Shibboleth: An Introduction
Transcript of Shibboleth: An Introduction
University of Pennsylvania, SUG13, October 2008
Agenda
• Web Authentication at Penn
• What is Shibboleth?
• Benefits
• How It Works
• Shibboleth Flow
• Next Steps
Web Authentication @ Penn
• Web authentication services are in transition to a more secure and cost-effective architecture
• Websec is targeted for decommissioning in June 2009 due to maintenance costs and security vulnerabilities
• CoSign is being implemented; it provides numerous benefits, from efficiencies in cost and security to positioning Penn for future strategic enhancements
• Shibboleth is a logical extension of the CoSign web authentication implementation and supports single sign-on capabilities
What is Shibboleth?
• Authentication/attribute query protocol
• Built upon Security Assertion Markup Language (SAML), an XML-based standard
• Open source and standards based (Internet2 Middleware initiative)
• Increased use in the education community
• The Shibboleth “solution” is comprised of:
  – Central Identity Provider (CoSign)
    • Performs authentication
    • Responds to attribute queries from the service provider(s)
    • Issues authentication assertion to the service provider(s)
    • Issues attribute assertion to the service provider(s)
  – Service Providers, which protect web content
    • Apache module or IIS ISAPI filter plus daemon
    • Places returned attributes in HTTP headers
• Federation is not a component of the initial Shibboleth deployment
  – University School and Center applications
  – 3rd party vendor applications hosted at the University or at an external vendor site
Benefits
• Shibboleth provides an alternative web authentication service for Penn applications
  – CoSign as authentication service for internal University applications and as identity provider for Shibboleth
  – It supports integrated authentication with academic and business applications from 3rd party vendors requiring PennKey authentication (e.g. Blackboard)
• Authentication services between trusted components based on common attributes
• Authenticating users’ privacy and identity are not compromised when accessing Shibboleth protected services, resources and applications
• Supports Web Single Sign On (SSO) for University services and applications
  – Single Sign On (SSO) is a method of access control that provides the end user the ability to authenticate with their credentials and access resources in a secure realm without having to re-authenticate with each resource being accessed
  – Applications within a realm share the logon credential
• Shibboleth will support federated authentication service (future initiative): interoperability between disparate identity management systems across systems, organizations and security domains
How It Works
• The user attempts to access a protected resource
• The Shibboleth service provider intercepts the request and redirects the user to the identity provider
• The user enters their PennKey and password and authenticates via CoSign
• The identity provider collects a set of attributes for the user through the attribute resolver, which draws on backend sources
How It Works
• The Identity Provider releases the attributes in response to the service provider’s request
• The assertion is placed into a message and the user is redirected to the service provider
• The user ends up at an assertion consumer service at the service provider which unpacks the message, decrypts the assertion, and performs required security checks; it extracts attributes and other information from the message
• The service provider enforces the rules itself or passes the attributes to the application
• The Shibboleth service provider places authentication and attribute information in the web environment as HTTP headers or environment variables
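As an added example (not part of these slides or of the Shibboleth project's own code), the checks an assertion consumer service makes on the returned assertion before trusting it, and the hand-off of attributes to the application, written in Python. The identity provider and service provider entity IDs, URLs, user, request ID and attribute mapping in the sample are constructed, and XML signature verification against the identity provider's key is assumed to have been done before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample of what the identity provider returns once CoSign has
# authenticated the user; entity IDs, URLs, user and request ID are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2008-10-01T12:00:00Z">
 <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
 <saml:Subject><saml:NameID>jdoe</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://sp.example.edu/Shibboleth.sso/SAML2/POST" NotOnOrAfter="2008-10-01T12:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2008-10-01T11:59:00Z" NotOnOrAfter="2008-10-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.edu/shibboleth</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"><saml:AttributeValue>member</saml:AttributeValue><saml:AttributeValue>student</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_NOW = datetime(2008, 10, 1, 12, 1, tzinfo=timezone.utc)  # inside the validity window

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_assertion(xml_text, issuer, audience, acs_url, pending_ids, now):
    """The ACS's checks after signature verification (XML-DSig against the IdP
    key from metadata, assumed done by the caller); returns released attributes."""
    a = ET.fromstring(xml_text)
    if a.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("assertion not from the trusted identity provider")
    cond = a.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if audience not in [e.text for e in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion issued for a different service provider")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != acs_url or now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation is not for this assertion consumer service")
    if scd.get("InResponseTo") not in pending_ids:
        raise ValueError("unsolicited or replayed response")
    pending_ids.discard(scd.get("InResponseTo"))  # each request ID is usable once
    return {at.get("Name"): [v.text for v in at.iterfind("saml:AttributeValue", NS)]
            for at in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}

def to_environment(attrs, mapping):
    """Expose attributes to the application as environment variables (multi-valued ones
    joined with ';'); safer than headers, which the SP must strip from client requests."""
    return {var: ";".join(attrs[n]) for n, var in mapping.items() if n in attrs}
```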
Shibboleth Flow
[Diagram: flow between the Web Application, the Shibboleth Service Provider, the Shibboleth Identity Provider (authenticating via CoSign / Kerberos), the Shibboleth Attribute Authority and Grouper]
Next Steps
• CoSign - Shibboleth
• Early 2009: pilot implementation and development of strategic implementation goals
• Mid-2009: available for supporting Penn authentication
• Early Adopter Support
• Shibboleth Internet2 site for documentation, configuration and installation
  – https://spaces.internet2.edu/display/SHIB2/Home