Shibboleth Update: High-Level Browser Pass and Authentication Flow
Shibboleth Update
Michael Gettes, Principal Technologist, Georgetown University
Ken Klingenstein, Director, Internet2 Middleware Initiative
Shibboleth Architecture Concepts - High Level Browser Pass
[Diagram: Browser, Target Web Server (Target Site), Origin Site. First Access - Unauthenticated; Authentication Phase; Authorization Phase; "Pass content if user is allowed".]
Shibboleth Architecture Concepts (detail)
[Diagram: Browser, Target Web Server (Target Site), Web Login Server and Attribute Server (Origin Site). Labels grouped by phase:]
• First Access - Unauthenticated: Browser requests content from the Target Web Server
• Authentication Phase: Redirect User to Local Web Login; Authentication at the Web Login Server; Auth OK
• Second Access - Authenticated: Ask to Obtain Entitlements; Ent Prompt; Req Ent; Entitlements returned by the Attribute Server
• Authorization Phase: Pass entitlements for authz decision; Success! Pass content if user is allowed
Descriptions of services
• local authn server - assumed part of the campus environment
• web sso server - typically works with local authn service to provide web single sign-on
• resource manager proxy, resource manager - may serve as control points for actual web page access
• attribute authority - assembles/disassembles/validates signed XML objects using attribute repository and policy tables
• attribute repository - an LDAP directory, or roles database or….
• Where are you from service - one possible way to direct external users to their own local authn service
• attribute mapper - converts user entitlements into local authorization values
• PDP - policy decision points - decide if user attributes meet authorization requirements
• SHAR - Shibboleth Attribute Requestor - used by target to request user attributes
Shibboleth Architecture -- Managing Trust
[Diagram: Browser, Target Web Server and Shib engine (Target Site), Attribute Server (Origin Site); TRUST relationship between Target Site and Origin Site.]
Personal Privacy
• Web Login Server provides a pseudonymous identity
• An Attribute Authority releases Personal Information associated with that pseudonymous identity to site X based on:
  • Site Defaults
  • Business Rules
  • User control (myAA)
  • Filtered by Contract provisions
[Diagram: User, Browser, My AA, Site Defaults, Contract Provisions.]
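The browser flow and attribute release policy from the slides above, as an added simulation that is not code from the presentation or from the Shibboleth project: the target redirects a first, unauthenticated access to the origin's web login; the origin issues a pseudonymous handle; the target's SHAR asks the origin's attribute authority for attributes, which are released only as far as site defaults and the user's own control allow; and a PDP decides. All user names, sites, attributes and policies are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data: the origin's user store and its release policy
# (site defaults per target, narrowed by the user's own control, "myAA").
USERS = {
    "alice": {"password": "alice-pw", "mail": "alice@origin.example",
              "eduPersonAffiliation": ["member", "staff"],
              "eduPersonEntitlement": ["urn:mace:example:library"]},
    "bob": {"password": "bob-pw", "mail": "bob@origin.example",
            "eduPersonAffiliation": ["member"], "eduPersonEntitlement": []},
}
SITE_DEFAULTS = {"target.example": {"eduPersonAffiliation", "eduPersonEntitlement"},
                 "other.example": {"eduPersonAffiliation", "mail"}}
USER_CONTROL = {("alice", "other.example"): {"eduPersonAffiliation"}}  # alice withholds mail

@dataclass
class OriginSite:
    handles: dict = field(default_factory=dict)  # pseudonymous handle -> username

    def web_login(self, username, password):
        """Web Login Server: local authn; on success issue a random handle that
        reveals nothing about the user (plain-text passwords only for brevity)."""
        if USERS.get(username, {}).get("password") != password:
            return None
        handle = secrets.token_urlsafe(16)
        self.handles[handle] = username
        return handle

    def attribute_authority(self, handle, target):
        """Answer the target's SHAR request: release only what the site default
        for that target allows, further narrowed by the user's control."""
        username = self.handles.get(handle)
        if username is None:
            return {}  # unknown handle: release nothing
        defaults = SITE_DEFAULTS.get(target, set())
        allowed = defaults & USER_CONTROL.get((username, target), defaults)
        return {k: v for k, v in USERS[username].items() if k in allowed}

def pdp(released, required_entitlement):
    """Policy decision point: do the released attributes satisfy the rule?"""
    return required_entitlement in released.get("eduPersonEntitlement", [])

def target_access(origin, target, handle, required_entitlement):
    """Target Web Server: no handle -> redirect to origin login (first access);
    with a handle -> fetch attributes via the SHAR and let the PDP decide."""
    if handle is None:
        return "redirect: origin web login"
    released = origin.attribute_authority(handle, target)
    return "content" if pdp(released, required_entitlement) else "forbidden"
```

Note that the target never learns alice's mail address on either site, and a forged or stale handle yields no attributes at all, so the PDP denies by default.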
Shibboleth Inter-Realm AuthZ
We all get Web SSO for Local Authentication and an Enterprise Authorization Framework with an Integrated Portal that will all work inter-institutionally!
[Diagram labels: Local Web SSO; Pressures; Drivers of Vapor Convergence; eduPerson 1.0; OKI/Web Authentication; JA-SIG uPortal; Authen]
Middleware Inputs & Outputs
[Diagram labels: Licensed Resources; Embedded App Security; Grids; OKI; JA-SIG & uPortal; Inter-realm calendaring; futures; Shibboleth, eduPerson, Affiliated Dirs, etc.; Enterprise authZ; Campus Web SSO; Enterprise Directory; Enterprise Authentication; Legacy Systems]
National Science Foundation NMI program
• $12 million over 3 years
• www.nsf-middleware.org
• Middleware Service Providers, Integrators, Distributors
• GRID (Globus)
• Internet2 + EDUCAUSE + SURA
• May 2002 – first set of deliverables from all parties
The Liberty Alliance (www.project-liberty.org)
• Sun Microsystems, American Express, United Airlines, Nokia, MasterCard, AOL Time Warner, American Airlines, Bank of America, Cisco, France Telecom, Intuit, NTT DoCoMo, Verisign, Schlumberger, Sony …
• Initiated in September 2001.
• Protect Privacy, Federated Administration, Interoperability, Standards based but requires new technology, hard problems to solve, a Network Identity Service
• Funny, doesn’t this stuff sound familiar?