Day 2, technical section

Also see

Attribute Delivery wwith Shibboleth

o fetched by connectors
o connectors transform attributes
o may depend on specific connectors or other attributes
o uniquely named
o may be renamed in config files (map attribute name eduPersonAffiliation to real LDAP attribute uvmPersonSchool)
o may be scoped => eduPersonScopedAffilaita is derived from uvmPersonSchool and "@uvm.edu"
o composite; ID="course_entitkedments" sourcenames="dept_code,term_code,course_number"
o SAML2PersitstantID can be defined: opaque, unique to institution and user_id. and of course, persistent
o can be generated by arbitrary Java code

o determines which attributes and values are relased to sevice provider
o does not create attributes
o arp.site.xml describes policy for entire site
o attribute releases evaluated in a deny-override method. If any rule says no, attribute denied
o rules contain human redable description; target: to what SPs are they released; attributes that may be released
o ARP match functions used to determine is a SP or attribute value matches a rule
o release only what is required, follow the standards

ShaRPE (site and group ARPs) and Autograph GUI (user ARPs, help desk use, do I like what is being released)
ShARPE provides a GUI-baed editor to emnable
o ARP admins to impliment access contracts (site and group)
o users to manage their ARPs
o site admin can import ARPs defined by SPs

o 65 or so unique service providers
o majority are windows/iis plus a handful of linux and one osx
o majority of sites were legacy customers, less than 25% new deployments
o vast majority are in-house web applications
o nomandates apart from hreatened discontinuation of legacy SSO
o little central decision making or policies
o any sso you like, as long as it’s shiboleth
o shib chose ’cause the sysadmin liked it, not institutional will
o controlled pilots to establish reliability
o developed support web site
o uses subjectAltName in opensssl certificate profile
o release of attributes is not firmly regulated
o most appications are in house ASP or Cold Fusion
o https://authdev.it.ohio-state/edu/twiki/bin/view/Shibboleth/SpoofingBug
p typical attributes are names, course and section entitlments, ssn
o 3rd party apps: Brio; Desire2Learn — shibboleth protects a front-door script taht invokes the sesion creation process; PathLore — faked it; PEOPLESOFT ! kereros auth not yet supported, appears to support external authentication through the Java front end, either native SP or front-ending; MediaManager (mediamanager.osu.edu)

o management tools for metadata, certs; contact help desk and materials; convincing site admins to take on responsibilities

o basic questions: can the AuthN/AuthZ process be externalizedl do the authenicate.
o release of an attribyte to a SP must be apporved by attributes data steward, some come from multiple source, and thus need multiple approvals
o problem resolution: user => help line. help line has confidential access (sign agreemnet). if they can’t solve, escalete the "core middleare" hwo may need to contcat data custodian