An introduction to Shibboleth and MATU
James Mulhern, support@matu.ac.uk
6th April 2005

Eduserv
• About Eduserv
  • Eduserv Athens
  • Eduserv CHEST
  • Eduserv Internet
  • Eduserv Foundation
  • Awarded the contract to operate the MATU service
• About me
  • Research and Development:
    • Access and Identity Management
    • Mobility
    • Content Management

Topics
• What is Access Management?
• What is MATU?
• What is Shibboleth, and what isn't it?
• What can it do for you?
• How do you go about using it?
• What are the pitfalls?
• How can we help, and what can you expect from us?

Access Management Explained
• Access and Identity Management is all around you
• Especially needed in the online world
• Two core processes:
  • Authentication: verifying your identity
  • Authorisation: establishing your privileges
(Image: The Opte Project, "The Internet", Nov '03)

Common Problems with Access Management Systems
• Proliferation of credentials
  • One pair of credentials per resource
  • Forgotten passwords
• Security and integrity compromised
  • The "abc123" issue (weak, guessable passwords)
  • Passwords sent in the clear and shared
• Lack of granularity down to the individual and their attributes
• Proprietary systems: locked in
• No organisational control centre

Access Management Goals
• Security and integrity
• Scalable: straightforward access to a growing number of diverse resources
• Reduced number of credentials
• Make it straightforward to manage identities
• UK ahead of the game with Athens
  • However, many internal institutional credentials remain
• The solution:
  • Single Sign On to resources through a Federated Access Management System
  • JISC have identified Shibboleth

What does Institutional Single Sign-on help you achieve?
(Diagram: a local authentication system (usernames & passwords) and user attributes (names, email, role), held in a database or directory, feed an SSO layer; local web resources (Portal, VLE, OPAC) and, via Shibboleth/SAML, external web resources (Journals) hang off it.)

What is Shibboleth?
• Shibboleth forms a part of an organisation's Single Sign On environment for access to protected web resources by facilitating the exchange of authorisation and authentication information between organisations and service providers.
• Shibboleth works in conjunction with an organisation's authentication system and user information databases and allows a service provider to make authorisation decisions based on that information.

But what is it?
• "Shibboleth is the architecture, protocol and the software" (Bob Morgan, Internet2)
• A project sponsored by Internet2
  • Defined the Shibboleth architecture
  • An open source implementation
  • Supports Shibboleth in US HE
• In essence:
  • An architecture and policy framework supporting the sharing of secured web resources
  • Software and a set of profiles based on the OASIS SAML 1.1 standard

So what is SAML?
• Security Assertion Markup Language
• An XML language for the exchange of authentication and attribute assertions
• SAML profiles extend its capability, e.g. Shibboleth
• Rapidly adopted by many
• Standard ratified by OASIS (Organization for the Advancement of Structured Information Standards)

Organisational Single Sign-on
(Diagram, as before: local authentication system (usernames & passwords), user attributes (names, email, role) in a database or directory, an SSO layer, local web resources (Portal, VLE, OPAC) and external web resources (Journals) reached via Shibboleth/SAML.)

But what about Athens?
• Athens has a significant take-up
• Solves many of the problems described
• Shibboleth is a natural evolution
• Convergence on SAML 2
• Athens working on interoperability with Shibboleth
  • Shibboleth to Athens Gateway: available now
  • Athens to Shibboleth Gateway: available later this year

What's special or unique about Shibboleth?
• Open: standard and source
• Free to install
• Aligned to international initiatives
• Designed with Education in mind
• Mechanisms to preserve privacy (anonymity)
• Attribute based authorisation

What can Shibboleth do for you?
• Greater control
• Greater flexibility
• Greater capability
• International alignment: going with the flow
• Granularity of authorisation: targeted/locked-down access
• Cost saving

Shibboleth and E-learning
• Commercial vendors coming on board
  • Blackboard
  • WebCT
• Working examples: Iamsect
• Some open source projects have demonstrated capability:
  • Core Middleware project:
    • Guanxi – Bodington
    • KC-ROLO

What is MATU?
• The Middleware Assisted Take-Up Service
• New service to support Shibboleth in HE/FE
• JISC funded pilot project
• Official launch: 12th April 2005

MATU: Our Objectives
• To provide a central repository of information, advice, training and support to JISC Shibboleth Early Adopters
• To scope the future service requirements of HE and FE institutions wishing to adopt Shibboleth for institutional access management

MATU & You
• Growing community of people using and developing expertise
• Access to people who can really help you make the most of Shibboleth
• A focal point to bring together resources and expertise
• Long term relationship
  • Partnership
  • Mutual support
  • Impartial advice and assistance

What does the service offer?
• A comprehensive website
  • FAQs, guidance, installation guides, business cases
• Service desk
  • Telephone and email support
  • Access to some of the leading experts on Access Management and Shibboleth
• Test infrastructure
• Training
  • Classroom training
  • Seminars
  • Annual conference
• Software download
  • Internet2 software
  • Eduserv software

Basic Shibboleth Terminology
• Federation: a group/club of "organisations"
• Identity Provider: responsible for verifying the identity of an individual; typically an institution
• Service Provider: an organisation providing a resource, e.g. a publisher
• Attributes: information describing things, typically a person, e.g.
  • John Smith is a member of Fulchester Uni
  • John Smith is a student
• Assertion: a statement specifying a fact; used to confirm an authentication; usually digitally signed to limit the risk of fraud
• Credentials: data supplied by a user to identify themselves, e.g. username and password

Federations Explained
• A federation is a group of organisations
• Defines a set of agreed policies and rules for access to online resources
  • Enables members to establish trust
  • Enables members to share a common understanding
  • Simplifies relationships
• Typically provides a WAYF ("Where Are You From?") service
• You may like to think of Athens as a proto-federation

What Federations are there?
• Internet2
  • InQueue: a test federation
  • InCommon: a production federation (primarily US-centric)
• Eduserv
  • Eduserv Test Federation
  • Eduserv InAthens Production Federation
• SDSS Federation
  • A development federation for Core Middleware projects
• JISC expect there to be a national federation in the future

Choosing a federation
• Institution choice …
• Main differentiators:
  • Resources available
  • Membership requirements
• Can be a member of multiple federations
  • Think about the usability issues…
• Some will set up their own federations
  • Mini-federations – akin to MANS?
• No robust methods yet for inter-federation bridging etc …
• Set a federation shelf life – avoid YASC

Attribute Schemas
• A mechanism for standardising attributes
• eduPerson – another US initiative
  • LDAP object class for Education
  • Specifies the keys but not the permitted values
• LSE proposed UKEduPerson
• Can extend to "local" attributes
• A federation may prescribe mandatory attributes and permissible values

Example Attributes
• eduPersonPrincipalName
• eduPersonScopedAffiliation
• eduPersonTargetedID
• Given name
• Surname
• Common name
• eduPersonEntitlement

The components
(Diagram of the Shibboleth components and their abbreviations.)
• Where Are You From? service (WAYF)
• Identity Provider:
  • Handle Service (HS)
  • Attribute Authority (AA)
  • User DB
• Service Provider:
  • Assertion Consumer Service (ACS)
  • Attribute Requester (AR)
  • Resource Manager
  • Resource

The Process
(Diagram: the numbered exchange between the user, the WAYF, the Identity Provider (Handle Service, User DB, Attribute Authority) and the Service Provider (ACS, Attribute Requester, Resource Manager, Resource).)
1: Make Request
2: Redirect to WAYF
3: Query User
4: (unlabelled in the diagram)
5: Redirect to Handle Service
6: Auth Challenge
7: Credentials
8: Pass Handle (Handle Service to ACS)
9: Request Attributes (Attribute Requester to Attribute Authority, presenting the handle)
10: Return Attributes
Authorise access

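The exchange on this slide, with the Handle Service, Attribute Authority, Attribute Requester and the release/acceptance policies named on the terminology and components slides, as an added model in Python (not code from the MATU service or the Shibboleth project). The institution, publisher, user, passwords and policy contents are constructed, and SAML message formats and signatures are left out; what it shows is why the SP only ever sees an opaque handle, why the handle is single-use, and why the SP must check the scope of an affiliation against what the federation says that IdP may assert.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class IdentityProvider:
    scope: str            # domain this IdP may assert for, e.g. fulchester.ac.uk
    credentials: dict     # username -> password (the local authentication system)
    attributes: dict      # username -> attribute dict (the user information store)
    release_policy: dict  # sp_id -> attribute names it may see (Attribute Release Policy)
    handles: dict = field(default_factory=dict)

    def issue_handle(self, username, password):
        """Handle Service (steps 6-8): authenticate locally, return an opaque handle."""
        if self.credentials.get(username) != password:
            raise PermissionError("authentication failed")
        handle = secrets.token_hex(16)  # tells the SP nothing about who the user is
        self.handles[handle] = username
        return handle

    def attribute_query(self, handle, sp_id):
        """Attribute Authority (steps 9-10): release only what the ARP allows this SP."""
        username = self.handles.pop(handle, None)  # a handle is single-use
        if username is None:
            raise PermissionError("unknown or already-used handle")
        allowed = self.release_policy.get(sp_id, set())
        return {k: v for k, v in self.attributes[username].items() if k in allowed}

@dataclass
class ServiceProvider:
    sp_id: str
    scopes_by_idp: dict        # from federation metadata: IdP scope -> scopes it may assert
    required_affiliation: str  # e.g. "student"

    def authorise(self, idp, handle):
        """Attribute Requester + Attribute Acceptance Policy, then the access decision."""
        attrs = idp.attribute_query(handle, self.sp_id)
        role, _, scope = attrs.get("eduPersonScopedAffiliation", "").partition("@")
        # AAP scope check: reject an affiliation in a scope this IdP is not trusted for
        if scope not in self.scopes_by_idp.get(idp.scope, set()):
            return False
        return role == self.required_affiliation

FULCHESTER = IdentityProvider(  # constructed sample institution (IdP) and publisher (SP)
    scope="fulchester.ac.uk", credentials={"jsmith": "correct-horse"},
    attributes={"jsmith": {"eduPersonScopedAffiliation": "student@fulchester.ac.uk", "sn": "Smith"}},
    release_policy={"journals.example": {"eduPersonScopedAffiliation"}})
JOURNALS = ServiceProvider("journals.example", {"fulchester.ac.uk": {"fulchester.ac.uk"}}, "student")

def demo():
    handle = FULCHESTER.issue_handle("jsmith", "correct-horse")  # user authenticates at the IdP
    return JOURNALS.authorise(FULCHESTER, handle)                 # SP fetches attributes, decides
```

Note that the surname is held by the IdP but never reaches the publisher, because the release policy for that SP lists only the scoped affiliation.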
How do I get started?
• Visit our website, read our documents
• Talk to us
• Think carefully about how you are going to use Shibboleth
  • Who are your users?
  • Where are your users?
  • What are you looking to access/share/protect?
• Make sure you know who you and your stakeholders are!
  • Identity Provider
  • Service Provider
  • Both!
• Align your Access Management environment to your IT strategy, and adapt
• Align your Attribute Release Policy with institutional DP (Data Protection) and Privacy policies
• Ensure you have all the necessary building blocks
  • A populated information store
  • A Web SSO system
• Plan how you are going to deliver and resource your new service
• Decide which federation is best for you
• Decide which software is best for you

What do I need?
• User IDs and credentials
  • Database
  • Directory
• A web-based Single Sign On system, e.g.
  • Pubcookie
  • Yale CAS
  • Bespoke
• Information about your users
  • Database
  • Directory
  • Flat files
• NTP infrastructure
• Skilled people

What Technical Skills are required?
• Depends on what you want to do
• Depends on what systems you do it on
• But assuming an open source approach:
  • Familiarity with Unix/Linux
  • Experience in installing and using Apache and SSL
  • Familiarity with Java and experience in using a servlet engine
  • Some familiarity with directories and schemas

Are there books on this stuff?
• No, but there is lots of documentation online
• Some of it's good…
• A good pair of guides are the following by Iamsect:
  • "Installing Pubcookie on Redhat AS 3.0 and authenticating against Windows Active Directory"
  • "Installing Shibboleth on Redhat AS 3.0 and using pubcookie"
  • http://iamsect.ncl.ac.uk/deliverables

What software will I require to be an Identity Provider?
• Java: Sun J2SE JDK
• A web server with SSL
  • Apache, IIS
• A Java servlet engine or application server
  • Tomcat or Jetty
  • WebSphere, BEA WebLogic, ColdFusion
• A user information store
  • Directory, database, flat file
• A Web SSO
  • Pubcookie
  • Yale CAS
• Shibboleth Identity Provider bundle

Identity Provider: What am I going to do?
• Join a federation
• Make sure that your user IDs can map to your user attributes
• Install and configure software and schemas
• Integrate the Shibboleth Handle Service with your SSO system (there may already be a connector)
• Define an Attribute Release Policy

What Software do I need to be a Service Provider?
• C and C++ compiler, unless using binaries
• An Apache or IIS web server with SSL
• OpenSSL
• OpenSAML
• SunRPC
• Shibboleth Service Provider bundle
  • Shibboleth Apache module or IIS ISAPI filter
  • Shibboleth Attribute Request software

Service Provider: What am I going to do? How do I protect my resources?
• Join a federation
• Install and configure software
• Produce an Attribute Acceptance Policy
• Configure protection in the web server or application
  • e.g. an Apache Location container

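As an added illustration of the last point (not from the slides or the Iamsect guides), this Apache fragment contrasts a blanket session requirement with an attribute-based rule. It assumes the Shibboleth 1.x SP Apache module's `AuthType shibboleth` and `ShibRequireSession` directives, the SP's default Attribute Acceptance Policy alias `affiliation` for eduPersonScopedAffiliation, and constructed paths and scope.

```apache
# Added example, not from the MATU slides. Directive names follow the Shibboleth 1.x
# SP Apache module; the paths, the "affiliation" alias and the scope are assumed.

# Weak for licensed content: any user holding a Shibboleth session from any IdP in
# the federation is admitted. Acceptable only where every federation member may see it.
<Location /preview>
    AuthType shibboleth
    ShibRequireSession On
    require valid-user
</Location>

# Better: authorise on a released attribute. Only students of the institution that
# holds the licence get in, and the SP's Attribute Acceptance Policy should already
# have discarded any affiliation whose scope the asserting IdP is not trusted for.
<Location /journals>
    AuthType shibboleth
    ShibRequireSession On
    require affiliation student@fulchester.ac.uk
</Location>
```

Keep the attribute set in such rules small, as the "limit your use of attributes" advice later in the deck suggests; each attribute you require is one more the IdP must release and you must protect.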
What hardware will I require?
• Much of your Shibboleth architecture may already exist
• New bits may well reside on your existing infrastructure
• Production service: have you somewhere safe to develop and test?
• Production service: have you reduced single points of failure to acceptable levels?

What should I remember?
• Plan
• Keep it simple: limit your use of attributes
• Play, test, prototype, but avoid live kit
• Put the necessary prerequisites in place
• Weigh up privacy vs personalisation
• Avoid involving the lawyers too much
• Do not go it alone

Where do we go from here?
• Remember: MATU is here to support you in using Shibboleth
• We want to talk to you
• We want to understand your requirements
• You need to plan
• Forthcoming Early Adopters meeting

How do I get in contact?
• Email: support@matu.ac.uk
• Telephone: 01225 474373
• Post:
  MATU Support
  Eduserv
  Queen Anne House
  11 Charlotte Street
  BATH BA1 2NE

Where can I find out more?
• About MATU:
  • www.matu.ac.uk
• Other resources about Shibboleth:
  • shibboleth.internet2.edu
  • www.switch.ch