Shibboleth and InCommonCopyright Texas A&M University 2008. This work

is the intellectual property of the author. Permission is granted for this material to be

shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish

requires written permission from the author.

Flexible Access Control: Shibboleth and the

InCommon Federation

Michael Bolton

Xavier Chapa

Texas A&M University

Why We Are Here

Recently installed Shibboleth and joined InCommon. We would like to share with you the experience and let you know it really works. And, it works really well.

Our Initial Goals

Explore use of Shibboleth

Gain experience with Federations

Join InCommon

Support Texas Digital Library Project

Shibboleth Overview

Shibboleth is Federated Identity Management

Built on the concept of an Identity Provider and a Service Provider

Preserves privacy and anonymity

Shibboleth Diagram

Why We Like Shibboleth

• Built on standards – implementing standards

• Secure connections to Service Providers

• Clear, controlled attribute release• Tailored to application• Flexible integration with SSO• Easy to manage

How we use Shibboleth

The General Case:

CAS is authentication and SSO

Shibboleth is attribute release

What is InCommon

Higher Ed Federation of Identity and Service Providers

Growing Number of Participants

Common Framework for Accessing Sites

InCommon

Why This Approach

Shibboleth and InCommon are standards in higher education. We have a common framework to build in and on. Can easily leverage existing work and effort.

Start with a Plan

What do you want to do

What do you need to do it

Realize what you are doing

Integrate with existing infrastructure

Wealth of knowledge out there

Work the Plan

1. Install and test Shibboleth

2. Add Service Provider

3. Add InCommon

Not intended as a rigid plan but adds a little structure for your deployment

CAS - Shibboleth

Install Shibboleth IdP

Started with 1.3

Deployed on Linux and not all Linux’s are the same

CAS as SSO Solution

LDAP based

Use the Web (for help and support)

Test Initial Deployment

Used Simple application to verify operation of Shibboleth

Used our applications for debugging

Made sure Shibboleth was running and we knew how to use it

Simple ENV Application

Customize Site

Update and change pages for your institution

Read the guide on what needs updating

Branding is an ongoing project

You are now an operational Shibboleth site

Join InCommon

Fill out the contract

Study the Federation Operating Practices and Procedures

Complete the Participant Operational Practices

Work with your Legal and Contracts departments

POP

Participant Operational Practices

Participant Information Credential Provider Information Electronic Identity Credentials …

Test Connections

Build on step One, your local Shibboleth deployment

Will be added to InCommon WAYF

Use Shibboleth test/reference site

It Worked!

Staying in InCommon

Watch the fee schedule

Remember your password

Vetted process – know the players

Keep documentation current (POP, etc.)

MetaData

MetaData is key for Shibboleth

Need to update frequently or better yet, regularly

Out of sync MetaData causes a lot of problems

Managing MetaData

We used virtual hosts for the various federations we plan/are joining

Keep your documentation straight

Monitor the process – make sure it is running

InCommon Metadata

Keep up with Sites

Build a Production System

Added redundancy for Shibboleth

Redundant LDAP and Kerberos servers

Separated testing and production

Use good certificates

System Diagram

Our Next Goal

Make it easy to use WebAssign

First pass – authenticate existing ids

Second pass – just add classes to WebAssign site

Keys To Project

Need the data

Need a schema

Need to negotiate the attribute release

Following a naming convention

Called WebAssign

Worked with Brian Marks @ WebAssign

Used Certificate Information from InCommon Federation MetaData

Agreed on format of elements released

Leverage Existing Data

Had course data in Oracle

Used for SYMPA mailing lists

Maintained on semester basis

Had remaining essential data in LDAP

Updated nightly

Accessing the Data

Updated ResolverAdded JDBC Connector to Shibboleth

Developed ARP for WebAssign

Check your logs

Have a Schema

Deployed EduPerson

Deployed EduCourse

Researched and used appropriate attributes

Update Shibboleth• Update the resolver.xml file to add

your data sources• Update the arp.xml for attribute

release• Names matter• Restrict the access whenever

possible

Resolver.XML

Arp.xml

AAP.xml

Attribute Release

Declared WebAssign valid academic use of data

Watch the use of eduPersonTargetedID

Need to maintain privacy and protect restricted or confidential data

What’s In a Name

Sample Course Identifier

urn:mace:tamu.edu:crs:2007C:TEST209504

Verified System

Used our test accounts

Worked closely with vendor

Great support from WebAssign

Customized Login Page

Did not use WAYF or InCommon Site for this deployment

Had customized WebAssign login page

Could be integrated into existing pages fairly easily

WebAssign Login

Texas A&M Login

Market the Service

Work with your departments

Educate your helpdesk

Multiple levels of support

Leverage SSO if you have it

Texas Digital Library

• Institutional Repositories• Built on DSpace• Shibboleth for AuthN/AuthZ• Establishing a new Texas-wide

Federation• Layered authorization model

http://www.tdl.org/

Schema Part II

The local federation needed a different set of attributes

Extended the EduPerson schema

Used tamuEduPerson extensions

TDL Federation attributes

Must agree upon names

More Applications

Departmental use of institutional data For Moodle deployments

Allows institution to share applicationsWireless network access at UT

TAMU Security Awareness Training

Even More Applications

Grid Computing

Sakai

LionShare at Penn State

The Big Benefit

• We have a standard• More people will adopt it• Reach critical mass in

implementers• Leverage with vendors

And we learned …

• You do not dabble with this• You cannot cut corners• Be serious about privacy and

suppression• Be careful with accounts• Stay involved with community• The more you do, the more you know

Philosophy

“ I hear and I forget,

I see and I remember,

I do and I understand.”

Confucius

Links

http://www.incommonfederation.org/

http://shibboleth.internet2.edu/

http://infrastructure.tamu.edu/

http://www.tdl.org/

EMail

• Michael Bolton– Michael.Bolton@tamu.edu

• Xavier Chapa– XChapa@tamu.edu