibboleth Home Page
       • http://shibboleth.internet2.edu/
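
The attribute release (slide 4, Active Privacy Management) and attribute-based access decision (slides 4 and 5) can be modelled in a few lines of Python. This is an added example, not part of the original presentation and not Shibboleth's own code or wire format; the entity IDs, the entitlement value, the function names and the audience check are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Shibboleth's code or SAML itself.
from dataclasses import dataclass

# Constructed directory entry held by the IdP (e.g. in LDAP); values are made up.
USER_RECORD = {
    "eduPersonPrincipalName": "jdoe@example.org",
    "mail": "jdoe@example.org",
    "eduPersonAffiliation": ["member", "staff"],
    "eduPersonEntitlement": ["urn:example:vital:reader"],
}

# Per-SP attribute release policy (hypothetical SP identifiers).
RELEASE_POLICY = {
    "https://vital.example.org/sp": {"eduPersonAffiliation", "eduPersonEntitlement"},
    "https://expertdb.example.org/sp": {"eduPersonPrincipalName", "mail"},
}

# IdPs that are members of the (hypothetical) federation.
FEDERATION_IDPS = {"https://idp.example.org/shibboleth"}

@dataclass(frozen=True)
class Assertion:
    issuer: str        # origin site: the IdP vouching for the attributes
    audience: str      # the SP this assertion was issued for
    attributes: dict

def idp_issue(idp_id, sp_id, record=USER_RECORD, policy=RELEASE_POLICY):
    """IdP side: release only the attributes the policy allows for this SP."""
    allowed = policy.get(sp_id, set())          # unknown SP: release nothing
    released = {k: v for k, v in record.items() if k in allowed}
    return Assertion(issuer=idp_id, audience=sp_id, attributes=released)

def sp_authorize(sp_id, assertion, trusted_idps, rule):
    """SP side: check federation trust and audience, then the attribute rule."""
    if assertion.issuer not in trusted_idps:    # IdP is outside the federation
        return False
    if assertion.audience != sp_id:             # issued for a different SP
        return False
    return rule(assertion.attributes)

def vital_rule(attrs):
    """Grant access to staff holding the reader entitlement; no user id needed."""
    return ("staff" in attrs.get("eduPersonAffiliation", [])
            and "urn:example:vital:reader" in attrs.get("eduPersonEntitlement", []))
```

The SP reaches its decision from affiliation and entitlement alone, so the user's principal name and mail address never leave the IdP for that service.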
