Transcript Slide 1
Shibboleth: An Introduction University of Pennsylvania SUG 13 October 2008 Agenda • • • • • • Web Authentication at Penn What is Shibboleth? Benefits How It Works Shibboleth Flow Next Steps Page 2 Web Authentication @ Penn • Web Authentication services are in transition to a more secure and cost effective architecture • Websec is targeted for decommissioning in June 2009 due to maintenance costs and security vulnerabilities • CoSign is being implemented; it provides numerous benefits, from efficiencies in cost and security to positioning Penn for future strategic enhancements • Shibboleth is a logical extension of the CoSign web authentication implementation and supports single sign on capabilities Page 3 What is Shibboleth? • • • • • Authentication/Attribute query protocol Built upon Security Assertion Markup Language (SAML) – xml based standard Open source and standards based (Internet2 Middleware initiative) Increased use in the education community Shibboleth “solution” is comprised of: – Central Identity Provider (CoSign) • • • • Performs authentication Responds to attribute queries from the service provider(s) Issues authentication assertion to the service provider(s) Issues attribute assertion to the service provider(s) – Service Providers, which protect web content • • • Apache Module or IIS ISAPI filter plus daemon Places returned attributes in HTTP header Federation is not a component of the initial Shibboleth deployment – University School and Center applications – 3rd party vendor applications hosted at the University or external vendor site Page 4 Benefits • Shibboleth provides an alternative web authentication service for Penn applications – CoSign as authentication service for internal University applications and as identity provider for Shibboleth – It supports integrated authentication with academic and business applications from 3rd party vendors requiring PennKey authentication (e.g. Blackboard) • • • Authentication services between trusted components based on common attributes Authenticating users’ privacy and identity are not compromised when accessing Shibboleth protected services, resources and applications Supports Web Single Sign On (SSO) for University services and applications – Single Sign On (SSO) is a method of access control that provides the end user the ability to authenticate with their credentials and access resources in a secure realm without having to re-authenticate with each resource being accessed – Applications within a realm share the logon credential • Shibboleth will support federated authentication service (future initiative); interoperability between disparate identity management systems across systems, organizations and security domains Page 5 How It Works • The user attempts to access a protected resource • The Shibboleth service provider intercepts the request and redirects the user to the identity provider • The user enters their PennKey and Password and authenticates via CoSign • The identity provider collects a set of attributes for the user through the attribute resolver through backend sources Page 6 How It Works • The Identity Provider releases the attributes in response to the service provider’s request • The assertion is placed into a message and the user is redirected to the servicer provider • The user ends up at an assertion consumer service at the service provider which unpacks the message, decrypts the assertion, and performs required security checks; it extracts attributes and other information from the message • The service provider enforces the rules itself or passes the attributes to the application • The Shibboleth service provider places authentication and attribute information in the web environment as HTTP headers or environment variables Page 7 Shibboleth Flow Web Application Shibboleth Service Provider Shibboleth Identity Provider Shibboleth Attribute Authority CoSign Kerberos Grouper Page 8 Next Steps • CoSign - Shibboleth • Early 2009 pilot implementation and development of strategic implementation goals • Mid-2009 available for supporting Penn authentication • Early Adopter Support • Shibboleth Internet2 Site for documentation, configuration and installation – https://spaces.internet2.edu/display/SHIB2/Home Page 9