Shibboleth: How It Relates to SAML

1
Shibboleth How It Relates to SAML

• Marlena Erdos
• Aug 27, 2001

2
Outline

• What is Shibboleth?
• Why Shibboleth? (Shortened)
• High Level Architecture
• Artifact Creation Use
• Connects Disconnects with SAML

3
What is Shibboleth?(meta-information)

• A joint project of Internet2/MACE and IBM
• Internet2 a consortium of 200 higher-ed
  institutions (e.g. MIT, Brown, Ohio State)
• A system with an emphasis on higher-ed
• A system very applicable to the B2B space

4
What is Shibboleth?(Really!)

• A system for the secure exchange of
  interoperable authorization information which can
  be used in access control decisions
• AuthZ info
• name
• attributes e.g. group, role, course membership

5
What is Shibboleth?(Yet More)

• A system ...
• with an emphasis on privacy
• users control release of their attributes
• partially based on the emerging SAML std
• both narrower and broader
• an example of federated administration

6
Outline

• What is Shibboleth?
• Why Shibboleth?
• High Level Architecture
• Artifact Creation Use
• Connects Disconnects with SAML

7
Why Shibboleth?

• Slides about the benefits of Federated Admin
  removed.
• Higher Ed has privacy obligations
• FERPA demands permission for PII release
• General interest and concern in privacy
• Shibboleth has privacy provisions built in

8
Outline

• What is Shibboleth?
• Why Shibboleth?
• High Level Architecture
• Artifact Creation Use
• Connects Disconnects with SAML

9
High Level Arch Outline

• Simplified Arch -- Getting Attributes
• More Full Arch -- Getting Handles
• Attributes
• Attribute Release Policies

10
Simplified Arch/FlowGetting Attributes

• Browser User tries to access web resource
• Shibbolized web server has no user context
• SHAR part of server gets attrs from an AA
• SHAR SHibboleth Attribute Requestor
• AA Attribute Authority

11
Simplified Flow
12
More Full Arch/FlowGetting an artifact aka
handle package

• Privacy aspect of Shibb creates burdens
• No (zero) identifying info on user initially
• No home site info either
• Shibbolized server must get a user handle
• The SHIRE does this work
• Note The following describes first contact
  rather than local portal. Both work.

13
SHIRE

• The part of the server that gets artifacts is
• Shibboleth Indexical Reference Establisher
• Indexical Reference -gt point at user
• No identity
• No description

14
SHIRE (cont)

• SHIRE uses http connection to point at user
• SHIRE acquires artifacts securely
• SHIRE passes the some of the artifact contents to
  SHAR
• handle to use in a query
• AA address info

15
SHIRE Flow

• The SHIRE interacts with
• WAYF to get users home institution info
• Home institutions Handle Server

16
SHIRE/WAYF

• WAYF Where Are You From
• WAYF
• asks user for their home institution
• retrieves handle server info of the home site
• Handle server info
• IP address
• PKI certificate or equivalent

17
SHIRE/Handle Server

• SHIRE asks handle server for a handle
• Point to user via http redirect
• Handle server interacts with
• authentication system and user if necessary
• AA (potentially)

18
Acquiring a handle
19
The Whole Flow
20
High Level Arch Outline

• Simplified Arch -- Getting Attributes
• More Full Arch -- Getting Handles
• Attributes
• Attribute Release Policies
• AQMs, ARPs, Assertions

21
Attributes

• EPPN EduPerson Principal Name
• From the EduPerson schema
• e.g. StevenCarmody_at_brown.edu
• Affiliation
• Faculty, Staff, Student
• MemberOfCommunity
• GroupMembershipExt
• allow for extension of attribute space

22
Attribute Release Policies (ARPs)

• An ARP at an AA consists of
• The destination SHAR's name
• The attributes to be released to the SHAR
• And optionally a URL (called a target)
• Target refers to entire subtree of resources

23
ARPs (cont)

• User can have as many ARPs as needed
• AA finds set of ARPs
• Initial set based on SHAR making AQM
• AA finds best match
• AQM contains users requested destination URL
• Requested URL compared with targets in ARPs

24
ARPs, AQM, Assertions

• When AQM comes in ...
• AA finds best fit ARP ...
• ... creates or finds an assertion that fits the
  ARP!
• Finds ARP based on user and SHAR
• Finds user from handle!!!
• -gt Handle is in the AQM

25
Outline

• What is Shibboleth?
• Why Shibboleth?
• High Level Architecture
• Artifact Creation Use
• Connects Disconnects with SAML

26
Artifact Creation and Use

• Handle Server
• SHIRE

27
Handle Server

• Answers attribute query handle request
• AQHR contains
• SHIRE Name (FQDN)
• URL that user typed (for the redirect)

28
Handle Server (cont)

• The AQHR is redirect thru the browser
• HS must
• figure out who the user is
• can interact with user and authN system
• create a handle that identifies the user to the
  AA (but to no one else)
• Could encrypt principal id with AAs public key

29
Handle Server

• The response to the AQHR
• version number of response
• opaque user handle
• FQDN of the requesting SHIRE
• IP address of browser process
• issue time of this response
• AA contact information
• FQDN of Handle Server
• Signature (w/o certificate) (XSIG)

30
SHIRE

• Performs inpersonation checks
• Possible threats include
• malicious user pretends to be real user
• malicious SHIRE pretends to be real user

31
SHIRE (cont)

• Malicious user counter-measure
• IP address and issue time
• Malicious SHIRE counter-measure
• Intended SHIRE name
• SHIRE checks counter-measure info against
• reality.

32
Outline

• What is Shibboleth?
• Why Shibboleth?
• High Level Architecture
• Artifact Creation Use
• Connects Disconnects with SAML

33
Connects

• Query Assertion Artifact formats
• We want to use SAML query assn format!
• We want to be artifact framework compliant!
• Summary Differences from current spec seem
  workable.

34
Disconnects with SAML

• Disconnects
• Semantics of the artifact
• Where impersonation countermeasure info belongs
• In the assertion or in packaging?
• Requirement for an AuthN assertion
• How to represent an anonymous browser user in the
  assertion

35
Disconnects

• Semantics of the artifact
• Shibb A handle that refers to a user plus
  counter-measure packaging.
• Bindings doc A small, bounded-size item,
  which unambiguously identifies an assertion
• Possible resolution The thing can be used to
  retrieve an assertion about the related browser
  user.

36
Connect within the Disconnect

• Out of Band trust info for the source
• Bindings ltPartnerIDgt is a four byte value used
  by the destination site to determine source site
  identity as well as the URL (or address) for the
  assertion lookup service.
• Shib Destination keeps lists of trusted Handle
  Services. But, Assertion Lookup Service addr
  info is carried in the handle package.

37
Artifact Structure

• Framework for Artifacts
• B64 rep of ltTypeCodegt ltartifact contentsgt
  

38
Artifact vs Handle Package

• Bindings Instantiation of an Artifact
• ltTypeCodegt 0x0001 ltPartnerIDgt
• ltAssertionHandlegt
• Handle Package
• No type code -- yet!!
• Name Signature of Handle Service
• Opaque user handle
• plus
• Countermeasure Info
• AA contact information

39
Disconnects

• CounterMeasure Protection Placement
• Shibb Countermeasures are in the artifact and
  package the handle.
• Bindings Countermeasures are in the assertion
• the assertion must be an AuthN assertion!!
• -e.g Audience Restriction
• What about Post-ed assertions?
• Marlena Package the assertion just like the
  handle!

40
Disconnect

• Web Browser profiles currently requires an
  AuthN assn
• Mar claims
• not really necessary for the framework
• rather tied to the 001 type artifact
• A Shib-like artifact is possible 002
• Different specifics to meet overall goals!

41
Disconnects

• Representation of anonymous browser user
• In the query and in the assertion
• Shibb hope Query by handle
• Shibb hope Assertion Subject indicates handle
  (in some way)
• Core doc says ...

42
Disconnects (?)

• Core Doc Subject
• Name
• SubjectConfirmation
• Assertion Specifier.
• SubjectConfirmation
• Confirmation Method -gt Artifact (4.1.1)
• Marlena Which part of the artifact?
• What about new types of artifacts?

43
THE END

• Shibboleth Acknowledgements
• Design Team David Wasley U of C RL Bob Morgan U
  of Washington Keith Hazelton U of Wisconsin
  (Madison)Marlena Erdos IBM/Tivoli Steven
  Carmody Brown Scott Cantor Ohio State
• Important Contributions from Ken Klingenstein
  (I2) Michael Gettes Georgeton, Scott Fullerton
  (Madison)