$30 off During Our Annual Pro Sale. View Details »

Shibboleth & SAML: Advanced Topics

Martin Smith
March 03, 2011
0
110

Shibboleth & SAML: Advanced Topics

Martin Smith

March 03, 2011
Tweet

More Decks by Martin Smith

See All by Martin Smith
How HashiCorp SREs Built HCP's Incident Management Program
martinb3
0
25
Writing & Maintaining an Open Source Backup Tool in Python on AWS
martinb3
0
190
DevOps & Remote Work in Gainesville
martinb3
0
190
Reaping the rewards of Remote Friendly DevOps
martinb3
2
190
Cooking Up Elasticsearch with Chef at elastic{on}
martinb3
0
260
Going Serverless with AWS Lambda
martinb3
1
410
Little Brother is Watching Your Live Stream
martinb3
0
170
Spotlight on CoreOS
martinb3
0
180
What is the Chef Development Kit
martinb3
0
250

Featured

See All Featured
The World Runs on Bad Software
bkeepers
PRO
59
6.2k
Building an army of robots
kneath
299
41k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
Code Review Best Practice
trishagee
53
14k
[RailsConf 2023] Rails as a piece of cake
palkan
17
3.2k
Testing 201, or: Great Expectations
jmmastey
26
6.1k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
240
20k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.4k
Agile that works and the tools we love
rasmusluckow
323
20k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
351
28k
The Invisible Customer
myddelton
113
12k
Making Projects Easy
brettharned
105
5.2k

Transcript

  1. Advanced Shibboleth topics
    UF IT/CNS/Open Systems Group
    University of Florida
    March 3, 2011
    Eli Ben-Shoshan (ebs@ufl.edu)
    Martin Smith (smithmb@ufl.edu)
    Laura Guazzelli (laura2@ufl.edu)
    UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp

    View Slide

  2. Goals
    Discussion format; may include:
    Day-to-day SP management
    SP Securing & Monitoring
    Virtual hosting and multiple IDs
    Application-managed sessions
    Alternate SAML profiles and bindings
    Hard-to-shibbolize applications
    ARP Affiliations and ARP Groups changes and their impact
    on applications
    UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp

    View Slide

  3. Discussion topic: Daily tasks
    Keep current with latest releases
    Rotate log files for native.log, shibd.log, transaction.log
    Add new sites, remove old sites
    Dont need to update certs/keys for SAML
    UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp

    View Slide

  4. Discussion topic: Securing & Monitoring
    Process check for shibd, ensure webserver config is sound
    HTTP HEAD/GET on /Shibboleth.sso/Status
    Synthetic tests for as much as possible High-availability
    strategies
    Protecting other handler URLs under /Shibboleth.sso/
    Dealing with SE Linux, Logwatch
    Dont use Shibboleth as your only authn...
    UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp

    View Slide

  5. Discussion topic: Virtual hosting, multiple entity IDs
    Understand why metadata is FQDN specific
    Understand consistency with SSL
    What you can share (shibd, webserver module)
    What you may not be able to share (entity IDs, URLs,
    keys/certs)
    InCommon SPs and IdPs
    UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp

    View Slide

  6. Discussion topic: Application-managed sessions
    Know the various handler URLs
    Understand ShibUseHeaders
    Local Logout...
    Multiple principals & re-authn
    UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp

    View Slide

  7. Discussion topic: Alternate SAML profiles and bindings
    HTTP-POST, HTTP-Redirect
    AttributeService (ARS,ACS,etc) via SOAP
    SAML1...
    https://login.ufl.edu/login.ufl.edu.xml
    UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp

    View Slide

  8. Discussion topic: Hard to Shibbolize Apps
    Proxy it from Apache
    Java application server support (Oracle, BEA...)
    REMOTE USER is a popular convention
    One-time tokens vended under Shibboleth
    Custom code... eek.
    UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp

    View Slide

  9. Discussion topic: Upcoming Service Changes
    IdP is now highly available
    (Mobile) login page changes on Sunday
    All separator characters are now dollar-sign $
    ARP-Affiliations: multivalued, de-duplicated
    ARP-Groups: Full distinguishedName, nested resolution
    Database performance will be improved
    UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp

    View Slide

  10. Questions?
    Thank you.
    UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp

    View Slide