4. Authentication and Authorization
• Authentication: verifying who you are & associated attributes.
• Authorization: verifying that you are allowed access to a resource (room, web page, file, equipment, etc.); assumes authentication.
• Traditionally in the library world, the distinctions between these two concepts are conflated.
5. Authorization Models
• Identity-based
– The identity is passed to the resource owner, who decides whether to grant access: privacy issues.
• Attribute-based
– Enough attributes are passed to the resource owner to allow access: no or limited privacy issues.
6. Identity and Privacy: Identity
• Identity management in the physical world: passports; birth certificates; driver’s licenses; national identity cards; SIN; etc.
• Used by others (government, police, banks, etc.) to verify ID
• In the Internet age, a much more difficult problem: “Like nailing jello to a wall…”
• For individuals:
– proliferation of userids and passwords
– some digital certificates
– security smart cards
7. Identity and Privacy: Identity (cont.)
• For organizations
– Costly management of userids
– Costly and complex management of relationships with resource owners
– Security issues
– Poor general solutions (e.g. access by organizations’ IP address ranges; etc.)
8. Identity and Privacy: Privacy
• Privacy has different dimensions:
– “privacy of the person: … integrity of the individual’s body”
– “privacy of personal behaviour: sexual preferences and habits, political activities and religious practices”
– “privacy of personal communications: … able to … without routine monitoring of their communications …”
– “privacy of personal data”
From Clarke, 1999
9. Identity and Privacy: Privacy (cont.)
• Electronic records, networks, electronic transactions: not just telephone anymore
• A range of expectations: some people are willing to give up more rights in cyberspace; others expect something similar to the “real world”
• Canadian legislation: Personal Information Protection and Electronic Documents Act (PIPEDA)
10. Shibboleth
• Intro to Shibboleth
– What is Shibboleth?
– What issues does Shibboleth address?
– Shibboleth architecture
– How does it work?
– Who is using it?
• Shibboleth at CISTI
11. What is Shibboleth?
• “Inter-realm attribute-based authorization for Web Services” – Shibboleth web page
– Architecture and technology to support inter-institutional sharing of resources (middleware)
– Based on a federated administration trust framework
– Controlled dissemination of attribute information, based on administration defaults and user preferences
13. What is Shibboleth? (cont.)
• Founding assumptions:
– Federated administration
– Lightweight mechanisms: disturb as little of the existing infrastructure as possible
– Leverage vendor and standards activity wherever possible
14. What is Shibboleth? (cont.)
• Key concepts:
– Federated Administration
– Access Control Based On Attributes
– Active Management of Privacy
– Standards Based
– A Framework for Multiple, Scalable Trust and Policy Sets (Federations)
18. Shib: How does it work?
1. User requests resource from resource owner
2. User is asked to self-identify their organization
3. User is redirected to her organization’s Shib origin instance and authenticates
4. User attributes are transferred to the resource owner’s instance of Shib target
5. Resource owner compares attributes to the policy associated with the user’s organization
6. User gets access to resource
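A constructed Python simulation of the six-step flow above and of the attribute-based model from slide 5 (added here; it is not Shibboleth project code, and the names Origin, Target, example-university and journal-site are assumptions): the origin authenticates locally and releases only attributes allowed by both administration defaults and the user’s preferences, and the target authorizes on attributes alone, never seeing a userid.

```python
import hashlib
import hmac

def _pwhash(password):
    # Stand-in for the home site's own credential store (constructed)
    return hashlib.sha256(password.encode()).hexdigest()

class Origin:
    """Home site: the Shib 'origin'. Authenticates the user and releases attributes."""
    def __init__(self, name, users, release_policy):
        self.name = name
        self.users = users                    # userid -> (password hash, attributes)
        self.release_policy = release_policy  # target name -> attrs the admin permits

    def authenticate(self, userid, password):
        entry = self.users.get(userid)        # step 3: local authentication, not Shib's job
        return entry is not None and hmac.compare_digest(entry[0], _pwhash(password))

    def release_attributes(self, userid, target_name, user_prefs):
        # step 4: admin defaults AND the user's own preferences both gate release
        allowed = self.release_policy.get(target_name, set()) & set(user_prefs)
        return {k: v for k, v in self.users[userid][1].items() if k in allowed}

class Target:
    """Resource owner: the Shib 'target'. Never sees a userid, only attributes."""
    def __init__(self, name, policy):
        self.name = name
        self.policy = policy                  # origin name -> required attribute values

    def authorize(self, origin_name, attrs):
        required = self.policy.get(origin_name)   # step 5: policy for that organization
        if required is None:
            return False                      # no trust relationship with this origin
        return all(attrs.get(k) == v for k, v in required.items())

def request_resource(target, origin, userid, password, user_prefs):
    """Steps 1-6 end to end; the caller's choice of origin is step 2 (self-identified org)."""
    if not origin.authenticate(userid, password):
        return False, {}
    attrs = origin.release_attributes(userid, target.name, user_prefs)
    return target.authorize(origin.name, attrs), attrs   # (granted, attributes target saw)

# Constructed sample federation: one home site and one journal site
UNIVERSITY = Origin("example-university",
    {"alice": (_pwhash("correct horse"),
               {"affiliation": "member", "entitlement": "journals", "name": "Alice"})},
    {"journal-site": {"affiliation", "entitlement"}})   # 'name' is never released
JOURNAL = Target("journal-site", {"example-university": {"affiliation": "member"}})
```

Withholding the affiliation attribute in the user preferences denies access even though authentication succeeded, which is the privacy trade-off the deck describes.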
20. Shibboleth is:
• “NOT an authentication scheme (relies on home site infrastructure to do this)”
• “NOT an authorisation scheme (leaves this to the resource owner)”.
• “BUT an open, standards based protocol for securely transferring attributes between home site and resource site”.
• “Also provided as an Open Source reference software implementation”.
After Paschoud, 2004
21. Shibboleth
• Who is using it?
– JISC (UK Joint Information Systems Committee), EBSCO, Elsevier, OCLC, SFX (Ex Libris), JSTOR, McGraw Hill, Books, Innovative, WebCT, Blackboard, Swiss Education and Research Network (SWITCH), National Science Digital Library (NSDL), more…
– Carnegie Mellon, Columbia, Dartmouth, Georgetown, London School of Economics, NYU, Ohio State, more…
22. Shibboleth at CISTI
• Prototyped the resource owner end of Shibboleth (Target) for 3 NRC Research Press journals
• Evaluated use within the NRC Virtual Library
• Developed code for MySQL db lookup; submitted code to the Shibboleth project
• Next steps dependent on adoption by resource producers (for the VL) and resource users (for NRC Research Press)
25. Liberty Alliance
• What is the Liberty Alliance?
– More commercially oriented than Shib
– Members include: Sun, Sony, Ericsson, GM, Novell, NEC, Oracle, SAP, NTT, Entrust, HP, AmEx.
– However, Microsoft and IBM have refused to join!
26. Liberty Alliance
• Architecture
– Very similar to Shibboleth, but more commercially oriented, with special features oriented around mobile devices, etc.
– Less focus on user-mediated privacy
– More reporting
31. References
• Blum, D. 2003. Federating Identity Management: Standards, T
• Blum, D. 2004. Federated Identity: Extending Authentication an
• Clarke, R. 1999. Introduction to Dataveillance and Information Privacy, and Definitions of Ter
• Lacey, D. 2003. Current Privacy Research and Frameworks. SecureWorld Expo.
32. References (cont.)
• Liberty Alliance Web Site.
• Paschoud, J. 2004. The (now… then…) next of Authentication:Shib ALPSP Effective Customer Authentication
• Rapoza, J. 2003. Liberty Alliance Has Missed the Point. eWeek, November 24.
• Shibboleth Project.
• Weil, N. 2004. NSF middleware initiative goes beyond science. InfoWorld, May.