Presentation is loading. Please wait.

Presentation is loading. Please wait.

Improving Extending the Shibboleth Identity Provider User Experience Keith Hazelton University of Wisconsin-Madison William G. Thompson, Jr. Unicon, Inc.

Published byRosaline Fowler Modified over 7 years ago

Similar presentations

Presentation on theme: "Improving Extending the Shibboleth Identity Provider User Experience Keith Hazelton University of Wisconsin-Madison William G. Thompson, Jr. Unicon, Inc."— Presentation transcript:

1 Improving Extending the Shibboleth Identity Provider User Experience Keith Hazelton University of Wisconsin-Madison William G. Thompson, Jr. Unicon, Inc. Dmitriy Kopylenko Unicon, Inc. © Copyright Unicon, Inc., 2008. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/http://creativecommons.org/licenses/by-nc-sa/3.0/us/ Internet2 Member Meeting October 5 th 2011

2 2 Agenda 1.Introduction 2.Approach 3.Solution 4.Next Steps

3 3 Introduction

4 4 Shib at UW-Madison ● Overview of current UW shib deployment

5 5 Problem Statement ● How to extend the Shib IdP with local behavior for the following needs: – Inform users of options when they don't have authZ for a particular service. – User controlled attribute release – Terms of Use, Acceptable Use, Security, Privacy, or any ol' policy a user must click through.

6 6 Google Apps for HE ● Description of failure mode and what we'd like instead.

7 7 Broken SP? ● Why “fixing the SP” is not enough...

8 8 Terms of Use... ● Terms of Use ● Acceptable Use Policy ● Privacy Policy ● Security Policy ● Any special messaging/notification/click thru requirement based on user attributes

9 9 Attribute Release ● uApprove redux

10 10 Goals ● Extensible, customizable login experience that covers: – Course grained AuthZ and UX that helps users – ToU/AUP read/write login flows – User controlled attribute release ● Alignment with SAML2, Shibboleth, InCommon communities

11 11 Approach ● Engage with Shib community early and often – Alignment with future direction – Architecturally sound ● Build for UW, share with the Shib community

12 12 Roadmap ● Phase I (completed July 2011) – Development environment (build/deploy/debug) – Architecture analysis – Community feedback ● Phase II (completed October 2011) – Proof-of-concept Spring Web Flow / IdP integration – Community feedback ● Phase III (target Jan 2012) – Incorporate community feedback – Package and document for production release at UW – Share with the community

13 13 Demonstration

14 14 Solution IdP2 and SWF perfect together!

15 15 Design Goals ● Minimally invasive to the IdP ● Simple but not simplistic ● Easily extended to other login flow use cases ● Easily customized for local needs ● Decoupled from IdP as much as possible

16 16 IdP Integration ● Login flow is extended via SWF outside of and separate from the IdP ● Small and simple filter...inspiration from uApprove ● Filter determines overall flow state and hands offs to SWF when appropriate ● Filter provides access to user attributes and service metatdata in SWF ● Can be selectively applied to profile endpoints via web.xml

17

18

19

20 20 Spring Web Flow ● An extension to Spring MVC that allows you to define Controllers using a domain-specific-language. This language is designed to model user interactions that require several requests into the server to complete, or may be invoked from different contexts. ● Used to meet these design goals: – Simple but not simplistic – Easily extended to other login flow use cases – Easily customized for local needs

21

22

23 23 Solution Dependancies ● Tomcat Cross Context – Forward request server-side to swf post login flow – Shared state to control flow signaling between swf and idp ● emptySessionPath – shares session cookie between servlet contexts. One JSessionId, two session objects. Enables swf to reuse idp session cookie. ● PostLoginFlowFilter and web.xml config ● SWF to suit your needs

24 24 Next Steps ● Give it a whirl... – https://github.com/dima767/Shibboleth-IDP-Postlogin-Filter https://github.com/dima767/Shibboleth-IDP-Postlogin-Filter – https://github.com/dima767/Shibboleth-IDP-Postlogin-Flow https://github.com/dima767/Shibboleth-IDP-Postlogin-Flow ● Feedback, help, comments, suggestions,... ● Review, Refactor ● Finalize UW post login flow requirements and implement ● Deploy into production at UW ● Share with the community

25 25 Questions & Answers Keith Hazelton hazelton@doit.wisc.edu University of Wisconsin-Madison William G. Thompson, Jr. wgthom@unicon.net Unicon, Inc.

Download ppt "Improving Extending the Shibboleth Identity Provider User Experience Keith Hazelton University of Wisconsin-Madison William G. Thompson, Jr. Unicon, Inc."

Similar presentations

Enabling UCTrust Access for Your Application Introduction to The UC CSC Conference UC Santa Barbara, July 21-22, 2008.

Enabling UCTrust Access for Your Application Introduction to The UC CSC Conference UC Santa Barbara, July 21-22, 2008.
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
AJAC Systems Hotel Reservation System

AJAC Systems Hotel Reservation System
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Shibboleth and uApprove at University of Michigan Luke Tracy – Ken Hammer –

Shibboleth and uApprove at University of Michigan Luke Tracy – Ken Hammer –
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.
3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.

3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.

Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.
Enterprise Identity Steve Plank – Microsoft Ivor Bright – Charteris Dave Nesbitt – Oxford Computer Group.

Enterprise Identity Steve Plank – Microsoft Ivor Bright – Charteris Dave Nesbitt – Oxford Computer Group.
Integrating with UCSF’s Shibboleth system

Integrating with UCSF’s Shibboleth system
SAML Right Here, Right Now Hal Lockhart September 25, 2012.

SAML Right Here, Right Now Hal Lockhart September 25, 2012.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.
Chad La Joie Shibboleth’s Future.

Chad La Joie Shibboleth’s Future.

Similar presentations

Ads by Google