Campuses New to Shibboleth: WebSSO - Barry Johnson
DESCRIPTION
“We aren't doing science here, we're just trying to get people logged on” - Mike Marshall
TRANSCRIPT
Campuses New to Shibboleth: WebSSO
Barry Johnson
Who is this guy?
• 18 years with Clemson IT
• Director of Services Engineering
• Developer and Sysadmin at heart
• Creator of Clemson’s current WebSSO system
“We aren't doing science here, we're just trying to get people logged on” - Mike Marshall
Overview
• Why use Shib?
• How does it work?
• Getting Started
• Installation
• The Experience
• Info for Developers
Why use Shib for SSO?
• Multi-platform
• Built on proven technologies
• An enabler for secure collaboration
How does it work?
What do I need to get started?
• A solid identity store for Authentication
  • LDAP
  • SQL
  • A good API
• Server Resources for the IDP
• Good Sysadmins
  • Apache, Tomcat, IIS, XML, PKI
Installation
• IDP – Identity Provider
• SP – Service Provider
Installation: IDP
• Install Apache
• Install Tomcat
• Front IDP with Apache and delegate authentication to Apache
• Configure trust
  • idp.xml, arp.xml, etc...
https://spaces.internet2.edu/display/SHIB/InstallingShibboleth
Installation: SP
• LAMP: Apache module and a daemon
• IIS: ISAPI module and service
• Configure trust
  • shibboleth.xml, aap.xml, etc...
https://spaces.internet2.edu/display/SHIB/InstallingShibboleth
Shib: The Experience
• Users
  • They may thank you, or they may not even notice
• Developers
  • If they already delegate authentication to the server, they may not notice either
  • If they currently handle authentication themselves, they may love or hate you.
• Security & Sysadmins
  • They'll thank you later
Developers
• Who is logged in?
User information is in the headers
• PHP: $_SERVER['REMOTE_USER']
• ASP: Request.ServerVariables("REMOTE_USER")
• JSP: request.getHeader("REMOTE_USER")
• Perl: $ENV{"REMOTE_USER"}
• http://shib.kuleuven.be/download/sp/test_scripts/
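One way an application can read that identity defensively, as an added example that is not from the original slides: in PHP the server-set REMOTE_USER and a client-sent Remote-User request header land under different $_SERVER keys, and only the first is trusted. The function name and the sample values are assumptions made for illustration.

```php
<?php
// Added example (not from the slides). Assumption: the Shibboleth SP module
// sets REMOTE_USER as a server variable once the user has logged in.
// A header sent by the client, e.g. "Remote-User: admin", shows up in PHP
// under a different key, HTTP_REMOTE_USER, and is never consulted here.

/**
 * Return the SP-asserted username, or null when the request carries none.
 * Pass $_SERVER in a real page; an array parameter keeps this testable.
 */
function shib_authenticated_user(array $server): ?string
{
    $user = $server['REMOTE_USER'] ?? '';
    if (!is_string($user)) {
        return null;
    }
    $user = trim($user);
    if ($user === '') {
        return null;            // page was reached without passing the SP
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $user)) {
        return null;            // control characters: refuse, keeps logs clean
    }
    return $user;
}

// Constructed sample requests (hypothetical values).
$samples = [
    'through the SP'      => ['REMOTE_USER' => 'jdoe@example.edu'],
    'client header only'  => ['HTTP_REMOTE_USER' => 'admin@example.edu'],
    'SP set, header too'  => ['REMOTE_USER' => 'jdoe@example.edu',
                              'HTTP_REMOTE_USER' => 'admin@example.edu'],
    'empty REMOTE_USER'   => ['REMOTE_USER' => ''],
];

foreach ($samples as $label => $server) {
    $user = shib_authenticated_user($server);
    printf("%-20s => %s\n", $label, $user ?? 'DENY (no SP-asserted identity)');
}
```

The same distinction matters wherever identity is read with a header call such as request.getHeader("REMOTE_USER"): the value is only as trustworthy as the guarantee that every request reaches the application through the SP.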
Again, why Shib?
• So much more than WebSSO
Enabler for secure collaboration
• sharing web resources beyond your institution
Tool for implementing privacy policies
• clearing house for user attributes
Tool for role-based authorization
• enables fine-grained control based on user attributes
Learn more
• Come to our next session: June 26 Tuesday 10:15-11:30, Campuses New to Shibboleth: Attribute Delivery
• On-line resources: http://shibboleth.internet2.edu
Questions?