IT Services: Shibboleth Single Sign-On overview

Overview
- What/where/why?
- The UK-Federation/Registration
- Terminology
- Configuration
- Protecting Content
- Benefits for Application Developers
- Setting up Shibboleth on a web server (demo)

What/where/why Shibboleth?
What?
- Web Single Sign-On system
- Separates authentication and authorisation
Where?
- Websites/web applications (and mobile applications)
- eJournals
Why?
- Single University username and password
- Log in once, access everything
- Lightweight development of personalised content

The UK-Federation/Registration
- Central store for Shibboleth registrations
- Automatic integration
- Federated trust: institutions/organisations sign up
- Separate registration for each service
- Enables inter-institutional collaboration (using University username and password)
http://www.ukfederation.org.uk/library/uploads/Documents/overview.pdf

Terminology: IdP/SP
- IdP (Identity Provider): our gateway login server
- SP (Service Provider): e.g. website/webapp/eJournal
- The user types their password once per browser session (or not at all)
- SPs trust the IdP's assertion of user identity and other information

Terminology: Single Sign-on

- Accesses to other SPs go through the same flow, but the user doesn't have to log in to the IdP again
- IdP: our gateway login server; SP: e.g. website/webapp/eJournal

Terminology: Attributes/SAML
Attributes: things about a person (forename, department etc.)
- Most come from a database on the IdP, updated nightly from IDFS
- Group memberships come from the Active Directory, updated live from Grouper
- Some standard attributes, some custom to us
- Release everything to Newcastle SPs, minimal to external SPs
SAML: Security Assertion Mark-up Language
https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

Terminology: EntityID/Metadata
- Unique identifier for servers running Shibboleth (IdP or SP)
- Also referred to as Relying Party
- Not a valid URL: it is an identifier, not an address to fetch
- Newcastle standard: https://servicename.ncl.ac.uk/shibboleth/metadata
  e.g. https://blackboard.ncl.ac.uk/shibboleth/metadata

Service Provider configuration files
shibboleth2.xml
- Main Shibboleth service provider configuration file
- Mostly won't need updating once set up
attribute-map.xml
- Defines how attributes get turned into web server headers
- Probably never needs updating

Protecting content (mod_shib)

- Most web applications require authentication
- Service Provider software can control who can access the pages
- Programs/programmers (and users) can personalise content

Protecting content: Linux/Apache
shibd.conf: Apache configuration file
Require (attribute from the attribute-map.xml file)

Any user:
    AuthType shibboleth
    ShibRequireSession On
    Require valid-user

User group:
    AuthType shibboleth
    ShibRequireSession On
    Require grouper_groups Applications:D-NUIT:Mailing_Lists:NUIT_All_Mailin

Protecting content: Windows
shibboleth2.xml (only these fragments survive from the slide)

Any user:
    authType="shibboleth"/>

User group:
    Applications:DECLS:ECLS_Auto_StaffContact_Admin

Application Developers
- No authentication code required

- No user credentials stored
- Access to live, accurate user information
- Server headers carry the attributes used for personalisation
- Language and platform independent:
    PHP   $_SERVER['Shib-affiliation'];
    Java  HttpServletRequest.getHeader("Shib-affiliation")
    ASP   Request.ServerVariables("HTTP_SHIB_AFFILIATION")

Setting up a Shibboleth Service Provider
1. Download/install the Shibboleth SP software; instructions at https://wiki.shibboleth.net/confluence/display/SHIB2/Installation
2. Download the attribute-map.xml and shibboleth2.xml files from http://www.ncl.ac.uk/itservice/login-gateway/installing/
3. Edit shibboleth2.xml: replace servicename.ncl.ac.uk (test at: https://.ncl.ac.uk/secure)
4. Open an NUService ticket telling us the service address you want us to register.

Summary
- Authentication dealt with by the IdP; authorisation dealt with by SPs
- Removes need for apps to authenticate
- Passwords entered in one place
- SP configuration in XML or Apache files
- Access based on user attributes/federated trust
- Personalised content
- Access to many resources without re-authentication
- Lightweight personalisation of content
- Minimal (none identifiable) information released off-campus, by default

Any questions?
Shibboleth Wiki: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPGettingStarted
Our service pages: http://www.ncl.ac.uk/itservice/login-gateway/
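Added example (not from the slides or from the Newcastle service): how the "Require grouper_groups ..." rule from the Apache slide and the Shib-affiliation personalisation from the Application Developers slide look inside a WSGI application behind the Shibboleth SP. It assumes the SP exposes attributes as request variables named by their attribute-map.xml ids, that multi-valued attributes arrive ';'-delimited (the SP default), and that Shib-Session-ID marks an SP session; the request environments are constructed.

```python
"""Enforce 'Require grouper_groups <group>' and personalise by Shib-affiliation
inside a WSGI app behind the Shibboleth SP (added example, not the slides' code).

Assumptions: attributes arrive as request variables named by attribute-map.xml
ids (Shib-affiliation, grouper_groups), multi-valued ones ';'-delimited (SP
default), and Shib-Session-ID is present only when the SP has a session.
Reading the SP's own variables, not client-sent HTTP headers, is what keeps
the values trustworthy; HTTP_SHIB_* on the ASP slide is IIS's server-variable view.
"""

# Group from the 'User group' Apache slide, exactly as printed there.
REQUIRED_GROUP = "Applications:D-NUIT:Mailing_Lists:NUIT_All_Mailin"


def attribute_values(environ, name):
    """Values of one Shib attribute; [] when the SP released nothing."""
    raw = environ.get(name, "")
    return [v for v in raw.split(";") if v]


def has_session(environ):
    # ShibRequireSession On already enforces this at the web server; checking
    # again in the app is defence in depth (e.g. a misconfigured Location block).
    return bool(environ.get("Shib-Session-ID"))


def authorise(environ, required_group=REQUIRED_GROUP):
    """Mirror 'Require grouper_groups <group>'. Returns (status, body).
    401: no SP session (the SP would normally redirect to /Shibboleth.sso/Login);
    403: authenticated but not a member; 200: allowed, body personalised."""
    if not has_session(environ):
        return 401, "no Shibboleth session"
    groups = attribute_values(environ, "grouper_groups")
    if required_group not in groups:  # whole-value match, as mod_shib's Require does
        return 403, "not a member of " + required_group
    affiliation = attribute_values(environ, "Shib-affiliation")
    return 200, "welcome (" + ", ".join(affiliation) + ")"


# Constructed request environments standing in for real SP output.
MEMBER = {"Shib-Session-ID": "_abc123",
          "Shib-affiliation": "staff@ncl.ac.uk;member@ncl.ac.uk",
          "grouper_groups": REQUIRED_GROUP + ";Other:Group"}
NON_MEMBER = {"Shib-Session-ID": "_def456", "Shib-affiliation": "student@ncl.ac.uk",
              "grouper_groups": "Other:Group;" + REQUIRED_GROUP + "_Extra"}  # prefix only
ANONYMOUS = {}

if __name__ == "__main__":
    for env in (MEMBER, NON_MEMBER, ANONYMOUS):
        print(authorise(env))
```

The NON_MEMBER case shows why the check must compare whole values: a group name that merely starts with the required one must not be accepted.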
