Shibboleth and SAML: Overview and Status
Scott Cantor, Marlena Erdos, and the Shibboleth Design Team

Outline
  What is Shibboleth?
  Why Shibboleth?
  What is SAML and how does it relate?
  High Level Architecture
  Current Status

What is Shibboleth?
  An initiative to develop an architecture, policy framework, and practical technologies to support inter-organizational sharing of secured web resources and services
  An Internet2/MACE project with intellectual and financial support from IBM/Tivoli

Example Scenarios
  1. A member of the campus community accessing a licensed library resource
  2. Students enrolled in a course across multiple universities accessing class materials and Learning Mgmt Systems
  3. Research workgroups sharing controlled resources (the original web)
  4. Future extension to H.323 and beyond?

What is Shibboleth?
  A system...
    with an emphasis on privacy
      • users control release of their attributes
    based on open standards (SAML)
    and available in open source form
    using “federated administration”

Why Shibboleth?
  Growing interest in collaboration and resource sharing among institutions
  Better security tools will make collaboration more “painless” and more secure
  Current "solutions" are primitive; we can do better today and without local overhaul

Why Shibboleth? Current Solutions
  Access control by IP address
  Each user given distinct name/password by resource site
    • overburdens resource administrator
  A single name/password for all users
    • lack of security and accountability

Why Shibboleth? Federated Administration
  Federated Administration Features:
    Users registered only at their “home” or “origin” institution
    Authorization information sent, instead of authentication information
      • when possible, use groups instead of people on ACLs
      • identity information still available for auditing

Why Shibboleth? Privacy
  Higher Ed has privacy obligations
    • In US, “FERPA” requires permission for release of most personal identification information
  General interest and concern for privacy is growing
  Shibboleth has privacy provisions “built in”

SAML is (or will be)…
  … Security Assertion Markup Language
  … an OASIS XML framework for exchanging authentication and authorization information
  … an industry standard supported by most major web security vendors

SAML
  Standard due for completion late 2001
  More details available at OASIS SSTC site: http://www.oasis-open.org/committees/security/index.shtml
  Initial version of Shibboleth will be “as SAML-compliant as possible”
  Follow-on work will fully align (or extend in a more proper manner)

Non-Technical Overview (Technical Details Thursday PM)
  Destination and origin site collaborate to provide a privacy-preserving “context” for Shibboleth users
  Origin site authenticates user
  Destination site requests attributes about user directly from origin site
  Users (and organizations) can control what attributes are released

“Club Shibboleth”
  To make inter-organizational sharing effective and secure, agreements about policies, procedures, and attributes must be defined.
  The architecture leaves lots of room; the “tough questions” are answered out-of-band in an umbrella we call Club Shib.

Current Status
  Architecture and policy discussions almost complete, documents being drafted
  Programming divided among IBM/Tivoli, Carnegie Mellon, and Ohio State
  Code availability to pilot sites (US, UK, including content providers) due in early 2002

THE END
  Whew!
Acknowledgements
  Design Team: David Wasley, U of C; RL Bob Morgan, U of Washington; Keith Hazelton, U of Wisconsin (Madison); Marlena Erdos, IBM/Tivoli; Steven Carmody, Brown; Scott Cantor, Ohio State
  Important Contributions from: Ken Klingenstein (I2); Michael Gettes, Georgetown; Scott Fullerton (Madison)
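The flow sketched on the Non-Technical Overview and Federated Administration slides, as an added example (not code from the Shibboleth project or from the deck's authors): a small Python model in which the origin site authenticates the user, the destination site asks the origin for attributes about that user, and the destination authorizes on an affiliation value rather than on a name. The opaque per-login handle, the site names, users, passwords, attribute names and the per-user release policy are all constructed assumptions for the model; the real exchange is carried in SAML messages, which the model leaves out.

```python
"""Toy model of Shibboleth-style attribute release (constructed example).

Origin site: authenticates locally, issues an opaque handle, answers
attribute queries subject to the user's release policy, keeps the
handle -> user mapping for auditing.
Destination site: never sees a name; its ACL lists attribute values
(groups/affiliations) and it decides on released attributes alone.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class OriginSite:
    """The user's home institution (assumed structure, not the project's code)."""
    name: str
    users: dict            # constructed directory: username -> {attribute: value}
    passwords: dict        # constructed local credentials: username -> password
    release_policy: dict   # username -> {destination name: set of releasable attribute names}
    handles: dict = field(default_factory=dict)  # handle -> username; the audit trail

    def authenticate(self, username, password):
        """Local login. Returns an opaque handle, or None on failure.

        The handle is all the destination ever sees; it carries no identity.
        """
        if self.passwords.get(username) != password:
            return None
        handle = secrets.token_hex(16)
        self.handles[handle] = username
        return handle

    def attribute_query(self, handle, destination):
        """Answer a destination's attribute request for a handle we issued.

        Only attributes the user released to that destination are returned;
        a handle the origin never issued yields nothing at all.
        """
        username = self.handles.get(handle)
        if username is None:
            return {}
        allowed = self.release_policy.get(username, {}).get(destination, set())
        return {k: v for k, v in self.users[username].items() if k in allowed}

    def audit(self, handle):
        """Identity stays resolvable at the origin for auditing, not at the destination."""
        return self.handles.get(handle)


@dataclass
class DestinationSite:
    """A resource provider whose ACLs name attribute values, not people."""
    name: str
    acl: dict  # resource -> set of (attribute, value) pairs; any one grants access

    def authorize(self, origin, handle, resource):
        """Fetch released attributes from the origin and decide on them alone."""
        attrs = origin.attribute_query(handle, self.name)
        required = self.acl.get(resource, set())
        granted = any(attrs.get(attr) == value for attr, value in required)
        return granted, attrs


def build_scenario():
    """Constructed sample data: one origin campus, one licensed library resource."""
    origin = OriginSite(
        name="origin.example.edu",
        users={
            "alice": {"affiliation": "student", "eppn": "alice@example.edu"},
            "bob": {"affiliation": "member", "eppn": "bob@example.edu"},
        },
        passwords={"alice": "alice-pw", "bob": "bob-pw"},
        release_policy={
            "alice": {"library.example.org": {"affiliation"}},  # releases affiliation only
            "bob": {"library.example.org": set()},               # releases nothing
        },
    )
    library = DestinationSite(
        name="library.example.org",
        acl={"/journals": {("affiliation", "student"), ("affiliation", "member")}},
    )
    return origin, library


def run_flow(username, password, resource="/journals"):
    """Authenticate at the origin, then let the destination authorize via attribute query."""
    origin, library = build_scenario()
    handle = origin.authenticate(username, password)
    if handle is None:
        return {"authenticated": False, "granted": False, "seen": {}, "audit": None}
    granted, seen = library.authorize(origin, handle, resource)
    return {"authenticated": True, "granted": granted, "seen": seen, "audit": origin.audit(handle)}


def forged_handle_is_rejected():
    """A handle the origin never issued gets no attributes and no access."""
    origin, library = build_scenario()
    granted, seen = library.authorize(origin, "not-issued-by-origin", "/journals")
    return granted is False and seen == {}


if __name__ == "__main__":
    for user, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("alice", "wrong")):
        print(user, run_flow(user, pw))
    print("forged handle rejected:", forged_handle_is_rejected())
```

Alice is granted access on her released affiliation while the library never learns her eppn; Bob authenticates fine at the origin but, having released nothing, is denied; the origin alone can map a handle back to a user for auditing. Organizational release policy, which the slides also mention, would sit as a second filter beside the per-user one in `attribute_query`.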