Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shibboleth for Real Dave Kennedy

Published byMadeline McGee Modified over 8 years ago

Similar presentations

Presentation on theme: "Shibboleth for Real Dave Kennedy"— Presentation transcript:

1 Shibboleth for Real Dave Kennedy davekenn@umd.edu http://usmai.umd.edu/auth

2 Environment Consortium –16 institutions Services –Ex Libris’ Metalib, Aleph, SFX, Digitool –EZproxy –ILLiad –DSpace, Fedora, etc.

3 What is the problem? Multiple logins for multiple services Need to secure flow of data for multiple logins for different applications Username/password embedded in URLs to give appearance of single sign on

4 Why Shibboleth? Other considered solutions: PDS, CAS, Pubcookie Shibboleth –Single sign on –Secure handling of user attributes –Flexibility to use different AuthZ criteria per service –Designed to function across domains –Ability to authenticate for different vendors’ products

5 Shib architecture Shibboleth – an architecture for handling authentication and attribute assertion in a secure and controlled manner Service Provider (SP) – resource Identity Provider (IdP) – AuthN source WAYF – Where Are You From WebISO – Web Initial Sign On

6 Shib architecture

7 Investigation Installed generic single institution IdP Installed generic service provider (script that prints out attributes) Proof of concept

8 Implementation Chose EZproxy and Ex Libris’ Metalib/PDS as initial SPs EZproxy was already shibboleth-enabled, so easily configured Had to implement multiple identity providers for institutions in the consortium

9 IdP Implementation Multiple institutions in one installation Multiple configurations for attributes and trust settings Multiple ldap settings in WebISO for user verification

10 Multiple Identity Providers – Virtually Separate Totally separate identity providers as far as service providers are concerned Unique access points Separate trust relationships

11 PDS Patron Directory Service Single Sign On between ExLibris applications AuthN and AuthZ

12 Role of PDS in Shib Environment Dual role of WAYF and SP AuthN AuthZ at the application level (Metalib, in our case)

13 PDS as WAYF PDS to present list of institutions (WAYF) Choice of institutions redirects to an institution specific URL within PDS

14 PDS as SP Each URL protected by different institution’s Identity Provider IdP handles authentication and attribute assertion SP receives attributes back from IdP and establishes PDS session

15 Shib SP configuration Shibboleth.xml – settings for SP Multiple applications defined, each with a different Identity Provider RequestMap defined – map URLs to shib applications

16 Logout No logout provided in shibboleth architecture Created a logout for identity provider, with an optional redirect back to service provider

17 Before

18 After

19 Project Details Began investigation – March 2005 1 staff member 16 IdPs, 3 SPs into production, April 2006 Hardware: –Test – Sun Fire V480, 2x900MHz UltraSparc III, 8GB RAM (shared server) –Production – Sun Fire V880, 4x900MHz UltraSparc III+, 16GB RAM (shared server) Documentation

20 Challenges Technical –Consortia – virtually separate identity providers –Logout –LDAP – hook into our ldap, single ldap for all institutions, only use institution specific attributes Learning curve, needed concentrated chunks of staff time Making shibboleth a priority

21 What’s next? We are rolling out more service providers ILLiad going into production within the month Aleph to be shib service provider by year’s end Online resources Consortial members implementing their own identity providers

22 Dave Kennedy davekenn@umd.edu Shib project page: http://usmai.umd.edu/auth

Download ppt "Shibboleth for Real Dave Kennedy"

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Moodle@Kidderminster College An insight Into the College VLE Graham Mason gmason@kidderminster.ac.uk.

College An insight Into the College VLE Graham Mason
Enabling UCTrust Access for Your Application Introduction to The UC CSC Conference UC Santa Barbara, July 21-22, 2008.

Enabling UCTrust Access for Your Application Introduction to The UC CSC Conference UC Santa Barbara, July 21-22, 2008.
EVERY CONNECTION has a starting point. EVERY CONNECTION has a starting point. WorldCat Navigator - Authentication Library Hosted Navigator EZproxy and.

EVERY CONNECTION has a starting point. EVERY CONNECTION has a starting point. WorldCat Navigator - Authentication Library Hosted Navigator EZproxy and.
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.

KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.
PDS User Management DigiTool Version 3.0. User Management 2 PDS Overview PDS Setup Single Sign On Agenda.

PDS User Management DigiTool Version 3.0. User Management 2 PDS Overview PDS Setup Single Sign On Agenda.
1 Wolfgang Lierz Staff IT-Services / Network & Security Admin ETH-Bibliothek Zurich Integration Primo-Aleph-PDS-SSO- AAI Wolfgang Lierz / IGeLU 2012 Zurich.

1 Wolfgang Lierz Staff IT-Services / Network & Security Admin ETH-Bibliothek Zurich Integration Primo-Aleph-PDS-SSO- AAI Wolfgang Lierz / IGeLU 2012 Zurich.
JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.

JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
Shibboleth access management: a replacement for Athens and more? Mark Norman and Christian Fernau OUCS 21 June 2007.

Shibboleth access management: a replacement for Athens and more? Mark Norman and Christian Fernau OUCS 21 June 2007.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Napster Shibboleth Target PSU/Napster Technical Integration R. Ramos

Napster Shibboleth Target PSU/Napster Technical Integration R. Ramos
3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.

3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 Shibboleth Pilot Local Authentication.
UK e-Science All Hands Meeting, September 2007 The GLASS Project: Supporting Secure Shibboleth-based Single Sign-On to Campus Resources John Watt (

UK e-Science All Hands Meeting, September 2007 The GLASS Project: Supporting Secure Shibboleth-based Single Sign-On to Campus Resources John Watt (
Shibboleth IdP Training: Productionalization January, 2009.

Shibboleth IdP Training: Productionalization January, 2009.
Copyright JNT Association 2005Copyright JNT Association 2008 www.ukfederation.org.uk An Introduction to Access Management and the UK Federation Simon Cooper.

Copyright JNT Association 2005Copyright JNT Association An Introduction to Access Management and the UK Federation Simon Cooper.
TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004.

TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004.

Similar presentations

Ads by Google