Shibboleth: Open Source Distributed Authentication and Authorization
Glen Newton, Head, [email protected]
GTEC: Open Source Security Strategy
Ottawa Oct 20 2004
Outline
• Introduction and Preliminaries
  – Authentication and Authorization
  – Authentication models
  – Identity and Privacy
• Shibboleth
• Other closed alternatives
  – Liberty Alliance
  – Others (MS Passport)
Resource Owners and Resource Users
• Resource Owner: the owner, producer or distributor of a resource. The (or one of the) legal holders and gatekeepers of the resource.
• Resource user: an entity which accesses a resource. Can be an individual, a group, a company, an agent, a system etc.
Authentication and Authorization
• Authentication: verifying who you are & associated attributes.
• Authorization: verifying that you are allowed access to a resource (room, web page, file, equipment, etc); assumes authentication.
• Traditionally in the library world, these two concepts are conflated.
Authorization Models
• Identity-based
  – The identity is passed to the resource owner, who decides whether to grant access: privacy issues.
• Attribute-based
  – Enough attributes are passed to the resource owner to allow access: no or limited privacy issues.
Identity and Privacy: Identity
• Identity management in the physical world: passports; birth certificates; driver’s licenses; national identity cards; SIN; etc.
• Used by others (government, police, banks, etc.) to verify ID
• In the Internet age, a much more difficult problem: “Like nailing jello to a wall…”
• For individuals:
  – proliferation of userids and passwords
  – some digital certificates
  – security smart cards
Identity and Privacy: Identity (cont.)
• For organizations:
  – Costly management of userids
  – Costly and complex management of relationships with resource owners
  – Security issues
  – Poor general solutions (e.g. access by an organization’s IP address ranges; etc.)
Identity and Privacy: Privacy
• Privacy has different dimensions:
  – “privacy of the person: … integrity of the individual’s body”
  – “privacy of personal behaviour: … sexual preferences and habits, political activities and religious practices”
  – “privacy of personal communications: … able to … without routine monitoring of their communications …”
  – “privacy of personal data”
  From Clarke, 1999
Identity and Privacy: Privacy (cont.)
• Electronic records, networks, electronic transactions: not just telephone anymore
• A range of expectations: some people are willing to give up more rights in Cyberspace; others expect something similar to the “real world”
• Canadian legislation: Personal Information Protection and Electronic Documents Act (PIPEDA)
Shibboleth
• Intro to Shibboleth
  – What is Shibboleth?
  – What issues does Shibboleth address?
  – Shibboleth architecture
  – How does it work?
  – Who is using it?
• Shibboleth at CISTI
What is Shibboleth?
• “Inter-realm attribute-based authorization for Web Services” – Shibboleth web page
  – Architecture and technology to support inter-institutional sharing of resources (middleware)
  – Based on a federated administration trust framework
  – Controlled dissemination of attribute information, based on administration defaults and user preferences
What is Shibboleth?
• Internet2/MACE Project; NSF Middleware initiative component
• Players: IBM, Brown U, Ohio State, MIT, CMU, Stanford
What is Shibboleth? (cont.)
• Founding assumptions:
  – Federated administration
  – Lightweight mechanisms: disturb as little of the existing infrastructure as possible
  – Leverage vendor and standards activity wherever possible
What is Shibboleth? (cont.)
• Key concepts:
  – Federated Administration
  – Access Control Based On Attributes
  – Active Management of Privacy
  – Standards Based
  – A Framework for Multiple, Scalable Trust and Policy Sets (Federations)
What is Shibboleth? (cont.)
• What issues does Shibboleth address?
  – Resource user:
    • Access from on-campus
    • Access from off-campus
    • User account proliferation
    • Increased privacy
    • Single sign-on/sign-off across domains!!
What is Shibboleth? (cont.)
• What issues does Shibboleth address? (cont.)
  – Resource user’s organization:
    • Single authentication database
    • No IP management
    • If previously using IP access, better reporting
What is Shibboleth? (cont.)
• What issues does Shibboleth address? (cont.)
  – Resource owner:
    • Ends management of either userid/password or IP address ranges
    • Security
    • Reporting granularity
Shib: How does it work?
1. User requests a resource from the resource owner
2. User is asked to self-identify their organization
3. User is redirected to her organization’s Shib origin instance and authenticates there
4. User attributes are transferred to the resource owner’s instance of the Shib target
5. Resource owner compares the attributes to the policy associated with the user’s organization
6. User gets access to the resource
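The six-step exchange above as an added toy model in Python (not Shibboleth's own code): a home-site origin that authenticates the user and releases attributes only within the administrator's defaults and the user's own preferences, and a resource-owner target that decides access from the released attributes rather than from identity. Organisation, user and attribute names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Origin:
    """Home organisation's Shib origin: authenticates users, releases attributes."""
    name: str
    users: dict                    # userid -> (password, attribute dict)
    release_defaults: set          # attributes the administrator permits to leave
    user_prefs: dict = field(default_factory=dict)  # userid -> attributes the user withholds

    def authenticate(self, userid, password):
        rec = self.users.get(userid)
        return rec is not None and rec[0] == password

    def release_attributes(self, userid, requested):
        # Controlled dissemination: an attribute is released only if the target asked
        # for it, the administrator's defaults allow it, and the user has not withheld it.
        attrs = self.users[userid][1]
        withheld = self.user_prefs.get(userid, set())
        return {k: v for k, v in attrs.items()
                if k in requested and k in self.release_defaults and k not in withheld}

class Target:
    """Resource owner's Shib target: one attribute policy per federated origin."""
    def __init__(self, policies):
        self.policies = policies   # origin name -> {attribute: required value}

    def authorize(self, origin_name, attrs):
        required = self.policies.get(origin_name)
        if required is None:       # origin is not in the target's trust framework
            return False
        return all(attrs.get(k) == v for k, v in required.items())

def request_resource(target, origins, org, userid, password):
    """Steps 2-6: self-identify the org, authenticate at its origin, release only
    the attributes the target's policy needs, then compare against that policy."""
    origin = origins.get(org)
    if origin is None or not origin.authenticate(userid, password):
        return False, {}
    needed = set(target.policies.get(org, {}))
    released = origin.release_attributes(userid, needed)
    return target.authorize(org, released), released

# Constructed sample federation (names and attribute vocabulary are made up).
ORIGINS = {"univ-a": Origin(
    name="univ-a",
    users={"alice": ("pw-alice", {"affiliation": "member", "userid": "alice", "dept": "chem"})},
    release_defaults={"affiliation", "dept"},   # userid never leaves the home site
    user_prefs={"alice": {"dept"}})}            # alice withholds her department
TARGET = Target(policies={"univ-a": {"affiliation": "member"}})
```

A target whose policy names an attribute the user withholds, or that asks for the userid itself, is refused without the origin ever disclosing that attribute.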
Shib: How does it work? (diagram slide)
Shibboleth is:
• “NOT an authentication scheme (relies on home site infrastructure to do this)”
• “NOT an authorisation scheme (leaves this to the resource owner)”.
• “BUT an open, standards based protocol for securely transferring attributes between home site and resource site”.
• “Also provided as an OpenSource reference software implementation”.
After Paschoud, 2004
Shibboleth
• Who is using it?
  – JISC (UK Joint Information Systems Committee), EBSCO, Elsevier, OCLC, SFX (Ex Libris), JSTOR, McGraw Hill, Books, Innovative, WebCT, Blackboard, Swiss Education and Research Network (SWITCH), National Science Digital Library (NSDL), more…
  – Carnegie Mellon, Columbia, Dartmouth, Georgetown, London School of Economics, NYU, Ohio State, more…
Shibboleth at CISTI
• Prototyped the resource owner end of Shibboleth (Target) for 3 NRC Research Press journals
• Evaluated use within NRC Virtual Library
• Developed code for MySQL db lookup; submitted code to Shibboleth project
• Next steps dependent on adoption by resource producers (for VL) and resource users (for NRC Research Press)
Competing Federated ID Stacks (diagram slide)
From Blum, 2003
Alternatives: Liberty Alliance
• Intro to the Liberty Alliance
  – What is the Liberty Alliance?
  – How is the Liberty Alliance different from Shibboleth?
  – Players
  – Future
Liberty Alliance
• What is the Liberty Alliance?
  – More commercially oriented than Shib
  – Members include: Sun, Sony, Ericsson, GM, Novell, NEC, Oracle, SAP, NTT, Entrust, HP, AmEx.
  – However, Microsoft and IBM have refused to join!
Liberty Alliance
• Architecture
  – Very similar to Shibboleth, but more commercially oriented, with special features oriented around mobile devices, etc.
  – Less focus on user-mediated privacy
  – More reporting
Liberty Alliance (diagram slide)
Other Technologies
• Microsoft Passport
  – Centralized database (not federated)
  – Not standards-based
• Others: Sesame, PAPI, PERMIS
What to Adopt?
• Likely adoption of Shibboleth features in Liberty v2, with SAML 2.0
• Interoperability discussions ongoing
• Either or both: Liberty more commercial, Shibboleth more library/academic/publisher oriented
Questions?
• Glen Newton, CISTI, glen.newton@nrc-cnrc.gc.ca
References
• Blum, D. 2003. Federating Identity Management: Standards, Technologies and Industry Trends.
• Blum, D. 2004. Federated Identity: Extending Authentication and Authorization to New Applications.
• Clarke, R. 1999. Introduction to Dataveillance and Information Privacy, and Definitions of Terms.
• Lacey, D. 2003. Current Privacy Research and Frameworks. SecureWorld Expo.
• Liberty Alliance Web Site.
• Paschoud, J. 2004. The (now… then…) next of Authentication: Shibboleth. ALPSP Effective Customer Authentication.
• Rapoza, J. 2003. Liberty Alliance Has Missed the Point. eWeek, November 24.
• Shibboleth Project.
• Weil, N. 2004. NSF middleware initiative goes beyond science. InfoWorld, May.