Shibboleth at the U of M



  1. Shibboleth at the U of M
     Christopher A. Bongaarts, net-people, March 10, 2011

  2. What is Shibboleth?
     • Software project sponsored by Internet2
     • Implements SAML auth protocol
     • Two main packages:
       • Identity Provider (IdP – logs users in)
       • Service Provider (SP – gives users something to do)

  3. How does it work?
     • User visits application web site (SP)
     • SP redirects user to IdP with a SAML AuthnRequest
     • IdP authenticates user, if necessary (an existing IdP session means no new login prompt)
     • IdP sends user back to SP with a SAML Response (the "AuthnResponse"), which carries:
       • Authentication Assertion (data about the login: when, and with what method)
       • Attribute Assertion (data about the user)
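
The exchange on this slide, driven end to end in one process as an added example (this is not code from the presentation or from the Shibboleth project). The SP and IdP entityIDs, the ACS and SSO URLs are invented placeholders, and signing/encryption of the Response is omitted; a real SP verifies the XML signature against the key in the IdP's metadata before any of the checks below count for anything.

```python
# Added example (not the slides' or the Shibboleth project's code): the SAML 2.0 SSO
# exchange above, driven in-process with the standard library. Entity IDs and URLs are
# invented placeholders. Signing/encryption is omitted; a real SP verifies the XML
# signature against the key from the IdP's metadata before trusting anything below.
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SP_ENTITY_ID = "https://myapp.example.edu/shibboleth"                # placeholder
SP_ACS = "https://myapp.example.edu/Shibboleth.sso/SAML2/POST"       # placeholder
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"             # placeholder
IDP_SSO = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"   # placeholder

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def _el(parent, tag, attrib=None, text=None):
    """Append a namespaced child; tag is given as 'prefix:name'."""
    prefix, name = tag.split(":")
    el = ET.SubElement(parent, f"{{{NS[prefix]}}}{name}", attrib or {})
    el.text = text
    return el

def build_authn_request(request_id=None):
    """Step 2: the SP builds the AuthnRequest it will redirect the browser with."""
    request_id = request_id or "_" + secrets.token_hex(16)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": _now(), "Destination": IDP_SSO,
        "AssertionConsumerServiceURL": SP_ACS, "ProtocolBinding": POST_BINDING})
    _el(req, "saml:Issuer", text=SP_ENTITY_ID)
    return request_id, ET.tostring(req, encoding="unicode")

def redirect_url(request_xml, relay_state="/secure/"):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = no zlib header/trailer
    deflated = comp.compress(request_xml.encode()) + comp.flush()
    query = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return IDP_SSO + "?" + urlencode(query)

def decode_redirect(url):
    """What the IdP does on arrival: reverse the binding and read the request."""
    qs = parse_qs(urlsplit(url).query)
    req = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    return {"id": req.get("ID"), "issuer": req.findtext("saml:Issuer", namespaces=NS),
            "acs": req.get("AssertionConsumerServiceURL"), "relay_state": qs["RelayState"][0]}

def build_response(decoded, attributes):
    """Step 4: the IdP's Response, one assertion holding an authentication statement
    (how the user logged in) and an attribute statement (who the user is)."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _now(),
        "InResponseTo": decoded["id"], "Destination": decoded["acs"]})
    _el(resp, "saml:Issuer", text=IDP_ENTITY_ID)
    _el(_el(resp, "samlp:Status"), "samlp:StatusCode", {"Value": SUCCESS})
    a = _el(resp, "saml:Assertion",
            {"ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _now()})
    _el(a, "saml:Issuer", text=IDP_ENTITY_ID)
    _el(_el(a, "saml:Subject"), "saml:NameID",
        {"Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"}, "_" + secrets.token_hex(8))
    _el(_el(_el(a, "saml:Conditions"), "saml:AudienceRestriction"), "saml:Audience",
        text=decoded["issuer"])
    _el(_el(_el(a, "saml:AuthnStatement", {"AuthnInstant": _now()}), "saml:AuthnContext"),
        "saml:AuthnContextClassRef", text=PASSWORD_CTX)
    stmt = _el(a, "saml:AttributeStatement")
    for name, values in attributes.items():
        attr = _el(stmt, "saml:Attribute", {"Name": name})
        for value in values:
            _el(attr, "saml:AttributeValue", text=value)
    return ET.tostring(resp, encoding="unicode")

def consume_response(response_xml, expected_request_id):
    """Step 5: the SP checks the Response before trusting anything in it."""
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != expected_request_id:
        raise ValueError("Response does not answer our request (replayed or injected)")
    if resp.get("Destination") != SP_ACS:
        raise ValueError("Response was addressed to a different ACS")
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported a failure status")
    a = resp.find("saml:Assertion", NS)
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion from an unexpected issuer")
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                  namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("assertion was issued for a different SP")
    ctx = "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return {"authn_context": a.findtext(ctx, namespaces=NS),
            "attributes": {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
                           for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}}

def sso_round_trip(attributes):
    """All four hops in one process: SP -> browser -> IdP -> browser -> SP."""
    req_id, req_xml = build_authn_request()
    decoded = decode_redirect(redirect_url(req_xml))
    return consume_response(build_response(decoded, attributes), req_id)
```

`sso_round_trip({"urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["jdoe@example.edu"]})` returns the login context and the released attributes. The InResponseTo, Destination and Audience checks are what stop a Response captured earlier, or one issued for some other SP, from being accepted at yours; the Shibboleth SP does all of them for you, which is one reason the slide calls it the recommended implementation.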

  4. The Gory Details

  5. It’s like CAH…
     • User never gives credentials to SP
     • Additional attributes can be returned
     • Single sign-on

  6. It’s different than CAH…
     • No shared cookie
     • Allows non-umn.edu SPs
     • Logout works differently
     • SSO still requires a trip to the IdP
     • No free-for-all WEBCOOKIE method
     • More complex protocol – need more than cookies + HTTPS to integrate

  7. Our IdPs
     • OIT/IDM runs production and test IdPs
     • IdPs use production/test X.500 respectively
     • Federated with InCommon

  8. Setting up an SP
     • Choose an implementation
       • Shibboleth SP (highly recommended)
         • Includes Apache and IIS server modules
       • simpleSAMLphp
       • OpenAM (formerly OpenSSO)
       • OIOSAML (Java)
       • ADFSv2 (gateway to WS-*)
         • Preferred method for Sharepoint 2010

  9. Setting up an SP
     • Install and configure
       • Careful – lots of knobs, few need turning
     • Choose an appropriate entityID (see wiki)
     • Export metadata (generate/hand edit)
     • Submit an Access Request Form (ARF) if you need nonpublic attributes
     • Ask IDM to add your metadata to our test IdP

  10. Gotchas
     • Shib signs/encrypts assertions
     • Uses certs in metadata to carry keys
       • Shib ONLY looks at keys, not rest of cert
         • Ignores expiration
         • Doesn’t validate CA
     • These are NOT the same certs/keys used for your browser-facing HTTPS port (443)

  11. Gotchas
     • entityID looks like a URL but isn’t
       • It’s a URI, being used as a name
       • Handy to use as URL sometimes (metadata)
       • Use a domain you control to facilitate self-managed metadata someday
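
The "choose an entityID" and "export metadata" steps from slide 9, with the entityID gotchas from this slide applied, as an added example (not from the presentation and not the Shibboleth SP's own metadata generator). The domain list, URLs and the certificate text are invented placeholders; the point of the KeyDescriptor part is that the certificate is only a container for the public key, which is why the slide above says expiry and CA are ignored and why it must not be your port-443 certificate.

```python
# Added example (not from the slides or the Shibboleth SP): sanity-check an entityID
# and emit the SP metadata you hand to IDM. Domains, URLs and the certificate
# are invented placeholders.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
OUR_DOMAINS = ("example.edu",)  # assumption: DNS domains your department controls

def check_entity_id(entity_id):
    """The entityID is a URI used as a name. It never has to resolve, but it should be
    absolute, free of volatile parts, and under a domain you control. Returns problems."""
    problems = []
    parts = urlsplit(entity_id)
    if not parts.scheme:
        problems.append("not an absolute URI (no scheme)")
    elif parts.scheme == "https":
        host = parts.hostname or ""
        if not any(host == d or host.endswith("." + d) for d in OUR_DOMAINS):
            problems.append(f"host {host!r} is outside the domains you control")
    elif parts.scheme != "urn":
        problems.append(f"scheme {parts.scheme!r} is unusual; use https: or urn:")
    if parts.query or parts.fragment:
        problems.append("query string or fragment does not belong in a name")
    if entity_id != entity_id.strip() or " " in entity_id:
        problems.append("whitespace in entityID")
    return problems

def pem_body(cert_pem):
    """KeyDescriptor carries the cert as a bare base64 blob. Shib reads only the public
    key out of it: expiry and CA are ignored, and it must not be the cert port 443 serves."""
    return "".join(line.strip() for line in cert_pem.strip().splitlines()
                   if not line.startswith("-----"))

def build_sp_metadata(entity_id, acs_url, signing_cert_pem):
    """Minimal SPSSODescriptor: one key, one HTTP-POST AssertionConsumerService."""
    problems = check_entity_id(entity_id)
    if problems:
        raise ValueError("bad entityID: " + "; ".join(problems))
    if urlsplit(acs_url).scheme != "https":
        raise ValueError("AssertionConsumerService must be https")
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                       {"protocolSupportEnumeration": SAML2_PROTOCOL})
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor")  # no "use": one key signs and decrypts
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = pem_body(signing_cert_pem)
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  {"Binding": POST_BINDING, "Location": acs_url, "index": "1"})
    return ET.tostring(ed, encoding="unicode")

# Constructed stand-in for the SP's signing certificate (not a real certificate).
DEMO_CERT = """-----BEGIN CERTIFICATE-----
MIIBexampleNotARealCertificate0000000000000000000000000000000000
-----END CERTIFICATE-----"""

if __name__ == "__main__":
    print(check_entity_id("https://myapp.other.org/shibboleth?v=1"))
    print(build_sp_metadata("https://myapp.example.edu/shibboleth",
                            "https://myapp.example.edu/Shibboleth.sso/SAML2/POST", DEMO_CERT))
```

A `urn:` entityID passes `check_entity_id` unchanged, since a URN is the clearest way to say "this is a name, not a location"; an `https:` one is accepted only under a domain you control, which is what makes self-managed metadata possible later.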

  12. CAH Retirement
     • CAH slated to go away in October 2011
     • Motivation:
       • IPv6 compatibility
       • Move to standards-based solution
     • CAH and Shib will do SSO between them until CAH is gone

  13. Converting from CAH to Shib
     • Shib SP is a drop-in replacement for mod_cookieauth
     • No ARF needed if you already get data from CAH
     • Apps requiring M Key can use AuthnContext to ask for it (RequestedAuthnContext in the AuthnRequest) and to check for it (AuthnContextClassRef in the returned assertion)

  14. Federating your SP
     • Lets your SP allow users to log in from other places
     • Can do simple bilateral setups or get listed in a federation like InCommon (ask IDM)
     • Use a federatable identifier instead of Internet ID or umnDID for primary key
       • eduPersonTargetedID
       • eduPersonPrincipalName (ID+scope, e.g. cab@umn.edu)
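
How an SP would act on slides 13 and 14 once a federated IdP's assertion arrives, as an added example (not from the presentation or the Shibboleth project): check that the AuthnContext the app asked for is the one the IdP reports, then pick a federatable primary key, preferring eduPersonTargetedID and accepting eduPersonPrincipalName only when the issuing IdP is allowed to assert that scope. The IdP entityIDs, the scope table and the "M Key" AuthnContext URI are invented placeholders (the real M Key context is not on this page), and the sample assertions are constructed and unsigned.

```python
# Added example (not from the slides or the Shibboleth project). IdP entityIDs, the
# scope table, the M Key context URI and the sample assertions are invented.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
ET.register_namespace("saml", SAML)
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"     # eduPersonPrincipalName, "id@scope"
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"   # eduPersonTargetedID, value is a saml:NameID
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Hypothetical class URI an app would put in RequestedAuthnContext to ask for M Key.
MKEY_CTX = "urn:example:ac:classes:MKey"

# Scopes each IdP may assert, as read from <shibmd:Scope> in its metadata (constructed).
IDP_SCOPES = {
    "https://idp.umn.example/idp/shibboleth": {"umn.edu"},
    "https://idp.partner.example/idp/shibboleth": {"partner.example"},
}

def federated_user_key(assertion_xml, required_context=None):
    """Return (identifier_type, value) to use as the app's primary key, or raise."""
    a = ET.fromstring(assertion_xml)
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    ctx = a.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                     namespaces=NS)
    if required_context and ctx != required_context:
        raise PermissionError(f"login used {ctx}, app requires {required_context}")
    attrs = {attr.get("Name"): attr.findall("saml:AttributeValue", NS)
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    # First choice: eduPersonTargetedID, opaque and per-SP. Qualify it with the issuing
    # IdP so two IdPs cannot collide on the same opaque string.
    for val in attrs.get(EPTID, []):
        nid = val.find("saml:NameID", NS)
        if nid is not None and nid.get("Format") == PERSISTENT:
            return "eduPersonTargetedID", f"{nid.get('NameQualifier') or issuer}!{nid.text}"
    # Fallback: eduPersonPrincipalName, but only if this IdP may assert that scope;
    # otherwise a partner IdP could hand your app "admin@umn.edu".
    for val in attrs.get(EPPN, []):
        local, _, scope = (val.text or "").rpartition("@")
        if not local or scope not in IDP_SCOPES.get(issuer, set()):
            raise PermissionError(f"{issuer} may not assert scope {scope!r}")
        return "eduPersonPrincipalName", val.text
    raise PermissionError("IdP released no federatable identifier")

def sample_assertion(issuer, eppn=None, eptid=None, ctx=PASSWORD_CTX):
    """Constructed, unsigned assertion for the demonstration (not an IdP's real output)."""
    a = ET.Element(f"{{{SAML}}}Assertion", {"Version": "2.0", "ID": "_demo"})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    ac = ET.SubElement(ET.SubElement(a, f"{{{SAML}}}AuthnStatement"), f"{{{SAML}}}AuthnContext")
    ET.SubElement(ac, f"{{{SAML}}}AuthnContextClassRef").text = ctx
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    if eppn:
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": EPPN})
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = eppn
    if eptid:
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": EPTID})
        nid = ET.SubElement(ET.SubElement(attr, f"{{{SAML}}}AttributeValue"),
                            f"{{{SAML}}}NameID", {"Format": PERSISTENT, "NameQualifier": issuer})
        nid.text = eptid
    return ET.tostring(a, encoding="unicode")

if __name__ == "__main__":
    umn = "https://idp.umn.example/idp/shibboleth"
    print(federated_user_key(sample_assertion(umn, eppn="cab@umn.edu")))
    print(federated_user_key(sample_assertion(umn, eptid="opaque-abc123")))
```

The scope check is the part that matters once you federate: the Shibboleth SP enforces it for scoped attributes using the `shibmd:Scope` values in each IdP's metadata, so an application that reads eduPersonPrincipalName straight from the SP's environment inherits that check, while one that parses assertions itself has to repeat it.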

  15. Looking Ahead
     • User consent for attribute release
     • Self-managed metadata for departments
     • Single logout support

  16. Resources
     • U of M Shib wiki: https://wiki.umn.edu/ShibAuth
     • Official Shib wiki: https://spaces.internet2.edu/display/SHIB2/Home
     • Shib mailing list: shibboleth-users@internet2.edu
       • Best place for general questions about Shib SP installation/configuration
       • Guy who wrote it usually responds within 15 minutes. Not sure when he eats or sleeps.

  17. Questions?
     • idm@umn.edu
     • Or call Chris at 5-1809
