
1 Improving Extending the Shibboleth Identity Provider User Experience
Keith Hazelton, University of Wisconsin-Madison
William G. Thompson, Jr., Unicon, Inc.
Dmitriy Kopylenko, Unicon, Inc.
© Copyright Unicon, Inc., 2008. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Internet2 Member Meeting, October 5th 2011

2 Agenda
1. Introduction
2. Approach
3. Solution
4. Next Steps

3 Introduction

4 Shib at UW-Madison
● A couple of years' production experience with the IdP
● UW System: IdPs hosted by UW-Madison for ¾ of the dozen four-year institutions
● UW-Madison, UW Milwaukee, UW Whitewater
  – running their own IdPs
  – current or pending InCommon members
● 2 servers for UW-Madison, 2 more for UW System

5 Shib at UW-Madison
● Nascent “Wisconsin Federation”
  – Not just higher ed
  – The usual evolution: technical federation in place before organizational federation even planned
● 163 Shib SPs across campus
● Shib is now “the SSO service” for all new web apps
  – 500K logins last week
  – 300+ legacy PubCookified apps
● 7.3M logins last week

6 Recently Shibbed Services at UW-Madison
● CILogon.org (access to Grid/CI)
● Ebling Medical Library available to UW-Health and Marshfield Clinic
● Wisconsin Institute for Discovery and US Dept. of Energy collaboration on radioisotope research

7 Things you might want to do in the course of user log-in
● Informative display
  – Terms of Use
  – Acceptable Use Policy
  – Privacy Policy
  – Security Policy
● Accessibility accommodations
● Any special messaging/notification/click-through requirement based on user attributes

8 uApprove as Groundbreaking
● Checking for user consent before releasing identity attributes to a relying party

9 Problem Statement
● Example: Google Apps for Education
  – If your login succeeds you should get your apps, right?
  – What if you get an inscrutable error message from Google instead?
● Is it just an example of a broken Service Provider installation?

10 Goals
● Extensible, customizable login experience that covers:
  – Coarse-grained AuthZ and a UX that helps users
  – ToU/AUP read/write login flows
  – User-controlled attribute release
● Alignment with the SAML2, Shibboleth and InCommon communities

11 Approach
● Engage with the Shib community early and often
  – Alignment with future direction
  – Architecturally sound
● Build for UW, share with the Shib community

12 Roadmap
● Phase I (completed July 2011)
  – Development environment (build/deploy/debug)
  – Architecture analysis
  – Community feedback
● Phase II (completed October 2011)
  – Proof-of-concept Spring Web Flow / IdP integration
  – Community feedback
● Phase III (target Jan 2012)
  – Incorporate community feedback
  – Package and document for production release at UW
  – Share with the community

13 Demonstration

14 Solution: IdP2 and SWF, perfect together!

15 Design Goals
● Minimally invasive to the IdP
● Simple but not simplistic
● Easily extended to other login flow use cases
● Easily customized for local needs
● Decoupled from the IdP as much as possible

16 IdP Integration
● Login flow is extended via SWF, outside of and separate from the IdP
● Small and simple filter, inspired by uApprove
● Filter determines the overall flow state and hands off to SWF when appropriate
● Filter provides access to user attributes and service metadata in SWF
● Can be selectively applied to profile endpoints via web.xml

20 Spring Web Flow
● An extension to Spring MVC that allows you to define Controllers using a domain-specific language. This language is designed to model user interactions that require several requests to the server to complete, or that may be invoked from different contexts.
● Used to meet these design goals:
  – Simple but not simplistic
  – Easily extended to other login flow use cases
  – Easily customized for local needs


23 Solution Dependencies
● Tomcat cross-context
  – Forward the request server-side to the SWF post-login flow
  – Shared state to control flow signaling between SWF and the IdP
● emptySessionPath
  – Shares the session cookie between servlet contexts: one JSESSIONID, two session objects. Enables SWF to reuse the IdP session cookie.
● PostLoginFlowFilter and web.xml config
● SWF to suit your needs
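The following is an added illustration of the filter-and-handoff pattern described on the "IdP Integration" and "Solution Dependencies" slides; it is example code written for this transcript, not the PostLoginFlowFilter from the linked repositories. It uses only the Servlet 2.5 API. Everything IdP-specific is behind two hypothetical hooks (AttributeSource, FlowPolicy) that a deployer would back with the IdP's own session and attribute APIs, and it assumes, as the IdP's login handlers do, that the IdP resumes the in-progress profile request from its own session state when control returns to the same profile URL. The context paths and init-param names are assumptions.

```java
// Example only: a post-login filter in the spirit of the talk's PostLoginFlowFilter.
// Not the project's code. Requires crossContext="true" on both Tomcat contexts and
// emptySessionPath="true" on the connector so both webapps see one JSESSIONID.
//
// Hypothetical web.xml fragment for the IdP webapp (FORWARD is needed so the
// filter also sees the flow's server-side forward back to the profile endpoint):
//   <filter-mapping><filter-name>PostLoginFlowFilter</filter-name>
//     <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
//     <dispatcher>REQUEST</dispatcher><dispatcher>FORWARD</dispatcher></filter-mapping>
package edu.example.postlogin; // hypothetical package

import java.io.IOException;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class PostLoginFlowFilter implements Filter {

    /** Hypothetical hook: how the filter sees the IdP's authenticated user. */
    public interface AttributeSource {
        String principal(HttpServletRequest request);      // null if not yet authenticated
        Map<String, String> attributes(HttpServletRequest request);
        String relyingParty(HttpServletRequest request);   // SP entityID
    }

    /** Hypothetical hook: local policy deciding whether the flow must run at all. */
    public interface FlowPolicy {
        boolean flowRequired(String principal, Map<String, String> attrs, String relyingParty);
    }

    // Session flag: the flow has completed for this IdP session.
    static final String DONE_KEY = "postlogin.flow.done";
    // Request attributes handed to the flow on the forward ...
    static final String ATTR_PRINCIPAL = "postlogin.principal";
    static final String ATTR_ATTRIBUTES = "postlogin.attributes";
    static final String ATTR_RELYING_PARTY = "postlogin.relyingParty";
    // ... and the one the flow sets when it forwards back. Only a server-side
    // forward can set a request attribute, so a browser cannot inject it the
    // way it could a query parameter or a cookie.
    static final String ATTR_RESULT = "postlogin.result";

    private ServletContext idpContext;
    private String flowContextPath;   // e.g. "/postlogin" (assumed)
    private String flowEntryPath;     // e.g. "/flow" (assumed)
    private AttributeSource source;
    private FlowPolicy policy;

    public void init(FilterConfig cfg) throws ServletException {
        idpContext = cfg.getServletContext();
        flowContextPath = cfg.getInitParameter("flowContextPath");
        flowEntryPath = cfg.getInitParameter("flowEntryPath");
        try {
            source = (AttributeSource) Class.forName(cfg.getInitParameter("attributeSourceClass")).newInstance();
            policy = (FlowPolicy) Class.forName(cfg.getInitParameter("flowPolicyClass")).newInstance();
        } catch (Exception e) {
            throw new ServletException("cannot instantiate post-login hooks", e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        // 1. The flow forwarded back to us: record completion, let the IdP continue.
        if ("COMPLETE".equals(request.getAttribute(ATTR_RESULT))) {
            session.setAttribute(DONE_KEY, Boolean.TRUE);
            chain.doFilter(req, res);
            return;
        }
        // 2. Already done for this session, or not authenticated yet (the IdP will
        //    send the user to its login handler first): pass through untouched.
        String principal = source.principal(request);
        if (Boolean.TRUE.equals(session.getAttribute(DONE_KEY)) || principal == null) {
            chain.doFilter(req, res);
            return;
        }
        // 3. Authenticated, flow not yet run: ask the local policy.
        Map<String, String> attrs = source.attributes(request);
        String rp = source.relyingParty(request);
        if (!policy.flowRequired(principal, attrs, rp)) {
            session.setAttribute(DONE_KEY, Boolean.TRUE);
            chain.doFilter(req, res);
            return;
        }
        // 4. Hand off server-side to the SWF webapp. getContext() returns null when
        //    crossContext is off; fail closed rather than silently skipping the flow.
        ServletContext flowContext = idpContext.getContext(flowContextPath);
        RequestDispatcher dispatcher =
                flowContext == null ? null : flowContext.getRequestDispatcher(flowEntryPath);
        if (dispatcher == null) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "post-login flow unavailable");
            return;
        }
        request.setAttribute(ATTR_PRINCIPAL, principal);
        request.setAttribute(ATTR_ATTRIBUTES, attrs);
        request.setAttribute(ATTR_RELYING_PARTY, rp);
        dispatcher.forward(request, response);
    }

    public void destroy() { }
}
```

The design point worth noticing is where state lives: the "flow done" marker is kept in the IdP's own HttpSession, and the flow's completion signal travels as a request attribute on a server-side forward, so neither can be set from the browser. Because emptySessionPath gives both contexts the same JSESSIONID but separate session objects, anything the flow needs (principal, attributes, relying party) has to be handed across on the forward rather than read from "the" session. If the flow cannot be reached the filter returns an error instead of releasing attributes, which is the behaviour you want for a consent or ToU gate.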


28 Next Steps
● Give it a whirl...
  – https://github.com/dima767/Shibboleth-IDP-Postlogin-Filter
  – https://github.com/dima767/Shibboleth-IDP-Postlogin-Flow
● Feedback, help, comments, suggestions, ...
● Review, refactor
● Finalize UW post-login flow requirements and implement
● Deploy into production at UW
● Share with the community

29 Questions & Answers
Keith Hazelton, hazelton@doit.wisc.edu, University of Wisconsin-Madison
William G. Thompson, Jr., wgthom@unicon.net, Unicon, Inc.
