Shibboleth Update
Eleventh Federal & Higher Education PKI Coordination Meeting (Fed/Ed Thursday, June 16, 2005

Topics
• Shibboleth v1.3
• Shibboleth Futures -- the Roadmap after 1.3
• Shibboleth and e-Authn

Shibboleth v1.3
• Planned Availability -- June, 2005
  • Currently in beta
• Major New Functionality
  • Full SAML v1.1 support -- BrowserArtifact Profile and AttributePush
  • Support for SAML-2 metadata schema
  • Improved Multi-Federation Support
  • Support for the Federal Gov’t’s E-authn Profile
  • Native Java SP Implementation
  • Improved build process

Restructuring of Federations
• The Transition to InCommon
  • InCommon is now “Real”
  • Campuses and Vendors are Transitioning…
  • May soon see negative incentives for long term membership in InQueue
• “Negative Trust” Federation
  • Available for software development, testing
  • Self-service application to register
  • Expect to see many relatives of Donald Duck as members
• International Federation Peering
  • Moving forward…
  • Vendors moving toward supporting multi-federation world

Shibboleth and Grids
• Shib/SAML is currently web-browser centric
  • so doesn't apply to more general protocols
  • yet can easily apply to Grid portals
  • SAML could carry certs/keys as attributes
• Grid-Shib project
  • NSF-funded
  • focus on access to campus Attribute Authority to provide attributes for Grid service authz decisions

WS* Interop -- Status
• Agreements to build WS-Fed interoperability into Shib
  • Contracts signed; work to begin AFTER Shib v1.3
  • WS-Federation + Passive Requestor Profile + Passive Requestor Interoperability Profile
• Discussions broached, by Microsoft, in building Shib interoperability into WS-Fed; no further discussions
• Devils in the details
  • Can WS-Fed-based SPs work in InCommon without having to muck up federation metadata with WS-Fed-specifics?
  • All the stuff besides WS-Fed in the WS-* stack

WS* Interop -- High Level Goals
• Establish interoperability of the ADFS Identity Provider and Service Provider implementations (and any other WS-F/PRP/PRIP Provider conformant implementations), with the Internet2 Shibboleth System Identity Provider and Service Provider implementations.
• Establish ADFS as a supported option for use for Identity Provider and Service Provider deployments in the Internet2-operated InCommon Federation of US higher-education and partner sites.
• Build a strategic relationship with a fully deployed and leading edge federation (InCommon) and the higher ed academic community.

Shibboleth -- Future Releases
• “Interim” Release
• Target Date -- within Calendar 2005
• Include some SAML-2 Functionality
  • Rely on feedback from user community to identify SAML-2 features which are HIGH priority
• Lots of potential partners interested in helping….

Shibboleth 2.0
• SAML 2.0 specification approved March 2005
• Shibboleth 2.0
  • Expect to provide support for ALL REQUIRED SAML-2 functionality
  • Target Date -- mid-year 2006
• Who wants to help?

Federal eAuthentication
• Key driver for e-government, operating under the auspices of GSA
• Leveraging key NIST guidelines
• Setting the standard for a variety of federated identity requirements
  • Identity proofing
  • SAML bindings
  • Credential assessment
  • Risk assessment
• Technical components driven through the InterOp Lab
• http://www.cio.gov/eAuthentication/

eAuthentication Key Concepts
• Approved technologies
• The Federal “e-Authentication Federation”
• Credential assessment framework
• Trusted Credential Service providers
• Agency Applications (outward facing…)

Shibboleth E-Authn Certification
• V1.3 has already successfully navigated interoperability testing
• Scheduled for Certification Testing the week of June 20
• Campuses could then
  • Join the E-authn Federation
  • Use the Shibboleth software to access e-authn enabled federal gov’t web sites
• More E-authn info available at http://www.cio.gov/eauthentication/