1fdc4817e94f2e2e1feb9981f4ca485a.ppt
- Number of slides: 15
Shibboleth On-line Authentication System
Jon Browne, Senior Consultant
Drew Heald BSc (Hons), MPhil, MCP, Systems Developer
IBIS Business Consultants Ltd
Accessing a Web Resource
[Diagram: Client sends a Request to the WWW Server, which returns a Response]
• Client user accesses a free resource
• Client user is authenticated via a username and password to access a protected resource
• Client user is responsible for setting up that account
Web Resources for Education
• Educational establishments subscribe to resources on behalf of many users
• Parts of a given resource may only be accessible by some of the users in a given educational establishment
• The resources to which a given user has access change periodically
Authentication
[Diagram: students at a School pass through Authentication to reach a Resource; Authorisation consults a Directory/Database of Student data. Parts of the resource are labelled "Available to all", "Available to year 3 and above" and "Available to year 6 and above"]
Authentication
• Common Issues
– Exposure of personal information
– High administrative burden
– Lack of traceability
– Password leakage
– Many passwords problem
– Resource accessibility is restricted
– Complicated to use
Shibboleth
• Aims to:
– Ensure no personal information is exposed unless necessary
– Minimise the number of passwords a user needs to remember
– Minimise the administrative burden
– Enable user traceability
– Be transparent to the user
– Enable access from any location
Shibboleth User Authentication
[Diagram of the components. LEA/RBC (Origin): Handle Service, User Authentication, User Attributes (LDAP/SQL), Attribute Authority. Resource (Target): SHIRE, Resource(s), SHAR. WAYF listing origins: Bash Street, St Trinians, Hogwarts, LGfL, Oxford …]
Shibboleth User Authentication
[Diagram of the first request, with the same components: LEA/RBC (Origin) with Handle Service, User Authentication, User Attributes (LDAP/SQL) and Attribute Authority; Resource (Target) with SHIRE, Resource(s) and SHAR; WAYF listing Bash Street, St Trinians, Hogwarts, LGfL, Oxford … The numbered messages are:]
1. Request URL
2. Request URL + SHIRE URL
3. Request URL + SHIRE URL
4. Username + password
5. Request URL + Handle + AA URL
6. Request URL + Handle + AA URL
7. Request URL + Handle
8. Handle returns User ID
9. User Attributes
10. Request URL + User Attributes
11. User Attributes
Shibboleth User Authentication
[Diagram, same components as before]
1. Subsequent Request URL (Same Domain)
– SHIRE has Cached Session & Handle = OK
– SHAR has Cached Attributes = OK
Shibboleth User Authentication
[Diagram, same components as before]
1. Subsequent Request URL (Different Domain)
– SHIRE has Cached Session & Handle = OK
– SHAR has no Cached Attributes for the new Domain so ask AA
– Request New Domain Attributes
– Handle returns User ID
– Return New Domain Attributes
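The three exchanges on the preceding slides (first request, same-domain repeat, different-domain repeat), as an added Python model that is not part of the slides or of the Shibboleth software. Component names follow the diagrams; the user, password, attribute names, release policy and domain policies are constructed.

```python
import secrets

# Origin directory (the LDAP/SQL store in the slides); user, password and attributes are constructed.
DIRECTORY = {"alice": {"password": "pw", "name": "Alice Smith", "year": 4, "school": "Bash Street"}}
RELEASE_POLICY = {"year", "school"}      # attributes the origin releases; "name" is never sent


class Origin:
    """LEA/RBC side: Handle Service plus Attribute Authority (AA)."""
    def __init__(self):
        self.handles = {}                   # opaque handle -> user id, known only to the origin
        self.released = []                  # (domain, user) log: the origin keeps traceability

    def handle_service(self, user, password):
        """Steps 4-5: authenticate, then issue an opaque handle instead of the identity."""
        entry = DIRECTORY.get(user)
        if entry is None or not secrets.compare_digest(entry["password"], password):
            return None
        handle = secrets.token_hex(8)       # reveals nothing about the user to the target
        self.handles[handle] = user
        return handle

    def attribute_authority(self, handle, domain):
        """Steps 7-9 and 11: 'handle returns user ID', then release only policy-approved attributes."""
        user = self.handles.get(handle)
        if user is None:
            return None
        self.released.append((domain, user))
        return {k: v for k, v in DIRECTORY[user].items() if k in RELEASE_POLICY}


class Target:
    """Resource side: SHIRE holds the session handle, SHAR caches attributes per domain."""
    def __init__(self, origin, min_year_by_domain):
        self.origin = origin
        self.min_year = min_year_by_domain  # domain -> year group required (constructed policy)
        self.handle = None                  # SHIRE: cached session handle
        self.attr_cache = {}                # SHAR: domain -> released attributes

    def request(self, domain, credentials=None):
        if self.handle is None:             # no session yet: steps 2-6 via WAYF and Handle Service
            if credentials is None:
                return "redirect to WAYF"
            self.handle = self.origin.handle_service(*credentials)
            if self.handle is None:
                return "authentication failed"
        if domain not in self.attr_cache:   # SHAR has no cached attributes for this domain: ask AA
            self.attr_cache[domain] = self.origin.attribute_authority(self.handle, domain)
        attrs = self.attr_cache[domain]     # step 10: Request URL + User Attributes
        if attrs is None or attrs["year"] < self.min_year[domain]:
            return "deny"
        return "allow"
```

A same-domain repeat is answered from the SHAR cache without contacting the origin, while a new domain triggers one further AA call, which is exactly the difference between the two "Subsequent Request" slides.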
Shibboleth User Authentication
[Diagram of the portal variant: a Portal sits between the LEA/RBC (Origin), with Handle Service, User Authentication, User Attributes (LDAP/SQL) and Attribute Authority, and the Resource (Target), with SHIRE, Resource(s) and SHAR]
Shibboleth User Authentication
• Pros
– Low administrative burden
– Exposure of personal information under user’s control
– Same identity for all resources
– User traceability
– Resources can be accessed from any location
• Cons
– (Possible) multi-stage authentication
Shibboleth Demonstration
[Diagram of the demonstration set-up, with messages numbered 1 to 7 between the Browser and the components: Shibboleth Target on Windows 2003 Server, IIS 6.0; WAYF Service on Windows 2003 Server, IIS 6.0; Shibboleth Origin on Windows XP Pro, Apache Server 2.0.49; LDAP Directory (Active Directory) on Windows 2003 Server]
Shibboleth Demonstration
[Diagram of the second demonstration set-up, again with messages numbered 1 to 7 between the Browser and the components: Shibboleth Target on Windows 2003 Server, IIS 6.0; WAYF Service; Shibboleth Origin on Windows 2003 Server, Apache Server 2.0.49; LDAP Directory (Active Directory)]
Shibboleth
http://shibboleth.internet2.edu
“Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand.” Judges 12:6