
Page 1: Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008

Administrative Information Systems

Shibboleth: The Next Generation ISIS

Technical Information Session for Developers

Datta Mahabalagiri

March 3. 2008

Page 2:

Today’s Goals

• Demystify Shibboleth

• Provide a technical overview of Shibboleth

• Outline Application considerations when migrating to Shibboleth

• Sketch Migration plan

• Q/A

Page 3:

Shibboleth Overview

• Shibboleth is standards-based, open source middleware that provides a web Single Sign-On (SSO) solution within or across organizational boundaries

• Authentication/Attribute Query protocol

• Standards based: built on SAML

• Developed by Internet2

Page 4:

Shibboleth Overview

• Emphasis on protecting user privacy

• Fine grained Attribute Release control mechanism

• Browser based authentication only

• Quickly gaining momentum in higher education community

• UC is adopting Shibboleth as its standard federated authentication mechanism: UCTrust

Page 5:

Shibboleth Benefits

• Standards Based, SAML etc.

• Focus on Privacy and Security

• Adopted by many organizations

• Manage Identity for local users only

• Federated

• Open Source Software, supported by Internet2

– Client Modules

– No coding necessary

– Works with static web sites

Page 6:

What Shibboleth Is Not

• Provides SSO, but not authentication itself

• No Authorization

Page 7:

Shibboleth Vocabulary

• Federation

• Identity Provider (IdP)

• Service Provider (SP)

• Where Are You From Service (WAYF)

• Handle Service (HS)

• Attribute Authority (AA)

• Attribute Requester (AR)

• Assertion Consumer Service (ACS)

• Attribute Release Policy (ARP)

• Attribute Acceptance Policy (AAP)

• Bilateral deployment

Page 8:

Shibboleth: Federation

• Provides standard approach to policies, practices, technologies that members adopt

• Interoperability & trust

• Which Federation to join?

• Joining a federation is not required in order to operate Shibboleth

Page 9:

Shibboleth: Identity Provider (IdP)

• The “server” side of Shibboleth

• Performs authentication

• Issues Authentication Assertion

• Responds to attribute queries

• Issues Attribute Assertion

• Analogous to the ISIS Login Server and Web Service

• One instance per campus

Page 10:

Shibboleth: Service Provider (SP)

• The “consumer” side of Shibboleth

• Apache Module or IIS ISAPI filter plus daemon

• Handles all communications with WAYF and IdP

• Places returned attributes in HTTP header

• Provided by Internet2

Page 11:

Shibboleth: Where Are You From (WAYF) Service

• Part of the Federation services

• A directory service of Identity Providers

• Hosted by the federation operator *

* In Shibboleth 2.0, WAYF function will be part of the Service Provider module

Page 12:

Shibboleth: IdP Components

• Handle Service (HS)

– Directs the incoming user to the authentication authority (i.e., login page)

– Issues a Shibboleth handle (similar to a session token, like an ISIS ticket)

• Attribute Authority (AA)

– Responds to attribute requests

– Queries data repositories

– Constructs and returns Attribute Assertion (XML document containing requested user data)

Page 13:

Shibboleth: SP Components

• Assertion Consumer Service (ACS)

– Processes the Shibboleth handle returned by the IdP

– Initiates an optional attribute request

– Establishes a security context at the SP, and redirects the client to the desired target resource.

• Attribute Requester (AR)

– Establishes a direct connection to the Attribute Authority at the IdP

– Exchanges attribute query and attribute response

Page 14:

Shibboleth: Attribute Release Policy

• Rules for releasing attributes, XML format

• Fine grained control for the release of attributes

• Individual & Organization have control over release of attributes

• Site ARP & User ARP

Page 15:

ARP Examples

• eduPersonAffiliation release policy

<Rule>
  <Target>
    <AnyTarget/>
  </Target>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
    <AnyValue release="permit"/>
  </Attribute>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <Value release="permit">[email protected]</Value>
  </Attribute>
</Rule>

• Alternative Target that limits a rule to one requesting SP instead of AnyTarget:

<Target>
  <Requester>https://myhost.ucla.edu</Requester>
</Target>
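To make the release semantics concrete, here is an added example (not from the slides or from the Shibboleth code base) that evaluates a simplified Site ARP of the form shown above against a user's attributes for a given requester. The ARP document, the affiliation value "student" and the requester providerIds are constructed; only release="permit" rules are modelled, whereas real ARPs also carry deny rules.

```python
import xml.etree.ElementTree as ET

# Constructed Site ARP combining the slide's two fragments: one rule for
# every requester (AnyTarget) and one that applies only to one requester.
SITE_ARP = """<AttributeReleasePolicy>
  <Rule>
    <Target><AnyTarget/></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
  <Rule>
    <Target><Requester>https://myhost.ucla.edu</Requester></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <Value release="permit">student</Value>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>"""


def rule_applies(rule, requester):
    """A Rule applies when its Target is AnyTarget or names this requester."""
    target = rule.find("Target")
    if target.find("AnyTarget") is not None:
        return True
    return any(r.text.strip() == requester for r in target.findall("Requester"))


def release(arp_xml, requester, user_attrs):
    """Reduce user_attrs (attribute name -> list of values) to what the ARP
    permits the IdP to release to this requester (the SP's providerId).
    Simplification: only release="permit" is honoured."""
    released = {}
    for rule in ET.fromstring(arp_xml).findall("Rule"):
        if not rule_applies(rule, requester):
            continue
        for attr in rule.findall("Attribute"):
            name = attr.get("name")
            have = user_attrs.get(name, [])
            if attr.find("AnyValue[@release='permit']") is not None:
                allowed = list(have)          # every value may leave the IdP
            else:                             # only the listed values may
                ok = {v.text.strip() for v in attr.findall("Value[@release='permit']")}
                allowed = [val for val in have if val in ok]
            out = released.setdefault(name, [])
            out.extend(val for val in allowed if val not in out)
    return {k: v for k, v in released.items() if v}
```

A requester other than https://myhost.ucla.edu receives the principal name only; the affiliation stays at the IdP, which is the fine-grained release control the slides describe.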

Page 16:

Shibboleth: Attribute Acceptance Policy (AAP)

• Rules for accepting attributes, XML format

• Regular expression checks on attribute values

• Places accepted attributes in HTTP headers for use by applications

Page 17:

AAP Examples

• eduPersonAffiliation acceptance rules

<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation" CaseSensitive="false" Header="SHIB-AFFILIATION">
  <AnySite>
    <Value>FACULTY</Value>
    <Value>STUDENT</Value>
  </AnySite>
</AttributeRule>

• Other matchers shown on the slide: a regular-expression value, any value, and a rule scoped to a single IdP (the slide leaves the SiteRule body as a placeholder)

<Value Type="regexp">^[^@]+$</Value>
<AnyValue/>
<SiteRule Name="providerId"> $$$ </SiteRule>
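The SP-side counterpart, as an added example (not from the slides or the Shibboleth SP): a simplified evaluator for an AAP of the form above that decides which asserted values survive and which HTTP header each one is exported under. The AAP document, the header name SHIB-EPPN and the IdP providerId urn:constructed:idp:ucla are constructed; a SiteRule shows why the origin matters, since a value is dropped when it comes from an IdP the rule does not cover.

```python
import re
import xml.etree.ElementTree as ET

# Constructed AAP: the slide's affiliation rule plus a principal-name rule
# built from its regexp and SiteRule fragments (IdP providerId is a placeholder).
AAP = r"""<AttributeAcceptancePolicy>
  <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation"
                 CaseSensitive="false" Header="SHIB-AFFILIATION">
    <AnySite><Value>FACULTY</Value><Value>STUDENT</Value></AnySite>
  </AttributeRule>
  <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                 Header="SHIB-EPPN">
    <SiteRule Name="urn:constructed:idp:ucla">
      <Value Type="regexp">^[^@]+@ucla\.edu$</Value>
    </SiteRule>
  </AttributeRule>
</AttributeAcceptancePolicy>"""


def value_accepted(rule, scope, value):
    """Match one asserted value against the Value/AnyValue children of an
    AnySite or SiteRule scope, honouring CaseSensitive and Type="regexp"."""
    if scope.find("AnyValue") is not None:
        return True
    fold = rule.get("CaseSensitive", "true").lower() == "false"
    for v in scope.findall("Value"):
        pattern = v.text.strip()
        if v.get("Type") == "regexp":
            if re.search(pattern, value):   # the slide's patterns are anchored
                return True
        elif (pattern.lower() == value.lower() if fold else pattern == value):
            return True
    return False


def accept(aap_xml, origin, asserted):
    """asserted: attribute name -> values from the IdP whose providerId is
    origin. Returns {HTTP header: accepted values}; values with no matching
    rule, or from a site the rule does not cover, never reach the application."""
    headers = {}
    for rule in ET.fromstring(aap_xml).findall("AttributeRule"):
        scopes = [s for s in rule if s.tag == "AnySite"
                  or (s.tag == "SiteRule" and s.get("Name") == origin)]
        kept = [val for val in asserted.get(rule.get("Name"), [])
                if any(value_accepted(rule, s, val) for s in scopes)]
        if kept:
            headers[rule.get("Header")] = kept
    return headers
```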

Page 18:

Shibboleth Architecture

[Figure (© SWITCH): Shibboleth architecture diagram. Components: the user's browser, the WAYF, the Identity Provider (Handle Service, Attribute Authority, User DB with credentials) and the Service Provider (ACS, AR, Resource Manager) in front of the web site resource. Numbered arrows 1 to 10 show the request reaching the SP, the redirect via the WAYF to the HS, authentication against the User DB, the handle returned to the ACS and passed on to the AR and the AA, and the attributes flowing back to the Resource Manager.]

Page 19:

Shibboleth Architecture: Annotated Flow

[Figure (© SWITCH): the same diagram with the Identity Provider at UCLA, annotated with the following callouts in the order of the numbered steps 1 to 10.]

• Service Provider (ACS): "I don't know you. Not even which home org you are from. Redirect your request to the WAYF."

• WAYF: "Please tell me where are you from?"

• WAYF: "OK, I redirect your request now to the Handle Service of UCLA."

• Handle Service: "I don't know you. Please authenticate using ISIS."

• Handle Service (after checking the credentials against the User DB): "OK, I know you now. Redirect your request to the SP, together with a handle."

• Service Provider (AR): "I don't know the attributes of this user. Let's ask the Attribute Authority."

• Attribute Authority: "Let's pass over the attributes the user has allowed me to release."

• Resource Manager: "OK, based on the attributes, I grant access to the resource."

Page 20:

Shibboleth @ UCLA

• Shibboleth IdP already running in production

• Leverages ISIS authentication engine

• Running in parallel with ISIS 5

• Attributes in ED

Page 21:

Shibboleth @ UCLA

• Will eventually replace the ISIS Web Service API

• Early adopters include CCLE, MyEvents, Plone site

• ARP Administration is still a manual process

• Customized login page

• Supports Bilateral and Federated deployment

Page 22:

ToDo’s

• ISIS Login Server will continue to serve the login form

• Integrate Shibboleth SP administration with ISIS Administration

• Incorporate data release approval from data stewards into the SP set-up process

• Need more attribute data!

• Improve user experience during redirects

• More support materials (Confluence)

• Helpdesk coordination

• Metadata generation

• Logout?

Page 23:

Migrating to Shibboleth

• Migration Philosophy

– Parallel support for ISIS 5 and ISIS/Shib

– Gradual Migration: Move when it’s a good time for your application to move

– … within reason, of course

– Emphasis on user experience

Page 24:

Migrating to Shibboleth

• 2007

– Early adopters and new applications

– Applications with unique requirements

– Applications could choose between ISIS 5 and Shibboleth

• 2008

– All MI Team supported apps

– All new applications

– Voluntary migration

• 2009

– Mandatory migration

– End ISIS support

Page 25:

Preparing Your Application for Shibboleth

• Choose your Web Server

– IIS

– Apache

• Separate test and production environments

• Deployment Scenario

– Federated

– Bilateral

Page 26:

Federated Deployment

• With federated deployment, your application joins a Shibboleth federation (InCommon, UCTrust)

• Need to register and obtain a federation-issued digital certificate

• Application enjoys common standards, but needs to comply with all federation requirements

– Security and audit requirements

– Attribute Assertion agreements (more work on the IdP side than the SP side)

– Coordinated helpdesk support

• Choose federated deployment if:

– You plan to accept authentication assertions from multiple IdPs

– You have business requirements to participate in a federation

Page 27:

Bilateral Deployment

• With bilateral deployment, your application exchanges credentials and negotiates attribute exchanges directly with IdP

• No need to obtain federation digital certificates

• Likely a simpler deployment model for UCLA-only applications

• Choose bilateral deployment if:

– You plan to accept authentication assertions only from UCLA’s IdP

• Can always move to a federated deployment mode

Page 28:

Preparing Your Application for Shibboleth

• Rethink your user access provisioning process

– Shib’s privacy policy may mean that you won’t get all the attributes you want from all users; you may need to ask the user for more information

– Especially with federated deployment, you will receive login attempts from unexpected users.

– An on-demand access provisioning model is preferred

– Need to provide much more descriptive help information on screen

Page 29:

Preparing Your Application for Shibboleth

The user may be confused if you show him:

Login Failed: Access Denied.

Page 30:

Preparing Your Application for Shibboleth

This may make it just a bit clearer to the user why he cannot continue, and what he can do to remedy the situation:

Thank you for your interest in using the Foobar system.

It appears that you authenticated successfully. However, you have not registered to become a user with Foobar.

Foobar is a restricted system. If you believe you should have access, please click here to complete an access request.

For additional inquiries, please contact our helpdesk at [email protected]

Page 31:

Preparing Your Application for Shibboleth

• Rethink your logging and helpdesk support model

– Especially with federated deployment, the user’s IdP may not be UCLA.

– Helping a user through the troubleshooting process is critical

– Think about your hours of support

– Think about the kind of information you need to keep in your application log
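The access-provisioning and logging advice on pages 28 to 31, as an added example (not from the slides): an application-side gate for an SP-protected page that reads the attributes the SP exported as HTTP headers, distinguishes "not provisioned" from "attribute not released", and keeps the fields a helpdesk needs when the user's IdP is not UCLA. The header names SHIB-EPPN and SHIB-IDENTITY-PROVIDER, the registered-user set and the request-form URL are constructed placeholders.

```python
import time

REGISTERED = {"jdoe@ucla.edu"}          # constructed: users already provisioned
REQUEST_FORM = "https://foobar.example/access-request"   # placeholder URL


def gate(headers, now=None):
    """Decide what to show a user who arrived through the SP.
    headers: the attribute headers the SP exported (names are assumed here).
    Returns (decision, message, log_record); decision is "grant",
    "register" (authenticated but not provisioned) or "incomplete"
    (the IdP did not release the identifier the application keys on)."""
    eppn = headers.get("SHIB-EPPN")
    idp = headers.get("SHIB-IDENTITY-PROVIDER", "unknown")
    # Keep exactly what the helpdesk needs to trace a failed login: when,
    # which IdP asserted the user, and the identifier/affiliation as received.
    record = {"ts": now if now is not None else int(time.time()), "idp": idp,
              "eppn": eppn, "affiliation": headers.get("SHIB-AFFILIATION")}
    if not eppn:
        record["decision"] = "incomplete"
        message = ("You signed in at " + idp + ", but your home organization "
                   "did not release the identifier Foobar needs. Please ask "
                   "them to release eduPersonPrincipalName to this service.")
    elif eppn not in REGISTERED:
        record["decision"] = "register"
        message = ("Thank you for your interest in using the Foobar system. "
                   "It appears that you authenticated successfully. However, "
                   "you have not registered to become a user with Foobar. "
                   "If you believe you should have access, complete an access "
                   "request at " + REQUEST_FORM + ".")
    else:
        record["decision"] = "grant"
        message = "Welcome, " + eppn + "."
    return record["decision"], message, record
```

The application should only ever see these headers through the SP module; the record is what you would write to the application log, one entry per decision.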

Page 32:

Preparing Your Application for Shibboleth: Next Steps

• Install Fest?

• Usability Workshops?

• Diagnostic/Testing modules?

• Common Logging format?

• Helpdesk Coordination

– KB: kb.ucla.edu? Something else?

– Shared diagnostics support scripts?

Page 33:

Resources

• Official Shibboleth Website: http://shibboleth.internet2.edu

• Shibboleth Wiki: https://spaces.internet2.edu/display/SHIB

• InCommon Federation: http://www.incommonfederation.org/

• UCTrust Federation: http://www.ucop.edu/irc/itlc/uctrust/

• 3 cool demos of how Shib works from the Swiss Shibboleth Federation folks: http://www.switch.ch/aai/demo/

• Middleware Infrastructure Group’s Website: http://spaces.ais.ucla.edu

Page 34:

Q & A