shibboleth-intro-dec05

Shibboleth
A Technical Overview
Tom Scavo
[email protected]
NCSA
What is Shibboleth?
• Shibboleth provides cross-domain single sign-on and attribute-based authorization while preserving user privacy
• Shibboleth is simultaneously:
  1. A project
  2. A specification
  3. An implementation
Shibboleth Project
• Shibboleth, a project of Internet2-MACE:
  – Advocates a federated identity management policy framework focused on user privacy
  – Develops middleware architectures to facilitate inter-institutional attribute sharing
  – Manages an open source reference implementation of the Shibboleth spec
• Shibboleth has made significant contributions to the SAML-based identity management space
Collaborations
(Diagram: Shibboleth at the center, collaborating with Internet2, OASIS, E-Auth, Educause, Liberty, and vendors)
Shibboleth Specification
• Shibboleth is an extension of the SAML 1.1 browser profiles:
  – Shibboleth Browser/POST Profile
  – Shibboleth Browser/Artifact Profile
  – Shibboleth Attribute Exchange Profile
• See the Shibboleth spec for details:
  S. Cantor et al., Shibboleth Architecture: Protocols and Profiles. Internet2-MACE, 10 September 2005.
Shibboleth Implementation
• The Shibboleth implementation consists of two components:
  1. Shibboleth Identity Provider
  2. Shibboleth Service Provider
• The Identity Provider is a J2EE webapp
• The Service Provider is a C++ Apache module
  – A pure Java Service Provider is in beta
The Shibboleth Experience
The Shibboleth Wiki
• For example, the Shibboleth wiki (hosted at ohio-state.edu) is “shibbolized”:
  https://authdev.it.ohiostate.edu/twiki/bin/view/GridShib/WebHome
• To edit wiki pages, a user must be known to the wiki
• Users have wikiNames but do not have wiki passwords
• Users log into their home institution, which asserts user identity to the wiki
Shib Browser Profile
• The user clicks the link “Login via InQueue IdP”
• This initiates a sequence of steps known as the Shibboleth Browser Profile
(Diagram: the Client, InQueue, UIUC, and OSU, with the Browser Profile steps numbered 1 through 8)
Shib Browser Profile
• InQueue provides a “Where Are You From?” service
• The user chooses their preferred identity provider from a menu
(Diagram: the Client, InQueue, UIUC, and OSU, with the Browser Profile steps numbered 1 through 8)
Shib Browser Profile
• The user is redirected to the UIUC login page
• After login, the user is issued a SAML assertion and redirected back to the wiki
(Diagram: the Client, InQueue, UIUC, and OSU, with the Browser Profile steps numbered 1 through 8)
Shib Browser Profile
• After validating the assertion, the wiki@OSU retrieves user attributes via back-channel Shib attribute exchange
(Diagram: the Client, InQueue, UIUC, and OSU, with the Browser Profile steps numbered 1 through 8)
Asserting Identity
• Initially, the user is unknown to the wiki
• After querying the home institution, the wiki knows the user’s identity
• “trscavo-uiuc.edu” is wiki-speak for [email protected]
• The latter is eduPersonPrincipalName, an identity attribute asserted by the user’s home institution
OpenIdP.org
• By design, a user with an account at an institution belonging to InCommon, InQueue, or SDSS can log into the wiki:
  https://authdev.it.ohiostate.edu/twiki/bin/view/GridShib/WebHome
• Other users can register at openidp.org, which is a zero-admin Shibboleth IdP
• The openidp asserts an alternate form of identity (email addresses as opposed to eduPersonPrincipalName)
Shibboleth SSO Profiles
The Actors
• Identity Provider
  – The Identity Provider (IdP) creates, maintains, and manages user identity
  – A Shibboleth IdP produces SAML assertions
• Service Provider
  – The Service Provider (SP) controls access to services and resources
  – A Shibboleth SP consumes SAML assertions
(Diagram: the Identity Provider comprises an Authentication Authority, an Attribute Authority, an SSO Service, and an Artifact Resolution Service; the Service Provider comprises an Assertion Consumer Service, an Attribute Requester, and the Resource)
Shib SSO Profiles
• Shibboleth SSO profiles are SP-first
• Shibboleth specifies an Authentication Request Profile
• Shibboleth Browser/POST Profile = Shib Authn Request Profile + SAML Browser/POST Profile
• Shibboleth Browser/Artifact Profile = Shib Authn Request Profile + SAML Browser/Artifact Profile
Shib AuthN Request Profile
• A Shibboleth authentication request is an ordinary GET request:
  https://idp.org/shibboleth/SSO?
  providerId=https://sp.org/shibboleth/&
  shire=https://sp.org/shibboleth/SSO&
  target=https://sp.org/myresource&
  time=1102260120
• The client is redirected to this location after requesting a protected resource at the SP without a security context
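The request above, built on the SP side and checked on the IdP side before any assertion is issued, as an added example that is not code from the Shibboleth project; the SP_METADATA table, the 300-second time window, and the is_acceptable helper are assumptions made for the example.

```python
"""Shibboleth authentication request (SP -> IdP redirect), built by the SP
and validated by the IdP.  Added example; SP_METADATA is constructed."""
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed: the assertion consumer service URLs an IdP would learn from
# federation metadata, keyed by the SP's providerId.
SP_METADATA = {
    "https://sp.org/shibboleth/": {"https://sp.org/shibboleth/SSO"},
}
IDP_SSO = "https://idp.org/shibboleth/SSO"
MAX_SKEW_SECONDS = 300  # assumed freshness window for the 'time' parameter


def build_authn_request(provider_id, shire, target, now=None):
    """SP side: the location a client without a security context is sent to."""
    now = int(time.time()) if now is None else now
    query = urlencode({"providerId": provider_id, "shire": shire,
                       "target": target, "time": now})
    return f"{IDP_SSO}?{query}"


def check_authn_request(url, now=None):
    """IdP side: parse the GET and validate its parameters.

    Returns the validated parameters; raises ValueError on any failure.
    """
    now = int(time.time()) if now is None else now
    params = parse_qs(urlsplit(url).query)
    try:
        provider_id, shire = params["providerId"][0], params["shire"][0]
        target, issued = params["target"][0], int(params["time"][0])
    except (KeyError, ValueError) as exc:
        raise ValueError(f"malformed authn request: {exc}") from None
    if provider_id not in SP_METADATA:
        raise ValueError(f"unknown providerId {provider_id}")
    # The assertion will be POSTed to 'shire' (step 5), so only an endpoint
    # registered for this SP in metadata may be named there.
    if shire not in SP_METADATA[provider_id]:
        raise ValueError(f"shire {shire} is not registered for {provider_id}")
    if abs(now - issued) > MAX_SKEW_SECONDS:
        raise ValueError("authn request is outside the allowed time window")
    return {"providerId": provider_id, "shire": shire, "target": target}


def is_acceptable(url, now=None):
    """True if the request passes every check above, False otherwise."""
    try:
        check_authn_request(url, now)
        return True
    except ValueError:
        return False
```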
Shib Browser/POST Profile
• Browser/POST is an SP-first profile
• The IdP produces an assertion at step 4, which the SP consumes at step 5
(Diagram: the Client, the Identity Provider (Authentication Authority, Attribute Authority, SSO Service), and the Service Provider (Assertion Consumer Service, Resource), with steps numbered 1 through 8)
Attributes
Shib Attribute Exchange
• A Shibboleth SP often queries an IdP for attributes after validating an authN assertion
• An opaque, transient identifier called a handle is embedded in the authN assertion
• The SP sends a SAML AttributeQuery message with handle attached
Browser/POST Profile
• The first 5 steps of this profile are identical to ordinary Browser/POST
• Before redirecting the Client to the Resource Manager, the SP queries for attributes via a back-channel exchange
(Diagram: the Client, the Identity Provider (Authentication Authority, Attribute Authority, SSO Service), and the Service Provider (Assertion Consumer Service, Attribute Requester, Resource), with steps numbered 1 through 10)
Browser/POST Step 1
• The Client requests a target resource at the SP
(Diagram: the Browser/POST figure with step 1 highlighted)
Browser/POST Step 2
• The SP performs a security check on behalf of the target resource
• If a valid security context at the SP does not exist, the SP redirects the Client to the single sign-on (SSO) service at the IdP
(Diagram: the Browser/POST figure with steps 1 and 2 highlighted)
Browser/POST Step 3
• The Client requests the SSO service at the IdP
(Diagram: the Browser/POST figure with steps 1 through 3 highlighted)
Browser/POST Step 4
• The SSO service processes the authN request and performs a security check
• If the user does not have a valid security context, the IdP identifies the principal (details omitted)
• The SSO service produces an authentication assertion and returns it to the Client
(Diagram: the Browser/POST figure with steps 1 through 4 highlighted)
Browser/POST Step 5
• The Client issues a POST request to the assertion consumer service at the SP
• The authN assertion is included with the request
(Diagram: the Browser/POST figure with steps 1 through 5 highlighted)
Browser/POST Step 6
• The assertion consumer service validates the request and creates a security context at the SP
• The attribute requester sends a (mutually authenticated) attribute query to the AA
(Diagram: the Browser/POST figure with steps 1 through 6 highlighted)
Browser/POST Step 7
• The IdP returns an attribute assertion subject to attribute release policy
• The SP filters the attributes according to attribute acceptance policy
(Diagram: the Browser/POST figure with steps 1 through 7 highlighted)
Browser/POST Step 8
• The assertion consumer service updates the security context and redirects the Client to the target resource
(Diagram: the Browser/POST figure with steps 1 through 8 highlighted)
Browser/POST Step 9
• The Client requests the target resource at the SP (again)
(Diagram: the Browser/POST figure with steps 1 through 9 highlighted)
Browser/POST Step 10
• Since a security context exists, the SP returns the resource to the Client
(Diagram: the Browser/POST figure with steps 1 through 10 highlighted)
Directory Schema
• Neither Shibboleth nor SAML define any attributes per se
• It is left to individual deployments to define their own attributes
• A standard approach to user attributes is crucial
• Without such standards, interoperability is impossible
eduPerson
• Internet2 and EDUCAUSE have jointly developed a set of attributes and associated bindings called eduPerson
• The LDAP binding of eduPerson is derived from the standard LDAP object class called inetOrgPerson [RFC 2798]
• Approximately 40 attributes have been defined by InCommon as common identity attributes
InCommon Attributes
• InCommon’s 6 “highly recommended” attributes:

  Attribute Name                Attribute Value
  givenName                     Mary
  sn (surname)                  Smith
  cn (common name)              Mary Smith
  eduPersonScopedAffiliation    [email protected]
  eduPersonPrincipalName        [email protected]
  eduPersonTargetedID           ?
  (eduPersonTargetedID does not have a precise value syntax)
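The attribute acceptance filtering of Browser/POST step 7, applied to the InCommon attributes above, as an added example that is not Shibboleth's own attribute acceptance policy code; the accepted-attribute list, the IdP scope table, and the sample assertion values are constructed for the example.

```python
"""SP-side attribute acceptance policy (step 7) for the InCommon attributes.
Added example, not Shibboleth's AAP code; all tables below are constructed."""

# Attributes this SP accepts, and which of them carry a "user@scope" value
# whose scope must belong to the asserting IdP.
ACCEPTED = {"givenName", "sn", "cn", "eduPersonScopedAffiliation",
            "eduPersonPrincipalName", "eduPersonTargetedID"}
SCOPED = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}

# Constructed: scopes each IdP may assert, as federation metadata declares
# them (example.edu is a placeholder, not a real InCommon scope).
IDP_SCOPES = {"https://idp.example.edu/shibboleth": {"example.edu"}}

# Constructed sample modelled on the table above, with one affiliation
# scoped to a domain the IdP may not assert and one attribute the SP ignores.
SAMPLE = {"givenName": ["Mary"], "sn": ["Smith"], "cn": ["Mary Smith"],
          "eduPersonPrincipalName": ["msmith@example.edu"],
          "eduPersonScopedAffiliation": ["staff@example.edu", "member@other.edu"],
          "mail": ["msmith@example.edu"]}


def accept_attributes(idp_id, asserted):
    """Filter an attribute assertion received from idp_id.

    asserted: {attribute name: [values]} decoded from the SAML assertion.
    Returns (kept, dropped): kept has the same shape as asserted; dropped
    lists one reason per discarded attribute or value.
    """
    allowed_scopes = IDP_SCOPES.get(idp_id, set())
    kept, dropped = {}, []
    for name, values in asserted.items():
        if name not in ACCEPTED:
            dropped.append(f"{name}: not in acceptance policy")
            continue
        good = []
        for value in values:
            if name in SCOPED:
                user, sep, scope = value.rpartition("@")
                # Reject a missing scope, an empty user part, or a scope this
                # IdP is not entitled to vouch for.
                if not sep or not user or scope not in allowed_scopes:
                    dropped.append(f"{name}={value}: scope not permitted "
                                   f"for {idp_id}")
                    continue
            good.append(value)
        if good:
            kept[name] = good
    return kept, dropped
```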