28
Shibboleth at
NewcastleCaleb Racey WebteamISS
Shibboleth experiences
Program Background What shib has enabled Benefits of shib How to do shib
Background
IAMSECT Project - JISC funded Shib early adopter 2 year project (finished this summer) VLE focussed Focus on shared medical students Collaboration with Durham
One of few practical deployment Projects
What we use shib for
Blogs
Mailing lists
Wikis
Webforms
Course submission
VLEs
Athens
Blogs
Blogs
Ease of installation: Modify php authentication code
(1 man day)
Benefits:User account creation automatedLogin never exposed to potentially untrustworthy code
Sympa mailings list
Sympa Mailing lists
Ease of installation: Supported out of the box,
adjust config file(1 hour)
Benefits:SSOAuto account creation Allows both shib and local Auth
Mediawiki
Mediawiki
Ease of installation: Download + install “extension”
tweak config file (1 hour)
Benefits:SSOUser accounts creation automatedLogin never exposed to potentially untrustworthy code
Access controlled websites
Quick easy Access Control
Ease of installation: .htaccess file by users (5 mins)
Benefits: Web developers don’t need to understand
complexities of secure loginAuto population of info fields (email addresses etc)
Coursework.cs
Coursework.cs
Ease of installation: Install shib + configure server
Work out how best to do WAYF
Benefits: Federated service now possible, Durham
students can now use.
Medical VLE
Medical VLE
Ease of installation: Hard (Zope based) fast_cgi complex difficult user base Large legacy
Benefits:SSORoadmap away from legacy
Reduced admin
Athens
Athens
Athens
Ease of installation:
Hard (at the time) : - easy now?
working out how to join multiple feds
SSL cert incompatibility worries- now gone
Benefits:
SSO
Reduced Admin overhead
What shib is not used for
Blackboard in Newcastle Blackboard shib support is UNIX based Windows possible (but not out of the
box) Durham have test UNIX install
Benefits of shib
International takeup = defacto standard“out of the box” shibd apps available.
One web login technology to supportLess SysAdmin effortLess documentationLess user education
Less burden on web developers, don’t need to understand:How to do secure login How / Where to get user data
How to install
Very brief overview of stepsPrerequisitesIdPSP
Timescales
See http://iamsect.ncl.ac.uk for details
How to install: prerequisites
Prerequisites:
Identify suitable password store
e.g. Active Directory
Learn how to do https
SSL certs, certificate Authorities
Deploy WebISO or simple sign on
e.g. Pubcookie, CAS, Mod_auth_Ldap
How to install: shib IdP
Install and configure the software:• not that hard (anymore)• Java based (java skills not needed)• Follow guide • tweak xml config files
Difficult bits:• SSL certs (global sign or Thawte)• Identify institutional data stores
How to Install: shib SP
Linux + Apache:Prerolled RPMs= install + tweak config file (couple of hours)
Windows + IIS:MSI installer= install+tweak config file
(couple of hours)Java, Python, Ruby, Perl or cgi: Stick behind linux + apache, Install + configure connector (mod_jk, fast_cgi) (couple of days)
Where to get help
https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/WebHome
http://iamsect.ncl.ac.uk http://shib.kuleuven.be/ http://www.switch.ch/aai/
Questions?
