Shibboleth and TAGPMA
Michael Helm
DOEGRids/ESnet
27 Mar 2006
What is Shibboleth?
• Standard Internet2 description:
– Architecture
– Project
– Codebase
– http://shibboleth.internet2.edu
• Offshoots
– InCommon – Federation (one of many)
– GridShib – Grid & Shibboleth Integration
– SAML - transport
TAGPMA
27 Mar 2006 Shibboleth
2
What is Shibboleth?
Judges 12:6 (KJV)
Then said they unto him, Say now Shibboleth: and he said
Sibboleth: for he could not frame to pronounce it right.
Then they took him, and slew him at the passages of
Jordan: and there fell at that time of the Ephraimites forty
and two thousand.
Judges 12 (Spanish text, translated)
Then they said to him: Say, then, the word Shibboleth; but he said
Sibboleth, because he could not pronounce it correctly. Then they laid
hands on him and killed him by the fords of the Jordan. And there fell
on that occasion forty-two thousand of those of Ephraim.
Why is Shibboleth Important?
• US: Internet2’s “long bet” on Authentication
and Authorization
– Note: Internet2 is the largest US NREN, 200+
Universities, multiple layers of projects, optical
networking &c
– Relationship with ESnet, NASA &c
• US Higher Education federation
• Other NREN
– There are other AAA projects
• Other - US Government
– Whether all these federations can interoperate
Shibboleth Architecture
• Next set of slides from I2 (Michael Geddes
et al.), used for illustration
• Illustration probably from SWITCH
Shibboleth Architecture
• Handle Service
– Yields a “Handle token”: a SAML authentication assertion carrying an
opaque handle; it is a bearer credential, so whoever holds it can present it
– Authentication-neutral (e.g. LDAP behind it)
• Attribute Authority
– The AA is presented with a Handle Token, returns appropriate
attributes for this user.
• Target Resource
– (Service Provider)
– Finds the user’s home institution and interprets the attributes it releases
• WAYF
– External service used to find home institution
Shibboleth AA Process
• Figure (from the I2 slides): User, WAYF, Identity Provider (HS, AA, User DB) and Service Provider (Web Site, ACS, AR, Resource Manager, Resource). The diagram’s numbered speech bubbles, in order:
– 1–2. User requests a resource at the Service Provider. SP: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
– 3. WAYF: “Please tell me where are you from?”
– 4. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
– 5. HS at the Identity Provider: “I don’t know you. Please authenticate using WEBLOGIN.”
– 6. User presents credentials; HS checks them against the User DB.
– 7. HS: “OK, I know you now. I redirect your request to the target, together with a handle.”
– 8. The SP’s ACS receives the handle. AR: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.”
– 9. AA: “Let’s pass over the attributes the user has allowed me to release.”
– 10. Resource Manager: “OK, based on the attributes, I grant access to the resource.”
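The flow in the figure above, together with the Handle Service, Attribute Authority and Target Resource roles of slide 6, as an added example in Python. This is constructed illustration, not Shibboleth’s code or the I2 slides’ material: the class names, the target URLs, the toy user record and password check, and the single-use, audience-bound, short-lived handle are all assumptions of this model (the attribute names follow the eduPerson schema). The WAYF is pure discovery and is not modelled. The point it shows is why the handle must be treated as a bearer credential: the target never learns the username, only the attributes the user’s release policy allows for that target, and a captured handle is useless to a different target or on replay.

```python
"""Toy model of the Shibboleth 1.x AA process shown in the figure above.

Constructed example: not Shibboleth's code. Class names, the target URLs,
the user record and the password check are all made up; the attribute
names follow the eduPerson schema. The WAYF step is pure discovery (it only
tells the browser which Handle Service to visit) and is not modelled.
"""
import secrets
import time


class HandleService:
    """IdP-side Handle Service: after WEBLOGIN it mints an opaque handle.

    The handle is a bearer credential (whoever holds it can present it), so
    this model makes it random, short-lived, bound to the target it was
    issued for, and single-use at the Attribute Authority.
    """

    def __init__(self, user_db, ttl_seconds=300):
        self.user_db = user_db          # username -> password (toy User DB)
        self.ttl = ttl_seconds
        self.handles = {}               # handle -> (username, target, expiry)

    def weblogin(self, username, password, target):
        if self.user_db.get(username) != password:
            raise PermissionError("authentication failed")
        handle = secrets.token_urlsafe(16)   # reveals nothing about the user
        self.handles[handle] = (username, target, time.time() + self.ttl)
        return handle

    def resolve(self, handle, requester):
        """Called by the AA: map handle -> local principal, once only."""
        entry = self.handles.pop(handle, None)   # pop: a replayed handle fails
        if entry is None:
            raise PermissionError("unknown or already-used handle")
        username, target, expiry = entry
        if requester != target:
            raise PermissionError("handle was issued for a different target")
        if time.time() > expiry:
            raise PermissionError("handle expired")
        return username


class AttributeAuthority:
    """Returns the user's attributes, filtered by the user's Attribute
    Release Policy (ARP) for the requesting target."""

    def __init__(self, handle_service, directory, arps):
        self.hs = handle_service
        self.directory = directory      # username -> {attribute: value}
        self.arps = arps                # username -> {target: set of attrs}

    def attribute_query(self, handle, requester):
        username = self.hs.resolve(handle, requester)
        allowed = self.arps.get(username, {}).get(requester, set())
        return {k: v for k, v in self.directory[username].items()
                if k in allowed}


def resource_manager_decision(attrs):
    """Target-side authorization on attributes alone: the target never
    learns the username, only what the ARP released."""
    return attrs.get("eduPersonAffiliation") == "member"


def run_flow(username, password, target, hs, aa):
    """SP -> (WAYF) -> HS login -> handle to SP -> AR queries AA -> RM."""
    handle = hs.weblogin(username, password, target)        # bubbles 5-7
    attrs = aa.attribute_query(handle, target)              # bubbles 8-9
    return handle, attrs, resource_manager_decision(attrs)  # bubble 10


def rejected(call, *args):
    """True if the call is refused with PermissionError."""
    try:
        call(*args)
        return False
    except PermissionError:
        return True


def build_demo():
    """Constructed IdP: one user, one ARP, two targets (made-up URLs)."""
    user_db = {"jdoe": "correct horse"}
    directory = {"jdoe": {"eduPersonAffiliation": "member",
                          "eduPersonPrincipalName": "jdoe@example.edu",
                          "mail": "jdoe@example.edu"}}
    arps = {"jdoe": {"https://sp.example.org/": {"eduPersonAffiliation"},
                     "https://nosy.example.net/": set()}}   # release nothing
    hs = HandleService(user_db)
    return hs, AttributeAuthority(hs, directory, arps)


if __name__ == "__main__":
    hs, aa = build_demo()
    handle, attrs, ok = run_flow("jdoe", "correct horse",
                                 "https://sp.example.org/", hs, aa)
    print(attrs, ok)                                      # released, granted
    print(rejected(aa.attribute_query, handle, "https://sp.example.org/"))
```

Run as a script it prints the single released attribute and the grant, then True for the replayed handle being refused. The ARP is what makes the privacy claim on slide 12 concrete: the same user visiting the second target gets an empty attribute set and no access, and the target has nothing it can correlate across sessions.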
From Shibboleth Arch doc
• Figure: Origin side (University: Authentication System, Enterprise Directory) and Target side (Resource Provider: HTTP Server)
Shibboleth Limitations
• Limited IDP
– Identity Provider does all the work
– What about distributed authorization?
– Attribute Authority, Authentication, Authorization
often linked together – requires strong trust of IdP
• Limited deployment (web)
• Grid Incompatibility
• Focused on enterprises
– Marketing limitation
• Many of these issues are being addressed….
Shibboleth Strengths
• Privacy
– In Grids the privacy story is chaotic, and mostly there is none
• Standardization
– Relatively open development process
• Marketing
– US Higher Ed
– Non-US: Higher Ed & NRENs
– US Government
– Well supported and development continues
GridShib (NCSA)
• NSF funded, development centered at NCSA
– Argonne National Lab (ANL), Globus, University
of Chicago
• Really, Shibboleth->Grid
– Enable use of some Shibboleth attributes in a
Grid context
• Replace Shibboleth “Handle token” with PKI
credential
• Using XACML
• Next 3 slides – from NCSA GridShib overview
The GridShib picture
• Figure (from the NCSA GridShib overview): User, Grid Service, and Campus Shibboleth
– (0) Attribute Release Policy: set by the user at the campus Shibboleth
– (1) Grid Authentication: User to Grid Service
– (2) Shib Attribute Request: Grid Service to campus Shibboleth
– (3) Attributes: campus Shibboleth to Grid Service
– (4) Attribute-based authorization at the Grid Service
GridShib Integration Principles
• No modification to typical grid client
applications
• Leverage Shibboleth’s attribute
administration and end-user maintenance
of attribute release policies
• Leverage high-quality Campus Identity
Provider operations
• Leverage high-quality Shib and Grid
software
GridShib Challenges
• Use of an identifier in X.509 certificate as a subject
handle for use by the Shib Attribute Authority (SAA)
– Shibboleth v1.3 should handle this
– Name mapping has proved challenging
– Focusing on MyProxy to solve? IdP function?
• Allowing VOs to define attributes meaningful to them
• Attribute Authority identification
– “Where Are You From” problem
• Plumbing interconnect
• Translating requirements into meaningful authorization
policy
• Support pseudonymity (Shibboleth requirement)
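The first challenge above (using the X.509 identifier as the subject handle for the Shib Attribute Authority, where name mapping has proved hard), and steps (1)–(4) of the GridShib picture, as an added example in Python. It is constructed illustration, not GridShib’s, MyProxy’s or Shibboleth’s code: every DN, CA, principal name, attribute value and the mapping table are made up, and the DN parser is a toy that does not handle escaped separators. It shows two concrete reasons the mapping is awkward: grid tooling writes DNs in the OpenSSL/Globus slash form while LDAP and SAML tooling writes RFC 2253 form, so the two spellings of one certificate must be canonicalised before lookup; and a subject string is only unique within one CA, so the map is keyed on (issuer, subject). A certificate the campus has no record of is the unsolved case on the slide and is reported rather than guessed.

```python
"""Name mapping for GridShib: constructed example, not GridShib's code.

At grid authentication the service sees an X.509 subject; the campus
Attribute Authority keys its records on a campus principal name
(eduPersonPrincipalName). Two things make the mapping awkward and are
handled here: the grid world writes DNs in the OpenSSL/Globus slash form
("/C=US/O=...") while LDAP/SAML tooling writes RFC 2253 ("CN=...,O=...,C=US"),
and a subject string alone is not unique across CAs, so the map is keyed
on (issuer, subject). Every DN, name and attribute value below is made up;
the parser is a toy that does not handle escaped separators.
"""


def parse_dn(dn):
    """Parse either DN form into (attr, value) pairs ordered root -> leaf."""
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]          # Globus/OpenSSL form
    else:
        parts = list(reversed(dn.split(",")))            # RFC 2253 lists leaf first
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def canonical_dn(dn):
    """One spelling for both forms, so a table keyed on it matches either."""
    return "/" + "/".join(f"{attr}={value}" for attr, value in parse_dn(dn))


class SubjectMapper:
    """(issuer DN, subject DN) -> campus principal, the 'handle' the AA needs."""

    def __init__(self, table):
        self.table = {(canonical_dn(issuer), canonical_dn(subject)): eppn
                      for (issuer, subject), eppn in table.items()}

    def principal_for(self, issuer_dn, subject_dn):
        key = (canonical_dn(issuer_dn), canonical_dn(subject_dn))
        eppn = self.table.get(key)
        if eppn is None:
            # The unsolved case on the slide: a cert the campus has no record of.
            raise LookupError(f"no campus principal mapped for {key[1]} from {key[0]}")
        return eppn


# Constructed campus AA contents, keyed on eduPersonPrincipalName.
CAMPUS_ATTRIBUTES = {
    "jdoe@example.edu": {"eduPersonAffiliation": "member",
                         "isMemberOf": "vo:cosmology"},
}

# Constructed mapping table, as a campus might maintain it (made-up CA).
EXAMPLE_CA = "/C=US/O=Example Grid/CN=Example Grid CA"
MAPPING_TABLE = {
    (EXAMPLE_CA, "/C=US/O=Example Grid/OU=People/CN=Jane Doe 12345"): "jdoe@example.edu",
}


def gridshib_authorize(mapper, issuer_dn, subject_dn, required_group):
    """Steps (1)-(4) of the GridShib picture after grid authentication:
    map the certificate to a principal, fetch attributes, decide on them."""
    eppn = mapper.principal_for(issuer_dn, subject_dn)
    attrs = CAMPUS_ATTRIBUTES.get(eppn, {})
    return attrs.get("isMemberOf") == required_group


if __name__ == "__main__":
    mapper = SubjectMapper(MAPPING_TABLE)
    # Same certificate, DN written the LDAP way: still maps.
    print(mapper.principal_for("CN=Example Grid CA,O=Example Grid,C=US",
                               "CN=Jane Doe 12345,OU=People,O=Example Grid,C=US"))
    print(gridshib_authorize(mapper, EXAMPLE_CA,
                             "/C=US/O=Example Grid/OU=People/CN=Jane Doe 12345",
                             "vo:cosmology"))
```

Keying on the issuer is the check a practitioner wants here: a second CA that happens to issue the same subject string must not inherit the first user’s campus attributes, which is why the unmapped case raises instead of falling back to a subject-only match.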
Shibboleth and Grid
Authentication/Authorization
• Grid – community driven?
• Grid – distributed authorization
• Shibboleth – fundamentally based on the site
(or VO?)
– That is, it assumes a strong site open to working
in this area, which is not always true
• Grid->Shibboleth?
– Projects exist in this area
US DOE Lab/ESnet Shibboleth
• Something new – DOE Lab CIO’s have
commissioned a pilot Shibboleth test bed and
policy development activity
• US DOE research labs are heavily influenced by
trends and needs in US academic research
(NSF, EDUCAUSE, and other US Gov’t funding
sources)
• US DOE labs have limited resources for
development in this area
– Shibboleth &al is both good news & bad news here:
– Standard development platform
– Limited resources to make changes
Shibboleth Federation
• Shibboleth makes no sense w/o a federation
component – why bother.
• InCommon (http://www.incommonfederation.org)
• Internet2 – US Higher Ed example of Shibboleth
federation
– There are some others: SWITCH, UK
• US Legal System
– More complex bylaws, legal membership & status &c
• Good Example or Bad Example?
– Some market inhibition
– International legal context
– Are our member organizations interested in federating
for this purpose? TAGPMA?
E-Authentication (separate)
Summary
• Overlapping communities
• Overlapping interests
• What interest in this?
Acknowledgements
• Technical content in most slides drawn
from Michael Geddes &al from I2; from
Von Welch &al from NCSA; a bit from
David Chadwick, and others.
Summary
• Overlapping communities
• Overlapping interests
• What interest do we have in this?