CAH Retirement
CAH slated to go away in October 2011
Motivation:
IPv6 compatibility
Move to a standards-based (SAML) solution
CAH and Shib will do SSO between them until CAH is gone
What is Shibboleth?
Software project sponsored by Internet2
Implements the SAML Web SSO Profile
Two main packages:
Identity Provider (IdP: logs users in)
Service Provider (SP: uses the login to do something useful)
SSO still requires a trip to the IdP
No free-for-all WEBCOOKIE method
More complex protocol: integrating takes more than cookies + HTTPS
Our IdPs
OIT/IDM runs production and test IdPs
The IdPs use production and test X.500 respectively
Federated with InCommon
Submit an Access Request Form (ARF) if you need nonpublic attributes
Ask us to add your metadata to our test IdP
No ARF needed if you already get the same data from CAH
Apps requiring M Key can use AuthnContext to ask for it, and must check that the IdP actually used it
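The AuthnContext mechanism mentioned above, as an added example (not UMN's code and not from the original slides): the SP names the class it wants in a RequestedAuthnContext on its AuthnRequest, and after the IdP responds it checks the AuthnContextClassRef the IdP actually asserted, rejecting a plain password login. The M Key class URI, the entityIDs, the IdP endpoint URL and the assertion fragments are placeholders and constructed data; the check assumes the assertion's signature has already been validated.

```python
"""Asking the IdP for a specific AuthnContext and checking what came back.

Added example, not UMN code. An SP that needs a stronger login puts a
RequestedAuthnContext in its AuthnRequest; the IdP reports what it actually did in
the assertion's AuthnStatement, and the SP must check that, since an IdP may not
honour the request. The M Key class URI below is an assumed placeholder. Only the
stdlib is used, and the assertions are constructed, unsigned fragments: run this
check after signature validation, not instead of it.
"""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Assumed placeholder for the M Key AuthnContext class; UMN's real URI is not given here.
MKEY_CLASS = "urn:example:umn:ac:classes:mkey"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def build_authn_request(sp_entity_id, idp_sso_url, required_class):
    """Return an AuthnRequest that asks the IdP for exactly required_class."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = required_class
    return ET.tostring(req, encoding="unicode")


def requested_class(authn_request_xml):
    """Read back the class an AuthnRequest asks for (None if it asks for nothing)."""
    root = ET.fromstring(authn_request_xml)
    ref = root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    return None if ref is None else ref.text.strip()


def asserted_classes(assertion_xml):
    """Return the AuthnContextClassRef of every AuthnStatement in the assertion."""
    root = ET.fromstring(assertion_xml)
    path = f"{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef"
    return [ref.text.strip()
            for stmt in root.iter(f"{{{SAML}}}AuthnStatement")
            for ref in stmt.findall(path)]


def satisfies(assertion_xml, required_class):
    """True only if the IdP asserted the required class for every login statement.

    Exact string comparison, no prefix or 'stronger than' logic: a session that
    was only password-authenticated must be rejected, not silently accepted.
    """
    classes = asserted_classes(assertion_xml)
    return bool(classes) and all(c == required_class for c in classes)


def sample_assertion(class_ref):
    """Constructed, unsigned assertion fragment standing in for an IdP's response."""
    return f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2011-03-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2011-03-01T12:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    req = build_authn_request("https://sp.example.edu/shibboleth",
                              "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO",
                              MKEY_CLASS)
    print("requested:", requested_class(req))
    print("M Key login accepted:", satisfies(sample_assertion(MKEY_CLASS), MKEY_CLASS))
    print("password login accepted:", satisfies(sample_assertion(PASSWORD_CLASS), MKEY_CLASS))
```

Comparison="exact" tells the IdP what to do; the SP-side check is what actually enforces it, because the protocol does not stop an IdP from answering a request with whatever context it has.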
Gotchas
Shib signs/encrypts assertions
Uses certs in metadata to carry keys
Shib ONLY looks at the keys, not the rest of the cert:
Ignores expiration
Doesn't validate the CA
These are NOT the same certs/keys used for your browser-facing HTTPS port (443)
Gotchas
entityID looks like a URL but isn't
It's a URI being used as a name
Handy to use as a URL sometimes (e.g. to serve your metadata)
Use a domain you control, to facilitate self-managed metadata someday
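Both Gotchas slides in one added example (not UMN's code and not from the original slides): a metadata lookup that treats entityID as an opaque name, so a trailing slash or a change of case finds nothing, and a trust check that reduces each KeyDescriptor certificate to the public key it carries, so an expired certificate and its renewal with the same key are the same party while a different key is rejected. The certificates are constructed, unsigned DER built inside the block (the RSA modulus is filler), the entityIDs are placeholders, and only the Python standard library is used.

```python
"""Metadata keys and entityIDs the way Shibboleth treats them (added example, not UMN code).
Looks an entity up by entityID as an opaque string, then reduces each KeyDescriptor
certificate to the SubjectPublicKeyInfo it carries, so a renewed or long-expired
certificate with the same key still matches. Certificates are synthetic, unsigned DER."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def der(tag, body):
    """Encode one DER element with a short- or long-form length."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_children(blob):
    """Split a DER constructed body into (tag, body) pairs (single-byte tags only)."""
    out, i = [], 0
    while i < len(blob):
        tag, n, i = blob[i], blob[i + 1], i + 2
        if n & 0x80:                                  # long-form length
            k = n & 0x7F
            n = int.from_bytes(blob[i:i + k], "big")
            i += k
        out.append((tag, blob[i:i + n]))
        i += n
    return out

def cert_spki_and_validity(cert_der):
    """Return (SPKI DER, notBefore, notAfter); tbs fields after the optional version are
    serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo."""
    fields = der_children(der_children(der_children(cert_der)[0][1])[0][1])
    if fields[0][0] == 0xA0:                          # optional explicit version
        fields = fields[1:]
    not_before, not_after = (v.decode() for _, v in der_children(fields[3][1]))
    return der(0x30, fields[5][1]), not_before, not_after

def key_fingerprint(cert_der):
    """SHA-256 of the SPKI only: the part Shibboleth actually compares."""
    return hashlib.sha256(cert_spki_and_validity(cert_der)[0]).hexdigest()

RSA_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
SIG_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))

def fake_spki(modulus):                               # constructed: modulus is filler, not a key
    rsa_key = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    return der(0x30, RSA_ALG + der(0x03, b"\x00" + rsa_key))

def fake_cert(spki, not_before, not_after):
    """Constructed certificate-shaped DER: empty names, zero signature."""
    name = der(0x30, b"")
    validity = der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + SIG_ALG
              + name + validity + name + spki)
    return der(0x30, tbs + SIG_ALG + der(0x03, b"\x00" + bytes(32)))

def entity_descriptor(entity_id, cert_ders):
    keys = "".join('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
                   + base64.b64encode(c).decode()
                   + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
                   for c in cert_ders)
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:SPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f"{keys}</md:SPSSODescriptor></md:EntityDescriptor>")

def find_entity(metadata_xml, entity_id):
    """entityID is a name: compare it byte for byte, never as a normalised URL."""
    for ed in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") == entity_id:
            return ed
    return None

def signing_fingerprints(metadata_xml, entity_id):
    """Keys usable for signing (a KeyDescriptor with no 'use' serves both purposes)."""
    ed = find_entity(metadata_xml, entity_id)
    return {key_fingerprint(base64.b64decode(x.text))
            for kd in ([] if ed is None else ed.iter(f"{{{MD}}}KeyDescriptor"))
            if kd.get("use") in (None, "signing")
            for x in kd.iter(f"{{{DS}}}X509Certificate")}

def key_trusted(metadata_xml, entity_id, presented_cert_der):
    """Shibboleth-style decision: is the presented key in metadata? Expiry and CA ignored."""
    return key_fingerprint(presented_cert_der) in signing_fingerprints(metadata_xml, entity_id)

SP_ID = "https://sp.example.edu/shibboleth"
KEY_A, KEY_B = fake_spki(bytes(range(1, 65))), fake_spki(bytes(range(65, 129)))
OLD_CERT = fake_cert(KEY_A, "080101000000Z", "100101000000Z")  # expired in 2010
NEW_CERT = fake_cert(KEY_A, "110101000000Z", "130101000000Z")  # renewed, same key
OTHER_CERT = fake_cert(KEY_B, "110101000000Z", "130101000000Z")
METADATA = (f'<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">' + entity_descriptor(SP_ID, [OLD_CERT])
            + entity_descriptor("https://idp.example.edu/idp/shibboleth", [OTHER_CERT]) + "</md:EntitiesDescriptor>")

if __name__ == "__main__":
    print("trailing slash found:", find_entity(METADATA, SP_ID + "/") is not None)
    print("renewed cert, same key, trusted:", key_trusted(METADATA, SP_ID, NEW_CERT))
```

The practical consequences match the slides: a renewed certificate need not be re-registered as long as the key is unchanged, a key change must be, and running the browser-facing 443 certificate through this check against metadata that carries the Shib signing key will simply fail.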
Looking Ahead
Single logout support
User consent for attribute release
Self-managed metadata for departments
Resources
U of M Shib wiki: https://wiki.umn.edu/ShibAuth
Official Shib wiki: https://wiki.shibboleth.net/confluence/display/SHIB2/Home
Questions?
Identity Management - idm@umn.edu
Or call Chris at 5-1809