
UF Peer2Peer: Identity Provider update, Shibboleth, and SAML

Martin Smith
April 16, 2013


Transcript

  1. Other templates (March 2013)
     https://webservices.it.ufl.edu/
     - UF Web Templates
     - UF Shibboleth templates

     Newer service provider packages:
     - allow you to unpack these anywhere
     - have stopped shipping with 'dragonbird'
     - we recommend /ufl-shibboleth-templates

     www.it.ufl.edu
  2. Service Provider upgrade (April 2013)
     - CNS Linux infr. - 4/28 & 5/12
     - Simpler configuration
     - Default to better cookie settings
     - No more privileged user
     - NativeSPConfigurationChanges in wiki.shibboleth.net
  3. IdP silver login handler (2013)
     - InCommon's Assurance Program
     - Good security and identity practices help ensure that an individual using an electronic credential is the person you think it is.
     - Once security and practices are put in place, we need some custom code to look up assurance in our database.
  4. Research and Scholarship (April 2013)
     - See InCommon collaborate wiki
     - UF will enable this in production on 4/21, beta IdP from 4/15 (Mon.)
     - Interesting configuration changes on our end...
  5. IdP credential change (2013)
     - SAML metadata and federations?
     - Best practice: Unify IdP's keypair usage both in InCommon's federation and the local 'UF Federation'
     - Requires metadata rollover for the IdP, plus later switchover
     - SP awareness is a critical piece
  6. UFAD Groups (2013)
     - Working on a way to pull these from UFAD using DirSync API
     - Probably requires some cleanup
     - Hoping for 15 minute latency
     - Usual problems of representing a tree structure in a list
  7. InCommon Service Provider (2013)
     - incommon-sp.login.ufl.edu
     - SPs that need to accept credentials from other Institutions
     - Check out the UX on ours
     - Requires we put your SP's metadata in the InCommon MD
  8. IdP upgrade
     - Currently on v2.3.5
     - v2.3.8 is available, but v2.4 looks like it could come out before we get there
     - At this point, not a big change
  9. Grouper
     - "Help collaboration happen"
     - Factor out duplicated group data in various systems, then share it
     - Allow set operations on groups, e.g. 'all users in an e-Learning course except students'
     - Feed this data downstream
     - Programmatic access