Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication. 2 © 2010 SWITCH Terms: Authentication Mechanism A concrete mechanism used to authenticate a user. Shibboleth 2 currently supports REMOTE_USER,

Published byAileen Dalton Modified over 9 years ago

Similar presentations

Presentation on theme: "Authentication. 2 © 2010 SWITCH Terms: Authentication Mechanism A concrete mechanism used to authenticate a user. Shibboleth 2 currently supports REMOTE_USER,"— Presentation transcript:

1 Authentication

2 2 © 2010 SWITCH Terms: Authentication Mechanism A concrete mechanism used to authenticate a user. Shibboleth 2 currently supports REMOTE_USER, user/pass against LDAP & Kerberos, and IP address based mechanisms.

3 3 © 2010 SWITCH Terms: Authentication Method An identifier that a relying party may use to stipulate how authentication should be performed. Authentication method identifiers correspond to a prescription of how authentication is done (even if the details are only in someone’s head).

4 4 © 2010 SWITCH Terms: Login Handler An IdP component that correlates all supported authentication methods with currently configured authentication mechanisms. A login handler may map more than one authentication method to the same authentication mechanism.

5 5 © 2010 SWITCH Terms: Session State information about the user, currently active authentication methods, and services to which they are signed into. A user’s IdP session is created the first time they authenticate but may outlive the lifetime of all authentication methods.

6 6 © 2010 SWITCH Authentication: Goals Configure UsernamePassword login handler to authenticate against LDAP.

7 7 © 2010 SWITCH Login Handler: Configuration Login handlers are configured in handler.xml defines a login handler Every login handler definition has a xsi:type attribute that defines the type of the handler. Each type has its own set of configuration options. https://spaces.internet2.edu/display/SHIB2/IdPUserAuthn

8 8 © 2010 SWITCH Login Handler: Configuration Each must contain at least one which indicates what authentication method the login handler provides.

9 9 © 2010 SWITCH Login Handler: UsernamePassword Login handler that prompts for a username/password and validates against a JAAS module (LDAP & Kerberos 5 currently supported) Type attribute value: UsernamePassword Configuration attributes: jaasConfigurationLocation path to the JAAS configuration file

10 10 © 2010 SWITCH Login Handler: UsernamePassword Edit the login.config 1. Uncomment the LDAP login modules 2. Configure it like this: edu.vt.middleware.ldap.jaas.LdapLoginModule required host=”127.0.0.1” port=“10389” base="ou=people,dc=example,dc=org" userField="uid";

11 11 © 2010 SWITCH Login Handler: UsernamePassword Edit handler.xml 1. Comment out RemoteUser handler 2. Uncomment UsernamePassword handler Turn on debug logging for the LDAP login module by adding the following logger to logging.xml

12 12 © 2010 SWITCH LoginHandler: UsernamePassword 1. Restart Tomcat 2. Access https://sp#.example.org/cgi-bin/attribute-viewer 3. Select your IdP from the list 4. Use student1/password as the username/password

13 13 © 2010 SWITCH LoginHandler: UsernamePassword The login page presented to the user is /opt/installfest/distro/identityprovider/resources/webpages/login.jsp You may define more than one UsernamePassword login handler, with different authentication methods. For example one that work with LDAP and another that works with Kerberos You may define more than one LDAP host so that if one is down another is used.

14 14 © 2010 SWITCH Login Handler: Authentication Duration Each authentication mechanism supports an activity timeout After this timeout expires the mechanism is considered inactive for that user. If the user attempts to access a new service provider that requires that authentication mechanism they must re-authenticate.

15 15 © 2010 SWITCH Login Handler: Authentication Duration It is configured by the authenticationDuration attribute on the Its value is the number of minutes of inactivity and its default value is 30.

16 16 © 2010 SWITCH Forced Authentication SAML 2 allows a service provider to force authentication of the user, even if the user has an existing session. Only works with mechanisms that can re-authenticate a user. RemoteUser does not support forced authentication. The service provider will receive an error if the IdP can not support forced authentication

17 17 © 2010 SWITCH Authentication Method Selection An SP may provide a list of acceptable methods The IdP then checks to see if any active mechanism provides any of those methods, if so, single sign on occurs Otherwise the IdP picks supported, but not yet active, method and uses that.

Download ppt "Authentication. 2 © 2010 SWITCH Terms: Authentication Mechanism A concrete mechanism used to authenticate a user. Shibboleth 2 currently supports REMOTE_USER,"

Similar presentations

Suchin Rengan Principal Technical Architect Salesforce.com

Suchin Rengan Principal Technical Architect Salesforce.com
Shibboleth 2.0 and Beyond Chad La Joie Georgetown University Internet2.

Shibboleth 2.0 and Beyond Chad La Joie Georgetown University Internet2.
© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
Sicurezza II, A.A. 2011/2012 SAML Speaker: André Panisson, PhD student Università degli Studi di Torino, Computer Science Department Corso Svizzera, 185.

Sicurezza II, A.A. 2011/2012 SAML Speaker: André Panisson, PhD student Università degli Studi di Torino, Computer Science Department Corso Svizzera, 185.
©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane
IdP Basics & Installation. © 2010 SWITCH 2 Current Environment Network Java Tomcat LDAP –Create apacheDS run directory mkdir /var/run/apacheds/default.

IdP Basics & Installation. © 2010 SWITCH 2 Current Environment Network Java Tomcat LDAP –Create apacheDS run directory mkdir /var/run/apacheds/default.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
Semester 4 - Chapter 4 – PPP WAN connections are controlled by protocols In a LAN environment, in order to move data between any two nodes or routers two.

Semester 4 - Chapter 4 – PPP WAN connections are controlled by protocols In a LAN environment, in order to move data between any two nodes or routers two.
Infrastructure for Multi-Professional Education and Training Using Shibboleth.

Infrastructure for Multi-Professional Education and Training Using Shibboleth.
IIS Configuration © N. Ganesan, Ph.D.. Renaming the Default Web.

IIS Configuration © N. Ganesan, Ph.D.. Renaming the Default Web.
Blackboard Building Blocks Authentication Overview Tuesday, June 30, 2015 Tom Joyce, Product Manager, Platform Architecture & Database.

Blackboard Building Blocks Authentication Overview Tuesday, June 30, 2015 Tom Joyce, Product Manager, Platform Architecture & Database.
Development and Implementation of Multifactor Authentication Motonori Nakamura at National Institute of Informatics and Takuya Matsuhira at Kanazawa University,

Development and Implementation of Multifactor Authentication Motonori Nakamura at National Institute of Informatics and Takuya Matsuhira at Kanazawa University,
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
03/07/08 © 2008 DSR and LDAP Authentication Avocent Technical Support.

03/07/08 © 2008 DSR and LDAP Authentication Avocent Technical Support.
Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.

Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.
Belnet R&E Federation Workshop Shibboleth IdP Deployment Belnet – Mario Vandaele Brussels – 15 March 2012.

Belnet R&E Federation Workshop Shibboleth IdP Deployment Belnet – Mario Vandaele Brussels – 15 March 2012.
Attribute Resolution. 2 © 2010 SWITCH Terms: Attribute A piece of information about a user. Each attribute has a unique ID and has zero of more values.

Attribute Resolution. 2 © 2010 SWITCH Terms: Attribute A piece of information about a user. Each attribute has a unique ID and has zero of more values.
IT und TK Training Check Point Authentication Methods A short comparison.

IT und TK Training Check Point Authentication Methods A short comparison.
Shibboleth IdP Training: Productionalization January, 2009.

Shibboleth IdP Training: Productionalization January, 2009.

Similar presentations

Ads by Google