
Shibboleth SSO and Drupal


Presentation on theme: "Shibboleth SSO and Drupal"— Presentation transcript:

1 Shibboleth SSO and Drupal
Presented by Justin Ludwig (jludwig) at BADCAMP 2013

2 Who is Justin Ludwig?
jludwig on drupal.org
Tech Virtuoso, Software, BioRAFT
Drupal for about 6 years, since D5 was new.
Resides in South Bay with beautiful wife and adorable fur-baby.
Musical family: lovers of Early Music, weird music of today and everything in between.

3 What is BioRAFT? “Preventing the next zombie apocalypse”
Entirely built using Drupal, SaaS model.
Lab Safety, Compliance & Training Software.
Comprehensive and efficient hazard tracking, compliance management, & training delivery.
In use at top tier research institutions, and at top ten biotech & pharmaceutical companies.

4 Shibboleth: A Brief History
A shibboleth (/ˈʃɪbəlɛθ/ or /ˈʃɪbələθ/) is a word, sound, or custom that a person unfamiliar with its significance may not pronounce or perform correctly relative to those who are familiar with it. It is used to identify foreigners or those who do not belong to a particular class or group of people. It also refers to features of language, and particularly to a word or phrase whose pronunciation identifies a speaker as belonging to a particular group.

Gilead then cut Ephraim off from the fords of the Jordan, and whenever Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you an Ephraimite?' If he said, 'No,' they then said, 'Very well, say "Shibboleth" (שבלת).' If anyone said, "Sibboleth" (סבלת), because he could not pronounce it, then they would seize him and kill him by the fords of the Jordan. Forty-two thousand Ephraimites fell on this occasion. (Judges 12:5–6, NJB)

During World War II, some United States soldiers in the Pacific theater used the word lollapalooza as a shibboleth to challenge unidentified persons, on the premise that Japanese people often pronounce the letter L as R or confuse Rs with Ls; the word is also an American colloquialism that even a foreign person fairly well-versed in American English would probably mispronounce or be unfamiliar with.

For the next 45 minutes, I’ll be lecturing on Shibboleths throughout history, from Biblical times all the way up to current pop culture references, like on the West Wing.

5 JK, Rowling

6 A peek into the future
What is single sign-on?
What is Shibboleth? How does it work?
SAML? IdP? SP? WTF?
Leveraging Drupal & Shib_Auth.module
Resources

7 What is Single Sign-On and WHY?
Single sign-on (SSO) allows a user to use a single username and password for multiple services.
Easier for the end user.
Easier integration for staff.
Better security (when used properly).
The biggest reason… once it’s done, developers can integrate easily with new sites.
Help desk gets fewer calls about passwords, and can have a one-size-fits-all template for the response.
Sales people can use it as a selling point with potential clients: better security.

8 Your Client Needs It!
Higher Education, they use it.
Government, they use it.
Big corporations, they use it.
Non-Profits, they should be using it.
Have another slide: from a single federation, InCommon has a list (mostly higher ed); other federations focus on business.

9 Your Client Needs It!

10 Just a little Jargon…
Security Assertion Markup Language (SAML): Fast, secure, robust XML-based open standard for SSO. Shibboleth is just an implementation of SAML, a specification of a protocol that deals with assertions. It transfers the attributes, such as username and email, that allow SSO to happen.
Identity Provider (IdP): Authentication service; provides the user data.
Service Provider (SP): Hosts the application that users wish to access.

11 Why Shibboleth?
The most robust SAML implementation. Tried and tested.
Easy to use.
Big community.
Open source.
Shib_Auth module.

12 How Shibboleth Works 1. User accesses protected resource.

13 How Shibboleth Works 2. The SP sends an authentication request to the IdP.

14 How Shibboleth Works 3. User authenticates to the IdP – Format of the request determined by config.

15 How Shibboleth Works 4. The IdP’s response is picked up at the ACS (Assertion Consumer Service) on the SP, which decodes it, does security checks, then creates a session for the user. Drupal then takes over.

16 POST Binding and Artifact Binding
POST Binding: the IdP returns a POST (via the user’s browser) that contains the SAML Assertion to the SP. No direct communication between IdP & SP.
Artifact Binding: the IdP saves the SAML Assertion to its session and redirects the user to the SP with an Artifact in the query string. The SP requests the SAML Assertion for that Artifact from the IdP; the IdP returns the Assertion with the matching Artifact; the SP validates the Assertion.
The intent of the Artifact binding is to reduce the number of SAML messages going through the browser and possibly improve security, since the sensitive data is never passed through the browser at all.
In reality, I tend to go for POST because it’s just as secure, and if the IdP is acting up, it’s easier for them to understand that the problem is on the IdP side.
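The ACS step from slide 15 and the POST binding above, as an added example that is not part of the talk or of the Shibboleth SP: a constructed SAMLResponse (with hypothetical SP and IdP URLs) is base64-decoded and run through the checks an SP makes after the XML signature has been verified against the IdP key from metadata, which is the part left out here. Because with POST the assertion travels through the user’s browser, these checks (Destination, InResponseTo, validity window, Audience) are what stop a replayed or misdirected assertion from becoming a session.

```python
import base64
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"  # hypothetical SP
SP_ENTITY_ID = "https://sp.example.org/shibboleth"             # hypothetical entityID

# Constructed sample of the SAMLResponse form field the IdP POSTs to the ACS. The XML
# signature is omitted; a real SP verifies it against the IdP key from metadata first.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" InResponseTo="_req42" Destination="{ACS_URL}">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions NotBefore="2013-10-25T17:00:00Z" NotOnOrAfter="2013-10-25T17:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
        <saml:AttributeValue>jludwig@example.edu</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def _ts(s):
    """Parse a SAML UTC timestamp such as 2013-10-25T17:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_saml_response(b64, expected_request_id, now_iso):
    """Decode a POST-binding SAMLResponse and apply the checks an ACS makes after signature verification."""
    root = ET.fromstring(base64.b64decode(b64))
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match this ACS")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("not a reply to our outstanding AuthnRequest")
    if not root.find("samlp:Status/samlp:StatusCode", NS).get("Value").endswith(":Success"):
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    now = _ts(now_iso)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if cond.find("saml:AudienceRestriction/saml:Audience", NS).text != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different SP")
    # Only attributes from an assertion that passed every check reach the Drupal side.
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
```

The returned dict is keyed by the raw SAML attribute name (urn:oid:1.3.6.1.4.1.5923.1.1.1.6 is eduPersonPrincipalName); mapping it to a friendly name is what attribute-map.xml does on a real SP.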

17 Install and Configure Shibboleth
Learn XML!
Other Prerequisites:
Root access to the machine.
Network Time Protocol (NTP).
Basic understanding of SSL.
Basic understanding of server configuration.

18 Install and Configure Shibboleth
Follow an installation guide. ;)
If not using an officially supported distro, check the package management repo.
As always, Google is your friend.

19 A Little Configuration Jargon…
EntityID: String used to identify your application across federation interactions.
Metadata: What makes SAML work. The automatically generated metadata for Shibboleth works pretty well.
Attributes: Info provided by the IdP. Configured in attribute-map.xml.

20 Federations: No, you don’t need to wear the jumpsuit
A group of IdPs and SPs that agree on a set of policies.
Not 100% necessary, but greatly simplifies things and scales better.
Making agreements like this once helps a community scale: integration with other federation members, management decisions, etc.

21 Config Files Overview
/etc/shibboleth: Base directory for Shib config (on some installs /opt/shibboleth-sp/etc/shibboleth/).
shibboleth2.xml: Most of the SP’s config options.
attribute-map.xml: Used to translate attributes from SAML assertions. An attribute can be in any NameFormat you want; URIs are recommended because of uniqueness and namespace control.
Metadata: SP and IdP/Federation exchange metadata, and this makes SAML work. Usually generated at /Shibboleth.sso/Metadata. A good base; invest in understanding its contents.

22 Leveraging Drupal Shibboleth authentication module
Big ‘Thank you’ to shafter, bajnokk, dorion, niff, and everyone else involved in the project. 14,955 downloads, thousands report using it. 4.x Branch for Drupal 6 and Drupal 7. Backported to D5 if anyone needs it.

23 What shib_auth gives you
Automatic user creation and user login.

24 What shib_auth gives you
Automatic role assignment. Let’s make sure everyone knows to whom that role belongs.

25 What shib_auth gives you
Account linking. Let’s make sure everyone knows to whom that role belongs.

26 What shib_auth gives you
Logout Handling

27 Advanced Features in Shib_Auth
User-defined usernames/emails
Auto-Login
Pre-creating Users
User Consent Forms
forceAuthn

28 Resources https://wiki.shibboleth.net/confluence/dashboard.action

29 A look to the past
What is single sign-on?
What is Shibboleth? How does it work?
SAML? IdP? SP? WTF?
Leveraging Drupal & Shib_Auth.module
Resources

30 Questions, comments, etc
