Shibboleth access management: a replacement for Athens and more?

Transcript of Shibboleth access management: a replacement for Athens and more?

Page 1: Shibboleth access management: a replacement for Athens and more?

Shibboleth access management: a replacement for Athens and more?

Mark Norman and Christian Fernau

OUCS

21 June 2007

Page 2: Shibboleth access management: a replacement for Athens and more?

IT Support Staff Conference 21 June 2007

This presentation

• What is Shibboleth?
  – What it isn’t
• A quick run through of a common example
• The UK Federation
• Privacy and the 4 attributes
• Shibboleth in Oxford: the architecture
• Questions

Page 3: Shibboleth access management: a replacement for Athens and more?

What is Shibboleth?

• “Shibboleth is a system designed to exchange attributes across realms for the primary purpose of authorisation”

• Why is it called Shibboleth?
  – Because it is access control where it matters what you are, rather than who you are
  – Judges 12:5-6 (the Gileadites seized the passages of the Jordan before the Ephraimites, who couldn’t pronounce “ear of wheat”)

Page 4: Shibboleth access management: a replacement for Athens and more?

It’s easier to say what it isn’t!

• It ISN’T about authentication management!
  – (Authentication = The act of verifying that an electronic identity is being employed by the entity, person or process to whom it was issued.)
  – Shibboleth thinks that institutions should run their own authentication systems and others should trust those processes
• It ISN’T about authorisation management!
  – (Authorisation = Associating rights or capabilities with a subject/person)
  – Other information about individuals (groups, status etc.) should be managed by the institution too!

Page 5: Shibboleth access management: a replacement for Athens and more?

OK, in plain English…

• It’s all about how to transmit the authorisation and role information from your home institution to outside service providers

• And how those service providers can ask for that information

• Access management and the communication of authorisation credentials

• Aims: separate authentication from authorisation
  – Devolve authentication to the ‘home’ organisation
  – Devolve the management of authorisation information as well

Page 6: Shibboleth access management: a replacement for Athens and more?

Replacing Athens?

• In phases:
  – Mid 2007 Shibboleth enabled at Oxford (possibly without publicity)
  – Athens continues (free) until July 2008
  – Between mid 2007 and July 2008, Oxford users should be able to use Shibboleth or Athens to access on-line resources
  – After 2008 Athens may still be available but will require a subscription from Oxford

Page 7: Shibboleth access management: a replacement for Athens and more?

Replacing Athens – the user's perspective

• Now:
  – Users connect to a resource and type in their Athens username and password to gain access
• Mid 2007
  – Users can do the same thing for many (most?) resources using their Webauth username and password (actually the Webauth screens too)
  – Users can still use their Athens username and password
• August 2008
  – Athens may be unavailable

Page 8: Shibboleth access management: a replacement for Athens and more?

Some definitions

• Identity Provider (IdP): your home institution (where you usually have a username/login)

• Service Provider (SP): organisation/body providing a service (e.g. e-Journal)

• WAYF (where are you from? service) [a type of IdP Discovery Service]: application/service that determines which IdP to send the user to

Page 9: Shibboleth access management: a replacement for Athens and more?

Technically simple (SAML)*

• Shibboleth involves two types of exchanges:
  1. AuthnRequest << >> AuthnAssertion
     “Was authentication successful?”
  2. AttributeRequest << >> AttributeAssertion
     “I need to know... ...about this user.”
     “This user has the following attributes...”

* Security Assertion Markup Language
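The two exchanges on this slide as an added, runnable example (not code from the presentation or from the Shibboleth project): the SP builds an AuthnRequest, the IdP answers with one assertion carrying an authentication statement and an attribute statement, and the SP performs the checks that make the assertion worth trusting before it uses the attributes. Real Shibboleth signs assertions with XML Signature and moves them through browser redirects; here a shared-key HMAC stands in for the signature so the whole exchange runs offline. The entity IDs, the sample attribute `eduPersonScopedAffiliation` and its value, and the key are constructed sample values.

```python
"""Toy SAML-style exchange between a Service Provider (SP) and an Identity
Provider (IdP): AuthnRequest -> assertion with an AuthnStatement, plus the
AttributeStatement that answers "what attributes does this user have?".

Added example, not the presentation's or Shibboleth's own code. XML Signature
is replaced by an HMAC over the assertion text so the check runs offline; the
entity IDs, attribute and key below are constructed sample values.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed federation state: the IdPs this SP trusts and their signing keys.
# A real federation distributes signing certificates in its metadata instead.
TRUSTED_IDPS = {"https://idp.example.ac.uk/idp/shibboleth": b"constructed-shared-key"}
SP_ENTITY_ID = "https://journal.example.com/shibboleth"


def build_authn_request(request_id, issuer=SP_ENTITY_ID):
    """Exchange 1, SP side: 'was authentication successful?' for this user."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID=request_id)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def sign(idp, body):
    """Stand-in for the IdP's XML Signature over the assertion."""
    return hmac.new(TRUSTED_IDPS[idp], body.encode(), hashlib.sha256).hexdigest()


def idp_respond(authn_request_xml, idp, attributes, now, lifetime_s=300):
    """IdP side: one assertion carrying the AuthnStatement (exchange 1) and
    the AttributeStatement (exchange 2), restricted to the requesting SP."""
    req = ET.fromstring(authn_request_xml)
    audience = req.find(f"{{{SAML}}}Issuer").text
    a = ET.Element(f"{{{SAML}}}Assertion")
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = idp
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         NotOnOrAfter=(now + timedelta(seconds=lifetime_s)).isoformat())
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = audience
    ET.SubElement(a, f"{{{SAML}}}AuthnStatement", AuthnInstant=now.isoformat())
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    body = ET.tostring(a, encoding="unicode")
    # InResponseTo ties the answer to the request the SP actually sent.
    return {"InResponseTo": req.get("ID"), "assertion": body, "sig": sign(idp, body)}


def sp_verify(response, expected_request_id, now):
    """SP side: accept only an assertion from a federation member, meant for
    this SP, still valid, and answering our own request.
    Returns (accepted, reason, attributes)."""
    if response["InResponseTo"] != expected_request_id:
        return False, "unsolicited or replayed response", {}
    a = ET.fromstring(response["assertion"])
    issuer = a.find(f"{{{SAML}}}Issuer").text
    if issuer not in TRUSTED_IDPS:
        return False, "issuer not in federation", {}
    if not hmac.compare_digest(sign(issuer, response["assertion"]), response["sig"]):
        return False, "bad signature", {}
    cond = a.find(f"{{{SAML}}}Conditions")
    if now >= datetime.fromisoformat(cond.get("NotOnOrAfter")):
        return False, "assertion expired", {}
    if cond.find(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience").text != SP_ENTITY_ID:
        return False, "assertion meant for another SP", {}
    attrs = {e.get("Name"): e.find(f"{{{SAML}}}AttributeValue").text
             for e in a.iter(f"{{{SAML}}}Attribute")}
    return True, "ok", attrs


def demo(scenario="ok"):
    """Run the exchange; 'tamper', 'replay' and 'expired' show the SP refusing."""
    now = datetime.now(timezone.utc)
    idp = "https://idp.example.ac.uk/idp/shibboleth"
    req = build_authn_request("_req1")
    # eduPersonScopedAffiliation is used here only as a sample attribute name.
    resp = idp_respond(req, idp, {"eduPersonScopedAffiliation": "member@example.ac.uk"}, now)
    if scenario == "tamper":   # attribute edited after the IdP signed it
        resp["assertion"] = resp["assertion"].replace("member@", "staff@")
    if scenario == "replay":   # answer to a request this SP never sent
        return sp_verify(resp, "_req2", now)
    if scenario == "expired":  # presented after NotOnOrAfter
        return sp_verify(resp, "_req1", now + timedelta(seconds=600))
    return sp_verify(resp, "_req1", now)


if __name__ == "__main__":
    for s in ("ok", "tamper", "replay", "expired"):
        print(s, demo(s)[:2])
```

The SP never reads attributes before the issuer, signature, validity window, audience and InResponseTo checks pass; that ordering is what lets the SP "trust implicitly" an IdP it has never spoken to, because the federation membership list and the IdP's key stand in for a direct relationship.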

Page 10: Shibboleth access management: a replacement for Athens and more?

What the user should see

• The user goes to a resource

• They are presented with log in options

• They select the “UK Federation” or “Institutional sign on” etc. option

Page 11: Shibboleth access management: a replacement for Athens and more?

What the user should see

• The resource sends them to the “Where are You From” service

• They say they are from Oxford

Page 12: Shibboleth access management: a replacement for Athens and more?

What the user should see

• They then see their familiar Webauth screen

Page 13: Shibboleth access management: a replacement for Athens and more?

What the user should see

• Then the usual Oxford confirmation...

Page 14: Shibboleth access management: a replacement for Athens and more?

What the user should see

• Possibly a holding screen for 2-3 seconds before the user sees...

Page 15: Shibboleth access management: a replacement for Athens and more?

What the user should see

• the resource they were trying to reach a few seconds ago

• The next time they try to get to a resource...

Page 16: Shibboleth access management: a replacement for Athens and more?

What the user should see

• The next time they try to get to a resource...

• They're almost straight in (no need to authenticate again) as there's a cookie kept in the browser.

Page 17: Shibboleth access management: a replacement for Athens and more?

Trusting the SP, IdP etc.

• All of these bodies trust each other (implicitly) as they all belong to the same Federation
  – A federation has a set of rules that everyone obeys
    • e.g. security policy for IdPs, privacy policies for SPs
  – A service provider (SP) can provide services for multiple federations
  – An institution such as Oxford (or its IdP) could belong to multiple federations too.

Page 18: Shibboleth access management: a replacement for Athens and more?

The UK Federation

• A group of member organisations who sign up to a set of rules (see next slides)

• Is an independent body funded by Becta and JISC
• Manages the trust relationships between members

Page 19: Shibboleth access management: a replacement for Athens and more?

The UK Federation Rules for IdPs

• Provide data that is accurate and up-to-date

• Comply with technical specifications
• Observe good practice for
  – configuration, operation, and security of service, exchange of data, private keys, ...
• Must hold all licences and permissions required
• Must not damage reputation of Federation
• Give 'reasonable assistance' to investigate misuse

Page 20: Shibboleth access management: a replacement for Athens and more?

The UK Federation Rules for SPs

• Must not disclose attributes to 3rd parties

• Use attributes only for access control or presentation decisions (and only for the service that the user requested)...

• ...or for generating aggregated anonymised usage statistics

• SP is responsible for management of access rights: federation has no liability

Page 21: Shibboleth access management: a replacement for Athens and more?

Chris: Privacy and the 4 attributes

• Chris to add slides

Page 22: Shibboleth access management: a replacement for Athens and more?

Chris: Shib architecture at Oxford

• Chris to add slides

Page 23: Shibboleth access management: a replacement for Athens and more?

Chris: DEMO????

• Christian – check out this page for other resources
  – http://ukfederation.org/content/Documents/AvailableServices
  – (But I got:
    • “Shibboleth Identity Provider Failure
    • The inter-institutional access system experienced a technical failure.
    • Please email root@localhost and include the following error message:
    • Identity Provider failure at (/shibboleth-idp/SSO)
    • org.opensaml.SAMLException: Invalid assertion consumer service URL.”)
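The error above is the visible side of a check every IdP has to make before it hands out an assertion: the consumer URL the SP names in its request must be one the federation metadata registers for that SP, otherwise an assertion about a user could be steered to an endpoint the SP does not own. This added example (not the Shibboleth IdP's own code, and not a claim about how that particular deployment was configured) shows the check over a constructed SAML 2.0 metadata fragment; the entity IDs and endpoint locations are sample values.

```python
"""The check behind an IdP error of the form "Invalid assertion consumer
service URL": the AssertionConsumerServiceURL in an SP's AuthnRequest must be
one registered for that SP in the federation metadata.

Added example, not Shibboleth's own code. The metadata fragment below is a
constructed sample in the SAML 2.0 metadata schema; entity IDs are sample values.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SP_ID = "https://journal.example.com/shibboleth"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed federation metadata: one SP with a single registered endpoint.
FEDERATION_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="{SP_ID}">
    <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
      <md:AssertionConsumerService index="1" isDefault="true"
          Binding="{POST_BINDING}"
          Location="https://journal.example.com/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_acs_endpoints(metadata_xml):
    """entityID -> set of (Binding, Location) pairs registered for that SP."""
    endpoints = {}
    for ed in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        endpoints[ed.get("entityID")] = {
            (acs.get("Binding"), acs.get("Location"))
            for acs in ed.iter(f"{{{MD}}}AssertionConsumerService")}
    return endpoints


def check_authn_request(request_xml, endpoints):
    """IdP side. Returns (accepted, reason)."""
    req = ET.fromstring(request_xml)
    issuer = req.find(f"{{{SAML}}}Issuer")
    if issuer is None or issuer.text not in endpoints:
        return False, "unknown SP"
    acs_url = req.get("AssertionConsumerServiceURL")
    if acs_url is None:
        # The SP left the endpoint unspecified: fall back to the metadata
        # default rather than to anything supplied at request time.
        return True, "using metadata default endpoint"
    binding = req.get("ProtocolBinding", POST_BINDING)
    # Exact comparison: a lookalike host or a different path is not a match.
    if (binding, acs_url) not in endpoints[issuer.text]:
        return False, "Invalid assertion consumer service URL"
    return True, "ok"


def make_request(issuer, acs_url=None, binding=POST_BINDING):
    """Build the AuthnRequest an SP would send (constructed sample)."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID="_constructed1")
    if acs_url is not None:
        req.set("AssertionConsumerServiceURL", acs_url)
        req.set("ProtocolBinding", binding)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def demo(acs_url, issuer=SP_ID):
    """Run one request through the IdP-side check against the sample metadata."""
    return check_authn_request(make_request(issuer, acs_url),
                               load_acs_endpoints(FEDERATION_METADATA))


if __name__ == "__main__":
    print(demo("https://journal.example.com/Shibboleth.sso/SAML2/POST"))
    print(demo("https://elsewhere.example.net/Shibboleth.sso/SAML2/POST"))
    print(demo(None))
```

When an SP sees this error during a rollout, the place to look is the mismatch between the URL its software puts in the request and the endpoints in the metadata the federation published for it (a renamed host, a changed path, http versus https); the IdP is behaving correctly by refusing.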

Page 24: Shibboleth access management: a replacement for Athens and more?

Questions?