Shibboleth: An Open Source, Federated Single Sign-On System
David E. Martin, martinde@northwestern.edu
International Center for Advanced Internet Research
Outline
  Security Mechanisms
  Access Control Schemes
  Shibboleth
  Underlying Technologies
  Conclusion
David E. Martin NetSecure09 March 12, 2009 2
Common Security Mechanisms
  Username/Password
    Static Password
    One-Time Password
    Dynamically Generated Password (SecurID Fob)
  Digital Certificate
  Kerberos Ticket
  Biometric Data
Username/Password
  Advantages
    Everyone Is Familiar with It
    Generally Easy to Remember
  Disadvantages
    People Generally Choose a Common Username and a Bad Password
    Difficult to Securely Issue/Reset a Password
    Others Can Read a Username/Password Sent Over a Network
Username/Password Variations
  One-Time Password
    User Gets a List of Passwords; Each Can Be Used Once
    Example: German Banks Issue 6-Digit TANs to Customers to Authorize On-Line Transactions
  Dynamically Generated Password
    A Program or Device Uses an Algorithm to Generate a Password the Server Expects
    Example: Wells Fargo Sends Out SecurID Fobs
  Biometric Data
    Fingerprint or Retinal Image Is Sent as the Password
    Mostly Used to Secure Local Data
    Example: Lenovo Client Security Solution Uses a Fingerprint Reader to Access the Local Password Store
Issues
  Enforcing Good Passwords
    Nobody Likes "Your password must be at least six characters with a mixture of letters and numbers. It must be changed every 90 days and you cannot reuse passwords."
  Issuing One-Time Passwords
    The List Must Be Transmitted Securely and Stored Securely
  Hardware
    SecurID Fobs Get Lost, Fingerprint Readers Break
Digital Certificates
  Private/Public Keys
    Each User and Server Has a Public and a Private Key
    A Message Encrypted with the Private Key Can Only Be Read with the Public Key
    A Message Encrypted with the Public Key Can Only Be Read with the Private Key
  X.509
    ITU-T Standard for a Public Key Infrastructure
    Public Key Certificates, Certificate Revocation Lists, Attribute Certificates, and a Certification Path Validation Algorithm
Public/Private Key Scenarios
  Verify Identity
    X Gets an Encrypted Message from Y
    X Decrypts It with Y's Public Key
    If This Decryption Works, the Message Is from Y
  Send a Message Securely
    X Encrypts the Message with Y's Public Key and Sends the Message to Y
    Y Receives the Message and Decrypts It with His Private Key
    The Message Can Only Be Read by Y
SSL Negotiation
  (Diagram from https://www.securetrust.com/resources/how-ssl-works)
Digital Certificate Problems
  Users Hate Them
    Can't Remember Them
    Can't Understand Them
    Can't Move Them Around
  A Certificate Doesn't Verify Identity
    You Have a Secure Link, But Who Is on the Other End?
Required New Yorker Cartoon
  (Image slide)
Identity Solutions
  Manual Sending of the Public Key
  Public Directory: LDAP, Web Pages
  Web of Trust: Key Ring
  Public Key Infrastructure (PKI)
PKI Architecture
  (Diagram slide)
PKI Implementations
  PKI Deployed in Limited Areas
    Verification of WWW Server Identity: Heavily Used in Internet Explorer and Firefox
    Closed User Groups Like Universities or Government
  Despite Expectations, a Worldwide PKI Has Not Formed
  PKI Is Used for Users to Authenticate a Server and to Establish a Secure Connection Between Server and User
  But Plain Old Username/Password Is Used by the Server to Authenticate the User
Controlling Access to Resources
  Identity Based on IP Address
    The Site Supplies a Range of IP Addresses to the Resource Provider
    The Resource Provider's Server Looks at the Source IP of the Request
    Requests from Addresses in the Identified Range Are Granted Access to the Resources Purchased by the Site
    Proxy Servers or VPNs Allow Off-Site Access
    Privacy Is Maintained, But There Is No Ability to Control Specific Users or Groups
  Identity Based on Registration
    A User Registers with a Resource Supplier, Who Verifies It with the Site
    The User Is Given a Unique Username/Password to Gain Access to the Resource
    Privacy Is Lost, But Access Can Be Tailored to Each User or Group
  Attributes Rather Than Identity
    The User Requests Access to a Resource
    The Resource Provider Queries the Site About the User, and Attributes Are Exchanged Until the Resource Provider Has Enough Information
    Privacy Is Maintained, and Access Can Be Controlled at the User Level
What Is Shibboleth?
  An Architecture and Protocol
    An Attribute-Based System
    A Set of Profiles Based on the OASIS SAML Standard
  A Project of the Internet2 Middleware Initiative
    Defining a Policy Framework and the Shibboleth Architecture
    Developing an Open Source Implementation
    Supporting the Deployment of Shibboleth in Higher Ed
  An Implementation of the Shibboleth Architecture
    Software Developed by the I2/MACE Shibboleth Project
    There Are Other Independent Implementations
Where Does Shibboleth Come From?
  Shibboleth Is a Hebrew Word That Means an Ear of Corn, Stream or Flood
  The Word Comes from the Old Testament (Judges 12:1-6)
    The Ephraimites Were Returning Home After Being Defeated Trying to Invade Gilead. The Fords Across the River Jordan Were Blocked by Gileadites, Who Made Those Who Wanted to Pass Say "Shibboleth." The Ephraimites Pronounced the "sh" as "s" and Thus Were Identified and Killed.
  In Modern Usage, a Shibboleth Is a Word or Sound Used to Detect Outsiders
Shibboleth Goals
  Provide Security While Not Degrading Privacy
    Attribute-Based Access Control
  Have the Enterprise Broker Most Services in Inter-Realm Interactions
    Authentication, Authorization, Resource Discovery, etc.
  Foster Inter-Realm Trust Fabrics
    Leverage Campus Expertise and Build Rough Consensus
    Influence the Marketplace; Develop Where Necessary
  Support for Heterogeneity and Open Standards
    Multiple Implementations of Shibboleth
    OASIS SAML
Shibboleth Architecture
  1. The User Accesses a Protected Resource
  2. The Resource Redirects the User to the "Where Are You From?" (WAYF) Service, So That He Can Select His Home Organization
  3. The User Is Then Directed to His Home Organization, Which Sends Him to the Authentication System for His Organization
  4. The User Authenticates Himself, by Whatever Means His Organization Deems Appropriate
  5. After Successful Authentication, a One-Time Handle or Session Identifier Is Generated for This User Session, and the User Is Returned to the Resource
  6. The Resource Uses the Handle to Request Attribute Information from the Identity Provider for This User
  7. The Organization Allows or Denies the Attribute Information to Be Made Available to This Resource Using the Attribute Release Policy
  8. Based on the Attribute Information Made Available, the Resource Then Allows or Denies the User Access to the Resource
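The eight-step flow above, and the "Attributes Rather Than Identity" scheme from the Controlling Access to Resources slide, modelled as an added Python example (not Shibboleth project code): a toy identity provider mints an opaque one-time handle after login, a service provider presents that handle in an attribute query, the IdP's attribute release policy filters what each SP may see, and the SP decides access from the released attributes rather than from a username. The entity IDs, user, password and ARP entries are constructed; eduPersonAffiliation and eduPersonPrincipalName are real eduPerson attribute names that the slides do not list.

```python
import secrets

# Constructed IdP user store and passwords. A real IdP hands step 4 to the
# organisation's own authentication system (Kerberos, etc.).
IDP_USERS = {
    "alice": {"displayName": "Alice Example", "mail": "alice@example.edu",
              "eduPersonAffiliation": "member",
              "eduPersonPrincipalName": "alice@example.edu"},
}
IDP_PASSWORDS = {"alice": "correct-horse"}

# Constructed attribute release policy (ARP): attributes each SP may receive.
IDP_ARP = {
    "https://sp.journal.example.org": {"eduPersonAffiliation"},
    "https://sp.library.example.org": {"eduPersonAffiliation",
                                       "eduPersonPrincipalName"},
}


class IdentityProvider:
    def __init__(self):
        self._handles = {}  # handle -> username; each handle is single-use

    def authenticate(self, username, password):
        """Steps 4-5: home-org login, then mint an opaque one-time handle."""
        if IDP_PASSWORDS.get(username) != password:
            return None
        handle = secrets.token_urlsafe(16)  # unguessable, carries no identity
        self._handles[handle] = username
        return handle

    def attribute_query(self, handle, sp_entity_id):
        """Steps 6-7: consume the handle and apply the ARP for this SP."""
        username = self._handles.pop(handle, None)  # replayed handle -> None
        if username is None:
            return None
        allowed = IDP_ARP.get(sp_entity_id, set())  # unknown SP gets nothing
        return {k: v for k, v in IDP_USERS[username].items() if k in allowed}


class ServiceProvider:
    def __init__(self, entity_id, accepted_affiliations):
        self.entity_id = entity_id
        self.accepted = set(accepted_affiliations)

    def authorize(self, idp, handle):
        """Step 8: grant or deny from released attributes, never a username."""
        attrs = idp.attribute_query(handle, self.entity_id)
        if not attrs:
            return False
        return attrs.get("eduPersonAffiliation") in self.accepted
```

The journal SP never learns who Alice is (only that she is a "member"), while a second use of the same handle is refused, which is the privacy and replay property the one-time handle is there to give.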
Shibboleth Architecture
  (Diagram slide)
Shibboleth Demo
  https://aai-demo.switch.ch/secure/
Trust and Attribute Exchange
  In Order for This to Work, the Service Provider and Identity Provider Must Trust Each Other
    The Shibboleth Project Spends Much Time on Such Federation
  There Must Also Be a Common Way of Requesting and Supplying Attributes
    Shibboleth Drove Efforts to Develop SAML
  Finally, the Attributes Must Be Understood by Both Parties
    Shibboleth Led the eduPerson Effort
SAML
  Security Assertion Markup Language (SAML)
    An XML-Based Standard for Exchanging Authentication and Authorization Data Between Security Domains
    Between an Identity Provider (a Producer of Assertions) and a Service Provider (a Consumer of Assertions)
  SAML Is a Product of the OASIS Security Services Technical Committee
  SAML 2.0 Issued in March 2005
eduPerson
  SAML Defines How to Pass Attributes, But Not What the Attributes Are
  Most Shibboleth Service Providers Require eduPerson Attributes to Be Passed from the Identity Provider
  eduPerson Defines a Common Set of Attributes and Definitions
    displayName, givenName, initials, telephoneNumber, postalAddress, preferredLanguage, ...
  eduPerson Extends inetOrgPerson with Attributes Supporting Inter-Realm Access
Conclusion
  Shibboleth Provides Strong Authentication While Maintaining Privacy
  Shibboleth Drives Associated Technologies: SAML, eduPerson, Federation
  Shibboleth Is Being Expanded Beyond Web Access: GridShib Integrates Shibboleth into the Globus Toolkit
  Shibboleth Is a Model for Commercial Efforts: CardSpace, Liberty Alliance, etc.
  Thanks to Ken Klingenstein and Team