Shibboleth: Access Management for the Future
John Paschoud, LSE Library
October 2005
21-Jul-15
ICOLC 2005, Poznan, Poland
1
What is (a) shibboleth?
(Biblical) [Judges, ch12, v5-6 (New American Standard)]
"The Gileadites captured the fords of the Jordan opposite Ephraim. And it happened when {any of} the fugitives of Ephraim said, "Let me cross over," the men of Gilead would say to him, "Are you an Ephraimite?" If he said, "No," then they would say to him, "Say now, 'Shibboleth.'" But he said, "Sibboleth," for he could not pronounce it correctly. Then they seized him and slew him at the fords of the Jordan. Thus there fell at that time 42,000 of Ephraim."
• The first recorded historic use of a 'password'
– (actually means "ear of corn")
• A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce the "sh", called the word sibboleth. See Judges xii.
• Hence, the criterion, test, or watchword of a party; a party cry or pet phrase.
Webster's Revised Unabridged Dictionary (1913)
[contents]
• Why change how we do Access Management?
• Why change to Shibboleth?
• What Shibboleth is and where it comes from
• How Shibboleth works
• The UK (JISC) programme to implement Shibboleth
• Implications for Libraries and Publishers
[Some material in this presentation is based on original material © Internet2, SWITCH, JISC, Elsevier and original individual authors - with permission and grateful acknowledgement]
[The author/presenter is individually responsible for material presented as either fact or opinion in this presentation and any accompanying material]
Why we need to change
• Users demand more mobility
• Education, libraries and publishers operate in an increasingly globalised environment
– (it's no good having a Great British solution!)
• Improved security for resources
• Improved privacy for users (DPA, FERPA)
• Need for devolved / distributed AM
• Need for role-based (not identity-based) AM
Devolved / Distributed
Access Management
• The separate functions of AM are
undertaken by the most appropriate
parties
• Registration & Authentication
– The Library or University
• Authorisation & Accounting
– The Resource-owner
Role-based vs Identity-based
Access Management
• The license between LSE and Elsevier, that enables me
to use ScienceDirect, is based on my role
– ([email protected])
• …not on my identity
– ([email protected])
• (…nor on my location - e.g. 158.143.162.28)
• Even if I want to use personalisation features of a
service, I could do so anonymously
– ([email protected])
• Or even with an anonymous identifier that’s repeatable,
but unique to my use of just one service
– (eduPersonTargetedID)
– (so different services can't compare notes with each other)
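To make the two properties on this slide concrete, here is an added Python illustration (not code from the presentation or from the Shibboleth project) of an Identity Provider releasing role attributes rather than identity, and deriving an eduPersonTargetedID-style identifier that is stable for one user at one service but cannot be matched up across services. The user entry, service entityIDs, salt and release policy are constructed; the keyed-hash construction is an assumption chosen for the example (the historical Shibboleth "computed ID" used a salted SHA-1 over the same inputs).

```python
"""Role-based attribute release and per-service pseudonymous identifiers.

Added illustration; the directory entry, service entityIDs, salt and release
policy are constructed and the keyed-hash construction is an assumption.
"""
import base64
import hashlib
import hmac

IDP_SCOPE = "lse.ac.uk"
# Constructed IdP secret. It must be high-entropy and kept secret: anyone who
# holds it (plus a list of usernames) can link targeted IDs back to people.
IDP_SALT = b"constructed-salt-0123456789abcdef0123456789abcdef"

# Constructed attribute repository entry (what an LDAP directory would hold).
USER_DB = {
    "user1234": {
        "displayName": "A. Person",
        "mail": "user1234@lse.example",
        "eduPersonAffiliation": ["member", "staff"],
    },
}

# Constructed release policy, one entry per service: the attributes the IdP
# will hand over. A service with no entry gets nothing (default deny).
RELEASE_POLICY = {
    "https://sciencedirect.example/shibboleth": {"eduPersonScopedAffiliation", "eduPersonTargetedID"},
    "https://dart.example/shibboleth": {"eduPersonScopedAffiliation", "eduPersonTargetedID"},
    "https://vle.lse.example/shibboleth": {"eduPersonScopedAffiliation", "eduPersonTargetedID", "displayName"},
}


def targeted_id(principal: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """eduPersonTargetedID-style value: stable for (user, service), opaque to the service.

    HMAC-SHA256 keyed with the IdP's secret salt over the service entityID and
    the local principal. Two services receive different values for the same
    user and cannot equate them without the salt.
    """
    mac = hmac.new(salt, f"{sp_entity_id}!{principal}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def resolve_attributes(principal: str) -> dict:
    """Everything the IdP knows about the user, before any release policy."""
    entry = USER_DB[principal]
    return {
        "displayName": entry["displayName"],
        "mail": entry["mail"],
        "eduPersonAffiliation": list(entry["eduPersonAffiliation"]),
        # Role plus the institution vouching for it: what a licence is based on.
        "eduPersonScopedAffiliation": [f"{a}@{IDP_SCOPE}" for a in entry["eduPersonAffiliation"]],
    }


def release(principal: str, sp_entity_id: str) -> dict:
    """What the service actually receives after the release policy is applied."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    attrs = resolve_attributes(principal)
    attrs["eduPersonTargetedID"] = targeted_id(principal, sp_entity_id)
    return {name: value for name, value in attrs.items() if name in allowed}


def can_link(attrs_at_a: dict, attrs_at_b: dict) -> bool:
    """What two services could do if they compared the identifiers they hold."""
    return attrs_at_a.get("eduPersonTargetedID") == attrs_at_b.get("eduPersonTargetedID")


if __name__ == "__main__":
    sd = release("user1234", "https://sciencedirect.example/shibboleth")
    dart = release("user1234", "https://dart.example/shibboleth")
    print("ScienceDirect sees:", sd)
    print("DART sees:", dart)
    print("can they link the user?", can_link(sd, dart))
```

The licence decision at ScienceDirect can be made from `member@lse.ac.uk` alone; the name and mail address never leave the IdP, and a personalisation profile keyed on the targeted ID survives across visits without telling the service who the user is. Rotating or leaking the salt breaks or undoes the property respectively, which is the operational point to watch.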
Why use Shibboleth?
• Meets the ‘Lynch principles’
– (Digital Library Federation / Coalition for Networked Information, 1996)
• Highly scaleable
– 13 million UK ‘lifelong learners’?
• Highly flexible
• Fits into the JISC / Common
Information Environment architecture
• Growing global acceptance
– US, Australia, Switzerland, Netherlands, Spain,
France… all have significant Shibboleth projects
• It works™
Athens AM service
[figure: the Athens national authentication service ("…a big database table with 3 million rows and 300 columns"), funded by about £0.5m pa from JISC, sits between Athens-enabled users (about 2.5 million users in post-16 education & the Health Service), for whom it is 'free', and Athens-authenticated resources (about 250 online services), whose commercial service vendors pay ££ subscriptions]
What is Shibboleth?
• An initiative (of Internet2) to develop an architecture and
policy framework supporting the sharing – between
domains -- of secured web resources and services
• A project delivering an open source implementation of
the architecture and framework
• Deliverables:
–Software for Identity Providers
(universities, libraries)
–Software for Service Providers
(publishers …and universities, libraries)
–Policy models for Federations
(scalable trust)
So… What is(n’t)
Shibboleth?
• A Web Single-Signon System (SSO)?
• An Access Control Mechanism for Attributes?
• A Standard Interface and Vocabulary for
Attributes?
• A Standard for Adding Authn and Authz to
Applications?
…a mechanism for binding all these things
together!
What does Shibboleth look like?
An LSE user follows a link to a DART anthropology resource hosted at Columbia University (New York)…
• https://dart.columbia.edu/secure/gandhi-timeline/sect_5
• Some other Shibboleth-enabled resources:
– http://auth.athensams.net/setsite.php?id=urn:mace:eduserv.org.uk:athens:provider:lse.ac.uk [Athens-Gateway resources available to LSE users]
– http://zetoc.mimas.ac.uk:8000/cgi-bin/wzshib [Zetoc-search hosted at MIMAS, Manchester]
– https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/ShibOnedotThree [Shibboleth Wiki at Ohio State]
• [annotated screenshots of DART demo]
• [screenshots of UCSD – Elsevier ScienceDirect demo]
• [continue presentation]
[demo1] User at LSE chooses a Shibboleth-enabled service at Columbia.
Note that this illustrates the 'worst case' – in which the user has started a virgin browser session on a shared workstation, and no mechanism is being used to automatically indicate which institution the user is from (such as links provided by a library portal).
[demo2] WAYF – in this case of a very simple federation, with just two member organisations. This WAYF is hosted at Columbia.edu.
[demo3] Authentication (note server is at LSE.ac.uk, not Columbia.edu).
[demo4] Handle request.
[demo5] User reaches secure resource.
Anonymised login to ScienceDirect with a local University of California – San Diego username and password, and the US InCommon Federation. Captured from live production service!
[screenshots of the UCSD – ScienceDirect demo; slides 18 to 23 are screenshots only]
How does Shibboleth
work?
1. Explanation for end-users
2. Explanation for chief librarians & IT
directors
3. Explanation for slightly curious library
technologists
4. Explanation for IT support people who
have to keep it working
How does Shibboleth work?
[end-users]
• Shibboleth? What’s Shibboleth?
– When something asks you for a username &
password, you just enter the username &
password we gave you, when you registered!
– Duh!
– (You don’t want to know how all our network
plumbing works? …do you???)
How does Shibboleth work?
[chief librarians]
• Shibboleth? Oh, it’s magic.
– (You don’t want to know how all our network
plumbing works? …do you???)
– Oh, and we should have less annoying users
queuing at the Enquiries Desk, because
they’ve lost one of their passwords
Technical Components
• IdentityProvider (IdP) site – Required Enterprise Infrastructure
– Authentication
– Attribute Repository
• IdentityProvider Site – Shib Components
– Handle Server
– Attribute Authority
• ServiceProvider (SP) site - Required Enterprise Infrastructure
– Web Server (Apache or IIS)
• ServiceProvider Site – Shib Components
– SHIRE
– SHAR
– WAYF
– Resource Manager
Shibboleth Architecture
[figure © SWITCH, 2004: message sequence between the user's Home Org (User DB, WEBLOGIN, HS, AA), the WAYF and the Resource Owner (SHIRE, SHAR, Resource Manager, Resource); the speech bubbles in order are:]
1. Resource Owner (SHIRE): "I don't know you. Not even which home org you are from. I redirect your request to the WAYF."
2. WAYF: "Please tell me where are you from?"
3. WAYF: "OK, I redirect your request now to the Handle Service of your home org."
4. HS: "I don't know you. Please authenticate using WEBLOGIN." (The user presents credentials, checked against the home org's user DB.)
5. HS: "OK, I know you now. I redirect your request to the target, together with a handle."
6. SHIRE passes the handle to the SHAR: "I don't know the attributes of this user. Let's ask the Attribute Authority."
7. AA: "Let's pass over the attributes the user has allowed me to release."
8. Resource Manager: "OK, based on the attributes, I grant access to the resource."
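The following Python simulation is an added illustration (not code from the presentation, from SWITCH or from the Shibboleth project) of the exchange in the diagram above and of the component list on the Technical Components slide: WAYF, Handle Server, SHIRE, SHAR, Attribute Authority and Resource Manager. Every providerId, user, password, handle lifetime and release policy is constructed, and the real components exchange SAML 1.x messages over HTTP redirects and a back-channel query rather than Python calls. What it shows is the security shape of the design: authentication stays at the home org, the handle the SP receives is random and bound to one SP for a short time, the AA releases only what its policy allows, and the SP decides on attributes alone.

```python
"""Simulated Shibboleth 1.x exchange between a home org and a resource owner.
Added illustration; every providerId, user, password and policy is constructed."""
import hmac
import secrets
import time

HANDLE_LIFETIME_S = 300  # assumption: handles are short-lived


class HandleServer:
    """IdP side: checks credentials against the user DB, issues an opaque handle."""

    def __init__(self, providerId, users):
        self.providerId = providerId
        self._users = users    # constructed user DB: username -> password
        self.handles = {}      # handle -> (principal, target providerId, expiry)

    def login(self, username, password, target_sp):
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        handle = secrets.token_urlsafe(16)  # random; reveals nothing about the user
        self.handles[handle] = (username, target_sp, time.time() + HANDLE_LIFETIME_S)
        return handle


class AttributeAuthority:
    """IdP side: maps a handle back to a user, releases only what the policy allows."""

    def __init__(self, hs, directory, release_policy):
        self._hs, self._directory, self._policy = hs, directory, release_policy

    def query(self, handle, requesting_sp):
        entry = self._hs.handles.get(handle)
        if entry is None:
            return None                                   # unknown handle
        principal, target_sp, expiry = entry
        if time.time() > expiry or target_sp != requesting_sp:
            return None                                   # expired, or issued for another SP
        allowed = self._policy.get(requesting_sp, set())  # SP not in policy: release nothing
        return {k: v for k, v in self._directory[principal].items() if k in allowed}


class ServiceProvider:
    """SP side: SHIRE (accepts handle once), SHAR (asks AA), Resource Manager (decides)."""

    def __init__(self, providerId, wayf, required_affiliations):
        self.providerId = providerId
        self._wayf = wayf                    # home org name -> (HS, AA): the WAYF's knowledge
        self._required = set(required_affiliations)
        self._replay_cache = set()

    def accept_handle(self, aa, handle):
        """SHIRE + SHAR + RM. Returns (decision, attributes the SP saw)."""
        if handle is None:
            return "authentication failed at home org", {}
        if handle in self._replay_cache:
            return "replayed handle rejected", {}
        self._replay_cache.add(handle)
        attrs = aa.query(handle, self.providerId)
        if not attrs:
            return "no attributes released", {}
        if set(attrs.get("eduPersonAffiliation", [])) & self._required:
            return "granted", attrs
        return "denied", attrs

    def access(self, home_org, username, password):
        """Whole flow: WAYF answer, HS login, handle back to SHIRE, SHAR/AA, RM."""
        hs, aa = self._wayf[home_org]
        return self.accept_handle(aa, hs.login(username, password, self.providerId))


def build_federation():
    hs = HandleServer("https://idp.lse.example/shibboleth",
                      {"staff1": "correct horse", "student1": "battery staple"})
    directory = {
        "staff1": {"mail": "staff1@lse.example", "eduPersonAffiliation": ["member", "staff"]},
        "student1": {"mail": "student1@lse.example", "eduPersonAffiliation": ["member", "student"]},
    }
    policy = {"https://journals.example/shibboleth": {"eduPersonAffiliation"},
              "https://staffportal.example/shibboleth": {"eduPersonAffiliation"}}
    aa = AttributeAuthority(hs, directory, policy)
    wayf = {"LSE": (hs, aa)}
    sps = {name: ServiceProvider(f"https://{name}.example/shibboleth", wayf, req)
           for name, req in [("journals", {"member"}), ("staffportal", {"staff"}), ("unlisted", {"member"})]}
    return hs, aa, sps


def run_demo():
    hs, aa, sps = build_federation()
    results = {
        "staff at journals": sps["journals"].access("LSE", "staff1", "correct horse"),
        "student at staff portal": sps["staffportal"].access("LSE", "student1", "battery staple"),
        "bad password": sps["journals"].access("LSE", "staff1", "wrong"),
        "sp outside release policy": sps["unlisted"].access("LSE", "staff1", "correct horse"),
    }
    handle = hs.login("staff1", "correct horse", sps["journals"].providerId)
    sps["journals"].accept_handle(aa, handle)                       # first presentation is fine
    results["replayed handle"] = sps["journals"].accept_handle(aa, handle)
    handle = hs.login("staff1", "correct horse", sps["journals"].providerId)
    results["handle issued for another sp"] = sps["staffportal"].accept_handle(aa, handle)
    return results
```

`run_demo()` exercises the cases a deployer should test: a replayed handle is refused by the SHIRE's cache, a handle minted for one SP is useless at another because the AA checks the binding, and an SP the release policy does not name gets no attributes at all (and so no access), even for a validly authenticated user. The SP never sees a password or a mail address in any of them.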
Shibboleth IdP architecture
[figure: the IdP server runs Apache (MOD_SSL, MOD_JK, MOD_LDAP_AUTHZ) in front of Tomcat, which hosts the Shibboleth IdP's HS (Handle Server) and AA (Attribute Authority), configured by idp.xml, resolver.xml and arp.xml; the web browser reaches the HS on port 443, the Shibboleth SP reaches the AA on port 8443 behind a certificate check, an LDAP server backs authentication and attribute lookup, and various further communications run between the components]
The JISC AM programme
(2004 – 2007)
(actually the “Core Middleware” programme)
• Approx £7m investment over 3 years
• Technology Development Programme
• Infrastructure-building Programme
JISC AM: Timescale
[figure: Gantt chart from Jul-03 to Jul-08 with bars for Athens Service, Contract Neg, Athens Development, Potential Service, CM: Development, Embedding, CM: Infrastructure, Early Adopters and Assisted Take-up, and Potential Service]
Timescales of Athens contract, development and Core Middleware Development & Infrastructure
Technology Development
• Filling gaps in the range of AM technologies, in collaboration with Internet2 & other national programmes
• April 2004 – March 2007
• 15 projects in UK HE/FE funded:
– Some covering specific work (e.g. Shibboleth/PERMIS integration, other Shibboleth extensions, DRM, etc.)
– Others more speculative and open-ended work, e.g. setup and management of 'virtual organisations'; life-cycle management of user credentials and attributes; trust models and delegation.
– e.g. PERSEUS at LSE, investigating fine-grain authority management using Shibboleth, Signet & Grouper in portal environments
Infrastructure-building
• Establishing a UK Shibboleth infrastructure
• April 2004 to March 2007
• Main work areas:
– Making national data services Shib compliant
– Creating a service to assist early adopters
– Technical solutions for the transition from Athens
– Establishing a national UK federation
– Liaising with suppliers:
• publishers, subscription agents, library systems vendors etc
– Funding for organisations willing to be early Shibboleth adopters
• 11 institutional projects underway, plus ShibboLEAP consortium of 7 institutions in London
• Another 18 proposals just received for second Call
Service suppliers
• Some publishers (etc) already testing or implementing
Shibboleth
– e.g. EBSCOhost, Elsevier ScienceDirect, Ex-Libris SFX, JSTOR,
ProQuest, WebCT
• Others keeping active watching brief
– e.g. Gale, Ovid, IoPP
• List of involved vendors maintained on Internet2 website
• Implementing Shibboleth requires installation of plugin
(like Athens)
– Also need to sign up to terms and conditions
• Federations and suppliers
– Suppliers will need to join the (a) federation to which their
customers belong
Federations
• Organisations with a common purpose (e.g. education and
research) who trust each other
• Not a subscription-purchasing consortium!
– but could be related to one or more consortia
• Federation members…
– sign up to a set of rules, incl. minimum standards for management
of passwords etc
– may have legal status
– need the trust of suppliers
• Production federations
– USA - InCommon
– Switzerland - SWITCHaai
– Finland - HAKA
• UK test federations
– SDSS (Edina), Touchstone (Athens)
• UK HE production federation: Sparta
Shibboleth-Athens Gateway
• Aims for full 2-way interoperability:
– Users at a (registered) Shib-IdP-enabled institution can access any Athens-protected resource
– Users with Athens credentials can access any Shib-protected resource
• Lists of fully-compliant (& problematic) resources maintained on Athens website
• One active user (Leeds) by 15-Jun-05, others in course of registration
Shibboleth-Athens Gateway
[figure: the Athens national authentication service ('free'???) serves Athens-enabled users and Athens-authenticated resources; through the Athens-to-Shib and Shib-to-Athens gateway paths it also connects Shib-authenticated resources and the Shib-enabled users of several University Shib-IdPs]
Middleware Assisted Take-Up Service
• Providing support to the JISC-funded early adopters
• Scoping future requirements for institutions adopting Shibboleth
• Support services include:
– Comprehensive website
– Documentation
– Help desk
– Onsite support
– Training events
– Links to and information about software
• Channel for lots of guidebook material, being produced by funded UK projects and other national effort
Implications for Publishers
• Similar front-end implementation requirement as for
Athens target
• No license fee
• No maintenance of campus IP address ranges
• OSS means customisations are possible (e.g. for
personalisation, pass-thru of vendor portal to item-level
links, etc)
• Need for agreement on role attributes (eduPerson) for
‘fine-grain’ access decisions
• Need for understanding of the basis of trust in IdP to
whom user authentication is devolved
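The last two bullets above (agreed role attributes for fine-grain decisions, and understanding the basis of trust in the IdP to whom authentication is devolved) meet at the service provider in a single check, and the Federations slide supplies its input: federation metadata records which scopes each member IdP is entitled to assert. The following Python is an added illustration, not code from the presentation or from the Shibboleth project; the federation metadata, IdP entityIDs and assertion values are constructed, and a real Shibboleth SP applies the same rule through its attribute-filter policy against signed SAML metadata. It drops any scoped value an IdP is not entitled to assert before the licence is evaluated, so that one member institution cannot claim affiliation at another.

```python
"""Scope filtering of federated attributes at the service provider.
Added illustration; the federation metadata, entityIDs and assertions are constructed."""

# Constructed federation metadata: the scopes each IdP is entitled to assert.
FEDERATION_SCOPES = {
    "https://idp.lse.example/shibboleth": {"lse.ac.uk"},
    "https://idp.leeds.example/shibboleth": {"leeds.ac.uk"},
}
# Attributes whose values carry a scope after '@'.
SCOPED_ATTRIBUTES = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}


def filter_scoped(asserting_idp, attributes, metadata=FEDERATION_SCOPES):
    """Keep only scoped values whose scope the asserting IdP may vouch for.

    Returns (accepted, rejected). Scope comparison is exact (no suffix match,
    so 'lse.ac.uk.evil.example' never passes for 'lse.ac.uk') and
    case-insensitive; a scoped attribute value with no '@' is rejected.
    """
    allowed = {s.lower() for s in metadata.get(asserting_idp, set())}  # unknown IdP: nothing
    accepted, rejected = {}, {}
    for name, values in attributes.items():
        if name not in SCOPED_ATTRIBUTES:
            accepted[name] = list(values)
            continue
        keep, drop = [], []
        for value in values:
            _, sep, scope = value.rpartition("@")
            (keep if sep and scope.lower() in allowed else drop).append(value)
        if keep:
            accepted[name] = keep
        if drop:
            rejected[name] = drop
    return accepted, rejected


def licence_decision(accepted, licensed_scopes, roles=("member", "staff", "student", "faculty")):
    """Grant when some accepted affiliation is a licensed role at a licensed institution."""
    licensed = {s.lower() for s in licensed_scopes}
    for value in accepted.get("eduPersonScopedAffiliation", []):
        role, _, scope = value.rpartition("@")
        if role in roles and scope.lower() in licensed:
            return True
    return False


def evaluate(asserting_idp, attributes, licensed_scopes):
    """Whole SP-side check: filter by metadata first, then apply the licence."""
    accepted, rejected = filter_scoped(asserting_idp, attributes)
    return licence_decision(accepted, licensed_scopes), accepted, rejected


if __name__ == "__main__":
    # Constructed assertion from the LSE IdP that also tries to claim a Leeds scope.
    decision, accepted, rejected = evaluate(
        "https://idp.lse.example/shibboleth",
        {"eduPersonScopedAffiliation": ["member@lse.ac.uk", "member@leeds.ac.uk"],
         "eduPersonPrincipalName": ["user1234@lse.ac.uk"],
         "eduPersonEntitlement": ["urn:example:constructed:entitlement"]},
        licensed_scopes={"leeds.ac.uk"},
    )
    print("granted:", decision)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The rejected values are worth logging at the SP: an IdP asserting scopes outside its metadata entry is either misconfigured or compromised, and either way the federation operator should hear about it. The same filter applies to eduPersonPrincipalName, so a persistent per-user identifier cannot be spoofed into another institution's namespace.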
Implications for Libraries
• Less duplicated end-user admin than with
Athens (similar to AthensDA)
• Location-independent access for users
• No maintenance of campus IP address ranges
• Need for agreement on role attributes
(eduPerson) for end-user description
• Many don’t yet have standards-based
supporting services (SSO, enterprise directories)
– (but new costs would largely replace & improve,
rather than add-to, existing ad-hoc AM mechanisms)
Implications for UK national
infrastructure
• No more dependency on a VERY LARGE
centralised database
• Need for implementation of a national
WAYF service
– better than current end-user interface model
– (new WAYF options being developed)
• Lower shared costs?
– (but greater costs devolved to institutions)
Who's using Shibboleth, right now?
• Case Western, Cornell, Dartmouth, Ohio, Penn State, NY-Buffalo, U.Cal (~300K users), Rochester, Washington
• US Federal Government
• US Red Cross
• All Swiss HE (18 universities) in production
• SURF pilots in Netherlands
• HAKA pilots in Finland
• DEST pilots in Australia
• German library pilots
• [What's the furthest East that Shibboleth has penetrated? Poznan?]
• LSE, UCL, King's, Imperial, Birkbeck, SOAS, Royal Holloway (~150K users together)
• Leeds, Nottingham, Nottingham-Trent, Newcastle, Bristol, Liverpool, Cardiff, Exeter
• Staffordshire, Wolverhampton, Essex
• UK Data Archive, Edina & MIMAS data services
• Athens (Eduserv) service (!)
• BECTa (UK pre-16 education support) in London (~400K users) & Birmingham schools
Further Information
• JISC Core Middleware activities
www.jisc.ac.uk/programme_middleware.html
• Internet2 shibboleth.internet2.edu
• Athens www.athensam.net/shibboleth
• Two JISCmail lists:
– JISC-Shibboleth
– JISC-Shibboleth-announce
• LSE Library projects www.angel.ac.uk
[email protected]
What are shibboleths?
(Political)
The greatest needs of the Collectivist movement in
England appear to me…
…The diffusion of economic and political knowledge of a
real kind - as opposed to Collectivist shibboleths, and
the cant and claptrap of political campaigning.
[Sidney Webb: memorandum to LSE Trustees meeting
on 8th Feb 1894]