Shibboleth Identity Provider Version 3

Shibboleth Identity Provider Version 3
Scott Cantor, The Ohio State University

A Bit of History
- Version 1 (2003 - 2008): SAML 1, inventing a lot of concepts on the fly
- Version 2 (2008 - 2015): SAML 2, harmonizing two protocols
- Version 3 (2015 - ?): focus on design, deployability, and sustainability over features

Why Upgrade?
- Compelling reasons for you: easier UI and login customization, error handling, simpler clustering, attribute release consent, easier handling of vendor quirks, much improved update process, CAS protocol support
- Compelling reasons for us: up-to-date library stack, much easier to deliver future enhancements, V2 maintenance is a drain on limited resources
- A practical reason: V2 maintenance ends July 2016; you don't have to upgrade, but you can't stay here

User Interface
- Leverages "views" from Spring Web Flow
- Views can be Velocity templates, JSP pages, potentially others
- Most views are Velocity by default so they can be modified on the fly, including example login/logout/error templates
- Spring message properties: reusable macros across views (e.g., logo paths, titles, organization names, etc.); can be internationalized to a browser's primary language
- Velocity views generally live in idp.home/views
- Message properties are in idp.home/messages; to internationalize, add a translation file such as authn-messages_fr.properties (French, for example)

Error Handling
- WebFlow is event-driven, so most errors are "events", e.g., "MessageReplay"
- Events can be classified by you as Local or non-Local; local means "don't issue a response back to the requester"
- Error view(s) are under your control; an example view is provided that uses message properties to map events into different error content
- You can reuse the example, roll your own, map events to different views, etc.
- https://wiki.shibboleth.net/confluence/display/IDP30/ErrorHandlingConfiguration
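One way to express the Local/non-Local classification and the event-to-view mapping described on this slide, as an added example that is not part of the presentation. It assumes the IdP v3 conf/errors.xml layout with the bean ids shibboleth.EventViewMap and shibboleth.LocalEventMap (recalled from the stock file, so check them against the linked wiki page); the view name replay-error is a constructed placeholder for a template you would add under idp.home/views.

```xml
<!-- Constructed fragment for idp.home/conf/errors.xml.
     Assumption: bean ids shibboleth.EventViewMap and shibboleth.LocalEventMap
     match the stock IdP v3 file. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- WebFlow event id -> view name. Events not listed here fall through
         to the default error view. "replay-error" is a placeholder for a
         constructed idp.home/views/replay-error.vm template. -->
    <util:map id="shibboleth.EventViewMap">
        <entry key="MessageReplay" value="replay-error" />
    </util:map>

    <!-- Events set to "true" are Local: the IdP renders the error page to
         the browser only and does not send a protocol error response back
         to the requester. Marking MessageReplay local means a replayed
         request is shown to the user but never answered to the SP. -->
    <util:map id="shibboleth.LocalEventMap">
        <entry key="MessageReplay" value="true" />
    </util:map>

</beans>
```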

Clustering
- Ding-dong, Terracotta's dead
- With one exception, all short/long-term persistent state relies on a StorageService API
- StorageService implementations: in-memory, cookie (*), JPA / database, memcache, Web Storage (work in progress)
- Defaults allow zero-effort clustering with most critical features supported
- https://wiki.shibboleth.net/confluence/display/IDP30/Clustering

Consent
- New feature: interceptor flows
- Security/policy checks run this way invisibly
- Also a "post-authentication" hook for running flows after the user is identified; several built-in examples:
- uApprove-style attribute release consent and terms-of-use flows (the former is on by default on new installs); consent has an enhanced mode for approving each attribute individually
- Context-checking flow that can halt processing if expected conditions aren't met, such as attributes or specific values being available
- https://wiki.shibboleth.net/confluence/display/IDP30/ConsentConfiguration (very incomplete so far)

Vendor Quirks
- Common use cases for integrating vendor SAML implementations are easier and less invasive
- Security settings like digest algorithms can finally be overridden per-SP or per group of SPs
- Assertion encryption can be made "optional" so it turns on whenever possible and off when not (based on metadata)
- Setting up custom NameID formats in a dedicated place
- Attaching custom SAML encoder rules to attribute definitions and limiting them to specific SPs
- https://wiki.shibboleth.net/confluence/display/IDP30/SecurityConfiguration
- https://wiki.shibboleth.net/confluence/display/IDP30/NameIDGenerationConfiguration
- https://wiki.shibboleth.net/confluence/display/IDP30/AttributeResolverConfiguration

Safe Upgrades
- Simpler, safer, robust upgrade process:
  1. Review release notes
  2. Stop service
  3. Unpack, install over top
  4. Rebuild warfile to add back local changes
  5. Start service
- Clearly delineated "system" and "user" config files
- Local warfile overlay to prevent losing webapp changes or additions
- On Windows, Jetty can be installed and managed for you in simple deployments; Unix TBD
- https://wiki.shibboleth.net/confluence/display/IDP30/Upgrading

CAS Protocol
- Major technical goal for the redesign was to facilitate non-SAML / non-XML protocol integration
- CAS was a natural candidate to work on and help prove out the design
- Second phase of work will be integration of CAS features with SAML metadata to unify management/approach
- OpenID, if done, is likely to follow a similar evolution

Work in Progress
- Delivery of V3.2.0 expected late summer
- HTML5 Local Storage support for sessions / consent
- Enhancements for complex authentication extensions
- SAML delegation support
- Lots of other fixes and improvements based on feedback