Authentication methods: Shibboleth
UKLII: Data Publishing Working Group, Welsh Assembly Government, Cardiff. 28th March 2011
[email_address]

Synopsis
• What is Shibboleth?
• How does it work?
• Shibb and OGC Web Services
• Work done to date
• What are the implications? (or why we think this is important)
• Some things that could happen next…

Shibboleth
• Internet2 consortium
• Open source package for web Single Sign On across administrative boundaries
• Based on standards: Security Assertion Markup Language (SAML)
• Organisations can exchange user information and make security assertions while obeying privacy policies
• Devolved authentication: maintain and leverage existing user management
• Enables finer grained authorisation through use of attributes
• Small coordination centre, large federation of organisations (service and identity providers)
• Many Shibboleth Access Management Federations: https://www.aai.dfn.de/links/ and https://spaces.internet2.edu/display/SHIB/ShibbolethFederations

UK Access Management Federation
• Managed by JISC Collections (previously JANET) and EDINA
• Federation Operator: JISC Collections
• Technical and Operational Support: EDINA
• 840 Member Organisations (IdPs and SPs)
• Approximately 8 million users
• Cost of running is not insignificant

Key Roles within an Access Management Federation
[Diagram: Coordinating Centre, Federation, Service Providers (SP), Identity Providers (IdP), Users, Organisations]
Basic SAML Concepts
From the SAML Technical Overview (http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf)

Service Provider Initiated Single Sign On
From the SAML Technical Overview (http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf)

Identity Provider Initiated Single Sign On
From the SAML Technical Overview (http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.pdf)

Example Shibboleth Login Procedures
http://www.switch.ch/aai/demo/medium.html

Why put effort into federated access control?
• Authentication is the process of verifying that claims made concerning a subject (e.g. identity) who is attempting to access a resource are true, i.e. authentic
• Frequently, SDI content and service providers need to know who is accessing their valuable, secure, protected, etc., data
• The ability for a group of organisations with common objectives (i.e. a federation) to securely exchange authentication information is a powerful SDI enabler
• Article 19 of the INSPIRE Directive: ”…Member States may limit public access…etc, etc”
• Even more so if removing some of the barriers to interoperability…
Why put effort into federated access control around OWS?
• Open geospatial interoperability standards underpin SDI
• OGC Standards are agnostic about security
• Grand challenge: the lack of a genuinely interoperable security solution is a major barrier to all sectors
• EU requested that the ESDIN project focus on testing practical existing solutions
• Prior work by the same team (JISC funded SEE-GEO project) demonstrated Shibb Access Control around WMS:
    • No changes to the OWS interface specification
    • No changes to the core mainstream Shibboleth

Work to Date: ESDIN Project
• Resourced EDINA to build on in-house access control expertise
• An eContentplus Best Practice Network project
• Ran from Sept 2008 until end Feb 2011
• Coordinated by EuroGeographics
• From an AuthN perspective, the main ESDIN Use Case was Key Users (e.g. EEA, EuroStat, JRC) accessing INSPIRE Annex 1 services from different member states
• Key goal: help member states prepare their data for INSPIRE Annex 1 themes

ESDIN – Mostly NMCAs
Interactive Instruments; Bundesamt für Kartographie und Geodäsie; Lantmäteriet; National Technical University of Athens; IGN Belgium; Bundesamt für Eich- und Vermessungswesen; Universität Münster; EDINA, University of Edinburgh; National Agency for Cadastre and Real Estate Publicity, Romania; Helsinki University of Technology; IGN France; Kadaster; Kort & Matrikelstyrelsen; Geodan Software Development & Technology; 1Spatial; The Finnish Geodetic Institute; National Land Survey of Finland; Institute of Geodesy, Cartography and Remote Sensing; Statens kartverk; EuroGeographics

OGC Interoperability Experiments (IEs)
• Key vehicle for taking the work forward
• Simple, low overhead means for OGC members to get together and advance specific technical objectives within the OGC baseline
• Facilitated by OGC staff
• More lightweight than the OGC Web Services initiatives
• Focussed on specific interoperability issues
• Effort is viewed as voluntary and supported by in-kind contributions by participating member organisations
• Duration normally around 6 months

Authentication IE
• Test standard ways of authentication between OGC clients and OGC Web Services
• Intended that the following mechanisms would be tested: HTTP Authentication; HTTP Cookies; SSL/X509; SAML; Shibboleth; OpenID; WS-Security
• ESDIN concentrated on:
    • Putting together a prototype Shibboleth Access Management Federation comprised mainly of NMCAs
    • Understanding how OWS clients could be modified to be capable of undergoing the Shibboleth interactions
• OGC Engineering Report: Doc 09-092r1
OGC Web Services Shibboleth IE (OSI)
• Started Aug 2010
• Previous work had shown it was possible to protect WMS with Shibb so that:
    • No mods required to the OGC interface
    • No mods required to the Shibb download
    • BUT mods required to OWS clients
• OSI provided the OGC software-producing community with the means and opportunity to modify OWS clients to work with Shibb
• Emphasis on desktop OWS client software
• Provide participants with the opportunity to demonstrate their software in action

OSI - How
• Use the test ESDIN Federation to provide OSI participants with services to develop against
• Provide an open source reference implementation of a modified desktop client conformant with the SAML ECP Profile: http://esdin.fgi.fi/wiki/index.php/Esdin:AuthIE:Client
• Provide some technical support, e.g. with OpenLayers clients conformant with the Web Browser SSO Profile
• Regular telcons
• OSI Technology Integration Experiment event
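The SAML ECP Profile named above is what lets a desktop OWS client, which has no browser to be redirected, carry out the SAML exchange itself. The Python below is an added example written for this page (it is not the ESDIN reference client, nor Shibboleth or OpenLayers code) showing the client's side of that exchange with the standard library only: the PAOS headers added to the OWS request, extraction of the SP's responseConsumerURL and RelayState, the envelope relayed to the IdP, and the delivery back to the SP, which must become a SOAP fault when the IdP's AssertionConsumerServiceURL does not match what the SP announced. The two SOAP envelopes, the entity and consumer URLs and the RelayState value are constructed samples, and the HTTP transport is left out.

```python
"""Client side of the SAML 2.0 ECP exchange (added example, not the ESDIN
reference client; envelopes and URLs below are constructed samples)."""
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SOAP_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
PAOS_CONTENT_TYPE = "application/vnd.paos+xml"


def paos_request_headers():
    """Added to the OWS request (e.g. GetCapabilities) so the SP replies with a
    SOAP-wrapped AuthnRequest rather than a browser redirect."""
    return {"Accept": "text/html; " + PAOS_CONTENT_TYPE,
            "PAOS": 'ver="%s";"%s"' % (NS["paos"], NS["ecp"])}


def parse_sp_envelope(xml_text):
    """What the client must remember from the SP's reply before talking to the IdP."""
    root = ET.fromstring(xml_text)
    relay = root.find("soap:Header/ecp:RelayState", NS)
    return {"response_consumer_url":
                root.find("soap:Header/paos:Request", NS).get("responseConsumerURL"),
            "relay_state": None if relay is None else relay.text}


def build_idp_request(sp_envelope_text):
    """Envelope sent (with the user's own credentials) to the IdP's ECP endpoint:
    the Body carrying the AuthnRequest is kept, the SP-side headers are dropped."""
    root = ET.fromstring(sp_envelope_text)
    header = root.find("soap:Header", NS)
    if header is not None:
        root.remove(header)
    return ET.tostring(root, encoding="unicode")


def soap_envelope(header_children, body_children):
    env = ET.Element("{%s}Envelope" % NS["soap"])
    ET.SubElement(env, "{%s}Header" % NS["soap"]).extend(header_children)
    ET.SubElement(env, "{%s}Body" % NS["soap"]).extend(body_children)
    return ET.tostring(env, encoding="unicode")


def build_sp_delivery(idp_envelope_text, response_consumer_url, relay_state):
    """Final POST to the SP.  When the IdP's AssertionConsumerServiceURL differs
    from the responseConsumerURL the SP announced, the profile requires a SOAP
    fault to the SP instead of the assertion."""
    root = ET.fromstring(idp_envelope_text)
    acs_url = root.find("soap:Header/ecp:Response", NS).get("AssertionConsumerServiceURL")
    post = {"url": response_consumer_url, "headers": {"Content-Type": PAOS_CONTENT_TYPE}}
    if acs_url != response_consumer_url:
        fault = ET.Element("{%s}Fault" % NS["soap"])
        ET.SubElement(fault, "faultcode").text = "soap:Server"
        ET.SubElement(fault, "faultstring").text = "AssertionConsumerServiceURL mismatch"
        return dict(post, kind="fault", body=soap_envelope([], [fault]))
    headers = []
    if relay_state:  # hand the SP back its own RelayState, unchanged
        rs = ET.Element("{%s}RelayState" % NS["ecp"], {
            "{%s}mustUnderstand" % NS["soap"]: "1", "{%s}actor" % NS["soap"]: SOAP_NEXT})
        rs.text = relay_state
        headers.append(rs)
    return dict(post, kind="assertion",
                body=soap_envelope(headers, list(root.find("soap:Body", NS))))


def run_exchange(sp_envelope_text, idp_envelope_text):
    """The client's whole part of the exchange; HTTP transport is left out."""
    sp = parse_sp_envelope(sp_envelope_text)
    to_idp = build_idp_request(sp_envelope_text)  # would be POSTed to the IdP
    assert "AuthnRequest" in to_idp
    return build_sp_delivery(idp_envelope_text, sp["response_consumer_url"], sp["relay_state"])


# Constructed sample envelopes (no real traffic); the ACS URL is a placeholder.
ACS_URL = "https://wms.example-sp.test/Shibboleth.sso/SAML2/ECP"
SP_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><S:Header>
 <paos:Request S:mustUnderstand="1" S:actor="%s" responseConsumerURL="%s"
  service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
 <ecp:Request S:mustUnderstand="1" S:actor="%s" ProviderName="Example WMS"/>
 <ecp:RelayState S:mustUnderstand="1" S:actor="%s">constructed-relay-state</ecp:RelayState>
</S:Header><S:Body>
 <samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2011-03-28T10:00:00Z"/>
</S:Body></S:Envelope>""" % (SOAP_NEXT, ACS_URL, SOAP_NEXT, SOAP_NEXT)
IDP_ENVELOPE_OK = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><S:Header>
 <ecp:Response S:mustUnderstand="1" S:actor="%s" AssertionConsumerServiceURL="%s"/>
</S:Header><S:Body>
 <samlp:Response ID="_resp1" Version="2.0" InResponseTo="_req1" IssueInstant="2011-03-28T10:00:01Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 </samlp:Response></S:Body></S:Envelope>""" % (SOAP_NEXT, ACS_URL)
# Same IdP response naming a different consumer URL: must become a SOAP fault.
IDP_ENVELOPE_BAD = IDP_ENVELOPE_OK.replace(ACS_URL, "https://other.example-sp.test/ECP")
```

Calling `run_exchange(SP_ENVELOPE, IDP_ENVELOPE_OK)` yields the assertion POST for the SP's consumer URL with the RelayState restored; `run_exchange(SP_ENVELOPE, IDP_ENVELOPE_BAD)` yields a fault instead. The URL comparison is the one client-side check the profile makes mandatory, and it is the part a modified desktop client is most likely to skip: without it the client would hand a freshly minted assertion to whichever consumer URL the IdP response happens to name. A real client additionally needs TLS to both endpoints and server-side signature checking on the SP, neither of which this example replaces.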
OSI - Who
• 31 individuals registered on the Shibb OGC portal site
• EDINA, Snowflake, Cadcorp, Envitia, con terra/ESRI, Joint Research Centre all modified their OWS client software or open source
• Federal Agency for Cartography and Geodesy (BKG) contributed another test Shibb federation they have been using for similar purposes
• Recently started EU funded BRISEIDE project: http://www.briseide.eu/

Technology Integration Experiment Webinar
• Afternoon of Thurs 18th November
• Approx 30 people turned up on the day
• EDINA, Snowflake, Cadcorp, Envitia, con terra, JRC all demonstrated:
    • Different clients (desktop, browser, proxy)
    • Different services (WMS and WFS)
    • Different federations (ESDIN and BKG)

OSI - Outcomes
• Using Shibboleth to protect OWS is practical
    • Not particularly difficult on the server side
    • Not particularly difficult with browser based clients
    • More subtle with desktop based clients, but possible with some effort in a short space of time
• This kind of “IE testbed” approach appreciated by participating OGC members
• Highly likely community support and tooling will be available if a decision is made to operationalise
• Draft Engineering Report (OGC 11-019r1)
Related Outcomes – Germany
• “Betriebsmodell GDI-DE” (Operating model for SDI Germany)
    • Technical feasibility (authentication/authorisation)
        • Securing OWS using SAML via Shibb, XACML and GeoXACML
        • AuthN using the German Identity Card and connection to the eID interface
    • Organisational requirements
        • Which SAML attributes for the Federation
        • Who is responsible for what
        • Costs
    • Business Processes
        • Admitting/Excluding IdPs/SPs from the Federation
        • Roles and Processes in operating a WAYF
• Extending their Test Federation
    • Additional SPs serving real restricted data, e.g. cadastral parcels via OWS
    • Not just geospatial data
    • Additional IdPs (including one that supports eID)
    • Establishing a WAYF
• Investigating additional Use Cases: Gov2Bus, Gov2Gov and Gov2Citz
• Results and Demo at InterGEO in Sept and at OGC TC later this year
• Why don’t we collaborate more? Inter-Federation?

Related Outcomes – Sweden
• Swedish NSDI Shibboleth project initiated
• Exact objectives still being formulated but likely to include:
    • Feasibility of replacing the existing system with Shibboleth
    • Feasibility of devolving AuthN (centralised at the moment)
    • Issues relating to administering a Federation
    • Investigation of collaborative opportunities with other NMCAs, something like the “Nordic Initiative” in respect of GeoNetwork
Where Next?
An INSPIRE Federation?
• One federation, and every legally mandated organisation joins
• Multiple federations: one in each country and one pan-European
• One federation: one organisation in each country, the INSPIRE point of contact, joins the single pan-European federation and acts as the gateway for all the other legally mandated organisations in the country that are standing up INSPIRE services

An INSPIRE Federation?
[Diagram: OWS Providers (Member State organisations, e.g. INSPIRE Points of Contact, serving WMS and WFS); Coordinating Centre; Identity Providers (IdP) for key organisations, e.g. EEA, JRC]

Workshop at INSPIRE Conference in June
• Title: Shibboleth Federations and Secure SDI: Outcome and Demonstrations from the OGC Web Service Shibboleth Interoperability Experiment
• Original intention is a re-run of the Nov 2010 “plugfest”:
    • More public, slicker
    • More member state NMCAs in the ESDIN Federation
    • Maybe get more system suppliers to modify their software
• Up the level of discussion
• IOC Task Force involvement?

Interoperable Geographic Information for Biosphere Study
• JISC funded IGIBS project from 1st Apr to 31st Oct 2011
• Partnership between EDINA, Aberystwyth University and Welsh Assembly Government (WAG)
• Focussed on Research and Education related to the UNESCO Dyfi Biosphere Reserve
• Allow users to create WMSs to view data in conjunction with reference data from WAG
• Access control so that:
    • Students can publish intermediary results, commercial in confidence datasets, etc.
    • WAG can make available a wider range of data
• Better integration between academic and public sector
• Opportunity to transfer knowledge and explore (a bit)

Lots of open questions
• How do e-commerce solutions bolt onto this architecture?
• What’s the best way of approaching inter-federation interoperability?
• What’s best practice in respect of interoperability with different member states’ identity management systems? Similarly, pan-European identity management systems?
• What’s best practice in terms of AuthZ infrastructures?
• How do the processes and roles involved in governing an access management federation map to those required for SDI governance?
• How may the more advanced service chaining patterns be realised where some or all of the services in the chain are protected?
B. Lawrence,  http://www.osdm.gov.au/SBF201011_Lawrence.pdf?ID=1072
Dimensions of Interoperability
From the European Interoperability Framework for Pan-European eGovernment Services (http://ec.europa.eu/idabc/servlets/Docb0db.pdf?id=31597)

Comparison between OpenID and Shibb
From EDINA “Review of OpenID”, 2007


Editor's Notes

  1. Better emphasise that this “security guy” does not have all the answers
  2. Make this generic to show the components of a federation
  3. Examples for each of the components. Bindings: e.g. HTTP Redirect, HTTP POST, HTTP Artifact Binding
  4. Typical series of SAML interactions
  5. Typical series of SAML interactions. JRC has done something like this
  6. Steps of the exchange:
     1) User attempts to access a Shibboleth-protected resource on the Service Provider (SP) site.
     2) User is redirected to the WAYF in order to select their home organisation (IdP).
     3) Part of the same exchange as 2.
     4) IdP ensures that the user is authenticated, by whatever means the IdP deems appropriate.
     5) After successful authentication, a one-time handle (a SAML artefact) is generated for this user session.
     6) SP uses the handle to request attribute information from the IdP for this user.
     7) IdP allows or denies attribute information to be made available to this SP.
     8) Based on the attribute information made available, SP makes the authorisation decision, i.e. allows or denies the user access to the resource.
  7. Not just SDI: many kinds of information infrastructure require access control. Typically, authentication is a pre-requisite; there are some use cases where you don’t need it, e.g. public. Barriers to interoperability include cost, vendor lock-in, lack of a support community, not being standards based, etc. Return later to those last points
  8. But not OSGB
  9. Advantage of working within the processes of a Standards Body
  10. ESDIN contributed Shibboleth. No OpenID; WS-Security for catalogue
  11. Link back to profiles and IdP led as opposed to SP led flows
  12. Probably other activity taking place across Europe that I don’t know about. GeoNetwork
  13. “British experience with building standards based networks for climate and environmental research”
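Note 6 above lists the Shibboleth exchange step by step, and the Shibboleth slide earlier says that authorisation is driven by attributes released under the IdP's privacy policy. The Python below is an added example written for this page (it is not ESDIN, EDINA or Shibboleth code) that simulates that sequence end to end: WAYF selection, IdP authentication, a one-time handle bound to the requesting SP, the SP's attribute request, attribute release filtered by a per-SP policy, and an SP decision that looks only at the released attributes. Entity IDs, usernames, passwords, attribute names and values are all constructed; the signed SAML messages of a real deployment are represented by plain Python objects.

```python
"""Simulation of the SP / WAYF / IdP exchange in note 6 (added example, not
ESDIN, EDINA or Shibboleth code; every name, entity ID, password and attribute
value below is constructed)."""
import secrets
import time


class IdentityProvider:
    """Authenticates its own users and releases attributes to SPs per policy."""

    def __init__(self, entity_id, users, release_policy, artifact_ttl=60):
        self.entity_id = entity_id
        self.users = users                    # username -> {"password", "attributes"}
        self.release_policy = release_policy  # sp_entity_id -> attribute names released
        self.artifact_ttl = artifact_ttl      # seconds a handle stays resolvable
        self._artifacts = {}                  # handle -> (username, sp_entity_id, issued_at)

    def authenticate(self, username, password, sp_entity_id):
        """Steps 4/5: check credentials by whatever means the IdP chooses (here a
        password) and mint a single-use handle bound to the requesting SP."""
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            return None
        handle = secrets.token_urlsafe(16)
        self._artifacts[handle] = (username, sp_entity_id, time.time())
        return handle

    def resolve_attributes(self, handle, sp_entity_id):
        """Steps 6/7: the SP trades the handle for attributes.  The handle is
        consumed on first use, must be fresh and must come from the SP it was
        issued to; only attributes the release policy allows for that SP go out."""
        record = self._artifacts.pop(handle, None)
        if record is None:
            raise PermissionError("unknown or already used handle")
        username, bound_sp, issued_at = record
        if bound_sp != sp_entity_id:
            raise PermissionError("handle presented by a different SP")
        if time.time() - issued_at > self.artifact_ttl:
            raise PermissionError("handle expired")
        allowed = self.release_policy.get(sp_entity_id, set())
        return {k: v for k, v in self.users[username]["attributes"].items() if k in allowed}


class ServiceProvider:
    def __init__(self, entity_id, required_entitlement):
        self.entity_id = entity_id
        self.required_entitlement = required_entitlement

    def authorise(self, attributes):
        """Step 8: the decision rests on released attributes, not on who the user is."""
        return self.required_entitlement in attributes.get("eduPersonEntitlement", [])


def wayf(federation, home_org):
    """Steps 2/3: the user names their home organisation and federation metadata
    maps it to an IdP.  A KeyError means the organisation is not a member."""
    return federation[home_org]


def access_resource(sp, federation, home_org, username, password):
    """Steps 1-8 end to end.  Returns (granted, attributes the SP actually saw)."""
    idp = wayf(federation, home_org)
    handle = idp.authenticate(username, password, sp.entity_id)
    if handle is None:
        return False, {}
    attrs = idp.resolve_attributes(handle, sp.entity_id)
    return sp.authorise(attrs), attrs


def build_demo_federation():
    """Constructed one-IdP, one-SP federation: alice holds the entitlement the
    WMS requires, bob does not; only eduPersonEntitlement is released to the WMS."""
    sp_id = "https://wms.example-sp.test/shibboleth"
    idp = IdentityProvider(
        "https://idp.example-nmca.test/shibboleth",
        users={"alice": {"password": "alice-pw", "attributes": {
                   "eduPersonEntitlement": ["urn:example:inspire:annex1"],
                   "mail": "alice@example-nmca.test"}},
               "bob": {"password": "bob-pw", "attributes": {
                   "eduPersonEntitlement": [], "mail": "bob@example-nmca.test"}}},
        release_policy={sp_id: {"eduPersonEntitlement"}})
    sp = ServiceProvider(sp_id, "urn:example:inspire:annex1")
    return sp, {"Example NMCA": idp}


def replay_is_rejected():
    """A second resolution of the same handle must fail (one-time handle)."""
    sp, federation = build_demo_federation()
    idp = federation["Example NMCA"]
    handle = idp.authenticate("alice", "alice-pw", sp.entity_id)
    idp.resolve_attributes(handle, sp.entity_id)
    try:
        idp.resolve_attributes(handle, sp.entity_id)
    except PermissionError:
        return True
    return False
```

With the constructed federation, `access_resource(sp, federation, "Example NMCA", "alice", "alice-pw")` grants access and the SP sees only the entitlement, never the mail attribute, because the release policy is applied at the IdP; the same call for bob authenticates fine but is refused at step 8. Three properties of the handle carry the security of the exchange and are worth checking in any real implementation: it is single use, it expires, and it resolves only for the SP it was issued to, so an SP cannot resolve a handle issued for another service.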