
UC Irvine’s Pre-Shib Attribute Setup


Presentation Transcript


1. UC Irvine’s Pre-Shib Attribute Setup
• PH / QI directory provides the authoritative attribute store
• Held both faculty / staff and student information
• UCI’s campus-wide LDAP was a subset of the data in PH / QI
• Applications used (and still use) LDAP or PH / QI to read user attributes
• UCI’s PH / QI schema had a much larger set of attributes

2. WebAuth -- UCI’s Web SSO
• Custom built for UCI
• Info: http://www.nacs.uci.edu/help/webauth/
• Authenticates a UCInetID
• Returns attributes about the session to the application
• Maps UCInetID to campusID, studentID, employeeID

3. Changes to the IdM Setup
• Shibboleth (Shib) does not come with a PH / QI data connector
• LDAP is therefore required as the Shib attribute store
• The LDAP schema needs to be expanded to hold all PH / QI attributes
• Attribute names also need to change to follow standard inetOrgPerson naming
• WebAuth is an ideal Web SSO to pair with Shib
• An Apache module for WebAuth is already written

4. Creating a Shib Origin
• Installation was easy using the guide on Internet2’s website
• The origin runs on Tomcat, connected to Apache through the mod_jk connector
• UCI joined the InQueue and InCommon federations
• InQueue, Internet2’s test federation, is joined very easily
• InCommon required documentation of UCI’s identity management practices

5. Testing
• Pilot origins to be tested against UCOP’s UC for Yourself benefits application
• Testing found some things to be aware of:
• Attribute release policies depend on the SSL client-certificate verification information presented by the target (the requester is identified by its verified client cert)
• Federation metadata must be kept current
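The two technical points in slides 3 and 5, renaming local directory attributes to standard names and releasing them only to a target whose identity was established from a verified SSL client certificate, can be shown in a few lines. The block below is an added example, not code from the UCI presentation or from Shibboleth; the PH / QI-style attribute names, the target identities, the release policy and the sample record are all constructed for illustration. The `SSL_CLIENT_VERIFY` values mirror the ones Apache's mod_ssl sets (`SUCCESS`, `NONE`, `GENEROUS`, `FAILED:reason`).

```python
"""Added example: local-to-standard attribute renaming plus a default-deny
attribute release policy keyed on the requester's verified client-cert DN.
Not UCI's or Shibboleth's code; all names and data below are constructed."""

# Hypothetical PH / QI-style local names -> standard inetOrgPerson / eduPerson names.
# Anything without a mapping is never exposed through the Shib attribute store.
LOCAL_TO_STANDARD = {
    "alias": "uid",
    "name": "cn",
    "email": "mail",
    "campusid": "employeeNumber",
    "department": "ou",
    "affiliation": "eduPersonAffiliation",
}

# Release policy keyed on the target's identity as taken from its verified
# SSL client certificate. Targets not listed here receive nothing.
RELEASE_POLICY = {
    "CN=shar.ucop.example, O=UCOP": {"uid", "cn", "mail", "employeeNumber"},
    "CN=sp.sciencedirect.example, O=Elsevier": {"eduPersonAffiliation"},
}

# Constructed sample directory record (not real data). ssn_last4 stands in for
# a sensitive local-only attribute that must never leave the directory.
SAMPLE_RECORD = {
    "alias": "panteater",
    "name": "Peter Anteater",
    "email": "panteater@example.edu",
    "campusid": "00012345",
    "department": "Libraries",
    "affiliation": "staff",
    "ssn_last4": "1234",
}


def to_standard(record: dict) -> dict:
    """Rename local attributes to their standard names; drop unmapped ones."""
    return {LOCAL_TO_STANDARD[k]: v for k, v in record.items() if k in LOCAL_TO_STANDARD}


def release(record: dict, requester_dn: str, ssl_client_verify: str) -> dict:
    """Return the attributes released to one target.

    ssl_client_verify is the mod_ssl SSL_CLIENT_VERIFY result. Unless the
    client certificate verified (SUCCESS), the requester DN cannot be trusted
    and nothing is released. Otherwise only the attributes the policy allows
    for that exact DN are returned (default deny for unknown targets).
    """
    if ssl_client_verify != "SUCCESS":
        return {}
    allowed = RELEASE_POLICY.get(requester_dn, set())
    return {k: v for k, v in to_standard(record).items() if k in allowed}


if __name__ == "__main__":
    for dn, verify in [
        ("CN=shar.ucop.example, O=UCOP", "SUCCESS"),
        ("CN=sp.sciencedirect.example, O=Elsevier", "SUCCESS"),
        ("CN=shar.ucop.example, O=UCOP", "FAILED:self signed certificate"),
        ("CN=unknown.example, O=Nobody", "SUCCESS"),
    ]:
        print(dn, verify, "->", release(SAMPLE_RECORD, dn, verify))
```

The point a practitioner should take from this: the policy is evaluated against an identity the server proved, not against anything the target asserted about itself, and a target that is not named receives no attributes rather than a default set.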

6. Current Status
• New LDAP schema in production
• UCI is a member of InCommon
• Production != Use
• Currently, zero UCI applications use Shib
• WebAuth and the expanded attributes in LDAP are sufficient for internal use
• External use depends on release policy agreements with other organizations

7. UCI’s Shib Potential
• Administrative Computing is interested in Shib as a standard for vendor software authentication / authorization
• The Library is interested in Shib as a replacement for VPN access to subscriptions
• Some subscriptions, such as Science Direct, already support the InCommon federation
• UC-wide wireless registration??
