shibboleth for real dave kennedy [email protected]
TRANSCRIPT
![Page 1: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/1.jpg)
Shibboleth for Real
Dave Kennedy
http://usmai.umd.edu/auth
![Page 2: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/2.jpg)
Environment
• Consortium– 16 institutions
• Services– Ex Libris’ Metalib, Aleph, SFX, Digitool– EZproxy– ILLiad– DSpace, Fedora, etc.
![Page 3: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/3.jpg)
What is the problem?
• Multiple logins for multiple services
• Need to secure flow of data for multiple logins for different applications
• Username/password embedded in URLs to give appearance of single sign on
![Page 4: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/4.jpg)
Why Shibboleth?
• Other considered solutions: PDS, CAS, Pubcookie
• Shibboleth– Single sign on– Secure handling of user attributes– Flexibility to use different AuthZ criteria per service– Designed to function across domains– Ability to authenticate for different vendors’ products
![Page 5: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/5.jpg)
Shib architecture
• Shibboleth – an architecture for handling authentication and attribute assertion in a secure and controlled manner
• Service Provider (SP) – resource
• Identity Provider (IdP) – AuthN source
• WAYF – Where Are You From
• WebISO – Web Initial Sign On
![Page 6: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/6.jpg)
Shib architecture
![Page 7: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/7.jpg)
Investigation
• Installed generic single institution IdP
• Installed generic service provider (script that prints out attributes)
• Proof of concept
![Page 8: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/8.jpg)
Implementation
• Chose EZproxy and Ex Libris’ Metalib/PDS as initial SPs
• EZproxy was already shibboleth-enabled, so easily configured
• Had to implement multiple identity providers for institutions in the consortium
![Page 9: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/9.jpg)
IdP Implementation
• Multiple institutions in one installation
• Multiple configurations for attributes and trust settings
• Multiple ldap settings in WebISO for user verification
![Page 10: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/10.jpg)
Multiple Identity Providers – Virtually Separate
• Totally separate identity providers as far as service providers are concerned
• Unique access points
• Separate trust relationships
![Page 11: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/11.jpg)
PDS
• Patron Directory Service
• Single Sign On between ExLibris applications
• AuthN and AuthZ
![Page 12: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/12.jpg)
Role of PDS in Shib Environment
• Dual role of WAYF and SP
• AuthN
• AuthZ at the application level (Metalib, in our case)
![Page 13: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/13.jpg)
PDS as WAYF
• PDS to present list of institutions (WAYF)
• Choice of institutions redirects to an institution specific URL within PDS
![Page 14: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/14.jpg)
PDS as SP
• Each URL protected by different institution’s Identity Provider
• IdP handles authentication and attribute assertion
• SP receives attributes back from IdP and establishes PDS session
![Page 15: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/15.jpg)
Shib SP configuration
• Shibboleth.xml – settings for SP
• Multiple applications defined, each with a different Identity Provider
• RequestMap defined – map URLs to shib applications
![Page 16: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/16.jpg)
Logout
• No logout provided in shibboleth architecture
• Created a logout for identity provider, with an optional redirect back to service provider
![Page 17: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/17.jpg)
Before
![Page 18: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/18.jpg)
After
![Page 19: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/19.jpg)
Project Details
• Began investigation – March 2005• 1 staff member• 16 IdPs, 3 SPs into production, April 2006• Hardware:
– Test – Sun Fire V480, 2x900MHz UltraSparc III, 8GB RAM (shared server)
– Production – Sun Fire V880, 4x900MHz UltraSparc III+, 16GB RAM (shared server)
• Documentation
![Page 20: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/20.jpg)
Challenges
• Technical– Consortia – virtually separate identity providers– Logout– LDAP – hook into our ldap, single ldap for all
institutions, only use institution specific attributes
• Learning curve, needed concentrated chunks of staff time
• Making shibboleth a priority
![Page 21: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/21.jpg)
What’s next?
• We are rolling out more service providers
• ILLiad going into production within the month
• Aleph to be shib service provider by year’s end
• Online resources
• Consortial members implementing their own identity providers
![Page 22: Shibboleth for Real Dave Kennedy davekenn@umd.edu](https://reader036.vdocuments.net/reader036/viewer/2022062422/56649edc5503460f94becef3/html5/thumbnails/22.jpg)
Dave Kennedy
Shib project page: http://usmai.umd.edu/auth