January 27, 2004
To get it straight in my head I'm writing out the details of the Shibboleth authentication process. We're working on becoming a target, which means people from other institutions can view our content.
To get access to resources at another institution there must be a Shibboleth origin and target. The origin holds user data and provides attributes about a user to the target, allowing the target to authenticate. Resources are shared between institutions by establishing a set of attribute acceptance policies.
Details (with acronyms galore)
I have a resource at Tufts, located at http://tusk.tufts.edu/content/1234. Someone from Dew University wants to look at that document. Tufts and Dew University have an agreement where any student in the Dew Master of Public Health program can look at Tufts documents.
The student requests the document from our shib-enabled server. The request is handled initially by the shib Resource Manager (RM), which allows the Shibboleth Indexical Reference Establisher (SHIRE) to step in and use a Where Are You From (WAYF) service to determine which origin the user is from (chosen from a dropdown) and to get a handle it can use to ask about the user.
The SHIRE passes the handle to the Shibboleth Attribute Requester (SHAR), which gets a set of attributes about the requesting user and passes them back to the RM. The RM uses the attributes to decide whether to grant access.
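To make the hand-offs concrete, here is a toy model of that flow (WAYF, origin login, SHIRE, SHAR, RM) written as an added example; it is not Shibboleth code and not anything from the Tufts setup. The provider ids, user records, the "program" and "isAdmin" attributes, the attribute release policy on the origin side and the attribute acceptance policy (AAP) on the target side are all constructed for illustration. The point it shows that the prose does not: the handle the origin hands back is opaque and short-lived, it is bound to the target that asked for it, and the target only trusts the attributes its AAP says that origin may assert.

```python
"""Toy Shibboleth 1.x origin/target exchange (added example, not Shibboleth's own code)."""
import secrets
import time


def _now(now):
    return time.time() if now is None else now


# --- Origin side: Handle Service (HS) plus Attribute Authority (AA) ----------
class Origin:
    def __init__(self, provider_id, users, release_policy):
        self.provider_id = provider_id
        self.users = users                    # username -> {"password", "attrs"} (constructed)
        self.release_policy = release_policy  # target id -> attribute names the AA may release
        self.handles = {}                     # opaque handle -> (username, target id, expiry)

    def login(self, username, password, target_id, ttl=300, now=None):
        """HS: authenticate locally and return an opaque, short-lived handle.
        The handle carries no user data; the target must ask the AA for attributes."""
        user = self.users.get(username)
        if user is None or user["password"] != password:
            return None
        handle = secrets.token_urlsafe(16)
        self.handles[handle] = (username, target_id, _now(now) + ttl)
        return handle

    def attribute_query(self, handle, target_id, now=None):
        """AA: resolve the handle, then release only what the ARP allows for this target."""
        entry = self.handles.get(handle)
        if entry is None:
            return None
        username, bound_target, expiry = entry
        if bound_target != target_id or _now(now) > expiry:   # wrong audience or stale handle
            return None
        allowed = self.release_policy.get(target_id, set())
        return {k: v for k, v in self.users[username]["attrs"].items() if k in allowed}


# --- Target side: WAYF, SHIRE, SHAR and RM -----------------------------------
class Target:
    def __init__(self, provider_id, trusted_origins, aap, rules):
        self.provider_id = provider_id
        self.origins = {o.provider_id: o for o in trusted_origins}  # WAYF dropdown entries
        self.aap = aap      # origin id -> attribute names this target accepts from it
        self.rules = rules  # resource path -> required attribute values

    def wayf(self, origin_id):
        """WAYF: only origins in the federation are offered."""
        return self.origins.get(origin_id)

    def shire(self, origin, handle):
        """SHIRE: record the handle and which origin it came from for the SHAR."""
        if handle is None or origin.provider_id not in self.origins:
            return None
        return {"origin": origin, "handle": handle}

    def shar(self, session, now=None):
        """SHAR: fetch attributes, then keep only those the AAP trusts from that origin."""
        origin = session["origin"]
        attrs = origin.attribute_query(session["handle"], self.provider_id, now=now) or {}
        accepted = self.aap.get(origin.provider_id, set())
        return {k: v for k, v in attrs.items() if k in accepted}

    def rm(self, path, attrs):
        """RM: grant only if every attribute the rule requires is present and matches."""
        required = self.rules.get(path)
        if required is None:
            return False, "no rule for resource"
        for name, value in required.items():
            if attrs.get(name) != value:
                return False, f"missing or wrong {name}"
        return True, "granted"


def request_resource(target, origin_id, username, password, path, now=None):
    """One end-to-end request: WAYF -> origin login -> SHIRE -> SHAR -> RM."""
    origin = target.wayf(origin_id)
    if origin is None:
        return False, "origin not in federation"
    handle = origin.login(username, password, target.provider_id, now=now)
    if handle is None:
        return False, "origin authentication failed"
    session = target.shire(origin, handle)
    return target.rm(path, target.shar(session, now=now))


# Constructed sample data: Dew is the origin, Tufts is the target.
DEW = Origin(
    "urn:mace:example:dew",  # constructed provider id
    users={
        "alice": {"password": "pw-alice",
                  "attrs": {"eduPersonAffiliation": "student", "program": "MPH", "isAdmin": "true"}},
        "bob": {"password": "pw-bob",
                "attrs": {"eduPersonAffiliation": "student", "program": "Law"}},
    },
    release_policy={"urn:mace:example:tufts": {"eduPersonAffiliation", "program", "isAdmin"}},
)
TUFTS = Target(
    "urn:mace:example:tufts",  # constructed provider id
    trusted_origins=[DEW],
    aap={"urn:mace:example:dew": {"eduPersonAffiliation", "program"}},  # Dew may not assert isAdmin
    rules={"/content/1234": {"eduPersonAffiliation": "student", "program": "MPH"},
           "/admin": {"isAdmin": "true"}},
)

if __name__ == "__main__":
    print(request_resource(TUFTS, DEW.provider_id, "alice", "pw-alice", "/content/1234"))  # granted
    print(request_resource(TUFTS, DEW.provider_id, "bob", "pw-bob", "/content/1234"))      # wrong program
    print(request_resource(TUFTS, DEW.provider_id, "alice", "pw-alice", "/admin"))         # isAdmin stripped by AAP
```

The AAP check in `shar` is the piece worth keeping in mind when the test environment comes together: even though Dew's AA releases `isAdmin`, Tufts never lets a foreign origin assert it, so the MPH student cannot reach `/admin` no matter what the origin sends.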
OK, that's better. I think I've got my arms around what will be happening. I still have some questions about establishing what attributes will be available, how the resource manager makes its decision, and what is done on subsequent requests. Hopefully all questions will be answered as I get into setting up the test environment.
Posted by mike at January 27, 2004 3:18 PM