Day 3: Rolling out the federation

Also see

• CAMP Shibboleth: Enabling Campus and Federated Single Sign-On, Day 1
  
• CAMP Shibboleth: Enabling Campus and Federated Single Sign-On, Day 2
  

• o Obviously, must sell to stakeholders — including your own IT org, Play the innovation card — use buzz in trades and expert orgs — start small but scalable — sell the flexibility
• o be aware that your initial test install might have to be production service
• o policy stakeholders — risk management, information privacy officer, trademarks and brands, office of general council, internal audit, information security officer
• o do you need a federation?
• o are your apps ready for lonnnnnnng identifiers, fro ‘swl’ to b884773773ty3gg3ttgdhjjya7jjdjlllaiiisij4j4j4@stanford.edu
• o Judges 12:6 — an example of security policy

  The Gileadites took the fords of the Jordan against the Ephraimites. It was so, that when any of the fugitives of Ephraim said, Let me go over, the men of Gilead said to him, "Are you an Ephraimite?" If he said, "No;" then said they to him, "Now say’Shibboleth;’" and he said "Sibboleth;" for he couldn’t manage to pronounce it right: then they laid hold of him, and killed him at the fords of the Jordan. At that time, forty-two thousand of Ephraim fell.

identity meets reality

• identity must exist, but we don’t know what it is (philosophical statement)
• incommon federation: trust federation for US higher education operated by internet2 based on saml (specifically shibboleth). Slow steady growth, lessons learned, legal and liability issues, maturing technical specs
• US E-Authentication (EAI), chartered to support e-government,access to gov apps for citizens, employess, contractors, etc. big legal agreement. SAML for level 1,2; client certs for level 3-4
• EAI/InCommon interfederation, access to USG apps for HE members: grants management, dept of ed, research collaborartions — still in development
• when will apps be federated? blogs and wikis on the way to being webSSO-enabled now, so shib could be easy. vendor apps starting about to talk about it. Key HE aps are Sakai, BB, GridShib
• web services (SOAP) how are these secured? Look up WS_Security, whatever that is. or Liberty WSF. Shib support not well defined
• convergence of identity interests: phishing, ordinary people as resource owners (blogs, wikis, photos/music, RSS, social networks, blogspam); personal privacy. Technical solutions being promoted OpenID (http://openid.net/, developed to fight blogspam) and information cards (Microsoft-promoted) — formerly InfoCard, aka identity metasystem, identities visable to users as cards, user generated or third-party provided, typical signon, creditcard purchase cases, supported by WS-Trust protocol, shib support questionable

Day 2, technical section

Also see

• CAMP Shibboleth: Enabling Campus and Federated Single Sign-On, Day 1
  
• CAMP Shibboleth: Enabling Campus and Federated Single Sign-On, Day 3

Attribute Delivery wwith Shibboleth

Attributes are…

• o fetched by connectors
• o connectors transform attributes
• o may depend on specific connectors or other attributes
• o uniquely named
• o may be renamed in config files (map attribute name  eduPersonAffiliation to real LDAP attribute uvmPersonSchool)
• o may be scoped => eduPersonScopedAffilaita is derived from uvmPersonSchool and "@uvm.edu"
• o composite; ID="course_entitkedments" sourcenames="dept_code,term_code,course_number"
• o SAML2PersitstantID can be defined: opaque, unique to institution and user_id. and of course, persistent
• o can be generated by arbitrary Java code

Attribute relsease policy

• o determines which attributes and values are relased to sevice provider
• o does not create attributes
• o arp.site.xml describes policy for entire site
• o attribute releases evaluated in a deny-override method. If any rule says no, attribute denied
• o rules contain human redable description; target: to what SPs are they released; attributes that may be released
• o ARP match functions used to determine is a SP or attribute value matches a rule
• o release only what is required, follow the standards

ShARPE: Shibboleth Attribute Release Policy Editing Tools (pron sharpee)

• ShaRPE (site and group ARPs) and Autograph GUI (user ARPs, help desk use, do I like what is being released)
• ShARPE provides a GUI-baed editor to emnable
• o ARP admins to impliment access contracts (site and group)
• o users to manage their ARPs
• o site admin can import ARPs defined by SPs

Shibboleth Service Provider experience, OSU

• o 65 or so unique service providers
• o majority are windows/iis plus a handful of linux and one osx
• o majority of sites were legacy customers, less than 25% new deployments
• o vast majority are in-house web applications
• o nomandates apart from hreatened discontinuation of legacy SSO
• o little central decision making or policies
• o any sso you like, as long as it’s shiboleth
• o shib chose ’cause the sysadmin liked it, not institutional will
• o controlled pilots to establish reliability
• o developed support web site
• o uses subjectAltName in opensssl certificate profile
• o release of attributes is not firmly regulated
• o most appications are in house ASP or Cold Fusion
• o https://authdev.it.ohio-state/edu/twiki/bin/view/Shibboleth/SpoofingBug
• p typical attributes are names, course and section entitlments, ssn
• o 3rd party apps: Brio; Desire2Learn — shibboleth protects a front-door script taht invokes the sesion creation process; PathLore — faked it; PEOPLESOFT ! kereros auth not yet supported, appears to support external authentication through the Java front end, either native SP or front-ending; MediaManager (mediamanager.osu.edu)

Challenges

• o management tools for metadata, certs; contact help desk and materials; convincing site admins to take on responsibilities

Lady from Kansas

• o basic questions: can the AuthN/AuthZ process be externalizedl do the authenicate.
• o release of an attribyte to a SP must be apporved by attributes data steward, some come from multiple source, and thus need multiple approvals
• o problem resolution: user => help line. help line has confidential access (sign agreemnet). if they can’t solve, escalete the "core middleare" hwo may need to contcat data custodian