Authentication. 2 © 2010 SWITCH Terms: Authentication Mechanism A concrete mechanism used to authenticate a user. Shibboleth 2 currently supports REMOTE_USER,

Slides:

Advertisements

Similar presentations

Suchin Rengan Principal Technical Architect Salesforce.com

Advertisements

Shibboleth 2.0 and Beyond Chad La Joie Georgetown University Internet2.

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

Sicurezza II, A.A. 2011/2012 SAML Speaker: André Panisson, PhD student Università degli Studi di Torino, Computer Science Department Corso Svizzera, 185.

©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane

IdP Basics & Installation. © 2010 SWITCH 2 Current Environment Network Java Tomcat LDAP –Create apacheDS run directory mkdir /var/run/apacheds/default.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Attacking Session Management Juliette Lessing

Semester 4 - Chapter 4 – PPP WAN connections are controlled by protocols In a LAN environment, in order to move data between any two nodes or routers two.

Infrastructure for Multi-Professional Education and Training Using Shibboleth.

IIS Configuration © N. Ganesan, Ph.D.. Renaming the Default Web.

Blackboard Building Blocks Authentication Overview Tuesday, June 30, 2015 Tom Joyce, Product Manager, Platform Architecture & Database.

Development and Implementation of Multifactor Authentication Motonori Nakamura at National Institute of Informatics and Takuya Matsuhira at Kanazawa University,

APACHE SERVER By Innovationframes.com »

03/07/08 © 2008 DSR and LDAP Authentication Avocent Technical Support.

Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.

Belnet R&E Federation Workshop Shibboleth IdP Deployment Belnet – Mario Vandaele Brussels – 15 March 2012.

Attribute Resolution. 2 © 2010 SWITCH Terms: Attribute A piece of information about a user. Each attribute has a unique ID and has zero of more values.

IT und TK Training Check Point Authentication Methods A short comparison.

Shibboleth IdP Training: Productionalization January, 2009.

WaveMaker Visual AJAX Studio 4.0 Training Authentication.

Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in.

Copyright 2000 eMation SECURITY - Controlling Data Access with

Integrating with UCSF’s Shibboleth system

SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.

SE-2840 Dr. Mark L. Hornick1 Web Application Security.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Otomo End User SSO - TOI March 2014 Otomo 10.5 – End User SSO Support.

1 Maryland ColdFusion User Group Session Management December 2001 Michael Schuler

SE-2840 Dr. Mark L. Hornick1 Web Application Security.

Shibboleth 2.0 IdP Training: Authentication January, 2009.

CAS Lightning Talk Jasig-Sakai 2012 Tuesday June 12th 2012 Atlanta, GA Andrew Petro - Unicon, Inc.

Session Objectives How to Debug PTF test case/Script Session-6 DebuggingSlide 2.

Portal-based Access to Advanced Security Infrastructures John Watt UK e-Science All Hands Meeting September 11 th 2008.

EduGain Federation – Web SSO

© 2006 Cisco Systems, Inc. All rights reserved.1 Connection 7.0 Serviceability Reports Todd Blaisdell.

1 Internet Network Services. 2 Module - Internet Network Services ♦ Overview This module focuses on configuring and customizing the servers on the network.

Technical Topics for Deployed Campuses: Web SSO Will Norris University of Southern California.

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Michael Tinker September 16, 2004

Kuali Identity Management: Introduction and Implementation Options Jasig - Spring 2010 Wednesday, March 10, :30 am.

Is Federation Putting you at Risk? Presenter: Dan Dagnall – Chief Operating Officer, Fischer International Identity, LLC.

LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►

F5 APM & Security Assertion Markup Language ‘sam-el’

Unlocking the Secrets of Alfresco Authentication Mehdi BELMEKKI, Consultancy Team Alfresco.

The Umbrella Project Authentication The minimum user information possible is stored centrally to avoid Data Protection issues. The Authentication is done.

Office of Information Technology GT Identity and Access Management JA-SIG CAS project (introducing login.gatech.edu) April 29th,

The FederID project The First Identity Management and Federation Free Software.

The LemonLDAP::NG project

IT Services Shibboleth Single Sign-On overview. Overview What/where/why? The UK-Federation/Registration Terminology Configuration Protecting Content Benefits.

Presented by [Harshit Agrawal] 04/03/2017

Chapter Overview Understanding Windows Name Resolution Using WINS.

Ask the Experts – Building Login-Based Sites in AEM

User Portal Error Messages

Apache web server Quick overview.

Single Sign-On Led by Terrice McClain, Jen Paulin, & Leighton Wingerd

Authentication Interact Cloud.

Analyn Policarpio Andrew Jazon Gupaal

Federation made simple

Prime Service Catalog 12.0 Integration Best Practices – LDAP and SAML Settings.

CONTENT MANAGEMENT SYSTEM CSIR-NISCAIR, New Delhi

Welcome to the 20th Anniversary of the IUG

Shibboleth SP Update Spring 2012 Scott Cantor

SSSD and OpenSSH Integration

Shibboleth Implementation in EZproxy

CS320 Web and Internet Programming Cookies and Session Tracking

Mechanisms for Distributed Global Authentication David R Newman.

Access eJournals Form Your Home

Shibboleth and uApprove at University of Michigan

APACHE WEB SERVER.

PCP Super User.

Presentation transcript:

Authentication

2 © 2010 SWITCH Terms: Authentication Mechanism A concrete mechanism used to authenticate a user. Shibboleth 2 currently supports REMOTE_USER, user/pass against LDAP & Kerberos, and IP address based mechanisms.

3 © 2010 SWITCH Terms: Authentication Method An identifier that a relying party may use to stipulate how authentication should be performed. Authentication method identifiers correspond to a prescription of how authentication is done (even if the details are only in someone’s head).

4 © 2010 SWITCH Terms: Login Handler An IdP component that correlates all supported authentication methods with currently configured authentication mechanisms. A login handler may map more than one authentication method to the same authentication mechanism.

5 © 2010 SWITCH Terms: Session State information about the user, currently active authentication methods, and services to which they are signed into. A user’s IdP session is created the first time they authenticate but may outlive the lifetime of all authentication methods.

6 © 2010 SWITCH Authentication: Goals Configure UsernamePassword login handler to authenticate against LDAP.

7 © 2010 SWITCH Login Handler: Configuration Login handlers are configured in handler.xml defines a login handler Every login handler definition has a xsi:type attribute that defines the type of the handler. Each type has its own set of configuration options.

8 © 2010 SWITCH Login Handler: Configuration Each must contain at least one which indicates what authentication method the login handler provides.

9 © 2010 SWITCH Login Handler: UsernamePassword Login handler that prompts for a username/password and validates against a JAAS module (LDAP & Kerberos 5 currently supported) Type attribute value: UsernamePassword Configuration attributes: jaasConfigurationLocation path to the JAAS configuration file

10 © 2010 SWITCH Login Handler: UsernamePassword Edit the login.config 1. Uncomment the LDAP login modules 2. Configure it like this: edu.vt.middleware.ldap.jaas.LdapLoginModule required host=” ” port=“10389” base="ou=people,dc=example,dc=org" userField="uid";

11 © 2010 SWITCH Login Handler: UsernamePassword Edit handler.xml 1. Comment out RemoteUser handler 2. Uncomment UsernamePassword handler Turn on debug logging for the LDAP login module by adding the following logger to logging.xml

12 © 2010 SWITCH LoginHandler: UsernamePassword 1. Restart Tomcat 2. Access 3. Select your IdP from the list 4. Use student1/password as the username/password

13 © 2010 SWITCH LoginHandler: UsernamePassword The login page presented to the user is /opt/installfest/distro/identityprovider/resources/webpages/login.jsp You may define more than one UsernamePassword login handler, with different authentication methods. For example one that work with LDAP and another that works with Kerberos You may define more than one LDAP host so that if one is down another is used.

14 © 2010 SWITCH Login Handler: Authentication Duration Each authentication mechanism supports an activity timeout After this timeout expires the mechanism is considered inactive for that user. If the user attempts to access a new service provider that requires that authentication mechanism they must re-authenticate.

15 © 2010 SWITCH Login Handler: Authentication Duration It is configured by the authenticationDuration attribute on the Its value is the number of minutes of inactivity and its default value is 30.

16 © 2010 SWITCH Forced Authentication SAML 2 allows a service provider to force authentication of the user, even if the user has an existing session. Only works with mechanisms that can re-authenticate a user. RemoteUser does not support forced authentication. The service provider will receive an error if the IdP can not support forced authentication

17 © 2010 SWITCH Authentication Method Selection An SP may provide a list of acceptable methods The IdP then checks to see if any active mechanism provides any of those methods, if so, single sign on occurs Otherwise the IdP picks supported, but not yet active, method and uses that.