One-Stop-Shop/Single-Sign-On Requirements of CESSDA
Ken Miller – UK Data Archive, University of Essex

Post on 05-Jan-2016


Page 2

The term "shibboleth" originates from a Hebrew word which literally means the part of a plant containing grains. It derives from an account in the Hebrew Bible, in which pronunciation of this word was used to distinguish members of the Ephraimites, whose dialect lacked the "sh" sound, from members of the Gileadites, whose dialect did include such a sound.


Page 4

Doris Salcedo's "Shibboleth" is a subterranean chasm that stretches the length of the Turbine Hall. Salcedo is addressing the racism and colonialism that underlie the modern world, a 'shibboleth' acting as a test of belonging to a particular social group or class. By definition, it is used to exclude those deemed unsuitable to join this group.


Page 6

Shibboleth Single Sign-on and Federating Software was developed specifically to address the challenges of:

• Multiple passwords required for multiple applications

• Scaling the account management of multiple applications

• Security issues associated with accessing third-party services

• Privacy

• Interoperability within and across organizational boundaries

• Enabling institutions to choose their authentication technology

• Enabling service providers to control access to their resources.


Page 7

Diagram (CESSDA Data Portal architecture): the User reaches the CESSDA Data Portal over the Internet. The Portal offers Discover (by Browsing and Searching), Explore and Analyse, and harvests and categorises using multilingual thesauri. Over the Internet it draws on Distributed Semantic Web (Meta)data Servers.

Page 8

There are two primary parts to the Shibboleth system:

Identity Provider - the software run by an organization with users wishing to access a restricted service;

Service Provider - the software run by the provider managing the restricted service.

Shibboleth acts as a broker between these two providers, so that the individual's relationship with the institution determines access rights to resources hosted by the service provider. It uses the Security Assertion Markup Language (SAML) for Authentication and Authorisation (AA): the Identity Provider asserts that the user has authenticated and releases attributes about them, and the Service Provider makes the access decision from those attributes.


Page 10

Step 1: When you click on a 'protected resource' link, your web browser sends an HTTP request to the URL of the webpage '/secure/'.

Step 2: The web server answers with an HTTP redirect to a WAYF ("Where Are You From") server located at another URL, for Shibboleth authentication.

Step 3: The WAYF server sends your web browser an HTML webpage with a list of all Home Organizations available in the Federation.


Page 11

Step 4: Your web browser sends the Home Organization you selected to the WAYF server, together with the webpage you originally wanted, '/secure/'.

Step 5: The WAYF server sends your web browser an HTTP redirect, and your browser then sends an HTTP request for the login page of your Home Organization.

Step 6: Your Home Organization answers with a login webpage.


Page 12

Step 7: Your web browser submits your user ID and password (your 'credentials') to the web server of your Home Organization. Only the Home Organization ever sees the password; the resource never does.

Step 8: The web server checks the validity of the user ID and password provided. An HTTP redirect is sent to your web browser that forwards you to the resource you initially requested. Together with this redirect your web browser receives a handle (some opaque data) and forwards this handle to the resource web server.


Page 13

Step 9: When the web server of the resource receives a handle from a user, it sends an attribute request directly (server to server, not via the browser) to the Home Organization of the user, presenting the handle it just received.

Step 10: At the Home Organization, the handle received from the resource is checked. To be valid, it must be presented by the resource before a timeout is reached. If valid, the requested user attributes for the user referred to by the handle are transmitted to the resource. Because the handle is opaque, the resource learns nothing about the user beyond what the Home Organization chooses to release at this step.
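The ten steps above, run as an added simulation that is neither Shibboleth's own code nor part of the presentation: the resource server, the WAYF and the Home Organization are three in-process Python objects, the handle is a random token that the Home Organization accepts once, only from the resource it was issued for and only inside a timeout, and the resource decides access from the released eduPersonScopedAffiliation. The host names, the 60-second timeout, the affiliation rule and the sample accounts are assumptions.

```python
# Simulation of Steps 1-10: resource server (SP), WAYF and Home Organization (IdP)
# as three in-process objects. Added illustration only, not Shibboleth code; the
# handle format, the 60-second timeout, the host names and the accounts are assumed.
import secrets
import time

HANDLE_TTL = 60  # seconds a handle stays valid before the Step 10 timeout (assumed)

USERS = {  # constructed accounts held by the Home Organization
    "alice": {"password": "correct-horse",
              "attributes": {"eduPersonScopedAffiliation": "staff@essex.ac.uk",
                             "eduPersonTargetedID": "3c2b1a"}},
    "bob": {"password": "hunter2",
            "attributes": {"eduPersonScopedAffiliation": "alum@essex.ac.uk",
                           "eduPersonTargetedID": "9f8e7d"}},
}


def _now(now):
    return time.time() if now is None else now


class HomeOrganization:
    """The IdP: checks credentials, issues handles, answers attribute requests."""

    def __init__(self):
        self._handles = {}  # handle -> (user, resource_sp, issued_at)

    def login(self, user, password, resource_sp, now=None):
        """Steps 7-8: verify credentials; on success mint an opaque handle bound to the resource."""
        record = USERS.get(user)
        if record is None or not secrets.compare_digest(
                record["password"].encode(), password.encode()):
            return None
        handle = secrets.token_urlsafe(32)  # random, so it reveals nothing about the user
        self._handles[handle] = (user, resource_sp, _now(now))
        return handle

    def attribute_request(self, handle, requester, now=None):
        """Step 10: accept a handle once, only from the SP it was issued for, only before
        the timeout; otherwise release nothing."""
        entry = self._handles.pop(handle, None)  # single use: a replayed handle fails
        if entry is None:
            return None
        user, resource_sp, issued_at = entry
        if requester != resource_sp:  # presented by a different resource
            return None
        if _now(now) - issued_at > HANDLE_TTL:
            return None
        return dict(USERS[user]["attributes"])


class WAYF:
    """Steps 3-5: maps the Home Organization the user picked to its IdP."""

    def __init__(self, federation):
        self.federation = federation  # display name -> HomeOrganization

    def resolve(self, name):
        return self.federation.get(name)


class ResourceServer:
    """The SP protecting '/secure/'; decides on eduPersonScopedAffiliation."""

    def __init__(self, name, wayf_url, allowed_affiliations):
        self.name = name
        self.wayf_url = wayf_url
        self.allowed = set(allowed_affiliations)

    def request(self, path, handle=None, home_org=None, now=None):
        """Steps 1-2 without a handle (redirect to the WAYF); Step 9 with one
        (back-channel attribute request to the Home Organization, then decide)."""
        if path != "/secure/":
            return {"status": 200, "body": "public page"}
        if handle is None:
            return {"status": 302, "location": self.wayf_url + "?return=/secure/"}
        attrs = home_org.attribute_request(handle, requester=self.name, now=now)
        if attrs is None:
            return {"status": 403, "reason": "handle rejected by Home Organization"}
        if attrs.get("eduPersonScopedAffiliation") not in self.allowed:
            return {"status": 403, "reason": "affiliation not permitted", "attributes": attrs}
        return {"status": 200, "body": "secure page", "attributes": attrs}


def run_flow(user, password, ho_name, delay=0.0):
    """Drive Steps 1-10 end to end; `delay` is the seconds the SP waits before Step 9,
    so the Step 10 timeout can be exercised."""
    essex = HomeOrganization()
    wayf = WAYF({"University of Essex": essex})
    sp = ResourceServer("sp.ukda.example", "https://wayf.example/",
                        {"staff@essex.ac.uk", "student@essex.ac.uk"})
    first = sp.request("/secure/")                 # Steps 1-2: redirected to the WAYF
    if first["status"] != 302:
        return first
    home = wayf.resolve(ho_name)                   # Steps 3-4: user picks a Home Organization
    if home is None:
        return {"status": 400, "reason": "unknown Home Organization"}
    issued = time.time()
    handle = home.login(user, password, sp.name, now=issued)  # Steps 5-8
    if handle is None:
        return {"status": 401, "reason": "login failed"}
    return sp.request("/secure/", handle=handle, home_org=home, now=issued + delay)  # Steps 9-10
```

Replay, presentation by a different resource, and expiry are the three failure modes the Home Organization has to reject at Step 10; the resource itself never inspects the handle, it only forwards it, and its access decision rests entirely on the attributes that come back.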


Page 14

Diagram (UK Federation), with labels: Census; ESDS ukda; HE/FE Institutions; NHS organisations; Local Government Offices; National Government Offices. Attributes: eduPersonTargetedID, eduPersonScopedAffiliation.


Page 15

Diagram (UK Federation with a Virtual Organization Service Provider and its Registration Database), with labels: Census; ESDS ukda; HE/FE. Additional information: Name, Email, Department/Discipline, Commercial Research, Agreement to Special Licences.


Page 16

Diagram: VO proxy flow with the Registration Database.

1. A user attempts to access the SP resource.

2. This directs the user to the VO Proxy IdP.

3. A request is sent to the VO Proxy SP.

4. The VO Proxy SP directs the user to the WAYF.

5. The user authenticates at their HO (IdP).

6. The HO replies to the VO with SAML AA and a handle.


Page 17

Diagram: VO proxy flow with the Registration Database (continued).

7. The VO uses the handle and the address of the HO AA to request attributes; the HO AA releases attributes to the VO.

8. The VO AA consults the ARP (attribute release policy) for the directory entry corresponding to the handle.

9. The VO AA releases attributes to the SP.

10. Based on the attributes, the SP either sends the user to the registration system or allows access.
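The VO proxy steps on this page (attributes released by the Home Organization, the ARP lookup against the Registration Database, release to the SP, and the SP's choice between access and registration), as an added Python illustration that is not CESSDA's or Shibboleth's code. The two SPs, the registration records, the ARP contents and the per-SP access rules are constructed; the attributes used are the two named on Page 14 plus the additional information listed on Page 15.

```python
# VO proxy attribute aggregation and release. Added illustration only, not CESSDA
# or Shibboleth code: the SPs, registration records, ARP and access rules are constructed.

# What the Home Organization released to the VO for each user. eduPersonTargetedID is
# an opaque, persistent, per-SP identifier, so the VO (which is the SP from the HO's
# point of view) sees one stable value per user and can key its registration on it.
HO_RELEASE = {
    "alice": {"eduPersonTargetedID": "3c2b1a",
              "eduPersonScopedAffiliation": "staff@essex.ac.uk"},
    "bob": {"eduPersonTargetedID": "9f8e7d",
            "eduPersonScopedAffiliation": "alum@essex.ac.uk"},
}

# Registration Database: the additional information the VO collected, keyed by targetedID.
REGISTRATION_DB = {
    "3c2b1a": {"name": "A. Example", "email": "a.example@essex.ac.uk",
               "department": "Sociology", "commercialResearch": False,
               "specialLicences": ["SL-Census"]},
}

# ARP (attribute release policy): which attributes the VO may release to which SP.
ARP = {
    "esds.sp.example": {"eduPersonScopedAffiliation", "name", "email",
                        "department", "commercialResearch"},
    "census.sp.example": {"eduPersonScopedAffiliation", "eduPersonTargetedID",
                          "specialLicences"},
}

# Each SP's access rule: attribute -> predicate the released value must satisfy.
SP_REQUIREMENTS = {
    "esds.sp.example": {
        "eduPersonScopedAffiliation": lambda v: v.endswith(".ac.uk"),
        "name": lambda v: bool(v),
        "email": lambda v: "@" in v,
    },
    "census.sp.example": {
        "eduPersonScopedAffiliation": lambda v: v.endswith(".ac.uk"),
        "specialLicences": lambda v: "SL-Census" in v,
    },
}


def vo_release(ho_attrs, sp):
    """VO side: find the directory entry for the user behind the handle, merge it with
    the HO attributes, and filter the result through the ARP for this SP."""
    entry = REGISTRATION_DB.get(ho_attrs.get("eduPersonTargetedID"), {})
    merged = {**ho_attrs, **entry}
    allowed = ARP.get(sp, set())  # an SP with no ARP entry gets nothing
    return {k: v for k, v in merged.items() if k in allowed}


def sp_decision(sp, released):
    """SP side: allow access, or send the user to the registration system and say
    which attributes the SP's rule still needs."""
    needs = SP_REQUIREMENTS.get(sp)
    if needs is None:
        return {"action": "deny", "reason": "no access rule for this SP"}
    missing = [a for a, ok in needs.items()
               if a not in released or not ok(released[a])]
    if missing:
        return {"action": "register", "missing": missing}
    return {"action": "allow", "attributes": released}


def vo_flow(user, sp):
    """Run the VO steps for one user against one SP and return the SP's decision."""
    return sp_decision(sp, vo_release(HO_RELEASE[user], sp))
```

Keying the Registration Database on eduPersonTargetedID works because the value is stable for a given user and relying party while saying nothing about who the user is; the ARP is what keeps name and email from reaching an SP that only needs licence information, and a user the VO has never registered is routed to registration rather than refused outright.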


Page 18

Diagram (EU Federation?): NO Fed (NSD); UK Fed (UKDA); CESSDA.

CESSDA challenges:

What information/attributes?

Does the Portal collect any additional information not provided by Feds?

Do individual CESSDA members have VOSP systems?

Does the Portal have a VOSP system?

Can CESSDA members and/or the Portal operate with a standard Shibboleth set-up?

Does the Portal need Shibboleth at all?
