Shibbolizing uPortal and a Path for Delegated Authentication with Shibboleth Tom Barton, Scott Cantor, and Andrew Petro The Ohio State University, University.

Slides:



Advertisements
Similar presentations
Lousy Introduction into SWITCHaai
Advertisements

MyProxy Jim Basney Senior Research Scientist NCSA
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Enabling UCTrust Access for Your Application Introduction to The UC CSC Conference UC Santa Barbara, July 21-22, 2008.
Central Authentication Service Roadmap JA-SIG Winter 2004.
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
Contrail and Federated Identity Management
Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal , DNS Hello User Sample (Gateway)
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
UPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June.
CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd. The Language Bank of Finland User Authentication and Authorization Service
Development and Implementation of Multifactor Authentication Motonori Nakamura at National Institute of Informatics and Takuya Matsuhira at Kanazawa University,
WebFTS as a first WLCG/HEP FIM pilot
Widely Distributed Access Management Tom Barton University of Chicago.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
SWITCHaai Team Introduction to Shibboleth.
Integrating with UCSF’s Shibboleth system
Shibboleth: Installation and Deployment Scott Cantor July 29, 2002 Scott Cantor July 29, 2002.
New uPortal Contributions from the University of Wisconsin-Madison Jim Helwig University of Wisconsin-Madison Eric Dalquist Unicon, Inc. JA-SIG December.
Michael Ghens Information Systems Specialist Santa Barbara City College.
GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,
Internet2 CAMP Shibboleth Scott Cantor (Hey, that’s my EPPN too.) Tom Dopirak Scott Cantor (Hey, that’s my.
CAS Lightning Talk Jasig-Sakai 2012 Tuesday June 12th 2012 Atlanta, GA Andrew Petro - Unicon, Inc.
Project Moonshot update ABFAB, IETF 80. About Moonshot Moonshot is implementing ABFAB Developer meeting, 24 March 2011 Testing event, 25 March 2011 A.
Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.
Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.
Federated Identity and Shibboleth Concepts Rick Summerhill Chief Technology Officer Internet2 GEC3 October 29, 2008 Slides by Nate Klingenstein
Shibboleth: An Introduction
MAT U M A T U Middleware Assisted Take-Up Service For JISC Funded Early Adopters.
Implementing Kuali Identity Management at your Institution Jasig Spring 2010 Wednesday, March 10, am.
Web Services Tiered Internet Authorization (WSTIERIA) 21 June 2011 Fiona Culloch
Introduction to Spring Web Flow Andrew Petro Software Developer Unicon, Inc. Jasig 2011 Westminster, CO 23 May 2011 © Copyright Unicon, Inc., Some.
Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.
PAPI: Simple and Ubiquitous Access to Internet Information Services JISC/CNI Conference - Edinburgh, 27 June 2002.
Implementing Kuali Identity Management at your Institution Jasig Spring 2010 Wednesday, March 10, am.
Kuali Identity Management: Introduction and Implementation Options Jasig - Spring 2010 Wednesday, March 10, :30 am.
Administrative Information Systems Shibboleth Install Session Technical Information Session for Developers Datta Mahabalagiri.
126/02/2016 META ACCESS MANAGEMENT SYSTEM A Ship on the Grid – Interoperability between Shibboleth and the Grid – Dr. Erik Vullings Programme Manager Macquarie.
Shibboleth 1.2 Technical Overview “So you thought 1.1 was complicated…” Scott Cantor The Ohio State University and Internet2 Scott Cantor.
Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.
The FederID project The First Identity Management and Federation Free Software.
Improving Extending the Shibboleth Identity Provider User Experience Keith Hazelton University of Wisconsin-Madison William G. Thompson, Jr. Unicon, Inc.
Shibbolizing uPortal and a Path for Delegated Authentication with Shibboleth Tom Barton, Scott Cantor, and Andrew Petro The Ohio State University, University.
ClearPass A CAS Extension Enabling Credential Replay Andrew Petro Unicon, Inc. Jasig 2010 San Diego, CA 09 March 2010 © Copyright Unicon, Inc.,
Improving Extending the Shibboleth Identity Provider User Experience Keith Hazelton University of Wisconsin-Madison William G. Thompson, Jr. Unicon, Inc.
Access Policy - Federation March 23, 2016
David Millman—Columbia January 2005
Shibboleth Architecture
Single Sign-On Led by Terrice McClain, Jen Paulin, & Leighton Wingerd
Identity and Access Management Challenges in uPortal
Federation Systems, ADFS, & Shibboleth 2.0
CAS and Web Single Sign-on at UConn
Identity Federations - Overview
SaaS Application Deep Dive
John O’Keefe Director of Academic Technology & Network Services
Grid accounting system
Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)
Identity Federations - Installation and operation
Scott Cantor April 10, 2003 Shibboleth and PKI Scott Cantor April 10, 2003.
ESA Single Sign On (SSO) and Federated Identity Management
Open Source Web Initial Sign-On Packages
Integrating non web-based services with identity federations
Central Authentication Service
Office 365 Development.
IST346: Namespaces, Identity Management
Presentation transcript:

Shibbolizing uPortal and a Path for Delegated Authentication with Shibboleth Tom Barton, Scott Cantor, and Andrew Petro The Ohio State University, University of Chicago, and Unicon, respectively. Jasig Dallas 03 March 2009 © Copyright the author or authors. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit

2 Agenda 1.Introduction 2.Use Cases 3.Shibbolizing uPortal Today 4.Delegated Shibbolized Authentication... in uPortal 5.… in Shibboleth 6.Conclusion

3 Use Cases Shibbolizing uPortal

4 Authentication and Single Sign On

5 Federated Authentication

6 ● The provider of the identity and the provider of the service (uPortal) may not be the same institution ● Users can authenticate using identities from anywhere in federation, to services anywhere in federation, with a healthy policy layer.

7 Attribute release ● Just in time release of attributes to the portal at the time of user authentication ● Different from querying directories of attributes – Attributes released only in context of actual user authentication – Attributes may be of a federated identity, attribute information not necessarily available to portal in an institutional directory

8 Delegated authentication ● User authenticates to portal ● Portal authenticates to a backing service on behalf of the user ● Data from backing service informs portal WSP /

9 Shibbolizing uPortal Today Authentication Attribute Release

10 Authenticating to uPortal with Shibboleth Authentication

11 Shibboleth for Authentication ● Shibboleth provides a Service Provider Apache module for authentication ● uPortal can delegate to container for authentication ● Ta-da!

12 Shibboleth SP Authentication HTTP: headers HTTP Headers HTTP headers set by the Shibboleth SP represent the authenticated user identifier (remote user) and user attributes

13 Shibbolizing CAS? ● uPortal ships with a CAS server and support for using CAS for login ● CAS can be easily Shibbolized ● Shibbolize uPortal by Shibbolizing CAS?

14 Releasing Attributes to uPortal with Shibboleth Attributes

15 User Attributes in uPortal JDBCLDAP Pluggable API User attributes subsystem

16 Shibboleth attribute release HTTP: headers HTTP Headers HTTP headers set by the Shibboleth SP represent the authenticated user identifier (remote user) and user attributes

17 User attributes at login ● User attributes in the context of user login ● Not arbitrary queries of directories

18 Capturing user attributes from SP HTTP: headers HTTP Headers HTTP headers set by the Shibboleth SP represent the authenticated user identifier (remote user) and user attributes HTTP header capturing filter

19 Declare the filter in web.xml HttpHeaderFilter edu.jhu.services.persondir.support.http.HttpHeaderF ilter personDirectoryDaoName httpHeaderAttributeSource HttpHeaderFilter Login

20 User attributes from Shibboleth JDBCLDAP DAO bridges to filter User attributes subsystem

21 Declare the attribute source

22 Canonical way to do this is in flux ● Not very much in flux, but a little in flux ● In Jira: PERSONDIR-37, PERSONDIR-49 ● The (a) DAO for this ships in Persondir 1.5 RC2 ● For now, if you're interested, please ping me. ●

23 Delegated Shibbolized Authentication... In uPortal

Portal Password Replay Password- Protected Service Channel PW

Look Ma, No Password! ● Without a password to replay, how am I going to authenticate my portal to other applications? ?

Proxy CAS CAS Web Application Web Browser https listener

27 Oh, wait, this is Shibboleth ● Very similar idea. ● Portal presents SAML Assertion to Portlet ● Portlet presents SAML Assertion to IdP ● IdP issues Portlet a new SAML Assertion for purpose of authenticating Portlet to backing Web Service Provider ● Portlet presents Assertion to backing Web Service Provider, authenticating its request to the backing service.

28 Delegated authentication WSP IdP

29 Getting the SAML to the Portlet ● Solution parallel to that for conveying passwords and CAS Proxy Tickets to portlets ● Custom UserInfoService ● Portlets obtain SAML assertions (like passwords and CAS proxy tickets) via callback for a “magic” user attribute

30 SAML to authenticate to a WSP ● Portlet presents SAML to IdP to get more SAML to present to backing WSP ● Wouldn't it be nice if there were a library that automated this? – Abstract away the (re-)authentication part – Present to portlet either simple response from WSP or an API to make further requests – Think adorned Commons HttpClient

31 Library Delegated authentication WSP IdP

32 Delegated Shibbolized Authentication... In Shibboleth

33 Defer to the other slide deck... ● One moment please...

34 Concluding remarks

35 Where to learn more ● Internet2 Wiki Space: ● ● Tom Barton, Scott Cantor, Andrew Petro, Adam Rybicki, and Tamra Valadez at this conference

36 Questions & Answers

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.