Shibboleth At Texas A - PowerPoint PPT Presentation

Provided by: paularno
1
Shibboleth At Texas A&M University
Authentication Within and Across Institutions by Web Single Sign-on
2
Presented by Paul A. Davis
Operating Systems Group
Computing & Information Services
Texas A&M University
Associate Director Michael Bolton
3
What is middleware?
  • Middleware is software between network and
    applications. Useful for services like
    identification, authentication, authorization,
    directories, and security.
  • This is as opposed to upperware, which is
    application-oriented middleware, such as those of
    ubiquitous, research (grid), and administrative
    computing.

4
What is Shibboleth?
  • Middleware
  • An Internet2 project
  • I2-MI (Internet2 Middleware Initiative), a.k.a.
    Glueworks
  • MACE (Middleware Architecture Committee for
    Education)
  • A means by which groups of people (or computers)
    can recognize one another
  • http://shibboleth.internet2.edu/

5
How Does It Work? Scenario
  • Person from A&M wants to use a digital resource
    (application, library, document, lab, etc.) made
    available through the Web
  • Location of resource at a university (can be
    within A&M or within A&M System)
  • Use of the resource requires authentication
  • Person logs in using their NetID through the A&M
    login page: https://netid.tamu.edu/cas/index.jsp
  • With successful login, the person then uses
    resource
  • No separate computer account needed elsewhere
  • A&M controls directory attribute information
    sent, i.e. privacy

6
Features
  • Federated administration
  • Access control based on directory attributes
  • Active management of privacy
  • Standards (SAML v. 1.1)
  • Framework for multiple, scalable trusts
    (federations)
  • Standard set of attribute names (from eduPerson)
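
Attribute-based access control with selective release, sketched as an added example (not from the presentation, and not Shibboleth's own code or configuration format): the identity provider filters a directory entry through a per-provider release policy, and the resource decides using only the eduPerson attributes it was sent. The service provider names, policy table, rules and directory entry are constructed for illustration.

```python
# Constructed directory entry; attribute names follow eduPerson / common LDAP usage.
DIRECTORY = {
    "jdoe": {
        "uid": "jdoe",
        "mail": "jdoe@example.edu",
        "eduPersonPrincipalName": "jdoe@example.edu",
        "eduPersonAffiliation": ["member", "student"],
        "eduPersonEntitlement": ["urn:example:library:ejournals"],
    }
}

# Hypothetical release policy held by the identity provider: which attributes
# each service provider may receive. Providers not listed receive nothing.
RELEASE_POLICY = {
    "https://library.example.org/sp": {"eduPersonAffiliation", "eduPersonEntitlement"},
    "https://course.example.org/sp": {"eduPersonPrincipalName", "eduPersonAffiliation"},
}

def release_attributes(user, sp_id):
    """Identity provider side: return only what the policy allows for this SP."""
    allowed = RELEASE_POLICY.get(sp_id, set())  # default deny
    entry = DIRECTORY.get(user, {})
    return {name: value for name, value in entry.items() if name in allowed}

def authorize(released, required):
    """Resource side: each required attribute must carry an accepted value."""
    for name, accepted in required.items():
        have = released.get(name, [])
        if isinstance(have, str):
            have = [have]
        if not set(have) & set(accepted):
            return False
    return True

# Hypothetical access rules at two resources.
LIBRARY_RULE = {"eduPersonEntitlement": ["urn:example:library:ejournals"]}
COURSE_RULE = {"eduPersonAffiliation": ["student", "faculty"]}

if __name__ == "__main__":
    for sp, rule in (("https://library.example.org/sp", LIBRARY_RULE),
                     ("https://course.example.org/sp", COURSE_RULE),
                     ("https://unknown.example.net/sp", COURSE_RULE)):
        attrs = release_attributes("jdoe", sp)
        print(sp, sorted(attrs), authorize(attrs, rule))
```

The library resource grants access without ever receiving a name, mail address or principal name, and a provider missing from the policy receives an empty attribute set and is refused.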

7
Benefits
  • Reduces the number of separate computer accounts
  • Can leverage a central authentication service for
    logging into almost any kind of campus resource
    that can be Web-enabled
  • Increases security
  • No need to remember multiple log ins and
    passwords
  • Interoperable with other services if using the
    same standards
  • Example: SAML, which is based on XML and used to
    convey data for authentication, entitlement, and
    attributes of users and their directory accounts
    (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security)

8
How Is It Different From CAS?
  • CAS
      • a uniform sign-on system to access all Web-based
        resources at one institution (designed originally
        for Yale's systems)
      • Leverages Kerberos very well for authentication
      • Cross-institutional CAS is possible with
        customization
  • Shibboleth
      • Compliant with standards to federate many
        different institutions by Web single sign-on
        system (Web SSO)
      • Goals
          • Use any system following standards to validate
            users
          • Use any Web sign-on system (including CAS)
          • Selectively release attributes (a strength)

9
Flows
http://shibboleth.internet2.edu/shib-tech-intro.html
10
Possible Uses
  • Digital libraries
  • Distance education
  • Web sites of research projects
  • Web sites of co-taught classes
  • Web applications for university business
  • Web applications of student laboratories
  • Government and commercial projects

11
Shibboleth at TAMU
  • Two servers currently run Identity Provider
      • Production, a.k.a. idp.tamu.edu
      • Test, a.k.a. recurve.tamu.edu
  • A&M to join the InCommon Federation
      • Main Web site: http://www.incommonfederation.org/
      • Participants: http://www.incommonfederation.org/participants.cfm
  • Interest from NSF & the supercomputing world

12
Questions?