Administrative Information Systems
Shibboleth: The Next Generation ISIS
Technical Information Session for Developers
Datta Mahabalagiri
March 3. 2008
Today’s Goals
• Demystify Shibboleth
• Provide a technical overview of Shibboleth
• Outline application considerations when migrating to Shibboleth
• Sketch the migration plan
• Q/A
Shibboleth Overview
• Shibboleth is standards-based, open-source middleware that provides a web Single Sign-On (SSO) solution within or across organizational boundaries
• Authentication/attribute query protocol
• Standards based: built on SAML
• Developed by Internet2
Shibboleth Overview
• Emphasis on protecting user privacy
• Fine-grained attribute release control mechanism
• Browser-based authentication only
• Quickly gaining momentum in higher education community
• UC is adopting Shibboleth as its standard federated authentication mechanism: UCTrust
Shibboleth Benefits
• Standards based (SAML, etc.)
• Focus on privacy and security
• Adopted by many organizations
• Manages identity for local users only
• Federated
• Open source software, supported by Internet2
– Client modules
– No coding necessary
– Works with static web sites
What Shibboleth is not
• It provides SSO, but is not itself an authentication mechanism
• It provides no authorization
Shibboleth Vocabulary
• Federation
• Identity Provider (IdP)
• Service Provider (SP)
• Where Are You From Service (WAYF)
• Handle Service (HS)
• Attribute Authority (AA)
• Attribute Requester (AR)
• Assertion Consumer Service (ACS)
• Attribute Release Policy (ARP)
• Attribute Acceptance Policy (AAP)
• Bilateral deployment
Shibboleth: Federation
• Provides a standard approach to the policies, practices and technologies that members adopt
• Interoperability & trust
• Which federation to join?
• Joining a federation is not a must to operate Shibboleth
Shibboleth: Identity Provider (IdP)
• The “server” side of Shibboleth
• Performs authentication
• Issues Authentication Assertion
• Responds to attribute queries
• Issues Attribute Assertion
• Analogous to the ISIS Login Server and Web Service
• One instance per campus
Shibboleth: Service Provider (SP)
• The “consumer” side of Shibboleth
• Apache Module or IIS ISAPI filter plus daemon
• Handles all communications with WAYF and IdP
• Places returned attributes in HTTP headers
• Provided by Internet2
Shibboleth: Where Are You From (WAYF) Service
• Part of the Federation services
• A directory service of Identity Providers
• Hosted by the federation operator *
* In Shibboleth 2.0, WAYF function will be part of the Service Provider module
Shibboleth: IdP Components
• Handle Service (HS)
– Directs the incoming user to the authentication authority (i.e., login page)
– Issues a Shibboleth Handle (similar to a session token, à la the ISIS ticket)
• Attribute Authority (AA)
– Responds to attribute requests
– Queries data repositories
– Constructs and returns Attribute Assertion (XML document containing requested user data)
Shibboleth: SP Components
• Assertion Consumer Service (ACS)
– Processes the Shibboleth handle returned by the IdP
– Initiates an optional attribute request
– Establishes a security context at the SP and redirects the client to the desired target resource
• Attribute Requester (AR)
– Establishes a direct connection to the Attribute Authority at the IdP
– Exchanges attribute query and attribute response
Shibboleth: Attribute Release Policy
• Rules for releasing attributes, XML format
• Fine grained control for the release of attributes
• Both the individual and the organization have control over the release of attributes
• Site ARP & User ARP
ARP Examples
• eduPersonAffiliation release policy (the slide's XML, with the element nesting restored; the affiliation value is shown as it appears on the slide)

```xml
<Rule>
  <Target>
    <AnyTarget/>
  </Target>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
    <AnyValue release="permit"/>
  </Attribute>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <Value release="permit">[email protected]</Value>
  </Attribute>
</Rule>
```

• To scope a rule to one Service Provider, replace <AnyTarget/> with a Requester target:

```xml
<Target>
  <Requester>https://myhost.ucla.edu</Requester>
</Target>
```
Shibboleth: Attribute Acceptance Policy (AAP)
• Rules for accepting attributes, XML format
• Regular expression checks on attribute values
• Places accepted attributes in HTTP headers for use by applications
AAP Examples
• eduPersonAffiliation acceptance rules

```xml
<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation"
               CaseSensitive="false" Header="SHIB-AFFILIATION">
  <AnySite>
    <Value>FACULTY</Value>
    <Value>STUDENT</Value>
  </AnySite>
</AttributeRule>
```

• Other matchers that can appear inside an AttributeRule (the `$$$` is the slide's own placeholder for the rule body):

```xml
<Value Type="regexp">^[^@]+$</Value>
<AnyValue/>
<SiteRule Name="providerId"> $$$ </SiteRule>
```
Shibboleth Architecture (diagram, © SWITCH)
Boxes shown: Resource and Web Site, Service Provider (ACS, AR, Resource Manager), WAYF, Identity Provider (HS, AA, User DB, Credentials). Numbered arrows 1–10 trace the request through the WAYF to the HS, the Handle returned to the ACS and passed on to the AR and the AA, and the Attributes returned to the Resource Manager.
Shibboleth Architecture, annotated walk-through (diagram; Identity Provider at UCLA)
1. The user's browser requests a protected Resource at the Service Provider web site.
2–3. ACS: "I don't know you. Not even which home org you are from. Redirect your request to the WAYF." WAYF: "Please tell me where are you from?"
4. WAYF: "OK, I redirect your request now to the Handle Service of UCLA." HS: "I don't know you. Please authenticate using ISIS."
5–6. The user's Credentials are checked against the User DB.
7. HS: "OK, I know you now. Redirect your request to the SP, together with a handle."
8. The ACS hands the Handle to the AR: "I don't know the attributes of this user. Let's ask the Attribute Authority."
9. The AR presents the Handle to the AA: "Let's pass over the attributes the user has allowed me to release."
10. The Attributes flow back to the Resource Manager: "OK, based on the attributes, I grant access to the resource."
Shibboleth @ UCLA
• Shibboleth IdP already running in production
• Leverages ISIS authentication engine
• Running in parallel with ISIS 5
• Attributes in ED
Shibboleth @ UCLA
• Will eventually replace the ISIS Web Service API
• Early adopters include CCLE, MyEvents, Plone site
• ARP Administration is still a manual process
• Customized login page
• Supports Bilateral and Federated deployment
ToDo’s
• ISIS Login Server will continue to serve the login form
• Integrate Shibboleth SP administration with ISIS Administration
• Incorporate data release approval from data stewards into the SP set up process
• Need more attribute data!
• Improve user experience during redirects
• More support materials (Confluence)
• Helpdesk coordination
• Metadata generation
• Logout?
Migrating to Shibboleth
• Migration Philosophy
– Parallel support for ISIS 5 and ISIS/Shib
– Gradual Migration: Move when it’s a good time for your application to move
– … within reason, of course
– Emphasis on user experience
Migrating to Shibboleth
• 2007
– Early adopters and new applications
– Applications with unique requirements
– Applications could choose between ISIS 5 and Shibboleth
• 2008
– All MI Team supported apps
– All new applications
– Voluntary migration
• 2009
– Mandatory migration
– End ISIS support
Preparing Your Application for Shibboleth
• Choose your Web Server
– IIS
– Apache
• Separate test and production environments
• Deployment Scenario
– Federated
– Bilateral
Federated Deployment
• With federated deployment, your application joins a Shibboleth federation (InCommon, UCTrust)
• Need to register and obtain a federation-issued digital certificate
• Application enjoys common standards, but needs to comply with all federation requirements
– Security and audit requirements
– Attribute Assertion agreements (more work on the IdP side than the SP side)
– Coordinated helpdesk support
• Choose federated deployment if:
– You plan to accept authentication assertions from multiple IdP's
– You have business requirements to participate in a federation
Bilateral Deployment
• With bilateral deployment, your application exchanges credentials and negotiates attribute exchanges directly with the IdP
• No need to obtain federation digital certificates
• Likely a simpler deployment model for UCLA-only applications
• Choose bilateral deployment if:
– You plan to accept authentication assertions only from UCLA’s IdP
• Can always move to a federated deployment mode
Preparing Your Application for Shibboleth
• Rethink your user access provisioning process
– Shib’s privacy policy may mean that you won’t get all the attributes you want from all the users. You may need to ask for more information
– Especially with federated deployment, you will receive login attempts from unexpected users.
– An on-demand access provisioning model is preferred
– Need to provide much more descriptive help information on screen
Preparing Your Application for Shibboleth
The user may be confused if you show him:
Login Failed: Access Denied.
Preparing Your Application for Shibboleth
This may make it just a bit clearer to the user why he cannot continue, and what he can do to remedy the situation:
Thank you for your interest in using the Foobar system.
It appears that you authenticated successfully. However, you have not registered to become a user with Foobar.
Foobar is a restricted system. If you believe you should have access, please click here to complete an access request.
For additional inquiries, please contact our helpdesk at [email protected]
Preparing Your Application for Shibboleth
• Rethink your logging and helpdesk support model
– Especially with federated deployment, the user’s IdP may not be UCLA.
– Helping a user through the troubleshooting process is critical
– Think about your hours of support
– Think about the kind of information you need to keep in your application log
Preparing Your Application for Shibboleth: Next Steps
• Install Fest?
• Usability Workshops?
• Diagnostic/Testing modules?
• Common Logging format?
• Helpdesk Coordination
– KB: kb.ucla.edu? Something else?
– Shared diagnostics support scripts?
Resources
• Official Shibboleth Website: http://shibboleth.internet2.edu
• Shibboleth Wiki: https://spaces.internet2.edu/display/SHIB
• InCommon Federation: http://www.incommonfederation.org/
• UCTrust Federation: http://www.ucop.edu/irc/itlc/uctrust/
• 3 cool demos of how Shib works from the Swiss Shibboleth Federation folks: http://www.switch.ch/aai/demo/
• Middleware Infrastructure Group's Website: http://spaces.ais.ucla.edu
Q & A