CAMP Shibboleth 2.0: Words and Pictures


Federated Identity and Shibboleth Concepts
Rick Summerhill, Chief Technology Officer, Internet2
GEC3, October 29, 2008
Slides by Nate Klingenstein ([email protected]) and John Krienke ([email protected]), Internet2
[Slide diagram: The Challenging Way. Dr. Joe Oval, Psych Prof. at Circle University (Home, [email protected]), with his SSN 456.78.910 and Password #1, faces "????" at each of the Service Providers.]

[Slide diagram: The Federated Way. The same user (Dr. Joe Oval, Circle University, SSN 456.78.910, Password #1) now goes through Home.]
1. Single sign on
2. Services no longer manage user accounts & personal data stores
3. Reduced help-desk load
4. Standards-based technology
5. Home org controls privacy
How Federated Identity Works
1. A user tries to access a protected application
2. The user tells the application where it’s from
3. The user logs in at home
4. Home tells the application about the user
5. The user is rejected or accepted
[Slide diagram: the same flow between the User, the Service Provider (with its Database) and the Identity Provider (with its Directory):]
1. (User to SP) I’d like access
2. (SP) What is your home?
3. (SP) Please login at home.
4. (User to IdP) I’d like to login for SP.
5. Login
6. (IdP, after consulting the Directory) Here is data about you for SP. Send it.
7. (User to SP) Here is my data.
8a. (SP) See the page!
8b. (SP) Access Denied
Shibboleth IdP
• Written in Java, runs in any Servlet 2.4 container
• Supports multiple protocols
• Does not contain attributes or logins
• Relies on external LDAP/Kerberos/SQL/etc.
• Extensive controls for the release of attributes
[Slide diagram: IdP deployment. Web Browser; Shibboleth IdP running in Tomcat, backed by Authentication and a Directory / Database; Shibboleth SP in front of the Application.]
Shibboleth SP
• Written in C++ for Apache, IIS, or NSAPI
• Apache often used to front-end other web servers: Java containers, Zope, etc.
• Extensive clustering support
• No API: attributes & data available through headers & env. variables
• Keeps identity management external to app
[Slide diagram: SP deployment. Web Browser; Apache or IIS with the Shibboleth SP module and shibd, fronting Tomcat; Shibboleth IdP with its Directory / Database holding Person Information.]
Words
• SAML: Security Assertion Markup Language
• Attribute: A name/value pair that describes a user: uid/rrsum
• Scope: The domain within which an attribute is valid: [email protected]
• Assertion: User authentication & attribute information wrapped as SAML for transport
• Name Identifier: Any attribute elevated to identifier (primary key) status
More words
• entityID: The name of a provider
• Identity Provider (IdP): Supplies assertions
• Attribute Authority (AA): Acquires user attributes and encodes them for transport
• Service Provider (SP): Receives assertions and protects resources
• Assertion Consumer Service (ACS): Receives assertion, processes it, passes user along
Last words
• Federation: A trust structure to help large communities of IdPs or SPs interoperate without an MxN handshake
• Not necessary for federated identity
• Metadata: A file that describes how to talk to and trust a provider
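How an SP can put the Scope and Metadata definitions above to work, as an added example that is not from the slides or the Shibboleth code base: it reads the shibmd:Scope an IdP is permitted to assert from a constructed metadata fragment and accepts only those scoped attribute values whose scope the issuer's metadata actually grants. The entityIDs, attribute values and assertion ID are made up.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}
# Attributes whose values carry an "@scope" suffix; unscoped ones are not checked here.
SCOPED = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}

# Constructed metadata for a hypothetical IdP: shibmd:Scope is the only domain it may assert.
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://idp.circle.example/idp/shibboleth">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><shibmd:Scope regexp="false">circle.example</shibmd:Scope></md:Extensions>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed assertion from that IdP; the affiliation claims a scope the metadata does not grant.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee"
 Version="2.0" IssueInstant="2008-10-29T12:00:00Z">
 <saml:Issuer>https://idp.circle.example/idp/shibboleth</saml:Issuer>
 <saml:AttributeStatement>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
   <saml:AttributeValue>joval@circle.example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
   <saml:AttributeValue>faculty@square.example</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""

def allowed_scopes(metadata_xml):
    """Map an IdP's entityID to the literal scopes its metadata lets it assert."""
    root = ET.fromstring(metadata_xml)
    # regexp="true" scopes are patterns, not literals, and are skipped here.
    scopes = {s.text.strip() for s in root.findall(".//shibmd:Scope", NS)
              if s.get("regexp", "false") == "false"}
    return {root.get("entityID"): scopes}

def filter_scoped_attributes(assertion_xml, trusted):
    """Split scoped attribute values into accepted/rejected by the issuer's declared scopes."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted:  # no metadata for the issuer means no trust at all
        raise ValueError(f"unknown issuer {issuer!r}")
    accepted, rejected = {}, {}
    for attr in root.findall(".//saml:Attribute", NS):
        name = attr.get("FriendlyName")
        if name not in SCOPED:
            continue
        for node in attr.findall("saml:AttributeValue", NS):
            value = (node.text or "").strip()
            _, at, scope = value.rpartition("@")
            bucket = accepted if at and scope in trusted[issuer] else rejected
            bucket.setdefault(name, []).append(value)
    return issuer, accepted, rejected
```

Signature verification and the usual Conditions/audience checks happen before this step in a real SP; the scope filter is what stops a trusted IdP from speaking for another organisation's domain.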
An Example:
Basic Architecture - IDC