Shibboleth Access Management System
Walter Hoehn & David Millman, Columbia University
Introduction
Why does the web need identity?
- Access control
- Customization
- Collaboration
Challenges
- Privacy concerns/obligations
- Hundreds of passwords vs. Passport
- Protocol limitations
Shibboleth Overview
- Federated identity management
- Flexible attribute profiles
- Privacy controls
- Works with existing browser technology
- Standards-based
Shibboleth Overview (cont.)
Origins (Identity Providers)
- Manage user identity data
- Authenticate users
- Administer attribute release policies
- Provide user attributes
Targets (Resource Providers)
- Administer access control policies
- Administer attribute acceptance policies
- Request attributes
- Provide digital resources/services
Who is working on Shibboleth?
- Internet2 (UCAID)
- Columbia University
- Brown University
- The Ohio State University
- The University of Washington
- MIT
Who is using Shibboleth?
- 17 identity providers (15 US universities, 1 UK university, Swiss Education and Research Network)
- 4 content vendors (JSTOR, OCLC, EBSCO, ProQuest)
- 2 course management systems (Blackboard, WebCT)
- 1 online grading system (WebAssign)
- 1 inter-library loan vendor (Innovative Interfaces)
Advances since the last All-Projects meeting
Security
- PKI-based signature verification
- SAML 1.1 support
Performance
- Improved caching mechanisms
- Target can request specific attributes
Privacy
- Attribute Release Policy language and engine
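As an added example (not code from these slides or from the Shibboleth project), the following Python models the decision the origin's Attribute Release Policy engine makes: of everything the directory knows about a user, which attribute values may go to the target that is asking. The rule semantics follow the Shibboleth 1.x ARP model: a rule applies to one named target or to any target, each rule permits or denies an attribute at the any-value or single-value level, nothing is released unless some rule permits it, and a deny always overrides a permit. The user attributes, target identifiers and the policy itself are constructed for illustration; the attribute names are the standard eduPerson URNs.

```python
"""Attribute Release Policy (ARP) evaluation on the origin side.

Added example, not Shibboleth project code.  Models the Shibboleth 1.x
ARP decision: rules scoped to a requesting target (or any target),
per-attribute permit/deny at any-value or single-value level, default
deny, and deny-overrides-permit.  User data, target ids and policy are
constructed; attribute names are the standard eduPerson URNs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

EP = "urn:mace:dir:attribute-def:"            # eduPerson / inetOrgPerson attribute URN prefix
AFFILIATION = EP + "eduPersonAffiliation"
ENTITLEMENT = EP + "eduPersonEntitlement"
MAIL = EP + "mail"

# Constructed sample: what the origin's directory holds for one user.
USER_ATTRIBUTES: Dict[str, Set[str]] = {
    AFFILIATION: {"member", "student", "employee"},
    ENTITLEMENT: {
        "urn:mace:dir:entitlement:common-lib-terms",
        "urn:mace:example.edu:entitlement:parking",   # hypothetical local entitlement
    },
    MAIL: {"alice@example.edu"},
}

# Hypothetical target (resource provider) identifiers.
LIBRARY_TARGET = "urn:mace:example.org:library-aggregator"
OTHER_TARGET = "urn:mace:example.org:some-other-site"


@dataclass
class AttributeRule:
    """Permit/deny decisions for one attribute within a rule."""
    name: str
    any_value: Optional[bool] = None            # True: permit all values; False: deny all; None: per value
    values: Dict[str, bool] = field(default_factory=dict)   # value -> True (permit) / False (deny)


@dataclass
class Rule:
    """An ARP rule: applies to one requesting target, or to any target when requester is None."""
    requester: Optional[str]
    attributes: List[AttributeRule]


# Constructed site ARP.
SITE_ARP: List[Rule] = [
    # Any target may learn the user's affiliations, except that "employee" is never released.
    Rule(None, [AttributeRule(AFFILIATION, any_value=True, values={"employee": False})]),
    # Only the library aggregator learns about entitlements, and only the library one.
    Rule(LIBRARY_TARGET, [AttributeRule(ENTITLEMENT,
                                        values={"urn:mace:dir:entitlement:common-lib-terms": True})]),
    # No rule ever permits mail, so it is never released (default deny).
]


def evaluate_arp(policy: List[Rule], requester: str, attrs: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return the subset of attrs that the policy releases to requester."""
    released: Dict[str, Set[str]] = {}
    for name, values in attrs.items():
        permitted: Set[str] = set()
        denied: Set[str] = set()
        for rule in policy:
            if rule.requester is not None and rule.requester != requester:
                continue                                    # rule is for a different target
            for ar in rule.attributes:
                if ar.name != name:
                    continue
                if ar.any_value is True:
                    permitted |= values
                elif ar.any_value is False:
                    denied |= values
                for value, permit in ar.values.items():
                    (permitted if permit else denied).add(value)
        kept = (permitted - denied) & values                # deny overrides permit; only real values survive
        if kept:
            released[name] = kept
    return released


def release_for(requester: str) -> Dict[str, Set[str]]:
    """Apply SITE_ARP to the sample user for one target."""
    return evaluate_arp(SITE_ARP, requester, USER_ATTRIBUTES)


if __name__ == "__main__":
    for target in (LIBRARY_TARGET, OTHER_TARGET):
        print(target)
        for name, values in sorted(release_for(target).items()):
            print("  ", name.rsplit(":", 1)[1], sorted(values))
```

Running it shows the privacy property the slide is after: the library aggregator learns the library entitlement but never the user's parking entitlement or mail address, an unrelated target learns only affiliations, and no target learns "employee" because the deny in the any-target rule beats the blanket permit.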
Advances since the last All-Projects meeting (cont.)
Integration
- Attribute Resolution Engine (runtime configuration, metadirectory functionality)
- Support for international characters in assertions
- Stateless handle mechanism, which allows for fault-tolerant configurations
- Support for using SSL client authentication to authenticate to the origin
Expanded platform support
- Origin: all JDK 1.4 compatible platforms
- Target: Linux, Solaris, Windows / Apache, IIS
Use Case: Accessibility
A government agency creates a web site containing video footage of historically important NASA space flights.
The web site's interface must be adaptable for users with disabilities:
- A user with low vision prefers custom colors, font face, and font size.
- A user with hand tremors might prefer bigger links and buttons.
Use Case: Accessibility (cont.)
Appropriate content can be selected, or search priorities can be pre-set for accessible resources:
- A user who is deaf may want only videos with closed captioning.
- A user who is blind may want images with text descriptions and videos with audio descriptions to be ranked highly in search results.
Use Case: Accessibility (cont.)
A Solution
- Agency installs a Shibboleth-enabled web service
- The user's identity provider transmits accessibility metadata (IMS Learner Information Profile) to the web site via Shibboleth
- Web site assigns style sheets based on accessibility metadata
- Web site search service uses accessibility metadata in ranking algorithms
Contact: [email protected]
Use Case: Subscription-based content
- An online aggregator of scholarly medical publications sells subscriptions to a university library
- Eligible users should be able to access the content regardless of location
- The aggregator wants the flexibility to offer license agreements to subsets of a university community
- The library wants to maintain the privacy of its patrons and the security of their personal data
Use Case: Subscription-based content (cont.)
A Solution
- Aggregator installs a Shibboleth-enabled web service
- The university's IT department deploys a Shibboleth origin in conjunction with their central directory service
- The university transmits eduPersonEntitlement attribute data via Shibboleth
Use Case: Web site contains curriculum aids for middle school science
- The site includes curriculum aids, such as photographs, videos, maps, report topics, etc., that are freely available for students to download
- The site also includes lesson plans, discussion questions, and tests that accompany the freely available materials. These materials should only be available to educators.
Use Case: Web site contains curriculum aids for middle school science (cont.)
A Solution
- Site installs a Shibboleth-enabled web service
- The user's identity provider transmits information related to teacher credentialing
Requirements are different
- Not a user-settable preference (as in the accessibility use case)
- Not provided by existing university infrastructure (as in the subscription use case)
Target Installation
Prerequisites
- SSL-enabled web server
- Supported platform
- Relationship with an identity provider or federation
Installation
- Install pluggable Shibboleth module
- Configure site metadata
- Configure attribute acceptance policies
- Configure access control rules
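The last three steps above (site metadata, attribute acceptance policy, access control rules) are where the target decides what it is willing to believe and who gets in. As an added example, not code from these slides or from the Shibboleth SP, the following Python models that target-side pipeline for the subscription use case described earlier. Two checks are shown: a scoped value such as "member@example.edu" is accepted only if the site metadata says the asserting origin may speak for that scope, and an unscoped value such as eduPersonEntitlement is accepted only from origins the aggregator actually has an agreement with. Without these checks any federation member could assert example.edu's affiliations or entitlements and inherit its licences. The origin identifiers, metadata, acceptance policy, access rule and assertions are all constructed; the attribute names are the standard eduPerson URNs.

```python
"""Target-side attribute acceptance and access control.

Added example, not Shibboleth SP code.  After the origin releases an
assertion, the target filters it through its attribute acceptance policy
(AAP) and site metadata before any access control rule runs.  Origin
ids, metadata, AAP, access rule and assertions are constructed.
"""
from typing import Dict, FrozenSet, Set

EP = "urn:mace:dir:attribute-def:"
SCOPED_AFFILIATION = EP + "eduPersonScopedAffiliation"
ENTITLEMENT = EP + "eduPersonEntitlement"
DISPLAY_NAME = EP + "displayName"
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"

# Hypothetical origin (identity provider) identifiers.
EXAMPLE_EDU = "urn:mace:example.edu:origin"
OTHER_EDU = "urn:mace:other.edu:origin"

# Constructed site metadata: the scopes each origin is trusted to assert.
ORIGIN_SCOPES: Dict[str, Set[str]] = {EXAMPLE_EDU: {"example.edu"}, OTHER_EDU: {"other.edu"}}

# Constructed AAP, one entry per accepted attribute:
#   scoped  - values have the form value@scope and are checked against ORIGIN_SCOPES
#   values  - accepted bare values, or None for any value
#   origins - origins allowed to assert the attribute, or None for any origin
AAP = {
    SCOPED_AFFILIATION: {"scoped": True, "origins": None,
                         "values": {"member", "student", "faculty", "staff", "employee", "affiliate", "alum"}},
    ENTITLEMENT: {"scoped": False, "origins": {EXAMPLE_EDU}, "values": None},   # subscribers' origins only
}


def accept(origin: str, assertion: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Filter an assertion from origin down to what the AAP and metadata allow."""
    trusted_scopes = ORIGIN_SCOPES.get(origin, set())
    accepted: Dict[str, Set[str]] = {}
    for name, values in assertion.items():
        rule = AAP.get(name)
        if rule is None or (rule["origins"] is not None and origin not in rule["origins"]):
            continue                                    # unknown attribute, or origin may not assert it
        kept: Set[str] = set()
        for value in values:
            bare = value
            if rule["scoped"]:
                if "@" not in value:
                    continue                            # scoped attribute without a scope: reject
                bare, scope = value.rsplit("@", 1)
                if scope not in trusted_scopes:
                    continue                            # origin is not authoritative for this scope
            if rule["values"] is not None and bare not in rule["values"]:
                continue                                # outside the accepted vocabulary
            kept.add(value)
        if kept:
            accepted[name] = kept
    return accepted


def authorize(accepted: Dict[str, Set[str]],
              required_entitlement: str = COMMON_LIB_TERMS,
              licensed_affiliations: FrozenSet[str] = frozenset({"member@example.edu"})) -> bool:
    """Aggregator's access rule: a per-user entitlement, or membership at a licensed institution."""
    if required_entitlement in accepted.get(ENTITLEMENT, set()):
        return True
    return bool(accepted.get(SCOPED_AFFILIATION, set()) & licensed_affiliations)


def decide(origin: str, assertion: Dict[str, Set[str]]) -> bool:
    """Acceptance first, then access control."""
    return authorize(accept(origin, assertion))


# Constructed assertions.
HONEST = {SCOPED_AFFILIATION: {"member@example.edu", "staff@other.edu"},   # second scope is not example.edu's
          ENTITLEMENT: {COMMON_LIB_TERMS},
          DISPLAY_NAME: {"Alice"}}                                          # not in the AAP: dropped
FORGED = {SCOPED_AFFILIATION: {"member@example.edu"}, ENTITLEMENT: {COMMON_LIB_TERMS}}

if __name__ == "__main__":
    print("example.edu user:", accept(EXAMPLE_EDU, HONEST), decide(EXAMPLE_EDU, HONEST))
    print("other.edu asserting example.edu claims:", accept(OTHER_EDU, FORGED), decide(OTHER_EDU, FORGED))
```

The honest assertion from example.edu passes, but with "staff@other.edu" and displayName silently dropped. The identical attribute set asserted by other.edu is reduced to nothing: the affiliation fails the scope check and the entitlement is not accepted from that origin, so access is denied. Note that the access rule runs only on what survived acceptance; a rule that consulted the raw assertion would undo both checks.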
Target Installation (cont.)
Current required skill set
- Service platform competency (OS, web server, application environment)
- SSL
- XML
- X.509/PKI
- Shibboleth federation model
Closing the gap
- Identify appropriate staff
- Better software packaging/streamlined installation
Research/Directions for the future
- Access management for N-tier applications
- Attribute Release Policy interfaces
- Resource description metadata
- Authorization services (XACML)
- Integration with other SAML-based identity services (Liberty)