Shibboleth IdP Training: Productionalization January, 2009.

Java Virtual Machine Tuning
- For Sun JVM 5/6
- Server option
- Heap space settings
  - Varies with available memory
  - Min/Max settings
- Garbage collection
  - Multi-CPU core option
  - Disable explicit garbage collection

Protecting your IdP
- Web application listening on ports 443/8443 by default
- General Apache HTTPD & Tomcat hardening will work with Shibboleth

Logging
- SHIB_HOME/logs/idp-process.log
- Default logging configuration splits logs on a daily basis; can be changed based on need
- Can be configured to send notifications on certain message levels, such as ERROR

Redundant Data Sources
- Define connections to redundant data sources
  - Authentication: Login Handler
  - Attribute resolver: Data Connector

Redundant Login Handlers
Define an additional <LoginHandler> element, each pointing at its own JAAS configuration file:

  <LoginHandler xsi:type="UsernamePassword"
      jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login1.config">
    <!-- ... -->
  </LoginHandler>
  <LoginHandler xsi:type="UsernamePassword"
      jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login2.config">
    <!-- ... -->
  </LoginHandler>

Redundant Data Connectors
Use one <resolver:DataConnector> element per directory server:

  <resolver:DataConnector id="ldap1" xsi:type="LDAPDirectory"
      xmlns="urn:mace:shibboleth:2.0:resolver:dc"
      ldapURL="ldap://ldap1.example.org">
    <!-- further attributes and child elements elided -->
  </resolver:DataConnector>
  <resolver:DataConnector id="ldap2" xsi:type="LDAPDirectory"
      xmlns="urn:mace:shibboleth:2.0:resolver:dc"
      ldapURL="ldap://ldap2.example.org">
    <!-- further attributes and child elements elided -->
  </resolver:DataConnector>
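As an added example that is not part of the slides, the two connectors above written out as a complete attribute-resolver.xml fragment for a Shibboleth IdP 2.x and linked with a FailoverDataConnector, so attribute definitions depend only on ldap1 and the resolver falls back to ldap2 when ldap1 fails. Hostnames, DNs, the bind credential and the released attribute are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: attribute-resolver.xml fragment for Shibboleth IdP 2.x.
     Hostnames, DNs and the bind password are placeholders. -->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Primary connector. The FailoverDataConnector child names the connector
       the resolver consults when this one fails (unreachable, timeout, bind error). -->
  <resolver:DataConnector id="ldap1" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://ldap1.example.org"
      baseDN="ou=people,dc=example,dc=org"
      principal="uid=idp,ou=system,dc=example,dc=org"
      principalCredential="PLACEHOLDER-BIND-PASSWORD"
      useStartTLS="true">
    <resolver:FailoverDataConnector ref="ldap2"/>
    <dc:FilterTemplate>
      <![CDATA[ (uid=$requestContext.principalName) ]]>
    </dc:FilterTemplate>
    <dc:ReturnAttributes>uid mail displayName</dc:ReturnAttributes>
  </resolver:DataConnector>

  <!-- Secondary connector: same query, same StartTLS setting, other server.
       Keep the two identical apart from the URL so failover does not change
       which attributes the user ends up with. -->
  <resolver:DataConnector id="ldap2" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://ldap2.example.org"
      baseDN="ou=people,dc=example,dc=org"
      principal="uid=idp,ou=system,dc=example,dc=org"
      principalCredential="PLACEHOLDER-BIND-PASSWORD"
      useStartTLS="true">
    <dc:FilterTemplate>
      <![CDATA[ (uid=$requestContext.principalName) ]]>
    </dc:FilterTemplate>
    <dc:ReturnAttributes>uid mail displayName</dc:ReturnAttributes>
  </resolver:DataConnector>

  <!-- Attribute definitions depend only on ldap1; the failover is transparent to them. -->
  <resolver:AttributeDefinition id="email" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="ldap1"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"/>
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>
```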

Certificates
- Some federations operate their own CA
- End user browsers may not recognize the federation CA
- Use a different certificate for the authentication page

Certificates

Metadata Signature Validation
- Metadata…
  - should be signed by the publisher
  - signatures should be validated
- InCommon does publish signed metadata
- Metadata provider definition

Metadata Signature Validation
- Download the InCommon signing certificate
- Add a metadata trust engine definition
- Add a metadata provider filter
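The trust engine and provider filter from the steps above, as an added relying-party.xml fragment for a Shibboleth IdP 2.x that is not part of the slides. The certificate path, metadata URL and backing-file path are placeholders; the security:, metadata: and samlmd: prefixes are the ones the stock relying-party.xml declares on its root element.

```xml
<!-- Added example: relying-party.xml fragment for Shibboleth IdP 2.x.
     Paths and the URL are placeholders. Prefixes security:, metadata: and samlmd:
     are assumed to be declared on the root element as in the stock file. -->

<!-- 1. Trust engine holding the federation's metadata signing certificate,
        obtained out of band and checked (e.g. by fingerprint) before it is installed.
        StaticExplicitKeySignature accepts only signatures made with this exact key. -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine"
    xsi:type="security:StaticExplicitKeySignature">
  <security:Credential id="FederationSigningCredential" xsi:type="security:X509Filesystem">
    <security:Certificate>/opt/shibboleth-idp/credentials/federation-signing-cert.pem</security:Certificate>
  </security:Credential>
</security:TrustEngine>

<!-- 2. Provider that fetches the feed, keeps a local backing copy for restarts,
        and refuses to load it unless the signature verifies against the trust engine. -->
<metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
  <metadata:MetadataProvider id="FederationMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
      metadataURL="https://metadata.example.org/federation-metadata.xml"
      backingFile="/opt/shibboleth-idp/metadata/federation-metadata.xml">
    <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
      <!-- requireSignedMetadata="true": an unsigned feed is rejected rather than
           silently accepted, so a tampered or downgraded download cannot load. -->
      <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
          trustEngineRef="shibboleth.MetadataTrustEngine"
          requireSignedMetadata="true"/>
      <!-- Keep only SP roles; the IdP has no use for the other roles in the feed. -->
      <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
        <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
      </metadata:MetadataFilter>
    </metadata:MetadataFilter>
  </metadata:MetadataProvider>
</metadata:MetadataProvider>
```

After a restart, a signature failure shows up in idp-process.log as the provider refusing to load the feed, which is the check to run before trusting the deployment.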

High Availability/Clustering
- Clustering is supported, limited documentation
- Different types of clustering solutions
  - Failover
  - Load balancing
- Concerns
  - Session state preservation
  - Different architectures

High Availability/Clustering
- Configuration of Terracotta, an open source clustering solution, is provided
- Load-balancing is sufficient for most deployments

Troubleshooting
- SHIB_HOME/logs/idp-process.log
- Common errors are documented in the wiki
- Time synchronization is important