{"id":604,"date":"2009-11-23T17:40:28","date_gmt":"2009-11-23T16:40:28","guid":{"rendered":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/2009\/11\/shibboleth-developments\/"},"modified":"2009-11-24T22:51:41","modified_gmt":"2009-11-24T21:51:41","slug":"shibboleth-developments","status":"publish","type":"post","link":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/2009\/11\/shibboleth-developments\/","title":{"rendered":"Shibboleth Developments"},"content":{"rendered":"<p>Chad La Joie &#8211; from SWITCH<\/p>\n<p>Shibboleth 1.3 reaches end of life on June 30th 2010 &#8211; there will be absolutely no support after this time &#8211; so you should be planning to have upgraded to Shib 2.0 by this date!<\/p>\n<p>Next release of Shibboleth IdP is 3.0 &#8211; this is not a major rewrite &#8211; do not wait to upgrade! Main goal &#8211; to clean up APIs hindering new work. Also includes n-tier delegation support and non-browser based authentication.<\/p>\n<p>Discovery Service 2.0<\/p>\n<ul>\n<li>incorporation of feedback from JANET funded usability study<\/li>\n<li>support for centralised and page-embedded models<\/li>\n<li>HTML\/CSS\/JavaScript that can be dropped into an SP to render a discovery interface<\/li>\n<\/ul>\n<p>Chad claims that if you give SPs just a snippet of HTML or JavaScript, they are happy to embed it in their interface (not sure about this &#8211; what if they get competing demands from different federations)<\/p>\n<p><strong>N-tier delegation<\/strong><\/p>\n<p>What? 
&#8211; user logs into the portal, and the portal logs into back-end services as the user &#8211; this is delegation<\/p>\n<p>Goals<\/p>\n<ul>\n<li>allow a service to log in to the back-end server as the user<\/li>\n<li>control which services can impersonate the user<\/li>\n<li>keep a complete audit trail of impersonation<\/li>\n<li>and other stuff &#8230; (sorry, missed this)<\/li>\n<\/ul>\n<p><strong>Attribute Aggregation<\/strong><\/p>\n<p>What:<\/p>\n<ul>\n<li>aggregate user attributes from the home organization and other sources such as professional organizations<\/li>\n<\/ul>\n<p>Goals<\/p>\n<ul>\n<li>Allow the SP to pull in attributes from multiple attribute authorities (IdPs)<\/li>\n<li>use existing attribute release\/acceptance policy mechanisms<\/li>\n<\/ul>\n<p>Status<\/p>\n<ul>\n<li>latest SP has support out of the box<\/li>\n<li>2.x IdP has support out of the box<\/li>\n<li>currently only identifiers shared by AAs and SPs are supported<\/li>\n<\/ul>\n<p>Future work<\/p>\n<ul>\n<li>determine if non-shared identifiers are usable\/supportable<\/li>\n<li>determine if IdP-aggregated attributes are useful and tenable<\/li>\n<\/ul>\n<p>How does the SP know where to aggregate attributes from? 
At the moment this can either be hardcoded in the SP or sent from the IdP.<\/p>\n<p>OpenID Support<\/p>\n<p>Goals:<\/p>\n<ul>\n<li>support XRD 1.0, OpenID 2.0, PAPE, Simple Registration, Attribute Exchange<\/li>\n<li>use existing trust layer to create trust between OpenID entities<\/li>\n<li>use existing attribute release mechanism<\/li>\n<\/ul>\n<p>Status<\/p>\n<ul>\n<li>XRD 1.0 now out of community review<\/li>\n<li>basic OpenID 2.0 and PAPE support via proof-of-concept IdP plug-in<\/li>\n<li>trust equal to standard deployment of Shibboleth<\/li>\n<ul>\n<li>OpenID protocol does not support certain advanced trust models<\/li>\n<\/ul>\n<li>No SP support planned<\/li>\n<\/ul>\n<p>Future Work<\/p>\n<ul>\n<li>develop a real IdP plugin based on IdP v3<\/li>\n<\/ul>\n<p><strong>Buzzwords: User-centric identity<\/strong><\/p>\n<ul>\n<li>Two views of user-centric identity<\/li>\n<ul>\n<li>1. Purist &#8211; all data about a person is property of, should be kept by, and should be released by the person &#8211; i.e. OpenID model<\/li>\n<li>2. Identity 2.0: User picks which account and associated data should be used with which service &#8211; i.e. CardSpace model<\/li>\n<\/ul>\n<li>But &#8211; users aren&#8217;t an authoritative or trustable source for most of their data<\/li>\n<li>most users can&#8217;t run their own identity provider<\/li>\n<li>most users have a hard time understanding the relationships between attributes and the service provider<\/li>\n<\/ul>\n<p>The goal should probably be a release consent model added to the Identity 2.0 view &#8211; e.g. 
Shibboleth + uApprove (<a href=\"http:\/\/www.switch.ch\/aai\/support\/tools\/uApprove.html\">http:\/\/www.switch.ch\/aai\/support\/tools\/uApprove.html<\/a>)<\/p>\n<p><strong>Buzzwords: CardSpace<\/strong><\/p>\n<p>CardSpace generally refers to two things:<\/p>\n<ul>\n<li>Microsoft&#8217;s evolution of Passport into a decentralized service &#8211; known by MS as the &#8216;identity metasystem&#8217;<\/li>\n<li>Microsoft&#8217;s client for the service is the only thing that Microsoft calls CardSpace<\/li>\n<\/ul>\n<p>Primary focus on avoiding phishing.<\/p>\n<p>However &#8211; Microsoft is now doing a server-side implementation called &#8216;Geneva&#8217; &#8211; which is the non-interoperable, spiritual successor to ADFS. This does not currently interoperate with other products &#8211; including MS&#8217;s own CardSpace selector.<\/p>\n<p>MS-hosted &#8216;cloud&#8217; Exchange, SharePoint and storage services have Geneva support &#8211; and SharePoint 2010 will have support as well.<\/p>\n<p>MS have asked the Shibboleth team to add Geneva support &#8211; which they would do if MS would actually make the specification available!<\/p>\n<p><strong>Buzzwords: OAuth<\/strong><\/p>\n<p>OAuth is an access delegation protocol:<\/p>\n<ul>\n<li>You log in to Service B. Service B wants your information from Service A. You log in to A, get a token, and give it to B. 
B uses the token to get information from A.<\/li>\n<li>OAuth is independent of the means by which a user is authenticated and of the format of the token<\/li>\n<ul>\n<li>so OAuth is orthogonal to federated identity management (although you could use things like n-tier delegation to achieve this)<\/li>\n<\/ul>\n<li>OAuth is currently under-specified<\/li>\n<ul>\n<li>creating interoperable implementations tends to be a trial-and-error exercise<\/li>\n<li>IETF WG attempting to provide a clearer standard <a href=\"http:\/\/www.ietf.org\/dyn\/wg\/charter\/oauth-charter.html\">http:\/\/www.ietf.org\/dyn\/wg\/charter\/oauth-charter.html<\/a><\/li>\n<\/ul>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Chad La Joie &#8211; from SWITCH Shibboleth 1.3 reaches end of life on June 30th 2010 &#8211; there will be absolutely no support after this time &#8211; so you should be planning to have upgraded to Shib 2.0 by this date! 
Next release of Shibboleth IdP is 3.0 &#8211; this is not a major rewrite [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[37],"class_list":["post-604","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-fam09"],"_links":{"self":[{"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/posts\/604","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/comments?post=604"}],"version-history":[{"count":2,"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/posts\/604\/revisions"}],"predecessor-version":[{"id":614,"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/posts\/604\/revisions\/614"}],"wp:attachment":[{"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/media?parent=604"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/categories?post=604"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/tags?post=604"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}