A brief introduction to Shibboleth: Difference between revisions
(Created) |
(Updated) |
||
Line 1: | Line 1: | ||
Strictly speaking, [http://shibboleth.internet2.edu/ 'Shibboleth'] is a set of policies and protocols | Strictly speaking, [http://shibboleth.internet2.edu/ ''Shibboleth''] | ||
designed | is a set of policies and protocols | ||
practice | designed "to support inter-institutional sharing of web resources | ||
web-based resources similar to that currently provided by [http://www.cam.ac.uk/cs/raven/ Raven], | subject to access controls" (http://shibboleth.internet2.edu/about.html) developed by [http://www.internet2.edu/ Internet2] in the US. In | ||
but extended to | practice it is a system providing an access control system for | ||
web-based resources similar to that currently provided by [http://www.cam.ac.uk/cs/raven/ ''Raven''], | |||
but extended to allow users from multiple organisations to access | |||
resources provided by other independent organisations. | |||
This extension make Shibboleth more complex than the current Raven | |||
service, but from a user perspective there is little difference. On | service, but from a user perspective there is little difference. On | ||
initially accessing a Shibboleth-protected resource, a user is asked | initially accessing a Shibboleth-protected resource, a user is asked | ||
to select a service willing to identify them (an 'Identity Provider', | to select a service willing to identify them (an ''Identity Provider'', | ||
or 'IdP'). For University users this is a service operated by the | or ''IdP''). For University users this is a service operated by the | ||
Computing Service as part of Raven. Having selected the University's | Computing Service as part of Raven. Having selected the University's | ||
IdP, the user sees a standard Raven login screen and on completing the | IdP, the user sees a standard Raven login screen and on completing the | ||
login process sees the resource they wanted | login process sees the resource they wanted providing they are | ||
authorised to access it. Access to further resources, even if provided | authorised to access it. Access to further resources, even if provided | ||
by different organisations, uses information already gathered and the | by different organisations, uses information already gathered and the | ||
existing Raven login to | existing Raven login to streamline the process. | ||
Shibboleth-protected resources make access control decisions based on | Shibboleth-protected resources make access control decisions based on | ||
attributes supplied by the user's IdP. These attributes may include a | attributes supplied by the user's IdP. These attributes may or may not | ||
user's real-world identity | need to include a user's real-world identity. For example, | ||
some resources is available to any current member of the | |||
University. Using only an attribute that asserts this relationship | University. Using only an attribute that asserts this relationship | ||
helps to preserve the user's privacy, and reduces the Data Protection | helps to preserve the user's privacy, and reduces the Data Protection | ||
issues surrounding the operation of IdPs and protected services. | issues surrounding the operation of IdPs and protected | ||
services. Shibboleth also supports release of non-anonymous attributes | |||
where required. For University users, attribute values will be derived | |||
be derived from information in lookup. | from information in lookup. | ||
An initial application for Shibboleth will be | Four core attributes form the 'base set' for inter-organisation | ||
on-line journals and databases. | Shibboleth deployments. Their names reflect their original definition | ||
resources is currently managed by [http://www.lib.cam.ac.uk/electronicresources/Access_Passwords.htm#Athens Athens] | in the [http://www.educause.edu/eduperson ''eduPerson LDAP specification'']. They are: | ||
funding for this by [http://www.jisc.ac.uk/ JISC] | |||
service will | * ''eduPersonScopedAffiliation'' indicating a user's relationship (e.g., staff, student, etc.) with the organisation running their IdP. | ||
the short term, JISC have sponsored a 'Gateway' that allows current | * ''eduPersonTargetedID'' providing a persistent user pseudonym that is distinct for each protected service. | ||
Athens | |||
* ''eduPersonPrincipalName'' providing a persistent user identifier which is consistent across all protected services. | |||
* ''eduPersonEntitlement'' allowing an organisation to assert that a user satisfies additional sets of specific conditions. | |||
An initial application for Shibboleth in the UK will be control of | |||
access to on-line journals and databases. Access to many such | |||
resources is currently managed by [http://www.lib.cam.ac.uk/electronicresources/Access_Passwords.htm#Athens ''Athens'']. The current funding for | |||
this by [http://www.jisc.ac.uk/ JISC] ceases in July 2008 after which the service will | |||
operate on a subscription basis. It is JISC's intention that current | |||
Athens use should transition to Shibboleth. In the short term, JISC | |||
have sponsored a 'Gateway' that allows resources current protected by | |||
Athens to be accessed via Shibboleth. | |||
Beyond this initial use, groups such as the e-science community are | Beyond this initial use, groups such as the e-science community are | ||
Line 42: | Line 56: | ||
is already being adopted for various purposes in the US, Europe and | is already being adopted for various purposes in the US, Europe and | ||
Australia. Shibboleth is being developed in an open collaborative | Australia. Shibboleth is being developed in an open collaborative | ||
fashion and is itself based on open standards such as | fashion and is itself based on open standards such as [http://www.oasis-open.org/committees/security/ ''SAML'']. A | ||
[http://www.oasis-open.org/committees/security/ SAML]. A | benefit of this open approach is that built-in support for Shibboleth | ||
is already appearing in commercial and open source software | |||
products. It is likely that we will eventually need to support its use | |||
products. It is likely that | within the University in parallel with the current Raven service. | ||
Shibboleth | Shibboleth deployments require agreements on technical and policy | ||
issues. This can be established by bilateral agreements between IdPs | |||
and corresponding ''Service Providers'' (''SPs''). However this scales | |||
badly and it is usual to establish ''federations'' of IdPs and SPs who | |||
SPs who mutually agree technical and policy | mutually agree technical and policy standards to allow their members | ||
to inter-work. JISC and [http://www.becta.org.uk/ Becta] have established [http://www.ukfederation.org.uk/ ''The UK Access Management Federation for Education and Research''] to fulfil this | |||
function in the UK. The University joined the federation in January | |||
2007. It is likely that a less formal 'University of Cambridge' | 2007. The UK Federation recommends that the four core attributes | ||
federation | listed above should be used between members, and that wherever | ||
contained entirely within the University. | possible only eduPersonScopedAffiliation and eduPersonTargetedID | ||
should be required. It is likely that a less formal 'University of | |||
Cambridge' federation will eventually be needed to support Shibboleth | |||
deployments contained entirely within the University. |
Revision as of 13:39, 27 February 2007
Strictly speaking, Shibboleth is a set of policies and protocols designed "to support inter-institutional sharing of web resources subject to access controls" (http://shibboleth.internet2.edu/about.html) developed by Internet2 in the US. In practice it is a system providing an access control system for web-based resources similar to that currently provided by Raven, but extended to allow users from multiple organisations to access resources provided by other independent organisations.
This extension make Shibboleth more complex than the current Raven service, but from a user perspective there is little difference. On initially accessing a Shibboleth-protected resource, a user is asked to select a service willing to identify them (an Identity Provider, or IdP). For University users this is a service operated by the Computing Service as part of Raven. Having selected the University's IdP, the user sees a standard Raven login screen and on completing the login process sees the resource they wanted providing they are authorised to access it. Access to further resources, even if provided by different organisations, uses information already gathered and the existing Raven login to streamline the process.
Shibboleth-protected resources make access control decisions based on attributes supplied by the user's IdP. These attributes may or may not need to include a user's real-world identity. For example, some resources is available to any current member of the University. Using only an attribute that asserts this relationship helps to preserve the user's privacy, and reduces the Data Protection issues surrounding the operation of IdPs and protected services. Shibboleth also supports release of non-anonymous attributes where required. For University users, attribute values will be derived from information in lookup.
Four core attributes form the 'base set' for inter-organisation Shibboleth deployments. Their names reflect their original definition in the eduPerson LDAP specification. They are:
- eduPersonScopedAffiliation indicating a user's relationship (e.g., staff, student, etc.) with the organisation running their IdP.
- eduPersonTargetedID providing a persistent user pseudonym that is distinct for each protected service.
- eduPersonPrincipalName providing a persistent user identifier which is consistent across all protected services.
- eduPersonEntitlement allowing an organisation to assert that a user satisfies additional sets of specific conditions.
An initial application for Shibboleth in the UK will be control of access to on-line journals and databases. Access to many such resources is currently managed by Athens. The current funding for this by JISC ceases in July 2008 after which the service will operate on a subscription basis. It is JISC's intention that current Athens use should transition to Shibboleth. In the short term, JISC have sponsored a 'Gateway' that allows resources current protected by Athens to be accessed via Shibboleth.
Beyond this initial use, groups such as the e-science community are actively investigating using Shibboleth in their particular areas. It is already being adopted for various purposes in the US, Europe and Australia. Shibboleth is being developed in an open collaborative fashion and is itself based on open standards such as SAML. A benefit of this open approach is that built-in support for Shibboleth is already appearing in commercial and open source software products. It is likely that we will eventually need to support its use within the University in parallel with the current Raven service.
Shibboleth deployments require agreements on technical and policy issues. This can be established by bilateral agreements between IdPs and corresponding Service Providers (SPs). However this scales badly and it is usual to establish federations of IdPs and SPs who mutually agree technical and policy standards to allow their members to inter-work. JISC and Becta have established The UK Access Management Federation for Education and Research to fulfil this function in the UK. The University joined the federation in January 2007. The UK Federation recommends that the four core attributes listed above should be used between members, and that wherever possible only eduPersonScopedAffiliation and eduPersonTargetedID should be required. It is likely that a less formal 'University of Cambridge' federation will eventually be needed to support Shibboleth deployments contained entirely within the University.