Shibboleth & SAML: Advanced Topics

9ad2a5355d8cfa842e24b7a4322b2535?s=47 Martin Smith
March 03, 2011
0
31

Shibboleth & SAML: Advanced Topics

9ad2a5355d8cfa842e24b7a4322b2535?s=128

Martin Smith

March 03, 2011
Tweet

Want more?

9ad2a5355d8cfa842e24b7a4322b2535?s=48 martinb3
0
45
9ad2a5355d8cfa842e24b7a4322b2535?s=48 martinb3
0
41
9ad2a5355d8cfa842e24b7a4322b2535?s=48 martinb3
2
49
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
2
170
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
1
85
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
76
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
5
160
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
5
160
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
2
230
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
2
440
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
120
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
4
200

Transcript

  1. 1.

    Advanced Shibboleth topics UF IT/CNS/Open Systems Group University of Florida

    March 3, 2011 Eli Ben-Shoshan (ebs@ufl.edu) Martin Smith (smithmb@ufl.edu) Laura Guazzelli (laura2@ufl.edu) UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp
  2. 2.

    Goals Discussion format; may include: Day-to-day SP management SP Securing

    & Monitoring Virtual hosting and multiple IDs Application-managed sessions Alternate SAML profiles and bindings Hard-to-shibbolize applications ARP Affiliations and ARP Groups changes and their impact on applications UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp
  3. 3.

    Discussion topic: Daily tasks Keep current with latest releases Rotate

    log files for native.log, shibd.log, transaction.log Add new sites, remove old sites Dont need to update certs/keys for SAML UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp
  4. 4.

    Discussion topic: Securing & Monitoring Process check for shibd, ensure

    webserver config is sound HTTP HEAD/GET on /Shibboleth.sso/Status Synthetic tests for as much as possible High-availability strategies Protecting other handler URLs under /Shibboleth.sso/ Dealing with SE Linux, Logwatch Dont use Shibboleth as your only authn... UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp
  5. 5.

    Discussion topic: Virtual hosting, multiple entity IDs Understand why metadata

    is FQDN specific Understand consistency with SSL What you can share (shibd, webserver module) What you may not be able to share (entity IDs, URLs, keys/certs) InCommon SPs and IdPs UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp
  6. 6.

    Discussion topic: Application-managed sessions Know the various handler URLs Understand

    ShibUseHeaders Local Logout... Multiple principals & re-authn UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp
  7. 7.

    Discussion topic: Alternate SAML profiles and bindings HTTP-POST, HTTP-Redirect AttributeService

    (ARS,ACS,etc) via SOAP SAML1... https://login.ufl.edu/login.ufl.edu.xml UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp
  8. 8.

    Discussion topic: Hard to Shibbolize Apps Proxy it from Apache

    Java application server support (Oracle, BEA...) REMOTE USER is a popular convention One-time tokens vended under Shibboleth Custom code... eek. UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp
  9. 9.

    Discussion topic: Upcoming Service Changes IdP is now highly available

    (Mobile) login page changes on Sunday All separator characters are now dollar-sign $ ARP-Affiliations: multivalued, de-duplicated ARP-Groups: Full distinguishedName, nested resolution Database performance will be improved UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp
  10. 10.

    Questions? Thank you. UF IT/CNS/Open Systems Group Advanced Shibboleth Bootcamp