Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT Services Shibboleth Single Sign-On overview. Overview What/where/why? The UK-Federation/Registration Terminology Configuration Protecting Content Benefits.

Published byBrook Heath Modified over 7 years ago

Similar presentations

Presentation on theme: "IT Services Shibboleth Single Sign-On overview. Overview What/where/why? The UK-Federation/Registration Terminology Configuration Protecting Content Benefits."— Presentation transcript:

1 IT Services Shibboleth Single Sign-On overview

2 Overview What/where/why? The UK-Federation/Registration Terminology Configuration Protecting Content Benefits for Application Developers Setting up Shibboleth on a web server (demo)

3 What/where/why Shibboleth? What? Web Single Sign-On system Separates authentication + authorisation Where? Websites/web applications (+ mobile applications) eJournals Why? Single University username and password Log in once, access everything Lightweight development of personalised content

4 Central store for Shibboleth registrations Automatic integration Federated trust Institutions/organisations sign up Separate registration for each service Enables inter-institutional collaboration (using University username and password) The UK-Federation/Registration http://www.ukfederation.org.uk/library/uploads/Documents/overview.pdf

5 User types their password once per browser session (or not at all) SPs trust the IdP’s assertion of user identity and other information Terminology: IdP/SP e.g. Website/webapp/eJournal Our “gateway” login server

6 Accesses to other SPs go through the same flow but the user doesn’t have to login to the IdP again Terminology: Single Sign-on e.g. Website/webapp/eJournal Our “gateway” login server

7 Attributes – things about a person (forename/department etc.) Most come from a database on the IdP updated nightly from IDFS Group memberships come from the Active Directory updated live from Grouper Some standard attributes, some custom to us release everything to Newcastle SPs, minimal to external SPs SAML – Security Assertion Mark-up Language Terminology: Attributes/SAML https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

8 Unique identifier for servers running Shibboleth (IdP or SP) Also referred to as “Relying Party” Not a valid URL Newcastle standard: https://servicename.ncl.ac.uk/shibboleth/metadatahttps://servicename.ncl.ac.uk/shibboleth/metadata e.g. https://blackboard.ncl.ac.uk/shibboleth/metadatahttps://blackboard.ncl.ac.uk/shibboleth/metadata Terminology: EntityID/Metadata <!-- This is a Shibboleth Blackboard Server SP for the University of Newcastle upon Tyne. -->.

9 shibboleth2.xml Main Shibboleth service provider configuration file Mostly won’t need updating once setup * attribute-map.xml Defines how attributes get turned into web server headers Probably never needs updating Service Provider Configuration files <Attribute name=" urn:oid:2.16.840.1.113730.3.1.241 " id="displayname" />

10 Protecting content (mod_shib) Most web applications require authentication Service Provider software can control who can access the pages Programs/programmers (and users) can personalise content

11 shibd.conf – Apache configuration file Protecting content: Linux/Apache Require (attribute from the attribute-map.xml file)

12 Protecting content: Linux/Apache AuthType shibboleth ShibRequireSession On Require grouper_groups Applications:D-NUIT:Mailing_Lists:NUIT_All_Mailing_List AuthType shibboleth ShibRequireSession On Require valid-user Any user User group

13 shibboleth2.xml Protecting content: Windows

14 Protecting content: Windows Any user User group Applications:D- ECLS:ECLS_Auto_StaffContact_Admin

15 Application Developers No authentication code required No user credentials stored Access to live accurate user information Server headers contain headers for personalisation Language and platform independent PHP $_SERVER['Shib-affiliation']; Java HttpServletRequest.getHeader("Shib-affiliation") ASP Request.ServerVariables("HTTP_SHIB_AFFILIATION") Cold Fusion CGI.SHIB_AFFILIATION

16 1.Download/install the Shibboleth SP software - instructions at https://wiki.shibboleth.net/confluence/display/SHIB2/Installation https://wiki.shibboleth.net/confluence/display/SHIB2/Installation 2.Download the attribute-map.xml and shibboleth2.xml files from http://www.ncl.ac.uk/itservice/login-gateway/installing/ --------------------------------- http://www.ncl.ac.uk/itservice/login-gateway/installing/ 3.Edit shibboleth2.xml – replace “servicename.ncl.ac.uk” (test at: https://.ncl.ac.uk/secure) 4.Open an NUService ticket telling us the service address you want us to register. Setting up a Shibboleth Service Provider

17 Authentication dealt with by the IdP Authorisation dealt with by SPs Removes need for apps to authenticate Passwords entered in one place SP configuration in XML or Apache files Access based on user attributes/federated trust Personalised content Access to many resources without re-authentication Lightweight personalisation of content Minimal (none identifiable) information released off-campus, by default Summary

18 Any questions? Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPGettingStarted Our service pages: http://www.ncl.ac.uk/itservice/login-gateway/

Download ppt "IT Services Shibboleth Single Sign-On overview. Overview What/where/why? The UK-Federation/Registration Terminology Configuration Protecting Content Benefits."

Similar presentations

AAI for Apps Using AAI with your Smartphone Daniel Latzer Zürich, April 2013

AAI for Apps Using AAI with your Smartphone Daniel Latzer Zürich, April 2013
Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal 1 1 2 2 4 4 3,6 5 5 7 7 8 8 9 9 1010 1010 DNS Hello User Sample (Gateway)

Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal , DNS Hello User Sample (Gateway)
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
Shibboleth at Newcastle Caleb Racey Webteam ISS Shibboleth experiences Program  Background  What shib has enabled  Benefits of shib  How to do shib.

Shibboleth at Newcastle Caleb Racey Webteam ISS Shibboleth experiences Program  Background  What shib has enabled  Benefits of shib  How to do shib.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Shibboleth & IMPETUS 1.What are they? 2.Demo. Shibboleth - A system to support the sharing of Web resources among organisations IMPETUS - Infrastructure.

Shibboleth & IMPETUS 1.What are they? 2.Demo. Shibboleth - A system to support the sharing of Web resources among organisations IMPETUS - Infrastructure.
Shibboleth access management: a replacement for Athens and more? Mark Norman and Christian Fernau OUCS 21 June 2007.

Shibboleth access management: a replacement for Athens and more? Mark Norman and Christian Fernau OUCS 21 June 2007.
Authentication via campus single sign-on 2012 VIVO Implementation Fest.

Authentication via campus single sign-on 2012 VIVO Implementation Fest.
Www.eduserv.org.uk/openathens Alumni Authentication… Explained Robert Scaysbrook – OpenAthens UK Account Manager.

Alumni Authentication… Explained Robert Scaysbrook – OpenAthens UK Account Manager.
Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.

Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.
SYST 28043 Web Technologies SYST 28043 Web Technologies Installing a Web Server (XAMPP)

SYST Web Technologies SYST Web Technologies Installing a Web Server (XAMPP)
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.

1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.
Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.

Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
OUC204. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

OUC204. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.
Identity Management Report By Jean Carreon and Marlon Gonzales.

Identity Management Report By Jean Carreon and Marlon Gonzales.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

Similar presentations

Ads by Google