Shibboleth: How It Relates to SAML
Transcript of Shibboleth: How It Relates to SAML
Shibboleth: How It Relates to SAML
Marlena Erdos
Aug 27, 2001
Outline
• What is Shibboleth?
• Why Shibboleth? (Shortened)
• High Level Architecture
• Artifact Creation & Use
• Connects & Disconnects with SAML
What is Shibboleth? (meta-information)
• A joint project of Internet2/MACE and IBM
  – Internet2: a consortium of 200+ higher-ed institutions (e.g. MIT, Brown, Ohio State)
• A system with an emphasis on higher-ed
• A system very applicable to the B2B space
What is Shibboleth? (Really!)
• “A system for the secure exchange of interoperable authorization information which can be used in access control decisions”
• AuthZ info
  – name
  – attributes, e.g. group, role, course membership
What is Shibboleth? (Yet More)
A system ...
• with an emphasis on privacy
  – users control release of their attributes
• partially based on the emerging SAML std
  – both narrower and broader
• an example of “federated administration”
Why Shibboleth?
• [Slides about the benefits of Federated Admin removed.]
• Higher Ed has privacy obligations
  – “FERPA” demands permission for PII release
• General interest and concern in privacy
• Shibboleth has privacy provisions “built in”
High Level Arch Outline
• Simplified Arch -- Getting Attributes
• More Full Arch -- Getting Handles
• Attributes
• Attribute Release Policies
Simplified Arch/Flow: Getting Attributes
1. Browser User tries to access web resource
2. “Shibbolized” web server has no user context
3. “SHAR” part of server gets attrs from an AA
   – SHAR = SHibboleth Attribute Requestor
   – AA = Attribute Authority
Simplified Flow
[Figure: Joe surfs the web. University side: the Attribute Authority, holding entries such as “Joe: Student; English Major”, “Mary: Faculty; BioChem; ...”, “Sue: staff; IT dept.; ...”, plus “Other Shibboleth Stuff”. Resource Provider side: the HTTP server (http:www.coolResource.com) with its SHAR and the Shared Resource. The SHAR sends an Attribute Query (AQM) to the AA and receives an Attribute Response (ARM).]
More Full Arch/Flow: Getting an artifact aka “handle package”
• Privacy aspect of Shibb creates burdens
• No (zero) identifying info on user initially
• No “home site” info either
• Shibbolized server must get a user handle
  – The “SHIRE” does this work
Note: The following describes “first contact” rather than “local portal”. Both work.
SHIRE
• The part of the server that gets artifacts is the “Shibboleth Indexical Reference Establisher”
• “Indexical Reference” -> point at user
  – No identity
  – No description
SHIRE (cont)
• SHIRE uses http connection to point at user
• SHIRE acquires artifacts securely
• SHIRE passes some of the artifact contents to SHAR
  – “handle” to use in a query
  – AA address info
SHIRE Flow
The SHIRE interacts with
1. WAYF to get user’s home institution info
2. Home institution’s “Handle Server”
SHIRE/WAYF
• WAYF = Where Are You From
• WAYF
  – asks user for their home institution
  – retrieves handle server info of the home site
  – Handle server info:
    • IP address
    • PKI certificate or equivalent
SHIRE/Handle Server
• SHIRE asks handle server for a handle
  – “Point” to user via http redirect
• Handle server interacts with
  – authentication system and user if necessary
  – AA (potentially)
Acquiring a handle
[Figure: Joe surfs the web. University side: Handle Service, Authentication System, Attribute Authority. Resource Provider side: HTTP server (http:www.coolResource.com) with SHIRE and SHAR; WAYF. Arrows labelled #1, #2, #3, #3a and #3b connect these components.]
The Whole Flow
[Figure: the same components (Joe surfs the web; University side: Handle Service, Attribute Authority; Resource Provider side: HTTP server http:www.coolResource.com with SHIRE and SHAR; WAYF). Arrows labelled #1 through #4, with “Handle” and “Attributes” marking what is returned.]
High Level Arch Outline
• Simplified Arch -- Getting Attributes
• More Full Arch -- Getting Handles
• Attributes
• Attribute Release Policies
• AQMs, ARPs, & Assertions
Attributes
• EPPN: EduPerson Principal Name
  – From the EduPerson schema
  – e.g. [email protected]
• Affiliation
  – Faculty, Staff, Student
• MemberOfCommunity
• GroupMembershipExt
  – allow for extension of attribute space
Attribute Release Policies (ARPs)
An ARP at an AA consists of
• The destination SHAR's name
• The attributes to be released to the SHAR
• And optionally a URL (called a “target”)
  – Target refers to entire subtree of resources
ARPs (cont)
• User can have as many ARPs as needed
• AA finds set of ARPs
  – Initial set based on SHAR making AQM
  – AA finds “best match”
• AQM contains user’s requested destination URL
• Requested URL compared with targets in ARPs
ARPs, AQM, & Assertions
• When AQM comes in ...
• AA finds best fit ARP ...
• ... creates or finds an assertion that fits the ARP!
• Finds ARP based on user and SHAR
• Finds user from handle!!!
  -> Handle is in the AQM
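The ARP selection the last two slides describe (initial set by SHAR, best match of the requested URL against subtree targets, release only what the ARP allows), as an added example that is not part of the original deck or the Shibboleth code base. The ARP shape, the longest-target tie-break and all names and URLs are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed model of an ARP as the slides describe it.
@dataclass(frozen=True)
class ARP:
    shar: str                     # destination SHAR's name
    attributes: frozenset         # attributes released to that SHAR
    target: Optional[str] = None  # optional URL; refers to a whole subtree

def covers(target: str, requested: str) -> bool:
    """True when the requested URL lies in the subtree rooted at target."""
    t, r = urlparse(target), urlparse(requested)
    if (t.scheme, t.netloc) != (r.scheme, r.netloc):
        return False
    prefix = t.path if t.path.endswith("/") else t.path + "/"
    return r.path == t.path or r.path.startswith(prefix)

def best_match(arps: list, shar: str, requested_url: str) -> Optional[ARP]:
    """Initial set: the user's ARPs for the SHAR that sent the AQM. Best match:
    the covering target with the longest path; an ARP with no target applies
    to the whole SHAR and loses to any targeted match (assumed tie-break)."""
    best, best_len = None, -1
    for arp in arps:
        if arp.shar != shar:
            continue
        if arp.target is None:
            length = 0
        elif covers(arp.target, requested_url):
            length = len(arp.target)
        else:
            continue
        if length > best_len:
            best, best_len = arp, length
    return best

def release(user_attrs: dict, arps: list, shar: str, requested_url: str) -> dict:
    """What the AA puts in the assertion: nothing unless an ARP permits it."""
    arp = best_match(arps, shar, requested_url)
    return {} if arp is None else {k: v for k, v in user_attrs.items() if k in arp.attributes}

# Constructed sample data: Joe from the "Simplified Flow" slide and three ARPs.
JOE = {"eppn": "joe@university.example", "affiliation": "student", "memberOfCommunity": "english-majors"}
JOE_ARPS = [
    ARP("shar.coolresource.example", frozenset({"affiliation"})),
    ARP("shar.coolresource.example", frozenset({"affiliation", "eppn"}), "https://www.coolresource.example/courses/"),
    ARP("shar.other.example", frozenset({"eppn"})),
]
```

A SHAR the user has no ARP for gets an empty attribute set, which is the privacy default the deck emphasises.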
Artifact Creation and Use
• Handle Server
• SHIRE
Handle Server
• Answers attribute query handle request
• AQHR contains
  – SHIRE Name (FQDN)
  – URL that user typed (for the redirect)
Handle Server (cont)
• The AQHR is redirected through the browser
• HS must
  – figure out who the user is
    • can interact with user and authN system
  – create a handle that identifies the user to the AA (but to no one else)
    • Could encrypt principal id with AA’s public key
Handle Server
The response to the AQHR
• version number of response
• opaque user handle
• FQDN of the requesting SHIRE
• IP address of browser process
• issue time of this response
• AA contact information
• FQDN of Handle Server
• Signature (w/o certificate) (XSIG)
SHIRE
• Performs impersonation checks
• Possible threats include
  – malicious user pretends to be real user
  – malicious SHIRE pretends to be real user
SHIRE (cont)
• Malicious user counter-measure
  – IP address and issue time
• Malicious SHIRE counter-measure
  – Intended SHIRE name
• SHIRE checks counter-measure info against reality.
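The SHIRE-side check of a handle package against “reality”, covering the three slides above (the response fields, the two threats, and their countermeasures), as an added example rather than the deck's or the Shibboleth project's code. The real design signs the package with an XML Signature from the Handle Service's PKI key; an HMAC over the same fields stands in for it here so the block runs offline, and the trust list, freshness window, field names and sample values are all assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed trust list: Handle Service FQDN -> verification key. The real design
# uses an XML Signature (XSIG) from the HS's PKI key; an HMAC stands in for it here.
TRUSTED_HANDLE_SERVICES = {"hs.university.example": b"constructed-shared-secret"}
MAX_AGE_SECONDS = 60   # assumed freshness window for the issue time
SIGNED_FIELDS = ("version", "handle", "shire", "browser_ip", "issued",
                 "aa_contact", "handle_server")

def canonical(pkg: dict) -> bytes:
    """Deterministic encoding of the signed fields of a handle package."""
    return json.dumps({k: pkg.get(k) for k in SIGNED_FIELDS}, sort_keys=True).encode()

def sign_package(pkg: dict, key: bytes) -> dict:
    """Handle Service side: attach the signature over the canonical fields."""
    return dict(pkg, signature=hmac.new(key, canonical(pkg), hashlib.sha256).hexdigest())

def shire_check(pkg: dict, my_fqdn: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
    """SHIRE side: None if the package is acceptable, else the reason it is not.
    Trust and signature are checked before any countermeasure field is believed."""
    now = time.time() if now is None else now
    key = TRUSTED_HANDLE_SERVICES.get(pkg.get("handle_server"))
    if key is None:
        return "untrusted handle server"
    expected = hmac.new(key, canonical(pkg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, pkg.get("signature", "")):
        return "bad signature"
    if pkg["shire"] != my_fqdn:           # malicious-SHIRE countermeasure
        return "issued for a different SHIRE"
    if pkg["browser_ip"] != client_ip:    # malicious-user countermeasure, part 1
        return "browser IP mismatch"
    if not 0 <= now - pkg["issued"] <= MAX_AGE_SECONDS:   # part 2: issue time
        return "issue time outside acceptance window"
    return None

# Constructed sample package, as the Handle Service would return it.
SAMPLE = sign_package({"version": 1, "handle": "opaque-handle-7f3a", "shire": "shire.coolresource.example",
                       "browser_ip": "192.0.2.10", "issued": 1_000_000,
                       "aa_contact": "https://aa.university.example/", "handle_server": "hs.university.example"},
                      TRUSTED_HANDLE_SERVICES["hs.university.example"])
```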
Connects
• Query & Assertion & Artifact formats
  – We want to use SAML query & assn format!
  – We want to be artifact framework compliant!
Summary: Differences from current spec seem workable.
![Page 34: Shibboleth: How It Relates to SAML](https://reader033.fdocuments.in/reader033/viewer/2022050820/5681584e550346895dc5ab71/html5/thumbnails/34.jpg)
Disconnects with SAML
• Disconnects:
  – Semantics of the artifact
  – Where impersonation countermeasure info belongs
    • In the assertion or in packaging?
  – Requirement for an AuthN assertion
  – How to represent an anonymous browser user in the assertion
![Page 35: Shibboleth: How It Relates to SAML](https://reader033.fdocuments.in/reader033/viewer/2022050820/5681584e550346895dc5ab71/html5/thumbnails/35.jpg)
Disconnects
Semantics of the artifact:
  – Shibb: A handle that refers to a user plus counter-measure packaging.
  – Bindings doc: “A ‘small’, bounded-size [item], which unambiguously identifies an assertion”
  – Possible resolution: “The thing can be used to retrieve an assertion about the related browser user.”
![Page 36: Shibboleth: How It Relates to SAML](https://reader033.fdocuments.in/reader033/viewer/2022050820/5681584e550346895dc5ab71/html5/thumbnails/36.jpg)
Connect within the Disconnect
• Out of Band trust info for the source:
  – Bindings: “<PartnerID> is a four byte value used by the destination site to determine source site identity as well as the URL (or address) for the ‘assertion lookup service’.”
  – Shib: Destination keeps lists of trusted Handle Services. But, “Assertion Lookup Service” addr info is carried in the handle package.
![Page 37: Shibboleth: How It Relates to SAML](https://reader033.fdocuments.in/reader033/viewer/2022050820/5681584e550346895dc5ab71/html5/thumbnails/37.jpg)
Artifact Structure
Framework for Artifacts:
B64 rep of <TypeCode> <artifact contents>
![Page 38: Shibboleth: How It Relates to SAML](https://reader033.fdocuments.in/reader033/viewer/2022050820/5681584e550346895dc5ab71/html5/thumbnails/38.jpg)
Artifact vs “Handle Package”
• Bindings Instantiation of an Artifact
  <TypeCode> := 0x0001 <PartnerID> <AssertionHandle>
• Handle Package
  [No type code -- yet!!]
  Name & Signature of Handle Service
  Opaque user handle plus Countermeasure Info
  AA contact information
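The artifact framework and its 0x0001 instantiation from the two slides above, worked as an added example (not code from the deck or from SAML/Shibboleth implementations): build B64(<TypeCode> <PartnerID> <AssertionHandle>), parse it back with the type code dispatch, and resolve the PartnerID through the out-of-band trust table the bindings text requires. The 2-byte big-endian type code, the 4-byte PartnerID, and the trust-table contents are assumptions; the handle-package type has no type code yet, so anything other than 0x0001 is rejected.

```python
import base64
import struct
from typing import Optional

TYPE_0001 = 0x0001    # bindings instantiation: <TypeCode> <PartnerID> <AssertionHandle>
PARTNER_ID_LEN = 4    # "a four byte value", per the bindings text quoted above

# Constructed out-of-band trust table: PartnerID -> (source site, assertion lookup URL).
# This is what the slides say the destination must already hold for type 0x0001.
TRUSTED_PARTNERS = {
    b"\x00\x00\x00\x2a": ("university.example", "https://hs.university.example/lookup"),
}

def build_artifact(partner_id: bytes, assertion_handle: bytes) -> str:
    """Source-site side: B64( TypeCode || PartnerID || AssertionHandle )."""
    if len(partner_id) != PARTNER_ID_LEN:
        raise ValueError("PartnerID must be exactly 4 bytes")
    if not assertion_handle:
        raise ValueError("AssertionHandle must not be empty")
    raw = struct.pack(">H", TYPE_0001) + partner_id + assertion_handle
    return base64.b64encode(raw).decode("ascii")

def parse_artifact(b64: str) -> dict:
    """Destination-site side: decode, read the type code, then split by type.
    Only 0x0001 is defined here; any other code (a future '002', say) is rejected."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 2:
        raise ValueError("artifact too short for a type code")
    type_code = struct.unpack(">H", raw[:2])[0]
    body = raw[2:]
    if type_code != TYPE_0001:
        raise ValueError(f"unsupported artifact type code 0x{type_code:04x}")
    if len(body) <= PARTNER_ID_LEN:
        raise ValueError("type 0x0001 artifact has no AssertionHandle")
    return {"type_code": type_code, "partner_id": body[:PARTNER_ID_LEN],
            "assertion_handle": body[PARTNER_ID_LEN:]}

def resolve_source(artifact: dict) -> Optional[tuple]:
    """Map PartnerID to the trusted source site and its lookup service; None if unknown."""
    return TRUSTED_PARTNERS.get(artifact["partner_id"])
```

The contrast with the handle package is visible in the last function: for 0x0001 the lookup address comes from the destination's own table, whereas the Shibboleth package carries the AA contact information inside the artifact.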
![Page 39: Shibboleth: How It Relates to SAML](https://reader033.fdocuments.in/reader033/viewer/2022050820/5681584e550346895dc5ab71/html5/thumbnails/39.jpg)
Disconnects
• CounterMeasure Protection Placement
  – Shibb: Countermeasures are “in” the artifact and “package” the handle.
  – Bindings: Countermeasures are in the assertion & the assertion must be an AuthN assertion!!
    – e.g. “Audience Restriction”
• What about “Post-ed” assertions?
  – Marlena: Package the assertion just like the handle!
![Page 40: Shibboleth: How It Relates to SAML](https://reader033.fdocuments.in/reader033/viewer/2022050820/5681584e550346895dc5ab71/html5/thumbnails/40.jpg)
Disconnect
• Web Browser profile currently *requires* an AuthN assn
• Mar claims:
  – not really necessary for the “framework”
  – rather tied to the “001” type artifact
• A Shib-like artifact is possible: ‘002’
  – Different specifics to meet overall goals!
![Page 41: Shibboleth: How It Relates to SAML](https://reader033.fdocuments.in/reader033/viewer/2022050820/5681584e550346895dc5ab71/html5/thumbnails/41.jpg)
Disconnects
• Representation of anonymous browser user
  – In the query and in the assertion
• Shibb hope: Query by handle
• Shibb hope: Assertion Subject indicates ‘handle’ (in some way)
• Core doc says ...
![Page 42: Shibboleth: How It Relates to SAML](https://reader033.fdocuments.in/reader033/viewer/2022050820/5681584e550346895dc5ab71/html5/thumbnails/42.jpg)
Disconnects (?)
• Core Doc: Subject
  • Name
  • SubjectConfirmation
  • Assertion Specifier
• SubjectConfirmation
  – Confirmation Method -> Artifact (4.1.1)
• Marlena: Which part of the artifact? What about new “types” of artifacts?
![Page 43: Shibboleth: How It Relates to SAML](https://reader033.fdocuments.in/reader033/viewer/2022050820/5681584e550346895dc5ab71/html5/thumbnails/43.jpg)
THE END
Shibboleth Acknowledgements:
Design Team: David Wasley, U of C; RL Bob Morgan, U of Washington; Keith Hazelton, U of Wisconsin (Madison); Marlena Erdos, IBM/Tivoli; Steven Carmody, Brown; Scott Cantor, Ohio State
Important Contributions from: Ken Klingenstein (I2); Michael Gettes, Georgetown; Scott Fullerton (Madison)