Keith Wessel
Identity Management Service Manager
University of Illinois at Urbana-Champaign
The I-Trust Federation: Federating the University of Illinois
Goals and Challenges
• Goal: retire the legacy web sign-on service and replace it with Shibboleth.
• The challenge: U of Illinois’ three campuses maintain their own user and password stores and IDPs. The old web sign-on service allowed inter-domain authentication for services used by users from multiple campuses.
The solution
• Federate the three campuses.
• Use existing IDPs and user/password stores.
• Put a Shib SP on each service that currently uses the legacy system.
• Services that need to allow access to users from multiple campuses can point to a centralized discovery service.
Why not put everyone in InCommon?
• We have over 500 service providers behind the legacy system.
• Many allow access to users from more than one campus.
• Even with delegated SP administration, this would be costly and labor-intensive.
• This is also overkill to get SP data to the university’s three IDPs.
• If an SP needs to federate beyond the university, such as with another university, we will work with them to manually enter them in InCommon.
The business case
• Initial case was to simply get SSO functional and metadata circulating between the three campuses.
• Before we even announced it, our software webstore folks were asking questions.
• By adding other universities, community colleges and K-12 users, our software webstore could sell to more users and get larger discounts.
• State library consortium is also interested in the value of resource sharing through federation.
• We had these cases brought to us. After launch, we expect a lot more.
Planning
• Identify technical and management resources from each campus.
• Agree that Urbana campus, the largest, will take the lead.
• Compare attributes being released by all three IDPs to build and approve a list of common attributes.
• Standardize names of federation attributes.
• Set up a common platform for maintaining and disseminating metadata and attribute release.
Nuts and bolts
• Discovery Service: the Shibboleth project’s centralized discovery service is offered for SPs needing to allow access to all three campuses.
• Metadata management and dissemination: Australian Access Federation’s Federation Registry.
• Metadata signing: the Shibboleth project’s xmlsectool.
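The planning and nuts-and-bolts slides above describe two checks a campus operator ends up automating: deciding whether a signed metadata aggregate from the federation is safe to load (signed, not past validUntil, and which IDPs and SPs it carries), and working out the attribute set all three IDPs already release. The example below is added here and is not I-Trust’s or the Federation Registry’s code; the sample aggregate, the entityIDs and the attribute lists are constructed, and signature presence is only checked, not verified (that is xmlsectool’s job).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample aggregate: placeholder entityIDs, not real I-Trust metadata.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:federation"
  validUntil="2099-01-01T00:00:00Z">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.campus-a.example/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.campus-b.example/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://webstore.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def check_aggregate(xml_text, now=None):
    """Refuse an aggregate that is unsigned or expired; otherwise return the
    entityIDs grouped by role. Assumes validUntil in whole-second UTC form."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.find("ds:Signature", NS) is None:
        raise ValueError("aggregate is unsigned; refusing to load it")
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("aggregate has no validUntil; cannot bound its lifetime")
    expires = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if expires <= now:
        raise ValueError("aggregate expired on %s" % valid_until)
    roles = {"idp": [], "sp": []}
    for ent in root.findall("md:EntityDescriptor", NS):
        if ent.find("md:IDPSSODescriptor", NS) is not None:
            roles["idp"].append(ent.get("entityID"))
        if ent.find("md:SPSSODescriptor", NS) is not None:
            roles["sp"].append(ent.get("entityID"))
    return roles

def common_attributes(release_by_idp):
    """Attributes every IDP already releases: the starting point for the
    federation's standard attribute list (per-campus lists are constructed)."""
    sets = [set(attrs) for attrs in release_by_idp.values()]
    return sorted(set.intersection(*sets)) if sets else []
```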
Federation Registry
• An extensible, open web application that provides a central point of registration, management and reporting for identity and service providers participating in a standards-compliant SAML 2 identity federation.
• Management for all aspects of SAML 2 compliant Identity and Service Providers.
• SAML 2.x compliant metadata generation.
• Additional assistance for Shibboleth IDP and SP administrators, including automated Attribute Filter generation.
• Public registration for Organizations, Identity Providers and Service Providers that are new to the federation.
• Organizations can own any number of IDPs and SPs (service-only organizations are popular with publishers, for example).
• A personalized dashboard view of the federation for all users.
• A cross-browser (including mobile devices) HTML5 compliant user interface which can be branded for deploying organizations.
• Multilingual capable.
• A fully customizable workflow engine to handle registrations and other critical federation changes.
• In-depth reporting to gain insight into the workings of the entire federation.
• Federation-integrated, automatically provisioned user accounts with fine-grained access control.
Future plans
• Bring community colleges, K-12 schools and others on board.
• Federation-wide single logout: a big one to attack, but lots of requests already.
• Standardizing requests for two-factor authentication when needed.
Resources
• Australian Access Federation: wiki.aaf.edu.au/federationregistry2
• Contact for more on I-Trust: Keith Wessel, kwessel@illinois.edu