Shibboleth Update, Advanced CAMP 7/31/02. RL “Bob” Morgan, Washington; Steven Carmody, Brown; Scott Cantor, Ohio State; Marlena Erdos, IBM/Tivoli; Michael Gettes, Georgetown; Ken Klingenstein, Director, Internet2 Middleware Initiative. http://middleware.internet2.edu/shibboleth/
Jan 03, 2016
Page 1:

Shibboleth Update

Advanced CAMP, 7/31/02

RL “Bob” Morgan, Washington; Steven Carmody, Brown; Scott Cantor, Ohio State; Marlena Erdos, IBM/Tivoli; Michael Gettes, Georgetown; Keith Hazelton, Wisconsin; David Wasley, UCOP; the CMU programming team

Ken Klingenstein, Director, Internet2 Middleware Initiative

http://middleware.internet2.edu/shibboleth/

Page 2:

Discussion outline

Quick Definition/Architecture Refresh/ Review

Current Status - Development

Current Status - Rollout

Demo

Next Steps

What Does it Take for a Campus to Install Shib?

Installation and plumbing

Joining the Club

Here's how you can get involved!

Questions/ Discussion.

Page 4:

Quick Definition/Architecture Refresh/ Review

Background, Motivation

High Level Architecture

Policy and Trust

Page 5:

What is Shibboleth?

An initiative to develop an architecture and policy framework supporting the sharing of secured web resources and services between domains

A project delivering an open source implementation of the architecture and framework

Page 6:

What is Shibboleth?

A system...

…with an emphasis on privacy
• users control release of their attributes

…based on open standards (SAML) and available in open source form

…built on “federated administration”

Page 7:

Example Scenarios

1. A member of the campus community accessing a licensed library resource

2. Students enrolled in a course across multiple universities accessing class materials and Learning Mgmt Systems

3. Research workgroups sharing controlled resources (the original web)

4. Intra-university information access

Page 8:

Why Shibboleth?

Growing interest in collaboration and resource sharing among institutions

Better security tools will make collaboration more “painless” and more secure

Current "solutions" are primitive; we can do better today and without local overhaul

Page 9:

Why Shibboleth? Federated Administration

Users registered only at their “home” or “origin” institution

Flexibly partitions responsibility, policy, technology, and trust

Authorization information sent, instead of authentication information
• when possible, use groups instead of people on ACLs
• identity information still available for auditing and for applications that require it

Page 10:

Why Shibboleth? Privacy

Higher Ed has privacy obligations
• In US, “FERPA” requires permission for release of most personal identification information; encourages least privilege in information access

General interest and concern for privacy is growing

Shibboleth has active (vs. passive) privacy provisions “built in”

Page 11:

What is Shibboleth? Deliverables

A partially-complete open-source implementation of SAML (OpenSAML)

An open-source implementation of the Shibboleth architecture on top of OpenSAML

Policies, trust infrastructure, and supporting material to enable deployment within interested communities, leveraging existing work when possible (e.g. eduPerson)

Page 13:

High Level Architecture

Destination and origin site collaborate to provide a privacy-preserving “context” for Shibboleth users

Origin site authenticates user

Destination site requests attributes about user directly from origin site

Users (and organizations) can control what attributes are released

Page 14:

Technical Components

Origin Site
• Handle Server
• Attribute Authority

Target Site
• SHIRE
• SHAR
• WAYF
• Resource Manager

Existing assumed components:
• for origins - campus directory or attribute store; Web-ISO
• for targets - web servers and resource managers

Page 15:

High Level Architecture [diagram slide; no text extracted]

Page 16:

Attribute Authority -- Management of Attribute Release Policies

The AA provides ARP management tools/interfaces.

• Different ARPs for different targets
• Each ARP specifies which attributes and which values to release
• Institutional ARPs (default)
  – administrative default policies and default attributes
  – site can force include and exclude
• User ARPs managed via “MyAA” web interface
• Release set determined by “combining” Default and User ARP for the specified resource

Page 17:

Authorization Attributes

Typical Attributes in the Higher Ed Community

Attribute        Meaning                          Example
Affiliation      “active member of community”     [email protected]
EPPN             Identity                         [email protected]
Entitlement      An agreed-upon opaque URI        urn:mace:vendor:contract1234
OrgUnit          Department                       Economics Department
EnrolledCourse   Opaque course identifier         urn:mace:osu.edu:Physics201
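The three preceding slides describe the privacy-preserving flow (origin authenticates, target asks the origin's Attribute Authority for attributes, users and the institution control what is released) and the ARP combining rule. The following is an added example, not code from the Shibboleth project, that models that rule at the origin's Attribute Authority: per-target ARPs, an institutional default with force include/exclude, a user ARP, and the release set obtained by combining the two for one resource. The data structures, the precedence rule (user choices sit between the institutional default and the site's force lists, and a user may narrow but never widen an institutional value list), the target names, and the sample policies and attribute values are all assumptions constructed for illustration; only the attribute names and the two example URIs come from the deck.

```python
"""Attribute Release Policy (ARP) evaluation at an origin-site Attribute Authority.

Added illustration of the deck's ARP slide; not Shibboleth project code.
All policies, targets and attribute values below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

Values = Optional[Set[str]]   # allowed values for one attribute; None = any value the user holds


@dataclass
class Arp:
    """One ARP for one target ("*" = default policy for any target)."""
    target: str
    release: Dict[str, Values] = field(default_factory=dict)   # attributes (and values) to release
    withhold: Set[str] = field(default_factory=set)            # attributes this policy refuses


@dataclass
class InstitutionalArp(Arp):
    force_include: Set[str] = field(default_factory=set)   # site always releases these (user cannot withhold)
    force_exclude: Set[str] = field(default_factory=set)   # site never releases these (user cannot add)


def select_arp(arps: List[Arp], target: str) -> Optional[Arp]:
    """Most specific policy wins: an ARP naming the target, else the '*' default."""
    for wanted in (target, "*"):
        for arp in arps:
            if arp.target == wanted:
                return arp
    return None


def narrow(a: Values, b: Values) -> Values:
    """Intersect two allowed-value lists, treating None as 'unrestricted'."""
    if a is None:
        return b
    if b is None:
        return a
    return a & b


def release_set(attrs: Dict[str, Set[str]], institutional: List[InstitutionalArp],
                user: List[Arp], target: str) -> Dict[str, Set[str]]:
    """Combine the institutional and user ARPs for `target` and filter the user's attributes."""
    inst = select_arp(institutional, target)
    mine = select_arp(user, target)
    # 1. start from the institutional default decisions
    decisions: Dict[str, Values] = dict(inst.release) if inst else {}
    # 2. user ARP may add attributes (narrowing only) or withhold ones the default would release
    if mine:
        for name, allowed in mine.release.items():
            decisions[name] = narrow(decisions.get(name), allowed)
        for name in mine.withhold:
            decisions.pop(name, None)
    # 3. site force-include / force-exclude are applied last and cannot be undone by the user
    if inst:
        for name in inst.force_include:
            decisions.setdefault(name, None)
        for name in inst.force_exclude:
            decisions.pop(name, None)
    # 4. filter the attribute store's actual values through the allowed-value lists
    released: Dict[str, Set[str]] = {}
    for name, allowed in decisions.items():
        have = attrs.get(name, set())
        chosen = have if allowed is None else have & allowed
        if chosen:
            released[name] = chosen
    return released


# Constructed sample data (attribute names from the deck's attribute slide).
ALICE = {
    "Affiliation": {"member@example.edu", "student@example.edu"},
    "EPPN": {"alice@example.edu"},
    "Entitlement": {"urn:mace:vendor:contract1234"},
    "OrgUnit": {"Economics Department"},
    "EnrolledCourse": {"urn:mace:osu.edu:Physics201", "urn:mace:osu.edu:Econ101"},
}

INSTITUTIONAL = [
    # default: any target learns only that the person is a community member
    InstitutionalArp("*", release={"Affiliation": {"member@example.edu"}}),
    # licensed library resource: affiliation plus the contract entitlement; department never leaves
    InstitutionalArp("library.example.org",
                     release={"Affiliation": {"member@example.edu"}, "Entitlement": None},
                     force_exclude={"OrgUnit"}),
    # partner LMS needs a stable identity and only the course it hosts
    InstitutionalArp("lms.partner.edu",
                     release={"EPPN": None, "EnrolledCourse": {"urn:mace:osu.edu:Physics201"}},
                     force_include={"EPPN"}),
]

USER = [
    Arp("*", release={"OrgUnit": None}, withhold={"EPPN"}),   # share the department, not the identity
    Arp("lms.partner.edu", withhold={"EPPN"}),                 # user tries to withhold EPPN here too
]

if __name__ == "__main__":
    for target in ("library.example.org", "lms.partner.edu", "wiki.example.edu"):
        print(target, release_set(ALICE, INSTITUTIONAL, USER, target))
```

Running it shows the three cases the slide names: the library target gets affiliation and entitlement but not the department the user offered (site force-exclude), the LMS gets EPPN despite the user's withhold (site force-include) and only the one course its policy allows, and an unlisted target falls back to the institutional default plus whatever the user chose to add.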

Page 18:

Shibboleth and PKI

Shibboleth will establish a lightweight PKI between sites and servers to secure itself.

Shibboleth fully supports the use of certificates to authenticate users.

Shibboleth follow-on work will fully support the use of certificates by target sites directly, provided the necessary profile work is undertaken.

Page 20:

Policy and Trust

SAML and the Shibboleth architecture leave “tough” questions about policy and trust to implementers and deployers.

Communities of sites that want to interoperate will establish federations with common policies and trust models

Page 21:

Federations (Circles of Trust)

Communities must define (for example):
• attribute vocabulary, syntax, and usage
• expectations in areas like user identification and authentication, account policies
• a trust model for securing the system

Internet2/MACE is forming one such federation (informally known as “Club Shib”) by creating policy documents and infrastructure for higher education sites and those with which we do business.

Page 23:

Current Status

Architecture about to enter final call

Policy documents being drafted

Programming divided among Carnegie Mellon, Ohio State, and additional contractors

OpenSAML Beta-1 available now

Shibboleth Alpha-2 available to selected sites early July, wider distribution soon (10-20 projects)

Page 24:

Current Status

Call for participation went out to campuses in late-June for pilot with commercial content providers (EBSCO, Elsevier, sfx)

Several European Higher Ed systems evaluating Shib for use country-wide

First Shibbolized application has gone into production.

Production version of Shibboleth expected by October, with the goal of inclusion in the second NMI release

Page 25:

Currently working with

• NSDL (National Science Digital Library)

• Commercial Content Providers (EBSCO, Elsevier, sfx, OCLC)

• Meteor (Student Loan System)

• WebAssign (Web Based Testing, Physics and Chemistry)

Page 28:

Next Steps

Wider alpha Deployment, for verification and testing

Complete v1 implementation

Identify Other key applications

Gain experience with federation

What does it mean to “manage attribute release”?

Shibbolizing other applications?

Page 31:

Policy and Trust:“Club Shib”

A foundation on which to build:
• an initial set of attributes based on eduPerson but fully supporting bilateral arrangements
• a simple PKI suitable for “collaborative trust”
• a central registry of information about participating sites and their local account practices
• basic rules governing membership, usage of attributes, and layering of additional policies

A low barrier to entry for both schools and information providers

Page 32:

Campus Account Practices of Interest to Club Members

• Initial identification/password assignment process for accounts

• Authentication mechanisms for account use

• Policy on the reuse of account names

• Business logic for key attributes like affiliation, as the need surfaces

Current intent is descriptive, not prescriptive.
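The Federations, Club Shib and Campus Account Practices slides together say that a federation defines an attribute vocabulary, syntax and usage, and keeps a central registry of participating sites and their account practices. The following is an added example, not Shibboleth project code, of what a target site can do with that registry when attributes arrive from an origin: confirm the issuer is a registered member, accept only attribute names in the federation vocabulary, check each value's syntax, and, for scoped values such as EPPN and Affiliation, confirm the scope (the part after `@`) is one the registry assigns to that origin, so that one member cannot assert identities in another member's namespace. The registry layout, the syntax rules, the scope-check rule, the issuer identifier and all sample values are assumptions constructed for this example; the attribute names come from the deck's attribute slide.

```python
"""Target-side validation of received attributes against a federation registry.

Added illustration; not Shibboleth project code. Registry layout, syntax rules,
the scope check and all sample data are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# scoped value: local-part@domain; the domain is the "scope" an origin must be registered for
SCOPED = re.compile(r"^[A-Za-z0-9._-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")
# opaque URI: a scheme followed by ':' and a non-empty, whitespace-free body
URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$")

# Federation attribute vocabulary: name -> (syntax check, is the value scoped?).
# Attribute names follow the deck's attribute slide; the rules are assumed.
VOCABULARY: Dict[str, Tuple[Callable[[str], bool], bool]] = {
    "Affiliation":    (lambda v: SCOPED.match(v) is not None, True),
    "EPPN":           (lambda v: SCOPED.match(v) is not None, True),
    "Entitlement":    (lambda v: URI.match(v) is not None, False),
    "OrgUnit":        (lambda v: v.strip() != "", False),
    "EnrolledCourse": (lambda v: URI.match(v) is not None, False),
}


@dataclass
class OriginRecord:
    """One entry of the federation's central registry (constructed layout)."""
    origin_id: str
    scopes: Set[str]          # domains this origin may use in scoped attribute values
    account_practices: str    # descriptive note, as the Campus Account Practices slide envisions


REGISTRY: Dict[str, OriginRecord] = {   # constructed sample registry
    "urn:mace:example.edu": OriginRecord(
        "urn:mace:example.edu", {"example.edu"},
        "NetID issued after in-person ID check; account names never reused"),
}


@dataclass
class Verdict:
    accepted: Dict[str, Set[str]] = field(default_factory=dict)
    rejected: List[str] = field(default_factory=list)   # human-readable reasons, for the audit log


def check_attributes(issuer: str, attrs: Dict[str, Set[str]],
                     registry: Dict[str, OriginRecord] = REGISTRY) -> Verdict:
    """Keep only vocabulary attributes with valid syntax whose scope belongs to the issuer."""
    verdict = Verdict()
    origin = registry.get(issuer)
    if origin is None:
        verdict.rejected.append(f"issuer {issuer!r} is not a federation member")
        return verdict                      # nothing from a non-member is usable
    for name, values in attrs.items():
        rule = VOCABULARY.get(name)
        if rule is None:
            verdict.rejected.append(f"{name}: not in the federation vocabulary")
            continue
        valid, scoped = rule
        for v in sorted(values):
            if not valid(v):
                verdict.rejected.append(f"{name}={v!r}: bad syntax")
            elif scoped and SCOPED.match(v).group(1).lower() not in origin.scopes:
                verdict.rejected.append(f"{name}={v!r}: scope not registered to {issuer}")
            else:
                verdict.accepted.setdefault(name, set()).add(v)
    return verdict


# Constructed sample: one good and one out-of-scope affiliation, one malformed entitlement,
# and an attribute the federation never defined.
SAMPLE = {
    "Affiliation": {"member@example.edu", "member@other.edu"},
    "EPPN": {"alice@example.edu"},
    "Entitlement": {"urn:mace:vendor:contract1234", "contract1234"},
    "ShoeSize": {"9"},
}

if __name__ == "__main__":
    result = check_attributes("urn:mace:example.edu", SAMPLE)
    print("accepted:", result.accepted)
    for reason in result.rejected:
        print("rejected:", reason)
```

The design choice worth noting is that bad values are dropped individually and logged rather than causing the whole set to be discarded, so the resource manager still gets the usable attributes while the target's audit log records exactly what the origin tried to assert outside its registered scope or vocabulary.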

Page 34:

Here's how you can get involved!

Let us know you’re interested

Join the email lists

Identify problems in your environment where Shib could provide value

Respond to the CFP

Talk to us this week!

Page 35:

THE END

Acknowledgements:

Design Team: David Wasley, U of C; RL ‘Bob’ Morgan, U of Washington; Keith Hazelton, U of Wisconsin (Madison); Marlena Erdos, IBM/Tivoli; Steven Carmody, Brown; Scott Cantor, Ohio State

Important Contributions from: Ken Klingenstein (I2); Michael Gettes, Georgetown; Scott Fullerton (Madison)

Page 36:

Page 37:

Questions, Discussion….