Shibboleth: An Introduction

Shibboleth: An Introduction University of Pennsylvania SUG 13 October 2008


Page 1: Shibboleth: An Introduction

Shibboleth: An Introduction

University of Pennsylvania SUG, 13 October 2008

Page 2: Shibboleth: An Introduction

Agenda

• Web Authentication at Penn
• What is Shibboleth?
• Benefits
• How It Works
• Shibboleth Flow
• Next Steps


Page 3: Shibboleth: An Introduction

Web Authentication @ Penn

• Web Authentication services are in transition to a more secure and cost effective architecture

• Websec is targeted for decommissioning in June 2009 due to maintenance costs and security vulnerabilities

• CoSign is being implemented; it provides numerous benefits, from efficiencies in cost and security to positioning Penn for future strategic enhancements

• Shibboleth is a logical extension of the CoSign web authentication implementation and supports single sign on capabilities


Page 4: Shibboleth: An Introduction

What is Shibboleth?

• Authentication/attribute query protocol
• Built upon Security Assertion Markup Language (SAML), an XML-based standard
• Open source and standards based (Internet2 Middleware initiative)
• Increased use in the education community
• The Shibboleth “solution” is comprised of:
  – Central Identity Provider (CoSign)
    • Performs authentication
    • Responds to attribute queries from the service provider(s)
    • Issues authentication assertion to the service provider(s)
    • Issues attribute assertion to the service provider(s)
  – Service Providers, which protect web content
    • Apache module or IIS ISAPI filter plus daemon
    • Places returned attributes in HTTP headers
• Federation is not a component of the initial Shibboleth deployment
  – University School and Center applications
  – 3rd party vendor applications hosted at the University or at an external vendor site


Page 5: Shibboleth: An Introduction

Benefits

• Shibboleth provides an alternative web authentication service for Penn applications
  – CoSign as authentication service for internal University applications and as identity provider for Shibboleth
  – It supports integrated authentication with academic and business applications from 3rd party vendors requiring PennKey authentication (e.g. Blackboard)
• Authentication services between trusted components based on common attributes
• Authenticating users’ privacy and identity are not compromised when accessing Shibboleth protected services, resources and applications
• Supports Web Single Sign On (SSO) for University services and applications
  – Single Sign On (SSO) is a method of access control that provides the end user the ability to authenticate with their credentials and access resources in a secure realm without having to re-authenticate with each resource being accessed
  – Applications within a realm share the logon credential
• Shibboleth will support federated authentication service (future initiative): interoperability between disparate identity management systems across systems, organizations and security domains


Page 6: Shibboleth: An Introduction

How It Works


• The user attempts to access a protected resource

• The Shibboleth service provider intercepts the request and redirects the user to the identity provider

• The user enters their PennKey and Password and authenticates via CoSign

• The identity provider collects a set of attributes for the user via the attribute resolver, which pulls them from backend sources

Page 7: Shibboleth: An Introduction

How It Works


• The Identity Provider releases the attributes in response to the service provider’s request

• The assertion is placed into a message and the user is redirected to the service provider

• The user ends up at an assertion consumer service at the service provider which unpacks the message, decrypts the assertion, and performs required security checks; it extracts attributes and other information from the message

• The service provider enforces the rules itself or passes the attributes to the application

• The Shibboleth service provider places authentication and attribute information in the web environment as HTTP headers or environment variables
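The assertion consumer service steps described on these two slides, as an added example that is not part of the original deck: a Python model of the service provider side, assuming constructed entity IDs and a constructed SAML-like assertion (namespaces omitted), with XML-Signature verification replaced by an HMAC stand-in so it runs offline.

```python
# Added example, not from the slide deck: a simplified model of the checks a
# Shibboleth-style SP assertion consumer service runs before exposing attributes.
# Assumptions: constructed SAML-like XML (namespaces omitted); XML-Signature
# verification replaced by an HMAC over the assertion bytes so it runs offline.
import hmac, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SP_ENTITY_ID = "https://sp.example.edu/shibboleth"      # assumed SP entityID
TRUSTED_IDP = "https://idp.example.edu/idp/shibboleth"  # assumed IdP entityID
SHARED_KEY = b"demo-key-standing-in-for-the-idp-signing-key"
SAMPLE_TIME = datetime(2008, 10, 13, 14, 1, tzinfo=timezone.utc)  # "now" for the demo

# Constructed sample assertion, as the IdP would return it to the SP.
ASSERTION = """<Assertion Issuer="%s" InResponseTo="_req42">
  <Conditions NotBefore="2008-10-13T14:00:00Z" NotOnOrAfter="2008-10-13T14:05:00Z">
    <Audience>%s</Audience>
  </Conditions>
  <Attribute Name="eduPersonPrincipalName"><Value>jdoe@example.edu</Value></Attribute>
  <Attribute Name="eduPersonAffiliation"><Value>student</Value></Attribute>
</Assertion>""" % (TRUSTED_IDP, SP_ENTITY_ID)

def sign(assertion):
    """Stand-in for the IdP's signature: HMAC-SHA256 over the assertion bytes."""
    return hmac.new(SHARED_KEY, assertion.encode(), hashlib.sha256).hexdigest()

def consume(assertion, signature, expected_request_id, now):
    """Run the ACS checks; return attributes keyed by (constructed) header name."""
    if not hmac.compare_digest(sign(assertion), signature):
        raise ValueError("signature check failed")            # integrity and origin
    root = ET.fromstring(assertion)
    if root.get("Issuer") != TRUSTED_IDP:
        raise ValueError("untrusted issuer")                  # only the known IdP
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("assertion not bound to this request")  # replay protection
    cond = root.find("Conditions")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    nb = datetime.strptime(cond.get("NotBefore"), fmt).replace(tzinfo=timezone.utc)
    na = datetime.strptime(cond.get("NotOnOrAfter"), fmt).replace(tzinfo=timezone.utc)
    if not nb <= now < na:
        raise ValueError("assertion outside its validity window")  # freshness
    if cond.findtext("Audience") != SP_ENTITY_ID:
        raise ValueError("assertion issued for a different SP")    # audience
    # Only after every check passes do attributes reach the web environment.
    return {"Shib-" + a.get("Name"): a.findtext("Value")
            for a in root.findall("Attribute")}

if __name__ == "__main__":
    print(consume(ASSERTION, sign(ASSERTION), "_req42", SAMPLE_TIME))
```

The header names are constructed for the demo; a real SP maps attribute names to headers or environment variables through its own configuration.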

Page 8: Shibboleth: An Introduction

Shibboleth Flow

[Flow diagram showing the components: Web Application, Shibboleth Identity Provider, CoSign / Kerberos, Shibboleth Attribute Authority, Grouper, Shibboleth Service Provider]

Page 9: Shibboleth: An Introduction

Next Steps

• CoSign - Shibboleth
• Early 2009: pilot implementation and development of strategic implementation goals
• Mid-2009: available for supporting Penn authentication
• Early Adopter Support
• Shibboleth Internet2 site for documentation, configuration and installation
  – https://spaces.internet2.edu/display/SHIB2/Home
