Shibboleth An Introduction - PowerPoint PPT Presentation

About This Presentation
Title:

Shibboleth An Introduction

Description:

Chris Jones, with these attributes in campus directory: UW student number 62-3407; ... ZIP CODE[pz]=CAMPUS. TELEPHONE[pt]=614-728-3600. UNIQUE NO[ps]=391* S/N ... – PowerPoint PPT presentation

Number of Views:73
Avg rating:3.0/5.0
Slides: 25
Provided by: thomasd5

Transcript and Presenter's Notes

1
Shibboleth - An Introduction
  • UCAR Web Advisory Group
  • Peter Burkholder
  • 6 October 2004

2
Credits
  • This talk borrowed from
  • Thomas Dowling, tdowling@ohiolink.edu
  • http://sienna.ohiolink.edu/tdowling/presentations/ww2004/auth.ppt

3
Outline
  • Shibboleth philosophy
  • Use Contexts
  • Architecture
  • Trust model: Federations
  • Technical notes
  • Challenges

4
Starting From This
  • Suppose I am Chris Jones, with these attributes in the campus
    directory:
  • UW student number 62-3407
  • home phone number 715-555-1234
  • e-mail chris.jones@uw.edu
  • Currently enrolled UW student
  • undergraduate
  • psychology major
  • enrolled in Psych 402 senior seminar

5
We Want This
  • An unambiguous mechanism that:
  • Protects your privacy
  • Demonstrates you really are a member of an
    appropriate group (e.g., UW Student, or enrolled
    in Psych 402)
  • Works securely

6
Not This
  • EXP DATE[p43]=09-30-04
  • RANK[p44]=v
  • CAMPUS[p45]=a
  • DEPT[p46]=0
  • P TYPE[p47]=5
  • TOT CHKOUT[p48]=13
  • TOT RENWAL[p49]=1
  • CUR CHKOUT[p50]=0
  • HOME LIBR[p53]=none
  • PMESSAGE[p54]=
  • MBLOCK[p56]=-
  • REC TYPE[p80]=p
  • RECORD[p81]=1383699
  • REC LENG[p82]=252
  • CREATED[p83]=08-12-99
  • UPDATED[p84]=01-07-04
  • REVISIONS[p85]=100
  • AGENCY[p86]=1
  • CL RTRND[p95]=0
  • MONEY OWED[p96]=0.00
  • BLK UNTIL[p101]=- -
  • CUR ITEMA[p102]=0
  • CUR ITEMB[p103]=0
  • PIUSE[p104]=0
  • OD PENALTY[p105]=0
  • ILL REQUES[p122]=0
  • CIRCACTIVE[p163]=08-14-03
  • PATRN NAME[pn]=JONES, CHRIS M
  • ADDRESS[pa]=Cheyenne 2455 N STAR RD SUITE 300 VIA
    U.S. CARGO
  • ZIP CODE[pz]=CAMPUS
  • TELEPHONE[pt]=614-728-3600
  • UNIQUE NO[ps]=391
  • S/N[pu]=391

7
Enter Shibboleth
  • FAQ 1: Why is it called Shibboleth?
  • A: Judges 12:5-6: And the Gileadites took the
    fords of the Jordan; when any of the fugitives of
    Ephraim said, "Let me go over," the men of Gilead
    said to him, "Then say Shibboleth," and he said
    "Sibboleth," for he could not pronounce it right;
    then they seized him and slew him at the fords of
    the Jordan.

8
Enter Shibboleth
  • Product of Internet2 development
  • Secure framework for one organization to
    transmit attributes about a web-browsing
    individual across security domains to another
    institution.
  • Only end-user requirement is a browser that
    supports cookies, redirection, and SSL
  • Only for web apps
  • Reduces the number of passwords, protects privacy
    (vs. Passport or Liberty Alliance)
  • Authentication, not security (use TLS/SSL)

9
Shibboleth Vocabulary
  • Four main structures
  • Origin: site with user directory information
  • Target: site with restricted resource
  • Where Are You From (WAYF): service to let a
    target site's users select an appropriate origin
  • Federations: groups of origins and targets with
    agreed-upon policies for authentication

10
Use Contexts - 1
  • Napster (target) / Cornell (origin)
  • Cornell buys reduced-rate student subscription
  • Napster creates special Cornell login page
  • Student logs in using Napster username
  • Napster redirects user to Cornell origin node
  • Cornell's Shibboleth Origin Node tells Napster
    whether or not user is a student
  • Napster isn't privy to any additional information
  • http://shibboleth.internet2.edu/seas.html

11
Use Contexts - 2
  • DLESE
  • An origin authenticating users as Library members
    or as educators (tricky) to access resources at
    remote targets
  • A target providing services limited to members of
    a library federation or educational federation
  • UCAR
  • An origin authenticating users as UCAR staff to
    access resources at remote targets, e.g. Books 24x7

12
Shibboleth Vocabulary
  • Origin components
  • Attribute Authority (AA) manages attribute
    release policies (ARPs) for different targets
  • Handle Service (HS) manages temporary references
    (handles) to identify user sessions
  • Local sign-on system (SSO) performs check
    against user directory for a valid login
  • User directory with necessary attributes

13
Shibboleth Vocabulary
  • Target components
  • Resource Manager (RM) passes unauthenticated
    requests to SHIRE, grants access to authenticated
    requests
  • Shib. Indexical Reference Establisher (SHIRE)
    consults the WAYF to get a handle to query
  • Shib. Attribute Requester (SHAR) contacts origin
    Attribute Authority for needed attributes

14-18
A Shibboleth Login
  • (diagram slides: the login sequence between browser, target, WAYF and origin; figures not reproduced in the transcript)
Example
  • https://wayf.internet2.edu/InQueue/sample.jsp

20
Federations
  • Group of mutually trusting institutions
  • Origins and targets
  • Common policies on attributes to request,
    certificate authorities to accept, security standards
  • Higher Ed federations
  • InQueue - loose standards, free
  • http://inqueue.internet2.edu/who/
  • InCommon - production quality, $1000/annum
  • http://www.incommonfederation.org/participants.cfm

21
Technical notes - Target
  • Target software
  • written for Apache 1.3/2.0 and IIS
  • C, compiles under GCC 3.2
  • OpenSAML required
  • Creates mod_shib and shar
  • ShibConfig /opt//shibboleth.xml.
  • AuthType shibboleth
  • ShibRequireSession On
  • require valid-user
  • SSL required to provide security
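The origin and target components listed on slides 12 and 13, and the target's access rule from slide 21, can be modelled together. The following is an added example written for this page, not Internet2's Shibboleth code: the Handle Service issues an opaque, short-lived handle after local sign-on (REMOTE_USER), the Attribute Authority answers the target's attribute query but releases only what the per-target Attribute Release Policy allows, and the Resource Manager applies an access rule modelled on the Apache `require` line. The directory record (the Chris Jones attributes from slide 4), the target identifiers, the ARP contents and the 300-second handle lifetime are all constructed for the example.

```python
import secrets

HANDLE_TTL = 300  # seconds; a handle is a temporary reference to a session (constructed value)

# Constructed directory record modelled on the "Chris Jones" attributes on slide 4.
DIRECTORY = {
    "cjones": {
        "uwStudentNumber": "62-3407",
        "homePhone": "715-555-1234",
        "mail": "chris.jones@uw.edu",
        "eduPersonScopedAffiliation": ["student@uw.edu"],
        "course": ["Psych 402"],
    },
}

# Attribute release policies (ARPs): which attributes each target may receive.
# Target identifiers are constructed placeholders, not real federation entities.
ARP = {
    "napster.example": ["eduPersonScopedAffiliation"],
    "seminar.example": ["eduPersonScopedAffiliation", "course"],
}


class HandleService:
    """Origin HS: after the local sign-on succeeds, issues an opaque handle."""

    def __init__(self):
        self._handles = {}  # handle -> (uid, expiry time)

    def issue(self, remote_user, now):
        handle = secrets.token_urlsafe(24)  # random; reveals nothing about the user
        self._handles[handle] = (remote_user, now + HANDLE_TTL)
        return handle

    def resolve(self, handle, now):
        entry = self._handles.get(handle)
        if entry is None or now > entry[1]:
            return None  # unknown or expired handle
        return entry[0]


class AttributeAuthority:
    """Origin AA: answers attribute queries for a handle, filtered by the ARP."""

    def __init__(self, hs, directory, arp):
        self.hs, self.directory, self.arp = hs, directory, arp

    def query(self, handle, target, requested, now):
        uid = self.hs.resolve(handle, now)
        if uid is None:
            raise PermissionError("unknown or expired handle")
        released = set(self.arp.get(target, []))  # unknown target: release nothing
        record = self.directory[uid]
        return {a: record[a] for a in requested if a in released and a in record}


def resource_manager_allows(attrs, rule):
    """Target RM decision, modelled on the Apache 'require' line.

    rule is either 'valid-user' (any federated user with a session passes,
    regardless of released attributes) or an (attribute, value) pair that
    must appear among the attributes the AA actually released.
    """
    if rule == "valid-user":
        return True
    name, value = rule
    return value in attrs.get(name, [])


def demo():
    now = 1_000_000.0  # constructed clock value so the run is deterministic
    hs = HandleService()
    aa = AttributeAuthority(hs, DIRECTORY, ARP)

    # 1. Local sign-on at the origin succeeded with REMOTE_USER=cjones; HS issues a handle.
    handle = hs.issue("cjones", now)

    # 2. Each target's SHAR asks the AA for every attribute it would like to have.
    wanted = ["homePhone", "mail", "uwStudentNumber",
              "eduPersonScopedAffiliation", "course"]
    napster_view = aa.query(handle, "napster.example", wanted, now)
    seminar_view = aa.query(handle, "seminar.example", wanted, now)

    # 3. Each target's RM applies its own access rule to what was released.
    napster_ok = resource_manager_allows(
        napster_view, ("eduPersonScopedAffiliation", "student@uw.edu"))
    seminar_ok = resource_manager_allows(seminar_view, ("course", "Psych 402"))

    # 4. After the handle lifetime has passed, the AA refuses the query outright.
    try:
        aa.query(handle, "napster.example", wanted, now + HANDLE_TTL + 1)
        stale_refused = False
    except PermissionError:
        stale_refused = True

    return napster_view, seminar_view, napster_ok, seminar_ok, stale_refused


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running `demo()` shows the privacy point of the "We Want This" / "Not This" slides: both targets ask for the phone number, e-mail and student number, but the Napster-style target learns only the scoped affiliation and the seminar target additionally learns the course, while the rest of the directory record never leaves the origin. It also shows why `require valid-user` on its own is a weak rule on the target side: it accepts any federated user who has a session, so a target that needs a specific group should check a released attribute instead.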

22
Technical notes - Origin
  • Origin software
  • Written in Java for Tomcat 4.1/5.X
  • Suggested: run with Apache and mod_jk
  • Installing is 1% of the job
  • Protect Handle Service with auth, provide REMOTE_USER
  • AuthType Kerberos
  • AuthName "Internet2 Handle Service"
  • KrbAuthRealms UCAR.EDU
  • KrbMethodK4Passwd off
  • require valid-user
  • SSL required for the Handle Service

23
Challenges - Origin Side
  • Authoritative User Directory
  • What UCAR directory?
  • How could DLESE verify anyone's a teacher?
  • No Personal ARP GUI
  • Single Sign-On Service (pubcookie?)
  • Attribute provision
  • AA does mapping
  • Meeting Federation requirements, e.g.
    eduPersonScopedAffiliation (faculty, alum,
    student, ...)

24
URLs of Note
  • http://shibboleth.internet2.edu/
  • http://inqueue.internet2.edu