Shibboleth: Installation and Deployment. Scott Cantor, July 29, 2002.

2. Installation: Packaging
- Alpha 1 and 2 are binary distributions.
- Source was made public in late July; Alpha 2.5 will probably be binary with source.
- Beta 1 should support "./configure; make; make install" on autoconf platforms and Visual Studio on Windows.
- Even with better packaging, manual installation of servlets and Apache modules will be needed.

3. Installation: General
- Platforms: Solaris 2.x and Linux.
- Current basic requirements: Apache, mod_ssl, OpenSSL 0.9.6, Sun JDK 1.3.1, Jakarta Tomcat.
- Binaries are distributed as a tarball:
    $ cd /usr/local
    $ tar xvfz shib_alpha2_linux_rh72.tar.gz
- Deploy Guide:

4. Installation: General
Both origins and targets need:
- An SSL-enabled Apache server, equipped with a certificate signed by a club-approved CA.
- The Jakarta Tomcat servlet engine with the AJP 1.3 connector (mod_jk).
- All the servlets are packaged together in a single deployment archive (shibboleth.war) that can be copied into tomcat/webapps, auto-expanded, and configured.

5. Installation: Origin Site
Install additional supporting components:
- User handles can be stored in-memory or in MySQL.
- User attributes can be accessed in LDAP, or a restricted set (EPPN and affiliation=member) can be "echoed" by the AA.
- Back-end interfaces will be refined over time to simplify pluggable implementations, and to use standard Java APIs like JNDI when possible.

6. Deployment: Origin Site
- Choose a name for your site, probably your best-known top-level domain.
- This name will be part of your club application and is configured into the HS and AA servlets (web.xml).
- Special note: Alpha-2 targets will reject attributes like EPPN if the "scope" doesn't match the site name. This will be more flexible later.

7. Deployment: Origin Site PKI Requirements
- The web server's SSL certificate will protect both the HS and AA servlets.
- The AA servlet path is configured to support client certificate authentication:
    SSLVerifyClient optional
    SSLOptions +ExportCertData
- The allowable client CAs are specified:
    SSLCACertificateFile /usr/local/shib/etc/ca-bundle.crt
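The following is an added example, not taken from the slides or from the Shibboleth distribution, of how the origin-side requirements from the last two slides fit together in one Apache 1.3 + mod_ssl virtual host: the club-signed server certificate, the mod_jk mount that hands shibboleth.war to Tomcat over AJP 1.3, and the client-certificate settings on the AA path. The hostname, file paths, the /shibboleth/AA servlet path and the "ajp13" worker name are assumptions; only the three SSL directives the slide lists are taken from the page. Note that SSLCACertificateFile is only valid at server or virtual-host level in mod_ssl, so it sits outside the Location block even though it governs the client certificates accepted there.

```apache
# Added example (not from the slides): Apache 1.3 + mod_ssl virtual host
# for a Shibboleth origin site. Hostname, paths and worker name are assumed.
<VirtualHost _default_:443>
    # Assumed hostname; it must match the CN of the server certificate.
    ServerName hs.example.edu
    SSLEngine on

    # Server certificate and key signed by a club-approved CA (assumed paths).
    SSLCertificateFile    /usr/local/shib/etc/server.crt
    SSLCertificateKeyFile /usr/local/shib/etc/server.key

    # CA bundle used to validate client certificates presented to the AA.
    # mod_ssl only accepts this directive at server/vhost scope.
    SSLCACertificateFile  /usr/local/shib/etc/ca-bundle.crt

    # Pass every request under /shibboleth/ to Tomcat over AJP 1.3.
    # "ajp13" is the worker name assumed to be defined in workers.properties.
    JkMount /shibboleth/* ajp13

    # The AA servlet path (assumed): request a client certificate from the
    # target's SHAR and export the certificate data so the servlet can see it.
    # "optional" lets the servlet decide what to do with unauthenticated
    # callers; raise it to "require" to reject them at the web server.
    <Location /shibboleth/AA>
        SSLRequireSSL
        SSLVerifyClient optional
        SSLVerifyDepth 2
        SSLOptions +ExportCertData +StdEnvVars
    </Location>
</VirtualHost>
```

With +ExportCertData the PEM-encoded client certificate reaches the servlet as SSL_CLIENT_CERT, and +StdEnvVars adds the SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY variables, which is what lets the AA tell a verified SHAR from an anonymous caller.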

8. Deployment: Origin Site PKI Requirements
- The HS servlet must digitally sign its messages using a key and certificate valid for digital signature creation, signed by a club-approved CA.
- Alpha-2 uses a Java keystore, which allows self-generation of a key and certificate request with the keytool command (see deploy guide).
- The hostname of your HS is the first field in the certificate request.
- Using the SSL server key is possible, but requires some custom Java code to import/export a private key.

9. Deployment: Origin Site Club Application
- Target sites are given a "registry" of trusted origin sites to protect them from rogue users.
- Once names are chosen, provide the following in an e-mail (address in deploy guide):
    - Site name
    - Complete Handle Service servlet URL
    - The HS hostname (went into the certificate CN)
    - Aliases/shorthand for your institution (used by the WAYF)

10. Shibbolization Cookbook for Origin Sites
- Apply to the club as an origin site: currently an e-mail message with basic site information.
- Choose any web server that can host Java Servlet and JSP applications via Tomcat.
- Deploy an HS behind your web initial sign-on:
    - requires a club-trusted certificate usable for signing
    - the web server must also use SSL if it handles passwords
    - can store handles in-memory or in MySQL
    - the beta version should use a "handle in cookie" design

11. Shibbolization Cookbook for Origin Sites
- Deploy an AA in conjunction with the HS: supports two attribute "contexts", LDAP and Echo.
- Install AA plugins for attributes (Java API): preconfigured with classes for eduPerson attributes.
- Establish default ARPs for the community:
    - alpha-2 comes preconfigured to release everything and hides the ARP tools
    - alpha-2.5 is expected to begin exposing the ARP interface
    - early GUI development is beginning

12. Shibbolization Cookbook for Destination Sites
- Choose any web server (as long as it's Apache 1.3.x, but others to follow).
- Equip it with the SHIRE and SHAR modules:
    - the SHIRE is a Java servlet for the time being, so Tomcat is required
    - the SHAR and RM are combined into mod_shib
- Install SHAR plugins for attributes (C++ API): mod_eduPerson is provided.

13. RM and Application Integration
- mod_shib currently provides flexible .htaccess processing.
- Attributes can be mapped to Require rules and to HTTP headers, including REMOTE_USER.
- Existing basic-auth sites can be "hijacked" to use Shibboleth.
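The following is an added example, not from the slides or from mod_shib's own documentation, of the .htaccess-driven access control described on this slide for a directory of static content on a target site. The `AuthType shibboleth` directive and the `require affiliation ...` form are assumptions about mod_shib's directive syntax; `require valid-user` and the `Files` container are standard Apache. The origin site name example.edu and the attribute value are constructed.

```apache
# Added example (not from the slides): .htaccess for a mod_shib-protected
# directory on a target site. mod_shib directive names are assumed.
AuthType shibboleth

# Default rule for everything in this directory: any user with a valid
# Shibboleth session (a resolved handle) may read it. REMOTE_USER is set
# from the mapped attribute, so existing basic-auth code keeps working.
require valid-user

# Tighter rule for one file: only users whose affiliation attribute was
# asserted as "member" by the origin site example.edu (constructed name).
# The @scope suffix matters: an alpha-2 target rejects scoped attributes
# whose scope does not match the registered origin site name.
<Files "members-only.html">
    require affiliation member@example.edu
</Files>
```

The useful check when adopting this on a real target is to confirm that a request carrying no Shibboleth session is redirected to the WAYF rather than served, and that a forged affiliation header sent directly by the client is discarded because mod_shib overwrites the mapped headers from the SHAR's attribute cache rather than trusting what the browser supplied.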

14. Existing Applications (from most to least integrated)
- Shibbolize the application and unify intra-campus and inter-campus users.
- Add a second URL tree for inter-campus users.
- Use a Shibbolized proxy server.
(The latter two might also require code changes or attribute mapping. This is all much simpler for static content.)