{"id":541,"date":"2006-06-27T09:58:57","date_gmt":"2006-06-27T13:58:57","guid":{"rendered":"http:\/\/www.uvm.edu\/~waw\/blog\/?p=541"},"modified":"2006-06-27T09:58:57","modified_gmt":"2006-06-27T13:58:57","slug":"camp-shibboleth-enabling-campus-and-federated-single-sign-on-day-2","status":"publish","type":"post","link":"https:\/\/blog.uvm.edu\/waw\/2006\/06\/27\/camp-shibboleth-enabling-campus-and-federated-single-sign-on-day-2\/","title":{"rendered":"CAMP Shibboleth: Enabling Campus and Federated Single Sign-On, Day 2"},"content":{"rendered":"<h1>Day 2, technical section<\/h1>\n<p>Also see<\/p>\n<ul>\n<li><a href=\"..\/..\/..\/%7Ewaw\/blog\/?p=540\">CAMP Shibboleth: Enabling Campus and Federated Single Sign-On, Day 1<\/a><\/li>\n<li><a href=\"..\/..\/..\/%7Ewaw\/blog\/?p=542\">CAMP Shibboleth: Enabling Campus and Federated Single Sign-On, Day 3<\/a><\/li>\n<\/ul>\n<h2>Attribute Delivery with Shibboleth<\/h2>\n<h3>Attributes are&#8230;<\/h3>\n<ul>\n<li>fetched by connectors<\/li>\n<li>connectors transform attributes<\/li>\n<li>may depend on specific connectors or other attributes<\/li>\n<li>uniquely named<\/li>\n<li>may be renamed in config files (map attribute name eduPersonAffiliation to real LDAP attribute uvmPersonSchool)<\/li>\n<li>may be scoped =&gt; eduPersonScopedAffiliation is derived from uvmPersonSchool and &quot;@uvm.edu&quot;<\/li>\n<li>composite; ID=&quot;course_entitlements&quot; sourcenames=&quot;dept_code,term_code,course_number&quot;<\/li>\n<li>SAML2PersistentID can be defined: opaque, unique to institution and user_id, and of course, persistent<\/li>\n<li>can be generated by arbitrary Java code<\/li>\n<\/ul>\n<h3>Attribute release policy<\/h3>\n<ul>\n<li>determines which attributes and values are released to the service provider<\/li>\n<li>does not create attributes<\/li>\n<li>arp.site.xml describes policy for the entire site<\/li>\n<li>attribute releases are evaluated in a deny-override manner:
if any rule says no, the attribute is denied<\/li>\n<li>rules contain a human-readable description; target: to which SPs they are released; attributes that may be released<\/li>\n<li>ARP match functions are used to determine if an SP or attribute value matches a rule<\/li>\n<li>release only what is required, follow the standards<\/li>\n<\/ul>\n<h2>ShARPE: Shibboleth Attribute Release Policy Editing Tools (pronounced &quot;sharpee&quot;)<\/h2>\n<ul>\n<li>ShARPE (site and group ARPs) and Autograph GUI (user ARPs, help desk use, do I like what is being released)<\/li>\n<li>ShARPE provides a GUI-based editor to enable<\/li>\n<li>ARP admins to implement access contracts (site and group)<\/li>\n<li>users to manage their ARPs<\/li>\n<li>site admin can import ARPs defined by SPs<\/li>\n<\/ul>\n<h2>Shibboleth Service Provider experience, OSU<\/h2>\n<ul>\n<li>65 or so unique service providers<\/li>\n<li>majority are Windows\/IIS plus a handful of Linux and one OS X<\/li>\n<li>majority of sites were legacy customers, less than 25% new deployments<\/li>\n<li>vast majority are in-house web applications<\/li>\n<li>no mandates apart from threatened discontinuation of legacy SSO<\/li>\n<li>little central decision making or policies<\/li>\n<li>any SSO you like, as long as it&#8217;s Shibboleth<\/li>\n<li>Shib chosen &#8217;cause the sysadmin liked it, not institutional will<\/li>\n<li>controlled pilots to establish reliability<\/li>\n<li>developed support web site<\/li>\n<li>uses subjectAltName in OpenSSL certificate profile<\/li>\n<li>release of attributes is not firmly regulated<\/li>\n<li>most applications are in-house ASP or ColdFusion<\/li>\n<li>https:\/\/authdev.it.ohio-state\/edu\/twiki\/bin\/view\/Shibboleth\/SpoofingBug<\/li>\n<li>typical attributes are names, course and section entitlements, SSN<\/li>\n<li>3rd party apps: Brio; Desire2Learn &#8212; Shibboleth protects a front-door script that invokes the session creation process; PathLore &#8212;
faked it; PeopleSoft! Kerberos auth not yet supported, appears to support external authentication through the Java front end, either native SP or front-ending; MediaManager (mediamanager.osu.edu)<\/li>\n<\/ul>\n<h3>Challenges<\/h3>\n<ul>\n<li>management tools for metadata, certs; contact help desk and materials; convincing site admins to take on responsibilities<\/li>\n<\/ul>\n<h2>Lady from Kansas<\/h2>\n<ul>\n<li>basic questions: can the AuthN\/AuthZ process be externalized? do they authenticate?<\/li>\n<li>release of an attribute to an SP must be approved by the attribute&#8217;s data steward; some come from multiple sources, and thus need multiple approvals<\/li>\n<li>problem resolution: user =&gt; help line. help line has confidential access (sign an agreement). if they can&#8217;t solve it, escalate to &quot;core middleware&quot;, who may need to contact the data custodian<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Day 2, technical section Also see CAMP Shibboleth: Enabling Campus and Federated Single Sign-On, Day 1 CAMP Shibboleth: Enabling Campus and Federated Single Sign-On, Day 3 Attribute Delivery with Shibboleth Attributes are&#8230; fetched by connectors connectors transform attributes &hellip; <a href=\"https:\/\/blog.uvm.edu\/waw\/2006\/06\/27\/camp-shibboleth-enabling-campus-and-federated-single-sign-on-day-2\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31325,6517],"tags":[],"class_list":["post-541","post","type-post","status-publish","format-standard","hentry","category-professional-development","category-projects"],"_links":{"self":[{"href":"https:\/\/blog.uvm.edu\/waw\/wp-json\/wp\/v2\/posts\/541","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.uvm.edu\/waw\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.uvm.edu\/waw\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.uvm.edu\/waw\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.uvm.edu\/waw\/wp-json\/wp\/v2\/comments?post=541"}],"version-history":[{"count":0,"href":"https:\/\/blog.uvm.edu\/waw\/wp-json\/wp\/v2\/posts\/541\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.uvm.edu\/waw\/wp-json\/wp\/v2\/media?parent=541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.uvm.edu\/waw\/wp-json\/wp\/v2\/categories?post=541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.uvm.edu\/waw\/wp-json\/wp\/v2\/tags?post=541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}