90 likes | 208 Views
Technical Topics for Deployed Campuses: Web SSO. Will Norris University of Southern California. USC Enterprise Directory. Consistent data whether via Shib or LDAP No account data released by default Formal request for data made to Directory Steering Committee
E N D
Technical Topics for Deployed Campuses: Web SSO Will Norris University of Southern California
USC Enterprise Directory • Consistent data whether via Shib or LDAP • No account data released by default • Formal request for data made to Directory Steering Committee • All applications have well-defined population • Technical Details • Two Sun V440, Sun DS 5.2 with replication • active-passive with manual failover
USC Shibboleth IdP • Hardware • Two Sun V240 • active-active load balancing • Authentication via Tomcat > LDAP > Kerberos • Installed Modules • HAShib (enables attribute query & Artifact profile in clustered environment) • USC Resource Handler (Status page and Logout) • USC Session Counter
USC Shibboleth IdP • Simple resolver.xml (logic is in the directory) • LDAP Data Connector configured for failover • List multiple hosts for java.naming.provider.url • All ARP Rules include constraint for application specific entitlement • FERPA privacy handled via constraints
Tools for Service Providers • USC specific documentation for installation and configuration • shibboleth.xml config file generator • Test Identity Provider (a la TestShib.org) • Periodic IdM & Shibboleth crash course • Local support mailing lists • Central IT officially offers “limited support”
Federation Management • All documentation and configuration kept in Subversion repository • New SPs email their shibboleth.xml config file and certificate to IdP admins • Check overall sanity of configuration (/secure/) • Ensure providerID follows conventions • Comment all ARPs and metadata entries • shell script checks metadata every two weeks for expiring certificates
Extending Services to Guests • All users have local LDAP entry (even guests) • Consistent data via Shib & LDAP • Allows for centralized authz management • Applications see no difference between USC members and guests • No custom code, just configuration
Resource Links • HAShib Module https://www.middleware.georgetown.edu/confluence/x/ugE • USC Service Provider Install Documentation https://shibboleth.usc.edu/docs/sp/install/ • USC Service Provider Configuration Builder https://shibboleth.usc.edu/docs/sp/install/cgi-bin/spconfig • USC Test Identity Provider Configuration https://its-subversion.usc.edu/svn/gds/shibboleth/idp-config/test/ • Will Norris (me) wnorris@usc.edu
Quick Questions? (Otherwise, come back for discussion at 10:15)