Shibboleth for Real Dave Kennedy

Presentation transcript:

Environment
Consortium
– 16 institutions
Services
– Ex Libris’ Metalib, Aleph, SFX, Digitool
– EZproxy
– ILLiad
– DSpace, Fedora, etc.

What is the problem?
– Multiple logins for multiple services
– Need to secure the flow of data for multiple logins to different applications
– Username/password embedded in URLs to give the appearance of single sign-on

Why Shibboleth?
Other solutions considered: PDS, CAS, Pubcookie
Shibboleth
– Single sign-on
– Secure handling of user attributes
– Flexibility to use different AuthZ criteria per service
– Designed to function across domains
– Ability to authenticate for different vendors’ products

Shib architecture
– Shibboleth – an architecture for handling authentication and attribute assertion in a secure and controlled manner
– Service Provider (SP) – resource
– Identity Provider (IdP) – AuthN source
– WAYF – Where Are You From
– WebISO – Web Initial Sign-On

Shib architecture

Investigation
– Installed a generic single-institution IdP
– Installed a generic service provider (a script that prints out the received attributes)
– Proof of concept

Implementation
– Chose EZproxy and Ex Libris’ Metalib/PDS as the initial SPs
– EZproxy was already Shibboleth-enabled, so it was easily configured
– Had to implement multiple identity providers for the institutions in the consortium

IdP Implementation
– Multiple institutions in one installation
– Multiple configurations for attributes and trust settings
– Multiple LDAP settings in WebISO for user verification

Multiple Identity Providers – Virtually Separate
– Totally separate identity providers as far as service providers are concerned
– Unique access points
– Separate trust relationships

PDS
– Patron Directory Service
– Single sign-on between Ex Libris applications
– AuthN and AuthZ

Role of PDS in Shib Environment
– Dual role of WAYF and SP
– AuthN
– AuthZ at the application level (Metalib, in our case)

PDS as WAYF
– PDS presents a list of institutions (WAYF)
– Choosing an institution redirects to an institution-specific URL within PDS

PDS as SP
– Each URL is protected by a different institution’s Identity Provider
– The IdP handles authentication and attribute assertion
– The SP receives the attributes back from the IdP and establishes a PDS session

Shib SP configuration
– Shibboleth.xml – settings for the SP
– Multiple applications defined, each with a different Identity Provider
– RequestMap defined – maps URLs to Shib applications
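The layout this slide describes, as an added example rather than the project's own shibboleth.xml: one SP whose RequestMap sends each institution's PDS URL to its own application, and each application initiates sessions against, and trusts metadata from, only that institution's IdP (Shibboleth SP 1.3-style configuration; host names, paths, entityIDs and metadata file locations are placeholders).

```xml
<!-- Added example, not the USMAI project's own shibboleth.xml. Shibboleth SP 1.3-era
     layout; host names, paths, entityIDs and metadata file paths are placeholders,
     and only one of the sixteen institutions is written out. -->
<SPConfig xmlns="urn:mace:shibboleth:target:config:1.0"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <Local>
    <!-- RequestMap: each institution-specific URL prefix (the one PDS's WAYF page
         redirects to) is bound to its own shib application, with a session required. -->
    <RequestMapper type="Native">
      <RequestMap applicationId="default">
        <Host name="pds.example.edu">
          <Path name="pds/inst1" applicationId="inst1" requireSession="true"/>
          <Path name="pds/inst2" applicationId="inst2" requireSession="true"/>
        </Host>
      </RequestMap>
    </RequestMapper>
  </Local>
  <Applications id="default" providerId="https://pds.example.edu/shibboleth">
    <Sessions lifetime="7200" timeout="3600" checkAddress="true" handlerURL="/Shibboleth.sso">
      <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
      <SessionInitiator isDefault="true" id="default" Location="/WAYF"
          Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
          wayfURL="https://wayf.example.edu/WAYF"
          wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
    </Sessions>
    <!-- inst1: users are sent straight to this institution's IdP (its SSO handler
         accepts the same AuthnRequest profile a WAYF does), and only that IdP's
         metadata is trusted, so the IdPs stay separate as far as this SP is concerned. -->
    <Application id="inst1">
      <Sessions lifetime="7200" timeout="3600" checkAddress="true" handlerURL="/Shibboleth.sso">
        <md:AssertionConsumerService Location="/SAML/POST" isDefault="true" index="1"
            Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
        <SessionInitiator isDefault="true" id="inst1" Location="/WAYF/inst1"
            Binding="urn:mace:shibboleth:sp:1.3:SessionInit"
            wayfURL="https://idp.inst1.example.edu/shibboleth-idp/SSO"
            wayfBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
      </Sessions>
      <MetadataProvider type="edu.internet2.middleware.shibboleth.metadata.provider.XMLMetadata"
          uri="/etc/shibboleth/inst1-metadata.xml"/>
    </Application>
    <!-- inst2 ... inst16 follow the same pattern with their own IdP URL and metadata file. -->
  </Applications>
</SPConfig>
```

Because each application carries its own metadata, an assertion issued by a different consortium member's IdP is not accepted on that institution's path even though all sixteen share one SP installation.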

Logout
– No logout provided in the Shibboleth architecture
– Created a logout for the identity provider, with an optional redirect back to the service provider

Before

After

Project Details
– Began investigation – March
– staff member
– 16 IdPs, 3 SPs into production, April 2006
– Hardware:
  – Test – Sun Fire V480, 2x900MHz UltraSparc III, 8GB RAM (shared server)
  – Production – Sun Fire V880, 4x900MHz UltraSparc III+, 16GB RAM (shared server)
– Documentation

Challenges
– Technical
  – Consortia – virtually separate identity providers
  – Logout
  – LDAP – hook into our LDAP; a single LDAP for all institutions, using only institution-specific attributes
– Learning curve; needed concentrated chunks of staff time
– Making Shibboleth a priority

What’s next?
– We are rolling out more service providers
  – ILLiad going into production within the month
  – Aleph to be a Shib service provider by year’s end
  – Online resources
– Consortial members implementing their own identity providers

Dave Kennedy
Shib project page: