Internet2 and Shibboleth (Shibboleth and Privacy)
Peter Brantley, California Digital Library
Presentation: ppt (0.8M); pdf (1.3M);
Access Management
list of requirements from A White Paper on Authentication and Access Management Issues
by Clifford Lynch, CNI, 1998
Distributed Access Management
registration and authentication: library, college, university
authorization and accounting: the resource owner
Role vs. Identity
Conceptually, licenses to restricted content are by ROLE e.g. {member of} University of California
Therefore IP address authentication is inherently kludgey.
Improved AM
* something opaque that a service can use to associate with me and give me access
* if a service provider knows where you are from, it can ask your identity provider
* once authenticated, access can be determined by role
* SP can ask therefore only for relevant attributes
* might be {member of}, or {staff}, or {IT Director}
* this approach enables finer role-based distinctions
This is Shibboleth
three things:
* Shibboleth Project
- umbrella of activities around federated authentication and access management, still ad hoc
* Shibboleth Specs
- SAML 1.1 and enhancements
* Shibboleth System
- Internet2-developed open source (reference) implementation
- there are other implementations available
Shibboleth status
- Elsevier Science Direct, OCLC, JSTOR, EBSCO, Proquest, Blackwell
- international uptake: Switzerland, Finland, UK, Australia
- production federations (e.g. InCommon)
- discussions involving "Leagues of Federations"
- supports US Federal E-Authentication Initiative
typically will send both institutional attribs (e.g. contract #) as well as individual attribs
could have an attribute release policy interface so that users can control who gets what attributes
Shibboleth Federations
- Usually nationally-oriented
- Federation operator handles coordination and management of operations
- coordination, management, sets of attribute-types, what to trust, for what purposes, policy, operational direction
- Federations are very hard work, not to be taken lightly
- Shibboleth InCommon and US Federal Federation (FedFed) are establishing peering
- Sun's Project Liberty and Shibboleth will interoperate through advancement of technical standards
- increasing need to support Virtual Organizations (VOs)
- expect eventual formation of Shibboleth-enabled software-based infrastructures, extending the concepts of VOs, that support personal attribute requests, very small groups
[Ohio State is one of leading adopters]
Meta-Fed Discussions: US, UK, Netherlands, Finland, Switzerland, Australia, Spain, ...
- policy framework
- privacy needs
- working with multinational service providers
- scaling WAYF
Slaughter meeting, Oct. 2004
Good meeting, not wholly conclusive.
Different authentication technologies and infrastructures exist within Europe.
EC funded GN2: eduroam, eduGAIN
Origins and targets establish trust bilaterally in out-of-band or no-band arrangements (using shared posting of practices)
InCommon progress
- Eduperson attributes
more challenging:
- having apps make intelligent use of federated identity
- legal issues
- scalable paths for LOA [?] components
Shib communities
Flexible creation of federations within federations, of varying duration, is increasingly common in the US
- RedCross for Hurricane Katrina
- UCTrust
Next Steps
- multi-Federation world
- enhancing support for US gov auth
- support GridShib
- encourage continued commercial and vendor uptake
- interop with Microsoft
- extending Shib beyond the browser, into service-service interaction
- Shib 2.0 utilizing SAML 2.0, enhances functionality. Design has been committed.
So... what's SAML?
[explanation of SAML]
An XML-based framework for exchanging security information.
Shibboleth and SAML
- Shibboleth is a profile of SAML
- extends SAML through Shib's data flow specs
Privacy and User Consent
- idea is that you only release what attribs you specify
Anonymous use hinders personalization (PZN); persistent anonymized identifiers permit a range of personalization options.
* More dialogue on privacy and policy best practices is necessary.
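Added illustration (not Shibboleth's own code or configuration) of the flow described under "Improved AM" and "Privacy and User Consent": the identity provider releases only the attributes its release policy allows for the requesting service provider, plus a persistent opaque identifier that differs per SP, and the SP decides by role on what it received. The HMAC derivation of the opaque identifier, the SP entity IDs, the user record and the policy are constructed for this example; the attribute names are eduPerson names.

```python
import hashlib
import hmac

# Constructed sample: IdP release policy, keyed by SP entity ID. Each value is the
# set of attributes the user/institution has agreed to release to that SP.
RELEASE_POLICY = {
    "https://sp.publisher.example/shibboleth": {
        "eduPersonAffiliation", "eduPersonEntitlement"},
    "https://benefits.campus.example/shibboleth": {
        "eduPersonAffiliation", "eduPersonPrincipalName", "givenName"},
}

# Constructed sample: the IdP's record for one user (institutional + individual attribs).
USER = {
    "uid": "jdoe",
    "givenName": "Jane",
    "sn": "Doe",
    "eduPersonAffiliation": ["member", "staff"],
    "eduPersonPrincipalName": "jdoe@campus.example",
    "eduPersonEntitlement": ["urn:mace:campus.example:contract:12345"],  # contract #
}

IDP_SECRET = b"constructed-idp-secret"  # assumption: IdP-held key for the derivation


def targeted_id(uid, sp_entity_id, secret=IDP_SECRET):
    """Persistent, SP-specific opaque identifier: the same user gets the same value
    at one SP across sessions, but two SPs cannot correlate their values."""
    mac = hmac.new(secret, f"{uid}!{sp_entity_id}".encode(), hashlib.sha256)
    return mac.hexdigest()


def release(user, sp_entity_id, policy=RELEASE_POLICY):
    """Attribute statement the IdP would send: only policy-allowed attributes for this
    SP, plus the opaque identifier. An unknown SP gets the identifier and nothing else."""
    allowed = policy.get(sp_entity_id, set())
    statement = {name: value for name, value in user.items() if name in allowed}
    statement["targetedID"] = targeted_id(user["uid"], sp_entity_id)
    return statement


def authorize(statement, required_role):
    """SP-side decision by role, using only what was released (no IP check, no name)."""
    return required_role in statement.get("eduPersonAffiliation", [])
```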
Comments: JSTOR - little Shib uptake - used as a research project - everyone is using IP
following Q: why isn't there more adoption? what is needed for broad-based adoption?
A: libraries say "what we have works well enough" using IPs / proxies / VPNs
there is also a transition cost, user education
Shibboleth is currently gaining more traction in accessing administrative apps (e.g. financial benefits management).
not much traction in university libraries
However, there is no better system available for this type of role-based authorization.
[Q about US PATRIOT Act and privacy implications]