Shibboleth and UKAMF-FEAR not as scary as it sounds!
Rhys Smith, Cardiff University

Mar 26, 2015

Slide 2: outline
- federated access management?
- shibboleth?
- JISC UK Access Management Federation for Education and Research

Slide 3: some key terms
- user / user attributes, e.g. rhys (scmros) / ou: INSRV
- resource / service provider: web based e-journals, websites, etc.
- users / identity provider: Cardiff University, 30,000-ish identities
- authentication vs authorisation: who you are / what you are allowed to do
- SAML

Slide 4: a bit of background: athens
- athens: an Access Management System for controlling secure access to web based services
- offers single sign-on access to multiple web-based services
- usernames and passwords held at Athens but administered at a local level
- a big database table with about 4.5 million rows and 300 columns

Slide 5: classic athens
(diagram: Service Provider, Identity Provider, Athens, User on Browser)
1: Upload account info
2: I want to access your resource
3: I don't know who you are, please login through Athens
4: User sent to Athens login page
5: Credentials
6: This person is X, and they're allowed to see your resource
7: There you go!

Slide 6: what's the problem?
- users work in an increasingly global environment and demand increased mobility; desire for increased security and privacy
- more resources means more credentials:
  - for the user: lots of usernames/passwords!
  - for the resource: manage its own AMS (account administration overhead, forgotten passwords, etc.) or use a central AMS (e.g. Athens)
  - for both: security & integrity compromised (e.g. abc123); proprietary authentication systems

Slide 7: the solution?
- federated (devolved) access management:
  - role based (not identity based), i.e. (staff @ cardiff university) not (rhys @ CU)
  - still allows personalisation: 1-way hash of user id (per resource, for further privacy)
  - single sign-on to resources
  - organisations responsible for identity management; trust between resource providers and identity providers

Slide 8: what is shibboleth?
- shibboleth: enables FAM
- an access management system for controlling secure access to web based (and beyond?) services; offers single sign-on access
- usernames and passwords at the organisation end: standard network username/password

Slide 9: what isn't shibboleth?
shibboleth is not:
- an identity management solution: it's a component of one
- an authentication or full SSO system: we need to plug into one (e.g. pubcookie)
- an attribute store: we need to plug into one (e.g. LDAP)

Slide 10: why use shib for FAM?
- highly flexible, highly extensible
- open source, open software, community driven
- growing global acceptance (usa, uk, australia, switzerland, netherlands, spain, france and more)
- It Just Works

Slide 11: high level architecture
(diagram: User on Browser, Service Provider, Identity Provider, WAYF (Where Are You From?))

Slide 12: components - SP
(diagram: the Service Provider comprises the Resource Manager, the ACS (Assertion Consumer Service) and the AR (Attribute Requester), fronting the Resource; alongside the User on Browser, the Identity Provider and the WAYF)

Slide 13: components - IdP
(diagram: the Identity Provider comprises the SSO Service, the Authentication Authority and the AA (Attribute Authority), backed by the User DB; alongside the User on Browser, the Service Provider and the WAYF)

Slide 14: components - WAYF / federations
- federations: a group of organisations sharing a set of agreed policies (legal), rules for access, etc.; basically, a trust framework
- a federation has a... WAYF
  - all IdPs in the federation will appear on a list
  - allows the determination of the user's home IdP at run-time

Slide 15: shibboleth and federations
(diagram: Federation... WAYF)

Slide 16: how does shibboleth work?
(diagram: User on Browser; Service Provider (Resource Manager, ACS, AR); WAYF; Identity Provider (SSO, AA, User DB))
1: user requests the resource from the Service Provider
2: SP: I don't know who you are or where you are from, redirecting you to the home locator
3: WAYF: So, where are you from?
4: user: CFU
5: WAYF: Ok, redirecting you to your organisation
6: IdP SSO: Don't know who you are: please login
7: user: Credentials
8: IdP: Ok, I know you! Redirecting you to the resource, with a handle
9: SP (ACS/AR): Handle. I need to know attributes... Ask AA
10: AA: These are the attributes you're allowed to see
11: SP: Ok, you're allowed to see this. Here you go!

Slide 17: JISC UK access management
- previously (well, currently) centralised, e.g. athens: central repository of accounts/credentials
- funding for athens ends july 2008; 50p per user (or thereabouts) after that...
- next generation: federated, devolved authentication (DA)
- UK Access Management Federation for Education and Research
  - for he, fe and Schools (JISC and BECTA)
  - went live November 30th 2006 (became self aware 2:14am EDT August 29th 20... (!))

Slide 18: UKFed
- how to connect:
  - HE - likely run their own IdP
  - FE - run their own IdP / outsource
  - Schools - IdP via RBC/LEA / outsource
- instructions on

Slide 19: Options
1) Become a full member of UKFed, using community tools: total control vs effort
2) Become a full member of UKFed, using paid-for support: control vs cost
3) Subscribe to an outsourced IdP to work through UKFed on your behalf: nice and easy vs cost and lack of control

Slide 20: Gateways
- some resources not FAM compliant yet
- some institutions don't have the money/effort to implement FAM
- so...
  - shibboleth-athens gateway
  - athens-shibboleth gateway (not at all confusing!)

Slide 21: shibboleth-athens
(diagram: Federation... WAYF -> Shib-Athens gateway -> Athens Resources)

Slide 22: athens-shibboleth
(diagram: IdP-less Users -> Athens-Shib gateway -> Federation... WAYF; Shib-Athens gateway -> Athens Resources)

Slide 23: FAM beyond athens
- can be used as an AMS for any web-based application (and beyond?!)
- no need for a proprietary AMS
- intra-campus: probably not worth it; hook directly into LDAP
- inter-untrusted-organisations: need trust
- inter-trusted-organisations: Perfect!
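The slide 16 exchange (SP -> WAYF -> IdP SSO -> handle -> Attribute Authority -> SP decision) together with the slide 7 "1 way hash of user id" per resource, as an added Python model that is not part of the original talk and not Shibboleth code. Every entity ID, username, password, attribute value and key in it is constructed. The password check against an inline dictionary stands in for the campus authentication system Shibboleth would plug into (slide 9), and the eduPersonTargetedID pseudonym is computed as an HMAC over (user id, SP entity id) under an IdP-held key, which is one way to realise the one-way hash the slides mention rather than a statement of how the Cardiff deployment did it.

```python
"""Toy model of the slide 16 flow (WAYF -> IdP SSO -> handle -> Attribute
Authority -> SP decision) and the slide 7 one-way hash of the user id per
resource. Added illustration, not Shibboleth code; all names are constructed."""
import hashlib
import hmac
import secrets
import time

HANDLE_LIFETIME_S = 300  # a handle is a short-lived, single-use reference, not a credential


class IdentityProvider:
    # SSO service + Attribute Authority (slide 13). The password check is a
    # stand-in for the campus system Shibboleth would plug into (slide 9).
    def __init__(self, entity_id, user_db, release_policy, pseudonym_key):
        self.entity_id = entity_id
        self.user_db = user_db                # username -> {"password", "attrs"}
        self.release_policy = release_policy  # sp_entity_id -> attributes that SP may see
        self.pseudonym_key = pseudonym_key    # IdP-held key, never shared with SPs
        self._handles = {}                    # handle -> (username, sp_entity_id, expiry)

    def sso_login(self, username, password, sp_entity_id):
        # Steps 6-8: authenticate locally, return an opaque handle bound to this SP.
        user = self.user_db.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        handle = secrets.token_urlsafe(16)    # random, so it carries no user information
        self._handles[handle] = (username, sp_entity_id, time.monotonic() + HANDLE_LIFETIME_S)
        return handle

    def targeted_id(self, username, sp_entity_id):
        # Slide 7: stable per-(user, SP) pseudonym. One user at two SPs gets two
        # unlinkable values, and without the key the user id cannot be recovered.
        msg = f"{username}\x00{sp_entity_id}".encode()
        return hmac.new(self.pseudonym_key, msg, hashlib.sha256).hexdigest()

    def attribute_query(self, handle, sp_entity_id):
        # Steps 9-10: burn the handle, check it was issued for the asking SP and
        # is still fresh, then apply that SP's attribute release policy.
        entry = self._handles.pop(handle, None)   # single use, even when the check fails
        if entry is None:
            return None
        username, bound_sp, expiry = entry
        if bound_sp != sp_entity_id or time.monotonic() > expiry:
            return None
        allowed = self.release_policy.get(sp_entity_id, set())
        attrs = {k: v for k, v in self.user_db[username]["attrs"].items() if k in allowed}
        if "eduPersonTargetedID" in allowed:
            attrs["eduPersonTargetedID"] = self.targeted_id(username, sp_entity_id)
        return attrs


class WAYF:
    # Steps 2-5: the federation's home locator, keyed by IdP entity ID.
    def __init__(self, idps):
        self.idps = {idp.entity_id: idp for idp in idps}

    def locate(self, home_org):
        return self.idps.get(home_org)


class ServiceProvider:
    # Resource Manager + ACS + Attribute Requester (slide 12).
    def __init__(self, entity_id, wayf, required):
        self.entity_id = entity_id
        self.wayf = wayf
        self.required = required              # (attribute, value) that authorises access

    def access(self, home_org, username, password):
        idp = self.wayf.locate(home_org)
        if idp is None:
            return ("denied", "unknown home organisation")
        handle = idp.sso_login(username, password, self.entity_id)
        if handle is None:
            return ("denied", "authentication failed")
        attrs = idp.attribute_query(handle, self.entity_id)
        if attrs is None:
            return ("denied", "attribute query failed")
        attr, value = self.required
        if attrs.get(attr) != value:          # step 11: role-based, not identity-based
            return ("denied", "attributes do not authorise access")
        return ("granted", attrs)


# Constructed federation: one IdP, two SPs with different release policies.
IDP_ID = "https://idp.example-university.example/shibboleth"
JOURNAL_ID = "https://ejournal.example-publisher.example/shibboleth"
WIKI_ID = "https://wiki.example-project.example/shibboleth"
STAFF = ("eduPersonScopedAffiliation", "staff@example-university.example")

EXAMPLE_IDP = IdentityProvider(
    IDP_ID,
    user_db={"rhys": {"password": "correct-horse", "attrs": {
        STAFF[0]: STAFF[1], "ou": "INSRV", "mail": "rhys@example-university.example"}}},
    release_policy={JOURNAL_ID: {STAFF[0], "eduPersonTargetedID"},
                    WIKI_ID: {STAFF[0], "eduPersonTargetedID", "ou"}},
    pseudonym_key=b"constructed-demo-key-not-for-real-use",
)
FEDERATION_WAYF = WAYF([EXAMPLE_IDP])
JOURNAL = ServiceProvider(JOURNAL_ID, FEDERATION_WAYF, STAFF)
WIKI = ServiceProvider(WIKI_ID, FEDERATION_WAYF, STAFF)
```

Running `JOURNAL.access(IDP_ID, "rhys", "correct-horse")` grants access on the staff affiliation alone: the journal never sees `mail` or `ou`, because the release policy filters them, and the `eduPersonTargetedID` it receives differs from the one the wiki receives for the same person, so the two resources cannot correlate the user while each still gets a stable value for personalisation. The handle is random, bound to the SP it was issued for, single use and time limited, which is what keeps it a reference rather than a credential that could be replayed by another resource.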
Slide 24: project progress and future
- whole of Cardiff University shib enabled now; all new staff/students using it
- existing athens users migrating easter+

Slide 25: conclusions
- FAM is here today for the UK academic community
- Joining UKFed enables cross-institutional collaboration and virtual organisations

Slide 26: the end
for:
- more info
- a copy of these slides
- clarification of any points
- meaningful discussion about shib
- meaningless discussion about stanley cup final...
email: [email protected]