Shibboleth at Brown University. James Cramton, Brown University, April 2, 2009. Copyright © James Cramton 2009.


Copyright © James Cramton 2009. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

"Gilead then cut Ephraim off from the fords of the Jordan, and whenever Ephraimite fugitives said, 'Let me cross,' the men of Gilead would ask, 'Are you an Ephraimite?' If he said, 'No,' they then said, 'Very well, say Shibboleth.' If anyone said, 'Sibboleth', because he could not pronounce it, then they would seize him and kill him by the fords of the Jordan. Forty-two thousand Ephraimites fell on this occasion." (Judges 12:5-6, NJB)

Topics
- Shibboleth terminology and use at Brown
- WebAuth vs. Shibboleth
- Shibboleth-enabled services
- Attribute release policies and ARPViewer
- Installation and configuration
- Federation
- Logout considerations

Shibboleth at Brown
- Standards-based web single sign-on (SSO) service
- Can operate across domain boundaries
- Will replace WebAuth as Brown's intra-campus SSO
- Currently supported by more than 100 applications
- Allows granular control of personal attribute release
- Provides access to many more attributes than WebAuth
- Can allow external federated users to access Brown resources without Brown credentials
- Can allow Brown users to access federated resources outside Brown using their Brown credentials

Shibboleth Terminology
- Identity Provider (IdP)
  – Performs user authentication on behalf of the SP
  – Provides a customized set of attributes for each SP
- Service Provider (SP)
  – Runs on the application host as an Apache or IIS module, or through another interface
  – Authorizes the user based on the authentication and the attributes received from the IdP
- Attribute
  – A property describing a user within the system
  – Human-friendly examples: brownType, brownStatus, displayName, isMemberOf
  – Minimal identifier: an opaque (gibberish) identifier that is unique to each user at each SP, so two SPs cannot correlate the same user by it
  – Typically used for authorization or UI customization
- Federation
  – A group of organizations that share a common trust framework

WebAuth vs. Shibboleth

Brown's WebAuth:
- Proprietary, and compatible only with Apache and IIS (sort of)
- 10 years old, unsupported
- Dependent on Brown Grouper
  – Also proprietary and unsupported
- Limited and arbitrary set of attributes released to apps
- Limited to Brown users
- Not load balanced
- Not redundant

Internet2's Shibboleth:
- Standards-based
  – LDAP, SQL, SAML 1.1 and 2.0, ADFS
- Actively supported by a community source model, Internet2 and partners
- Used by more than 100 applications
- Policy-driven attribute release
- User-controlled attribute release
- Supports federation with 15M users
  – Use of Brown resources by external users
  – Use of external resources by Brown users
- Load balanced and redundant

Shibboleth-capable Services

Currently in use at Brown:
- All Apache web servers
  – Webpub
  – LAMP
  – WebApps
- All IIS web servers
- WebCT
- Brown Confluence Wiki
- University Tickets
- Dining Services' Interphaze
- Coeus

Planned or possible:
- Sympa list manager
- People Admin
- Outsourced NIH, NSF and NASA grants management
- Microsoft DreamSpark (free MS software for students)
- Discount student airline tickets
- caBIG (cancer grid computing)
- TeraGrid grid computing
- CERN Large Hadron Collider Virtual Organizations (VOs)
- Many more…

Attribute Release Policies
- Protect user identity by releasing only the attributes each SP actually needs
- Attribute release policies are configurable per SP and per attribute
- Default attribute release policies:
  – External SPs see only a unique, opaque identifier (gibberish)
  – Trusted Brown SPs see a more useful set of attributes, including:
    brownShortId, brownNetID, brownBruID, brownUUID, eduPersonPrincipalName
    mail, mailRoutingAddress
    displayName, givenName, sn, LOA (Level of Assurance)
    brownType, eduPersonPrimaryAffiliation, eduPersonAffiliation, eduPersonScopedAffiliation
    isMemberOf (full list of group memberships)
  – Default policies are published online (link not preserved in this transcript); SP owners may request exceptions to the default policies
- Users can be required to manually approve attribute release
  – ARPViewer presents the user with an approval form
  – Approval or denial is audited

ARPViewer Example
- ARPViewer can be triggered for each SP, or for a particular attribute condition for an SP
- When triggered, the user must confirm that they approve the release of the displayed information before the attributes are released to the SP
- This process puts the attribute release decision in the users' hands
- All responses are auditable
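The per-SP opaque identifier from the terminology slide, the default release policy (external SPs get only the opaque identifier, trusted Brown SPs get the fuller set) and the ARPViewer approval step with its audit record, worked through as an added Python example. This is not code from the slides or from Brown's deployment: the user record, the SP entityIDs, the salt and the consent table are constructed for the example; the opaque identifier is modelled on the Shibboleth IdP computed ID (base64 of a SHA-1 over the SP entityID, a stable local identifier and a secret salt), and eduPersonTargetedID is assumed as the attribute name that carries it.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Constructed sample user. The attribute names are the ones the slides list;
# every value is invented for this example.
SAMPLE_USER = {
    "brownShortId": "jdoe",
    "brownNetID": "jdoe",
    "brownBruID": "B00000000",
    "brownUUID": "00000000-0000-4000-8000-000000000000",
    "eduPersonPrincipalName": "jdoe@brown.edu",
    "mail": "jane_doe@brown.edu",
    "mailRoutingAddress": "jdoe@mail.brown.edu",
    "displayName": "Jane Doe",
    "givenName": "Jane",
    "sn": "Doe",
    "LOA": "2",
    "brownType": "Student",
    "eduPersonPrimaryAffiliation": "student",
    "eduPersonAffiliation": ["student", "member"],
    "eduPersonScopedAffiliation": ["student@brown.edu", "member@brown.edu"],
    "isMemberOf": ["BROWN:COMMUNITY:ALL", "COURSE:CHEM:1060:2008-Fall:L01:Student"],
}

# Hypothetical SP entityIDs; not taken from Brown's or InCommon's metadata.
TRUSTED_SP = "https://wiki.brown.example/shibboleth-sp"
TRUSTED_SPS = {TRUSTED_SP}

# Hypothetical ARPViewer policy: SPs for which the approval form is switched on,
# mapped to the attributes whose release the user must approve.
CONSENT_REQUIRED = {TRUSTED_SP: {"isMemberOf", "mail"}}


def opaque_identifier(sp_entity_id, source_id, salt):
    """Identifier that is stable for one user at one SP but differs between SPs.

    Modelled on the Shibboleth IdP computed ID: base64(SHA-1(spEntityID!sourceID!salt)).
    The salt must stay secret and must never change, or every SP-side account breaks."""
    h = hashlib.sha1()
    h.update(sp_entity_id.encode() + b"!" + source_id.encode() + b"!" + salt)
    return base64.b64encode(h.digest()).decode()


def release_attributes(sp_entity_id, user, salt, approved=None):
    """Apply the default release policy for one SP.

    Returns (status, released, audit). status is "released", "denied" or
    "consent_required" (the caller then renders the ARPViewer form and calls
    again with approved=True or False); audit is the record kept for every decision."""
    if sp_entity_id in TRUSTED_SPS:
        policy = "trusted-brown-sp"
        released = dict(user)                      # the full default set
    else:
        policy = "external-sp"
        released = {"eduPersonTargetedID":
                    opaque_identifier(sp_entity_id, user["brownUUID"], salt)}

    status = "released"
    to_approve = sorted(CONSENT_REQUIRED.get(sp_entity_id, set()) & released.keys())
    if to_approve and approved is None:
        status, released = "consent_required", {}   # nothing leaves until the user decides
    elif to_approve and not approved:
        status, released = "denied", {}

    audit = {
        "time": datetime.now(timezone.utc).isoformat(),
        "sp": sp_entity_id,
        "user": user["brownNetID"],
        "policy": policy,
        "status": status,
        "attributes": sorted(released),
        "approval_requested_for": to_approve,
    }
    return status, released, audit


if __name__ == "__main__":
    salt = b"constructed-salt-do-not-reuse"
    for sp in ("https://grants.example.gov/sp", "https://vendor.example.com/sp"):
        print(sp, release_attributes(sp, SAMPLE_USER, salt)[1])
    print(release_attributes(TRUSTED_SP, SAMPLE_USER, salt)[0])
    print(release_attributes(TRUSTED_SP, SAMPLE_USER, salt, approved=False)[2])
```

Running it shows the two external SPs receiving different 28-character identifiers for the same user, while the trusted SP first gets a consent_required status and then either the full attribute set or nothing, with both outcomes written to the audit record.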

Federation
- Shibboleth can leverage the federation's trust relationships
  – Authenticate users at their local institution's IdP
  – Pass attributes to a remote SP according to local attribute release policies
  – Grant access to remote resources based on the released attributes
- Brown is a member of the InCommon federation, along with 2.2M users from more than 100 US higher-ed institutions
- Inter-federation agreements can extend the user base to 15M
- A supportable solution to requests to grant non-Brown users access to Brown resources
  – No need to establish Brown affiliate or guest accounts
  – The external user's home institution must belong to the InCommon federation
  – Or the user must use a credential from a supported provider like Protect Network
- Also allows Brown users to access external systems using Brown credentials: NIH grants, MS DreamSpark, University Tickets, etc.

Service Provider Installation
- If not using a CIS-supported application server, application admins can install and configure the Service Provider (SP) themselves
- Typically, Linux SP installations use RPMs; Solaris requires a build from source
- CIS is available to assist, and has already built the SP on known Solaris platforms
- SP configuration templates come from Subversion
- Once configured, notify the Shibboleth administrator of the SP metadata so the IdP can trust it
- Complete details at (link not preserved in this transcript)

Example .htaccess ACLs

    # use Shibboleth to authenticate and authorize access
    AuthType shibboleth
    # Set ShibRequireAll to On to perform an AND operation over the require statements;
    # set ShibRequireAll to Off to perform an OR operation over the require statements
    ShibRequireAll On
    # valid-user is the minimum require statement to restrict access; use it on its own
    # only if authorization is handled within the application
    require valid-user
    # Usually better to limit access at least to active members of the BROWN:COMMUNITY:ALL group
    require Shibboleth-isMemberOf BROWN:COMMUNITY:ALL
    require Shibboleth-brownStatus active
    # examples of course-specific ACLs to add to the "active members of BROWN:COMMUNITY:ALL" ACL above;
    # with ShibRequireAll On, use one of the following lines at a time, since listing several
    # would require membership in every one of those groups
    # allow members of Chem 1060 L01 Fall 2008
    require Shibboleth-isMemberOf COURSE:CHEM:1060:2008-Fall:L01:All
    # allow members of Chem 1060 Fall 2008, all sections and labs
    require Shibboleth-isMemberOf ~ COURSE:CHEM:1060:2008-Fall:.+:All
    # allow students of Chem 1060 Fall 2008, all sections and labs
    require Shibboleth-isMemberOf ~ COURSE:CHEM:1060:2008-Fall:.+:Student
    # allow instructors of Chem 1060 Fall 2008, all sections and labs
    require Shibboleth-isMemberOf ~ COURSE:CHEM:1060:2008-Fall:.+:Instructor
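How the require lines on this slide are evaluated, as an added Python example that is neither the Shibboleth SP's code nor from the slides. It parses the ACL text from the slide, applies ShibRequireAll On (AND) or Off (OR), matches exact values and `~` regular expressions against multi-valued attributes joined with semicolons, which is how the SP exposes them to the application, and shows the misconfiguration a reviewer should look for: with ShibRequireAll Off, a `require valid-user` line by itself admits every authenticated user, Brown or not. The session records are constructed, and treating the `~` pattern as an unanchored regular-expression search is an assumption of this example.

```python
import re

# ACL text from the slide (comments dropped), embedded so the example runs offline.
BASE_ACL = """\
AuthType shibboleth
ShibRequireAll On
require valid-user
require Shibboleth-isMemberOf BROWN:COMMUNITY:ALL
require Shibboleth-brownStatus active
"""
STUDENTS_ONLY = BASE_ACL + "require Shibboleth-isMemberOf ~ COURSE:CHEM:1060:2008-Fall:.+:Student\n"

# OR semantics: either role is enough.
STUDENTS_OR_INSTRUCTORS = (
    "ShibRequireAll Off\n"
    "require Shibboleth-isMemberOf ~ COURSE:CHEM:1060:2008-Fall:.+:Student\n"
    "require Shibboleth-isMemberOf ~ COURSE:CHEM:1060:2008-Fall:.+:Instructor\n"
)

# Misconfiguration to watch for: with Off, valid-user alone satisfies everyone.
OR_WITH_VALID_USER = "ShibRequireAll Off\nrequire valid-user\nrequire Shibboleth-brownStatus active\n"

# Constructed sessions, shaped like the environment the SP hands to the application:
# a multi-valued attribute arrives as one string with the values joined by ';'.
STUDENT = {"REMOTE_USER": "jdoe", "brownStatus": "active",
           "isMemberOf": "BROWN:COMMUNITY:ALL;COURSE:CHEM:1060:2008-Fall:L01:Student"}
INSTRUCTOR = {"REMOTE_USER": "aprof", "brownStatus": "active",
              "isMemberOf": "BROWN:COMMUNITY:ALL;COURSE:CHEM:1060:2008-Fall:L02:Instructor"}
ALUM = {"REMOTE_USER": "rroe", "brownStatus": "inactive",      # memberships linger, status does not
        "isMemberOf": "BROWN:COMMUNITY:ALL;COURSE:CHEM:1060:2008-Fall:L01:Student"}
GUEST = {"REMOTE_USER": "guest@other.example", "isMemberOf": ""}  # federated user, no Brown groups


def parse_acl(text):
    """Return (require_all, rules); a rule is (kind, attribute, wanted_values)."""
    require_all = False          # ShibRequireAll defaults to Off in the SP
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "shibrequireall":
            require_all = parts[1].lower() == "on"
        elif directive == "require":
            if parts[1] == "valid-user":
                rules.append(("valid-user", None, []))
                continue
            attr = parts[1]
            if attr.startswith("Shibboleth-"):
                attr = attr[len("Shibboleth-"):]
            if len(parts) > 2 and parts[2] == "~":
                rules.append(("regex", attr, parts[3:]))
            else:
                rules.append(("exact", attr, parts[2:]))   # several values: any one matches
        # AuthType and other directives are not access rules
    return require_all, rules


def attribute_values(session, attr):
    """Split a multi-valued attribute; the SP escapes a literal ';' inside a value as '\\;'."""
    raw = session.get(attr, "")
    return [v.replace("\\;", ";") for v in re.split(r"(?<!\\);", raw) if v]


def rule_matches(rule, session):
    kind, attr, wanted = rule
    if kind == "valid-user":
        return bool(session.get("REMOTE_USER"))   # any established session counts
    values = attribute_values(session, attr)
    if kind == "exact":
        return any(v in wanted for v in values)
    # '~': unanchored search is assumed here; write ^ and $ in the ACL
    # when the whole group name must match
    return any(re.search(pattern, v) for pattern in wanted for v in values)


def access_granted(acl_text, session):
    require_all, rules = parse_acl(acl_text)
    if not rules:
        return False                               # no require line at all: deny
    results = [rule_matches(rule, session) for rule in rules]
    return all(results) if require_all else any(results)


if __name__ == "__main__":
    for name, session in (("student", STUDENT), ("instructor", INSTRUCTOR),
                          ("alum", ALUM), ("guest", GUEST)):
        print(name, access_granted(STUDENTS_ONLY, session),
              access_granted(STUDENTS_OR_INSTRUCTORS, session),
              access_granted(OR_WITH_VALID_USER, session))
```

The last column of the printout is the one to notice during a configuration review: under ShibRequireAll Off, the guest and the inactive alum both get in, because `require valid-user` is satisfied by any session and the `brownStatus active` line no longer constrains anything.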

Additional Information
- Brown's Shibboleth project wiki:
  – Project schedule
  – Technical documentation for IdP and SP owners and administrators
  – Full attribute release policies and procedures for exception requests
  – Links to background information on Shibboleth
- Internet2's Shibboleth wiki:
  – Background information on Shibboleth
  – Lists of Shibboleth-enabled software and services
  – Links to the Shibboleth user list and other support options
- InCommon federation website:
  – Lists of participating institutions and vendors
- Protect Network website:
  – Information about obtaining InCommon-compatible credentials from Protect Network