Federated Identity and Shibboleth Concepts • Rick Summerhill • Chief Technology Officer • Internet2 • GEC3 • October 29, 2008 • Slides by Nate Klingenstein • ndk@internet2.edu • and • John Krienke • a2jcwk@gmail.com • Internet2
The Challenging Way (diagram: no coordination, proprietary code, batch uploads) • Home, Circle University: joe@circle.edu, Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #1 • Service Providers, each holding its own copy of the user: • Grant Admin Service, ID #2 Joval: Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #2 • Grading Service, ID #3 Jo456: Dr. Joe Oval, Psych Prof., Password #3 • Music Service, ID #4 j.o.123: Joe Oval, Psych Prof., DOB: 4/4/1955, Password #4
The Federated Way (diagram) • Home, Circle University: joe@circle.edu, Dr. Joe Oval, Psych Prof., SSN 456.78.910, Password #1 • The home organization asserts the user to the services; one service receives the Circle University identity (joe@circle.edu, Dr. Joe Oval, Psych Prof., SSN 456.78.910), another receives only a Circle University Anonymous ID# with Dr. Joe Oval, Psych Prof. • 1. Single sign on • 2. Services no longer manage user accounts & personal data stores • 3. Reduced help-desk load • 4. Standards-based technology • 5. Home org controls privacy
How Federated Identity Works • A user tries to access a protected application • The user tells the application where it’s from • The user logs in at home • Home tells the application about the user • The user is rejected or accepted
Flow between User, Service Provider (SP), Identity Provider (IdP) and the IdP's Directory Database (diagram) • 1. User to SP: I'd like access • 2. SP to User: What is your home? • 3. SP to User: Please login at home • 4. User to IdP: I'd like to login for SP • 5. User logs in at the IdP • 6. IdP to User: Here is data about you for SP. Send it. • 7. User to SP: Here is my data • 8a. SP: See the page! • 8b. SP: Access Denied
Shibboleth IdP • Written in Java, runs in any Servlet 2.4 container • Supports multiple protocols • Does not contain attributes or logins • Relies on external LDAP/Kerberos/SQL/etc. • Extensive controls for the release of attributes
IdP deployment (diagram): Web Browser • Shibboleth IdP running in Tomcat, with an external Authentication source • Directory / Database behind the IdP • Shibboleth SP in front of the Application
Shibboleth SP • Written in C++ for Apache, IIS, or NSAPI • Apache often used to front-end other web servers: Java containers, Zope, etc. • Extensive clustering support • No API: attributes & data available through headers & env. variables • Keeps identity management external to app
SP deployment (diagram): Web Browser • Shibboleth SP in Apache or IIS, with the shibd daemon • Shibboleth IdP in Tomcat • Person Information held in the IdP's Directory / Database
Words • SAML: Security Assertion Markup Language • Attribute: A name/value pair that describes a user: uid/rrsum • Scope: The domain within which an attribute is valid: staff@example.com • Assertion: User authentication & attribute information wrapped as SAML for transport • Name Identifier: Any attribute elevated to identifier (primary key) status
More words • entityID: The name of a provider • Identity Provider (IdP): Supplies assertions • Attribute Authority (AA): Acquires user attributes and encodes them for transport • Service Provider (SP): Receives assertions and protects resources • Assertion Consumer Service (ACS): Receives assertion, processes it, passes user along
Last words • Federation: A trust structure to help large communities of IdPs or SPs interoperate without an MxN handshake • Not necessary for federated identity • Metadata: A file that describes how to talk to and trust a provider
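Scope and metadata meet at the SP: a scoped attribute such as staff@example.com is only meaningful if the federation metadata lets the issuing IdP assert that scope. The following Python, an added example and not code from the Shibboleth project, reads a constructed, stripped-down SAML attribute statement and drops any scoped value the issuer is not entitled to assert; the entityID, trusted scope table and attribute values are all made up for the example, and the ';' value separator is an assumption.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed stand-in for federation metadata: the scopes each IdP
# entityID may assert (Shibboleth metadata carries these as shibmd:Scope).
TRUSTED_SCOPES = {"https://idp.circle.edu/idp/shibboleth": {"circle.edu"}}
# Attributes whose values carry a scope after '@'.
SCOPED_ATTRIBUTES = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}

# Constructed, simplified assertion: issuer and attribute statement only,
# no signature, subject or conditions.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.circle.edu/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonScopedAffiliation">
      <saml:AttributeValue>faculty@circle.edu</saml:AttributeValue>
      <saml:AttributeValue>staff@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="displayName">
      <saml:AttributeValue>Joe Oval</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def filter_attributes(assertion_xml, trusted_scopes=TRUSTED_SCOPES):
    """Return (accepted, rejected). accepted maps attribute name to values
    the issuer may assert; rejected lists (name, value) pairs whose scope
    the metadata does not grant to the issuer."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer not in trusted_scopes:
        # An issuer absent from metadata is untrusted: refuse the whole assertion.
        raise ValueError(f"issuer {issuer!r} not in metadata")
    allowed = trusted_scopes[issuer]
    accepted, rejected = {}, []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        name = attr.get("Name")
        for node in attr.iterfind("saml:AttributeValue", SAML_NS):
            value = (node.text or "").strip()
            if name in SCOPED_ATTRIBUTES:
                _, at, scope = value.rpartition("@")
                if not at or scope.lower() not in allowed:
                    rejected.append((name, value))  # scope not granted to issuer
                    continue
            accepted.setdefault(name, []).append(value)
    return accepted, rejected

def to_environment(accepted):
    # Flatten for the application, one variable per attribute (assumed ';' joiner).
    return {name: ";".join(values) for name, values in accepted.items()}
```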