Presentation is loading. Please wait.

Presentation is loading. Please wait.

Integrating with UCSF’s Shibboleth system

Published byReynard Higgins Modified over 8 years ago

Similar presentations

Presentation on theme: "Integrating with UCSF’s Shibboleth system"— Presentation transcript:

1 Integrating with UCSF’s Shibboleth system
MyAccess Workshop Integrating with UCSF’s Shibboleth system Elliot Kendall, ITS MyAccess Workshop July 16, 2007

2 Introduction Elliot Kendall, ITS Identity and Access Management (IAM)
Started at UCSF in July Previously ran web single-sign on at Emory and Brandeis Interested in Information Security and Systems Automation Please ask questions! You don’t need to wait until the end Please stop me if there’s something you want to ask

3 What MyAccess does Single sign-on User Information Federation Security
Enter your password once, access many resources User Information Tells the application the name, address, etc. of the logged in user Federation Use your UCSF credentials to log into non-UCSF systems, and let others log into your systems Security Applications and sites don’t see your password, just that you are logged in

4 MyAccess and Shibboleth
MyAccess is UCSF-branded Shibboleth Shibboleth is an Internet2 project to support federated authentication among colleges and universities Shibboleth is an implementation of SAML Security Assertion Markup Language An XML-based protocol for federated authentication MyAccess works with Shibboleth or other SAML Most universities use Shibboleth, but we can integrate with anything that supports SAML This workshop will focus on Shibboleth

5 Terms and concepts Identity Provider (IdP) Service Provider (SP)
What users log into Displays login page, validates username and password, looks up attributes about the user Tells SPs who is logged in Service Provider (SP) Protects an application or website Sends users to the IdP to authenticate Reads the attribute information from the IdP

6 How it works User is not logged in MyAccess (IdP) PeopleSoft (SP)
Visit PeopleSoft website User’s Browser

7 How it works MyAccess (IdP) PeopleSoft (SP)
SAML request is from a trusted SP Redirect to IdP with encrypted SAML request Visit IdP with encrypted SAML request from SP User’s Browser

8 How it works MyAccess (IdP) PeopleSoft (SP) Display login page
User’s Browser

9 How it works MyAccess (IdP) PeopleSoft (SP) Send username and password
User’s Browser

10 How it works SAML response is from a trusted IdP MyAccess (IdP)
PeopleSoft (SP) Visit PeopleSoft website with encrypted SAML response from IdP Redirect to PeopleSoft website with encrypted SAML response User’s Browser

11 How it works MyAccess (IdP) PeopleSoft (SP)
Return logged in PeopleSoft page User’s Browser

12 Terms and concepts Metadata Federation
To communicate securely, the IdP and SP must have a copy of one another’s metadata Contains cryptographic public keys and URLs to redirect the user’s browser to Federation A group of organizations that wants to be able to cross-authenticate Essentially just a big collection of metadata UCSF is part of InCommon, a federation of US colleges, universities, and companies that work with them; and UCTrust, which includes all UC schools

13 Hands on Setting up your own SP Warning: technical detail ahead!
To integrate with MyAccess, you or your vendor needs to set up and configure an SP to talk to our IdP We’ll go through the process of a simple integration step by step, using the VMware image you received before class. This is a simplified example! Please do not use these instructions to set up a production SP! Warning: technical detail ahead! The VM is running Linux. You will need to use a command line interface, although we will tell you what to type. You will need to edit XML files, although we will provide detailed instructions

14 Booting the VM If you have not already, please start the VM now
Once it finishes starting up, log in with username root and password ucsf Run a terminal (second icon from the left at the bottom of the screen) This VM is running CentOS 5 (almost the same as RedHat Enterprise 5) No special configuration has been done. We’ll do everything necessary to integrate with MyAccess The steps are different for different operating systems, but the concepts are the same

15 Installing Shibboleth
Enable an external package repository In the terminal, type: wget -O /etc/yum.repos.d/shibboleth.repo That’s goo.gl as as “Google” Install the Shibboleth SP package yum –y install shibboleth

16 Configuring Shibboleth
Look at some configuration files Leave the terminal open, but start the text editor (to the right of the terminal icon) To open a file, go to File -> Open and start typing the name, or browse from File System under Places Open /etc/httpd/conf.d/shib.conf. This file controls how the Apache web server interacts with Shibboleth. Note the <Location> block that specifies that the /secure path will be protected. We don’t need to make any changes for this example. Open /etc/shibboleth/shibboleth2.xml. This file controls the guts of the SP. There’s a lot in here, but you don’t need to worry about most of it. Don’t be intimidated.

17 Configuring Shibboleth
Find <ApplicationDefaults entityID= For entityID, enter followed by your AD username. For example, Find <SSO entityID= For entityID, enter: Find <MetadataProvider type="XML" file= For file, enter idp-metadata.xml Remove the <!-- and --> lines just before and after Save the file

18 Starting the SP Download a copy of the IdP metadata
wget -O /etc/shibboleth/idp-metadata.xml Start the SP and web server /etc/init.d/shibd start /etc/init.d/httpd start Log into your SP Open Firefox (globe icon, second from the right) Navigate to What happened? The IdP doesn’t have your SP’s metadata, so it doesn’t know where to send users after they log in

19 Submitting your metadata
Download a copy of your SP’s metadata Make sure you type “https” not “http”! wget --no-check-certificate Submit it In Firefox, go to Upload your Metadata file Wait It’ll take a few minutes for me to add all of your metadata to the IdP

20 Logging in Let’s try it again
In Firefox, go back to What happens this time?

21 A production SP What would be different?
Different path(s) protected in shibd.conf Different IdP – production, not dev (Maybe) load InCommon metadata, not just our IdP Automatically download and validate new metadata on a regular basis Modify your application to look at the REMOTE_USER environment instead of prompting for a username and password Maybe integrate with multiple IdPs so people from outside UCSF can log in

22 Integration process See tiny.ucsf.edu/myaccess Highlights include
Read and agree to division of responsibilities Determine what information you need about users Configure your SP Submit a formal request Wait for data owners to approve information release Communicate to your users Production deployment

23 Questions?

Download ppt "Integrating with UCSF’s Shibboleth system"

Similar presentations

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
RSDB Installation & Configuration

RSDB Installation & Configuration
Secure File Transfer Protocol (SFTP) With Secure Copy (SC) What is a Secure File Transfer Protocol with Secure Copy???

Secure File Transfer Protocol (SFTP) With Secure Copy (SC) What is a Secure File Transfer Protocol with Secure Copy???
NIMAC 2.0: The Accessible Media Producer Portal NIMAC 2.0 for AMPs.

NIMAC 2.0: The Accessible Media Producer Portal NIMAC 2.0 for AMPs.
B: STUDENT DRIVE MOVE INSTRUCTIONS. Using Internet Explorer: From your computers desktop, double click on the Internet Explorer icon. (Internet Explorer.

B: STUDENT DRIVE MOVE INSTRUCTIONS. Using Internet Explorer: From your computers desktop, double click on the Internet Explorer icon. (Internet Explorer.
Welcome to WebCRD.

Welcome to WebCRD.
DSL-2730B, DSL-2740B, DSL-2750B.

DSL-2730B, DSL-2740B, DSL-2750B.
Custom Import Process 2013-2014 School Year.  Legislation requires grades K-12 to report fitness scores to the GA DOE.  GA DOE selected FITNESSGRAM.

Custom Import Process School Year.  Legislation requires grades K-12 to report fitness scores to the GA DOE.  GA DOE selected FITNESSGRAM.
Web Filtering. ExchangeDefender Web Filtering provides policy-controlled protection from dangerous content on the web. Web Filtering is agent based, allowing.

Web Filtering. ExchangeDefender Web Filtering provides policy-controlled protection from dangerous content on the web. Web Filtering is agent based, allowing.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
How to post to Wordpress Chruton Budd. Click on the Login link.

How to post to Wordpress Chruton Budd. Click on the Login link.
Objectives Moodle is an online learning environment where instructors & their students interact. In this workshop you will learn: 1.Configure system requirements.

Objectives Moodle is an online learning environment where instructors & their students interact. In this workshop you will learn: 1.Configure system requirements.
TRIRIGA Anywhere 10.4 Beta Registration Steps

TRIRIGA Anywhere 10.4 Beta Registration Steps
Downloading and Installing AutoCAD Architecture 2015 This is a 4 step process 1.Register with the Autodesk Student Community 2.Downloading the software.

Downloading and Installing AutoCAD Architecture 2015 This is a 4 step process 1.Register with the Autodesk Student Community 2.Downloading the software.
Radoncssi.org Google based IT infrastructure Alf Siochi.

Radoncssi.org Google based IT infrastructure Alf Siochi.
Hosted Exchange 2007. The purpose of this Startup Guide is to familiarize you with ExchangeDefender's Exchange and SharePoint Hosting. ExchangeDefender.

Hosted Exchange The purpose of this Startup Guide is to familiarize you with ExchangeDefender's Exchange and SharePoint Hosting. ExchangeDefender.
Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.

Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.
This presentation will guide you though the initial stages of installation, through to producing your first report Click your mouse to advance the presentation.

This presentation will guide you though the initial stages of installation, through to producing your first report Click your mouse to advance the presentation.
LGC Website and Customer On-line Tools LGC RESOURCE 2014.

LGC Website and Customer On-line Tools LGC RESOURCE 2014.
Panorama High School E.G.P./ Training to Put Students’ Grades on the Website Wednesday, September 29, 2010 1.

Panorama High School E.G.P./ Training to Put Students’ Grades on the Website Wednesday, September 29,

Similar presentations

Ads by Google