Shibboleth Access Management System Walter Hoehn & David Millman, Columbia University.

Transcript of Shibboleth Access Management System Walter Hoehn & David Millman, Columbia University.

Page 1:

Shibboleth Access Management System

Walter Hoehn & David Millman, Columbia University

Page 2:

Introduction

Why does the web need identity?
- Access control
- Customization
- Collaboration

Challenges
- Privacy concerns/obligations
- Hundreds of passwords vs. Passport
- Protocol limitations

Page 3:

Shibboleth Overview

- Federated identity management
- Flexible attribute profiles
- Privacy controls
- Works with existing browser technology
- Standards-based

Page 4:

Shibboleth Overview (cont.)

Origins (identity providers)
- Manage user identity data
- Authenticate users
- Administer attribute release policies
- Provide user attributes

Targets (resource providers)
- Administer access control policies
- Administer attribute acceptance policies
- Request attributes
- Provide digital resources/services

Page 5:

Page 6:

Demo

NSDL.org

Page 7:

Who is working on Shibboleth?

- Internet2 (UCAID)
- Columbia University
- Brown University
- The Ohio State University
- The University of Washington
- MIT

Page 8:

Who is using Shibboleth?

- 17 identity providers (15 US universities, 1 UK university, Swiss Education and Research Network)
- 4 content vendors (JSTOR, OCLC, EBSCO, ProQuest)
- 2 course management systems (Blackboard, WebCT)
- 1 online grading system (WebAssign)
- 1 inter-library loan vendor (Innovative Interfaces)

Page 9:

Advances since the last All-Projects meeting

Security
- PKI-based signature verification
- SAML 1.1 support

Performance
- Improved caching mechanisms
- Target can request specific attributes

Privacy
- Attribute Release Policy language and engine

Page 10:

Advances since the last All-Projects meeting (cont.)

Integration
- Attribute Resolution Engine (runtime configuration, metadirectory functionality)
- Support for international characters in assertions
- Stateless handle mechanism, which allows for fault-tolerant configurations
- Support for using SSL client authentication to authenticate to the origin

Expanded platform support
- Origin: all JDK 1.4 compatible platforms
- Target: Linux, Solaris, Windows / Apache, IIS
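The stateless handle on this slide is what makes the origin fault-tolerant: the opaque handle a target receives has to let any attribute authority node recover the principal without a session table shared between nodes. The following is an added example, not code from the Shibboleth project, showing one way to build such a handle: the handle service seals the principal and an expiry with AES-GCM under a key shared by every origin node, and an attribute authority resolves the handle by authenticating and decrypting it. The names HandleService, Issue and Resolve, the constructed key in main, the "shib-handle" associated-data label and the five-minute lifetime are assumptions of this example; a real origin carries the handle inside a SAML assertion rather than as a bare string.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// handlePayload is what the handle service seals inside the opaque handle.
type handlePayload struct {
	Principal string
	Expires   int64 // Unix seconds
}

// HandleService is run by the handle service (issuer) and by every attribute
// authority node (resolver). Any node holding the same key can resolve a
// handle, so no session table has to be shared or replicated between them.
type HandleService struct {
	aead cipher.AEAD
	ttl  time.Duration
	now  func() time.Time // injectable clock, used by tests
}

// NewHandleService takes a 16-, 24- or 32-byte AES key shared by all nodes.
func NewHandleService(key []byte, ttl time.Duration) (*HandleService, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &HandleService{aead: aead, ttl: ttl, now: time.Now}, nil
}

// label is the GCM associated data; it binds the ciphertext to this purpose
// so a blob sealed for some other use under the same key is not a valid handle.
var label = []byte("shib-handle")

// Issue seals principal and expiry under a fresh random nonce. Because the
// nonce differs each time, two handles for the same user are not linkable by
// the target, which only ever sees opaque strings.
func (h *HandleService) Issue(principal string) (string, error) {
	pt, err := json.Marshal(handlePayload{principal, h.now().Add(h.ttl).Unix()})
	if err != nil {
		return "", err
	}
	nonce := make([]byte, h.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := h.aead.Seal(nonce, nonce, pt, label) // nonce || ciphertext || tag
	return base64.RawURLEncoding.EncodeToString(ct), nil
}

// Resolve is what an attribute authority does with the handle presented in an
// attribute query: authenticate it, decrypt it, and refuse expired ones.
func (h *HandleService) Resolve(handle string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(handle)
	if err != nil {
		return "", err
	}
	ns := h.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("handle too short")
	}
	pt, err := h.aead.Open(nil, raw[:ns], raw[ns:], label)
	if err != nil {
		return "", errors.New("handle forged, corrupted or sealed under another key")
	}
	var p handlePayload
	if err := json.Unmarshal(pt, &p); err != nil {
		return "", err
	}
	if h.now().Unix() > p.Expires {
		return "", errors.New("handle expired")
	}
	return p.Principal, nil
}

func main() {
	key := make([]byte, 32) // constructed for the demo; real nodes load a shared key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	hs, _ := NewHandleService(key, 5*time.Minute) // the handle service node
	aa, _ := NewHandleService(key, 5*time.Minute) // a separate attribute authority node
	handle, _ := hs.Issue("alice@example.edu")
	principal, err := aa.Resolve(handle)
	fmt.Println(handle, principal, err)
}
```

Two properties matter for the privacy and fault-tolerance claims on these slides: the target cannot read or link handles (fresh nonce, authenticated encryption), and any attribute authority node with the shared key resolves a handle issued by any other node, so a node can fail without invalidating outstanding handles. The short lifetime bounds how long a captured handle is useful.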

Page 11:

Use Case: Accessibility

A government agency creates a web site containing video footage of historically important NASA space flights. The web site's interface must be adaptable for users with disabilities:
- A user with low vision prefers custom colors, font face, and font size.
- A user with hand tremors might prefer bigger links and buttons.

Page 12:

Use Case: Accessibility (cont.)

Appropriate content can be selected, or search priorities can be pre-set for accessible resources:
- A user who is deaf may want only videos with closed captioning.
- A user who is blind may want images with text descriptions and videos with audio descriptions to be ranked highly in search results.

Page 13:

Use Case: Accessibility (cont.)

A solution
- Agency installs a Shibboleth-enabled web service
- The user's identity provider transmits accessibility metadata (IMS Learner Information Profile) to the web site via Shibboleth
- Web site assigns style sheets based on the accessibility metadata
- Web site search service uses the accessibility metadata in its ranking algorithms

Contact: [email protected]

Page 14:

Use Case: Subscription-based content

An online aggregator of scholarly medical publications sells subscriptions to a university library.
- Eligible users should be able to access the content regardless of location
- The aggregator wants the flexibility to offer license agreements to subsets of a university community
- The library wants to maintain the privacy of its patrons and the security of their personal data

Page 15:

Use Case: Subscription-based content (cont.)

A solution
- Aggregator installs a Shibboleth-enabled web service
- The university's IT department deploys a Shibboleth origin in conjunction with their central directory service
- The university transmits eduPerson entitlement (eduPersonEntitlement) attribute data via Shibboleth

Page 16:

Use Case: Web site contains curriculum aids for middle school science

The site includes curriculum aids, such as photographs, videos, maps, and report topics, that are freely available for students to download.

The site also includes lesson plans, discussion questions, and tests that accompany the freely available materials. These materials should only be available to educators.

Page 17:

Use Case: Web site contains curriculum aids for middle school science (cont.)

A solution
- Site installs a Shibboleth-enabled web service
- The user's identity provider transmits information related to teacher credentialing

Requirements are different
- Not a user-settable preference (as in the accessibility use case)
- Not provided by existing university infrastructure (as in the subscription use case)

Page 18:

Target Installation

Prerequisites
- SSL-enabled web server
- Supported platform
- Relationship with an identity provider or federation

Installation
- Install pluggable Shibboleth module
- Configure site metadata
- Configure attribute acceptance policies
- Configure access control rules
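The origin and target roles on Page 4, the PKI signature verification and Attribute Release Policy engine on Page 9, the eduPersonEntitlement release in the subscription use case, and the site metadata, attribute acceptance policy and access control steps listed on this slide all meet in one flow. The following is an added example in Go, not code from the Shibboleth project, that models that flow end to end: the origin filters a user's attributes through a per-target ARP and signs the result; the target looks the issuer up in its site metadata, checks the audience, verifies the signature, drops any attribute its AAP does not list, drops scoped values whose scope the origin is not authoritative for, and finally applies an access rule on eduPersonEntitlement. The JSON body standing in for a SAML assertion, the RSA-PSS signature standing in for XML-DSig, the entity IDs, scopes and entitlement value are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)
// Assertion is a simplified stand-in for a SAML attribute assertion.
type Assertion struct {
	Issuer     string
	Audience   string // the target this assertion was minted for
	Attributes map[string][]string
}
// ARP (attribute release policy): target entityID -> releasable attributes; "*" means any target.
type ARP map[string]map[string]bool

// Origin (identity provider): signing key plus ARP.
type Origin struct {
	EntityID string
	Key      *rsa.PrivateKey
	Policy   ARP
}

func NewOrigin(entityID string, policy ARP) (*Origin, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // a real origin loads a PKI-issued key
	if err != nil {
		return nil, err
	}
	return &Origin{EntityID: entityID, Key: k, Policy: policy}, nil
}

// Issue applies the ARP for target and signs the sorted-key JSON with RSA-PSS over SHA-256.
func (o *Origin) Issue(target string, user map[string][]string) ([]byte, []byte, error) {
	a := Assertion{Issuer: o.EntityID, Audience: target, Attributes: map[string][]string{}}
	for name, vals := range user {
		if o.Policy["*"][name] || o.Policy[target][name] {
			a.Attributes[name] = vals
		}
	}
	body, _ := json.Marshal(a) // cannot fail for this struct; map keys are emitted sorted
	h := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, o.Key, crypto.SHA256, h[:], nil)
	return body, sig, err
}

// OriginMeta is what site metadata records about a trusted origin.
type OriginMeta struct {
	Key   *rsa.PublicKey
	Scope string // domain the origin may vouch for in scoped values ("user@domain")
}

// Target (resource provider). The AAP maps each accepted attribute name to whether
// its values are scoped and must carry the issuing origin's metadata scope.
type Target struct {
	EntityID string
	Metadata map[string]OriginMeta
	AAP      map[string]bool
}

// Accept checks issuer, audience and signature, then filters through the AAP.
func (t *Target) Accept(body, sig []byte) (map[string][]string, error) {
	var a Assertion
	if err := json.Unmarshal(body, &a); err != nil {
		return nil, err
	}
	meta, ok := t.Metadata[a.Issuer]
	if !ok || a.Audience != t.EntityID {
		return nil, fmt.Errorf("issuer %q not in site metadata, or audience %q is not us", a.Issuer, a.Audience)
	}
	h := sha256.Sum256(body)
	if err := rsa.VerifyPSS(meta.Key, crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature from %q did not verify", a.Issuer)
	}
	accepted := map[string][]string{}
	for name, vals := range a.Attributes {
		scoped, listed := t.AAP[name]
		for _, v := range vals {
			if !listed || (scoped && !strings.HasSuffix(v, "@"+meta.Scope)) {
				continue // dropped: not accepted here, or a scope this origin cannot vouch for
			}
			accepted[name] = append(accepted[name], v)
		}
	}
	return accepted, nil
}

// Authorize is the target's access-control rule: attribute name must carry value.
func Authorize(attrs map[string][]string, name, value string) bool {
	for _, v := range attrs[name] {
		if v == value {
			return true
		}
	}
	return false
}
```

The scope check is the part installations most often omit: without it, any origin in the metadata could assert member@some-other-university.edu and obtain that institution's licences, so the AAP has to tie scoped values to the scope the federation's metadata assigns to the issuing origin. The audience check matters for the same reason as SAML's audience restriction: an assertion minted for one target must not be accepted by another.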

Page 19:

Target Installation (cont.)

Current required skill set
- Service platform competency (OS, web server, application environment)
- SSL
- XML
- X.509/PKI
- Shibboleth federation model

Closing the gap
- Identify appropriate staff
- Better software packaging/streamlined installation

Page 20:

Research/Directions for the future

- Access management for N-tier applications
- Attribute Release Policy interfaces
- Resource description metadata
- Authorization services (XACML)
- Integration with other SAML-based identity services (Liberty)