Shibboleth at the U of M Christopher A. Bongaarts net-people March 10, 2011.

What is Shibboleth?
- Software project sponsored by Internet2
- Implements the SAML (Security Assertion Markup Language) web single sign-on protocol
- Two main packages:
  – Identity Provider (IdP): logs users in
  – Service Provider (SP): gives users something to do (protects the application)

How does it work?
- User visits the application web site (SP)
- SP redirects the user to the IdP with a SAML AuthnRequest
- IdP authenticates the user, if necessary (an existing IdP session means no login prompt)
- IdP sends the user back to the SP with a SAML Response containing a signed assertion:
  – Authentication statement (data about the login: when and how the user authenticated)
  – Attribute statement (data about the user)
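As an added example (not from these slides and not Shibboleth's own code), here is the first half of the flow above in stdlib Python: the SP builds an AuthnRequest and sends it through the SAML HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), and the IdP side decodes it and checks it against what it knows from metadata before showing a login page. The entity IDs, URLs and the KNOWN_SPS table are made up for the example.

```python
"""SAML 2.0 AuthnRequest over the HTTP-Redirect binding: SP side and IdP side.
Added example, not code from the slides or from the Shibboleth project.
Endpoints and entity IDs below are hypothetical."""
import base64
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Hypothetical names.  The entityID is a URI used as a name, not a page to fetch.
SP_ENTITY_ID = "https://example-app.umn.edu/shibboleth"
SP_ACS_URL = "https://example-app.umn.edu/Shibboleth.sso/SAML2/POST"
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"

# What the IdP knows about registered SPs (normally loaded from metadata):
# entityID -> set of AssertionConsumerService URLs it may send assertions to.
KNOWN_SPS = {SP_ENTITY_ID: {SP_ACS_URL}}


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """AuthnRequest XML the SP sends.  ID must be an xs:ID (start with a letter or '_')."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": POST_BINDING,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def encode_redirect(xml_str):
    """Raw DEFLATE (no zlib header), then base64, per SAML 2.0 Bindings 3.4.4.1."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_str.encode("utf-8")) + comp.flush()).decode("ascii")


def decode_redirect(param):
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def redirect_url(idp_sso_url, xml_str, relay_state=None):
    """The 302 Location the SP sends the browser to.  RelayState comes back unchanged,
    so never redirect to it unvalidated (open redirect); the Shibboleth SP defaults to
    keeping the real return URL in a cookie and passing only a reference here.
    A signed request would add SigAlg and Signature query parameters."""
    params = {"SAMLRequest": encode_redirect(xml_str)}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def parse_redirect_url(url):
    """IdP side: pull SAMLRequest out of the query string and inflate it."""
    return decode_redirect(parse_qs(urlparse(url).query)["SAMLRequest"][0])


def check_request(xml_str, our_sso_url, known_sps):
    """IdP side: reject requests not addressed to us, from SPs we do not know, or
    that would send the assertion to an ACS URL the SP did not register in metadata."""
    root = ET.fromstring(xml_str)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return False, "not an AuthnRequest"
    if root.get("Destination") not in (None, our_sso_url):
        return False, "Destination is not this IdP's SSO endpoint"
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    if issuer not in known_sps:
        return False, f"unknown SP {issuer!r}"
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs not in known_sps[issuer]:
        return False, f"ACS URL {acs!r} not in metadata for {issuer!r}"
    # No ACS in the request: fall back to the SP's registered endpoint (a real IdP
    # uses the metadata default/index; first registered URL is enough here).
    return True, {"id": root.get("ID"), "issuer": issuer, "acs": acs or sorted(known_sps[issuer])[0]}


if __name__ == "__main__":
    xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL)
    url = redirect_url(IDP_SSO_URL, xml, relay_state="/protected/page")
    print(url)
    print(check_request(parse_redirect_url(url), IDP_SSO_URL, KNOWN_SPS))
```

The ACS check in check_request is the one that matters most: an attacker who can get a request through with their own AssertionConsumerServiceURL would receive the victim's assertion, so the IdP must only honour endpoints registered in the SP's metadata.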

The Gory Details

It’s like CAH…
- User never gives credentials to the SP
- Additional attributes can be returned
- Single sign-on

It’s different from CAH…
- No shared cookie
  – Allows non-umn.edu SPs
  – Logout works differently
- SSO still requires a trip to the IdP (a redirect, usually invisible to the user)
- No free-for-all WEBCOOKIE method
- More complex protocol: you need more than cookies + HTTPS to integrate (XML, signatures, metadata)

Our IdPs
- OIT/IDM runs production and test IdPs
- IdPs use the production and test X.500 directories respectively
- Federated with InCommon

Setting up an SP
- Choose an implementation:
  – Shibboleth SP (highly recommended); includes Apache and IIS server modules
  – simpleSAMLphp
  – OpenAM (formerly OpenSSO)
  – OIOSAML (Java)
  – ADFS v2 (gateway to WS-*); preferred method for SharePoint 2010

Setting up an SP (continued)
- Install and configure
  – Careful: lots of knobs, few need turning
  – Choose an appropriate entityID (see wiki)
  – Export metadata (generate it, then hand-edit as needed)
- Submit an Access Request Form (ARF) if you need non-public attributes
- Ask IDM to add your metadata to our test IdP

Gotchas
- Shib signs/encrypts assertions
  – Uses certificates in metadata to carry the keys
  – Shib ONLY looks at the key, not the rest of the cert: it ignores expiration and does not validate the CA
  – These are NOT the same certs/keys used for your browser-facing HTTPS port (443); a long-lived self-signed cert is fine here, and if the key ever changes the metadata must be updated or signing/encryption will fail

Gotchas (continued)
- entityID looks like a URL but isn’t
  – It’s a URI, being used as a name
  – Handy to use as a URL sometimes (e.g. to serve your own metadata from it)
  – Use a domain you control, to facilitate self-managed metadata someday

CAH Retirement
- CAH slated to go away in October 2011
- Motivation:
  – IPv6 compatibility
  – Move to a standards-based solution
- CAH and Shib will do SSO between them until CAH is gone

Converting from CAH to Shib
- Shib SP is a drop-in replacement for mod_cookieauth
- No ARF needed if you already get the data from CAH
- Apps requiring M Key can use AuthnContext to ask for it (in the AuthnRequest) and to check for it (in the returned assertion); asking is not enough, the app must check what came back
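Added example covering the second half of the "How does it work?" flow and the M Key bullet above; it is not code from the slides or from the Shibboleth SP. It assumes the XML signature on the Response has already been verified with the IdP key taken from metadata (the SP library does that before anything else) and any EncryptedAssertion decrypted, and shows the remaining checks before a session is created, plus the AuthnContext check an application uses to require a stronger login. The M Key class-ref URI, the entity IDs, URLs and the sample Response are all constructed for the example.

```python
"""SP-side checks on a SAML 2.0 Response before creating a session, plus the
AuthnContext check an app uses to require a stronger login ("M Key").
Added example, not code from the slides or the Shibboleth SP.  Assumes the
XML signature was ALREADY verified with the IdP key from metadata (the SP
library does that) and any EncryptedAssertion decrypted.  All identifiers,
the M Key class ref and the sample Response are constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_CLASS_REF = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MKEY_CLASS_REF = "https://idp.example.edu/ac/classes/mkey"  # hypothetical, not the real U of M value
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"               # eduPersonPrincipalName
CLOCK_SKEW = timedelta(seconds=180)
SP_ENTITY_ID = "https://example-app.umn.edu/shibboleth"
SP_ACS_URL = "https://example-app.umn.edu/Shibboleth.sso/SAML2/POST"
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
NOW = datetime(2011, 3, 10, 15, 0, 10, tzinfo=timezone.utc)  # "now" for the sample below
LATER = NOW + timedelta(hours=1)                               # past the assertion's NotOnOrAfter

# Constructed, unsigned Response as it looks after signature check and decryption
# (on the wire it arrives base64-encoded in an HTTP POST to the ACS URL).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
 IssueInstant="2011-03-10T15:00:05Z" Destination="{SP_ACS_URL}" InResponseTo="_abc123">
 <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-03-10T15:00:05Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tr123</saml:NameID>
   <saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData InResponseTo="_abc123"
    Recipient="{SP_ACS_URL}" NotOnOrAfter="2011-03-10T15:05:05Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2011-03-10T15:00:00Z" NotOnOrAfter="2011-03-10T15:05:05Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2011-03-10T15:00:04Z"><saml:AuthnContext>
   <saml:AuthnContextClassRef>{PASSWORD_CLASS_REF}</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement><saml:Attribute Name="{EPPN_OID}" FriendlyName="eduPersonPrincipalName">
   <saml:AttributeValue>jdoe@umn.edu</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def _q(ns, tag):
    return f"{{{ns}}}{tag}"

def _t(s):  # SAML xs:dateTime in UTC, with or without fractional seconds
    return datetime.strptime(re.sub(r"\.\d+Z$", "Z", s), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _require(ok, msg):
    if not ok:
        raise ValueError(msg)

def validate_response(xml_str, *, sp_entity_id, acs_url, idp_entity_id, in_response_to, now,
                      required_class_refs=None):
    """Return session data (NameID, AuthnContext, attributes) or raise ValueError naming the failed check."""
    root = ET.fromstring(xml_str)
    _require(root.tag == _q(SAMLP, "Response"), "not a samlp:Response")
    code = root.find(f"./{_q(SAMLP, 'Status')}/{_q(SAMLP, 'StatusCode')}")
    _require(code is not None and code.get("Value") == SUCCESS, "IdP did not report Success")
    _require(root.get("Destination") in (None, acs_url), "Destination is not our ACS URL")
    _require(root.get("InResponseTo") == in_response_to, "InResponseTo does not match an outstanding request")
    a = root.find(_q(SAML, "Assertion"))
    _require(a is not None, "no Assertion")
    _require(a.findtext(_q(SAML, "Issuer")) == idp_entity_id, "Assertion not issued by the expected IdP")
    cond = a.find(_q(SAML, "Conditions"))
    _require(cond is not None, "no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    _require(not (nb and now + CLOCK_SKEW < _t(nb)) and not (noa and now - CLOCK_SKEW >= _t(noa)),
             "Assertion outside its validity window")
    _require(sp_entity_id in [x.text for x in cond.iter(_q(SAML, "Audience"))],
             "Assertion not addressed to this SP (AudienceRestriction)")
    # Bearer confirmation: minted for our ACS URL, in answer to our request, still fresh.
    confirmed = False
    for sc in a.iter(_q(SAML, "SubjectConfirmation")):
        d = sc.find(_q(SAML, "SubjectConfirmationData"))
        if sc.get("Method") == BEARER and d is not None and d.get("Recipient") == acs_url \
                and d.get("InResponseTo") == in_response_to \
                and not (d.get("NotOnOrAfter") and now - CLOCK_SKEW >= _t(d.get("NotOnOrAfter"))):
            confirmed = True
    _require(confirmed, "no acceptable bearer SubjectConfirmation")
    class_ref = a.findtext(f"./{_q(SAML, 'AuthnStatement')}/{_q(SAML, 'AuthnContext')}/{_q(SAML, 'AuthnContextClassRef')}")
    _require(not required_class_refs or class_ref in required_class_refs,
             f"login did not satisfy required AuthnContext (got {class_ref})")
    # Key attributes by Name (the OID): the Shib SP maps on Name via attribute-map.xml;
    # FriendlyName is informational and must not be trusted for mapping.
    attrs = {at.get("Name"): [v.text for v in at.findall(_q(SAML, "AttributeValue"))]
             for at in a.iter(_q(SAML, "Attribute"))}
    return {"name_id": a.findtext(f"./{_q(SAML, 'Subject')}/{_q(SAML, 'NameID')}"),
            "authn_context": class_ref, "attributes": attrs}

def try_validate(xml_str, **kw):
    """(True, session) or (False, reason)."""
    try:
        return True, validate_response(xml_str, **kw)
    except ValueError as e:
        return False, str(e)
```

With the Shibboleth SP itself you do not write this: it performs these checks and then exposes the result to the application, including the class ref as the Shib-AuthnContext-Class variable, which is what an M Key-requiring app compares against the value it asked for.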

Federating your SP
- Lets your SP allow users to log in from other places
- Can do simple bilateral setups, or get listed in a federation like InCommon (ask IDM)
- Use a federatable identifier instead of Internet ID or umnDID as your primary key:
  – eduPersonTargetedID (opaque, different for each SP)
  – eduPersonPrincipalName (ID + scope, e.g.
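Added example (not from the slides or the Shibboleth project) of why the scope is what makes eduPersonPrincipalName federatable: once several IdPs can log users in, the SP must only accept a value whose scope the asserting IdP is allowed to use, as declared by shibmd:Scope in federation metadata; otherwise any IdP in the federation could assert jdoe@umn.edu. The Shibboleth SP does this in its attribute filter policy; the entity IDs, scopes, metadata snippet and attribute values here are constructed.

```python
"""Scope checking for eduPersonPrincipalName against shibmd:Scope in metadata.
Added example, not code from the slides or the Shibboleth project (the
Shibboleth SP does this in its attribute filter policy).  Entity IDs,
scopes and the metadata snippet are constructed for the example."""
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"
IDP_A = "https://idp.example.edu/idp/shibboleth"   # hypothetical IdP allowed to assert example.edu
IDP_B = "https://idp.example.org/idp/shibboleth"   # hypothetical IdP allowed to assert example.org

# Constructed federation metadata: each IdP declares the scopes it may assert.
SAMPLE_METADATA = rf"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:shibmd="{SHIBMD}">
  <md:EntityDescriptor entityID="{IDP_A}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
        <shibmd:Scope regexp="true">^[a-z0-9-]+\.example\.edu$</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="{IDP_B}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _q(ns, tag):
    return f"{{{ns}}}{tag}"


def load_scopes(metadata_xml):
    """entityID -> [(is_regexp, scope)], taken from the IdP role only, so a scope
    declared elsewhere in the entity (e.g. on an SP role) does not count."""
    scopes = {}
    for ed in ET.fromstring(metadata_xml).iter(_q(MD, "EntityDescriptor")):
        lst = []
        for role in ed.findall(_q(MD, "IDPSSODescriptor")):
            for s in role.iter(_q(SHIBMD, "Scope")):
                lst.append((s.get("regexp", "false").lower() == "true", (s.text or "").strip()))
        scopes[ed.get("entityID")] = lst
    return scopes


def scope_allowed(idp_entity_id, scope, scopes):
    """May this IdP assert this scope?  Literal scopes compare case-insensitively,
    regexp scopes must match the whole scope, and an unknown IdP may assert nothing."""
    for is_re, pat in scopes.get(idp_entity_id, []):
        if is_re:
            if re.fullmatch(pat, scope, re.IGNORECASE):
                return True
        elif pat.lower() == scope.lower():
            return True
    return False


def split_scoped(value):
    """'user@scope' -> ('user', 'scope'); reject values with a missing or empty half."""
    local, at, scope = value.rpartition("@")
    if not at or not local or not scope:
        raise ValueError(f"not a scoped value: {value!r}")
    return local, scope


def filter_scoped(idp_entity_id, values, scopes):
    """Split attribute values into (accepted, rejected) the way an attribute filter would."""
    accepted, rejected = [], []
    for v in values:
        try:
            _, scope = split_scoped(v)
        except ValueError:
            rejected.append(v)
            continue
        (accepted if scope_allowed(idp_entity_id, scope, scopes) else rejected).append(v)
    return accepted, rejected


if __name__ == "__main__":
    scopes = load_scopes(SAMPLE_METADATA)
    print(filter_scoped(IDP_A, ["jdoe@example.edu", "jdoe@umn.edu", "jdoe"], scopes))
```

eduPersonTargetedID needs no scope check because it is not a string the IdP types in: it is an opaque NameID qualified by the issuing IdP (NameQualifier) and the receiving SP (SPNameQualifier), so store it together with the IdP entityID as your key rather than the bare value.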

Looking Ahead
- User consent for attribute release
- Self-managed metadata for departments
- Single logout support

Resources
- U of M Shib wiki:
- Official Shib wiki:
- Shib mailing list:
  – Best place for general questions about Shib SP installation/configuration
  – Guy who wrote it usually responds within 15 minutes. Not sure when he eats or sleeps.

Questions? Or call Chris at