Shibboleth Integration
Fairfield University
Michael Graham-Cornell, Director, Computing & Network Services
mgraham-cornell@fairfield.edu
Agenda
- The user experience with Shibboleth (before & after CAS)
- Shibboleth Overview
- What we had
- What we did
- What we have
- Benefits and Gotchas
Initial Shibboleth Implementation
[Flowchart. Nodes: Student accesses mail.student.fairfield.edu; Active Gmail Session? (Yes/No); Active Shibboleth Session? (Yes/No); User logs into Shibboleth; eduPersonPrincipalName; Gmail access granted]
Shibboleth Integrated with CAS
[Flowchart. Nodes: Student accesses fairfield.edu/gmail; Active Gmail Session? (Yes/No); Active Shibboleth Session? (Yes/No); Active CAS Session? (Yes/No); User logs into CAS; eduPersonPrincipalName; Gmail access granted]
Overview of Shibboleth
What We Had
- Banner (Identity System of Record)
- Sun Identity Manager (Identity Provisioning)
- Sun Directory Server (LDAP)
- Shibboleth Identity Provider (IdP)
- Gmail Service Provider (SP)
- Library Database Provider (SP)
What We Did
- Install CAS in Test
- Install CAS Service Manager
- CASify Shibboleth
Benefits
- CAS very secure and robust SSO environment
- CAS easily integrated into PHP and .NET applications (preferred for in-house authentication)
- We now support CAS and Shibboleth Service Providers – very flexible and easy to configure
- Only authorized service providers can authenticate
- Legacy applications can still authenticate through LDAP, but are rapidly being “CASified”
- Banner Forms, Self-Service, Workflow and BDMS use CAS authentication
What’s Better, CAS or Shibboleth?
- Whatever works!
- Actually, the initial framework is a challenge for both implementations.
- However, adding new service providers is MUCH EASIER with CAS than with Shibboleth.