Shibboleth A Technical Overview

1
ShibbolethA Technical Overview

• Tom Scavotrscavo_at_ncsa.uiuc.edu
• NCSA

2
What is Shibboleth?

• Shibboleth provides cross-domain single sign-on
  and attribute-based authorization while
  preserving user privacy
• Shibboleth is simultaneously
• A project
• A specification
• An implementation

3
Shibboleth Project

• Shibboleth, a project of Internet2-MACE
• Advocates a federated identity management policy
  framework focused on user privacy
• Develops middleware architectures to facilitate
  inter-institutional attribute sharing
• Manages an open source reference implementation
  of the Shibboleth spec
• Shibboleth has made significant contributions to
  the SAML-based identity management space

4
Collaborations
Internet2
E-Auth
OASIS
Shibboleth
Liberty
Educause
Vendors
5
Shibboleth Specification

• Shibboleth is an extension of the SAML 1.1
  browser profiles
• Shibboleth Browser/POST Profile
• Shibboleth Browser/Artifact Profile
• Shibboleth Attribute Exchange Profile
• See the Shibboleth spec for detailsS. Cantor et
  al., Shibboleth Architecture Protocols and
  Profiles. Internet2-MACE, 10 September 2005.

6
Shibboleth Implementation

• The Shibboleth implementation consists of two
  components
• Shibboleth Identity Provider
• Shibboleth Service Provider
• The Identity Provider is a J2EE webapp
• The Service Provider is a C Apache module
• A pure Java Service Provider is in beta

7
The Shibboleth Experience
8
The Shibboleth Wiki

• For example, the Shibboleth wiki (hosted at
  ohio-state.edu) is shibbolizedhttps//authdev.
  it.ohio-state.edu/twiki/bin/view/GridShib/WebHome
  
• To edit wiki pages, a user must be known to the
  wiki
• Users have wikiNames but do not have wiki
  passwords
• Users log into their home institution, which
  asserts user identity to the wiki

9
(No Transcript)
10
Shib Browser Profile

• The user clicks the link Login via InQueue IdP
• This initiates a sequence of steps known as the
  Shibboleth Browser Profile

3
UIUC
C L I E N T
4
1
InQueue
7
6
2
5
OSU
8
11
(No Transcript)
12
Shib Browser Profile

• InQueue provides a Where Are You From? service
• The user chooses their preferred identity
  provider from a menu

3
UIUC
C L I E N T
4
1
InQueue
7
6
2
5
OSU
8
13
(No Transcript)
14
Shib Browser Profile

• The user is redirected to UIUC login page
• After login, the user is issued a SAML assertion
  and redirected back to the wiki

3
UIUC
C L I E N T
4
1
InQueue
7
6
2
5
OSU
8
15
(No Transcript)
16
Shib Browser Profile

• After validating the assertion, the wiki_at_OSU
  retrieves user attributes via back-channel Shib
  attribute exchange

3
UIUC
C L I E N T
4
1
InQueue
7
6
2
5
OSU
8
17
Asserting Identity

• Initially, the user is unknown to the wiki
• After querying the home institution, the wiki
  knows the users identity
• trscavo-uiuc.edu is wiki-speak for
  trscavo_at_uiuc.edu
• The latter is eduPersonPrincipalName, an identity
  attribute asserted by the users home institution

18
OpenIdP.org

• By design, a user with an account at an
  institution belonging to InCommon, InQueue, or
  SDSS can log into the wikihttps//authdev.it.ohi
  o-state.edu/twiki/bin/view/GridShib/WebHome
• Other users can register at openidp.org, which is
  a zero-admin Shibboleth IdP
• The openidp asserts an alternate form of identity
  (email addresses as opposed to eduPersonPrincipalN
  ame)

19
Shibboleth SSO Profiles
20
The Actors
Identity Provider

• Identity Provider
• The Identity Provider (IdP) creates, maintains,
  and manages user identity
• A Shibboleth IdP produces SAML assertions
• Service Provider
• The Service Provider (SP) controls access to
  services and resources
• A Shibboleth SP consumes SAML assertions

Authentication Authority
Attribute Authority
SSO Service
Artifact Resolution Service
Assertion Consumer Service
Attribute Requester
Resource
Service Provider
21
Shib SSO Profiles

• Shibboleth SSO profiles are SP-first
• Shibboleth specifies an Authentication Request
  Profile
• Shibboleth Browser/POST Profile Shib Authn
  Request Profile SAML Browser/POST Profile
• Shibboleth Browser/Artifact Profile Shib
  Authn Request Profile SAML
  Browser/Artifact Profile

22
Shib AuthN Request Profile

• A Shibboleth authentication request is an
  ordinary GET requesthttps//idp.org/shibboleth/S
  SO? providerIdhttps//sp.org/shibboleth/
  shirehttps//sp.org/shibboleth/SSO
  targethttps//sp.org/myresource
  time1102260120
• The client is redirected to this location after
  requesting a protected resource at the SP without
  a security context

23
Shib Browser/POST Profile
Identity Provider

• Browser/POST is an SP-first profile
• The IdP produces an assertion at step 4, which
  the SP consumes at step 5

C L I E N T
Authentication Authority
Attribute Authority
SSO Service
4
3
Assertion Consumer Service
6
5
8
Resource
7
2
1
Service Provider
24
Attributes
25
Shib Attribute Exchange

• A Shibboleth SP often queries an IdP for
  attributes after validating an authN assertion
• An opaque, transient identifier called a handle
  is embedded in the authN assertion
• The SP sends a SAML AttributeQuery message with
  handle attached

26
Browser/POST Profile
Identity Provider

• The first 5 steps of this profile are identical
  to ordinary Browser/POST
• Before redirecting the Client to the Resource
  Manager, the SP queries for attributes via a
  back-channel exchange

C L I E N T
Authentication Authority
Attribute Authority
SSO Service
4
3
7
6
Assertion Consumer Service
Attribute Requester
8
5
10
Resource
9
2
1
Service Provider
27
Browser/POST Step 1
Identity Provider

• The Client requests a target resource at the SP

C L I E N T
Authentication Authority
Attribute Authority
SSO Service
Assertion Consumer Service
Resource
1
Service Provider
28
Browser/POST Step 2
Identity Provider

• The SP performs a security check on behalf of the
  target resource
• If a valid security context at the SP does not
  exist, the SP redirects the Client to the single
  sign-on (SSO) service at the IdP

C L I E N T
Authentication Authority
Attribute Authority
SSO Service
Assertion Consumer Service
Resource
2
1
Service Provider
29
Browser/POST Step 3
Identity Provider

• The Client requests the SSO service at the IdP

C L I E N T
Authentication Authority
Attribute Authority
SSO Service
3
Assertion Consumer Service
Resource
2
1
Service Provider
30
Browser/POST Step 4
Identity Provider

• The SSO service processes the authN request and
  performs a security check
• If the user does not have a valid security
  context, the IdP identifies the principal
  (details omitted)
• The SSO service produces an authentication
  assertion and returns it to the Client

C L I E N T
Authentication Authority
Attribute Authority
SSO Service
4
3
Assertion Consumer Service
Resource
2
1
Service Provider
31
Browser/POST Step 5
Identity Provider

• The Client issues a POST request to the assertion
  consumer service at the SP
• The authN assertion is included with the request

C L I E N T
Authentication Authority
Attribute Authority
SSO Service
4
3
Assertion Consumer Service
5
Resource
2
1
Service Provider
32
Browser/POST Step 6
Identity Provider

• The assertion consumer service validates the
  request, creates a security context at the SP
• The attribute requester sends a (mutually
  authenticated) attribute query to the AA

C L I E N T
Authentication Authority
Attribute Authority
SSO Service
4
3
6
Assertion Consumer Service
Attribute Requester
5
Resource
2
1
Service Provider
33
Browser/POST Step 7
Identity Provider

• The IdP returns an attribute assertion subject to
  attribute release policy
• The SP filters the attributes according to
  attribute acceptance policy

C L I E N T
Authentication Authority
Attribute Authority
SSO Service
4
3
7
6
Assertion Consumer Service
Attribute Requester
5
Resource
2
1
Service Provider
34
Browser/POST Step 8
Identity Provider

• The assertion consumer service updates the
  security context and redirects the Client to the
  target resource

C L I E N T
Authentication Authority
Attribute Authority
SSO Service
4
3
7
6
Assertion Consumer Service
Attribute Requester
8
5
Resource
2
1
Service Provider
35
Browser/POST Step 9
Identity Provider

• The Client requests the target resource at the SP
  (again)

C L I E N T
Authentication Authority
Attribute Authority
SSO Service
4
3
7
6
Assertion Consumer Service
Attribute Requester
8
5
Resource
9
2
1
Service Provider
36
Browser/POST Step 10
Identity Provider

• Since a security context exists, the SP returns
  the resource to the Client

C L I E N T
Authentication Authority
Attribute Authority
SSO Service
4
3
7
6
Assertion Consumer Service
Attribute Requester
8
5
10
Resource
9
2
1
Service Provider
37
Directory Schema

• Neither Shibboleth nor SAML define any attributes
  per se
• It is left to individual deployments to define
  their own attributes
• A standard approach to user attributes is crucial
• Without such standards, interoperability is
  impossible

38
eduPerson

• Internet2 and EDUCAUSE have jointly developed a
  set of attributes and associated bindings called
  eduPerson
• The LDAP binding of eduPerson is derived from the
  standard LDAP object class called inetOrgPerson
  RFC 2798
• Approximately 40 attributes have been defined by
  InCommon as common identity attributes

39
InCommon Attributes

• InCommons 6 highly recommended attributes

Attribute Name Attribute Value
givenName Mary
sn (surname) Smith
cn (common name) Mary Smith
eduPersonScopedAffiliation student_at_example.org
eduPersonPrincipalName mary.smith_at_example.org
eduPersonTargetedID ?
(eduPersonTargetedID does not have a precise
value syntax)