Shibboleth Guided Tour Webinar

The Shibboleth® System is a standards-based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner.

* Get an overview of the technical basics of Shibboleth.
* Learn about the two primary parts to the Shibboleth system.
* Review the numerous services and options of Shibboleth.
* See a live demo of Shibboleth in action.

  • Experience, Expertise and the trusted mechanic
  • Supporting Open, standards-based architecture IMS Global Learning Consortium, Inc. Leading independent commercial provider of uPortal Sakai and uPortal Commercial Affiliate Zimbra VAR
  • As you can see from this slide, Unicon has been instrumental in the higher education community. We have a great amount of experience helping institutions adopt open-source technologies.
  • Implementation Planning and Assessment Installation/Configuration Branding Training
  • Shibboleth Guided Tour Webinar

Shibboleth Guided Tour
John A. Lewis, Chief Software Architect, Unicon, Inc.
20 November 2008
© Copyright Unicon, Inc., 2008. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Unicon Profile
* Software Consulting Services
* Founded in 1993
* Privately-Held Company
* Located in Chandler, Arizona
* Our Vision: IT Services for Education, Specializing in Open Source

IT Services For Education
* IT Services
  * Software Engineering
  * Systems Integration
  * Technology Delivery and Support
* Domain Expertise
  * Higher Education
  * Curriculum & Assessment
  * Learning Management
  * Enterprise Portals
  * Online Campus Services
  * Publishing
  * Secure Authentication

Specializing in Open Source
* Technology Solutions
  * Enterprise Portal
  * Learning Management
  * Secure Authentication
  * eMail and Collaboration
* Open Standards

Higher Education Customers
A partial list...

Unicon Services for Shibboleth
* Implementation Planning
* Branding and User Experience
* Installation and Configuration
* Custom Development
* Shibbolize uPortal, Sakai, and other applications
Identity Management & SAML

What Makes Identity Important?
* Connects
  * Users
  * Applications
* Lots of other things
  * security, privacy, spam, secrecy, trust, authority, collaboration, convenience, ...

Evolution of User Identity
* Application Silos
  * Each with their own logins and passwords
* Common Directories / Databases
  * Central store for person information
* Single Sign-On
  * Central login system for multiple applications
* Federated Identity
  * Trusted identity information from others

Why Federated Identity?
* Authoritative information
  * Users, privileges, attributes
* Improved security
  * Fewer user accounts in the world
* Privacy when needed
  * Fine control over attribute sharing
* Saves time & money
  * Less work administrating users

What Is Identity Management?
* More than account creation, directories, authentication, access controls, ...
* Includes policy, process, governance, trust
* Need new ways of thinking about controlling access to IT services
“A set of processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” – Burton Group
What Is SAML?
* Security Assertion Markup Language (SAML)
* XML-based Open Standard
* Exchange authentication and authorization data between security domains
  * Identity Provider (a producer of assertions)
  * Service Provider (a consumer of assertions)
* Approved by OASIS Security Services
  * SAML 1.0 November 2002
  * SAML 2.0 March 2005

Major SAML Applications
* Proquest
* Project MUSE
* Thomson Gale
* Google Apps
* ExLibris MetaLib
* Sakai
* DSpace, Fedora
* Ovid
* Microsoft DreamSpark
* Moodle, Joomla, Drupal
* JSTOR, ArtSTOR, OCLC
* Blackboard & WebCT
* Webassign
* Media Wiki / Confluence
* National Institutes of Health

Commercial Support for SAML
* Sun
* IBM
* Oracle
* Ericsson
* SAP
* HP
* Google
* Ping Identity
* CA/Netegrity
* RSA
* Novell
* NTT
How Federated Identity Works
* A user tries to access a protected application
* The user tells the application where it’s from
* The user logs in at home
* Home tells the application about the user
* The user is rejected or accepted

(Diagram: User; Identity Provider with User Directory; Service Provider with Application / Database)
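The five steps above, run end to end as an added example (this is not code from the webinar, from Unicon, or from the Shibboleth project). The IdP and SP are two small Python classes, the browser redirects are collapsed into function calls, and the assertion is a JSON dictionary protected with an HMAC shared key instead of the XML Signature real SAML uses. Every entityID, key and user here is constructed. What the paragraph alone does not show is step 5 from the SP's side: the checks that turn "home tells the application about the user" into an accept or reject decision (signature, trusted issuer, intended audience, binding to the SP's own request, validity window, single use).

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed key; stands in for the IdP signing key that an SP would trust via metadata.
SHARED_KEY = b"constructed-demo-key"


def sign(payload):
    """HMAC over a canonical JSON encoding; a stand-in for SAML's XML Signature."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Steps 3 and 4: the user logs in 'at home' and home tells the application about the user."""

    entity_id = "https://idp.example.edu/idp/shibboleth"  # constructed entityID
    users = {"alice": {"password": "correct horse", "eppn": "alice@example.edu", "affiliation": "member"}}

    def login(self, username, password, authn_request):
        user = self.users.get(username)
        if user is None or user["password"] != password:
            return None  # failed login: no assertion is issued
        now = int(time.time())
        assertion = {
            "issuer": self.entity_id,
            "audience": authn_request["issuer"],  # the SP this assertion is intended for
            "in_response_to": authn_request["id"],  # binds the assertion to the SP's request
            "not_before": now,
            "not_on_or_after": now + 300,
            "attributes": {"eppn": user["eppn"], "affiliation": user["affiliation"]},
        }
        return {"assertion": assertion, "signature": sign(assertion)}


class ServiceProvider:
    """Steps 1, 2 and 5: the protected application issues a request and later accepts or rejects."""

    entity_id = "https://sp.example.org/shibboleth"  # constructed entityID
    trusted_idps = {"https://idp.example.edu/idp/shibboleth"}  # would come from signed metadata

    def __init__(self):
        self.pending = {}  # request id -> time issued

    def start_login(self):
        request = {"id": secrets.token_hex(8), "issuer": self.entity_id}
        self.pending[request["id"]] = time.time()
        return request

    def consume(self, response, now=None):
        """Return the released attributes on success, otherwise a 'rejected: ...' reason."""
        now = int(time.time()) if now is None else now
        if response is None:
            return "rejected: login failed at the IdP"
        assertion, signature = response["assertion"], response["signature"]
        if not hmac.compare_digest(sign(assertion), signature):
            return "rejected: bad signature"
        if assertion["issuer"] not in self.trusted_idps:
            return "rejected: untrusted issuer"
        if assertion["audience"] != self.entity_id:
            return "rejected: assertion intended for another SP"
        if assertion["in_response_to"] not in self.pending:
            return "rejected: unsolicited or replayed response"
        if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
            return "rejected: assertion expired or not yet valid"
        del self.pending[assertion["in_response_to"]]  # single use
        return dict(assertion["attributes"])


def federated_login(username, password):
    """Run the five steps end to end with the browser hops collapsed into calls."""
    sp, idp = ServiceProvider(), IdentityProvider()
    request = sp.start_login()  # 1: user hits the protected app; SP builds an authentication request
    # 2: the user names their home IdP (discovery); the browser carries the request there
    response = idp.login(username, password, request)  # 3 and 4: login at home, assertion sent back
    return sp.consume(response)  # 5: the user is accepted or rejected


if __name__ == "__main__":
    print(federated_login("alice", "correct horse"))
    print(federated_login("alice", "wrong password"))
```

The order of the checks in `consume` is deliberate: the signature is verified before any field of the assertion is trusted, and the request id is deleted only after every check passes, so a captured response cannot be presented twice.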
Shibboleth

Shibboleth
* Enterprise federated identity software
  * Based on standards (principally SAML)
  * Extensive architectural work to integrate with existing systems
  * Designed for deployment by communities
* Most widely used in education, government
* Broadly adopted in Europe
* New 2.0 release implements SAML 2
  * Backward compatible with 1.3

Shibboleth Project
* Free & Open Source
  * Apache 2.0 license
* Enterprise and Federation oriented
* Started 2000 with first released code in 2003
* Excellent community support
  * http://shibboleth.internet2.edu
  * [email_address]

Quick Demo
Demo Links:
* https://spaces.internet2.edu/
* https://www.internet2.edu/secure/env.php
* https://www.protectnetwork.org/
The Shibboleth IdP
* Written as a Java web application
  * Runs in any Servlet 2.4 container
* Supports multiple protocols
* Does not contain attributes or logins
  * Relies on external LDAP / Kerberos / SQL / etc.
* Extensive controls for the release of attributes

(Diagram: Web Browser; Tomcat running the Shibboleth IdP, with Authentication against a Directory / Database; Shibboleth SP in front of the Application)

The Shibboleth SP
* Written in C++ for Apache, IIS, or NSAPI
  * Apache often used to front-end other app servers
    * Java containers, Zope, etc.
* Extensive clustering support
* No API – attributes & data available through headers & environment variables
  * Keeps identity management external to app

(Diagram: Web Browser; Apache or IIS with the Shibboleth SP module and shibd, in front of the Application Server; Shibboleth IdP with User Directory)
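The "no API" point on the SP slide, shown from the application's side as an added example (not code from the webinar, Unicon, or the Shibboleth project). It assumes a Python WSGI application running behind an Apache SP, where mod_shib exposes the released attributes as CGI-style environment variables (here `eppn`, `affiliation`, `displayName`, with `REMOTE_USER` set for the session) and, as the SP does by default, joins multi-valued attributes with `;`. The attribute names follow the usual attribute-map ids and are an assumption; both environ dictionaries are constructed. The application contains no identity-management code, which is the slide's point; the check it does make is the one a defender wants: it reads only the environment-variable form and ignores the `HTTP_*` header form, because a request header originates with the client unless the SP has been configured to overwrite it.

```python
SHIB_ATTRIBUTES = ("eppn", "affiliation", "displayName")  # assumed attribute-map ids


def attributes_from_environ(environ):
    """Collect the SP-supplied attributes from a WSGI environ.

    Only plain environment variables are honoured. The header form
    (HTTP_EPPN, HTTP_AFFILIATION, ...) is ignored on purpose: a request
    header is client-supplied unless the SP is configured to overwrite it,
    so an application that reads headers invites spoofing.
    """
    attrs = {}
    for name in SHIB_ATTRIBUTES:
        value = environ.get(name)
        if value:
            attrs[name] = value.split(";")  # multi-valued attributes arrive ';'-separated
    return attrs


def authorize(environ, required_affiliation="member"):
    """Return (status, message) for a request the SP has already handled."""
    if not environ.get("REMOTE_USER"):
        return 401, "no Shibboleth session"
    attrs = attributes_from_environ(environ)
    if required_affiliation not in attrs.get("affiliation", []):
        return 403, "affiliation '%s' required" % required_affiliation
    return 200, "hello %s (%s)" % (environ["REMOTE_USER"], ", ".join(attrs.get("displayName", [])))


def application(environ, start_response):
    """WSGI entry point: identity handling lives in the SP, not here."""
    status, text = authorize(environ)
    reason = {200: "OK", 401: "Unauthorized", 403: "Forbidden"}[status]
    body = text.encode()
    start_response("%d %s" % (status, reason),
                   [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
    return [body]


# Constructed environ: what the SP hands over for a user with a valid session ...
GENUINE_ENVIRON = {"REMOTE_USER": "alice@example.edu", "eppn": "alice@example.edu",
                   "affiliation": "member;student", "displayName": "Alice Example"}
# ... and a request whose only "identity" is headers the client supplied itself.
SPOOFED_ENVIRON = {"HTTP_EPPN": "admin@example.edu", "HTTP_AFFILIATION": "member",
                   "HTTP_REMOTE_USER": "admin"}

if __name__ == "__main__":
    print(authorize(GENUINE_ENVIRON))
    print(authorize(SPOOFED_ENVIRON))
```

The environment-variable form is only available when the SP runs inside the web server that hosts the application (Apache with mod_shib, as in the diagram). When Apache proxies to a separate application server, the SP can only pass attributes as headers, and the application then depends on the SP stripping client-supplied copies of those headers before it adds its own.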
Discovery Service
* Gives users an interface to select an IdP
* Loads metadata files
  * From multiple federations
  * Or non-federations
* Positioned alongside SP, gives customized lists
* Positioned by federation, enables SSO across entire federation

Role of a Federation
* Agreed upon Attribute Definitions
  * Group, Role, Unique Identifier, Courses, …
* Criteria for IdM & IdP practices
  * user accounts, credentialing, personal information stewardship, interoperability standards, technologies, ...
* Digital Certificates
* Trusted “notary” for all members
* Not needed for Federated IdM, but does make things even easier

InCommon Federation
* U.S. Higher Education & Research (and its Partners)
* 1.7 Million Users
* Self-organizing & Heterogeneous
* Policy Entrance bar intentionally set low
* Doesn’t impose lots of rules and standards
* http://www.incommonfederation.org/
SAML Metadata
* Data that describes partners for federated identity
  * Trust, protocols, etc.
* Primarily a trusted list of providers
  * May be signed
  * Many distribution methods
* EntityID is the name of a provider

SAML Attributes
* A lot like LDAP and database attributes
  * Tweaked for an inter-realm world; scope
* Name/value pairs to represent pieces of information about an identity
* Where do attributes live? Who’s authoritative?
  * Identity provider? Application?
  * Third party?

SAML Identifiers
* Primary keys for people
  * email, login name most common; privacy, secrecy, and security should be considered
  * The dangers and necessities of recycling
* Where does user data live? How is it connected? Is it in multiple places?
* Multiple identifiers per person and per identity possible
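An added example tying the three slides above together (not code from the webinar, Unicon, or the Shibboleth project): it parses a small SAML 2.0 metadata document into the "trusted list of providers" keyed by entityID, and then uses that list to police the "scope" of a scoped attribute such as an eduPersonPrincipalName (`alice@example.edu`), the inter-realm tweak the attributes slide mentions. The metadata document is constructed; the two namespaces are the real SAML 2.0 metadata namespace and the Shibboleth metadata extension whose `Scope` element declares which scopes an IdP may assert. The point it adds: an SP should not accept a scope merely because the assertion carries it, but only because the metadata entry for the issuing IdP entitles that IdP to it; otherwise one IdP could mint identifiers in another realm. Verifying the metadata's own signature ("may be signed") is left as a comment where it would go.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}

# Constructed metadata for a two-IdP federation.
SAMPLE_METADATA = r"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" Name="constructed-federation">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
        <shibmd:Scope regexp="true">^.+\.example\.edu$</shibmd:Scope>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.partner.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">partner.example</shibmd:Scope>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.partner.example/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def load_metadata(xml_text):
    """Build {entityID: {"sso": location, "scopes": [(pattern, is_regexp), ...]}} for each IdP."""
    # A real SP verifies the document's XML signature here before trusting anything below.
    root = ET.fromstring(xml_text)
    providers = {}
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SPs and other roles are listed too, but carry no scopes
        sso = idp.find("md:SingleSignOnService", NS)
        scopes = [(scope.text.strip(), scope.get("regexp", "false") == "true")
                  for scope in idp.findall("md:Extensions/shibmd:Scope", NS)]
        providers[entity.get("entityID")] = {
            "sso": sso.get("Location") if sso is not None else None,
            "scopes": scopes,
        }
    return providers


def scope_allowed(providers, issuer, value):
    """True if value (user@scope) carries a scope the issuing IdP is entitled to assert."""
    if issuer not in providers or "@" not in value:
        return False
    scope = value.rsplit("@", 1)[1]
    for pattern, is_regexp in providers[issuer]["scopes"]:
        if is_regexp:
            if re.fullmatch(pattern, scope):  # the whole scope must match the declared pattern
                return True
        elif scope.lower() == pattern.lower():  # scopes are compared case-insensitively
            return True
    return False


def filter_scoped_attribute(providers, issuer, values):
    """Keep only the values whose scope the issuer may assert, dropping the rest."""
    return [v for v in values if scope_allowed(providers, issuer, v)]


if __name__ == "__main__":
    providers = load_metadata(SAMPLE_METADATA)
    print(sorted(providers))
    print(filter_scoped_attribute(providers, "https://idp.example.edu/idp/shibboleth",
                                  ["alice@example.edu", "alice@partner.example"]))
```

The same scope check is what makes the identifier slide's "email, login name most common" workable across realms: a scoped identifier is only as trustworthy as the metadata binding between the scope and the IdP that asserts it.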
Logout Support
* It’s really hard to do for federated identity
  * Especially large-scale
* Lots of applications loosely coupled
  * Many with their own cookie-based sessions
* SAML 2.0 has protocol logout support
Resources
* Internet2 Shibboleth website
  * http://shibboleth.internet2.edu/
* JISC Video on Federated Identity
  * http://video.google.co.uk/videoplay?docid=6664146721575915928
* Internet 2 Wiki
  * https://spaces.internet2.edu/
    * Shibboleth Documentation
    * Shib Install Fest Materials

Questions & Answers
John A. Lewis, Chief Software Architect, Unicon, Inc.
[email_address]
www.unicon.net
