Transcript
Page 1: Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.

Shibboleth and UKAMF-FEAR: not as scary as it sounds!

Rhys Smith, Cardiff University

Page 2: outline

- federated access management?
- shibboleth?
- JISC UK Access Management Federation for Education and Research

Page 3: some key terms

- user / user attributes, e.g. rhys (scmros) / ou: INSRV
- resource / service provider: web-based e-journals, websites, etc.
- users / identity provider: Cardiff University, 30,000-ish identities
- authentication vs authorisation: who you are / what you are allowed to do
- SAML

Page 4: a bit of background: athens

- athens: an Access Management System for controlling secure access to web-based services
- offers single sign-on access to multiple web-based services
- usernames and passwords held at Athens but administered at a local level
- “a big database table with about 4.5 million rows and 300 columns”

Page 5: classic athens (diagram)

Parties: User on Browser, Service Provider, Identity Provider, Athens.

1: Upload account info (Identity Provider to Athens)
2: I want to access your resource (User to Service Provider)
3: I don't know who you are, please login through Athens (Service Provider to User)
4: User sent to Athens login page
5: Credentials (User to Athens)
6: This person is X, and they're allowed to see your resource (Athens to Service Provider)
7: There you go! (Service Provider to User)

Page 6: what's the problem?

- users work in an increasingly global environment, demand increased mobility
- desire for increased security, privacy
- more resources, more credentials:
  - for user: lots of usernames/passwords!
  - for resource: manage own AMS (account administration overhead, forgotten passwords, etc.), or a central AMS (e.g. Athens)
  - for both: security & integrity compromised (e.g. “abc123”), proprietary authentication systems

Page 7: the solution?

- federated (devolved) access management
- role based (not identity based), i.e. (staff @ cardiff university) not (rhys @ CU)
- still allow personalisation: 1-way hash of user id (@ resource: further privacy)
- single sign-on to resources
- organisations responsible for identity management
- trust between resource providers and identity providers

Page 8: what is shibboleth?

- shibboleth enables FAM
- an access management system for controlling secure access to web-based (and beyond?) services
- offers single sign-on access
- usernames and passwords at the organisation end: standard network username/password

Page 9: what isn't shibboleth?

shibboleth is not:
- an identity management solution: it's a component of one
- an authentication or full SSO system: we need to plug into one (e.g. pubcookie)
- an attribute store: we need to plug into one (e.g. LDAP)

Page 10: why use shib for FAM?

- highly flexible
- highly extensible
- open source, open software
- community driven
- growing global acceptance (USA, UK, Australia, Switzerland, Netherlands, Spain, France and more)
- “It Just Works”

Page 11: high level architecture (diagram)

Parties: User on Browser, Service Provider, Identity Provider, WAYF (Where Are You From?).

Page 12: components - SP (diagram)

Service Provider components: Resource, Resource Manager, ACS (Assertion Consumer Service), AR (Attribute Requester). Also shown: User on Browser, Identity Provider, WAYF (Where Are You From?).

Page 13: components - IdP (diagram)

Identity Provider components: SSO Service (Authentication Authority), AA (Attribute Authority), User DB. Also shown: User on Browser, Service Provider, WAYF (Where Are You From?).

Page 14: components – WAYF / federations

- federations: a group of organisations sharing a set of agreed policies (legal), rules for access, etc.; basically, a trust framework
- a federation has a... WAYF: all IdPs in the federation will appear on a list; allows the determination of the user’s home IdP at run-time

Page 15: shibboleth and federations (diagram: Federation ... WAYF)

Page 16: how does shibboleth work? (diagram)

Components shown: WAYF; Identity Provider with SSO, AA (Attribute Authority) and User DB; Service Provider with Resource, Resource Manager, ACS and AR.

1: (Service Provider) I don’t know who you are or where you are from… redirecting you to the home locator
2: (WAYF) So, where are you from?
3-4: CFU
5: (WAYF) Ok, redirecting you to your organisation
6: (IdP SSO) Don’t know who you are: please login
7: Credentials
8: Handle. Ok, I know you! Redirecting you to the resource, with a handle
9: Handle (presented to the Service Provider). I need to know attributes... Ask AA
10: Attributes. These are the attributes you’re allowed to see
11: Ok, you’re allowed to see this. Here you go!
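Added illustration, not code from the slides or from the Shibboleth project: a small Python model of the handle-based exchange on this slide (steps 6 to 11) together with the per-resource one-way hash of the user id from the "solution" slide. The user record, the release-policy table, the password check and the IdP key are constructed assumptions; real Shibboleth exchanges SAML messages and reads attributes from a store such as LDAP rather than from dictionaries.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data (not from the slides): one IdP user record, plus the
# per-SP attribute release policy that makes access role-based, not identity-based.
USER_DB = {
    "scmros": {"cn": "Rhys Smith", "ou": "INSRV", "affiliation": "staff@cardiff.ac.uk"},
}
RELEASE_POLICY = {                      # SP name -> attributes it may receive
    "ejournals.example": {"affiliation"},
    "portal.example": {"affiliation", "ou"},
}
IDP_SECRET = b"constructed-idp-secret"  # hypothetical IdP-held key for the hash

def targeted_id(uid: str, sp: str) -> str:
    """One-way hash of user id '@ resource': stable per SP, unlinkable across SPs."""
    return hmac.new(IDP_SECRET, f"{uid}|{sp}".encode(), hashlib.sha256).hexdigest()

class IdentityProvider:
    """SSO service issues opaque handles; the AA resolves them (steps 6-10)."""
    HANDLE_TTL = 300                    # seconds a handle stays resolvable

    def __init__(self):
        self._handles = {}              # handle -> (uid, sp it was issued for, expiry)

    def sso_login(self, uid: str, password: str, sp: str) -> str:
        # Step 7: the user authenticates with the organisation's own credentials.
        if uid not in USER_DB or password != "correct-horse":   # constructed check
            raise PermissionError("login failed")
        handle = secrets.token_urlsafe(16)                      # opaque, no user data
        self._handles[handle] = (uid, sp, time.time() + self.HANDLE_TTL)
        return handle                                           # steps 8-9

    def attribute_authority(self, handle: str, sp: str) -> dict:
        # Step 10: the SP's Attribute Requester presents the handle to the AA.
        uid, issued_for, expiry = self._handles.pop(handle, (None, None, 0.0))
        if uid is None or issued_for != sp or time.time() > expiry:
            raise PermissionError("unknown, reused, expired or mis-targeted handle")
        attrs = {k: v for k, v in USER_DB[uid].items() if k in RELEASE_POLICY.get(sp, ())}
        attrs["targetedID"] = targeted_id(uid, sp)              # personalisation key
        return attrs

def sp_access(idp: IdentityProvider, uid: str, password: str, sp: str):
    """Resource manager decision (step 11): staff affiliation is enough, no name needed."""
    attrs = idp.attribute_authority(idp.sso_login(uid, password, sp), sp)
    return attrs if attrs.get("affiliation", "").startswith("staff@") else None
```

The handle is single-use and bound to the SP it was issued for, so a handle leaked to one resource cannot be replayed at another, and no SP ever receives the underlying username.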

Page 17: JISC UK access management

- previously (well, currently): centralised, e.g. athens, a central repository of accounts/credentials
- funding for athens ends July 2008; 50p per user (or thereabouts) after that...
- next generation: federated, devolved authentication (DA)
- UK Access Management Federation for Education and Research, for HE, FE and Schools (JISC and BECTA)
- went live November 30th 2006 (became self aware 2:14am EDT August 29th 20... (!))

Page 18: UKFed

how to connect:
- HE: likely run their own IdP
- FE: run their own IdP / outsource
- Schools: IdP via RBC/LEA / outsource
- instructions on http://www.ukfederation.org.uk/

Page 19: Options

1) Become a full member of UKFed, using community tools: total control vs effort
2) Become a full member of UKFed, using paid-for support: control vs cost
3) Subscribe to an outsourced IdP to work through UKFed on your behalf: nice and easy vs cost and lack of control

Page 20: Gateways

- some resources not FAM compliant yet
- some institutions don't have the money/effort to implement FAM
- so... shibboleth-athens gateway and athens-shibboleth gateway (not at all confusing!)

Page 21: shibboleth-athens (diagram: Athens Resources, Shib-Athens gateway, Federation ... WAYF)

Page 22: athens-shibboleth (diagram: Athens Resources, Shib-Athens gateway, Federation ... WAYF, Athens-Shib gateway, IdP-less Users)

Page 23: FAM beyond athens

- can be used as an AMS for any web-based application (and beyond?!)
- no need for proprietary AMS
- intra-campus: probably not worth it; hook directly into LDAP
- inter-untrusted-organisations: need trust
- inter-trusted-organisations: perfect!

Page 24: project progress and future

- whole of Cardiff University shib enabled now
- all new staff/students using it
- existing athens users migrating easter+

Page 25: conclusions

- FAM is here today for the UK academic community
- Joining UKFed enables cross-institutional collaboration and virtual organisations

Page 26: the end

for:
- more info
- a copy of these slides
- clarification of any points
- meaningful discussion about shib
- meaningless discussion about the stanley cup final...
email: [email protected]
