Shibboleth at the U of M Christopher A. Bongaarts code-people June 2, 2011.

CAH Retirement
- CAH slated to go away in October 2011
- Motivation:
  – IPv6 compatibility
  – Move to a standards-based (SAML) solution
- CAH and Shib will do SSO between them until CAH is gone

What is Shibboleth?
- Software project sponsored by Internet2
- Implements the SAML Web SSO Profile
- Two main packages:
  – Identity Provider (IdP: logs users in)
  – Service Provider (SP: uses the login to do something useful)

How does it work?
- User visits the application web site (SP)
- SP redirects the user to the IdP with a SAML AuthnRequest
- IdP authenticates the user, if necessary
- IdP sends the user back to the SP with a SAML Response carrying a signed assertion with two parts (separate assertions in SAML 1, usually one assertion in SAML 2):
  – Authentication statement (data about the login: when and how)
  – Attribute statement (data about the user)
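The exchange above, as an added example that is not from the talk or from the Shibboleth project: it builds the AuthnRequest the SP sends over the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), decodes it as the IdP would, and parses a constructed, unsigned Response the way an SP does, pulling out the login data (authentication statement) and user data (attribute statement) and applying the checks that need no signature: success status, InResponseTo matching an outstanding request, and the audience being this SP. Entity IDs, URLs and the sample Response are invented placeholders; a real SP verifies the Response signature against the IdP key from metadata before trusting any of this.

```python
"""SAML 2.0 Web SSO round trip in miniature (added example, not Shibboleth code).

Signature and encryption handling is omitted: a real SP verifies the
Response/Assertion signature against the IdP key from metadata first.
All entity IDs, URLs and the sample Response below are invented placeholders.
"""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://app.example.edu/shibboleth"                     # placeholder
ACS_URL = "https://app.example.edu/Shibboleth.sso/SAML2/POST"           # placeholder
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"  # placeholder


def build_authn_request(request_id, issue_instant):
    """Minimal AuthnRequest: who is asking and where the answer should go."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="{samlp}" xmlns:saml="{saml}" '
        'ID="{id}" Version="2.0" IssueInstant="{when}" Destination="{dest}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'AssertionConsumerServiceURL="{acs}">'
        "<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    ).format(samlp=NS["samlp"], saml=NS["saml"], id=request_id, when=issue_instant,
             dest=IDP_SSO_URL, acs=ACS_URL, issuer=SP_ENTITY_ID)


def redirect_binding_url(request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_redirect_request(url):
    """What the IdP does first: recover the AuthnRequest XML from the query string."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


def parse_response(response_xml, expected_request_id, expected_audience):
    """SP-side extraction plus the checks that need no signature: success status,
    InResponseTo matches our request (no unsolicited or replayed response), and
    the assertion is addressed to our entityID."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != SUCCESS:
        raise ValueError("IdP reported failure: " + status)
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("Response does not match an outstanding request")
    assertion = root.find("saml:Assertion", NS)
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        raise ValueError("Assertion is for a different SP: %r" % audience)
    authn = assertion.find("saml:AuthnStatement", NS)
    info = {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        # Login data: the authentication statement
        "authn_instant": authn.get("AuthnInstant"),
        "authn_context": authn.findtext(
            "saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS),
        # User data: the attribute statement, keyed by FriendlyName when present
        "attributes": {},
    }
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        info["attributes"][key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return info


# Constructed sample Response (unsigned, not captured from a real IdP).
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"'
    ' IssueInstant="2011-06-02T15:00:01Z" InResponseTo="_req1"'
    ' Destination="https://app.example.edu/Shibboleth.sso/SAML2/POST">'
    "<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>"
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-06-02T15:00:01Z">'
    "<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>"
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
    "_abc123</saml:NameID></saml:Subject>"
    "<saml:Conditions><saml:AudienceRestriction><saml:Audience>"
    "https://app.example.edu/shibboleth</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
    '<saml:AuthnStatement AuthnInstant="2011-06-02T15:00:00Z"><saml:AuthnContext>'
    "<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
    "<saml:AttributeStatement>"
    '<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">'
    "<saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>"
    '<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">'
    "<saml:AttributeValue>member</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue>"
    "</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"
)

if __name__ == "__main__":
    url = redirect_binding_url(build_authn_request("_req1", "2011-06-02T15:00:00Z"), "/app")
    print(url)
    print(decode_redirect_request(url))
    print(parse_response(SAMPLE_RESPONSE, "_req1", SP_ENTITY_ID))
```

The InResponseTo check is what stops an attacker from pasting a Response they obtained elsewhere into your ACS; the audience check stops a Response meant for another SP in the same federation from being accepted here. Both are cheap and both are done by the Shib SP for you, which is one reason the talk recommends fronting the app with the SP rather than embedding SAML yourself.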

The Gory Details

It’s like CAH…
- User never gives credentials to the SP
- Additional attributes can be returned
- Single sign-on

It’s different than CAH…
- No shared cookie
  – Allows non-umn.edu SPs
  – Logout works differently
- SSO still requires a trip to the IdP
- No free-for-all WEBCOOKIE method
- More complex protocol: you need more than cookies + HTTPS to integrate

Our IdPs
- OIT/IDM runs production and test IdPs
- IdPs use production/test X.500 respectively
- Federated with InCommon

Integrating your application
- Best strategy: use the Shib SP
  – Requires Apache or IIS
  – Usually easier to front the app with Apache than to embed SAML support directly in your app
  – Can protect files, directories, or locations via server config or .htaccess
  – Lazy sessions allow unauthenticated browsing until a login is needed
  – The Shib session can bootstrap the app session
  – Standard builds available for Windows and several Linux distros; preinstalled on OIT Red Hat Linux VMs
- Install and configure the Shib SP
  – Careful: lots of knobs, few need turning
  – Choose an appropriate entityID (see wiki)
  – Export metadata (generate, then hand edit)
- Submit an Access Request Form (ARF) if you need nonpublic attributes
- Ask us to add your metadata to our test IdP
- Access attributes
  – Environment variables (Apache; preferred, since a client cannot set them)
  – HTTP headers (IIS or Apache; only trust them on locations the SP protects, because a client can send Shib-* headers of its own)
  – REMOTE_USER
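As an added example (not from the talk or the Shibboleth project), an Apache httpd.conf fragment in the 2.2-era syntax current in 2011 showing the protection styles above: the SP handler, a lazy-session location, a forced-login location, and a location that asks the IdP for a particular authentication context. Paths and the AuthnContext URI are placeholders; the `authnContextClassRef` content setting only tells the SP what to request, and the application still has to check what the IdP actually asserted.

```apache
# Added example, not U of M or Shibboleth project configuration.
# Paths and the AuthnContext URI are placeholders.

# The SP's own handler: metadata, session status, login/logout, ACS endpoints.
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# Lazy session: the SP is active and exposes attributes once a session exists,
# but nobody is forced to log in.  The app sends users to
# /Shibboleth.sso/Login?target=... when it decides a login is needed.
<Location /app>
    AuthType shibboleth
    ShibRequestSetting requireSession 0
    require shibboleth
</Location>

# Forced session: unauthenticated users are redirected to the IdP first.
<Location /app/secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    require valid-user
</Location>

# Step-up: ask the IdP for a specific authentication context class.
# urn:example:mkey is a placeholder; the real M Key class ref is on the wiki.
# The SP puts the asserted class in Shib-AuthnContext-Class; check it in the app.
<Location /app/sensitive>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    ShibRequestSetting authnContextClassRef urn:example:mkey
    require valid-user
</Location>

# Attributes stay in environment variables by default.  ShibUseHeaders On
# also copies them into request headers, which any client can send; only
# enable it where the app cannot read the environment (e.g. behind a proxy
# or on IIS), and never read Shib-* headers on a location the SP does not handle.
ShibUseHeaders Off
```

The `require` lines can also test attributes the SP mapped in attribute-map.xml (for example `require affiliation staff`), which keeps simple authorization in the web server and out of application code.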

Converting from CAH to Shib
- The Shib SP is a drop-in replacement for mod_cookieauth
  – Sets REMOTE_USER
- No ARF needed if you already get the data from CAH
- Apps requiring M Key can use AuthnContext to ask for it, and must check the returned context before trusting it
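An added example of the application side, not code from the talk or from Shibboleth: a small WSGI app that reads what the SP put in the Apache environment, bootstraps its own session from the Shib session, bounces anonymous users through the SP's login handler (lazy session), and enforces the M Key context check on a sensitive path by comparing `Shib-AuthnContext-Class` with the expected class. It assumes attributes are delivered as environment variables (the SP default), REMOTE_USER filled by the SP from its REMOTE_USER list in shibboleth2.xml (eppn first by default), and the attribute id `affiliation` from attribute-map.xml; multi-valued attributes arrive joined with `;`. `MKEY_CONTEXT` is a placeholder, the environ samples are constructed, and the session store is an in-memory dict for illustration.

```python
"""Consuming Shib SP attributes in a WSGI app (added example, not Shibboleth code).

Assumes the SP runs in Apache with attributes in environment variables, so
mod_wsgi hands them over in `environ`.  MKEY_CONTEXT is a placeholder for the
AuthnContext class the U of M IdP uses for M Key; the real URI is on the wiki.
"""
import secrets
import urllib.parse

MKEY_CONTEXT = "urn:example:mkey"   # placeholder, not the real U of M value
APP_SESSIONS = {}                   # token -> session data (demo store only)


def attributes_from_environ(environ):
    """Read what the SP set.  Only environment variables are consulted: HTTP_*
    entries come from request headers, which any client can send."""
    return {
        "user": environ.get("REMOTE_USER", ""),
        "idp": environ.get("Shib-Identity-Provider", ""),
        "authn_context": environ.get("Shib-AuthnContext-Class", ""),
        "shib_session": environ.get("Shib-Session-ID", ""),
        "affiliations": [a for a in environ.get("affiliation", "").split(";") if a],
    }


def bootstrap_app_session(attrs):
    """Turn a Shib session into an app session keyed by the federated identifier."""
    if not attrs["user"] or not attrs["shib_session"]:
        return None
    token = secrets.token_urlsafe(32)
    APP_SESSIONS[token] = {"user": attrs["user"], "idp": attrs["idp"],
                           "shib_session": attrs["shib_session"]}
    return token


def has_mkey(attrs):
    """The SP can *ask* for a context (authnContextClassRef); the app still has
    to *check* what the IdP asserted."""
    return attrs["authn_context"] == MKEY_CONTEXT


def application(environ, start_response):
    attrs = attributes_from_environ(environ)
    path = environ.get("PATH_INFO", "/")
    if not attrs["user"]:
        # Lazy session: no login yet, go through the SP's login handler and
        # come back to this URL afterwards.
        target = urllib.parse.quote(path, safe="/")
        start_response("302 Found", [("Location", "/Shibboleth.sso/Login?target=" + target)])
        return [b""]
    if path.startswith("/sensitive") and not has_mkey(attrs):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"M Key authentication required\n"]
    token = bootstrap_app_session(attrs)
    body = "hello {} ({}) from {}\n".format(
        attrs["user"], ",".join(attrs["affiliations"]), attrs["idp"]).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "app_session={}; Secure; HttpOnly".format(token)),
    ])
    return [body]


def call(environ):
    """Invoke the app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(application(environ, start_response))
    return captured["status"], captured["headers"], body


# Constructed environ samples (not captured from a real SP).
ANON = {"PATH_INFO": "/app"}
SPOOF = {"PATH_INFO": "/app", "HTTP_REMOTE_USER": "admin@example.edu"}  # header only
PASSWORD_LOGIN = {
    "PATH_INFO": "/sensitive", "REMOTE_USER": "jdoe@example.edu",
    "Shib-Identity-Provider": "https://idp.example.edu/idp/shibboleth",
    "Shib-Session-ID": "_sess1", "affiliation": "member;staff",
    "Shib-AuthnContext-Class": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}
MKEY_LOGIN = dict(PASSWORD_LOGIN, **{"Shib-AuthnContext-Class": MKEY_CONTEXT})

if __name__ == "__main__":
    for env in (ANON, SPOOF, PASSWORD_LOGIN, MKEY_LOGIN):
        print(call(env)[0])
```

The SPOOF sample is the reason the app reads REMOTE_USER and never HTTP_REMOTE_USER: a Remote-User request header sent by the client lands in the latter, and the SP only guarantees the former.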

Gotchas
- Shib signs/encrypts assertions
  – Uses certs in metadata to carry the keys
  – Shib ONLY looks at the keys, not the rest of the cert
    – Ignores expiration
    – Doesn't validate the CA
    – So an expired cert in metadata keeps working, and key rollover is done by updating metadata, not by cert expiry
  – These are NOT the same certs/keys used for your browser-facing HTTPS port (443)

Gotchas: entityID looks like a URL but isn't
- It's a URI, being used as a name
- Handy to use as a URL sometimes (e.g. to serve your metadata)
- Use a domain you control, to facilitate self-managed metadata someday

Other SAML Implementations
- simpleSAMLphp (PHP)
- OIOSAML (Java)
- ADFSv2 (gateway to WS-*)
  – Preferred method for SharePoint 2010
- WIF SAML extension (for .NET apps)
  – MSDN blog entry:
- OpenAM (formerly OpenSSO)

Federating your application
- Lets your app allow users to log in from other places
- Can do simple bilateral setups, or get listed in a federation like InCommon (ask us)
- Use a federatable identifier instead of Internet ID or umnDID for the primary key
  – eduPersonTargetedID
  – eduPersonPrincipalName (ID+scope, e.g.

Looking Ahead
- Single logout support
- User consent for attribute release
- Self-managed metadata for departments

Resources
- U of M Shib wiki:
- Official Shib wiki:
- Shib mailing list:
  – Best place for general questions about Shib SP installation/configuration
  – The guy who wrote it usually responds within 15 minutes. Not sure when he eats or sleeps.

Questions?
- Identity Management:
- Or call Chris at