Shibboleth 2.0 and Beyond Chad La Joie Georgetown University Internet2
General Changes
• Port existing functionality to OpenSAML2 library
• Support subset of SAML 2 specification:
  • Single Sign On & Single Logout
  • Attribute Query
  • Artifact Resolution
• Backwards support for Shibboleth 1.2, 1.3
• Improved documentation
Identity Provider
• IdP, not container, managed authentication
• Enhanced Attribute Authority
  • New data connectors and attribute definitions (e.g. SAML2 Persistent Name Identifier)
• Enhanced ARP Engine
  • Release policy semantics for NameIDs
  • Dynamic attribute constraints
  • Group ARPs
• Improved deployment support:
  • Additional containers
  • Cluster support
Service Provider
• Java Servlet (2.3+) Service Provider
• Improved, and documented, extension points
• Integrated IdP discovery mechanism
• Better caching and cleaner communication with shibd
• Additional name identifiers supported
IdP Discovery Services
• Rewrite of existing WAYF code w/ production release
• Initial experimentation with:
  • browser plug-in based discovery services
  • Microsoft CardSpace (f.k.a. InfoCard)
IdP Managed Authentication
• SP may influence authentication process
  • Require specific, or range of, authN methods
  • Force re-authentication
  • Require passive authentication
• IdP requires session lifecycle mgmt:
  • Explicit logout
  • Session timeouts
  • AuthN method timeout
IdP Managed Authentication
• IdP will map AuthN context to a handler
  • Form which auth's against LDAP, RDBMS…
  • HTTP server location handling certs
  • Servlet accepting Kerberos tokens
• AuthN methods ranked (password < Kerberos < client certificate)
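The two "IdP Managed Authentication" slides describe a decision the IdP has to make on every request: take the SP's constraints (specific or ranged methods, forced re-authentication, passive), check them against the user's existing session and its timeouts, and either reuse the session or pick a handler. The following Python model is an added illustration and not Shibboleth code; the method names, the numeric ranking, the timeout values and the rule that the IdP picks the least burdensome acceptable handler are assumptions made for this example.

```python
# Added illustration of SP-influenced, IdP-managed authentication; not Shibboleth
# code. Method names, ranking weights, timeouts and the "pick the least
# burdensome acceptable handler" rule are assumptions for this example.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Slide ordering: password < Kerberos < client certificate
RANK: Dict[str, int] = {"password": 1, "kerberos": 2, "x509": 3}


@dataclass
class Session:
    principal: str
    method: str        # how the principal last authenticated
    authn_at: float    # time of that authentication (seconds)
    last_seen: float   # last activity, used for the inactivity timeout


@dataclass
class AuthnRequest:
    """What the SP asks for; an empty method set means 'no preference'."""
    methods: Set[str] = field(default_factory=set)
    minimum: Optional[str] = None   # 'at least this strong' (assumed semantics)
    force_reauth: bool = False
    passive: bool = False


@dataclass
class IdPPolicy:
    session_timeout: float = 8 * 3600                 # idle timeout (assumed value)
    method_timeout: Dict[str, float] = field(default_factory=lambda: {
        "password": 1 * 3600, "kerberos": 8 * 3600, "x509": 12 * 3600})


def acceptable_methods(req: AuthnRequest) -> Set[str]:
    """Methods that satisfy both the SP's explicit list and its minimum strength."""
    methods = set(req.methods) if req.methods else set(RANK)
    if req.minimum is not None:
        methods = {m for m in methods if RANK[m] >= RANK[req.minimum]}
    return methods


def decide(req: AuthnRequest, session: Optional[Session],
           policy: IdPPolicy, now: float) -> Tuple[str, str]:
    """Return ("reuse", method), ("authenticate", handler) or ("fail", reason)."""
    ok = acceptable_methods(req)
    if not ok:
        return ("fail", "no handler satisfies the requested AuthN context")

    if session is not None and not req.force_reauth:
        idle_ok = now - session.last_seen <= policy.session_timeout
        fresh_ok = now - session.authn_at <= policy.method_timeout[session.method]
        if idle_ok and fresh_ok and session.method in ok:
            return ("reuse", session.method)

    # Reaching here means the user must be prompted; a passive request forbids that.
    if req.passive:
        return ("fail", "passive requested but interactive authentication needed")

    # Assumed handler selection: the least burdensome method that still satisfies the SP.
    return ("authenticate", min(ok, key=RANK.__getitem__))
```

Note that a stale password session does not satisfy a passive request even though a session exists: the method timeout is checked independently of the idle timeout, which is the distinction the slide draws between "session timeouts" and "AuthN method timeout".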
Single Logout
• Two methods to perform SLO:
  • Front channel via browser redirect
    • Easy but unreliable; the chain is broken if a service doesn't respond
  • Back channel SOAP messages
    • More complicated but more reliable
    • Problem for strictly cookie-session based systems
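The slide's two SLO styles fail in different places: a front-channel chain stops at the first SP that never redirects the browser back, so every SP after it is silently left logged in, while back-channel SOAP calls are independent but cannot clear a session that exists only as a browser cookie. The simulation below is an added example, not Shibboleth or OpenSAML code; the SP names, the `responds` flag and the `cookie_only` behaviour are constructed assumptions.

```python
# Added simulation of the two SLO propagation styles on the slide; not
# Shibboleth or OpenSAML code. SP names, the "responds" flag and the
# cookie-only behaviour are constructed assumptions for this example.
from typing import Dict, List


class SP:
    def __init__(self, name: str, responds: bool = True, cookie_only: bool = False):
        self.name = name
        self.responds = responds        # does the SP answer logout requests at all?
        self.cookie_only = cookie_only  # session state lives only in a browser cookie

    def front_channel_logout(self, session_index: str) -> bool:
        # The browser is redirected here; the SP clears its cookie and must
        # redirect the browser back to the IdP for the chain to continue.
        return self.responds

    def back_channel_logout(self, session_index: str) -> bool:
        # Direct IdP -> SP SOAP call with no browser involved. An SP whose session
        # exists only as a browser cookie has nothing server-side to invalidate.
        return self.responds and not self.cookie_only


def front_channel_slo(sps: List[SP], session_index: str) -> Dict[str, object]:
    """Serial redirect chain: stops at the first SP that never sends the browser back."""
    completed: List[str] = []
    for i, sp in enumerate(sps):
        if not sp.front_channel_logout(session_index):
            return {"completed": completed, "broken_at": sp.name,
                    "unreached": [s.name for s in sps[i + 1:]]}
        completed.append(sp.name)
    return {"completed": completed, "broken_at": None, "unreached": []}


def back_channel_slo(sps: List[SP], session_index: str) -> Dict[str, List[str]]:
    """Independent SOAP calls: one failure does not prevent notifying the rest."""
    succeeded: List[str] = []
    failed: List[str] = []
    for sp in sps:
        (succeeded if sp.back_channel_logout(session_index) else failed).append(sp.name)
    return {"succeeded": succeeded, "failed": failed}


# Constructed sample federation: one SP that never answers, one that keeps
# its session purely in a browser cookie.
SAMPLE_SPS = [SP("wiki"), SP("library", responds=False),
              SP("portal"), SP("legacy", cookie_only=True)]

if __name__ == "__main__":
    print(front_channel_slo(SAMPLE_SPS, "sess-1"))
    print(back_channel_slo(SAMPLE_SPS, "sess-1"))
```

Running it on the sample federation shows the trade-off in one place: the front channel never reaches `portal` or `legacy` because `library` breaks the chain, whereas the back channel notifies `portal` but cannot log out `legacy`, so an IdP that records per-SP outcomes can at least tell the user which services still hold a session.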
Future work
• More SAML 2 support
  • NameID management & mapping
• Enhanced Client/Proxy support
  • Initial support for client/server & grid sign-on
• Web-services support
  • Based on the Liberty WSF 2 specifications
• N-Tier/Metasearch support
  • Based heavily on web-services support
Resources
• Shibboleth 2 Roadmap
• EC/P
• Web Services Support
• OpenSAML2