ADFS in the U.T. System U.S. Federations Call - May 18, 2011 Paul Caskey System-wide Information Services.

Slides:



Advertisements
Similar presentations
Paul Caskey Technology Architect June 21, 2007 The University of Texas System Federated Identity Management Initiative
Advertisements

Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
Trusted 3 rd Party Authentication & Friends: SSO and IdM NWACC Security Workshop 2013 Portland.
Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal , DNS Hello User Sample (Gateway)
TF-EMC2 | Lyon - France | February 2011 SAML WORK WITH SHAREPOINT, OWA, … Jean Marie THIA.
Eric Raff. Usergroup up
Interfederation subgroup of InCommon Technical Advisory Committee (TAC) spaces.internet2.edu/display/incinterfed.
US E-authentication and the Culture of Compliance RL “Bob” Morgan University of Washington CAMP, June 2005.
Intra-campus Web SSO Management Topics for Deployed Campuses Nathan Dors, Technology Manager University of Washington CAMP Shibboleth June 25-27, 2007.
March 15, 2011 Active Directory Federation Services 2.0 Overview InCommon Service Provider Training.
Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
NIH iTrust Peter Alterman/Debbie Bucci National Institutes of Health October 2010.
(Rev 1/11) UW System Identity and Access Management (IAM) Current Status and Roadmap Tom Jordan, IAM-TAG Chair Ty Letto, IAM Support Team Manager January,
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
Virtual techdays INDIA │ august 2010 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS)
INCOSE.ORG MIGRATION SharePoint 2013 Presented by Betty Morimoto.
Sharepoint Makes daily tasks more efficient and improves internal as well as external collaboration Not just cost savings, but adds business value.
SWITCHaai Team Federated Identity Management.
A case study of Shibboleth deployment within the U.T. System June 26, 2006 Paul Caskey University of Texas System Copyright Paul Caskey 2006 Not Your Father’s.
Australian Access Federation Robert Hazeltine Identity and Access Management Enterprise Systems Office.
BfB: Supporting Collaboration with Infrastructure.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.
Federations 101: The U.T. System Identity Management Federation Internet2 Member Meeting Fall 2006 Paul Caskey.
Chad La Joie Shibboleth’s Future.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.
SharePoint Security Fundamentals Introduction to Claims-based Security Configuring Claims-based Security Development Opportunities.
Social Identity Working Group Steve Carmody. Agenda Intro to Using Social Accounts Status and Recent News –Current UT Pilot –Current InCommon Pilot with.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science.
Portal-based Access to Advanced Security Infrastructures John Watt UK e-Science All Hands Meeting September 11 th 2008.
Edugate Glenn Wearen HEAnet.. Summary 1 year Pilot Project / 2 years in production All IoT’s, Universities, Colleges, but only half of HEAnet’s members.
Federated Authentication at NIH: Trusting External Credentials at Known Levels of Assurance Debbie Bucci and Peter Alterman November, 2009.
Shibboleth What is it and what is it good for? Chad La Joie, Georgetown University.
MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.
The Application and the Ecosystem. Acknowledgments Home and Scott Cantorhttps://spaces.internet2.edu/display/fedapp/
Intra- to Inter-institutional Use of Shibboleth Bruce Vincent, Stanford University June 28, 2006.
The UK Access Management Federation John Chapman Project Adviser – Becta.
Federated Identity in Texas Paul Caskey The University of Texas System HEAnet National Conference Kilkenny, Ireland 13 November 2008.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
DNS DNS changes required to validate domains in Office 365 UPN – User Principal Name Every user must have a UPN UPN suffixes must match a validated.
Brown University Leveraging Social Identities Steve Carmody CSG, May 15, 2013.
Federated Identity Fundamentals Ann Harding, SWITCH Cambridge July 2014.
Introduction to Shibboleth Attribute Delivery for Campuses New to Shibboleth Paul Caskey The University of Texas System.
INTRODUCTION TO IDENTITY FEDERATIONS Heather Flanagan, NSRC.
Leveraging Campus Authentication to Access the TeraGrid Scott Lathrop, Argonne National Lab Tom Barton, U Chicago.
Networks ∙ Services ∙ People Andrea Biancini #TNC15, Porto, Portugal Implementing Grouper to federate user authorization Federated Authorization.
How eduGAIN can help education: a real life story Sabita Behari Product Manager TNC14.
Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.
PRACE user authentication and vetting Vincent RIBAILLIER, 29 th EUGridPMA meeting, Bucharest, September 9 th, 2013.
Web SSO with Cloud Resources using AD Federation Services
SharePoint Authentication and Authorization
Using Your Own Authentication System with ArcGIS Online
Stop Those Prying Eyes Getting to Your Data
LIGO Identity and Access Management
Single Sign-On Led by Terrice McClain, Jen Paulin, & Leighton Wingerd
Analyn Policarpio Andrew Jazon Gupaal
Shibboleth Roadmap
eduTEAMS platform for collaboration Niels Van Dijk
University of Texas System
Géant-TrustBroker Dynamic inter-federation identity management
John O’Keefe Director of Academic Technology & Network Services
GakuNin: Federated Identity Management Activities in Japan
Federated Identity to Support Collaboration in the CIC
Case Study – Novartis, Global Healthcare Company, Switzerland
U.T. System Federated Identity Management Update
Overview of The U.T. System Identity Management Federation
Appropriate Access InCommon Identity Assurance Profiles
TeraGrid Identity Federation Testbed Update I2MM April 25, 2007
Presentation transcript:

ADFS in the U.T. System U.S. Federations Call - May 18, 2011 Paul Caskey System-wide Information Services

ADFS Usage As a Service Provider (Relying Party) Still in development/testing phase In production, will be used in both the UT System Federation, as well as InCommon Sharepoint 2010 Office365 Any future apps which come with ADFS SSO support built-in

Background – SP2007 We operate a large Sharepoint 2007 installation Used by every member of the UT System Federation Used externally by a variety of entities (most of whom use ProtectNetwork to login)  Legal  Facilities Planning We even sell SP sites to other campuses within the UT System Custom form-based authentication with Shibboleth integration Authorization is a bit painful  Multi-step process for user, validation by site owner  No ‘automatic’ authorization (no attribute-based groups) IdP ‘onboarding’ is still a bit painful (especially as we start to interact with IdPs outside of the UT System Federation) Dual sites for same content DB (internal->ActiveDirectory, external->Shibboleth) Overall, a GREAT collaborative tool and our users are VERY happy!

SP ADFS Everything will be “claims-based” thru ADFS (hopefully)  No more dual sites for same content Better onboarding for IdP  anonymous page to describe process and required/desired attributes  'all authenticated users' page to verify asserted attributes Automatic authZ (group membership) based on attributes/claims  eduPersonAffiliation, eduPersonEntitlement The only custom code is an HttpModule which hooks the ‘OnSignedIn’ event in the ADFS module  pushes asserted personal info attributes into the SP User Profile We also customized the ADFS ‘Home Realm Discovery’ to mimic the Shibboleth Discovery Service (for user familiarity)

SP2010 – ADFS (cont) Current Issues/Concerns:  People picker mode –Claims mode resolves anything (even typos) –Site collection mode resolves only existing users –Might need a custom claims provider  Configuring claims-based groups –People Picker must be in Claims mode (but it remembers what you set)  Possibility for “internal things” maybe still relying on NTLM –Exchange integration –OCS, VoIP, or other similar things? Useful URLs  Shibboleth wiki page on ADFS Interop: –  Microsoft document on InCommon ADFS Interop –

UT System Federation Policy Background UT Federation in production operations since 9/2006 All members are contractually bound Some external participants are inter-federated from InCommon Policy docs at  Federation Operational Practices (FOP)  Member Operational Practices (MOP) We established a quasi-LoA2  Never validated by an external authority, but suitable for our needs  Currently re-writing for Silver/FICAM2 Current effort with system-wide research cyberinfrastructure likely to drive need for LoA3 Working to institutionalize (across the UT System) formal IdM auditing (so far, federation LoA assessments have been self-asserted)

Thank You! Contact Information: Paul Caskey

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.