
Shibboleth:
An Introduction
University of Pennsylvania SUG
13 October 2008
Agenda
• Web Authentication at Penn
• What is Shibboleth?
• Benefits
• How It Works
• Shibboleth Flow
• Next Steps
Page 2
Web Authentication @ Penn
• Web authentication services are in transition to a more secure and cost-effective architecture
• Websec is targeted for decommissioning in June 2009 due to maintenance costs and security vulnerabilities
• CoSign is being implemented; it provides numerous benefits, from efficiencies in cost and security to positioning Penn for future strategic enhancements
• Shibboleth is a logical extension of the CoSign web authentication implementation and supports single sign-on capabilities
Page 3
What is Shibboleth?
• Authentication/attribute query protocol
• Built upon Security Assertion Markup Language (SAML), an XML-based standard
• Open source and standards based (Internet2 Middleware initiative)
• Increased use in the education community
• The Shibboleth “solution” consists of:
  – Central Identity Provider (CoSign)
    • Performs authentication
    • Responds to attribute queries from the service provider(s)
    • Issues authentication assertions to the service provider(s)
    • Issues attribute assertions to the service provider(s)
  – Service Providers, which protect web content
    • Apache module or IIS ISAPI filter plus daemon
    • Places returned attributes in HTTP headers
    • Federation is not a component of the initial Shibboleth deployment
  – University School and Center applications
  – 3rd-party vendor applications hosted at the University or at an external vendor site
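The slide above says the service provider hands returned attributes to the application as HTTP headers. Because a browser can also send a header of the same name, the application must only trust the copy the SP itself established. The following is an added example, not Shibboleth project code: a WSGI-side guard that reads attributes from the server-variable form the SP daemon sets, flags and strips any client header that merely looks like one. The attribute names `eppn` and `affiliation`, the sample request environment and the log format are assumptions for illustration.

```python
# Added example (not Shibboleth project code): application-side handling of
# attributes that the SP exports into the request environment. The names
# "eppn" and "affiliation" are assumed for illustration.

PROTECTED_ATTRIBUTES = ("eppn", "affiliation")


def header_env_name(attr):
    """WSGI/CGI form of a request header: a header 'eppn' arrives as HTTP_EPPN."""
    return "HTTP_" + attr.upper().replace("-", "_")


def trusted_attribute(environ, attr):
    """Read the value the SP daemon set as a server variable (plain 'eppn'),
    never the HTTP_* form, which any client can populate with a request header."""
    return environ.get(attr)


def client_supplied_lookalikes(environ, protected=PROTECTED_ATTRIBUTES):
    """Attributes for which the request carried a client header of the same
    name; worth logging, since a browser has no legitimate reason to send these."""
    return [attr for attr in protected if header_env_name(attr) in environ]


def strip_lookalikes(environ, protected=PROTECTED_ATTRIBUTES):
    """Return a copy of the environment without the client-controlled copies."""
    drop = {header_env_name(attr) for attr in protected}
    return {key: value for key, value in environ.items() if key not in drop}


class AttributeGuard:
    """WSGI middleware: strips lookalike headers and records what was stripped."""

    def __init__(self, app, protected=PROTECTED_ATTRIBUTES):
        self.app = app
        self.protected = protected
        self.stripped_log = []  # (client address, [attribute names]) per request

    def __call__(self, environ, start_response):
        suspicious = client_supplied_lookalikes(environ, self.protected)
        if suspicious:
            self.stripped_log.append((environ.get("REMOTE_ADDR"), suspicious))
        return self.app(strip_lookalikes(environ, self.protected), start_response)


# Constructed request environment: the SP set 'eppn' and 'affiliation' as server
# variables, and the client also sent its own "eppn" request header.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "192.0.2.10",
    "eppn": "jdoe@example.edu",
    "affiliation": "staff",
    "HTTP_EPPN": "someone-else@example.edu",
    "HTTP_USER_AGENT": "constructed/1.0",
}


def demo_app(environ, start_response):
    """Minimal application that identifies the user from the trusted attribute."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"user={trusted_attribute(environ, 'eppn')}".encode()]


def run_sample():
    """Push the constructed request through the guard; returns (body, stripped log)."""
    guard = AttributeGuard(demo_app)
    body = b"".join(guard(dict(SAMPLE_ENVIRON), lambda status, headers: None))
    return body.decode(), guard.stripped_log
```

Where a deployment can only use headers (the IIS ISAPI filter named on the slide), the SP itself has to discard incoming headers before setting its own; this guard is a second layer in the application, and its log is a useful detection signal for requests that arrive carrying identity-looking headers.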
Page 4
Benefits
• Shibboleth provides an alternative web authentication service for Penn applications
  – CoSign serves as the authentication service for internal University applications and as the identity provider for Shibboleth
  – It supports integrated authentication with academic and business applications from 3rd-party vendors requiring PennKey authentication (e.g. Blackboard)
• Authentication services between trusted components based on common attributes
• Authenticating users’ privacy and identity are not compromised when accessing Shibboleth-protected services, resources and applications
• Supports Web Single Sign-On (SSO) for University services and applications
  – Single Sign-On (SSO) is a method of access control that lets the end user authenticate once with their credentials and access resources in a secure realm without re-authenticating at each resource
  – Applications within a realm share the logon credential
• Shibboleth will support a federated authentication service (future initiative): interoperability between disparate identity management systems across systems, organizations and security domains
Page 5
How It Works
• The user attempts to access a protected resource
• The Shibboleth service provider intercepts the request and redirects the user to the identity provider
• The user enters their PennKey and password and authenticates via CoSign
• The identity provider collects a set of attributes for the user through the attribute resolver, which queries backend sources
Page 6
How It Works
• The identity provider releases the attributes in response to the service provider’s request
• The assertion is placed into a message and the user is redirected to the service provider
• The user ends up at an assertion consumer service at the service provider, which unpacks the message, decrypts the assertion and performs the required security checks; it extracts attributes and other information from the message
• The service provider enforces the rules itself or passes the attributes to the application
• The Shibboleth service provider places authentication and attribute information in the web environment as HTTP headers or environment variables
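The two “How It Works” slides describe one exchange: interception and redirect, authentication, attribute resolution, issuance of an assertion, the security checks at the assertion consumer service, and export of the attributes into the web environment. The following is an added example, not Shibboleth or CoSign code, that walks through that exchange with both sides in one process. It stands in an HMAC over JSON for the XML signature a real SAML assertion carries, a dictionary for CoSign/Kerberos and the backend attribute sources, and constructed entity IDs, keys and user data; the security checks the consumer performs (signature, issuer, audience, validity window, replay) are the point of the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse

# Constructed, hypothetical values. A real Shibboleth deployment signs SAML
# assertions with XML Signature and X.509 keys; an HMAC over JSON stands in here.
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
SP_ENTITY_ID = "https://sp.example.edu/shibboleth"
IDP_SIGNING_KEY = b"constructed-idp-signing-key"

# Stand-in for the CoSign/Kerberos credential check and the backend attribute sources.
USER_STORE = {"jdoe": {"password": "constructed-pw",
                       "attributes": {"eppn": "jdoe@example.edu", "affiliation": "staff"}}}


class AssertionRejected(Exception):
    """Raised by the assertion consumer service when a security check fails."""


def sp_redirect_to_idp(requested_url):
    """Steps 1-2: the SP intercepts the request and redirects to the IdP,
    carrying the original target along as RelayState."""
    query = urllib.parse.urlencode({"entityID": SP_ENTITY_ID, "RelayState": requested_url})
    return f"{IDP_ENTITY_ID}/SSO?{query}"


def idp_authenticate(username, password):
    """Step 3: credential check (CoSign in the deck; a dictionary lookup here)."""
    user = USER_STORE.get(username)
    return user is not None and hmac.compare_digest(user["password"], password)


def idp_issue_assertion(username, audience, lifetime_seconds=300):
    """Steps 4-5: resolve the user's attributes and issue a signed, time-bounded
    assertion addressed to exactly one service provider."""
    now = int(time.time())
    assertion = {
        "id": secrets.token_hex(8),          # unique ID, lets the SP detect replay
        "issuer": IDP_ENTITY_ID,
        "audience": audience,                # only this SP may accept it
        "subject": username,
        "not_before": now,
        "not_on_or_after": now + lifetime_seconds,
        "attributes": USER_STORE[username]["attributes"],
    }
    payload = json.dumps(assertion, sort_keys=True).encode()
    signature = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + signature


_seen_assertion_ids = set()  # replay cache; a real SP bounds this by assertion lifetime


def sp_consume_assertion(message, now=None):
    """Step 6: the assertion consumer service checks signature, issuer, audience,
    validity window and replay before trusting any attribute in the message."""
    now = time.time() if now is None else now
    try:
        encoded, signature = message.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(encoded)
    except (ValueError, binascii.Error) as exc:
        raise AssertionRejected("malformed message") from exc
    expected = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise AssertionRejected("signature check failed")
    assertion = json.loads(payload)
    if assertion["issuer"] != IDP_ENTITY_ID:
        raise AssertionRejected("unexpected issuer")
    if assertion["audience"] != SP_ENTITY_ID:
        raise AssertionRejected("assertion addressed to another service provider")
    if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
        raise AssertionRejected("assertion outside its validity window")
    if assertion["id"] in _seen_assertion_ids:
        raise AssertionRejected("assertion replayed")
    _seen_assertion_ids.add(assertion["id"])
    return assertion["subject"], assertion["attributes"]


def sp_export_to_environment(subject, attributes):
    """Steps 7-8: hand the verified attributes to the application as server
    variables (the variable names are constructed, not the SP's defaults)."""
    env = {"REMOTE_USER": attributes.get("eppn", subject)}
    env.update(attributes)
    return env


def run_flow(username, password, requested_url="https://sp.example.edu/protected"):
    """Drive the whole exchange; returns the application environment, or None
    when authentication fails."""
    sp_redirect_to_idp(requested_url)
    if not idp_authenticate(username, password):
        return None
    message = idp_issue_assertion(username, audience=SP_ENTITY_ID)
    subject, attributes = sp_consume_assertion(message)
    return sp_export_to_environment(subject, attributes)
```

The order of checks in `sp_consume_assertion` is deliberate: nothing inside the message is parsed or acted on until the signature has been verified, and the audience check is what stops an assertion issued for one service provider from being presented to another.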
Page 7
Shibboleth Flow
[Flow diagram; components shown: Web Application, Shibboleth Service Provider, Shibboleth Identity Provider, Shibboleth Attribute Authority, with CoSign, Kerberos and Grouper as backend systems]
Page 8
Next Steps
• CoSign - Shibboleth
• Early 2009: pilot implementation and development of strategic implementation goals
• Mid-2009: available for supporting Penn authentication
• Early Adopter Support
• Shibboleth Internet2 site for documentation, configuration and installation
  – https://spaces.internet2.edu/display/SHIB2/Home
Page 9