1 / 20

Shibboleth at the U of M

Shibboleth at the U of M. Christopher A. Bongaarts code-people June 2, 2011. CAH Retirement. CAH slated to go away in October 2011 Motivation: IPv6 compatibility Move to standards-based (SAML) solution CAH and Shib will do SSO between them until CAH is gone. What is Shibboleth?.

ashlyn
Download Presentation

Shibboleth at the U of M

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Shibboleth at the U of M Christopher A. Bongaarts code-people June 2, 2011

  2. CAH Retirement • CAH slated to go away in October 2011 • Motivation: • IPv6 compatibility • Move to standards-based (SAML) solution • CAH and Shib will do SSO between them until CAH is gone

  3. What is Shibboleth? • Software project sponsored by Internet2 • Implements SAML Web SSO Profile • Two main packages: • Identity Provider (IdP – logs users in) • Service Provider (SP – uses login to do something useful)

  4. How does it work? • User visits application web site (SP) • SP redirects user to IdP with SAML AuthnRequest • IdP authenticates user, if necessary • IdP sends user back to SP with SAML AuthnResponse • Authentication Assertion (data about login) • Attribute Assertion (data about user)

  5. The Gory Details

  6. It’s like CAH… • User never gives credentials to SP • Additional attributes can be returned • Single sign-on

  7. It’s different than CAH… • No shared cookie • Allows non-umn.edu SPs • Logout works differently • SSO still requires a trip to the IdP • No free-for-all WEBCOOKIE method • More complex protocol – need more than cookies + HTTPS to integrate

  8. Our IdPs • OIT/IDM runs production and test IdPs • IdPs use production/test X.500 respectively • Federated with InCommon

  9. Integrating your application • Best strategy: use Shib SP • Requires Apache or IIS • Usually easier to front app with Apache than to directly embed SAML support in your app • Can protect files, directories, or locations via server config or .htaccess

  10. Integrating your application • Best strategy: use Shib SP • Lazy sessions allow unauthenticated browsing until login needed • Shib session can bootstrap app session • Standard builds available for Windows and several Linux distros • Preinstalled on OIT Red Hat Linux VMs

  11. Integrating your application • Install and configure the Shib SP • Careful – lots of knobs, few need turning • Choose an appropriate entityID (see wiki) • Export metadata (generate, then hand edit) • Submit an Access Request Form if you need nonpublic attributes • Ask us to add your metadata to our test IdP

  12. Integrating your application • Access attributes • Environment variables (Apache) • HTTP headers (IIS or Apache) • REMOTE_USER

  13. Converting from CAH to Shib • Shib SP is drop-in replacement for mod_cookieauth • sets REMOTE_USER • No ARF needed if you already get data from CAH • Apps requiring M Key can use AuthnContext to ask for and check for it

  14. Gotchas • Shib signs/encrypts assertions • Uses certs in metadata to carry keys • Shib ONLY looks at keys, not rest of cert • Ignores expiration • Doesn’t validate CA • These are NOT the same certs/keys used for your browser-facing HTTPS port (443)

  15. Gotchas • entityID looks like a URL but isn’t • It’s a URI, being used as a name • Handy to use as URL sometimes (metadata) • Use a domain you control to facilitate self-managed metadata someday

  16. Other SAML Implementations • simpleSAMLphp (PHP) • OIOSAML (Java) • ADFSv2 (gateway to WS-*) • Preferred method for Sharepoint 2010 • WIF SAML extension (for .NET apps) • MSDN blog entry: http://z.umn.edu/3n3 • OpenAM - formerly OpenSSO

  17. Federating your application • Lets your app allow users to log in from other places • Can do simple bilateral setups or get listed in a federation like InCommon (ask us) • Use a federatable identifier instead of Internet ID or umnDID for primary key • eduPersonTargetedID • eduPersonPrincipalName (ID+scope e.g. cab@umn.edu)

  18. Looking Ahead • Single logout support • User consent for attribute release • Self-managed metadata for departments

  19. Resources • U of M Shib wiki: https://wiki.umn.edu/ShibAuth • Official Shib wiki: https://wiki.shibboleth.net/confluence/display/SHIB2/Home • Shib mailing list: shibboleth-users@internet2.edu • Best place for general questions about Shib SP installation/configuration • Guy who wrote it usually responds within 15 minutes. Not sure when he eats or sleeps.

  20. Questions? • Identity Management - idm@umn.edu • Or call Chris at 5-1809

More Related