Shibboleth review

1
Shibboleth review

• Guy Rixon to GWS-WG session, Kyoto, May 2005

2
What is it?

• A SSO authentication system
• Produced by the Internet 2 project
• Intended for securing web pages
• S/w for user-community sites and for service
  providers.
• Deployed (or to be deployed) in a variety of US
  and European universities.
• Specification reference implementation

3
What does it do?

• Lets users use sign-on mechanisms at their home
  sites.
• Transfers authentication assertions from user
  sites to service sites.
• Supplies user attributes, e.g. affiliation,
  nationality, group membership, to support
  authorization decisions.

4
Shibboleth architecture (1)

• Three-stage process for authentication
• Find origin site for user running agent
• Send SAML authentication statement from origin
  site to service site.
• Get attributes from origin site into service.

5
Shibboleth architecture (2)
1
2
3
6
Limitations

• Requires HTTP(S)
• Requires HTTP redirection
• Requires user interaction while calling service
  (presents web form)
• Doesnt support SOAP (or any HTTP-post)
• Protocols not full specified cant guarantee
  interoperation

7
Recomendations

• Dont use Shibboleth as-is.
• Discard the agent-authentication steps use
  certificate-based auth. instead.
• Keep the attribute-server bit
• http//www.ivoa.net/internal/IVOA/IvoaGridAndWebSe
  rvices/shibboleth-review-v0.1.html