Shibboleth Access
Management System
Walter Hoehn & David Millman, Columbia University
Introduction
 Why the web needs identity?
 Access Control
 Customization
 Collaboration
 Challenges
 Privacy concerns/obligations
 Hundreds of passwords vs. Passport
 Protocol limitations
Shibboleth Overview





Federated Identity Management
Flexible attribute profiles
Privacy controls
Works with existing browser technology
Standards-based
Shibboleth Overview (cont.)
 Origins (Identity Providers)




Manages user identity data
Authenticates users
Administers attribute release policies
Provides user attributes
 Targets (Resource Providers)




Administers access control policies
Administers attribute acceptance policies
Requests attributes
Provides digital resources/services
Demo
NSDL.org
Who is working on Shibboleth?






Internet2 (UCAID)
Columbia University
Brown University
The Ohio State University
The University of Washington
MIT
Who is using Shibboleth?
 17 Identity Providers (15 US Universities,
1UK University, Swiss Education and
Research Network)
 4 Content vendors (JSTOR, OCLC, EBSCO,
ProQuest)
 2 course management systems (Blackboard,
WebCT)
 1 online grading system (WebAssign)
 1 inter-library loan vendor (Innovative
Interfaces)
Advances since the last All-Projects
meeting
 Security
 PKI-based signature verification
 SAML 1.1 support
 Performance
 Improved caching mechanisms
 Target can request specific attributes
 Privacy
 Attribute Release Policy language and engine
Advances since the last All-Projects
meeting (cont.)
 Integration
 Attribute Resolution Engine (runtime configuration,
metadirectory functionality)
 Support for international characters in assertions
 Stateless handle mechanism, which allows for
fault-tolerant configurations
 Support for using SSL Client Auth to authN to the
origin
 Expanded Platform Support
 Origin – All JDK 1.4 compatible platforms
 Target - Linux, Solaris, Windows / apache, IIS
Use Case: Accessibility
 A government agency creates a web site
containing video footage of historically
important NASA space flights
 The web site’s interface must be adaptable for
users with disabilities
- A user with low vision prefers custom colors, font face,
and font size.
- A user with hand tremors might prefer bigger links and
buttons.
Use Case: Accessibility (cont.)
 Appropriate content can be selected or search
priorities can be pre-set for accessible resources
- A user who is deaf may want only videos with closed
captioning
- A user who is blind may want images with text
descriptions and videos with audio descriptions to be
ranked highly in search results
Use Case: Accessibility (cont.)
 A Solution
 Agency installs a Shibboleth-enabled web service
 The user’s identity provider transmits accessibility
metadata to the web site (IMS Learner Information
Profile) via Shibboleth
 Web site assigns style sheets based on
accessibility metadata
 Web site search service uses accessibility
metadata in ranking algorithms
Contact: Madeleine_Rothberg@wgbh.org
Use Case: Subscription-based content
 An online aggregator of scholarly medical
publications sells subscriptions to a university
library
 Eligible users should be able to access the
content regardless of location
 The aggregator wants the flexibility to offer license
agreements to subsets of a University community
 The library wants to maintain the privacy of its
patrons and the security of their personal data
Use Case: Subscription-based content
(cont.)
 A Solution
 Aggregator installs a Shibboleth-enabled web
service
 The University’s IT department deploys a
shibboleth origin in conjunction with their central
directory service
 The University transmits eduPerson entitlement
attribute data via Shibboleth
Use Case: Web site contains curriculum
aids for middle school science
 The site includes curriculum aids; such as
photographs, videos, maps, report topics, etc.
that are available freely available for students
to download
 The site also includes lesson plans,
discussion questions, and tests that
accompany the freely available materials.
These materials should only be available to
educators.
Use Case: Web site contains curriculum
aids for middle school science (cont.)
 A Solution
 Site installs a Shibboleth-enabled web service
 The user’s identity provider transmits information
related to teacher credentialing
 Requirements are different
 Not a user settable preference (as in accessibility
use case)
 Not provided by existing university infrastructure
(as in subscription use case)
Target Installation
 Prerequisites
 SSL-enabled web server
 Supported platform
 Relationship with an identity provider or federation




Install pluggable Shibboleth module
Configure site metadata
Configure attribute acceptance policies
Configure access control rules
Target Installation (cont.)
 Current required skill set
 Service platform competency (OS, web server,
application environment)
 SSL
 XML
 X509/PKI
 Shibboleth federation model
 Closing the gap
 Identify appropriate staff
 Better software packaging/streamlined installation
Research/Directions for the future
 Access Management for N-tier applications
 Attribute Release Policies
 Interfaces
 Resource Description Metadata
 Authorization services (XACML)
 Integration with other SAML-based identity
services (Liberty)