Download presentation
Presentation is loading. Please wait.
Published byBlaze Higgins Modified over 9 years ago
1
Shibboleth at the U of M Christopher A. Bongaarts net-people March 10, 2011
2
What is Shibboleth? Software project sponsored by Internet2 Implements SAML auth protocol Two main packages: –Identity Provider (IdP – logs users in) –Service Provider (SP – gives users something to do)
3
How does it work? User visits application web site (SP) SP redirects user to IdP with SAML AuthnRequest IdP authenticates user, if necessary IdP sends user back to SP with SAML AuthnResponse –Authentication Assertion (data about login) –Attribute Assertion (data about user)
4
The Gory Details
5
It’s like CAH… User never gives credentials to SP Additional attributes can be returned Single sign-on
6
It’s different than CAH… No shared cookie –Allows non-umn.edu SPs –Logout works differently SSO still requires a trip to the IdP No free-for-all WEBCOOKIE method More complex protocol – need more than cookies + HTTPS to integrate
7
Our IdPs OIT/IDM runs production and test IdPs IdPs use production/test X.500 respectively Federated with InCommon
8
Setting up an SP Choose an implementation –Shibboleth SP (highly recommended) Includes Apache and IIS server modules –simpleSAMLphp –OpenAM (formerly OpenSSO) –OIOSAML (Java) –ADFSv2 (gateway to WS-*) Preferred method for Sharepoint 2010
9
Setting up an SP Install and configure –Careful – lots of knobs, few need turning –Choose an appropriate entityID (see wiki) –Export metadata (generate/hand edit) Submit an Access Request Form if you need nonpublic attributes Ask IDM to add your metadata to our test IdP
10
Gotchas Shib signs/encrypts assertions –Uses certs in metadata to carry keys –Shib ONLY looks at keys, not rest of cert Ignores expiration Doesn’t validate CA –These are NOT the same certs/keys used for your browser-facing HTTPS port (443)
11
Gotchas entityID looks like a URL but isn’t –It’s a URI, being used as a name –Handy to use as URL sometimes (metadata) –Use a domain you control to facilitate self- managed metadata someday
12
CAH Retirement CAH slated to go away in October 2011 Motivation: –IPv6 compatibility –Move to standards-based solution CAH and Shib will do SSO between them until CAH is gone
13
Converting from CAH to Shib Shib SP is drop-in replacement for mod_cookieauth No ARF needed if you already get data from CAH Apps requiring M Key can use AuthnContext to ask for and check for it
14
Federating your SP Lets your SP allow users to log in from other places Can do simple bilateral setups or get listed in a federation like InCommon (ask IDM) Use a federatable identifier instead of Internet ID or umnDID for primary key –eduPersonTargetedID –eduPersonPrincipalName (ID+scope e.g. cab@umn.edu)
15
Looking Ahead User consent for attribute release Self-managed metadata for departments Single logout support
16
Resources U of M Shib wiki: https://wiki.umn.edu/ShibAuth https://wiki.umn.edu/ShibAuth Official Shib wiki: https://spaces.internet2.edu/display/SHIB2/Home https://spaces.internet2.edu/display/SHIB2/Home Shib mailing list: shibboleth-users@internet2.edu shibboleth-users@internet2.edu –Best place for general questions about Shib SP installation/configuration –Guy who wrote it usually responds within 15 minutes. Not sure when he eats or sleeps.
17
Questions? idm@umn.edu Or call Chris at 5-1809
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.