CAMP Shibboleth: Enabling Campus and Federated Single Sign-On, Day 2

Day 2, technical section

Also see

Attribute Delivery with Shibboleth

Attributes are…

  • fetched by connectors
  • connectors transform attributes
  • may depend on specific connectors or other attributes
  • uniquely named
  • may be renamed in config files (map attribute name eduPersonAffiliation to the real LDAP attribute uvmPersonSchool)
  • may be scoped => eduPersonScopedAffiliation is derived from uvmPersonSchool and "@uvm.edu"
  • composite; ID="course_entitlements" sourcenames="dept_code,term_code,course_number"
  • SAML2PersistentID can be defined: opaque, unique to the institution and user_id, and of course persistent
  • can be generated by arbitrary Java code

Attribute release policy

  • determines which attributes and values are released to a service provider
  • does not create attributes
  • arp.site.xml describes the policy for the entire site
  • attribute releases are evaluated in a deny-override manner: if any rule says no, the attribute is denied
  • rules contain a human-readable description; a target: to which SPs they are released; and the attributes that may be released
  • ARP match functions are used to determine if an SP or attribute value matches a rule
  • release only what is required, follow the standards
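To make the resolver and ARP notes above concrete, here is a small Python model (added here, not Shibboleth's own code or configuration) of the three attribute steps named above (rename, scope, composite) followed by a deny-override release evaluation. The attribute and source names come from the notes; the SP entity IDs, the rule layout and the glob-style match function are constructed for the example.

```python
from fnmatch import fnmatch

# Constructed sample record, as a directory connector might return it.
LDAP_RECORD = {"uvmPersonSchool": "student", "dept_code": "CS",
               "term_code": "200601", "course_number": "101"}

def resolve_attributes(record, scope="uvm.edu"):
    """Rename, scope and compose attributes as the notes describe."""
    affiliation = record["uvmPersonSchool"]
    return {
        # rename: the LDAP attribute is exposed under its eduPerson name
        "eduPersonAffiliation": [affiliation],
        # scoped: value@scope derived from the same source attribute
        "eduPersonScopedAffiliation": [f"{affiliation}@{scope}"],
        # composite: several source attributes joined into one value
        "course_entitlements": ["_".join(record[k] for k in
                                ("dept_code", "term_code", "course_number"))],
    }

# Constructed site ARP: description, target SP pattern, attribute -> value patterns, effect.
SITE_ARP = [
    {"desc": "Affiliation goes to any campus SP", "target": "https://*.uvm.edu/shibboleth",
     "attributes": {"eduPersonAffiliation": ["*"], "eduPersonScopedAffiliation": ["*"]},
     "effect": "permit"},
    {"desc": "Course entitlements only to the LMS", "target": "https://lms.uvm.edu/shibboleth",
     "attributes": {"course_entitlements": ["*"]}, "effect": "permit"},
    {"desc": "Staff scoped affiliation is never released (deny overrides the permit above)",
     "target": "*", "attributes": {"eduPersonScopedAffiliation": ["staff@*"]},
     "effect": "deny"},
]

def evaluate_arp(rules, sp, attrs):
    """Deny-override: a value is released only if a matching rule permits it
    and no matching rule denies it. Anything unmatched is withheld."""
    released = {}
    for name, values in attrs.items():
        kept = []
        for value in values:
            permitted = denied = False
            for rule in rules:
                if not fnmatch(sp, rule["target"]):
                    continue                      # rule does not target this SP
                if any(fnmatch(value, p) for p in rule["attributes"].get(name, [])):
                    if rule["effect"] == "deny":
                        denied = True
                    else:
                        permitted = True
            if permitted and not denied:
                kept.append(value)
        if kept:
            released[name] = kept
    return released
```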

ShARPE: Shibboleth Attribute Release Policy Editing Tools (pronounced "sharpee")

  • ShARPE (site and group ARPs) and Autograph GUI (user ARPs, help desk use, "do I like what is being released?")
  • ShARPE provides a GUI-based editor to enable
      • ARP admins to implement access contracts (site and group)
      • users to manage their ARPs
      • the site admin to import ARPs defined by SPs

Shibboleth Service Provider experience, OSU

  • 65 or so unique service providers
  • majority are Windows/IIS plus a handful of Linux and one OS X
  • majority of sites were legacy customers, less than 25% new deployments
  • vast majority are in-house web applications
  • no mandates apart from threatened discontinuation of the legacy SSO
  • little central decision making or policies
  • any SSO you like, as long as it's Shibboleth
  • Shib chosen because the sysadmin liked it, not institutional will
  • controlled pilots to establish reliability
  • developed a support web site
  • uses subjectAltName in the OpenSSL certificate profile
  • release of attributes is not firmly regulated
  • most applications are in-house ASP or Cold Fusion
  • https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/SpoofingBug
  • typical attributes are names, course and section entitlements, SSN
  • 3rd party apps: Brio; Desire2Learn — Shibboleth protects a front-door script that invokes the session creation process; PathLore — faked it; PeopleSoft! Kerberos auth not yet supported, appears to support external authentication through the Java front end, either native SP or front-ending; MediaManager (mediamanager.osu.edu)

Challenges

  • management tools for metadata and certs; contact help desk and materials; convincing site admins to take on responsibilities

Lady from Kansas

  • basic questions: can the AuthN/AuthZ process be externalized; who does the authentication?
  • release of an attribute to an SP must be approved by the attribute's data steward; some come from multiple sources, and thus need multiple approvals
  • problem resolution: user => help line. The help line has confidential access (signs an agreement). If they can't solve it, escalate to the "core middleware" group, who may need to contact the data custodian

About Wesley Wright

Born on a mountain top near New York City, Craziest state in the land of the pretty. Raised in the woods so's he knew every tree, Killed him a bear when he was only three.