June 28, 2004

Intro to Shibboleth

Michael Gettes from Duke is giving a Shibboleth overview. I heard Michael speak last year at CAMP briefly about shib.

Shibboleth preserves privacy: it takes an attribute-based approach to authorization rather than an identity-based one. The service doesn't need to know who you are, only some things about you.

Installing Shibboleth can take between 3 hours and 3 years (depends on existing infrastructure).

A person tries to get a resource (a web page). The ACS (assertion consumer service) at the resource doesn't know where the user is from, so it redirects them to the WAYF (where are you from) service. The WAYF sends the user to log in at their identity provider, which creates an opaque handle and forwards it back to the ACS. The handle is passed to the attribute requester (AR), which contacts the attribute authority (AA), typically located at the identity provider, and gets back a list of attributes. Those attributes are then used in the authorization decision to grant or deny access.
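The flow above, as an added simulation (my own illustration, not code from the Shibboleth project or from the talk). It models the handle service and attribute authority on the identity provider side, the WAYF, and the ACS/attribute requester on the service provider side, and shows why the privacy claim holds: the handle is an opaque random token bound to one SP, and the attribute release policy (ARP) decides what leaves the home institution. The users, passwords, attribute values, SP identifier and the ARP are all constructed for the example; the attribute names follow eduPerson conventions.

```python
import secrets
import time

# Constructed sample data for a hypothetical identity provider (not real accounts).
PASSWORDS = {"alice": "alice-pw", "bob": "bob-pw"}
USERS = {
    "alice": {"eduPersonPrincipalName": "alice@example.edu",
              "eduPersonAffiliation": ["member", "staff"],
              "mail": "alice@example.edu"},
    "bob":   {"eduPersonPrincipalName": "bob@example.edu",
              "eduPersonAffiliation": ["affiliate"],
              "mail": "bob@example.edu"},
}

# Attribute release policy (ARP), keyed by service provider: only the listed
# attributes are ever sent to that SP. Constructed for the example.
ARP = {
    "https://blackboard.example.org/shibboleth": {"eduPersonAffiliation"},
}

HANDLE_TTL = 300  # seconds; handles are short-lived in this simulation


class IdentityProvider:
    """Home institution: handle service (HS) plus attribute authority (AA)."""

    def __init__(self, name, users, passwords, arp):
        self.name, self.users, self.passwords, self.arp = name, users, passwords, arp
        self.handles = {}  # opaque handle -> (username, audience SP, expiry)

    def handle_service(self, username, password, sp_id):
        if self.passwords.get(username) != password:
            raise PermissionError("authentication failed")
        # The handle is random and opaque: it carries no identity, and it is
        # bound to one SP and a short lifetime, so the SP learns nothing from it.
        handle = secrets.token_urlsafe(24)
        self.handles[handle] = (username, sp_id, time.time() + HANDLE_TTL)
        return handle

    def attribute_authority(self, handle, sp_id):
        entry = self.handles.get(handle)
        if entry is None:
            raise PermissionError("unknown handle")
        username, audience, expiry = entry
        if audience != sp_id or time.time() > expiry:
            raise PermissionError("handle not valid for this SP")
        # Apply the ARP: release only what this particular SP may see.
        allowed = self.arp.get(sp_id, set())
        return {k: v for k, v in self.users[username].items() if k in allowed}


class WAYF:
    """Where Are You From: maps an institution to its IdP. Not part of the trust fabric."""

    def __init__(self, idps):
        self.idps = idps

    def lookup(self, institution):
        return self.idps[institution]


class ServiceProvider:
    """Assertion consumer service (ACS), attribute requester (AR) and an authorization rule."""

    def __init__(self, sp_id, trusted_idps, wayf, require_affiliation):
        self.sp_id = sp_id
        self.trusted_idps = trusted_idps  # federation metadata: IdPs this SP trusts
        self.wayf = wayf
        self.require_affiliation = require_affiliation

    def request_resource(self, institution, username, password):
        # 1. No session yet: the ACS sends the browser to the WAYF.
        idp = self.wayf.lookup(institution)
        # 2. The WAYF sends the user to their IdP; the HS authenticates and mints a handle.
        handle = idp.handle_service(username, password, self.sp_id)
        # 3. The ACS accepts handles only from IdPs inside the federation's trust fabric.
        if idp.name not in self.trusted_idps:
            raise PermissionError("IdP not in federation")
        # 4. The AR presents the handle to the IdP's AA and receives the released attributes.
        attrs = idp.attribute_authority(handle, self.sp_id)
        # 5. Authorization is decided on attributes, never on who the user is.
        affiliations = set(attrs.get("eduPersonAffiliation", []))
        return bool(affiliations & self.require_affiliation), attrs


def build_demo():
    """Wire up one IdP, one WAYF and one SP with the constructed data above."""
    idp = IdentityProvider("example.edu", USERS, PASSWORDS, ARP)
    wayf = WAYF({"Example University": idp})
    return ServiceProvider("https://blackboard.example.org/shibboleth",
                           trusted_idps={"example.edu"}, wayf=wayf,
                           require_affiliation={"member", "staff", "student"})


if __name__ == "__main__":
    sp = build_demo()
    print(sp.request_resource("Example University", "alice", "alice-pw"))
    print(sp.request_resource("Example University", "bob", "bob-pw"))
```

Running it shows alice admitted with only her affiliation released (no principal name or mail ever reaches the SP), and bob refused because his affiliation does not satisfy the SP's rule. The checks a practitioner should look for are the audience and expiry test in the attribute authority and the trust check in the ACS: the WAYF merely routes the browser and is deliberately outside both.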

Demo of a shib-enabled Blackboard: Michael identifies himself to his home institution, which passes a few attributes to Blackboard, and he is signed in and perusing. Then he clicks on JSTOR and, without another login or any further authentication, he's in JSTOR perusing as well.

A few questions, which lead to the point that the WAYF is a completely separate thing from the trust fabric built by federations.

Michael goes into details of how Duke is using shibboleth.

There is hope that the higher ed certificate authority will be able to build a bridge to the federal certificate authority and use eAuth through an inter-federation agreement.

