Shibboleth and InCommon Copyright Texas A&M University 2008. This work is the intellectual property of the author. Permission is granted for this material.

Presentation transcript:

Shibboleth and InCommon Copyright Texas A&M University This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Flexible Access Control: Shibboleth and the InCommon Federation
Michael Bolton, Xavier Chapa, Texas A&M University

Why We Are Here
Recently installed Shibboleth and joined InCommon. We would like to share with you the experience and let you know it really works. And, it works really well.

Our Initial Goals
- Explore use of Shibboleth
- Gain experience with Federations
- Join InCommon
- Support Texas Digital Library Project

Shibboleth Overview
- Shibboleth is Federated Identity Management
- Built on the concept of an Identity Provider and a Service Provider
- Preserves privacy and anonymity

Shibboleth Diagram

Why We Like Shibboleth
- Built on standards – implementing standards
- Secure connections to Service Providers
- Clear, controlled attribute release
- Tailored to application
- Flexible integration with SSO
- Easy to manage

How we use Shibboleth
The General Case:
- CAS is authentication and SSO
- Shibboleth is attribute release

What is InCommon
- Higher Ed Federation of Identity and Service Providers
- Growing Number of Participants
- Common Framework for Accessing Sites

InCommon

Why This Approach
- Shibboleth and InCommon are standards in higher education.
- We have a common framework to build in and on.
- Can easily leverage existing work and effort.

Start with a Plan
- What do you want to do
- What do you need to do it
- Realize what you are doing
- Integrate with existing infrastructure
- Wealth of knowledge out there

Work the Plan
1. Install and test Shibboleth
2. Add Service Provider
3. Add InCommon
Not intended as a rigid plan, but it adds a little structure for your deployment.

CAS - Shibboleth

Install Shibboleth IdP
- Started with 1.3
- Deployed on Linux, and not all Linux distributions are the same
- CAS as SSO Solution
- LDAP based
- Use the Web (for help and support)

Test Initial Deployment
- Used a simple application to verify operation of Shibboleth
- Used our applications for debugging
- Made sure Shibboleth was running and we knew how to use it

Simple ENV Application

Customize Site
- Update and change pages for your institution
- Read the guide on what needs updating
- Branding is an ongoing project
- You are now an operational Shibboleth site

Join InCommon
- Fill out the contract
- Study the Federation Operating Practices and Procedures
- Complete the Participant Operational Practices
- Work with your Legal and Contracts departments

POP: Participant Operational Practices
- Participant Information
- Credential Provider Information
- Electronic Identity Credentials
- …

Test Connections
- Build on step one, your local Shibboleth deployment
- Will be added to InCommon WAYF
- Use Shibboleth test/reference site

It Worked!

Staying in InCommon
- Watch the fee schedule
- Remember your password
- Vetted process – know the players
- Keep documentation current (POP, etc.)

MetaData
- MetaData is key for Shibboleth
- Need to update frequently, or better yet, regularly
- Out of sync MetaData causes a lot of problems

Managing MetaData
- We used virtual hosts for the various federations we plan to join or are joining
- Keep your documentation straight
- Monitor the process – make sure it is running
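One way to monitor the metadata process the slides describe, as an added example that is not part of the presentation or of the Shibboleth software: a small check that a federation metadata aggregate (SAML 2.0 metadata, as InCommon publishes) has not passed its validUntil stamp, is not about to, and still contains the partner entityIDs you depend on. The metadata document and entityIDs below are constructed for the example.

```python
# Added example (not from the presentation): verify that a SAML 2.0 metadata
# aggregate consumed by a Shibboleth IdP is still valid and lists expected partners.
# The sample aggregate and the entityIDs in it are constructed for this example.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed two-entity aggregate with an explicit validUntil stamp.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD_NS}" Name="urn:mace:example-federation"
    validUntil="2008-03-01T00:00:00Z">
  <EntityDescriptor entityID="https://idp.example.edu/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

def parse_stamp(stamp):
    """SAML metadata time stamps are ISO 8601 in UTC, e.g. 2008-03-01T00:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_metadata(xml_text, now_stamp, expected_entities, warn_within=timedelta(days=2)):
    """Report whether the aggregate is expired or close to it, how many entities
    it carries, and which expected entityIDs are missing from it."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntitiesDescriptor":
        raise ValueError("not a SAML 2.0 EntitiesDescriptor")
    valid_until = parse_stamp(root.attrib["validUntil"])
    remaining = valid_until - parse_stamp(now_stamp)
    present = {e.attrib["entityID"] for e in root.findall(f"{{{MD_NS}}}EntityDescriptor")}
    return {
        "valid_until": root.attrib["validUntil"],
        "expired": remaining <= timedelta(0),
        "refresh_soon": timedelta(0) < remaining <= warn_within,
        "entity_count": len(present),
        "missing": sorted(set(expected_entities) - present),
    }

if __name__ == "__main__":
    # Run as a cron job against the freshly downloaded file and alert on
    # "expired", "refresh_soon" or a non-empty "missing" list.
    print(check_metadata(SAMPLE_METADATA, "2008-02-28T12:00:00Z",
                         ["https://sp.example.org/shibboleth"]))
```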

InCommon Metadata

Keep up with Sites

Build a Production System
- Added redundancy for Shibboleth
- Redundant LDAP and Kerberos servers
- Separated testing and production
- Use good certificates

System Diagram

Our Next Goal
- Make it easy to use WebAssign
- First pass – authenticate existing ids
- Second pass – just add classes to WebAssign site

Keys To Project
- Need the data
- Need a schema
- Need to negotiate the attribute release
- Following a naming convention

Called WebAssign
- Worked with Brian (WebAssign)
- Used Certificate Information from InCommon Federation MetaData
- Agreed on format of elements released

Leverage Existing Data
- Had course data in Oracle
- Used for SYMPA mailing lists
- Maintained on semester basis
- Had remaining essential data in LDAP
- Updated nightly

Accessing the Data
- Updated Resolver
- Added JDBC Connector to Shibboleth
- Developed ARP for WebAssign
- Check your logs

Have a Schema
- Deployed EduPerson
- Deployed EduCourse
- Researched and used appropriate attributes

Update Shibboleth
- Update the resolver.xml file to add your data sources
- Update the arp.xml for attribute release
- Names matter
- Restrict the access whenever possible

Resolver.XML

Arp.xml

AAP.xml

Attribute Release
- Declared WebAssign valid academic use of data
- Watch the use of eduPersonTargetedID
- Need to maintain privacy and protect restricted or confidential data

What’s In a Name
Sample Course Identifier: urn:mace:tamu.edu:crs:2007C:TEST209504
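The per-service release restriction, the privacy point about attribute release and the course naming convention from the last three slides, modelled together as an added example. This is not the Shibboleth ARP implementation and not Texas A&M's policy; the SP entityIDs, the release policy, the user record and the assumption that eduCourseOffering carries bare course URNs in the sample format are all constructed for the example.

```python
# Added example (not from the presentation, not the Shibboleth ARP code): a model
# of per-service attribute release. A service gets only the attributes granted
# to it, and course values are released only when they follow the agreed URN
# convention and were issued by this institution. All data below is constructed.
import re

# Convention shown in the talk: urn:mace:<domain>:crs:<term>:<course>,
# e.g. urn:mace:tamu.edu:crs:2007C:TEST209504
COURSE_URN = re.compile(
    r"^urn:mace:(?P<domain>[a-z0-9.-]+):crs:(?P<term>\d{4}[A-Z]):(?P<course>[A-Z]{2,4}\d+)$"
)

def parse_course_urn(value):
    """Return (domain, term, course) or None when the value is not in the agreed format."""
    m = COURSE_URN.match(value)
    return (m.group("domain"), m.group("term"), m.group("course")) if m else None

# Constructed release policy keyed by SP entityID (hypothetical entityIDs).
# Anything not listed for a service, e.g. eduPersonTargetedID here, is withheld.
RELEASE_POLICY = {
    "https://sp.webassign.example/shibboleth": {
        "eduPersonPrincipalName", "eduCourseOffering", "givenName", "sn",
    },
    "https://repo.tdl.example/shibboleth": {
        "eduPersonPrincipalName", "eduPersonAffiliation",
    },
}

def release_attributes(entity_id, user_attrs, home_domain):
    """Filter one user's attributes for one service provider. Unknown services
    get nothing; eduCourseOffering is reduced to well-formed local course URNs."""
    allowed = RELEASE_POLICY.get(entity_id, set())
    released = {}
    for name, values in user_attrs.items():
        if name not in allowed:
            continue
        if name == "eduCourseOffering":
            kept = []
            for v in values:
                parsed = parse_course_urn(v)
                if parsed and parsed[0] == home_domain:
                    kept.append(v)
            values = kept
        if values:
            released[name] = list(values)
    return released

# Constructed sample user record (assumes bare course URNs in eduCourseOffering).
SAMPLE_USER = {
    "eduPersonPrincipalName": ["jdoe@tamu.edu"],
    "eduPersonTargetedID": ["opaque-handle-1234"],
    "eduCourseOffering": ["urn:mace:tamu.edu:crs:2007C:TEST209504",
                          "urn:mace:other.edu:crs:2007C:MATH151", "not-a-course"],
    "givenName": ["Jane"], "sn": ["Doe"],
}
```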

Verified System
- Used our test accounts
- Worked closely with vendor
- Great support from WebAssign

Customized Login Page
- Did not use WAYF or InCommon site for this deployment
- Had customized WebAssign login page
- Could be integrated into existing pages fairly easily

WebAssign Login

Texas A&M Login

Market the Service
- Work with your departments
- Educate your helpdesk
- Multiple levels of support
- Leverage SSO if you have it

Texas Digital Library
- Institutional Repositories
- Built on DSpace
- Shibboleth for AuthN/AuthZ
- Establishing a new Texas-wide Federation
- Layered authorization model

Schema Part II
- The local federation needed a different set of attributes
- Extended the EduPerson schema
- Used tamuEduPerson extensions
- TDL Federation attributes
- Must agree upon names

More Applications
- Departmental use of institutional data
- For Moodle deployments
- Allows institution to share applications
- Wireless network access at UT
- TAMU Security Awareness Training

Even More Applications
- Grid Computing
- Sakai
- LionShare at Penn State

The Big Benefit
- We have a standard
- More people will adopt it
- Reach critical mass in implementers
- Leverage with vendors

And we learned …
- You do not dabble with this
- You cannot cut corners
- Be serious about privacy and suppression
- Be careful with accounts
- Stay involved with community
- The more you do, the more you know

Philosophy
“I hear and I forget, I see and I remember, I do and I understand.” (Confucius)

Links

Michael Bolton, Xavier Chapa