Slide 1: Shibboleth and InCommon
Copyright Texas A&M University 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Slide 2: Flexible Access Control: Shibboleth and the InCommon Federation
Michael Bolton, Xavier Chapa, Texas A&M University

Slide 3: Why We Are Here
- Recently installed Shibboleth and joined InCommon.
- We would like to share the experience with you and let you know it really works. And it works really well.

Slide 4: Our Initial Goals
- Explore use of Shibboleth
- Gain experience with federations
- Join InCommon
- Support the Texas Digital Library project

Slide 5: Shibboleth Overview
- Shibboleth is federated identity management
- Built on the concept of an Identity Provider and a Service Provider
- Preserves privacy and anonymity

Slide 6: Shibboleth Diagram (figure)

Slide 7: Why We Like Shibboleth
- Built on standards, implementing standards
- Secure connections to Service Providers
- Clear, controlled attribute release, tailored to the application
- Flexible integration with SSO
- Easy to manage
Slide 8: How We Use Shibboleth
- The general case: CAS handles authentication and SSO; Shibboleth handles attribute release

Slide 9: What Is InCommon
- Higher-ed federation of Identity and Service Providers
- Growing number of participants
- Common framework for accessing sites

Slide 10: InCommon (figure)

Slide 11: Why This Approach
- Shibboleth and InCommon are standards in higher education.
- We have a common framework to build in and on.
- Can easily leverage existing work and effort.

Slide 12: Start with a Plan
- What do you want to do?
- What do you need to do it?
- Realize what you are doing
- Integrate with existing infrastructure
- There is a wealth of knowledge out there

Slide 13: Work the Plan
1. Install and test Shibboleth
2. Add a Service Provider
3. Add InCommon
Not intended as a rigid plan, but it adds a little structure to your deployment.

Slide 14: CAS - Shibboleth (figure)

Slide 15: Install Shibboleth IdP
- Started with 1.3
- Deployed on Linux, and not all Linux distributions are the same
- CAS as the SSO solution
- LDAP based
- Use the web for help and support
Slide 16: Test Initial Deployment
- Used a simple application to verify operation of Shibboleth
- Used our applications for debugging
- Made sure Shibboleth was running and that we knew how to use it

Slide 17: Simple ENV Application (figure)

Slide 18: Customize Site
- Update and change pages for your institution
- Read the guide on what needs updating
- Branding is an ongoing project
- You are now an operational Shibboleth site

Slide 19: Join InCommon
- Fill out the contract
- Study the Federation Operating Practices and Procedures
- Complete the Participant Operational Practices
- Work with your Legal and Contracts departments

Slide 20: POP (Participant Operational Practices)
- Participant Information
- Credential Provider Information
- Electronic Identity Credentials
- …

Slide 22: Test Connections
- Build on step one, your local Shibboleth deployment
- Will be added to the InCommon WAYF
- Use the Shibboleth test/reference site

Slide 24: It Worked! (figure)

Slide 25: Staying in InCommon
- Watch the fee schedule
- Remember your password
- Vetted process: know the players
- Keep documentation current (POP, etc.)
Slide 26: Metadata
- Metadata is key for Shibboleth
- Needs to be updated frequently, or better yet, regularly
- Out-of-sync metadata causes a lot of problems

Slide 27: Managing Metadata
- We used virtual hosts for the various federations we plan to join or are joining
- Keep your documentation straight
- Monitor the process; make sure it is running

Slide 28: InCommon Metadata (figure)

Slide 29: Keep up with Sites (figure)

Slide 30: Build a Production System
- Added redundancy for Shibboleth
- Redundant LDAP and Kerberos servers
- Separated testing and production
- Use good certificates

Slide 31: System Diagram (figure)

Slide 32: Our Next Goal
- Make it easy to use WebAssign
- First pass: authenticate existing ids
- Second pass: just add classes to the WebAssign site

Slide 33: Keys to the Project
- Need the data
- Need a schema
- Need to negotiate the attribute release
- Follow a naming convention

Slide 34: Called WebAssign
- Worked with Brian Marks @ WebAssign
- Used certificate information from the InCommon Federation metadata
- Agreed on the format of the elements released

Slide 35: Leverage Existing Data
- Had course data in Oracle, used for SYMPA mailing lists and maintained on a semester basis
- Had the remaining essential data in LDAP, updated nightly

Slide 36: Accessing the Data
- Updated the resolver
- Added a JDBC connector to Shibboleth
- Developed an ARP for WebAssign
- Check your logs

Slide 37: Have a Schema
- Deployed eduPerson
- Deployed eduCourse
- Researched and used appropriate attributes

Slide 38: Update Shibboleth
- Update the resolver.xml file to add your data sources
- Update arp.xml for attribute release
- Names matter
- Restrict access whenever possible

Slide 39: Resolver.XML (figure)

Slide 40: Arp.xml (figure)

Slide 41: AAP.xml (figure)

Slide 42: Attribute Release
- Declared WebAssign a valid academic use of the data
- Watch the use of eduPersonTargetedID
- Need to maintain privacy and protect restricted or confidential data
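As an added example (not the deck's own arp.xml nor Texas A&M's deployment), an attribute release policy in the Shibboleth 1.3 ARP format that applies the points from the "Update Shibboleth" and "Attribute Release" slides: every rule names one requester instead of AnyTarget, and eduPersonTargetedID and the course attribute go only to the WebAssign SP. The entityID, the affiliation values and the regex on the course URN are assumed placeholders, and the element names and the regexValue match function are as we recall the 1.3 ARP schema; check them against the shibboleth-arp-1.0.xsd shipped with the IdP.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the deck's own arp.xml. Shibboleth 1.3 ARP format. -->
<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd">
  <Description>Site ARP: release to named requesters only; no AnyTarget rule.</Description>

  <!-- Rule for the WebAssign SP. The entityID is a placeholder; take the real one
       from the InCommon federation metadata, not from e-mail or a vendor web page. -->
  <Rule>
    <Target>
      <Requester>https://sp.webassign.example/shibboleth</Requester>
    </Target>

    <!-- Identity attribute the vendor needs to map a login to an existing account. -->
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <AnyValue release="permit"/>
    </Attribute>

    <!-- Release only the affiliations the application actually uses (assumed values);
         other values such as staff or alum stay private. -->
    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
      <Value release="permit">student@tamu.edu</Value>
      <Value release="permit">faculty@tamu.edu</Value>
    </Attribute>

    <!-- eduPersonTargetedID is an opaque, per-SP identifier. Releasing it in a rule
         for one requester is fine; releasing it under AnyTarget would give every SP
         that asks a persistent identifier whether or not it needs one. -->
    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID">
      <AnyValue release="permit"/>
    </Attribute>

    <!-- Course membership: release only values under this institution's course
         namespace, shaped like the sample urn:mace:tamu.edu:crs:2007C:TEST209504.
         The term format (four digits plus a letter) is an assumption read from that
         sample; the regexValue match function is assumed from the 1.3 schema. -->
    <Attribute name="urn:mace:dir:attribute-def:eduCourseOffering">
      <Value release="permit"
             matchFunction="urn:mace:shibboleth:arp:matchFunction:regexValue">urn:mace:tamu\.edu:crs:[0-9]{4}[A-Z]:[A-Z0-9]+</Value>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>
```

After loading it, confirm in the IdP logs that a test account gets exactly these attributes for this requester and nothing for an unlisted one.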
Slide 43: What's In a Name
- Sample course identifier: urn:mace:tamu.edu:crs:2007C:TEST209504

Slide 44: Verified System
- Used our test accounts
- Worked closely with the vendor
- Great support from WebAssign

Slide 45: Customized Login Page
- Did not use the WAYF or the InCommon site for this deployment
- Had a customized WebAssign login page
- Could be integrated into existing pages fairly easily

Slide 46: WebAssign Login (figure)

Slide 47: Texas A&M Login (figure)

Slide 48: Market the Service
- Work with your departments
- Educate your helpdesk
- Multiple levels of support
- Leverage SSO if you have it

Slide 49: Texas Digital Library
- Institutional repositories built on DSpace
- Shibboleth for AuthN/AuthZ
- Establishing a new Texas-wide federation
- Layered authorization model
- http://www.tdl.org/

Slide 50: Schema Part II
- The local federation needed a different set of attributes
- Extended the eduPerson schema
- Used tamuEduPerson extensions
- TDL Federation attributes
- Must agree upon names

Slide 51: More Applications
- Departmental use of institutional data
- For Moodle deployments
- Allows the institution to share applications
- Wireless network access at UT
- TAMU Security Awareness Training

Slide 52: Even More Applications
- Grid computing
- Sakai
- LionShare at Penn State

Slide 53: The Big Benefit
- We have a standard
- More people will adopt it
- Reach critical mass in implementers
- Leverage with vendors

Slide 54: And we learned …
- You do not dabble with this
- You cannot cut corners
- Be serious about privacy and suppression
- Be careful with accounts
- Stay involved with the community
- The more you do, the more you know

Slide 55: Philosophy
"I hear and I forget, I see and I remember, I do and I understand." Confucius

Slide 56: Links
- http://www.incommonfederation.org/
- http://shibboleth.internet2.edu/
- http://infrastructure.tamu.edu/
- http://www.tdl.org/

Slide 57: E-mail
- Michael Bolton: Michael.Bolton@tamu.edu
- Xavier Chapa: XChapa@tamu.edu