Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shibboleth at the U of M Christopher A. Bongaarts net-people March 10, 2011.

Published byBlaze Higgins Modified over 9 years ago

Similar presentations

Presentation on theme: "Shibboleth at the U of M Christopher A. Bongaarts net-people March 10, 2011."— Presentation transcript:

1 Shibboleth at the U of M Christopher A. Bongaarts net-people March 10, 2011

2 What is Shibboleth? Software project sponsored by Internet2 Implements SAML auth protocol Two main packages: –Identity Provider (IdP – logs users in) –Service Provider (SP – gives users something to do)

3 How does it work? User visits application web site (SP) SP redirects user to IdP with SAML AuthnRequest IdP authenticates user, if necessary IdP sends user back to SP with SAML AuthnResponse –Authentication Assertion (data about login) –Attribute Assertion (data about user)

4 The Gory Details

5 It’s like CAH… User never gives credentials to SP Additional attributes can be returned Single sign-on

6 It’s different than CAH… No shared cookie –Allows non-umn.edu SPs –Logout works differently SSO still requires a trip to the IdP No free-for-all WEBCOOKIE method More complex protocol – need more than cookies + HTTPS to integrate

7 Our IdPs OIT/IDM runs production and test IdPs IdPs use production/test X.500 respectively Federated with InCommon

8 Setting up an SP Choose an implementation –Shibboleth SP (highly recommended) Includes Apache and IIS server modules –simpleSAMLphp –OpenAM (formerly OpenSSO) –OIOSAML (Java) –ADFSv2 (gateway to WS-*) Preferred method for Sharepoint 2010

9 Setting up an SP Install and configure –Careful – lots of knobs, few need turning –Choose an appropriate entityID (see wiki) –Export metadata (generate/hand edit) Submit an Access Request Form if you need nonpublic attributes Ask IDM to add your metadata to our test IdP

10 Gotchas Shib signs/encrypts assertions –Uses certs in metadata to carry keys –Shib ONLY looks at keys, not rest of cert Ignores expiration Doesn’t validate CA –These are NOT the same certs/keys used for your browser-facing HTTPS port (443)

11 Gotchas entityID looks like a URL but isn’t –It’s a URI, being used as a name –Handy to use as URL sometimes (metadata) –Use a domain you control to facilitate self- managed metadata someday

12 CAH Retirement CAH slated to go away in October 2011 Motivation: –IPv6 compatibility –Move to standards-based solution CAH and Shib will do SSO between them until CAH is gone

13 Converting from CAH to Shib Shib SP is drop-in replacement for mod_cookieauth No ARF needed if you already get data from CAH Apps requiring M Key can use AuthnContext to ask for and check for it

14 Federating your SP Lets your SP allow users to log in from other places Can do simple bilateral setups or get listed in a federation like InCommon (ask IDM) Use a federatable identifier instead of Internet ID or umnDID for primary key –eduPersonTargetedID –eduPersonPrincipalName (ID+scope e.g. cab@umn.edu)

15 Looking Ahead User consent for attribute release Self-managed metadata for departments Single logout support

16 Resources U of M Shib wiki: https://wiki.umn.edu/ShibAuth https://wiki.umn.edu/ShibAuth Official Shib wiki: https://spaces.internet2.edu/display/SHIB2/Home https://spaces.internet2.edu/display/SHIB2/Home Shib mailing list: shibboleth-users@internet2.edu shibboleth-users@internet2.edu –Best place for general questions about Shib SP installation/configuration –Guy who wrote it usually responds within 15 minutes. Not sure when he eats or sleeps.

17 Questions? idm@umn.edu Or call Chris at 5-1809

Download ppt "Shibboleth at the U of M Christopher A. Bongaarts net-people March 10, 2011."

Similar presentations

Suchin Rengan Principal Technical Architect Salesforce.com

Suchin Rengan Principal Technical Architect Salesforce.com
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
Enabling UCTrust Access for Your Application Introduction to The UC CSC Conference UC Santa Barbara, July 21-22, 2008.

Enabling UCTrust Access for Your Application Introduction to The UC CSC Conference UC Santa Barbara, July 21-22, 2008.
Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.

Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.
Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal 1 1 2 2 4 4 3,6 5 5 7 7 8 8 9 9 1010 1010 DNS Hello User Sample (Gateway)

Dispatcher Conditional Expression Static Request Filter Attribute Filter Portal , DNS Hello User Sample (Gateway)
Sicurezza II, A.A. 2011/2012 SAML Speaker: André Panisson, PhD student Università degli Studi di Torino, Computer Science Department Corso Svizzera, 185.

Sicurezza II, A.A. 2011/2012 SAML Speaker: André Panisson, PhD student Università degli Studi di Torino, Computer Science Department Corso Svizzera, 185.
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.

Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.
® Practical Approaches to Web Services Authentication 72nd OGC Technical Committee Frascati, Italy Fiona Culloch March 9, 2010 Sponsored and hosted by.

® Practical Approaches to Web Services Authentication 72nd OGC Technical Committee Frascati, Italy Fiona Culloch March 9, 2010 Sponsored and hosted by.
Beispielbild Community Single Sign-on 15 September 2009 Berlin, ISTC meeting Lutz Suhrbier ‏ Networked Information Systems.

Beispielbild Community Single Sign-on 15 September 2009 Berlin, ISTC meeting Lutz Suhrbier ‏ Networked Information Systems.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
UC Irvine’s Pre-Shib Attribute Setup PH / QI Directory Provides Authoritative Attribute Store –Had both Faculty / Staff and Student Information UCI’s Campus.

UC Irvine’s Pre-Shib Attribute Setup PH / QI Directory Provides Authoritative Attribute Store –Had both Faculty / Staff and Student Information UCI’s Campus.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Shibboleth access management: a replacement for Athens and more? Mark Norman and Christian Fernau OUCS 21 June 2007.

Shibboleth access management: a replacement for Athens and more? Mark Norman and Christian Fernau OUCS 21 June 2007.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.

Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.

Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,

Similar presentations

Ads by Google