Title: Integrating Shibboleth with Enterprise Identity and Access Management (IAM) Systems
1. Integrating Shibboleth with Enterprise Identity and Access Management (IAM) Systems
- Presentation available at
- http://arch.doit.wisc.edu/keith/midnet
- ShibInteg-050609-01.ppt
- Keith Hazelton, hazelton_at_doit.wisc.edu
- Sr. IT Architect, University of Wisconsin-Madison
- Internet2 MACE
- MIDnet Spring Conference, June 10, 2005
2. Shibboleth v1.2.1a Integration Overview
- Identity Provider (Origin) Deployment, Integration
  - Authentication/Identifier Assertion Phase
  - Identity Attribute Assertion Phase
  - Components, Dependencies
- Service Provider (Target) Deployment, Integration
- Two scenarios for each
  - Shib classic: e-Lib accessing licensed resources
  - Shib federation across a state system: shared services
3. Basic IAM functions mapped to the NMI / MACE components
[Diagram: IAM functions (AuthN, Credential, Reflect, Join, Provision, AuthZ, Mng. Affil., Mng. Priv., Deliver, Log) laid out across Systems of Record, Enterprise Directory, WebISO and Apps / Resources, and mapped to the NMI / MACE components Grouper, Signet and Shibboleth]
4. Identity Provider / (Origin)
[Diagram: Browser User, WAYF, Identity Provider (wasabi) with HS (Handle Service) and Attribute Authority, Service Provider (gari); Apache (1.3 or 2.0) / Tomcat web server / servlet container]
- Inspired by SWITCH (Swiss REN): http://www.switch.ch/aai/demo/
5. Identity Provider / (Origin): AuthN, Identifier
[Diagram: Campus WebISO, Identity Provider (wasabi) with HS and Attribute Authority; Apache (1.3 or 2.0) / Tomcat web server / servlet container]
6. WebISO requirements from Shib
[Diagram: Campus WebISO]
- WebISO can authenticate a set of users based on locally issued/registered credentials
- Open source WebISO package, PubCookie, mentioned in Origin Deployment Guide
- For details, download, see http://middleware.internet2.edu/webiso/
7. WebISO alternatives
[Diagram: Campus WebISO]
- But end-user PKI certs work fine, too (configurable filter)
- And there are ways to support multiple AuthN methods with failover
- UW-Madison 2 InQueue IdP runs this configuration
- End entity certificate with failover to LDAP basic auth.
- See wasabiHttpd.conf, lines 1017 et seq.
8. Shib assumes Identity and Access Management (IAM) Services
[Diagram: Student System of Record, Human Resources System of Record and Other Systems of Record; Meta-Directory Processes; Registry; Enterprise Directory (LDAP Directory); Campus WebISO]
9. Identity Provider Middleware
[Diagram: Campus WebISO, Enterprise Directory, Identity Provider (wasabi) with HS and Attribute Authority; Apache (1.3 or 2.0) / Tomcat web server / servlet container]
10. Identity Provider / (Origin)
[Diagram: Browser User, Identity Provider (wasabi) with HS and Attribute Authority, Service Provider (gari); Apache (1.3 or 2.0) / Tomcat web server / servlet container]
11. Identity Provider / (Origin): Attribute Assertion Phase
[Diagram: Browser User, Identity Provider with HS and Attribute Authority, Service Provider; Apache (1.3 or 2.0) / Tomcat web server / servlet container]
12. Identity Provider Middleware
[Diagram: Campus WebISO, Enterprise Directory, HS and Attribute Authority; Apache (1.3 or 2.0) / Tomcat web server / servlet container]
13. Attribute Authority (AA) <-> Ent. Directory
- Shib AA Deployment Issues
- Configure AA to connect to Ent. Directory
- Data connectors can be JNDI-based, JDBC-based (xml-configurable) or custom user plug-ins
- Map Directory attributes to SAML attributes
14. Attribute Authority (AA) <-> Ent. Directory
- Fragment of ..conf/origin.xml
15. Attribute Authority (AA) <-> Ent. Directory
- Resolver links named attributes to specific data connectors
16. Attribute Authority (AA) <-> Ent. Directory
- and specifies connector (here JNDI LDAP)
17. Attribute Authority (AA) <-> Ent. Directory
- and specifies connector (here JDBC SQL)
18. Attribute Authority (AA) <-> Ent. Directory
- Shib AA Deployment Issues, cont.
- Comply with Attribute Release Policy (ARP) in determining which service providers get which attributes
- Federation rules are given
- Bilateral rules need to be worked out, agreed to
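The two AA deployment steps on slides 13 through 18, as an added illustration (not Shibboleth's own code, and not the origin.xml or resolver syntax the deck's missing fragment showed): a resolver that pulls values from a JNDI-style and a JDBC-style data connector and maps them to SAML attribute names, followed by an Attribute Release Policy that decides which Service Provider gets which attributes. The connector ids, SP provider ids, users, the in-memory directory and table contents, and the course attribute name are all constructed assumptions.

```python
"""Model of the AA path (constructed illustration, not Shibboleth code or its
origin.xml syntax): data connectors feed an attribute resolver that maps
directory attributes to SAML attribute names, and an Attribute Release Policy
then decides which SP receives which attributes.  All connector ids, SP
provider ids, users and the course attribute name are assumed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Constructed stand-in for the enterprise LDAP directory that a JNDI connector
# would search (e.g. with the filter uid=<principal>).
LDAP_DIRECTORY = {
    "jdoe": {"uid": "jdoe", "mail": "jdoe@example.edu",
             "eduPersonAffiliation": ["student", "member"]},
    "asmith": {"uid": "asmith", "mail": "asmith@example.edu",
               "eduPersonAffiliation": ["faculty", "member"]},
}

# Constructed stand-in for a system-of-record table that a JDBC connector
# would query (e.g. SELECT course_id FROM enrollment WHERE netid = ?).
SQL_ENROLLMENT = {
    "jdoe": {"course_id": ["urn:mace:example.edu:course:cs101"]},
    "asmith": {"course_id": []},
}

Connector = Callable[[str], Dict[str, List[str]]]

def jndi_like_connector(principal: str) -> Dict[str, List[str]]:
    """Directory attributes for the principal as multi-valued lists; {} if absent."""
    entry = LDAP_DIRECTORY.get(principal, {})
    return {k: (v if isinstance(v, list) else [v]) for k, v in entry.items()}

def jdbc_like_connector(principal: str) -> Dict[str, List[str]]:
    """Row values for the principal from the constructed SQL table; {} if absent."""
    return dict(SQL_ENROLLMENT.get(principal, {}))

@dataclass
class AttributeDefinition:
    """Ties one SAML attribute name to a connector and its source attribute/column."""
    saml_name: str
    connector: str
    source_name: str

@dataclass
class AttributeResolver:
    connectors: Dict[str, Connector]
    definitions: List[AttributeDefinition]

    def resolve(self, principal: str) -> Dict[str, List[str]]:
        """Query each connector once, map values to SAML names, drop empty ones."""
        fetched: Dict[str, Dict[str, List[str]]] = {}
        resolved: Dict[str, List[str]] = {}
        for d in self.definitions:
            if d.connector not in fetched:
                fetched[d.connector] = self.connectors[d.connector](principal)
            values = fetched[d.connector].get(d.source_name, [])
            if values:
                resolved[d.saml_name] = list(values)
        return resolved

@dataclass
class ReleaseRule:
    target: str           # an SP provider id, or "*" for every SP
    attributes: Set[str]  # SAML attribute names this rule releases

@dataclass
class AttributeReleasePolicy:
    rules: List[ReleaseRule] = field(default_factory=list)

    def filter(self, sp_id: str, attrs: Dict[str, List[str]]) -> Dict[str, List[str]]:
        """Default deny: an attribute leaves only if a rule for this SP names it."""
        allowed: Set[str] = set()
        for rule in self.rules:
            if rule.target in ("*", sp_id):
                allowed |= rule.attributes
        return {name: v for name, v in attrs.items() if name in allowed}

AFFIL = "urn:mace:dir:attribute-def:eduPersonAffiliation"
MAIL = "urn:mace:dir:attribute-def:mail"
COURSE = "urn:mace:example.edu:attribute-def:courseMembership"  # constructed name

RESOLVER = AttributeResolver(
    connectors={"directory": jndi_like_connector, "sis": jdbc_like_connector},
    definitions=[
        AttributeDefinition(AFFIL, "directory", "eduPersonAffiliation"),
        AttributeDefinition(MAIL, "directory", "mail"),
        AttributeDefinition(COURSE, "sis", "course_id"),
    ],
)

# Federation-wide rule (given) plus one bilateral rule agreed with a single SP.
ARP = AttributeReleasePolicy(rules=[
    ReleaseRule("*", {AFFIL}),
    ReleaseRule("urn:mace:example.edu:sp:lms", {MAIL, COURSE}),
])

def attributes_for(principal: str, sp_id: str) -> Dict[str, List[str]]:
    """Full AA path: resolve from the connectors, then apply the ARP for this SP."""
    return ARP.filter(sp_id, RESOLVER.resolve(principal))

if __name__ == "__main__":
    for sp in ("urn:mace:example.edu:sp:lms", "urn:mace:example.edu:sp:elib"):
        print(sp, attributes_for("jdoe", sp))
```

The resolver and the ARP are deliberately separate objects: the resolver answers "what is true about this user", the ARP answers "who is entitled to hear it", and the ARP is default-deny so that an attribute added to the resolver for one SP's bilateral agreement does not leak to every other SP in the federation.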
19. Attribute Authority (AA) <-> Ent. Directory
- Ah, yes, data access policy
- This may drag stakeholders kicking and screaming into the room to confront policy
- How you manage this will be key to successful deployment
- The "DON'T PANIC" in big friendly letters on the InCommon Book may help
20. Attribute Authority (AA) <-> Ent. Directory
- Shib can transport any attribute--it's up to sender and receiver to agree on its semantics
- Simple matter of configuration
- Some of the newer attributes
  - eduPersonTargetedID if you want a persistent identifier, but one that is specific to a given Identity Provider-Service Provider pair
  - Course-related attributes. URN-based identifier guideline for course offerings is near. eduCourse (currently in last call).
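The property slide 20 attributes to eduPersonTargetedID, one persistent identifier per Identity Provider-Service Provider pair, worked through as an added example that is not part of the deck and not Shibboleth's implementation. The derivation (an HMAC-SHA256, keyed with a long-lived IdP secret, over the local principal name and the SP's provider id), the scope suffix, the provider ids and the secret are all assumptions chosen for the illustration.

```python
"""Added illustration of a pair-specific persistent identifier.  The HMAC
construction, scope, salt and provider ids are assumptions for this example,
not the algorithm Shibboleth uses."""
import hashlib
import hmac

IDP_SCOPE = "example.edu"                        # constructed IdP scope
# Constructed secret.  It must stay stable for the life of the deployment and
# be backed up: regenerating it silently turns every returning user into a
# stranger at every SP, because the identifiers no longer match.
IDP_SALT = b"constructed-long-lived-idp-secret"

def targeted_id(principal: str, sp_provider_id: str, salt: bytes = IDP_SALT) -> str:
    """Opaque identifier for `principal` that is stable for one SP and unrelated
    to the identifier the same user receives at any other SP."""
    msg = f"{principal}!{sp_provider_id}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()

def scoped_targeted_id(principal: str, sp_provider_id: str) -> str:
    """Scoped form value@scope; the scope tells the SP which IdP issued it."""
    return f"{targeted_id(principal, sp_provider_id)}@{IDP_SCOPE}"

class ServiceProviderAccounts:
    """The SP side: a table from targeted ID to the SP's own local account.
    The SP never learns the campus principal name from the identifier."""

    def __init__(self) -> None:
        self._by_tid: dict = {}

    def account_for(self, tid: str) -> str:
        """Return the local account for this identifier, creating one on first visit."""
        if tid not in self._by_tid:
            self._by_tid[tid] = f"local-{len(self._by_tid) + 1}"
        return self._by_tid[tid]

def demo() -> dict:
    """Show both properties: stable across visits, different across SPs."""
    lms = "urn:mace:example.edu:sp:lms"    # constructed SP provider ids
    elib = "urn:mace:example.edu:sp:elib"
    sp = ServiceProviderAccounts()
    first = sp.account_for(scoped_targeted_id("jdoe", lms))
    second = sp.account_for(scoped_targeted_id("jdoe", lms))
    return {"persistent": first == second,
            "unlinkable": targeted_id("jdoe", lms) != targeted_id("jdoe", elib)}

if __name__ == "__main__":
    print(demo())
```

The point for the bilateral agreements slide 18 mentions is that two SPs comparing notes cannot join their user tables on this value, while one SP can still keep per-user state across sessions; the unlinkability rests entirely on the secret staying inside the IdP.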
21. Service Provider / (Target)
[Diagram: Browser User, Identity Provider (wasabi), Service Provider (gari); Apache (1.3 or 2.0) / Tomcat web server / servlet container, or IIS 5.x or 6]
22. Shib Features for Service Providers
- WAYF for federations, other options configurable
- Authentication method can be passed in attribute assertion for fine tuning risk management
- A site may have a public face with specific links that invoke Shib
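What "fine tuning risk management" on the authentication method can look like on the Service Provider side, as an added example that is not from the deck or from the Shibboleth SP: the SP reads the AuthenticationMethod URI from a SAML 1.x authentication statement and combines it with the user's affiliation to allow, deny, or demand a stronger login. The SAML 1.x method URIs are the real ones; the assertion fragment, the strength ranking and the resource tiers are constructed assumptions.

```python
"""Added SP-side policy example (not Shibboleth code).  Authentication method
URIs are the SAML 1.x ones; the assertion sample, the strength ranking and
the resource tiers are constructed for the illustration."""
import xml.etree.ElementTree as ET
from typing import Iterable, Tuple

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
AM_X509 = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"
AM_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.0:am:unspecified"

# Constructed assertion shaped like a SAML 1.1 authentication statement.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1">
  <saml:AuthenticationStatement AuthenticationMethod="{AM_X509}"
        AuthenticationInstant="2005-06-10T14:00:00Z">
    <saml:Subject><saml:NameIdentifier>constructed-handle</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Constructed ranking: higher means stronger assurance.  Anything not listed
# (including "unspecified") ranks as 0, so an IdP that says nothing about how
# the user logged in never unlocks more than the weakest tier.
STRENGTH = {AM_PASSWORD: 1, AM_X509: 2}

# Constructed resource tiers: (minimum strength, affiliations admitted).
TIER_REQUIREMENTS = {
    "catalog": (0, {"member", "student", "faculty", "staff"}),
    "grades": (1, {"student", "faculty"}),
    "payroll": (2, {"staff", "faculty"}),
}

def authn_method_from_assertion(xml_text: str) -> str:
    """Pull the asserted method; treat a missing statement as unspecified."""
    root = ET.fromstring(xml_text)
    stmt = root.find(f"{{{SAML1_NS}}}AuthenticationStatement")
    if stmt is None:
        return AM_UNSPECIFIED
    return stmt.get("AuthenticationMethod", AM_UNSPECIFIED)

def decide(resource: str, authn_method: str, affiliations: Iterable[str]) -> Tuple[str, str]:
    """Return ("allow" | "deny" | "step-up", reason) for one access request."""
    if resource not in TIER_REQUIREMENTS:
        return ("deny", "unknown resource")
    min_strength, admitted = TIER_REQUIREMENTS[resource]
    if not admitted & set(affiliations):
        return ("deny", "affiliation not admitted")
    strength = STRENGTH.get(authn_method, 0)
    if strength < min_strength:
        return ("step-up", f"needs authentication strength >= {min_strength}")
    return ("allow", "ok")

if __name__ == "__main__":
    method = authn_method_from_assertion(SAMPLE_ASSERTION)
    for resource in TIER_REQUIREMENTS:
        print(resource, decide(resource, method, ["staff"]))
```

Affiliation is checked before strength so that a user who could never see the resource is told so rather than being sent through a stronger login for nothing; the "step-up" outcome is where the SP would redirect the user back to the IdP asking for a stronger method.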
23. Services you might not have thought of Shibbing
- Roaming Access to WLAN
- http://www.terena.nl/conferences/tnc2004/programme/presentations/show.php?pres_id=165
- Mikael Linden, CSC, the Finnish IT center for Science
- RADIUS-based access controller is a Shibboleth service provider
- Network access control decision based on user's home attributes
24. Services you might not have thought of Shibbing
- Portal as Shib Service
- Apache in front of Portal on Tomcat
- Other approaches under consideration
25. Coming Shib Features for Service Providers
- PKI-based direct-to-target scenario
- Cert would contain
  - (possibly opaque) subject id
  - Identifier for associated Identity Provider
- Would eliminate the first several steps in the classic Shib flow diagram
- First Service Provider contact to Identity Provider would be the request for attributes
- Lots of points of agreement to be worked out
26. Multi-campus system deployment model 1
[Diagram: Browser User; Identity Providers at Campus A, B, C, D and E; Campus B Service Provider; Apache (1.3 or 2.0) / Tomcat web server / servlet container, or IIS 5.x or 6]
27. Multi-campus system deployment model 1
- Identity Provider per campus (vs. System IdP model)
- Create a system federation (some policy configuration work here)
- Any campus can put up Shibbed service
- Or a system library can offer system-licensed resources
- Each campus retains control of Identity Management--high autonomy model
28. Multi-campus system deployment model 2
[Diagram: Browser User; Campus A, B and C directories feeding a System-level Identity Provider; several Service Providers]
29. Multi-campus system deployment model 2
- System-level Identity Provider model
- Significant campus-to-system metadirectory infrastructure
- Create a system federation (some policy configuration work here)
- Any campus can put up Shibbed service
- Or a system library can offer system-licensed resources
- More seamless system citizen experience
30. Coming: Shib breaks free of the browser
- Number of open source projects are exploring this space
- A pure Java implementation of Service Provider components of Shibboleth (now in beta) will really open the door
31. Q & A
- Which of these issues seem tough to you?