Shibboleth Deployment Overview


Shibboleth Deployment Overview
Keith Hazelton, University of Wisconsin-Madison
Internet2 MACE, Broomfield, Colorado, 28-June-04

Shibboleth v1.2 Deployment Overview
- Identity Provider (Origin) deployment
  - Authentication/identifier assertion phase: components and dependencies
  - Identity attribute assertion phase
- Service Provider (Target) deployment
- Two scenarios for each:
  - Shib "classic" e-Lib: accessing licensed resources
  - Shib federation across a state system: shared services
2/24/2019 2

Identity Provider / (Origin)
[Diagram: Identity Provider (Origin) with its Handle Service ("HS") and Attribute Authority; Service Provider; Browser User. IdP components run on Apache (1.3 or 2.0) / Tomcat web server / servlet container]

Identity Provider / (Origin): AuthN, Identifier
[Diagram: the campus WebISO authenticates the user for the Identity Provider's Handle Service ("HS"); Attribute Authority alongside; both on Apache (1.3 or 2.0) / Tomcat web server / servlet container]

WebISO requirements from Shib
- The campus WebISO can authenticate a set of users based on locally issued/registered credentials
- The open source WebISO package PubCookie is mentioned in the "Origin" Deployment Guide. For details and download, see http://middleware.internet2.edu/webiso/

WebISO alternatives
- End-user PKI certificates work fine, too (configurable filter)
- There are ways to support multiple AuthN methods with failover (see the poster session on "World's Smallest WebISO")

WebISO requirements from Shib (cont.)
- The campus WebISO can authenticate a set of users based on locally issued/registered credentials
  - Are all the people who should get the licensed resources included?
  - Do the policies governing accounts and credentials keep the service provider's risk at an acceptable level?
- Have you got a WebISO? Which one? Are you shopping?

Shib assumes core middleware, including Identity Management (IdM) services
[Diagram: Student, Human Resources and other systems of record feed metadirectory processes and a Registry, which maintain the LDAP Enterprise Directory that the campus WebISO relies on]

Identity Provider middleware
[Diagram: campus WebISO and Enterprise Directory behind the Handle Service ("HS") and Attribute Authority, on Apache (1.3 or 2.0) / Tomcat web server / servlet container]

Identity Provider / (Origin): attribute assertion phase
[Diagram: the Service Provider queries the Identity Provider's Attribute Authority; Handle Service ("HS") and Attribute Authority on Apache (1.3 or 2.0) / Tomcat web server / servlet container; Browser User]

Attribute Authority (AA) <–> Ent. Directory
Shib AA deployment issues:
- Configure the AA to connect to the Enterprise Directory
  - Data connectors can be JNDI-based or JDBC-based (XML-configurable), or custom user plug-ins
- Map directory attributes to SAML attributes

Attribute Authority (AA) <–> Ent. Directory
Fragment of ..conf/origin.xml
[configuration listing not preserved in this transcript]

Attribute Authority (AA) <–> Ent. Directory
Resolver links named attributes to specific data connectors:
[configuration listing not preserved in this transcript]

Attribute Authority (AA) <–> Ent. Directory
…and specifies the connector (here JNDI LDAP):
[configuration listing not preserved in this transcript]

Attribute Authority (AA) <–> Ent. Directory
…and specifies the connector (here JDBC SQL):
[configuration listing not preserved in this transcript]

Attribute Authority (AA) <–> Ent. Directory
Shib AA deployment issues, cont.:
- Comply with the Attribute Release Policy (ARP) in determining which service providers get which attributes
  - Federation rules are given
  - Bilateral rules need to be worked out and agreed to

Attribute Authority (AA) <–> Ent. Directory
Ah, yes, data access policy
- This may drag stakeholders kicking and screaming into the room to confront policy
- How you manage this will be key to successful deployment
- The big, friendly "DON'T PANIC" on the InCommon Book may help

Attribute Authority (AA) <–> Ent. Directory
- Shib can transport any attribute; it is up to sender and receiver to agree on its semantics ("simple matter of configuration")
- Some of the newer attributes:
  - eduPersonTargetedID, if you want a persistent identifier that is nonetheless specific to a given Identity Provider-Service Provider pair (so two service providers cannot correlate the same user)
  - Course-related attributes: a URN-based identifier guideline for course offerings is near; eduCourse is coming
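The AA slides above (data connectors, the resolver that links named attributes to connectors, the ARP with federation and bilateral rules, and eduPersonTargetedID) are shown below in one standalone Python model. This is an added example, not code from the slides or from the Shibboleth project: the JNDI/LDAP and JDBC/SQL connectors are simulated with constructed in-memory data, and the providerIds, the scope, the secret salt, the eduCourseMember attribute name and the HMAC-based pseudonym construction are all assumptions of the example.

```python
"""Attribute resolution and release at a Shibboleth 1.x-style Attribute Authority.

Standalone model, not Shibboleth's own code: the JNDI/LDAP and JDBC/SQL data
connectors are simulated with constructed in-memory data, named SAML
attributes are resolved from them, eduPersonTargetedID is derived as a
pairwise pseudonym, and an Attribute Release Policy (ARP) decides which
Service Provider receives which attributes (and which values).
"""
import hashlib
import hmac

# Assumed identifiers for the example.
IDP_PROVIDER_ID = "urn:mace:example-state:idp.example-campus.edu"
SCOPE = "example-campus.edu"
ELIB_SP = "urn:mace:example-state:elib.example.org"       # licensed e-resources
LMS_SP = "urn:mace:example-state:lms.example-campus.edu"  # shared course system
FEDERATION_MEMBERS = {ELIB_SP, LMS_SP}
TARGETED_ID_SALT = b"rotate-me-and-keep-me-secret"        # assumed per-IdP secret
SAML = "urn:mace:dir:attribute-def:"

# Constructed enterprise directory entries (stand-in for the JNDI LDAP connector).
LDAP_DIRECTORY = {
    "jdoe": {"eduPersonAffiliation": ["student", "member"],
             "mail": ["jdoe@example-campus.edu"]},
    "rroe": {"eduPersonAffiliation": ["faculty", "member"],
             "mail": ["rroe@example-campus.edu"]},
}
# Constructed course-enrollment rows (stand-in for the JDBC SQL connector).
COURSE_TABLE = {
    "jdoe": ["urn:mace:example-campus.edu:course:cs101:2004fall"],
    "rroe": [],
}

# Resolver: SAML attribute name -> (connector kind, source field).
RESOLVER = {
    SAML + "eduPersonAffiliation": ("ldap", "eduPersonAffiliation"),
    SAML + "eduPersonScopedAffiliation": ("scoped", "eduPersonAffiliation"),
    SAML + "mail": ("ldap", "mail"),
    SAML + "eduCourseMember": ("jdbc", "course"),   # assumed course attribute name
    SAML + "eduPersonTargetedID": ("targeted", None),
}

ANY = None   # ARP value filter meaning "release every value"
# Attribute Release Policy: "*" holds the federation-wide rules given to every
# member SP; named entries are the bilateral rules worked out with one SP.
ARP = {
    "*": {SAML + "eduPersonScopedAffiliation": ANY,
          SAML + "eduPersonTargetedID": ANY},
    ELIB_SP: {SAML + "mail": ANY},
    LMS_SP: {SAML + "eduCourseMember": ANY,
             # value-level rule: the LMS learns student/faculty, never bare "member"
             SAML + "eduPersonAffiliation": {"student", "faculty"}},
}


def targeted_id(principal: str, sp: str) -> str:
    """Pairwise pseudonym: stable for (IdP, SP, principal), different per SP.

    Assumed construction: HMAC-SHA256 under a secret salt. Shibboleth 1.x
    derived the value from a salted hash of providerId and principal in the
    same spirit; the exact recipe here is this example's, not the project's.
    """
    msg = f"{IDP_PROVIDER_ID}!{sp}!{principal}".encode()
    return hmac.new(TARGETED_ID_SALT, msg, hashlib.sha256).hexdigest()[:40]


def resolve(principal: str, sp: str) -> dict:
    """Run every resolver entry against its data connector; drop empty attributes."""
    entry = LDAP_DIRECTORY.get(principal)
    if entry is None:
        raise KeyError(f"no directory entry for {principal!r}")
    attrs = {}
    for name, (connector, field) in RESOLVER.items():
        if connector == "ldap":
            attrs[name] = list(entry.get(field, []))
        elif connector == "scoped":
            attrs[name] = [f"{v}@{SCOPE}" for v in entry.get(field, [])]
        elif connector == "jdbc":
            attrs[name] = list(COURSE_TABLE.get(principal, []))
        elif connector == "targeted":
            attrs[name] = [targeted_id(principal, sp)]
    return {name: values for name, values in attrs.items() if values}


def release(principal: str, sp: str) -> dict:
    """Apply the ARP: federation rules first, then the SP's bilateral rules."""
    if sp not in FEDERATION_MEMBERS:
        return {}                       # unknown requester: release nothing
    rules = dict(ARP["*"])
    rules.update(ARP.get(sp, {}))
    released = {}
    for name, values in resolve(principal, sp).items():
        if name not in rules:
            continue                    # attribute not covered by any rule
        allowed = rules[name]
        kept = values if allowed is ANY else [v for v in values if v in allowed]
        if kept:
            released[name] = kept
    return released


if __name__ == "__main__":
    for sp in (ELIB_SP, LMS_SP):
        print(sp)
        for name, values in release("jdoe", sp).items():
            print("  ", name[len(SAML):], values)
```

Two properties are worth checking in any real deployment: an SP that is not in the federation metadata gets nothing at all (not just "no bilateral attributes"), and the same user's eduPersonTargetedID differs between the e-Lib SP and the LMS while staying constant on repeat visits to either one.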

Service Provider / (Target)
[Diagram: Service Provider (Target) with Identity Provider and Browser User; the SP runs on Apache (1.3 or 2.0) / Tomcat web server / servlet container, or IIS 5.x or 6]

Shib features for Service Providers
- WAYF for federations; other options configurable
- The authentication method used at the Identity Provider can be passed along in the assertion, so the Service Provider can fine-tune its risk management
- A site may have a public face with specific links that invoke Shib

Services you might not have thought of Shibbing
Roaming access to WLAN
- http://www.terena.nl/conferences/tnc2004/programme/presentations/show.php?pres_id=165 (Mikael Linden, CSC, the Finnish IT center for Science)
- A RADIUS-based access controller is a Shibboleth target
- The network access control decision is based on the user's "home" attributes
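The Service Provider side of the two preceding slides (using the asserted authentication method for risk management, and deciding access, whether to a web resource or to the WLAN via a RADIUS-based target, from the user's home attributes) is modelled below. This is an added example, not the Shibboleth SP's code: the federation metadata, the resource policy, the assertion layout and the strength ranking of the SAML 1.1 AuthenticationMethod identifiers are assumptions of the example. It also shows a check a deployer wants in practice: a scoped affiliation is only honoured when the asserting IdP is authoritative for that scope.

```python
"""Service Provider access decisions from a Shibboleth 1.x-style assertion.

Standalone model, not the Shibboleth SP's code: scoped attribute values are
accepted only when the asserting Identity Provider is authoritative for that
scope (per constructed federation metadata), then a per-resource policy checks
the required affiliation and the minimum strength of the SAML 1.1
AuthenticationMethod the IdP reported. The same shape fits a web resource and
a RADIUS-based access controller deciding WLAN access.
"""

# SAML 1.1 AuthenticationMethod identifiers, ranked by a strength this example assumes.
AUTHN_STRENGTH = {
    "urn:oasis:names:tc:SAML:1.0:am:unspecified": 0,
    "urn:oasis:names:tc:SAML:1.0:am:password": 1,
    "urn:ietf:rfc:1510": 2,                              # Kerberos
    "urn:ietf:rfc:2246": 3,                              # TLS client certificate
    "urn:oasis:names:tc:SAML:1.0:am:X509-PKI": 3,
    "urn:oasis:names:tc:SAML:1.0:am:HardwareToken": 3,
}
PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
TLS_CERT = "urn:ietf:rfc:2246"
SCOPED_AFF = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"

# Constructed federation metadata: the scopes each IdP is allowed to assert.
CAMPUS_A = "urn:mace:example-state:idp.campusa.edu"
CAMPUS_B = "urn:mace:example-state:idp.campusb.edu"
IDP_SCOPES = {
    CAMPUS_A: {"campusa.edu"},
    CAMPUS_B: {"campusb.edu"},
}

# Constructed resource policy: acceptable affiliations and minimum authn strength.
RESOURCES = {
    "/elib/journals": {"affiliations": {"member", "student", "faculty", "staff"}, "min_authn": 1},
    "/grades/admin": {"affiliations": {"faculty", "staff"}, "min_authn": 3},
    "wlan": {"affiliations": {"member", "student", "faculty", "staff"}, "min_authn": 1},
}


def make_assertion(issuer, authn_method, scoped_affiliations):
    """Constructed stand-in for the parsed assertion the SP receives."""
    return {"issuer": issuer, "authn_method": authn_method,
            "attributes": {SCOPED_AFF: list(scoped_affiliations)}}


def accepted_affiliations(assertion):
    """Keep only scoped values whose scope the issuing IdP may assert (scope filtering)."""
    allowed_scopes = IDP_SCOPES.get(assertion["issuer"], set())
    accepted = set()
    for value in assertion["attributes"].get(SCOPED_AFF, []):
        affiliation, sep, scope = value.partition("@")
        if sep and scope.lower() in allowed_scopes:
            accepted.add(affiliation)
    return accepted


def authorize(resource, assertion):
    """Return (allowed, reason) for one request; every denial names its cause."""
    policy = RESOURCES.get(resource)
    if policy is None:
        return False, "unknown resource"
    if assertion["issuer"] not in IDP_SCOPES:
        return False, "issuer not in federation"
    strength = AUTHN_STRENGTH.get(assertion["authn_method"], 0)
    if strength < policy["min_authn"]:
        return False, "authentication method too weak"
    if not accepted_affiliations(assertion) & policy["affiliations"]:
        return False, "no acceptable affiliation"
    return True, "ok"


if __name__ == "__main__":
    student = make_assertion(CAMPUS_A, PASSWORD, ["student@campusa.edu"])
    for resource in RESOURCES:
        print(resource, authorize(resource, student))
```

The ordering of the checks matters for what an attacker learns: issuer membership is verified before anything in the assertion body is trusted, an unknown method is treated as the weakest rather than rejected outright (so a policy with min_authn 0 still admits it), and a CampusA IdP asserting faculty@campusb.edu gets that value silently dropped rather than acted on.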

Services you might not have thought of Shibbing
Portal as Shib service
- Apache in front of the Portal on Tomcat
- Other approaches under consideration; see the Wed. a.m. session, John Paschoud

Coming Shib features for Service Providers
PKI-based direct-to-target scenario
- The certificate would contain a (possibly opaque) subject id and an identifier for the associated Identity Provider
- This would eliminate the first several steps in the classic Shib flow diagram: the first Service Provider contact with the Identity Provider would be the request for attributes
- Lots of points of agreement to be worked out

Multi-campus system deployment model 1
[Diagram: one Identity Provider per campus (CampusA through CampusE IdProv); a Service Provider at CampusB on Apache (1.3 or 2.0) / Tomcat web server / servlet container, or IIS 5.x or 6; Browser User]

Multi-campus system deployment model 1
- One Identity Provider per campus (vs. the system IdP model)
- Create a system federation (some policy and configuration work here)
- Any campus can put up a Shibbed service, or a system library can offer system-licensed resources
- Each campus retains control of Identity Management: the high-autonomy model

Multi-campus system deployment model 2
[Diagram: a single system-level Identity Provider fed by campus directories (CampusA Dir, CampusB Dir, CampusC Dir) and serving several Service Providers; Browser User]

Multi-campus system deployment model 2
- System-level Identity Provider model
- Significant campus-to-system metadirectory infrastructure
- Create a system federation (some policy and configuration work here)
- Any campus can put up a Shibbed service, or a system library can offer system-licensed resources
- More seamless "system citizen" experience

Coming: Shib breaks free of the browser
- A number of open source projects are exploring this space (details in the afternoon session)
- Ongoing work on a Java implementation of the Service Provider components of Shibboleth will really open the door

Q & A
Which of these issues seem tough to you?
Lunch BoFs