Shibboleth Authentication. Information Systems & Computing Identity and Access Management May 23, 2014

Similar documents
P U R D U E U N I V E R S I T Y

Feide Technical Guide. Technical details for integrating a service into Feide

Getting Started with Single Sign-On

Federated Identity: Leveraging Shibboleth to Access On and Off Campus Resources

Single Sign On at Colorado State. Ron Splittgerber

Shibboleth User Verification Customer Implementation Guide Version 3.5

Standalone SAML Attribute Authority With Shibboleth

Getting Started with Single Sign-On

Moodle and Office 365 Step-by-Step Guide: Federation using Active Directory Federation Services

Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only)

Best Practices for Libraries and Library Service Providers

Federated Identity Management. Willem Elbers (MPI-TLA) EUDAT training

MACE-Dir SAML Attribute Profiles

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only)

IAM Application Integration Guide

Shibboleth Architecture

Shibboleth Configuration from 100,000 Feet, in 15 Minutes or Less! Steve Thorpe Systems Programmer / Analyst MCNC

SAML Single-Sign-On (SSO)

Federating with Web Applications

Copyright: WhosOnLocation Limited

AD FS 2.0 Step-by-Step Guide: Federation with Shibboleth 2 and the InCommon Federation

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

Web Single Sign-On Authentication using SAML

IBM WebSphere Application Server

National Identity Exchange Federation. Web Browser User-to-System Profile. Version 1.0

To set up Egnyte so employees can log in using SSO, follow the steps below to configure VMware Horizon and Egnyte to work with each other.

HP Software as a Service. Federated SSO Guide

Integration of Office 365 with existing faculty SSO

How To Use Saml 2.0 Single Sign On With Qualysguard

365 Services. 1.1 Configuring Access Manager Prerequisite Adding the Office 365 Metadata. docsys (en) 2 August 2012

Configuring SAML2 for Single Sign On to Smartsheet (Enterprise Only)

Authentication Methods

Computer Services Documentation

Web Access Management and Single Sign-On

Introducing Shibboleth

MLSListings Single Sign On Implementation Guide. Compatible with MLSListings Applications

SAML Authentication within Secret Server

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

Federated Identity Management

Разработка программного обеспечения промежуточного слоя. TERENA BASNET Workshop, November 2009 Joost van Dijk - SURFnet

Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML

Configuring. Moodle. Chapter 82

DocuSign Information Guide. Single Sign On Functionality. Overview. Table of Contents

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

Single Sign on Using SAML

Section 1, Configuring Access Manager, on page 1 Section 2, Configuring Office 365, on page 4 Section 3, Verifying Single Sign-On Access, on page 5

Single Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1

Simple Cloud Identity Management (SCIM)

Canadian Access Federation: Trust Assertion Document (TAD)

HP Software as a Service

VMware Identity Manager Integration with Active Directory Federation Services 2.0

Egnyte Single Sign-On (SSO) Installation for OneLogin

Active Directory Federation Services

Single Sign-On Implementation Guide

Web based single sign on. Caleb Racey Web development officer Webteam, customer services, ISS

Merit Cloud Media User Guide

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

SAML single sign-on configuration overview

Authentic2 Documentation

T his feature is add-on service available to Enterprise accounts.

IAM, Enterprise Directories and Shibboleth (oh my!)

SAML Federated Identity at OASIS

Single Sign-on to Salesforce.com with CA Federation Manager

It is I, SAML. Ana Mandić Development Five Minutes Ltd

Integrating Web Applications with Shibboleth

Single Sign-On Implementation Guide

Single Sign-On Implementation Guide

SAML Privacy-Enhancing Profile

Single Sign-On Implementation Guide

Federations 101. An Introduction to Federated Identity Management. Peter Gietz, Martin Haase

VETUMA SAML SAMPLE MESSAGES

Integrating a Shibboleth IdP with Microsoft Active Directory

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Authentication and Single Sign On

USING ESPRESSO [ESTABLISHING SUGGESTED PRACTICES REGARDING SINGLE SIGN ON] TO STREAMLINE ACCESS

ORACLE TALEO BUSINESS EDITION SINGLE SIGN ON SERVICE PROVIDER REFERENCE GUIDE RELEASE 15.A2

Configuring Parature Self-Service Portal

Qualtrics Single Sign-On Specification

Lifesize Cloud Table of Contents

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

Authentication Integration

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

Microsoft Office 365 Using SAML Integration Guide

Get Cloud Ready: Secure Access to Google Apps and Other SaaS Applications

Transcription:

Shibboleth Authentication Information Systems & Computing Identity and Access Management May 23, 2014

For every question an answer: Why should I care about SAML? What is a Shibboleth? What is a Federation? Are we in one? How does it (Shibboleth) work? How do I get one of those? PennGroups!

[1] https://www.oasis-open.org/committees/security/ [2] https://shibboleth.net/ SAML Security Assertion Markup Language A data format for exchanging authentication and authorization information. There are many flavors of SAML. Shibboleth is one of those flavors. Why is SAML important? - It provides web application single sign-on (SSO). - It allows an organization to exchange identity information with a trusted 3rd party.

You are already using Shibboleth

Shib bo leth noun \ˈshi-bə-ləth A word or way of speaking or behaving which shows that a person belongs to a particular group. After speaking to multiple support technicians that can not help you... [1] https://xkcd.com/806/

Federations A federation is a group of providers that agree upon a standard (of operations, interactions, frameworks, goals etc...).

Federations - InCommon The InCommon Federation is the U.S. education and research identity federation, providing a common framework for trusted shared management of access to online resources. Through InCommon, Identity Providers can give their users single sign-on convenience and privacy protection, while online Service Providers control access to their protected resources. There are 432 higher education participants. There are > 2,000 services currently offered through InCommon. We like InCommon members. We will find out why soon! [1] http://www.incommon.org/federation/

So Far... We have discussed... - SAML is a way to exchange identity information. - Shibboleth is an implementation of SAML. Penn uses Shibboleth. - InCommon is an Internet2 federation. Penn is a member of InCommon.

Shibboleth How does it work? IdP Identity Provider SP Service Provider

Shibboleth - User Attributes Attribute Suppressible Source Definition Example Basic Attributes that are available to all Service Providers edupersonprincipalname No PennCommunity PennKey/PennName jbreen@upenn.edu surname (sn) 1 2 3 Yes Penn Directory Surname Breen givenname 1 2 3 Yes Penn Directory Given Name John displayname 2 3 Yes Penn Directory Display Name John Breen Mail 3 Yes Penn Directory E-mail Address jbreen@isc.upenn.edu edupersonaffiliation No PennGroups Affiliation edupersonscopedaffiliation No PennGroups Affiliation (scoped) Attributes that are available only by request staff alumni staff@upenn.edu alumni@upenn.edu employeenumber No PennCommunity PennID 10123072 edupersonentitlement No PennGroups Wait for it (1) This information is pulled from Penn Directory. Users should update Penn Directory if they wish to correct the presentation of their name. (2) Other institutions may send more than 1 value for these attributes. We send only 1 value for each as provided by the user in Penn Directory. (3) Service providers should be aware this is user provided data and is not verified. [1] http://www.upenn.edu/computing/weblogin/shibboleth/attribute.html

Shibboleth Metadata Metadata is configuration information for Identity Providers and Service Providers. It is required so Identity Providers and Service Providers know how to talk to each other. <EntityDescriptor entityid="https://idp.pennkey.upenn.edu/idp/shibboleth" xmlns="urn:oasis:names:tc:saml:2.0:metadata"> <IDPSSODescriptor protocolsupportenumeration="urn:oasis:names:tc:saml:2.0:protocol"> <ds:x509certificate> MIIDQDCCAiigAwIBAgIVAIW7U17BF4OIuf7KKeJ2n7iZo4sLMA0GCSqGSIb3DQEB Y/REplQZ1ZwSoTxRxPhDa/Hflq+6mzWGdyCYDdq2Nn4Qk0bMnsNvZj3svVJeBfiG iwe0xy1ro5prb/x5xli9fgaudwe= </ds:x509certificate> </ds:x509data> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.pennkey.upenn.edu/idp/profile/SAML2/POST/SSO"/> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.pennkey.upenn.edu/idp/profile/SAML2/Redirect/SSO"/> </IDPSSODescriptor> </EntityDescriptor>

Shibboleth SAMLRequest <samlp:authnrequest xmlns:samlp="urn:oasis:names:tc:saml:2.0:protocol" AssertionConsumerServiceURL="https://service.upenn.edu/Shibboleth.sso/SAML2/POST" Destination="https://idp.pennkey.upenn.edu/idp/profile/SAML2/Redirect/SSO" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"> <saml:issuer xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion"> https://service.upenn.edu/shibboleth </saml:issuer> </samlp:authnrequest> The requesting service provider must identity itself, and let the identity provider know where to send the response to. The issuer must be a unique name to identify the service provider, it is the entityid that defines the requesting service. An entityid must be a URI, it is strongly recommended that it is a URL. [1] https://spaces.internet2.edu/display/incfederation/entity+ids

Shibboleth SAMLResponse <saml2:attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"> <saml2:attributevalue xsi:type="xs:string">jbreen@upenn.edu</saml2:attributevalue> </saml2:attribute> <saml2:attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"> <saml2:attributevalue xsi:type="xs:string">staff</saml2:attributevalue> <saml2:attributevalue xsi:type="xs:string">employee</saml2:attributevalue> </saml2:attribute> <saml2:attribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"> <saml2:attributevalue xsi:type="xs:string">businessservices:apps:qualtrics:qualtricsisc</saml2:attributevalue> </saml2:attribute> edupersonprincipalname (EPPN) - EPPN is the eduperson equivalent of a username. It is not an e-mail address. edupersonaffiliation - high-level expression of the relationship of the user to the university. edupersonentitlement - Entitlements represent an assertion of authorization to something. Generally, they should be simply compared as strings to access-control expressions in the application [1] http://www.incommon.org/federation/attributesummary.html

Shibboleth Why We Love InCommon Members The integration is usually easier! We most likely already have your metadata, or will shortly after it is published. InCommon Members have a common understanding of affiliation data. We can get metadata in an automated way including updates (metadata refresh). This makes maintenance and key rollover easier. Respect for Privacy of Identity Information Members must adhere to the participation agreement.

Shibboleth Process for Integrating E-Mail us. weblogin-help@isc.upenn.edu We will point you towards our online documentation: http://www.upenn.edu/computing/weblogin/shibboleth/attribute.html We will usually setup a phone call to discuss (~30 minutes). We want your metadata, and you will need ours! We will set things up in our staging environment and test. We want the stakeholders to test as well. We will push things to production. And test again! +24-48 hours after we receive confirmation that things are well in staging.

Shibboleth Things to think about When will users lose access to the service? This is dependent on affiliation changes in Penn Community. Make sure your choices are informed by long-term use of the resource. Be careful which data you are using for authorization. Some data is: suppressible, and/or user controllable. Keep your vendor honest. Make sure your vendor does not allow hijacking of accounts on the basis of user controlled attributes. No matter how you integrate you must consider privacy.

Shibboleth Things to think about Authorization Choices - Use affiliation Data. Affiliation data changes quickly/automatically. - Use PennGroups (edupersonentitlement). Consider the coarseness of your entitlement group in regards to privacy. - Use a Vendor supplied interface to load user data (side load).

Shibboleth - User Attributes Attribute Suppressible Source Definition Example Basic Attributes that are available to all Service Providers edupersonprincipalname No PennCommunity PennKey/PennName jbreen@upenn.edu surname (sn) 1 2 3 Yes Penn Directory Surname Breen givenname 1 2 3 Yes Penn Directory Given Name John displayname 2 3 Yes Penn Directory Display Name John Breen Mail 3 Yes Penn Directory E-mail Address jbreen@isc.upenn.edu edupersonaffiliation No PennGroups Affiliation edupersonscopedaffiliation No PennGroups Affiliation (scoped) Attributes that are available only by request staff alumni staff@upenn.edu alumni@upenn.edu employeenumber No PennCommunity PennID 10123072 edupersonentitlement No PennGroups Wait for it (1) This information is pulled from Penn Directory. Users should update Penn Directory if they wish to correct the presentation of their name. (2) Other institutions may send more than 1 value for these attributes. We send only 1 value for each as provided by the user in Penn Directory. (3) Service providers should be aware this is user provided data and is not verified. [1] http://www.upenn.edu/computing/weblogin/shibboleth/attribute.html

Next Up: PennGroups

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information