Flexible Access Control: Shibboleth and the InCommon

Shibboleth and InCommon
Copyright Texas A&M University 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Flexible Access Control: Shibboleth and the InCommon Federation
Michael Bolton
Xavier Chapa
Texas A&M University
Why We Are Here
Recently installed Shibboleth and joined InCommon. We would like to share with you the experience and let you know it really works. And, it works really well.
Our Initial Goals
Explore use of Shibboleth
Gain experience with Federations
Join InCommon
Support Texas Digital Library Project
Shibboleth Overview
Shibboleth is Federated Identity Management
Built on the concept of an Identity Provider and a Service Provider
Preserves privacy and anonymity
Shibboleth Diagram
Why We Like Shibboleth
• Built on standards – implementing standards
• Secure connections to Service Providers
• Clear, controlled attribute release
• Tailored to application
• Flexible integration with SSO
• Easy to manage
How we use Shibboleth
The General Case:
CAS is authentication and SSO
Shibboleth is attribute release
What is InCommon
Higher Ed Federation of Identity and Service Providers
Growing Number of Participants
Common Framework for Accessing Sites
InCommon
Why This Approach
Shibboleth and InCommon are standards in higher education. We have a common framework to build in and on, and we can easily leverage existing work and effort.
Start with a Plan
What do you want to do
What do you need to do it
Realize what you are doing
Integrate with existing infrastructure
Wealth of knowledge out there
Work the Plan
1. Install and test Shibboleth
2. Add Service Provider
3. Add InCommon
Not intended as a rigid plan, but it adds a little structure for your deployment
CAS - Shibboleth
Install Shibboleth IdP
Started with Shibboleth IdP 1.3
Deployed on Linux, and not all Linux distributions are the same
CAS as SSO Solution
LDAP based
Use the Web (for help and support)
Test Initial Deployment
Used a simple application to verify operation of Shibboleth
Used our applications for debugging
Made sure Shibboleth was running and we knew how to use it
Simple ENV Application
Customize Site
Update and change pages for your institution
Read the guide on what needs updating
Branding is an ongoing project
You are now an operational Shibboleth site
Join InCommon
Fill out the contract
Study the Federation Operating Practices and Procedures
Complete the Participant Operational Practices
Work with your Legal and Contracts departments
POP
Participant Operational Practices
Participant Information
Credential Provider Information
Electronic Identity Credentials
…
Test Connections
Build on step one, your local Shibboleth deployment
Will be added to InCommon WAYF
Use Shibboleth test/reference site
It Worked!
Staying in InCommon
Watch the fee schedule
Remember your password
Vetted process – know the players
Keep documentation current (POP, etc.)
MetaData
MetaData is key for Shibboleth
Need to update frequently or, better yet, regularly
Out of sync MetaData causes a lot of problems
Managing MetaData
We used virtual hosts for the various federations we plan to join or have already joined
Keep your documentation straight
Monitor the refresh process – make sure it is running
InCommon Metadata
Keep up with Sites
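A check of the kind the metadata slides call for, written here as an added example (it is not Shibboleth, InCommon or Texas A&M code): given a SAML 2.0 metadata aggregate, report whether its validUntil has passed and which of the Service Providers we depend on are absent or lack an SP role. The metadata document, federation name and entityIDs below are constructed placeholders; the intended use is to run it from the job that refreshes the metadata so an out-of-sync or expired file is noticed before users hit errors.

```python
"""Freshness and coverage check for a SAML 2.0 metadata aggregate.
Added example, not Shibboleth/InCommon code; all metadata is constructed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed metadata aggregate with one SP and one IdP entity.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntitiesDescriptor xmlns="{MD_NS}" Name="urn:mace:example-federation"
                    validUntil="2008-06-01T00:00:00Z">
  <EntityDescriptor entityID="https://webassign.example/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example.edu/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC midnight, used for the 'now' argument."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_valid_until(value: str) -> datetime:
    """validUntil is an xs:dateTime; federation metadata writes it in UTC with 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_metadata(xml_text: str, required_sps, now: datetime) -> dict:
    """Return expiry status, per-entity roles and the required SPs that are missing."""
    root = ET.fromstring(xml_text)
    report = {"expired": False, "valid_until": None, "missing": [], "roles": {}}
    valid_until = root.get("validUntil")
    if valid_until:  # an aggregate without validUntil is reported as not expired
        report["valid_until"] = parse_valid_until(valid_until)
        report["expired"] = now >= report["valid_until"]
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        # Child element local names are the role descriptors (SPSSODescriptor, ...)
        report["roles"][entity.get("entityID")] = [c.tag.split("}")[1] for c in entity]
    report["missing"] = [
        sp for sp in required_sps
        if "SPSSODescriptor" not in report["roles"].get(sp, [])
    ]
    return report


if __name__ == "__main__":
    wanted = ["https://webassign.example/shibboleth", "https://missing.example/shibboleth"]
    print(check_metadata(SAMPLE_METADATA, wanted, datetime.now(timezone.utc)))
```

The report is meant to feed a monitor: a non-empty "missing" list or "expired" set to True should page someone, because an SP that has dropped out of the aggregate, or an aggregate that has aged past validUntil, is exactly the out-of-sync condition the slides warn about.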
Build a Production System
Added redundancy for Shibboleth
Redundant LDAP and Kerberos servers
Separated testing and production
Use good certificates
System Diagram
Our Next Goal
Make it easy to use WebAssign
First pass – authenticate existing IDs
Second pass – just add classes to WebAssign site
Keys To Project
Need the data
Need a schema
Need to negotiate the attribute release
Following a naming convention
Called WebAssign
Worked with Brian Marks @ WebAssign
Used Certificate Information from InCommon Federation MetaData
Agreed on format of elements released
Leverage Existing Data
Had course data in Oracle
Used for SYMPA mailing lists
Maintained on semester basis
Had remaining essential data in LDAP
Updated nightly
Accessing the Data
Updated Resolver
Added JDBC Connector to Shibboleth
Developed ARP for WebAssign
Check your logs
Have a Schema
Deployed EduPerson
Deployed EduCourse
Researched and used appropriate attributes
Update Shibboleth
• Update the resolver.xml file to add your data sources
• Update the arp.xml for attribute release
• Names matter
• Restrict the access whenever possible
Resolver.XML
Arp.xml
AAP.xml
Attribute Release
Declared WebAssign valid academic use of data
Watch the use of eduPersonTargetedID
Need to maintain privacy and protect restricted or confidential data
What’s In a Name
Sample Course Identifier
urn:mace:tamu.edu:crs:2007C:TEST209504
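Because the slides stress that names matter and must be agreed upon, here is an added example (not Texas A&M or WebAssign code) that parses and validates course identifiers in the urn:mace:&lt;institution&gt;:crs:&lt;term&gt;:&lt;course&gt; form shown above. The page gives one sample only, so the meaning of the last two fields (a term code such as 2007C, then a course code) and the allowed character classes are this example's assumptions.

```python
"""Parse, validate and build course identifiers in the
urn:mace:<institution>:crs:<term>:<course> convention.
Added example; field semantics are assumed from the single sample on the page."""
import re

# Assumed shape: term is a four-digit year plus one letter (e.g. 2007C);
# course is a letter-led alphanumeric code (e.g. TEST209504).
COURSE_URN = re.compile(
    r"^urn:mace:(?P<institution>[a-z0-9.-]+):crs:"
    r"(?P<term>\d{4}[A-Z]):(?P<course>[A-Z][A-Z0-9]+)$"
)


def parse_course_urn(urn: str) -> dict:
    """Split a course URN into its fields; raise ValueError if it is malformed."""
    match = COURSE_URN.match(urn)
    if not match:
        raise ValueError(f"not a course identifier in the expected form: {urn!r}")
    fields = match.groupdict()
    fields["year"] = int(fields["term"][:4])
    return fields


def build_course_urn(institution: str, term: str, course: str) -> str:
    """Assemble a URN and round-trip it through the parser so bad fields cannot slip out."""
    urn = f"urn:mace:{institution}:crs:{term}:{course}"
    parse_course_urn(urn)
    return urn


def is_local_course(urn: str, institution: str) -> bool:
    """True only for well-formed identifiers issued under our own institution."""
    try:
        return parse_course_urn(urn)["institution"] == institution
    except ValueError:
        return False


if __name__ == "__main__":
    sample = "urn:mace:tamu.edu:crs:2007C:TEST209504"
    print(parse_course_urn(sample))
    print(is_local_course(sample, "tamu.edu"), is_local_course("urn:mace:x:crs:bad", "tamu.edu"))
```

Validating identifiers on the way in and out is what lets an SP such as WebAssign trust the convention: a value that does not match the agreed form is rejected rather than silently mapped to the wrong class.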
Verified System
Used our test accounts
Worked closely with vendor
Great support from WebAssign
Customized Login Page
Did not use WAYF or InCommon Site for this deployment
Had customized WebAssign login page
Could be integrated into existing pages fairly easily
WebAssign Login
Texas A&M Login
Market the Service
Work with your departments
Educate your helpdesk
Multiple levels of support
Leverage SSO if you have it
Texas Digital Library
• Institutional Repositories
• Built on DSpace
• Shibboleth for AuthN/AuthZ
• Establishing a new Texas-wide Federation
• Layered authorization model
http://www.tdl.org/
Schema Part II
The local federation needed a different set of attributes
Extended the EduPerson schema
Used tamuEduPerson extensions
TDL Federation attributes
Must agree upon names
More Applications
Departmental use of institutional data
For Moodle deployments
Allows institution to share applications
Wireless network access at UT
TAMU Security Awareness Training
Even More Applications
Grid Computing
Sakai
LionShare at Penn State
The Big Benefit
• We have a standard
• More people will adopt it
• Reach critical mass in implementers
• Leverage with vendors
And we learned …
• You do not dabble with this
• You cannot cut corners
• Be serious about privacy and suppression
• Be careful with accounts
• Stay involved with community
• The more you do, the more you know
Philosophy
“I hear and I forget, I see and I remember, I do and I understand.”
Confucius
Links
http://www.incommonfederation.org/
http://shibboleth.internet2.edu/
http://infrastructure.tamu.edu/
http://www.tdl.org/
Email
• Michael Bolton
– [email protected]
• Xavier Chapa
– [email protected]