Shibboleth Configuration from 100,000 Feet, in 15 Minutes or Less! Steve Thorpe Systems Programmer / Analyst MCNC




Helpful Skill Sets Include Basic Knowledge Of:
o Your OS: Linux or Windows
o Experience using the command line on your OS
o Knowing how to find and use log files to troubleshoot issues with applications on your OS
o Tomcat / Apache / Java
o XML
o LDAP, specifically your LDAP
o Authentication, how it works at your campus, and familiarity with single sign-on concepts
o Virtual Machine environment (such as VMware)

IdP and SP Software Components - Lots of Distributed Pieces!

High Level Flow Among SP / DS / IdP Source: https://spaces.internet2.edu/display/shibinstallfest/shibboleth+workshop+series+-+linux+identity+provider+%28centos+6.2%29

SP Recognizes IdPs Via Metadata Source: https://spaces.internet2.edu/display/shibinstallfest/shibboleth+workshop+series+-+linux+service+provider+%28centos+6.2%29

IdP Recognizes SPs Via Metadata (relying-party.xml: MetadataProvider) Source: https://spaces.internet2.edu/display/shibinstallfest/shibboleth+workshop+series+-+linux+service+provider+%28centos+6.2%29

Example from InCommon Metadata
  : :
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <!-- The Ohio State University -->
    <EntityDescriptor entityID="https://carmenwiki.osu.edu/shibboleth" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <Extensions xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
        <mdattr:EntityAttributes xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
          <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="http://id.incommon.org/attribute/entity/category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
          </saml:Attribute>
        </mdattr:EntityAttributes>
      </Extensions>
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
        <md:Extensions xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
          <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://carmenwiki.osu.edu/Shibboleth.sso/Login" index="1"/>
          <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://carmenwiki.it.ohio-state.edu/Shibboleth.sso/Login" index="2"/>
          <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://carmenwiki.osu.edu/Shibboleth.sso/Clear" index="3"/>
          <DiscoveryResponse xmlns="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://carmenwiki.it.ohio-state.edu/Shibboleth.sso/Clear" index="4"/>
          <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
            : :
            <mdui:DisplayName xml:lang="en">carmenwiki</mdui:DisplayName>
            <mdui:Description xml:lang="en">Enterprise Wiki Service at the Ohio State University.</mdui:Description>
            <mdui:InformationURL xml:lang="en">http://cio.osu.edu/services/getbusinessservice.php?id=f8f7fc290a0a3c0501c355b8e1430015</mdui:InformationURL>
            <mdui:PrivacyStatementURL xml:lang="en">https://carmenwiki.osu.edu/x/jyleaq</mdui:PrivacyStatementURL>
            <mdui:Logo height="85" width="141" xml:lang="en">https://carmenwiki.osu.edu/download/attachments/9666561/global.logo</mdui:Logo>
          </mdui:UIInfo>
        </md:Extensions>
Source: http://wayf.incommonfederation.org/incommon/incommon-metadata.xml

Identity Provider Config Files
o login.config: Configuration for the Username/Password authentication mechanism. Does the incoming user have a valid credential?
o relying-party.xml: Configures how the IdP processes messages that are received. Who do you recognize, and who do you want to trust?
o attribute-resolver.xml: Configures attribute collection, transformation, and encoding. Where do you find a user's attribute values?
o attribute-filter.xml: Configures the release of attributes to SPs. Who do you share which attributes with?
o logging.xml: Configuration of the IdP's logging system. Why the heck is my IdP not working?
o etc.
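The two metadata slides and the attribute-filter.xml question ("Who do you share which attributes with?") meet in practice when an IdP decides what to release based on what the federation metadata says about an SP. As an added example (not from the slides), the script below parses a constructed metadata fragment modelled on the InCommon excerpt, lists each SP's entity categories and DiscoveryResponse endpoints, and applies an attribute-filter style rule that releases a bundle only to SPs tagged Research & Scholarship. The entity IDs, URLs and the released attribute list are constructed assumptions, not federation data or any site's policy.

```python
import xml.etree.ElementTree as ET

# Namespaces found in SAML metadata aggregates such as InCommon's.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://id.incommon.org/category/research-and-scholarship"

# Constructed sample aggregate (not real federation data); only the first SP carries the R&S category.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol">
 <md:EntityDescriptor entityID="https://wiki.example.edu/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="http://macedir.org/entity-category">
    <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
   </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:Extensions>
    <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
     Location="https://wiki.example.edu/Shibboleth.sso/Login" index="1"/>
   </md:Extensions>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://vendor.example.com/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def parse_sps(xml_text):
    """Map each SP entityID to its entity categories and DiscoveryResponse locations."""
    result = {}
    for ed in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is None:
            continue  # IdP-only entity, not a relying party we would release attributes to
        cats = [v.text for v in ed.findall(
            "md:Extensions/mdattr:EntityAttributes/saml:Attribute[@Name='%s']/saml:AttributeValue" % ENTITY_CATEGORY, NS)]
        disc = [d.get("Location") for d in sp.findall("md:Extensions/idpdisc:DiscoveryResponse", NS)]
        result[ed.get("entityID")] = {"categories": cats, "discovery": disc}
    return result

def release_bundle(sp_info):
    """Constructed attribute-filter style rule (an assumption): R&S SPs get a fixed bundle, others nothing."""
    if RS_CATEGORY in sp_info["categories"]:
        return ["eduPersonPrincipalName", "mail", "displayName", "eduPersonScopedAffiliation"]
    return []
```

Point the same parser at a downloaded aggregate to see which SPs your IdP would release the bundle to before changing attribute-filter.xml.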

Service Provider Config Files
o shibboleth2.xml - the main Shibboleth config file
  o What protocols does the SP support?
  o What address(es) to find the SP at
  o Who do I recognize, who do I trust?
  o How to handle the IdP Discovery problem
o attribute-map.xml - Which attributes is the SP looking for?
o shibd.conf - Tells Apache which content on your site to protect by Shib
o etc.

Config File Confusion: The Little Details Matter! (and can drive you batty)
Source: Bill French's post on the "Stop Reinventing The Wheel" Blog <http://www.stopreinventingthewheel.com/srtw/viewfullpost.aspx?PostPK=40> <http://www.stopreinventingthewheel.com/srtw/uploadedimages/Shibboleth/FileRelationships.pdf>

A Couple Examples
o MCNC's Test SP: https://sp-test-01.mcnc.org
o Rockingham Unique UserIds: https://cacti.mcnc.org/cacti/graph.php?action=view&local_graph_id=8808&rra_id=all

2013 Shibboleth Training Workshop?
InCommon is planning on four two-day training workshops during 2013
o Covers IdP and SP
o Hands-on lab exercises
InCommon is seeking host venues
Is there any interest among this audience?

For Further Information
To find course content, Google "spaces shibboleth workshop series"
To learn about InCommon's upcoming Shibboleth workshops: http://www.incommon.org/educate/shibboleth/

Questions/Comments?
Please visit the MCNC Table at IIPS
Steve Thorpe thorpe@mcnc.org 919-248-1161