Integrating Shibboleth with Enterprise Identity and Access Management IAM Systems - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Integrating Shibboleth with Enterprise Identity
and Access Management (IAM) Systems
  • Presentation available at
  • http://arch.doit.wisc.edu/keith/midnet
  • ShibInteg-050609-01.ppt
  • Keith Hazelton, hazelton@doit.wisc.edu
  • Sr. IT Architect, University of Wisconsin-Madison
  • Internet2 MACE
  • MIDnet Spring Conference, June 10, 2005

2
Shibboleth v 1.2.1a Integration Overview
  • Identity Provider (Origin) Deployment,
    Integration
  • Authentication/Identifier Assertion Phase:
    Components & Dependencies
  • Identity Attribute Assertion Phase
  • Service Provider (Target) Deployment, Integration
  • Two scenarios for each:
  • Shib classic: e-Lib accessing licensed
    resources
  • Shib federation across a state system: shared
    services

3
Basic IAM functions mapped to the NMI / MACE components
(Diagram) Layers labelled Systems of Record, Enterprise Directory and Apps / Resources. IAM functions shown: Join, Reflect, Provision, Log, Credential, AuthN, AuthZ, Manage Affiliations, Manage Privileges, Deliver. NMI / MACE components labelled: WebISO, Grouper, Signet, Shibboleth.

4
Identity Provider / (Origin)
(Diagram) Browser User, WAYF, Identity Provider "wasabi" (HS, Attribute Authority) and Service Provider "gari"; Apache (1.3 or 2.0) / Tomcat web server / servlet container. Inspired by SWITCH (Swiss REN): http://www.switch.ch/aai/demo/

5
Identity Provider / (Origin): AuthN, Identifier
(Diagram) Campus WebISO; Identity Provider "wasabi" (HS, Attribute Authority) on Apache (1.3 or 2.0) / Tomcat web server / servlet container.

6
WebISO requirements from Shib
Campus WebISO
  • WebISO can authenticate a set of users based on
    locally issued/registered credentials
  • Open source WebISO package, PubCookie, mentioned
    in Origin Deployment Guide.
  • For details and download, see
  • http://middleware.internet2.edu/webiso/

7
WebISO alternatives
Campus WebISO
  • But end-user PKI certs work fine, too
    (configurable filter)
  • And there are ways to support multiple AuthN
    methods with failover
  • UW-Madison 2 InQueue IdP runs this
    configuration
  • End entity certificate with failover to LDAP
    basic auth.
  • See wasabiHttpd.conf, lines 1017 et seq.

8
Shib assumes Identity and Access Management (IAM) Services
(Diagram) Labels: Student System of Record, Human Resources System of Record, Other Systems of Record, Meta-Directory Processes, Registry, Enterprise Directory (LDAP Directory), Campus WebISO.

9
Identity Provider Middleware
(Diagram) Campus WebISO, Enterprise Directory and Identity Provider "wasabi" (HS, Attribute Authority) on Apache (1.3 or 2.0) / Tomcat web server / servlet container.

10
Identity Provider / (Origin)
(Diagram) Browser User, Identity Provider "wasabi" (HS, Attribute Authority) and Service Provider "gari"; Apache (1.3 or 2.0) / Tomcat web server / servlet container.

11
Identity Provider / (Origin): Attribute Assertion Phase
(Diagram) Browser User, Identity Provider (HS, Attribute Authority) and Service Provider; Apache (1.3 or 2.0) / Tomcat web server / servlet container.

12
Identity Provider Middleware
(Diagram) Campus WebISO, Enterprise Directory, HS and Attribute Authority on Apache (1.3 or 2.0) / Tomcat web server / servlet container.

13
Attribute Authority (AA) <-> Ent. Directory
  • Shib AA Deployment Issues
  • Configure AA to connect to Ent. Directory
  • Data connectors can be JNDI-based, JDBC-based
    (xml-configurable) or custom user plug-ins
  • Map Directory attributes to SAML attributes

14
Attribute Authority (AA) <-> Ent. Directory
  • Fragment of ..conf/origin.xml

15
Attribute Authority (AA) <-> Ent. Directory
  • Resolver links named attributes to specific data
    connectors

16
Attribute Authority (AA) <-> Ent. Directory
  • and specifies connector
  • (here JNDI LDAP)

17
Attribute Authority (AA) <-> Ent. Directory
  • and specifies connector
  • (here JDBC SQL)

18
Attribute Authority (AA) <-> Ent. Directory
  • Shib AA Deployment Issues, cont.
  • Comply with Attribute Release Policy (ARP) in
    determining which service providers get which
    attributes
  • Federation rules are given
  • Bilateral rules need to be worked out and agreed to
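
To make the ARP step concrete, here is an added Python model of attribute release (not code from the presentation or from Shibboleth itself): a federation-wide rule plus a bilateral rule for one service provider, applied to a user's resolved attributes before anything is asserted. It assumes Shibboleth 1.x ARP semantics in which an explicit deny on a value overrides any permit; the provider ids, attribute values and policy are constructed for the example.

```python
from dataclasses import dataclass, field

ANY = "*"  # wildcard: any requester (in a Rule) or any value (in an AttrRule)
AFFIL = "urn:mace:dir:attribute-def:eduPersonAffiliation"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"

@dataclass
class AttrRule:
    name: str                                 # SAML attribute name
    permit: set = field(default_factory=set)  # values released ({ANY} = all)
    deny: set = field(default_factory=set)    # values withheld ({ANY} = all)

@dataclass
class Rule:
    requester: str   # SP providerId this rule targets, or ANY (federation-wide)
    attrs: list

def release(arps, requester, resolved):
    """Filter resolved attributes {name: set(values)} for one requester.
    All ARPs (federation default plus bilateral) are merged; an explicit deny
    on a value overrides any permit for it, and attributes nobody permits
    are withheld entirely."""
    out = {}
    for name, values in resolved.items():
        permitted, denied = set(), set()
        for rule in (r for arp in arps for r in arp if r.requester in (ANY, requester)):
            for a in rule.attrs:
                if a.name != name:
                    continue
                permitted |= values if ANY in a.permit else values & a.permit
                denied |= values if ANY in a.deny else values & a.deny
        kept = permitted - denied
        if kept:
            out[name] = kept
    return out

# Constructed sample policy. Federation rule: any SP may learn that the user is
# a "member"; nothing else is released by default. Bilateral rule for the
# licensed e-library: full affiliation set (except "staff") plus principal name.
ELIB = "urn:mace:example.org:elib"  # hypothetical SP providerId
FEDERATION_ARP = [Rule(ANY, [AttrRule(AFFIL, permit={"member"})])]
BILATERAL_ARP = [Rule(ELIB, [AttrRule(AFFIL, permit={ANY}, deny={"staff"}),
                             AttrRule(EPPN, permit={ANY})])]
# Constructed attributes as the resolver would return them for one user.
RESOLVED = {AFFIL: {"member", "staff", "employee"}, EPPN: {"jdoe@example.edu"}}

def release_to_elib():
    return release([FEDERATION_ARP, BILATERAL_ARP], ELIB, RESOLVED)

def release_to_unknown_sp():
    return release([FEDERATION_ARP, BILATERAL_ARP], "urn:mace:example.org:other", RESOLVED)
```

An SP that no bilateral rule names falls back to the federation default alone, which is the behaviour to verify first when a new service provider reports missing attributes.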

19
Attribute Authority (AA) <-> Ent. Directory
  • Ah, yes, data access policy
  • This may drag stakeholders kicking and screaming
    into the room to confront policy
  • How you manage this will be key to successful
    deployment
  • The "DON'T PANIC" in big friendly letters on the
    InCommon Book may help

20
Attribute Authority (AA) <-> Ent. Directory
  • Shib can transport any attribute--it's up to
    sender and receiver to agree on its semantics
  • Simple matter of configuration
  • Some of the newer attributes
  • eduPersonTargetedID if you want a persistent
    identifier, but one that is specific to a given
    Identity Provider-Service Provider pair
  • Course-related attributes. URN-based identifier
    guideline near for course offering. eduCourse
    (currently in last call).
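
As an added illustration of the eduPersonTargetedID property described above (not the presentation's or Shibboleth's own code), the Python below derives a pairwise persistent identifier with an HMAC over the service provider id and the principal under a secret known only to the IdP; the salt, scope and provider ids are constructed for the example.

```python
import hashlib
import hmac
from base64 import b64encode

# Constructed deployment values for this example (not from any real IdP).
IDP_SALT = b"constructed-secret-salt-known-only-to-the-idp"
IDP_SCOPE = "example.edu"                 # scope appended to the value
ELIB_SP = "urn:mace:example.org:elib"     # hypothetical SP providerIds
PORTAL_SP = "urn:mace:example.edu:portal"

def targeted_id(principal: str, sp_provider_id: str, salt: bytes = IDP_SALT) -> str:
    """Pairwise persistent identifier in the spirit of eduPersonTargetedID:
    the same principal at the same SP always maps to the same opaque value,
    while two SPs receive values they cannot match against each other.
    An HMAC keyed with an IdP-only salt is used so that an SP holding the
    principal name and its own providerId still cannot recompute the value."""
    msg = f"{sp_provider_id}!{principal}".encode()
    mac = hmac.new(salt, msg, hashlib.sha256).digest()
    return b64encode(mac[:20]).decode() + "@" + IDP_SCOPE

def properties(principal: str = "jdoe") -> dict:
    """Check the three properties the slide relies on for one principal."""
    at_elib_now = targeted_id(principal, ELIB_SP)
    at_elib_later = targeted_id(principal, ELIB_SP)
    at_portal = targeted_id(principal, PORTAL_SP)
    sp_guess = targeted_id(principal, ELIB_SP, salt=b"guessed-by-sp")
    return {
        "persistent": at_elib_now == at_elib_later,   # stable across sessions
        "pairwise": at_elib_now != at_portal,         # differs per SP
        "opaque": at_elib_now != sp_guess,            # SP cannot recompute it
    }
```

Persistence depends on the salt never changing, so it belongs with the IdP's other long-lived secrets and in its backup plan.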

21
Service Provider / (Target)
(Diagram) Browser User, Identity Provider "wasabi" and Service Provider "gari" on Apache (1.3 or 2.0) / Tomcat web server / servlet container, or IIS 5.x or 6.

22
Shib Features for Service Providers
  • WAYF for federations, other options configurable
  • Authentication method can be passed in attribute
    assertion for fine-tuning risk management
  • A site may have a public face with specific links
    that invoke Shib

23
Services you might not have thought of Shibbing
  • Roaming Access to WLAN
  • http://www.terena.nl/conferences/tnc2004/
    programme/presentations/show.php?pres_id165
  • Mikael Linden, CSC, the Finnish IT center for
    Science
  • RADIUS-based access controller is a Shibboleth
    service provider
  • Network access control decision based on user's
    home attributes

24
Services you might not have thought of Shibbing
  • Portal as Shib Service
  • Apache in front of Portal on Tomcat
  • Other approaches under consideration

25
Coming Shib Features for Service Providers
  • PKI-based direct-to-target scenario
  • Cert would contain:
  • (possibly opaque) subject id
  • Identifier for associated Identity Provider
  • Would eliminate the first several steps in the
    classic Shib flow diagram
  • First Service Provider contact to Identity
    Provider would be the request for attributes
  • Lots of points of agreement to be worked out

26
Multi-campus system deployment model 1
(Diagram) Identity Providers at Campus A, B, C, D and E; Campus B also runs a Service Provider on Apache (1.3 or 2.0) / Tomcat web server / servlet container, or IIS 5.x or 6; Browser User.

27
Multi-campus system deployment model 1
  • Identity Provider per campus (vs. System IdP
    model)
  • Create a system federation (some policy
    configuration work here)
  • Any campus can put up Shibbed service
  • Or a system library can offer system-licensed
    resources
  • Each campus retains control of Identity
    Management--high autonomy model

28
Multi-campus system deployment model 2
(Diagram) Campus A, B and C directories, a System-level Identity Provider, several Service Providers, Browser User.

29
Multi-campus system deployment model 2
  • System-level Identity Provider model
  • Significant campus-to-system metadirectory
    infrastructure
  • Create a system federation (some policy
    configuration work here)
  • Any campus can put up Shibbed service
  • Or a system library can offer system-licensed
    resources
  • More seamless system citizen experience

30
Coming: Shib breaks free of the browser
  • Number of open source projects are exploring this
    space
  • A pure Java implementation of Service Provider
    components of Shibboleth (now in beta) will
    really open the door

31
Q & A
  • Which of these issues seem tough to you?
