Infrastructure for Multi-Professional Education and Training Using Shibboleth.


Shibboleth Demo Overview

The setting: a user of 'University A' (IDP) wants to access a Shibboleth-protected resource 'Test Resource 1' hosted on ' (SP).

WAYF – Where Are You From?
IDP – Identity Provider
SP – Service Provider

Shibboleth Demo Summary

Phase 1: User connects to Resource and is Redirected
Phase 2: IDP Selection
Phase 3: User Authentication at Corresponding Home Organization
Phase 4: Access to Resource Granted

Transaction Summary

Notes

Phase 1 - User connects to Resource and is Redirected

When the user tries to access the resource, one of two things can happen.

A. The user is granted access to the resource directly: since the user already had a valid Shibboleth session, the user was granted access directly. This is the case if the user previously authenticated.

B. The user is redirected to the WAYF server: when the user tried to access the resource, the web server on that host detected that the user had not set up a Shibboleth session. Therefore, the user was redirected to the WAYF server.

Phase 1 - User connects to Resource and is Redirected cont'd

Step 1: When the user tried to access the 'resource', the user's web browser sent an HTTP request to 'shibboleth.dmu.ac.uk' for the web page '/test_resource/resource1.jsp'.

Step 2: The web server answered with an HTTP Redirect to the WAYF server located at 'shibboleth.dmu.ac.uk/shibboleth-wayf/WAYF' because the user was not yet Shibboleth authenticated.

Phase 2 - IDP Selection

Step 3: The WAYF server sent the user's web browser an HTML web page with a pop-up list of all available IDPs.

Phase 3 - User Authentication at Corresponding Home Organization

Step 4: The user's web browser sent the form data to the WAYF server 'shibboleth.dmu.ac.uk/shibboleth-wayf/WAYF' for the web page '/test_resource/resource1.jsp'. The data sent is essentially the IDP you selected.

Step 5: The WAYF server sent your web browser an HTTP Redirect that made it send an HTTP Request for the Tomcat form login page of your IDP.

Step 6: If 'Desktop IDP' ('idp.shibboleth.dmu.ac.uk') was selected as your IDP, its web server answers with its Tomcat form login web page.

Phase 4 - Access to Resource Granted

Step 7: When you clicked on 'Log in', your web browser submitted your user ID and password (your 'credentials') to the web server of your IDP ('idp.shibboleth.dmu.ac.uk').

Step 8: The web server checks the validity of the user ID and password provided. An HTTP Redirect is sent to your web browser that forwards you to the resource you initially requested. Together with this redirect, your web browser receives a handle (some opaque data). The web browser forwards this handle to the web server of the resource.

Phase 4 - Access to Resource Granted cont'd

Step 9: When the web server of the resource receives a handle from a user, it directly sends an attribute request to the user's IDP, passing along the handle it just received.

Step 10: At the Home Organization, the handle received from the resource is checked. To be valid, it must be presented by the resource it was issued for in step 8 and in time, i.e. before its timeout is reached. If valid, the requested attributes for the user referred to by the handle are transmitted to the resource and checked against the attribute constraints placed on the resource. If the attributes satisfy the constraints, the target resource is shown; otherwise an error page is shown stating that the user is not authorised.
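The handle exchange of steps 8 to 10 as a small runnable model, added here as an illustration and not code from the presentation or from Shibboleth itself. The class names, HANDLE_TTL, the sample user and the attribute requirements are constructed assumptions; it also goes one step beyond the slides by consuming each handle on first use.

```python
# Toy model of the handle exchange in steps 8-10 (constructed illustration,
# not the presentation's code or Shibboleth's). Class names, HANDLE_TTL and
# the sample users and attribute requirements are assumptions.
import secrets
import time

HANDLE_TTL = 60  # seconds a handle stays valid (assumed value)


class IdentityProvider:
    """Issues opaque handles (step 8) and answers attribute requests (step 10)."""

    def __init__(self, users):
        self.users = users    # user id -> attribute dict (constructed data)
        self.handles = {}     # handle -> (user id, resource issued for, expiry)

    def issue_handle(self, user_id, resource, now=None):
        # The handle itself carries no user data; it only indexes this table.
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(16)
        self.handles[handle] = (user_id, resource, now + HANDLE_TTL)
        return handle

    def attribute_request(self, handle, requesting_resource, now=None):
        # Step 10 checks: presented by the resource it was issued for, before
        # its timeout, and only once (the handle is consumed on first use).
        now = time.time() if now is None else now
        entry = self.handles.pop(handle, None)
        if entry is None:
            return None                       # unknown or already used handle
        user_id, issued_for, expiry = entry
        if issued_for != requesting_resource or now > expiry:
            return None                       # wrong presenter or expired
        return dict(self.users[user_id])


class Resource:
    """The SP side: step 9 attribute request, then the access decision."""

    def __init__(self, name, required):
        self.name = name
        self.required = required   # attribute -> set of acceptable values

    def access(self, idp, handle, now=None):
        attrs = idp.attribute_request(handle, self.name, now)
        if attrs is None:
            return "error: handle rejected by IDP"
        ok = all(attrs.get(k) in v for k, v in self.required.items())
        return "resource shown" if ok else "error: user not authorised"
```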