Shibboleth and UKAMF-FEAR: not as scary as it sounds!
Rhys Smith, Cardiff University
outline
federated access management?
shibboleth?
JISC UK Access Management Federation for Education and Research
some key terms
user / user attributes: e.g. rhys (scmros) / ou: INSRV
resource / service provider: web-based e-journals, websites, etc.
users / identity provider: Cardiff University – 30,000-ish identities
authentication vs authorisation: who you are / what you are allowed to do
SAML
a bit of background: athens
athens: an Access Management System for controlling secure access to web-based services
offers single sign-on access to multiple web-based services
usernames and passwords held at Athens but administered at a local level
“a big database table with about 4.5 million rows and 300 columns”
classic athens
(diagram: User on Browser, Service Provider, Identity Provider, Athens)
1: (identity provider to Athens) upload account info
2: (user to service provider) I want to access your resource
3: (service provider to user) I don't know who you are, please login through Athens
4: user sent to Athens login page
5: (user to Athens) credentials
6: (Athens to service provider) this person is X, and they're allowed to see your resource
7: (service provider to user) there you go!
what's the problem?
users work in an increasingly global environment and demand increased mobility; desire for increased security and privacy
more resources – more credentials:
for the user: lots of usernames/passwords!
for the resource: manage own AMS (account administration overhead, forgotten passwords, etc.), or use a central AMS (e.g. Athens)
for both: security & integrity compromised (e.g. “abc123”); proprietary authentication systems
the solution?
federated (devolved) access management:
role based (not identity based), i.e. (staff @ cardiff university) not (rhys @ CU)
still allows personalisation: 1-way hash of user id (per resource – further privacy)
single sign-on to resources
organisations responsible for identity management; trust between resource providers and identity providers
what is shibboleth?
shibboleth: enables FAM; an access management system for controlling secure access to web-based (and beyond?) services
offers single sign-on access
usernames and passwords stay at the organisation end – standard network username/password
what isn't shibboleth?
shibboleth is not:
an identity management solution – it's a component of one
an authentication or full SSO system – we need to plug into one (e.g. pubcookie)
an attribute store – we need to plug into one (e.g. LDAP)
why use shib for FAM?
highly flexible, highly extensible
open source, open software, community driven
growing global acceptance (usa, uk, australia, switzerland, netherlands, spain, france and more)
“It Just Works”
high level architecture
(diagram: User on Browser, Service Provider, Identity Provider, WAYF (Where Are You From?))
components - SP
(diagram: Service Provider side, with User on Browser, Identity Provider and WAYF (Where Are You From?) around it)
Resource
Resource Manager
Assertion Consumer Service (ACS)
Attribute Requester (AR)
components - IdP
(diagram: Identity Provider side, with User on Browser, Service Provider and WAYF (Where Are You From?) around it)
Authentication Authority / SSO Service
Attribute Authority (AA)
User DB
components – WAYF / federations
federations: a group of organisations sharing a set of agreed policies (legal), rules for access, etc. – basically, a trust framework
a federation has a WAYF: all IdPs in the federation will appear on a list; this allows the determination of the user’s home IdP at run-time
(diagram: shibboleth and federations – Federation ... WAYF)
how does shibboleth work?
(diagram: User on Browser; Service Provider with Resource, Resource Manager, ACS, AR; Identity Provider with SSO, AA, User DB; WAYF)
1: user on browser requests the resource
2: service provider: “I don’t know who you are or where you are from… redirecting you to the home locator”
3: WAYF: “So, where are you from?”
4: user: CFU
5: WAYF: “Ok, redirecting you to your organisation”
6: identity provider (SSO): “Don’t know who you are: please login”
7: user: credentials
8: identity provider: “Ok, I know you! Redirecting you to the resource, with a handle” – handle
9: user presents the handle to the service provider (ACS); service provider: “I need to know attributes... Ask AA”
10: attribute requester sends the handle to the AA; AA: “These are the attributes you’re allowed to see:” – attributes
11: resource manager: “Ok, you’re allowed to see this. Here you go!”
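The handle/attribute exchange above, together with the earlier point about role-based access and a per-resource one-way hash of the user id, modelled as an added toy example in Python (not Shibboleth code and not Cardiff's deployment). The user record, passwords, SP identifiers, release policy and the salt are all constructed; the attribute names eduPersonScopedAffiliation and eduPersonTargetedID are assumed as the attributes the IdP releases.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one identity at the Cardiff IdP and two SP release policies.
IDP_SCOPE = "cardiff.ac.uk"
USER_DB = {"scmros": {"password": "correct horse", "ou": "INSRV", "affiliation": "staff"}}
# Attribute release policy: which attributes each SP (keyed by its identifier) may see.
RELEASE_POLICY = {"https://ejournal.example": ["eduPersonScopedAffiliation", "eduPersonTargetedID"],
                  "https://library.example": ["eduPersonScopedAffiliation", "eduPersonTargetedID"]}
IDP_SALT = b"constructed-idp-secret"  # keeps the targeted id one-way and unguessable outside the IdP

class IdentityProvider:
    def __init__(self):
        self.handles = {}  # opaque handle -> (uid, sp it was issued for)

    def sso_login(self, uid, password, sp_id):
        """Steps 6-8: authenticate with the normal campus credentials and hand back an opaque handle."""
        user = USER_DB.get(uid)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        handle = secrets.token_hex(16)  # random: carries no identity information itself
        self.handles[handle] = (uid, sp_id)
        return handle

    def attribute_authority(self, handle, sp_id):
        """Step 10: resolve a handle to the attributes this particular SP is allowed to see."""
        entry = self.handles.pop(handle, None)  # single use: a replayed handle resolves to nothing
        if entry is None or entry[1] != sp_id:
            return None
        uid, _ = entry
        user = USER_DB[uid]
        everything = {
            "uid": uid,
            "ou": user["ou"],
            "eduPersonScopedAffiliation": f"{user['affiliation']}@{IDP_SCOPE}",
            # role, not identity: a per-SP one-way hash lets the SP personalise without learning the uid
            "eduPersonTargetedID": hashlib.sha256(IDP_SALT + uid.encode() + b"|" + sp_id.encode()).hexdigest(),
        }
        return {k: v for k, v in everything.items() if k in RELEASE_POLICY.get(sp_id, [])}

def sp_resource_manager(idp, sp_id, required_affiliation, handle):
    """Steps 9-11: ACS receives the handle, AR asks the AA, the resource manager decides."""
    attrs = idp.attribute_authority(handle, sp_id)
    if attrs is None:
        return "denied: unknown or reused handle"
    if attrs.get("eduPersonScopedAffiliation") != required_affiliation:
        return "denied: affiliation not authorised"
    return "granted to pseudonym " + attrs["eduPersonTargetedID"][:8]
```

An SP absent from the release policy receives no attributes at all, so its resource manager denies access by default.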
JISC UK access management
previously (well, currently) – centralised, e.g. athens: central repository of accounts/credentials
funding for athens ends july 2008; 50p per user (or thereabouts) after that...
next generation: federated, devolved authentication (DA)
UK Access Management Federation for Education and Research, for HE, FE and schools (JISC and BECTA)
went live November 30th 2006 (became self aware 2:14am EDT August 29th 20... (!))
UKFed
how to connect: HE – likely run their own IdP; FE – run their own IdP / outsource; Schools – IdP via RBC/LEA / outsource
instructions on http://www.ukfederation.org.uk/
Options
1) Become a full member of UKFed, using community tools: total control vs effort
2) Become a full member of UKFed, using paid-for support: control vs cost
3) Subscribe to an outsourced IdP to work through UKFed on your behalf: nice and easy vs cost and lack of control
Gateways
some resources are not FAM compliant yet; some institutions don't have the money/effort to implement FAM, so...
shibboleth-athens gateway and athens-shibboleth gateway (not at all confusing!)
(diagram: shibboleth-athens – Federation ... WAYF, Shib-Athens gateway, Athens Resources)
(diagram: athens-shibboleth – Athens Resources, Shib-Athens gateway, Federation ... WAYF, Athens-Shib gateway, IdP-less Users)
FAM beyond athens
can be used as an AMS for any web-based application (and beyond?!); no need for a proprietary AMS
intra-campus – probably not worth it; hook directly into LDAP
inter-untrusted-organisations – need trust
inter-trusted-organisations – perfect!
project progress and future
whole of Cardiff University shib enabled now; all new staff/students using it; existing athens users migrating easter+
conclusions
FAM is here today for the UK academic community
Joining UKFed enables cross-institutional collaboration and virtual organisations
the end
for: more info, a copy of these slides, clarification of any points, meaningful discussion about shib, meaningless discussion about the stanley cup final... email: [email protected]