1 / 32

Integrating Shibboleth with Enterprise Identity and Access Management (IAM) Systems

Integrating Shibboleth with Enterprise Identity and Access Management (IAM) Systems. Presentation available at: http://arch.doit.wisc.edu/keith/midnet ShibInteg-050609-01.ppt Keith Hazelton, hazelton@doit.wisc.edu Sr. IT Architect, University of Wisconsin-Madison Internet2 MACE

RoyLauris
Download Presentation

Integrating Shibboleth with Enterprise Identity and Access Management (IAM) Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Integrating Shibboleth with Enterprise Identity and Access Management (IAM) Systems Presentation available at: http://arch.doit.wisc.edu/keith/midnet ShibInteg-050609-01.ppt Keith Hazelton, hazelton@doit.wisc.edu Sr. IT Architect, University of Wisconsin-Madison Internet2 MACE MIDnet Spring Conference, June 10, 2005

  2. Shibboleth v 1.2.1a Integration Overview • Identity Provider (Origin) Deployment, Integration • Authentication/Identifier Assertion Phase Components & Dependencies • Identity Attribute Assertion Phase • Service Provider (Target) Deployment, Integration • Two scenarios for each: • Shib “classic” e-Lib: accessing licensed resources • Shib federation across a state system: shared services

  3. Basic IAM functions mapped to theNMI / MACE components Apps / Resources Enterprise Directory AuthN Systems of Record AuthN Log Reflect Provision Join WebISO Credential AuthZ Mng. Affil. Mng. Priv. Deliver Log Grouper Signet Shibboleth

  4. Identity Provider / (Origin) Ident. Provider (wasabi) WAYF “HS” Service Provider (gari) Browser User Attribute Authority Apache (1.3 or 2.0) / Tomcat Web server / Servlet container Inspired by SWITCH (Swiss REN) HTTP://www.switch.ch/aai/demo/

  5. Identity Provider / (Origin): AuthN, Identifier Campus WebISO Identity Provider (wasabi) “HS” Attribute Authority Apache (1.3 or 2.0) / Tomcat Web server / Servlet container

  6. WebISO requirements from Shib Campus WebISO • WebISO can authenticate a set of users based on locally issued/registered credentials • Open source WebISO package, PubCookie,mentioned in “Origin” Deployment Guide. • For details & download, see http://middleware.internet2.edu/webiso/

  7. WebISO alternatives Campus WebISO • But end-user PKI certs work fine, too (configurable filter) • And there are ways to support multiple AuthN methods with failover • “UW-Madison 2” InQueue IdP runs this configuration • End entity certificate with failover to LDAP basic auth. • See wasabiHttpd.conf, lines 1017 et seq.

  8. Shib assumes Identity and Access Management (IAM) Services Meta- Directory Processes Registry Student System of Record Campus WebISO Human Resources System of Record LDAP Directory Other Systems of Record Enterprise Directory

  9. Identity Provider Middleware Campus WebISO wasabi Enterprise Directory “HS” Attribute Authority Apache (1.3 or 2.0) / Tomcat Web server / Servlet container

  10. Identity Provider / (Origin) Ident. Provider (wasabi) “HS” Service Provider (gari) Browser User Attribute Authority Apache (1.3 or 2.0) / Tomcat Web server / Servlet container

  11. Identity Provider / (Origin)Attribute Assertion Phase Ident. Provider “HS” Service Provider Browser User Attribute Authority Apache (1.3 or 2.0) / Tomcat Web server / Servlet container

  12. Identity Provider Middleware Campus WebISO Enterprise Directory “HS” Attribute Authority Apache (1.3 or 2.0) / Tomcat Web server / Servlet container

  13. Attribute Authority (AA) <–> Ent. Directory • Shib AA Deployment Issues: • Configure AA to connect to Ent. Directory • Data connectors can be JNDI-based, JDBC-based (xml-configurable) or custom user plug-ins • Map Directory attributes to SAML attributes

  14. Attribute Authority (AA) <–> Ent. Directory • Fragment of ..conf/origin.xml

  15. Attribute Authority (AA) <–> Ent. Directory • Resolver links named attributes to specific data connectors:

  16. Attribute Authority (AA) <–> Ent. Directory • …and specifies connector (here JNDI LDAP):

  17. Attribute Authority (AA) <–> Ent. Directory • …and specifies connector (here JDBC SQL):

  18. Attribute Authority (AA) <–> Ent. Directory • Shib AA Deployment Issues, cont.: • Comply with Attribute Release Policy (ARP) in determining which service providers get which attributes • Federation rules are given • Bilateral rules need to be worked out & agreed to

  19. Attribute Authority (AA) <–> Ent. Directory • Ah, yes, data access policy • This may drag stakeholders kicking & screaming into the room to confront policy • How you manage this will be key to successful deployment • The “DON’T PANIC” in big friendly letters on the InCommon Book may help

  20. Attribute Authority (AA) <–> Ent. Directory • Shib can transport any attribute--it’s up to sender and receiver to agree on its semantics • “Simple matter of configuration” • Some of the newer attributes • eduPersonTargetedID if you want a persistent identifier, but one that is specific to a given Identity Provider-Service Provider pair • Course-related attributes. URN-based identifier guideline near for course offering. eduCourse (currently in last call).

  21. Service Provider / (Target) Service Provider (gari) Identity Provider (wasabi) Browser User Apache (1.3 or 2.0) / Tomcat Web server / Servlet container or IIS 5.x or 6

  22. Shib Features for Service Providers • WAYF for federations, other options configurable • Authentication method can be passed in attribute assertion for fine tuning risk management • A site may have a public face with specific links that invoke Shib

  23. Services you might not have thought of Shibbing • Roaming Access to WLAN • http://www.terena.nl/conferences/tnc2004/ programme/presentations/show.php?pres_id=165 • Mikael Linden, CSC, the Finnish IT center for Science • RADIUS-based access controller is a Shibboleth service provider • Network access control decision based on user’s “home” attributes

  24. Services you might not have thought of Shibbing • Portal as Shib Service • Apache in front of Portal on Tomcat • Other approaches under consideration

  25. Coming Shib Features for Service Providers • PKI-based direct-to-target scenario • Cert would contains • (possibly opaque) subject id • Identifier for associated Identity Provider • Would eliminate the first several steps in the classic Shib flow diagram • First Service Provider contact to Identity Provider would be the request for attributes • Lots of points of agreement to be worked out

  26. Multi-campus system deployment model 1 CampusA IdProv CampusB Service Provider CampusB IdProv Browser User Apache (1.3 or 2.0) / Tomcat Web server / Servlet container or IIS 5.x or 6 CampusC IdProv CampusD IdProv CampusE IdProv

  27. Multi-campus system deployment model 1 • Identity Provider per campus (vs. System IdP model) • Create a system federation (some policy & configuration work here) • Any campus can put up Shibbed service • Or a system library can offer system-licensed resources • Each campus retains control of Identity Management--high autonomy model

  28. Multi-campus system deployment model 2 CampusA Dir Browser User System-level Identity Provider Service Provider Service Provider Service Provider CampusB Dir Service Provider CampusC Dir

  29. Multi-campus system deployment model 2 • System-level Identity Provider model • Significant campus-to-system metadirectory infrastructure • Create a system federation (some policy & configuration work here) • Any campus can put up Shibbed service • Or a system library can offer system-licensed resources • More seamless “system citizen” experience

  30. Coming: Shib breaks free of the browser • Number of open source projects are exploring this space • A pure Java implementation of Service Provider components of Shibboleth (now in beta) will really open the door

  31. Q & A • Which of these issues seem tough to you?

More Related