
Integrating Shibboleth with Enterprise Identity and Access Management (IAM) Systems

Presentation available at:
http://arch.doit.wisc.edu/keith/midnet
ShibInteg-050609-01.ppt

Keith Hazelton, hazelton@doit.wisc.edu
Sr. IT Architect, University of Wisconsin-Madison
Internet2 MACE
MIDnet Spring Conference, June 10, 2005
Shibboleth v 1.2.1a
Integration Overview

• Identity Provider (Origin) Deployment, Integration
  • Authentication/Identifier Assertion Phase Components & Dependencies
  • Identity Attribute Assertion Phase
• Service Provider (Target) Deployment, Integration
• Two scenarios for each:
  • Shib “classic” e-Lib: accessing licensed resources
  • Shib federation across a state system: shared services
Basic IAM functions mapped to the NMI / MACE components

[Diagram: Systems of Record, the Enterprise Directory and Apps / Resources, with the NMI / MACE components WebISO, Grouper, Signet and Shibboleth placed between them.]
Identity Provider / (Origin)

[Diagram: the Identity Provider (wasabi), made up of the “HS” (Handle Service) and the Attribute Authority, runs on Apache (1.3 or 2.0) / Tomcat (web server / servlet container); the Browser User, the WAYF and the Service Provider (gari) are the other parties in the flow.]

Inspired by SWITCH (Swiss REN) http://www.switch.ch/aai/demo/
Identity Provider / (Origin): AuthN, Identifier

[Diagram: the Campus WebISO authenticates the user for the “HS” (Handle Service) of the Identity Provider (wasabi); the Attribute Authority sits alongside it, all on Apache (1.3 or 2.0) / Tomcat (web server / servlet container).]
WebISO requirements from Shib

• WebISO can authenticate a set of users based on locally issued/registered credentials
• Open source WebISO package, Pubcookie, mentioned in “Origin” Deployment Guide
• For details & download, see http://middleware.internet2.edu/webiso/
WebISO alternatives

• But end-user PKI certs work fine, too (configurable filter)
• And there are ways to support multiple AuthN methods with failover
  • “UW-Madison 2” InQueue IdP runs this configuration
  • End entity certificate with failover to LDAP basic auth
  • See wasabiHttpd.conf, lines 1017 et seq.
Shib assumes Identity and Access Management (IAM) Services

[Diagram of the Enterprise Directory: the Student, Human Resources and Other Systems of Record feed Meta-Directory Processes and a Registry, which populate the LDAP Directory used by the Campus WebISO.]
Identity Provider Middleware

[Diagram: the Campus WebISO and the Enterprise Directory feed the Identity Provider (wasabi): WebISO the “HS”, the Enterprise Directory the Attribute Authority, both on Apache (1.3 or 2.0) / Tomcat (web server / servlet container).]
Identity Provider / (Origin)

[Diagram repeated from the earlier Identity Provider / (Origin) slide, without the WAYF: the Identity Provider (wasabi) with “HS” and Attribute Authority on Apache (1.3 or 2.0) / Tomcat, the Browser User and the Service Provider (gari).]
Identity Provider / (Origin): Attribute Assertion Phase

[Diagram: the same Identity Provider layout (“HS” and Attribute Authority on Apache (1.3 or 2.0) / Tomcat), with the Browser User and the Service Provider; in this phase the Service Provider queries the Attribute Authority for the user's attributes.]
Attribute Authority (AA) <–> Ent. Directory

• Shib AA Deployment Issues:
  • Configure AA to connect to Ent. Directory
    • Data connectors can be JNDI-based, JDBC-based (xml-configurable) or custom user plug-ins
  • Map Directory attributes to SAML attributes
Attribute Authority (AA) <–> Ent. Directory

• Fragment of ..conf/origin.xml

Attribute Authority (AA) <–> Ent. Directory

• Resolver links named attributes to specific data connectors:

Attribute Authority (AA) <–> Ent. Directory

• …and specifies connector (here JNDI LDAP):

Attribute Authority (AA) <–> Ent. Directory

• …and specifies connector (here JDBC SQL):
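The resolver fragments on the preceding slides are not reproduced in this text, so here is an added example (not code from the presentation or from the Shibboleth project) of what they configure, written in Python: named attribute definitions that depend on data connectors, one LDAP-style lookup and one SQL query (sqlite3 standing in for a JDBC source), with directory attributes mapped onto SAML attribute names and a scope appended where the definition carries one. The directory entry, the enrollment table and the name urn:example:attribute-def:courseMembership are constructed for the demo; scoped values are rendered as value@scope for readability, whereas Shibboleth carries the scope separately from the value. Where a query template substitutes the principal into SQL text, binding it as a parameter, as done here, keeps a crafted username from changing the query.

```python
"""Added example: a minimal attribute resolver in the shape Shibboleth 1.2's
resolver configuration describes -- attribute definitions that depend on data
connectors and map directory attributes to SAML attribute names. Not project
code; the directory entry, the SQL table and the course attribute name are
constructed for the demo."""
import sqlite3

# Constructed stand-in for the enterprise LDAP directory. A JNDI connector
# would search it with a filter such as uid=%PRINCIPAL%.
LDAP_DIRECTORY = {
    "jdoe": {
        "uid": ["jdoe"],
        "eduPersonAffiliation": ["member", "staff"],
        "mail": ["jdoe@example.edu"],
    },
}


def ldap_connector(principal):
    """JNDI-style connector: the directory entry for the principal, or {}."""
    return LDAP_DIRECTORY.get(principal, {})


def build_db():
    """Constructed SQL source standing in for a JDBC connector's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE enrollment (uid TEXT, course TEXT)")
    db.executemany("INSERT INTO enrollment VALUES (?, ?)",
                   [("jdoe", "CS101"), ("jdoe", "MATH201"), ("asmith", "CS101")])
    return db


def sql_connector(db, principal):
    """JDBC-style connector. The principal is bound as a parameter rather than
    pasted into the query text, so a crafted username cannot alter the SQL."""
    rows = db.execute(
        "SELECT course FROM enrollment WHERE uid = ? ORDER BY course",
        (principal,),
    ).fetchall()
    return {"course": [row[0] for row in rows]}


# Attribute definitions: SAML attribute name -> (connector id, source attribute, scope).
# The courseMembership name is hypothetical; the others are eduPerson / LDAP names.
ATTRIBUTE_DEFINITIONS = {
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": ("ldap", "uid", "example.edu"),
    "urn:mace:dir:attribute-def:eduPersonScopedAffiliation": ("ldap", "eduPersonAffiliation", "example.edu"),
    "urn:mace:dir:attribute-def:mail": ("ldap", "mail", None),
    "urn:example:attribute-def:courseMembership": ("sql", "course", None),
}


def resolve(principal, db):
    """Run every connector once for the principal, then build each SAML
    attribute from its connector's source attribute. Scoped values are shown
    as value@scope here; attributes with no values are simply omitted."""
    connectors = {
        "ldap": ldap_connector(principal),
        "sql": sql_connector(db, principal),
    }
    resolved = {}
    for saml_name, (connector_id, source_attr, scope) in ATTRIBUTE_DEFINITIONS.items():
        values = list(connectors[connector_id].get(source_attr, []))
        if scope:
            values = [f"{value}@{scope}" for value in values]
        if values:
            resolved[saml_name] = values
    return resolved


def demo(principal="jdoe"):
    """Resolve one constructed principal against a fresh in-memory database."""
    return resolve(principal, build_db())


if __name__ == "__main__":
    for name, values in demo().items():
        print(name, values)
```

An unknown principal resolves to an empty attribute set rather than an error, which is the behaviour you want before the Attribute Release Policy is applied: nothing found, nothing asserted.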
Attribute Authority (AA) <–> Ent. Directory

• Shib AA Deployment Issues, cont.:
  • Comply with Attribute Release Policy (ARP) in determining which service providers get which attributes
    • Federation rules are given
    • Bilateral rules need to be worked out & agreed to
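To make the ARP step concrete, the following added example (not code from the presentation or from the Shibboleth project) parses a constructed ARP document in the Shibboleth 1.x style (Rule / Target / Requester / AnyTarget, Attribute / AnyValue / Value with release="permit" or "deny") and filters a resolved attribute set for a given requesting Service Provider. The evaluation rule implemented here is the example's own statement of the policy: a value is released only if some rule that applies to the requester permits it and no applying rule denies it, so anything the policy does not mention stays at the IdP. The ARP text, the provider IDs and the user's attributes are all constructed.

```python
"""Added example: evaluating a Shibboleth 1.x-style Attribute Release Policy
(ARP) so a Service Provider receives only the attribute values the policy
permits. Not project code; the ARP document and the user's attributes are
constructed. Rule implemented: release a value only if some rule applying to
the requester permits it and no applying rule denies it (default deny)."""
import xml.etree.ElementTree as ET

ARP_NS = "{urn:mace:shibboleth:arp:1.0}"

# Constructed ARP: affiliation goes to any target; one named SP additionally
# gets the principal name but is denied the "staff" affiliation value.
SAMPLE_ARP = """
<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Rule>
    <Target><AnyTarget/></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
  <Rule>
    <Target><Requester>https://sp.example.edu/shibboleth</Requester></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <Value release="deny">staff</Value>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>
"""


def parse_arp(xml_text):
    """Turn the ARP XML into a list of rules: which requesters each applies to,
    and per attribute an AnyValue decision plus per-value decisions."""
    rules = []
    for rule in ET.fromstring(xml_text).findall(ARP_NS + "Rule"):
        target = rule.find(ARP_NS + "Target")
        attrs = {}
        for attr in rule.findall(ARP_NS + "Attribute"):
            any_value = attr.find(ARP_NS + "AnyValue")
            attrs[attr.get("name")] = {
                "any": None if any_value is None else any_value.get("release"),
                "values": {v.text.strip(): v.get("release")
                           for v in attr.findall(ARP_NS + "Value")},
            }
        rules.append({
            "any_target": target.find(ARP_NS + "AnyTarget") is not None,
            "requesters": {r.text.strip() for r in target.findall(ARP_NS + "Requester")},
            "attributes": attrs,
        })
    return rules


def decide(rules, requester, name, value):
    """True only if some applicable rule permits this value and none denies it."""
    permitted = denied = False
    for rule in rules:
        if not (rule["any_target"] or requester in rule["requesters"]):
            continue
        attr = rule["attributes"].get(name)
        if attr is None:
            continue
        for release in (attr["any"], attr["values"].get(value)):
            if release == "permit":
                permitted = True
            elif release == "deny":
                denied = True
    return permitted and not denied


def filter_attributes(rules, requester, attributes):
    """Apply the ARP to a resolved attribute set (name -> list of values)."""
    released = {}
    for name, values in attributes.items():
        kept = [v for v in values if decide(rules, requester, name, v)]
        if kept:
            released[name] = kept
    return released


# Constructed attribute set for the user being asserted.
USER_ATTRIBUTES = {
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": ["jdoe@example.edu"],
    "urn:mace:dir:attribute-def:eduPersonAffiliation": ["member", "staff"],
    "urn:mace:dir:attribute-def:mail": ["jdoe@example.edu"],
}


def release_for(requester):
    """What the constructed ARP lets this requester see of USER_ATTRIBUTES."""
    return filter_attributes(parse_arp(SAMPLE_ARP), requester, USER_ATTRIBUTES)


if __name__ == "__main__":
    for sp in ("https://sp.example.edu/shibboleth", "https://other.example.org/shibboleth"):
        print(sp, release_for(sp))
```

Note that mail is never released: no rule mentions it, and default deny is what makes a bilateral agreement ("this SP gets these attributes and nothing else") enforceable rather than aspirational.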
Attribute Authority (AA) <–> Ent. Directory

• Ah, yes, data access policy
• This may drag stakeholders kicking & screaming into the room to confront policy
• How you manage this will be key to successful deployment
• The “DON’T PANIC” in big friendly letters on the InCommon Book may help
Attribute Authority (AA) <–> Ent. Directory

• Shib can transport any attribute; it’s up to sender and receiver to agree on its semantics
  • “Simple matter of configuration”
• Some of the newer attributes
  • eduPersonTargetedID if you want a persistent identifier, but one that is specific to a given Identity Provider-Service Provider pair
  • Course-related attributes. URN-based identifier guideline near for course offering. eduCourse (currently in last call).
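One way to derive the pairwise identifier the eduPersonTargetedID bullet describes, as an added example that is not part of the presentation or of the Shibboleth code base: an HMAC-SHA256 under an IdP-wide secret over the (principal, Service Provider) pair gives a value that is stable for one IdP-SP pair, different for every other SP, and not reversible to the principal. The contrasting unkeyed variant shows why the secret matters: an SP holding a campus directory listing can hash every candidate username for its own provider ID and recover the person behind a supposedly opaque identifier. The salt, provider IDs and usernames are constructed; the derivation itself is this example's choice, not a statement of how any Shibboleth release computes the attribute.

```python
"""Added example: deriving a persistent, pairwise identifier of the kind
eduPersonTargetedID calls for -- stable for one Identity Provider / Service
Provider pair, different for every other SP, and not reversible to the
principal. Not project code; the salt, provider IDs and names are constructed."""
import base64
import hashlib
import hmac

# Constructed IdP-wide secret. In a deployment it is generated randomly and kept
# as confidential as a signing key: rotating it changes every user's identifiers.
IDP_SALT = b"constructed-salt-replace-with-random-bytes"


def _pair(principal, sp_provider_id):
    """Unambiguous encoding of the (principal, SP) pair; the NUL separator keeps
    ("ab", "c") and ("a", "bc") from producing the same input."""
    return principal.encode() + b"\x00" + sp_provider_id.encode()


def targeted_id(principal, sp_provider_id, salt=IDP_SALT):
    """Keyed derivation: HMAC-SHA256 under the IdP salt over the pair."""
    digest = hmac.new(salt, _pair(principal, sp_provider_id), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def unkeyed_id(principal, sp_provider_id):
    """The tempting shortcut: an unkeyed hash of the pair. It looks opaque, but
    anyone who can enumerate candidate usernames can reverse it."""
    return base64.b64encode(hashlib.sha256(_pair(principal, sp_provider_id)).digest()).decode()


def reidentify(observed_id, sp_provider_id, candidate_principals):
    """The dictionary attack an SP can run with a directory listing: hash every
    candidate for its own provider ID and compare. Returns the matching
    principal, or None when the observed ID was derived under a secret the
    attacker does not hold."""
    for principal in candidate_principals:
        if hmac.compare_digest(unkeyed_id(principal, sp_provider_id), observed_id):
            return principal
    return None


if __name__ == "__main__":
    sp_a = "https://sp-a.example.edu/shibboleth"
    sp_b = "https://sp-b.example.org/shibboleth"
    candidates = ["asmith", "jdoe"]
    print("SP A:", targeted_id("jdoe", sp_a))
    print("SP B:", targeted_id("jdoe", sp_b))
    print("recovered from unkeyed id:", reidentify(unkeyed_id("jdoe", sp_a), sp_a, candidates))
    print("recovered from keyed id:", reidentify(targeted_id("jdoe", sp_a), sp_a, candidates))
```

Two SPs that compare their identifier lists learn nothing about shared users, which is the whole point of a pair-specific identifier; the same property disappears the moment the salt leaks or the unkeyed variant is used.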
Service Provider / (Target)

[Diagram: the Browser User between the Identity Provider (wasabi) and the Service Provider (gari); the Service Provider runs on Apache (1.3 or 2.0) / Tomcat (web server / servlet container) or on IIS 5.x or 6.]
Shib Features for Service Providers

• WAYF for federations, other options configurable
• Authentication method can be passed in attribute assertion for fine tuning risk management
• A site may have a public face with specific links that invoke Shib
Services you might not have thought of Shibbing

• Roaming Access to WLAN
  • http://www.terena.nl/conferences/tnc2004/programme/presentations/show.php?pres_id=165
  • Mikael Linden, CSC, the Finnish IT center for Science
• RADIUS-based access controller is a Shibboleth service provider
• Network access control decision based on user’s “home” attributes
Services you might not have thought of Shibbing

• Portal as Shib Service
  • Apache in front of Portal on Tomcat
  • Other approaches under consideration
Coming Shib Features for Service Providers

• PKI-based direct-to-target scenario
  • Cert would contain
    • (possibly opaque) subject id
    • Identifier for associated Identity Provider
  • Would eliminate the first several steps in the classic Shib flow diagram
  • First Service Provider contact to Identity Provider would be the request for attributes
• Lots of points of agreement to be worked out
Multi-campus system deployment model 1

[Diagram: separate Identity Providers at Campus A, B, C, D and E; the Browser User reaches a Campus B Service Provider running on Apache (1.3 or 2.0) / Tomcat (web server / servlet container) or on IIS 5.x or 6.]
Multi-campus system deployment model 1

• Identity Provider per campus (vs. System IdP model)
• Create a system federation (some policy & configuration work here)
• Any campus can put up Shibbed service
• Or a system library can offer system-licensed resources
• Each campus retains control of Identity Management: high autonomy model
Multi-campus system deployment model 2

[Diagram: the Campus A, Campus B and Campus C directories feed a single System-level Identity Provider; the Browser User reaches any of several Service Providers through it.]
Multi-campus system deployment model 2

• System-level Identity Provider model
• Significant campus-to-system metadirectory infrastructure
• Create a system federation (some policy & configuration work here)
• Any campus can put up Shibbed service
• Or a system library can offer system-licensed resources
• More seamless “system citizen” experience
Coming: Shib breaks free of the browser

• A number of open source projects are exploring this space
• A pure Java implementation of the Service Provider components of Shibboleth (now in beta) will really open the door
Q&A

• Which of these issues seem tough to you?