Shibboleth 2.0 IdP Training: Authentication

January, 2009


Terms: Authentication Mechanism

• A mechanism used to authenticate a user

• Shibboleth 2 supports the following authentication mechanisms:

  • Remote User

  • Username/Password (LDAP, Kerberos)

  • IP Address


Terms: Login Handler

• An IdP component that implements and configures one authentication mechanism (for example RemoteUser or UsernamePassword)


Terms: Session

• Contains:

  • State information about the user

  • Active authentication methods

  • Services the user is signed into

• Created when the user authenticates

• Session termination = the user must authenticate again

• Federated identity involves many different sessions (one at the IdP, one at each SP)


Login Handler: Configuration

• Login handlers are defined in handler.xml

• Each is defined by a <LoginHandler> element

• Must have a type (the xsi:type attribute) and at least one <AuthenticationMethod> child element naming the SAML authentication method it provides

• Each type has its own set of configuration attributes


Login Handler: RemoteUser

• Login handler that relies on the web server or servlet container for authentication

• The value of REMOTE_USER is taken as the user's principal name

• The IdP trusts REMOTE_USER as-is, so the container must actually enforce authentication on the handler's path (/Authn/RemoteUser); if that path is left unprotected, any value the client can cause to be set there becomes an authenticated principal

• Type:

  • RemoteUser

• Configuration attributes:

  • (none)


Login Handler: UsernamePassword

• Login handler that prompts for a username and password

• Validates against a JAAS module

• LDAP & Kerberos 5 supported

• Type:

• UsernamePassword

• Configuration attributes

  • jaasConfigurationLocation (URL of the JAAS configuration file, login.config)


Login Handler: UsernamePassword

• A login page is provided and will be presented to the user:

  • /var/setup/identityprovider/resources/webpages/login.jsp

• Multiple UsernamePassword login handlers can be defined

  • Different authentication methods

  • Failover in case a provider is down
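The following handler.xml fragment is an added example for this training material, not a file shipped with the IdP or shown in the deck. It puts the pieces from the last several slides together: a RemoteUser handler with no type-specific attributes, and a UsernamePassword handler with its jaasConfigurationLocation and an explicit authenticationDuration (the inactivity timeout, in minutes, described later in the deck; the IdP default is 30). The file path and the 15-minute value are assumptions; the namespace URIs, element names, attribute names and SAML method URIs are the real ones.

```xml
<!-- Added example fragment of handler.xml (not from the deck or the IdP
     distribution). These elements go inside the stock file's
     <ph:ProfileHandlerGroup>, after the ErrorHandler and ProfileHandler
     elements. Prefixes as in the stock file:
       ph  = urn:mace:shibboleth:2.0:idp:profile-handler
       xsi = http://www.w3.org/2001/XMLSchema-instance -->

<!-- RemoteUser: the container authenticates requests to /Authn/RemoteUser
     and the IdP takes REMOTE_USER as the principal. There are no
     type-specific attributes; the container's protection of that path is
     the actual security control. -->
<ph:LoginHandler xsi:type="ph:RemoteUser">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
</ph:LoginHandler>

<!-- UsernamePassword: prompts with login.jsp and validates through the JAAS
     configuration named by jaasConfigurationLocation (a URL; this path is an
     assumption). authenticationDuration is minutes of inactivity before this
     method counts as inactive and the user must re-authenticate for an SP
     that needs it; omitted, it defaults to 30. 15 is a deliberately tighter
     example value. -->
<ph:LoginHandler xsi:type="ph:UsernamePassword"
                 jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config"
                 authenticationDuration="15">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>
```

The method URI on each handler is what the IdP matches against an SP's RequestedAuthnContext, so an SP asking for PasswordProtectedTransport is routed to the UsernamePassword handler even if a RemoteUser session already exists. Keep PasswordProtectedTransport on the UsernamePassword handler only if login.jsp really is served over TLS; the URI is a claim the IdP makes to SPs, not something it verifies.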


Lab: Login Handlers

• Modify handler.xml to enable the UsernamePassword login handler

• Configure login.config to use the training LDAP server
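A login.config for the second lab step, written as an added example rather than the lab's own solution file. It uses the LDAP JAAS module the IdP bundles and the JAAS application name the UsernamePassword handler looks up, ShibUserPassAuth. The host names and base DN are assumptions standing in for the training LDAP server; the second module shows the failover pattern mentioned on the previous slide.

```text
/* login.config (added example, not the training deck's file).
   The UsernamePassword login handler looks up the JAAS application named
   ShibUserPassAuth. Host names and the base DN are assumptions. */
ShibUserPassAuth {
    /* Primary directory. "sufficient": if this module succeeds the chain
       stops with success; if it fails (bad password or server down) JAAS
       continues to the next module, which is what gives failover. */
    edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
        ldapUrl="ldap://ldap1.training.example.org"
        baseDn="ou=people,dc=training,dc=example,dc=org"
        ssl="true"
        userFilter="uid={0}";

    /* Replica, consulted only when the primary did not succeed. With every
       module "sufficient", the login fails only if all of them fail. */
    edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
        ldapUrl="ldap://ldap2.training.example.org"
        baseDn="ou=people,dc=training,dc=example,dc=org"
        ssl="true"
        userFilter="uid={0}";
};
```

Two things worth checking before using this outside a lab: ssl="true" matters because the module performs a simple bind with the user's password, which would otherwise cross the network in clear text; and userFilter="uid={0}" substitutes the raw username into an LDAP search filter, so the supplied value should be restricted (the module escapes it, but the filter should still only match the attribute you intend). The exact option names depend on the vt-ldap version bundled with the IdP; older releases used host/base/userField instead of ldapUrl/baseDn/userFilter.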


Login Handler: Authentication Duration

• Each authentication mechanism supports an inactivity timeout

• After this timeout expires the mechanism is considered inactive for that user

• If the user then attempts to access a new service provider that requires that authentication mechanism, they must re-authenticate


Login Handler: Authentication Duration

• The inactivity timeout is configured by setting the authenticationDuration attribute on the <LoginHandler> element

• The value is the number of minutes of inactivity; the default value is 30

• The timeout is per mechanism, not per IdP session: a user whose UsernamePassword authentication has gone inactive may still hold a valid IdP session through another mechanism


Forced Authentication

• SAML 2 allows a service provider to force authentication of the user, even if the user has an existing session

• This is supported only by mechanisms that can re-authenticate a user:

  • UsernamePassword – yes

  • RemoteUser – no (the IdP cannot make the container re-challenge the user; it only sees REMOTE_USER)

• The service provider will receive a SAML error response if the IdP cannot satisfy forced authentication, so an IdP that offers only RemoteUser cannot serve SPs that require step-up or re-authentication
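The SP-side message that triggers forced authentication, shown as an added example (it is not part of the training deck). The element and attribute names come from the SAML 2.0 protocol schema; the request ID, timestamp and endpoint URLs are assumed values.

```xml
<!-- Added example of a SAML 2.0 AuthnRequest with ForceAuthn (not from the
     deck). ID, IssueInstant, Destination, ACS URL and issuer are assumed. -->
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_7c1c6d8e0f3a4b2d9e1f5a6b7c8d9e0f"
    Version="2.0"
    IssueInstant="2009-01-15T10:00:00Z"
    Destination="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST"
    ForceAuthn="true"
    IsPassive="false">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
  <!-- Asking for a specific method pins the IdP to a handler that can
       honour ForceAuthn. Without this, an IdP whose only matching handler
       is RemoteUser cannot re-authenticate and returns an error Response. -->
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
```

ForceAuthn="true" tells the IdP to disregard any existing session for this user and run the login handler again; the IdP's AuthnStatement in the resulting assertion carries a fresh AuthnInstant, which is what the SP should check rather than merely the presence of an assertion. The Shibboleth SP sends this attribute when its session initiator is invoked with forceAuthn set.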


References

• More information on IdP authentication can be found at:

  • https://spaces.internet2.edu/display/SHIB2/IdPUserAuthn