This document summarizes the key discussions and decisions from the Federal and Higher Education PKI Coordination Meeting held on June 16, 2005. Key topics included the release of Shibboleth v1.3, future roadmap features, support for SAML v2, and the transition to the InCommon Federation. It highlights notable advancements in multi-federation support, e-authentication profiles, and interoperability strategies with WS-Federation. The meeting also addressed the importance of community feedback for future releases and provided insights into the federal e-authentication framework for higher education.
Shibboleth Update: Eleventh Federal & Higher Education PKI Coordination Meeting (Fed/Ed), Thursday, June 16, 2005
Topics • Shibboleth v1.3 • Shibboleth Futures -- the Roadmap after 1.3 • Shibboleth and e-Authn
Shibboleth v1.3 • Planned Availability -- June, 2005 • Currently in beta • Major New Functionality • Full SAML v1.1 support -- BrowserArtifact Profile and AttributePush • Support for SAML-2 metadata schema • Improved Multi-Federation Support • Support for the Federal Gov’t’s E-authn Profile • Native Java SP Implementation • Improved build process
Restructuring of Federations • The Transition to InCommon • InCommon is now “Real” • Campuses and Vendors are Transitioning… • May soon see negative incentives for long term membership in InQueue • “Negative Trust” Federation • Available for software development, testing • Self-service application to register • Expect to see many relatives of Donald Duck as members • International Federation Peering • Moving forward… • Vendors moving toward supporting multi-federation world
Shibboleth and Grids • Shib/SAML is currently web-browser centric • so doesn't apply to more general protocols • yet can easily apply to Grid portals • SAML could carry certs/keys as attributes • Grid-Shib project • NSF-funded • focus on access to campus Attribute Authority to provide attributes for Grid service authz decisions
WS* Interop -- Status • Agreements to build WS-Fed interoperability into Shib • Contracts signed; work to begin AFTER Shib v1.3 • WS-Federation + Passive Requestor Profile + Passive Requestor Interoperability Profile • Discussions broached by Microsoft on building Shib interoperability into WS-Fed; no further discussions • Devil's in the details • Can WS-Fed-based SPs work in InCommon without having to muck up federation metadata with WS-Fed-specifics? • All the stuff besides WS-Fed in the WS-* stack
WS* Interop -- High Level Goals • Establish interoperability of the ADFS Identity Provider and Service Provider implementations (and any other WS-F/PRP/PRIP Provider conformant implementations), with the Internet2 Shibboleth System Identity Provider and Service Provider implementations. • Establish ADFS as a supported option for use for Identity Provider and Service Provider deployments in the Internet2-operated InCommon Federation of US higher-education and partner sites. • Build a strategic relationship with a fully deployed and leading edge federation (InCommon) and the higher ed academic community.
Shibboleth -- Future Releases • “Interim” Release • Target Date -- within Calendar 2005 • Include some SAML-2 Functionality • Rely on feedback from user community to identify SAML-2 features which are HIGH priority • Lots of potential partners interested in helping….
Shibboleth 2.0 • SAML 2.0 specification approved March 2005 • Shibboleth 2.0 • Expect to provide support for ALL REQUIRED SAML-2 functionality • Target Date -- mid-year 2006 • Who wants to help?
Federal eAuthentication • Key driver for e-government, operating under the auspices of GSA • Leveraging key NIST guidelines • Setting the standard for a variety of federated identity requirements • Identity proofing • SAML bindings • Credential assessment • Risk assessment • Technical components driven through the InterOp Lab • http://www.cio.gov/eAuthentication/
eAuthentication Key Concepts • Approved technologies • The Federal “e-Authentication Federation” • Credential assessment framework • Trusted Credential Service providers • Agency Applications (outward facing…)
Shibboleth E-Authn Certification • V1.3 has already successfully navigated interoperability testing • Scheduled for Certification Testing the week of June 20 • Campuses could then • Join the E-authn Federation • Use the Shibboleth software to access e-authn enabled federal gov’t web sites • More E-authn info available at http://www.cio.gov/eauthentication/