Shibboleth Working Group, Fall 2010
Scott Cantor, OSU
Chad LaJoie, Itumi, LLC

Roadmap

- Committed Work
  - Necessary/expected ongoing functions
  - Funded/staffed projects
- Planned Work
  - Accepted for prioritization but uncommitted
- Under Discussion
- Rejected/Parked Work
  - Lacking in some regard
  - Subject to re-evaluation when circumstances change

Committed
- Project overhead
- User support
- Supported release maintenance
- SP 2.4
- "Embedded" Discovery Service
- Metadata Aggregator

Planned
- Expanded introductory documentation
- V3 IdP / OpenSAML-J V2
- Discovery Service V3
- TestShib
- Back-channel Single Logout for the IdP
- Second-factor authentication via SMS
- SP delegation enhancement (deferred from 2.4)

Service Provider

Service Provider V2.4
- Release Candidate now available
- Minor feature update / bug fix rollup
- Backward compatible per usual
- Simplified configuration/defaults
- Metadata- and discovery-related enhancements
- Security changes
- Logging/monitoring changes

Configuration
- "Radical" defaulting of rarely-changed settings
- Reduction of order strictness
- Factored security policy rules into a separate file
- Consistent message regarding Apache configuration via Apache commands
- Shorthand syntax for configuring "most" SSO/Logout needs (260+ lines reduced to 120 lines)

Metadata
- Background reloading of configuration / metadata resources
- Caching (incl. across restarts) and compression
- Delays backup overwrite until filtering completes
- Rational cacheDuration handling
- Support for extension drafts

Discovery
- Supporting role: provide a "usable" view of IdP information extracted from metadata to the discovery component
- Supplies JSON data from each metadata source
- Name/description/logo derived from metadata extension
- New handler aggregates and serves JSON to the client
- Discovery scripts may or may not be in the 2.4 release (probably not)

Security
- Update/bug fix release of xml-security library
- Whitelisting/blacklisting of crypto algorithms at "application" level
- Conditional support for ECDSA signatures
- Dynamic selection of algorithms based on metadata extension

Logging / Monitoring
- New default logging configuration:
  - Mirrors WARN and higher to a warning log to highlight problems
  - Dedicated debugging log for signature issues
- Status handler includes local system time and OS-derived platform data

Discovery Service

DS: Embedded
- Make discovery easier for SPs to deploy
- Consumes data from SP 2.4
- Added to a page by: adding a …, adding two …
- Beta release in November

DS: Centralized
- Use embedded DS as primary UI
- Better APIs for filtering and sorting
- Configuration more aligned with IdP
- Distributed with configured container

Identity Provider

- Profile handlers to accommodate more in-flow extensions (e.g. terms of use, attribute consent, holder-of-key support)
- Rework authentication APIs
  - Better support for non-browser clients
  - Support for SPNEGO, OTP

Identity Provider
- Reduced configuration files
- Support for HA-Shib-like clustering:
  - Reduced configuration
  - No process to manage and monitor
  - Provides a clustered data store

SPNEGO

What is SPNEGO?
- Log in to Kerberos/Windows domain
- No need to log in to websites

Why is it hard?

- 403 error page if SPNEGO is not configured or the user is not logged in to the domain
- No way to query the browser to determine if SPNEGO is configured
- Nothing a user can do once they get a 403

How do we fix it?
- Provide users a choice to log in with SPNEGO
- Provide a link to a separate app that:
  - checks if a browser is configured
  - provides browser-specific config guides
  - sets a permanent cookie if the user/browser can't support SPNEGO
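The probe-and-cookie approach on this slide, as an added example that is not Shibboleth project code: a Python model of the helper app's probe endpoint and of the IdP-side choice it feeds. The cookie name and attributes, the sample tokens and the header handling are assumptions; the point it adds is that a browser answering the Negotiate challenge with NTLM has no usable Kerberos ticket and should be treated as unsupported rather than configured.

```python
import base64
import binascii

OPT_OUT_COOKIE = "spnego_unsupported"     # constructed cookie name (assumption)
COOKIE_ATTRS = "Max-Age=31536000; Path=/; Secure; HttpOnly; SameSite=Lax"
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                  # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"        # 1.2.840.113554.1.2.2

# Constructed sample headers: the start of a GSS-API InitialContextToken wrapping
# SPNEGO, and the NTLMSSP signature a browser sends when it falls back to NTLM
# instead of presenting a Kerberos ticket.
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    b"\x60\x0c" + SPNEGO_OID + b"\xa0\x02\x30\x00").decode()
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2").decode()


def classify_negotiate(authorization):
    """Return 'spnego', 'ntlm' or 'none' for an Authorization header value."""
    if not authorization or not authorization.startswith("Negotiate "):
        return "none"
    try:
        raw = base64.b64decode(authorization[len("Negotiate "):], validate=True)
    except (binascii.Error, ValueError):
        return "none"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    # 0x60 tag, then a 1- or 3-byte length, then the mechanism OID
    if raw[:1] == b"\x60" and (SPNEGO_OID in raw[:12] or KRB5_OID in raw[:15]):
        return "spnego"
    return "none"


def handle_probe(headers, cookies):
    """Probe endpoint of the helper app: (status, response headers, verdict)."""
    if cookies.get(OPT_OUT_COOKIE) == "1":
        return 200, {}, "skip"           # browser already marked; offer the password form
    kind = classify_negotiate(headers.get("Authorization"))
    if kind == "none":
        # First request: challenge. A page-side timer that never sees a token
        # reply should set the same opt-out cookie (client part not modelled).
        return 401, {"WWW-Authenticate": "Negotiate"}, "challenge"
    if kind == "ntlm":
        # NTLM means no usable Kerberos ticket; remember that for a year.
        return 200, {"Set-Cookie": f"{OPT_OUT_COOKIE}=1; {COOKIE_ATTRS}"}, "unsupported"
    return 200, {}, "supported"


def offer_spnego_login(cookies):
    """IdP-side choice: show the SPNEGO option unless the browser opted out."""
    return cookies.get(OPT_OUT_COOKIE) != "1"
```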

One Time Password

Why?
- Certain use cases want multi-factor authn
- User certs and time-sync tokens are hard and expensive to roll out

How?
1. User logs in
2. SMS with one-time code sent
3. User enters it in the IdP
Google recently deployed a similar scheme

Technical Details
- Requires two login screens, as the user has to be identified (by the first factor) in order to know to whom to send the SMS
- Sites deploying will need to provide a way for users to opt in to such a method
- Might need to send a few tokens to users ahead of time in case they don't have cell access
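The two-screen flow and the points above, as an added example that is not taken from the IdP code base: a Python server-side model of the SMS second factor with explicit opt-in, a short code lifetime, a failure lockout, and the pre-issued single-use backup tokens for users without cell access. The SMS gateway callable, the code lengths, the hashing key and the limits are assumptions.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # constructed per-process key for hashing codes at rest
OTP_TTL_SECONDS = 300                  # lifetime of a live SMS code
MAX_FAILURES = 5                       # consecutive failures before the second factor locks
BACKUP_CODE_COUNT = 5                  # tokens issued ahead of time for users without cell access

class SmsSecondFactor:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone, text): assumed SMS gateway hook
        self.clock = clock
        self.phones = {}           # user -> phone number, filled only by explicit opt-in
        self.pending = {}          # user -> (hash of live SMS code, expiry time)
        self.backup = {}           # user -> set of hashes of unused backup codes
        self.failures = {}         # user -> consecutive failed verifications

    def _hash(self, user, code):
        return hmac.new(SERVER_KEY, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def opt_in(self, user, phone):   # enrol; returned backup codes are shown once, kept offline
        self.phones[user] = phone
        codes = [f"{secrets.randbelow(10**8):08d}" for _ in range(BACKUP_CODE_COUNT)]
        self.backup[user] = {self._hash(user, c) for c in codes}
        return codes

    def start(self, user):   # screen 1 done: the first factor named the user, so we know whom to text
        phone = self.phones.get(user)
        if phone is None or self.failures.get(user, 0) >= MAX_FAILURES:
            return False               # not opted in, or locked out
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (self._hash(user, code), self.clock() + OTP_TTL_SECONDS)
        self.send_sms(phone, f"Your login code is {code}")
        return True

    def verify(self, user, code):   # screen 2: unexpired SMS code or one unused backup code
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return False
        digest = self._hash(user, code)
        entry = self.pending.get(user)
        live_ok = bool(entry) and self.clock() <= entry[1] and hmac.compare_digest(entry[0], digest)
        backup_hit = next((s for s in self.backup.get(user, ()) if hmac.compare_digest(s, digest)), None)
        if not live_ok and backup_hit is None:
            self.failures[user] = self.failures.get(user, 0) + 1
            return False
        if live_ok:
            del self.pending[user]                 # live code is consumed on success
        else:
            self.backup[user].discard(backup_hit)  # each backup token is single use
        self.failures[user] = 0
        return True
```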