Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2006 by the University of Kansas Providing Intra-campus SSO Service Kathryn Huxtable Identity Management/Core Middleware Information Technology,

Published byErnest Horn Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © 2006 by the University of Kansas Providing Intra-campus SSO Service Kathryn Huxtable Identity Management/Core Middleware Information Technology,"— Presentation transcript:

1 Copyright © 2006 by the University of Kansas Providing Intra-campus SSO Service Kathryn Huxtable Identity Management/Core Middleware Information Technology, A division of Information Services The University of Kansas khuxtable@ku.edu

2 Copyright © 2006 by the University of Kansas Intra-campus Service Provider Provides a service to local campus community Should integrate with campus SSO Can do so using campus SSO or via Shibboleth, assuming that Shibboleth is integrated with campus SSO We discourage direct LDAP authentication or attribute queries

3 Copyright © 2006 by the University of Kansas KU’s campus SSO (Argus) Implemented in 1999 –Inspired by UIUC’s Bluestem system –Attribute based; very similar to Shibboleth –Uses its own XML — pre-SAML Downside: for historical reasons it only supports Perl and Java applications http://www.aims.ku.edu/argus

4 Copyright © 2006 by the University of Kansas Shibboleth or Campus SSO? Is a logout button necessary? Is it static pages, or non-Java or -Perl? Could there potentially be intercampus use? Is it on a system not supported by Shibboleth, e.g. standalone Tomcat? Is it on a system not supported by campus SSO, e.g. IIS?

5 Copyright © 2006 by the University of Kansas Attribute Release Policies Policy structure was already in place, thanks to our campus SSO Not completely formalized, but is well understood. Will be formalized for ISO 27001 certification in the next few months Each attribute has one or more data custodians

6 Copyright © 2006 by the University of Kansas Where Do Attributes Come From? (Basic “Join” Outline)

7 Copyright © 2006 by the University of Kansas Basic Questions for SP owner Can the AuthN/AuthZ be externalized? –How does the Service Provider (SP) authenticate a user? –How does the Service Provider authorize a user? –What attributes does the Service Provider need to authorize a user?

8 Copyright © 2006 by the University of Kansas Data Stewards Own Release Release of an attribute to a Service Provider MUST be approved by that attribute’s data steward Some attributes come from multiple data sources, e.g. displayName may come from HR or student data; may require multiple sign-off

9 Copyright © 2006 by the University of Kansas Release Approval Process

10 Copyright © 2006 by the University of Kansas What About Problems? User fails to authorize in SP –Help Desk has access to directory information –Help Desk employees (including students) sign confidential use statement –If they don’t understand the problem, they contact Core Middleware –Core Middleware figures out the problem May require data change in database of record Core Middleware contacts data custodian

11 Copyright © 2006 by the University of Kansas Conclusions We’ve been handling these issues for several years now with our campus SSO; Shibboleth is not different for us Maintaining two SSOs is annoying; we would like to standardize on Shibboleth Where’s my *#&@ logout? KU Identity Management/Core Middleware web site: http://www.aims.ku.edu

Download ppt "Copyright © 2006 by the University of Kansas Providing Intra-campus SSO Service Kathryn Huxtable Identity Management/Core Middleware Information Technology,"

Similar presentations

PERSEUS : Portal-enabled Resources via Shibbolized End-user Security 16 May 2005JISC Core Middleware Programme Meeting, Loughborough 1 PERSEUS Project.

PERSEUS : Portal-enabled Resources via Shibbolized End-user Security 16 May 2005JISC Core Middleware Programme Meeting, Loughborough 1 PERSEUS Project.
Moodle@Kidderminster College An insight Into the College VLE Graham Mason gmason@kidderminster.ac.uk.

College An insight Into the College VLE Graham Mason
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas.

Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas.
ELAG Trondheim 2004 1 Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.

ELAG Trondheim Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.
Emory University Case Study I2 Day Camp November 5, 2010 John Ellis & Elliot Kendall.

Emory University Case Study I2 Day Camp November 5, 2010 John Ellis & Elliot Kendall.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
UC Irvine’s Pre-Shib Attribute Setup PH / QI Directory Provides Authoritative Attribute Store –Had both Faculty / Staff and Student Information UCI’s Campus.

UC Irvine’s Pre-Shib Attribute Setup PH / QI Directory Provides Authoritative Attribute Store –Had both Faculty / Staff and Student Information UCI’s Campus.
UCLA’s Shibboleth Plan Shibboleth is an integral part of UCLA’s Enterprise Directory & Identity Management Infrastructure (EDIMI) Project Integrate with.

UCLA’s Shibboleth Plan Shibboleth is an integral part of UCLA’s Enterprise Directory & Identity Management Infrastructure (EDIMI) Project Integrate with.
Social Engineering Jero-Jewo. Case study Social engineering is the act of manipulating people into performing actions or divulging confidential information.

Social Engineering Jero-Jewo. Case study Social engineering is the act of manipulating people into performing actions or divulging confidential information.
Peter Deutsch Director, I&IT Systems July 12, 2005

Peter Deutsch Director, I&IT Systems July 12, 2005
Identity Management: The Legacy and Real Solutions Project Overview.

Identity Management: The Legacy and Real Solutions Project Overview.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Introduction to Grouper Part 1: Access Management & Grouper Tom Barton University of Chicago and Internet2 Manager – Grouper Project.

Introduction to Grouper Part 1: Access Management & Grouper Tom Barton University of Chicago and Internet2 Manager – Grouper Project.
Australian Access Federation Robert Hazeltine Identity and Access Management Enterprise Systems Office.

Australian Access Federation Robert Hazeltine Identity and Access Management Enterprise Systems Office.
Office of Information Technology Balancing Technology and Privacy – the Directory Conundrum January 2007 Copyright Barbara Hope and Lori Kasamatsu 2007.

Office of Information Technology Balancing Technology and Privacy – the Directory Conundrum January 2007 Copyright Barbara Hope and Lori Kasamatsu 2007.
3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.

3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.
Directory Services at UMass  Directory Services Overview  Some common definitions  What can a directory do or not do?  User Needs Assessment  What.

Directory Services at UMass  Directory Services Overview  Some common definitions  What can a directory do or not do?  User Needs Assessment  What.

Similar presentations

Ads by Google