Shibboleth Update
Advanced CAMP
7/31/02
http://middleware.internet2.edu/shibboleth/
RL “Bob” Morgan, Washington
Steven Carmody, Brown
Scott Cantor, Ohio State
Marlena Erdos, IBM/Tivoli
Michael Gettes, Georgetown
Keith Hazelton, Wisconsin
David Wasley, UCOP
The CMU programming team
Ken Klingenstein, Director
Internet2 Middleware Initiative
Discussion outline
Quick Definition/Architecture Refresh/ Review
Current Status - Development
Current Status - Rollout
Demo
Next Steps
What Does it Take for a Campus to Install Shib?
Installation and plumbing
Joining the Club
Here's how you can get involved!
Questions/ Discussion.
Quick Definition/Architecture
Refresh/ Review
Background, Motivation
High Level Architecture
Policy and Trust
What is Shibboleth?
An initiative to develop an architecture and policy
framework supporting the sharing, between
domains, of secured web resources and services
A project delivering an open source
implementation of the architecture and framework
What is Shibboleth?
A system…
…with an emphasis on privacy
• users control release of their attributes
…based on open standards (SAML) and available
in open source form
…built on “federated administration”
Example Scenarios
1. A member of the campus community
accessing a licensed library resource
2. Students enrolled in a course across
multiple universities accessing class
materials and Learning Mgmt Systems
3. Research workgroups sharing controlled
resources (the original web)
4. Intra-university information access
Why Shibboleth?
Growing interest in collaboration and
resource sharing among institutions
Better security tools will make
collaboration more “painless” and more
secure
Current "solutions" are primitive; we can
do better today and without local overhaul
Why Shibboleth?
Federated Administration
Users registered only at their “home” or “origin”
institution
Flexibly partitions responsibility, policy, technology,
and trust
Authorization information sent, instead of
authentication information
• when possible, use groups instead of people on ACLs
• identity information still available for auditing and for applications that
require it
Why Shibboleth?
Privacy
Higher Ed has privacy obligations
• In the US, “FERPA” requires permission
for release of most personal
identification information; it encourages
least privilege in information access
General interest and concern for privacy is
growing
Shibboleth has active (vs. passive) privacy
provisions “built in”
What is Shibboleth?
Deliverables
A partially-complete open-source
implementation of SAML (OpenSAML)
An open-source implementation of the
Shibboleth architecture on top of OpenSAML
Policies, trust infrastructure, and supporting
material to enable deployment within
interested communities, leveraging existing
work when possible (e.g. eduPerson)
High Level Architecture
Destination and origin site collaborate to
provide a privacy-preserving “context” for
Shibboleth users
Origin site authenticates user
Destination site requests attributes about
user directly from origin site
Users (and organizations) can control
what attributes are released
Technical Components
Origin Site
• Handle Server
• Attribute Authority
Target Site
• SHIRE
• SHAR
• WAYF
• Resource Manager
Existing assumed components:
for origins - Campus directory or attribute store; Web-ISO
for targets - web servers and resource managers
High Level Architecture
Attribute Authority -- Management
of Attribute Release Policies
The AA provides ARP management tools/interfaces.
• Different ARPs for different targets
• Each ARP Specifies which attributes and which values to release
• Institutional ARPs (default)
– administrative default policies and default attributes
– Site can force include and exclude
• User ARPs managed via “MyAA” web interface
• Release set determined by “combining” Default and User ARP for the
specified resource
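The ARP combination described above (per-target policies, institutional defaults, site force include/exclude, user ARPs), as an added Python model that is not Shibboleth's own code. The precedence rule it uses is an assumption; attribute names and URIs follow the slides' attribute table, while hostnames, the user and the address are constructed.

```python
# Constructed model of ARP combination; the precedence rule is an assumption.
ALL = None    # rule marker: release every value the user holds
DENY = False  # rule marker: explicitly withhold the attribute

def select_arp(arps, target):
    """Pick the per-target ARP, falling back to the default ('*') ARP."""
    return arps.get(target, arps.get("*", {}))

def combine_release_set(site_arps, user_arps, force_include, force_exclude,
                        target, user_attrs):
    """Release set for `target`: ARP format is {attribute: ALL|set(values)|DENY}.
    Precedence (assumed): site force-exclude, site force-include (site value
    filter still applies), user ARP, institutional default; an attribute no
    ARP mentions is never released, so the default stays privacy-preserving."""
    site, user = select_arp(site_arps, target), select_arp(user_arps, target)
    released = {}
    for attr, values in user_attrs.items():
        if attr in force_exclude:
            continue                      # site veto; user cannot override
        if attr in force_include:
            rule = site.get(attr, ALL)    # site mandate; user cannot withhold
        elif attr in user:
            rule = user[attr]             # user ARP overrides the default ARP
        else:
            rule = site.get(attr, DENY)   # unmentioned -> not released
        if rule is DENY:
            continue
        allowed = set(values) if rule is ALL else set(values) & rule
        if allowed:
            released[attr] = sorted(allowed)
    return released

# Constructed sample: attribute names/URIs follow the slides' table; hostnames,
# the user and the address are made up.
SITE_ARPS = {"*": {"eduPersonAffiliation": {"member"}},
             "lms.example.org": {"eduPersonAffiliation": ALL, "enrolledCourse": ALL}}
USER_ARPS = {"lms.example.org": {"eduPersonPrincipalName": ALL},     # opts in
             "library.example.org": {"eduPersonAffiliation": DENY}}  # tries to opt out
FORCE_INCLUDE = {"eduPersonAffiliation"}
FORCE_EXCLUDE = {"homePostalAddress"}
USER_ATTRS = {"eduPersonAffiliation": ["member", "student"],
              "eduPersonPrincipalName": ["alice@example.edu"],
              "eduPersonEntitlement": ["urn:mace:vendor:contract1234"],
              "enrolledCourse": ["urn:mace:osu.edu:Physics201"],
              "homePostalAddress": ["1 Campus Way"]}

def release_for(target):
    """What the AA would send to `target` for this user."""
    return combine_release_set(SITE_ARPS, USER_ARPS, FORCE_INCLUDE,
                               FORCE_EXCLUDE, target, USER_ATTRS)
```

For the library target the user's attempt to withhold affiliation is overridden by the site's force include, but the site's own value filter still trims it to "member"; for the LMS target the user's opt-in releases EPPN, while the entitlement no ARP mentions is never sent.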
Authorization Attributes
Typical Attributes in the Higher Ed Community
Affiliation: “active member of community”, e.g. [email protected]
EPPN: identity, e.g. [email protected]
Entitlement: an agreed upon opaque URI, e.g. urn:mace:vendor:contract1234
OrgUnit: department, e.g. Economics Department
EnrolledCourse: opaque course identifier, e.g. urn:mace:osu.edu:Physics201
Shibboleth and PKI
Shibboleth will establish a lightweight PKI
between sites and servers to secure itself.
Shibboleth fully supports the use of
certificates to authenticate users.
Shibboleth follow-on work will fully support
the use of certificates by target sites directly,
provided the necessary profile work is
undertaken.
Policy and Trust
SAML and the Shibboleth architecture
leave “tough” questions about policy and
trust to implementers and deployers.
Communities of sites that want to
interoperate will establish federations with
common policies and trust models
Federations (Circles of Trust)
Communities must define (for example):
• attribute vocabulary, syntax, and usage
• expectations in areas like user identification and
authentication, account policies
• a trust model for securing the system
Internet2/MACE is forming one such federation
(informally known as “Club Shib”) by creating
policy documents and infrastructure for higher
education sites and those with which we do
business.
Current Status
Architecture about to enter final call
Policy documents being drafted
Programming divided among Carnegie Mellon,
Ohio State, and additional contractors
OpenSAML Beta-1 available now
Shibboleth Alpha-2 available to selected sites
early July, wider distribution soon (10-20
projects)
Current Status
Call for participation went out to campuses in late June
for pilot with commercial content providers (EBSCO,
Elsevier, sfx)
Several European Higher Ed systems evaluating Shib for
use country-wide
First Shibbolized application has gone into production.
Production version of Shibboleth expected by October,
with the goal of inclusion in the second NMI release
Currently working with
• NSDL (National Science Digital Library)
• Commercial Content Providers (EBSCO, Elsevier, sfx, OCLC)
• Meteor (Student Loan System)
• WebAssign (Web Based Testing, Physics and Chemistry)
Next Steps
Wider alpha deployment, for verification and
testing
Complete v1 implementation
Identify other key applications
Gain experience with federation
What does it mean to “manage attribute
release”?
Shibbolizing other applications?
Policy and Trust:
“Club Shib”
A foundation on which to build:
• an initial set of attributes based on eduPerson but fully
supporting bilateral arrangements
• a simple PKI suitable for “collaborative trust”
• a central registry of information about participating sites
and their local account practices
• basic rules governing membership, usage of attributes,
and layering of additional policies
A low barrier to entry for both schools and
information providers
Campus Account Practices of Interest
to Club Members
• Initial identification/password assignment
process for accounts
• Authentication mechanisms for account use
• Policy on the reuse of account names
• Business logic for key attributes like affiliation,
as the need surfaces
Current intent is descriptive, not prescriptive.
Here's how you can get involved!
Let us know you’re interested
Join the email lists
Identify problems in your environment
where Shib could provide value
Respond to the CFP
Talk to us this week!
THE END
Acknowledgements:
Design Team: David Wasley U of C; RL ‘Bob’ Morgan
U of Washington; Keith Hazelton U of Wisconsin
(Madison); Marlena Erdos IBM/Tivoli; Steven
Carmody Brown; Scott Cantor Ohio State
Important Contributions from: Ken Klingenstein (I2);
Michael Gettes Georgetown; Scott Fullerton (Madison)
Questions, Discussion…