Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shibbolizing uPortal and a Path for Delegated Authentication with Shibboleth Tom Barton, Scott Cantor, and Andrew Petro The Ohio State University, University.

Published byHubert Garrison Modified over 8 years ago

Similar presentations

Presentation on theme: "Shibbolizing uPortal and a Path for Delegated Authentication with Shibboleth Tom Barton, Scott Cantor, and Andrew Petro The Ohio State University, University."— Presentation transcript:

1 Shibbolizing uPortal and a Path for Delegated Authentication with Shibboleth Tom Barton, Scott Cantor, and Andrew Petro The Ohio State University, University of Chicago, and Unicon, respectively. Jasig Dallas 03 March 2009 © Copyright the author or authors. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/http://creativecommons.org/licenses/by-nc-sa/3.0/us/

2 2 Agenda 1.Introduction 2.Use Cases 3.Shibbolizing uPortal Today 4.Delegated Shibbolized Authentication... in uPortal 5.… in Shibboleth 6.Conclusion

3 3 Use Cases Shibbolizing uPortal

4 4 Authentication and Single Sign On

5 5 Federated Authentication

6 6 ● The provider of the identity and the provider of the service (uPortal) may not be the same institution ● Users can authenticate using identities from anywhere in federation, to services anywhere in federation, with a healthy policy layer.

7 7 Attribute release ● Just in time release of attributes to the portal at the time of user authentication ● Different from querying directories of attributes – Attributes released only in context of actual user authentication – Attributes may be of a federated identity, attribute information not necessarily available to portal in an institutional directory

8 8 Delegated authentication ● User authenticates to portal ● Portal authenticates to a backing service on behalf of the user ● Data from backing service informs portal WSP http://www.flickr.com/photos/ntr23/730371240 /

9 9 Shibbolizing uPortal Today Authentication Attribute Release

10 10 Authenticating to uPortal with Shibboleth Authentication

11 11 Shibboleth for Authentication ● Shibboleth provides a Service Provider Apache module for authentication ● uPortal can delegate to container for authentication ● Ta-da!

12 12 Shibboleth SP Authentication HTTP: headers HTTP Headers HTTP headers set by the Shibboleth SP represent the authenticated user identifier (remote user) and user attributes

13 13 Shibbolizing CAS? ● uPortal ships with a CAS server and support for using CAS for login ● CAS can be easily Shibbolized ● Shibbolize uPortal by Shibbolizing CAS? http://www.flickr.com/photos/javaturtle/117152990/

14 14 Releasing Attributes to uPortal with Shibboleth Attributes

15 15 User Attributes in uPortal JDBCLDAP Pluggable API User attributes subsystem

16 16 Shibboleth attribute release HTTP: headers HTTP Headers HTTP headers set by the Shibboleth SP represent the authenticated user identifier (remote user) and user attributes

17 17 User attributes at login ● User attributes in the context of user login ● Not arbitrary queries of directories

18 18 Capturing user attributes from SP HTTP: headers HTTP Headers HTTP headers set by the Shibboleth SP represent the authenticated user identifier (remote user) and user attributes HTTP header capturing filter

19 19 Declare the filter in web.xml HttpHeaderFilter edu.jhu.services.persondir.support.http.HttpHeaderF ilter personDirectoryDaoName httpHeaderAttributeSource HttpHeaderFilter Login

20 20 User attributes from Shibboleth JDBCLDAP DAO bridges to filter User attributes subsystem

21 21 Declare the attribute source

22 22 Canonical way to do this is in flux ● Not very much in flux, but a little in flux ● In Jira: PERSONDIR-37, PERSONDIR-49 ● The (a) DAO for this ships in Persondir 1.5 RC2 ● For now, if you're interested, please ping me. ● apetro@unicon.net

23 23 Delegated Shibbolized Authentication... In uPortal

24 Portal Password Replay Password- Protected Service Channel PW

25 Look Ma, No Password! ● Without a password to replay, how am I going to authenticate my portal to other applications? ?

26 Proxy CAS CAS Web Application Web Browser https listener

27 27 Oh, wait, this is Shibboleth ● Very similar idea. ● Portal presents SAML Assertion to Portlet ● Portlet presents SAML Assertion to IdP ● IdP issues Portlet a new SAML Assertion for purpose of authenticating Portlet to backing Web Service Provider ● Portlet presents Assertion to backing Web Service Provider, authenticating its request to the backing service.

28 28 Delegated authentication WSP IdP

29 29 Getting the SAML to the Portlet ● Solution parallel to that for conveying passwords and CAS Proxy Tickets to portlets ● Custom UserInfoService ● Portlets obtain SAML assertions (like passwords and CAS proxy tickets) via callback for a “magic” user attribute

30 30 SAML to authenticate to a WSP ● Portlet presents SAML to IdP to get more SAML to present to backing WSP ● Wouldn't it be nice if there were a library that automated this? – Abstract away the (re-)authentication part – Present to portlet either simple response from WSP or an API to make further requests – Think adorned Commons HttpClient

31 31 Library Delegated authentication WSP IdP

32 32 Delegated Shibbolized Authentication... In Shibboleth

33 33 Defer to the other slide deck... ● One moment please...

34 34 Concluding remarks

35 35 Where to learn more ● Internet2 Wiki Space: ● https://spaces.internet2.edu/x/TTM ● Tom Barton, Scott Cantor, Andrew Petro, Adam Rybicki, and Tamra Valadez at this conference

36 36 Questions & Answers

Download ppt "Shibbolizing uPortal and a Path for Delegated Authentication with Shibboleth Tom Barton, Scott Cantor, and Andrew Petro The Ohio State University, University."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Enabling UCTrust Access for Your Application Introduction to The UC CSC Conference UC Santa Barbara, July 21-22, 2008.

Enabling UCTrust Access for Your Application Introduction to The UC CSC Conference UC Santa Barbara, July 21-22, 2008.
Central Authentication Service Roadmap JA-SIG Winter 2004.

Central Authentication Service Roadmap JA-SIG Winter 2004.
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
Contrail and Federated Identity Management

Contrail and Federated Identity Management
Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal 1 1 2 2 4 4 3,6 5 5 7 7 8 8 9 9 1010 1010 DNS Hello User Sample (Gateway)

Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal , DNS Hello User Sample (Gateway)
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
UPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June.

UPortal and the Yale Central Authentication Service Drew Mazurek ITS Technology & Planning Yale University JA-SIG Summer Conference ‘04 Denver, CO June.
CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd. The Language Bank of Finland User Authentication and Authorization Service https://aai.csc.fi/

CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd. The Language Bank of Finland User Authentication and Authorization Service
Development and Implementation of Multifactor Authentication Motonori Nakamura at National Institute of Informatics and Takuya Matsuhira at Kanazawa University,

Development and Implementation of Multifactor Authentication Motonori Nakamura at National Institute of Informatics and Takuya Matsuhira at Kanazawa University,
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Widely Distributed Access Management Tom Barton University of Chicago.

Widely Distributed Access Management Tom Barton University of Chicago.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.

Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.

Similar presentations

Ads by Google