- Number of slides: 22
Shibboleth and TAGPMA
Michael Helm, DOEGrids/ESnet
27 Mar 2006
TAGPMA 27 Mar 2006 Shibboleth
What is Shibboleth?
• Standard Internet2 description:
– Architecture
– Project
– Codebase
– http://shibboleth.internet2.edu
• Offshoots
– InCommon – Federation (one of many)
– GridShib – Grid & Shibboleth Integration
– SAML – transport
What is Shibboleth?
Judges 12:6 (KJV): Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand.
Judges 12 (Spanish version, translated): Then they said to him, Say now the word Shibboleth; but he said Sibboleth, because he could not pronounce it correctly. Then they laid hold of him and killed him at the fords of the Jordan. And on that occasion forty-two thousand of Ephraim fell.
Why is Shibboleth Important?
• US: Internet2’s “long bet” on Authentication and Authorization
– Note: Internet2 is the largest US NREN: 200+ universities, multiple layers of projects, optical networking &c
– Relationship with ESnet, NASA &c
• US Higher Education federation
• Other NRENs
– There are other AAA projects
• Other – US Government
– Whether all these federations can interoperate
Shibboleth Architecture
• Next set of slides from I2 (Michael Geddes et al.) – used for illustration
• Illustration probably from SWITCH
Shibboleth Architecture
• Handle Service
– Yields a “Handle token” – a SAML authentication assertion, a bearer credential
– Authentication-method neutral (e.g. LDAP)
• Attribute Authority
– The AA is presented with a Handle Token and returns the appropriate attributes for this user.
• Target Resource (Service Provider)
– Finds the user’s institution and understands the appropriate attributes
• WAYF
– External service used to find the home institution
Shibboleth AA Process
Figure: Identity Provider (Handle Service HS, Attribute Authority AA, User DB, WEBLOGIN credentials) and Service Provider Web Site (ACS, Attribute Requester AR, Resource Manager, Resource), with the WAYF between them. The numbered callouts of the diagram, in sequence:
1. User requests the Resource at the Service Provider.
2. Service Provider: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
3. WAYF: “Please tell me where are you from?”
4. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
5. Handle Service: “I don’t know you. Please authenticate using WEBLOGIN.” (credentials checked against the User DB)
6. Handle Service: “OK, I know you now. I redirect your request to the target, together with a handle.”
7. The ACS at the Service Provider receives the handle.
8. Resource Manager: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.” (the AR sends the handle to the AA)
9. Attribute Authority: “Let’s pass over the attributes the user has allowed me to release.” (attributes returned to the AR)
10. Resource Manager: “OK, based on the attributes, I grant access to the resource.”
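A toy model of the exchange above, added here as an example that is not part of the original deck or of the Shibboleth software: the Handle Service issues an opaque, target-bound handle after WEBLOGIN, and the Attribute Authority resolves the handle and applies the user’s attribute release policy before answering the Service Provider. The user record, policy layout, handle lifetime and entitlement value are assumptions.

```python
import secrets
import time

# Constructed sample data (assumptions, not from the deck or the Shibboleth code).
PASSWORDS = {"alice": "correct horse"}
USER_DB = {"alice": {"eduPersonAffiliation": "staff",
                     "mail": "alice@campus.example",
                     "eduPersonEntitlement": "urn:example:grid-user"}}
# Attribute Release Policy: per user, per target, the attributes the user lets the AA release.
ARP = {"alice": {"https://sp.example": {"eduPersonAffiliation", "eduPersonEntitlement"}}}

class HandleService:
    """Authenticates the user (the WEBLOGIN step) and issues an opaque handle bound to one target."""
    def __init__(self, lifetime=300):
        self.lifetime = lifetime
        self.issued = {}  # handle -> (user, target, expiry); the AA reads this table

    def authenticate(self, user, password, target):
        if PASSWORDS.get(user) != password:
            return None  # "I don't know you. Please authenticate"
        handle = secrets.token_urlsafe(16)  # random, so it reveals nothing about the user
        self.issued[handle] = (user, target, time.time() + self.lifetime)
        return handle

class AttributeAuthority:
    """Maps a handle back to the user and releases only what the ARP allows for the requester."""
    def __init__(self, hs):
        self.hs = hs

    def query(self, handle, requester):
        rec = self.hs.issued.get(handle)
        if rec is None:
            return None  # unknown or forged handle
        user, target, expiry = rec
        if requester != target or time.time() > expiry:
            return None  # bearer handle presented by the wrong target, or expired
        allowed = ARP.get(user, {}).get(requester, set())
        return {k: v for k, v in USER_DB[user].items() if k in allowed}

class ServiceProvider:
    """Attribute Requester plus Resource Manager: grant only if the required entitlement is released."""
    def __init__(self, name, aa, required="urn:example:grid-user"):
        self.name, self.aa, self.required = name, aa, required

    def access(self, handle):
        attrs = self.aa.query(handle, self.name)
        if attrs is None:
            return "deny"
        return "grant" if attrs.get("eduPersonEntitlement") == self.required else "deny"
```

The handle carries no identity of its own: the only way to learn anything about the user is to ask the AA, which answers only the target the handle was issued for and only with what the user’s policy releases.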
From Shibboleth Arch doc
Figure: Origin and Target (diagram from the Shibboleth architecture document)
Shibboleth Limitations
• Limited IdP
– Identity Provider does all the work
– What about distributed authorization?
– Attribute Authority, Authentication and Authorization are often linked together – requires strong trust of the IdP
• Limited deployment (web)
• Grid incompatibility
• Focused on enterprises
– Marketing limitation
• Many of these issues are being addressed.
Shibboleth Strengths
• Privacy
– Chaotic story in Grids, but mostly, none
• Standardization
– Relatively open development process
• Marketing
– US Higher Ed
– Non-US: Higher Ed & NRENs
– US Government
• Well supported and development continues
GridShib (NCSA)
• NSF funded, development centered at NCSA
– Argonne National Lab (ANL), Globus, University of Chicago
• Really, Shibboleth->Grid
– Enable use of some Shibboleth attributes in a Grid context
• Replace Shibboleth “Handle token” with PKI credential
• Using XACML
• Next 3 slides – from NCSA GridShib overview
The GridShib picture
Figure: User, Grid Service and Campus Shibboleth, with numbered steps:
(0) Attribute Release Policy (User to Campus Shibboleth)
(1) Grid Authentication (User to Grid Service)
(2) Shib Attribute Request (Grid Service to Campus Shibboleth)
(3) Attributes (Campus Shibboleth to Grid Service)
(4) Attribute-based authorization (at the Grid Service)
GridShib Integration Principles
• No modification to typical grid client applications
• Leverage Shibboleth’s attribute administration and end-user maintenance of attribute release policies
• Leverage high-quality Campus Identity Provider operations
• Leverage high-quality Shib and Grid software
GridShib Challenges
• Use of an identifier in the X.509 certificate as a subject handle for use by the Shib Attribute Authority (SAA)
– Shibboleth v1.3 should handle this
– Name mapping has proved challenging
– Focusing on MyProxy to solve? IdP function?
• Allowing VOs to define attributes meaningful to them
• Attribute Authority identification – “Where Are You From” problem
• Plumbing interconnect
• Translating requirements into meaningful authorization policy
• Support pseudonymity (Shibboleth requirement)
Shibboleth and Grid Authentication/Authorization
• Grid – community driven?
• Grid – distributed authorization
• Shibboleth – fundamentally based on site (or VO?)
– That is, it assumes a strong site open to working in this area – not always true
• Grid->Shibboleth?
– Projects exist in this area
US DOE Lab/ESnet Shibboleth
• Something new – DOE Lab CIOs have commissioned a pilot Shibboleth test bed and policy development activity
• US DOE research labs are heavily influenced by trends and needs in US academic research (NSF, EDUCAUSE, and other US Gov’t funding sources)
• US DOE labs have limited resources for development in this area
– Shibboleth et al. is both good news & bad news here:
– Standard development platform
– Limited resources to make changes
Shibboleth Federation
• Shibboleth makes no sense w/o a federation component – why bother?
• InCommon (http://www.incommonfederation.org)
• Internet2 – US Higher Ed example of Shibboleth federation
– There are some others: SWITCH, UK
• US Legal System
– More complex bylaws, legal membership & status &c
• Good Example or Bad Example?
– Some market inhibition
– International legal context
– Are our member organizations interested in federating for this purpose?
E-Authentication (separate)
Acknowledgements
• Technical content in most slides drawn from Michael Geddes et al. from I2; from Von Welch et al. from NCSA; a bit from David Chadwick, and others.
Summary
• Overlapping communities
• Overlapping interests
• What interest do we have in this?