Improving Extending the Shibboleth Identity Provider User Experience Keith Hazelton University of Wisconsin-Madison William G. Thompson, Jr. Unicon, Inc.
1 Improving Extending the Shibboleth Identity Provider User Experience
Keith Hazelton, University of Wisconsin-Madison
William G. Thompson, Jr., Unicon, Inc.
Dmitriy Kopylenko, Unicon, Inc.
© Copyright Unicon, Inc., Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit
Internet2 Member Meeting, October 5th, 2011

2 Agenda
1. Introduction
2. Approach
3. Solution
4. Next Steps

3 Introduction

4 Shib at UW-Madison
● Overview of current UW shib deployment

5 Problem Statement
● How to extend the Shib IdP with local behavior for the following needs:
  – Inform users of options when they don't have authZ for a particular service.
  – User controlled attribute release
  – Terms of Use, Acceptable Use, Security, Privacy, or any ol' policy a user must click through.

6 Google Apps for HE
● Description of failure mode and what we'd like instead.

7 Broken SP?
● Why “fixing the SP” is not enough...

8 Terms of Use...
● Terms of Use
● Acceptable Use Policy
● Privacy Policy
● Security Policy
● Any special messaging/notification/click-through requirement based on user attributes

9 Attribute Release
● uApprove redux

10 Goals
● Extensible, customizable login experience that covers:
  – Coarse-grained AuthZ and UX that helps users
  – ToU/AUP read/write login flows
  – User controlled attribute release
● Alignment with SAML2, Shibboleth, InCommon communities

11 Approach
● Engage with Shib community early and often
  – Alignment with future direction
  – Architecturally sound
● Build for UW, share with the Shib community

12 Roadmap
● Phase I (completed July 2011)
  – Development environment (build/deploy/debug)
  – Architecture analysis
  – Community feedback
● Phase II (completed October 2011)
  – Proof-of-concept Spring Web Flow / IdP integration
  – Community feedback
● Phase III (target Jan 2012)
  – Incorporate community feedback
  – Package and document for production release at UW
  – Share with the community

13 Demonstration

14 Solution
IdP2 and SWF perfect together!

15 Design Goals
● Minimally invasive to the IdP
● Simple but not simplistic
● Easily extended to other login flow use cases
● Easily customized for local needs
● Decoupled from IdP as much as possible

16 IdP Integration
● Login flow is extended via SWF outside of and separate from the IdP
● Small and simple filter...inspiration from uApprove
● Filter determines overall flow state and hands off to SWF when appropriate
● Filter provides access to user attributes and service metadata in SWF
● Can be selectively applied to profile endpoints via web.xml

20 Spring Web Flow
● An extension to Spring MVC that allows you to define Controllers using a domain-specific language. This language is designed to model user interactions that require several requests into the server to complete, or may be invoked from different contexts.
● Used to meet these design goals:
  – Simple but not simplistic
  – Easily extended to other login flow use cases
  – Easily customized for local needs

23 Solution Dependencies
● Tomcat Cross Context
  – Forward request server-side to swf post login flow
  – Shared state to control flow signaling between swf and idp
● emptySessionPath
  – shares session cookie between servlet contexts. One JSessionId, two session objects. Enables swf to reuse idp session cookie.
● PostLoginFlowFilter and web.xml config
● SWF to suit your needs
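To make slides 16, 20 and 23 concrete, here is an illustrative servlet filter written for this transcript; it is an added example, not the UW/Unicon PostLoginFlowFilter or any Shibboleth project code. It assumes Tomcat with crossContext="true" on the /idp and /swf Context elements and emptySessionPath="true" on the Connector (so both webapps share one JSESSIONID cookie but hold separate HttpSession objects), a hypothetical SWF webapp mounted at /swf with a flow at /flows/postlogin, and that the presence of the IdP 2.x _idp_session cookie is a good-enough marker that the user has logged in. The package name, attribute keys and init-param names are invented for the example. Passing user attributes and SP metadata to the flow, which the deck says the real filter does, is left out.

```java
package edu.example.idp.postlogin; // hypothetical package; not part of the Shibboleth IdP

import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative post-login filter, mapped in web.xml only to the IdP profile
 * endpoints that should get the extra flow (e.g. the SAML2 SSO endpoint).
 * Flow state is kept in a map on the IdP ServletContext keyed by JSESSIONID,
 * which the SWF webapp reaches through getContext("/idp") (Tomcat crossContext).
 */
public class PostLoginFlowFilter implements Filter {

    /** ServletContext attribute holding the state shared with the SWF webapp (example key). */
    public static final String SHARED_STATE = "edu.example.postlogin.SharedState";

    /** Per-session record: the flow reads returnUrl and sets done when the user is through. */
    public static final class FlowState {
        public final String returnUrl;
        public volatile boolean done;
        FlowState(String returnUrl) { this.returnUrl = returnUrl; }
    }

    private ServletContext idpContext;
    private String swfContextPath = "/swf";            // assumed SWF webapp context
    private String swfFlowPath = "/flows/postlogin";   // assumed flow mapping inside that webapp
    private String loginMarkerCookie = "_idp_session"; // cookie the IdP 2.x sets once a login session exists

    @Override
    public void init(FilterConfig config) {
        idpContext = config.getServletContext();
        if (config.getInitParameter("swfContextPath") != null) swfContextPath = config.getInitParameter("swfContextPath");
        if (config.getInitParameter("swfFlowPath") != null) swfFlowPath = config.getInitParameter("swfFlowPath");
        idpContext.setAttribute(SHARED_STATE, new ConcurrentHashMap<String, FlowState>());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // State 1: no IdP login session yet -> let the IdP authenticate the user first.
        if (!hasCookie(request, loginMarkerCookie)) {
            chain.doFilter(req, resp);
            return;
        }
        HttpSession session = request.getSession(true);
        @SuppressWarnings("unchecked")
        Map<String, FlowState> shared = (Map<String, FlowState>) idpContext.getAttribute(SHARED_STATE);
        FlowState state = shared.get(session.getId());

        // State 2: the flow already completed for this session -> continue to the IdP profile handler.
        if (state != null && state.done) {
            chain.doFilter(req, resp);
            return;
        }
        // State 3: logged in, flow not done -> remember where to come back to, hand off server-side.
        if (state == null) {
            String query = request.getQueryString();
            String returnUrl = request.getRequestURL().append(query == null ? "" : "?" + query).toString();
            shared.put(session.getId(), new FlowState(returnUrl));
        }
        ServletContext swf = idpContext.getContext(swfContextPath);
        if (swf == null) {
            // crossContext disabled or SWF webapp missing: fail closed rather than skipping the policy flow.
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "Post-login flow unavailable");
            return;
        }
        swf.getRequestDispatcher(swfFlowPath).forward(request, response);
    }

    /** Called from the SWF webapp's final flow state (via getContext("/idp")) with its own session id,
     *  which equals the IdP's because emptySessionPath gives both contexts the same JSESSIONID. */
    public static String completeFlow(ServletContext idpContext, String sessionId) {
        @SuppressWarnings("unchecked")
        Map<String, FlowState> shared = (Map<String, FlowState>) idpContext.getAttribute(SHARED_STATE);
        FlowState state = shared == null ? null : shared.get(sessionId);
        if (state == null) return null;
        state.done = true;
        return state.returnUrl; // the flow redirects the browser here; the filter then passes the request through
    }

    private static boolean hasCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) if (name.equals(c.getName())) return true;
        return false;
    }

    @Override
    public void destroy() { }
}
```

The filter is registered in web.xml with a filter-mapping restricted to the chosen profile URL pattern, which is what lets it be applied selectively as slide 16 describes. Two things a production version needs that the example omits: an HttpSessionListener that removes the map entry when the session is invalidated, so the shared map does not grow without bound, and a check of the IdP's own session object rather than merely the cookie's presence before trusting that login is complete.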

24 Next Steps
● Give it a whirl...
  –
  –
● Feedback, help, comments, suggestions,...
● Review, Refactor
● Finalize UW post login flow requirements and implement
● Deploy into production at UW
● Share with the community

25 Questions & Answers
Keith Hazelton, University of Wisconsin-Madison
William G. Thompson, Jr., Unicon, Inc.