Shibboleth: Open Source Distributed Authentication and Authorization
1 like1,604 views
This document provides an overview of Shibboleth, an open source system for distributed authentication and authorization. It discusses how Shibboleth addresses issues related to resource users accessing resources across domains, such as single sign-on and increased privacy. It also compares Shibboleth to competing systems like Liberty Alliance and Microsoft Passport. Key points are that Shibboleth is based on attribute sharing between organizations in a federated model, while maintaining user privacy. It has been implemented by many universities and research organizations.
Shibboleth: Open Source Distributed Authentication and Authorization
- 1. Shibboleth: Open Source Distributed Authentication and Authorization Glen Newton Head, Research [email protected] GTEC: Open Source Security Strategy Ottawa Oct 20 2004
- 2. Outline • Introduction and Preliminaries – Authentication and Authorization – Authentication models – Identity and Privacy • Shibboleth • Other closed alternatives – Liberty Alliance – Others (MSPassport) 2
- 3. Resource Owners and Resource Users • Resource Owner: the owner, producer or distributor of resource. The (or one of the) legal holders and gatekeepers of the resource. • Resource user: an entity which accesses a resource. Can be an individual, a group, a company, an agent, a system etc. 3
- 4. Authentication and Authorization • Authentication: verifying who you are & associated attributes. • Authorization: verifying that you are allowed access to a resource (room, web page, file, equipment, etc); assumes authentication. • Traditionally in the library world, the distinctions between these two concepts are conflated. 4
- 5. Authorization Models • Identitybased – The identity is passed to the resource owner who decides whether to grant access: Privacy issues • Attributebased – Enough attributes are passed to the resource owner to allow access: no or limited Privacy issues. 5
- 6. Identity and Privacy: Identity • Identity management: in the physical world: passports; birth certificates; driver’s licenses; national identity cards; SIN; etc. • Used by others (government, police, banks, etc.) to verify ID • In the Internet age, much more difficult problem “Like nailing jello to a wall…” • For individuals: – proliferation of userids and passwords – some digital certificates – security smart cards 6
- 7. Identity and Privacy: Identity (cont.) • For organizations – Costly management of userids – Costly and complex management of relationships with resource owners – Security issues – Poor general solutions (i.e. access by organizations IP address ranges; etc) 7
- 8. Identity and Privacy: Privacy • Privacy has different dimensions: – “privacy of the person:… integrity of the individuals body” – “privacy of personal behaviour sexual preferences and habits, political activities and religious practices” – “privacy of personal communications:... able to … without routine monitoring of their communications… ” – “privacy of personal data” From Clarke, 1999 8
- 9. Identity and Privacy: Privacy (cont.) • Electronic records, networks, electronic transactions: not just telephone anymore • A range of expectations: some people are willing to give up more rights in Cyberspace; others expect similar to “real world” • Canadian legislation: Personal Information Protection and Electronic Documents Act (PIPEDA) 9
- 10. Shibboleth • Intro to Shibboleth – What is Shibboleth? – What issues does Shibboleth address? – Shibboleth architecture – How does it work? – Who is using it? • Shibboleth at CISTI 10
- 11. What is Shibboleth? • “Interrealm attributebased authorization for Web Services” – Shibboleth web page – Architecture and technology to support interinstitutional sharing of resources (middleware) – Based on a federated administration trust framework – Controlled dissemination of attribute information, based on administration defaults and user preferences 11
- 12. What is Shibboleth? • Internet2/MACE Project; NSF Middleware initiative component • Players: IBM, Brown U, Ohio State, MIT, CMU, Stanford 12
- 13. What is Shibboleth? (cont.) • Founding assumptions: – Federated administration – Lightweight mechanisms: disturb as little as possible of existing infrastructure as possible – Leverage vendor and standards activity wherever possible 13
- 14. What is Shibboleth? (cont.) • Key concepts: – Federated Administration – Access Control Based On Attributes – Active Management of Privacy – Standards Based – A Framework for Multiple, Scaleable Trust and Policy Sets (Federations) 14
- 15. What is Shibboleth? (cont.) • What issues does Shibboleth address? – Resource user: • Access from oncampus • Access from offcampus • User account proliferation • Increased privacy • Single signon/signoff across domains!! 15
- 16. What is Shibboleth? (cont.) • What issues does Shibboleth address? (cont.) – Resource user’s organization: • Single authentication database • No IP management • If previously using IP access, better reporting 16
- 17. What is Shibboleth? (cont.) • What issues does Shibboleth address? (cont.): – Resource owner: • Ends management of either userid/password or IP address ranges • Security • Reporting granularity 17
- 18. Shib: How does it work? 1. User requests resource from resource owner 2. User is asked to selfidentify their organization 3. User is redirected to her organizations Shib origin instance + authenticates 4. User attributes are transferred to resource owners instance of Shib target 5. Resource owner compares attributes to Policy associated with user’s organization 6. User gets access to resource 18
- 19. Shib: How does it work? 19
- 20. Shibboleth is: • “NOT an authentication scheme (relies on home site infrastructure to do this)” • “NOT an authorisation scheme (leaves this to the resource owner)”. • “BUT an open, standards based protocol for securely transferring attributes between home site and resource site”. • “Also provided as an OpenSource reference software implementation”. After Paschoud, 2004 20
- 21. Shibboleth • Who is using it? – JISC (UK Joint Information Systems Committee), EBSCO, Elsevier, OCLC, Sfx (Ex libris), JSTOR, McGraw Hill , Books, Innovative, WebCT, Blackboard, Swiss Education and Research Network (SWITCH), National Science Digital Library (NSDL), more… – Carnegie Mellon, Columbia, Dartmouth, Georgetown, London School of Economics, NYU, Ohio State, more… 21
- 22. Shibboleth at CISTI • Prototyped the user owner end of Shibboleth (Target) for 3 NRC Research Press Journals • Evaluated use within NRC Virtual Library • Developed code for MySQL db lookup; submitted code to Shibboleth project • Next steps dependent on adoption by resource producers (for VL) and resource users (for NRC Research Press) 22
- 24. Alternatives: Liberty Alliance • Intro to the Liberty Alliance – What is the Liberty Alliance? – How is the Liberty Alliance different from Shibboleth? – Players – Future 24
- 25. Liberty Alliance • What is the Liberty Alliance? – More commercially oriented than Shib – Members include: Sun, Sony, Ericson, GM, Novell, NEC, Oracle, SAP, NTT, Entrust, HP, AmEx. – However, Microsoft and IBM have refused to join! 25
- 26. Liberty Alliance • Architecture – Very similar to Shibboleth, but more commercially oriented, with special features oriented around mobile device, etc. – Less focus on user mediated privacy – More reporting 26
- 27. Liberty Alliance 27
- 28. Other Technologies • Microsoft Passport – Centralized database (not Federated) – Not standardsbased • Others: Sesame, PAPI, PERMIS 28
- 29. What to Adopt? • Likely adoption of Shibboleth features in Liberty v2, with SAML 2.0 • Interoperability discussions ongoing • Either or both: Liberty more commercial, Shibboleth more library/academic/publisher oriented 29
- 30. Questions? • Glen Newton, CISTI glen.newton@nrccnrc.gc.ca 30
- 31. References • Blum, D. 2003. Federating Identity Management: Standards, T . • Blum, D. 2004. Federated Identity: Extending Authentication an . • Clarke, R. 1999. Introduction to Dataveillance and Information Privacy, and Definitions of Ter • Lacey, D. 2003. Current Privacy Research and Frameworks . SecureWorld Expo. 31
- 32. References (cont.) • Liberty Alliance Web Site. • Paschoud. J. 2004. The (now… then…) next of Authentication:Shib ALPSP Effective Customer Authentication • Rapoza, J. 2003. Liberty Alliance Has Missed the Point. eWeek November 24. • Shibboleth Project. • Weil, N. 2004. NSF middleware initiative goes beyond science . InfoWorld May. 32