Embed Size (px)
Citation preview
Shibboleth and InCommonCopyright Texas A&M University 2008. This work
is the intellectual property of the author. Permission is granted for this material to be
shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish
requires written permission from the author.
Flexible Access Control: Shibboleth and the
InCommon Federation
Michael Bolton
Xavier Chapa
Texas A&M University
Why We Are Here
Recently installed Shibboleth and joined InCommon. We would like to share with you the experience and let you know it really works. And, it works really well.
Our Initial Goals
Explore use of Shibboleth
Gain experience with Federations
Join InCommon
Support Texas Digital Library Project
Shibboleth Overview
Shibboleth is Federated Identity Management
Built on the concept of an Identity Provider and a Service Provider
Preserves privacy and anonymity
Shibboleth Diagram
Why We Like Shibboleth
• Built on standards – implementing standards
• Secure connections to Service Providers
• Clear, controlled attribute release• Tailored to application• Flexible integration with SSO• Easy to manage
How we use Shibboleth
The General Case:
CAS is authentication and SSO
Shibboleth is attribute release
What is InCommon
Higher Ed Federation of Identity and Service Providers
Growing Number of Participants
Common Framework for Accessing Sites
InCommon
Why This Approach
Shibboleth and InCommon are standards in higher education. We have a common framework to build in and on. Can easily leverage existing work and effort.
Start with a Plan
What do you want to do
What do you need to do it
Realize what you are doing
Integrate with existing infrastructure
Wealth of knowledge out there
Work the Plan
1. Install and test Shibboleth
2. Add Service Provider
3. Add InCommon
Not intended as a rigid plan but adds a little structure for your deployment
CAS - Shibboleth
Install Shibboleth IdP
Started with 1.3
Deployed on Linux and not all Linux’s are the same
CAS as SSO Solution
LDAP based
Use the Web (for help and support)
Test Initial Deployment
Used Simple application to verify operation of Shibboleth
Used our applications for debugging
Made sure Shibboleth was running and we knew how to use it
Simple ENV Application
Customize Site
Update and change pages for your institution
Read the guide on what needs updating
Branding is an ongoing project
You are now an operational Shibboleth site
Join InCommon
Fill out the contract
Study the Federation Operating Practices and Procedures
Complete the Participant Operational Practices
Work with your Legal and Contracts departments
POP
Participant Operational Practices
Participant Information Credential Provider Information Electronic Identity Credentials …
Test Connections
Build on step One, your local Shibboleth deployment
Will be added to InCommon WAYF
Use Shibboleth test/reference site
It Worked!
Staying in InCommon
Watch the fee schedule
Remember your password
Vetted process – know the players
Keep documentation current (POP, etc.)
MetaData
MetaData is key for Shibboleth
Need to update frequently or better yet, regularly
Out of sync MetaData causes a lot of problems
Managing MetaData
We used virtual hosts for the various federations we plan/are joining
Keep your documentation straight
Monitor the process – make sure it is running
InCommon Metadata
Keep up with Sites
Build a Production System
Added redundancy for Shibboleth
Redundant LDAP and Kerberos servers
Separated testing and production
Use good certificates
System Diagram
Our Next Goal
Make it easy to use WebAssign
First pass – authenticate existing ids
Second pass – just add classes to WebAssign site
Keys To Project
Need the data
Need a schema
Need to negotiate the attribute release
Following a naming convention
Called WebAssign
Worked with Brian Marks @ WebAssign
Used Certificate Information from InCommon Federation MetaData
Agreed on format of elements released
Leverage Existing Data
Had course data in Oracle
Used for SYMPA mailing lists
Maintained on semester basis
Had remaining essential data in LDAP
Updated nightly
Accessing the Data
Updated ResolverAdded JDBC Connector to Shibboleth
Developed ARP for WebAssign
Check your logs
Have a Schema
Deployed EduPerson
Deployed EduCourse
Researched and used appropriate attributes
Update Shibboleth• Update the resolver.xml file to add
your data sources• Update the arp.xml for attribute
release• Names matter• Restrict the access whenever
possible
Resolver.XML
Arp.xml
AAP.xml
Attribute Release
Declared WebAssign valid academic use of data
Watch the use of eduPersonTargetedID
Need to maintain privacy and protect restricted or confidential data
What’s In a Name
Sample Course Identifier
urn:mace:tamu.edu:crs:2007C:TEST209504
Verified System
Used our test accounts
Worked closely with vendor
Great support from WebAssign
Customized Login Page
Did not use WAYF or InCommon Site for this deployment
Had customized WebAssign login page
Could be integrated into existing pages fairly easily
WebAssign Login
Texas A&M Login
Market the Service
Work with your departments
Educate your helpdesk
Multiple levels of support
Leverage SSO if you have it
Texas Digital Library
• Institutional Repositories• Built on DSpace• Shibboleth for AuthN/AuthZ• Establishing a new Texas-wide
Federation• Layered authorization model
http://www.tdl.org/
Schema Part II
The local federation needed a different set of attributes
Extended the EduPerson schema
Used tamuEduPerson extensions
TDL Federation attributes
Must agree upon names
More Applications
Departmental use of institutional data For Moodle deployments
Allows institution to share applicationsWireless network access at UT
TAMU Security Awareness Training
Even More Applications
Grid Computing
Sakai
LionShare at Penn State
The Big Benefit
• We have a standard• More people will adopt it• Reach critical mass in
implementers• Leverage with vendors
And we learned …
• You do not dabble with this• You cannot cut corners• Be serious about privacy and
suppression• Be careful with accounts• Stay involved with community• The more you do, the more you know
Philosophy
“ I hear and I forget,
I see and I remember,
I do and I understand.”
Confucius
Links
http://www.incommonfederation.org/
http://shibboleth.internet2.edu/
http://infrastructure.tamu.edu/
http://www.tdl.org/
