Implementing a production Shibboleth IdP service at Cardiff University
Transcript of Implementing a production Shibboleth IdP service at Cardiff University
Implementing a Shibboleth IDP service
Rhys Smith & Zoë Young Cardiff University
Outline
➢ Implementing a production service
➢ HA
➢ Conforming to Tech' Recommendations
➢ Migration to Shib
Implementing a ProdN Service
➢ Institutions planning a real-world production Shib IDP deployment:
➢ Think beyond simple technical details
➢ Consider higher level issues of design
➢ Including HA and resiliency issues
➢ Otherwise:
➢ When your IDP server breaks (and it will), you're (technical terminology coming up) screwed!
Cardiff's setup
(Diagram) The public service name idp.cardiff.ac.uk is fronted by a NetScaler, behind which sit idp1.cf.ac.uk and idp2.cf.ac.uk, with idp3.cf.ac.uk as a third node; the nodes are labelled "hashib / Shared Memory".
Cardiff's setup (con't)
➢ idp1 & idp2: physical servers (PowerEdge)
➢ idp3: VM on VMware ESX infrastructure; primarily for development, only occasionally in service
➢ All Linux RHEL4
➢ Server up/down checking via idp.xml:
➢ ...Shibboleth_StatusHandler...<Location>.+/shibboleth-idp/Status</Location>
➢ “AVAILABLE” if everything has loaded OK
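A health check for the Status handler described above, an added example rather than Cardiff's own monitoring code; it assumes the handler is served at /shibboleth-idp/Status over HTTPS, that a healthy node's response begins with AVAILABLE, and uses the node names from the diagram.

```python
"""Status-page health check for Shibboleth IdP nodes (added example, not the
page's own scripts). Assumed: the Shibboleth_StatusHandler <Location> from
idp.xml is /shibboleth-idp/Status and a healthy node answers "AVAILABLE"."""
import socket
import urllib.request
from urllib.error import URLError

STATUS_PATH = "/shibboleth-idp/Status"   # assumed to match <Location> in idp.xml


def classify_status(http_code, body):
    """Return 'up' only for HTTP 200 whose body starts with AVAILABLE.

    A 200 with any other body (a container error page, or a handler that
    loaded but reports a problem) is 'degraded': the load balancer must not
    treat "the port answers" as "the IdP works"."""
    if http_code != 200:
        return "down"
    lines = body.strip().splitlines()
    first = lines[0].strip() if lines else ""
    return "up" if first.startswith("AVAILABLE") else "degraded"


def probe(host, timeout=3.0, opener=None):
    """Fetch the Status handler over HTTPS; any network or TLS error is 'down'."""
    url = f"https://{host}{STATUS_PATH}"
    try:
        with (opener or urllib.request.build_opener()).open(url, timeout=timeout) as r:
            return classify_status(r.status, r.read().decode("utf-8", "replace"))
    except (URLError, socket.timeout, OSError):
        return "down"


def pool_members(results):
    """Nodes the front-end (the NetScaler in the diagram) should keep in
    rotation: only those reporting 'up', sorted for stable output."""
    return sorted(h for h, s in results.items() if s == "up")


if __name__ == "__main__":
    nodes = ["idp1.cf.ac.uk", "idp2.cf.ac.uk", "idp3.cf.ac.uk"]
    results = {h: probe(h) for h in nodes}
    print(results, "in pool:", pool_members(results))
```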
Cardiff's setup (con't)
➢ Fully monitored via SNMP
➢ Standard server stuff (CPU usage, memory usage, temperatures, etc.)
➢ Custom Perl scripts parse Shib log files
➢ Exposed via custom SNMP OIDs
➢ Cacti (open source) monitoring solution already in place
➢ Email me for a copy of scripts/Cacti templates, etc.
Cardiff's setup (con't)
(This slide is an image only; nothing was transcribed.)
Tech' Recommendations
➢ Metadata (the list of who is on the federation):
➢ CRON job to update overnight, every night
➢ Attributes:
➢ Haven't implemented eduPerson in directory; use own attributes and map to eduPerson schema using resolver.xml
Tech' Recommendations (con't)
➢ eduPersonScopedAffiliation:
➢ Mapped to CardiffFAMAffiliation attribute in our directory (webauth tree)
➢ Provisioned by our IDM system
➢ “member” if current staff, current student, current training grade doctor, or manually “made” member in IDM web interface
➢ staff/student similarly IDM driven
Tech' Recommendations (con't)
➢ eduPersonTargetedID:
➢ Simply using PersistentIDAttributeDefinition, linked to IDM IdentityNumber
➢ Dynamically and cryptographically creates an opaque, consistent TargetedID per user per resource
➢ eduPersonPrincipalName:
➢ Mapped to cn attribute in our directory
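How a per-user, per-resource opaque identifier with the properties described above can be derived, as an added illustration; this is not the Shibboleth PersistentIDAttributeDefinition code, and the HMAC-SHA256 construction, the "!" separator, the scoped output form and the sample identity numbers and entityIDs are assumptions.

```python
"""Illustrative derivation of an opaque, persistent, per-resource ID of the
eduPersonTargetedID kind (added example; NOT Shibboleth's implementation).
A keyed hash over (relying party, identity number) with an IdP-only secret
gives: stable for one user at one SP, different at every other SP, and not
reversible to the IdentityNumber without the secret."""
import base64
import hashlib
import hmac


def targeted_id(identity_number, relying_party, site_secret):
    """Derive the opaque value for one user at one resource.

    identity_number: the IDM IdentityNumber (the stable source identifier)
    relying_party:   the SP's entityID; including it is what makes the value
                     differ per resource, so SPs cannot correlate users
    site_secret:     long random bytes held only by the IdP (the "salt")
    """
    # "!" separator is an assumption; any unambiguous encoding works.
    msg = f"{relying_party}!{identity_number}".encode("utf-8")
    digest = hmac.new(site_secret, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def scoped_targeted_id(identity_number, relying_party, site_secret, scope):
    """Same value in scoped form (value@scope), the shape many federations expect."""
    return f"{targeted_id(identity_number, relying_party, site_secret)}@{scope}"


if __name__ == "__main__":
    # Constructed sample values; a real secret must be random and backed up,
    # because changing it silently re-issues every user's ID at every SP.
    secret = b"constructed-example-secret-use-random-bytes-in-practice"
    print(scoped_targeted_id("1234567", "https://sp.example.org/shibboleth",
                             secret, "cardiff.ac.uk"))
```

The operational consequence is that the secret is part of the identity data: losing it breaks every SP-side personalisation tied to these IDs, so it needs the same backup care as the directory itself.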
Tech' Recommendations (con't)
➢ eduPersonEntitlement:
➢ Mapped to CardiffFamEntitlements attribute in our directory
➢ Provisioned by our IDM system where possible
➢ Manually administered via IDM web interface otherwise
Tech' Recommendations (con't)
➢ Attribute Release Policies
➢ arp.site.xml
➢ Set to release minimum information (scopedAffiliation and TargetedID) unless specifically set otherwise
➢ Release more if desired on a case-by-case basis
Authentication Options
➢ Apache vs Tomcat:
➢ Apache simpler
➢ Tomcat a lot more user friendly for your users
➢ Our login page: (screenshot only; not transcribed)
Overview
➢ Auditing of resources
➢ Promotion and Communication
➢ What has happened so far?
➢ What’s going to happen next?
➢ Questions?
Auditing of resources
➢ Resources tested for Shibboleth compliance.
➢ Non-compliant resources:
➢ Westlaw – generic usernames and passwords until new platform released
➢ Lexis Nexis Professional – should be moved to Butterworths
➢ Alerts, Saved Searches and Personalisation.
Promotion and Communication
➢ Emails about Shibboleth/CU Login sent to all Information Services staff
➢ Presentation on changes given to all library and helpdesk staff
➢ Documentation sent to all 18 libraries
➢ Web page – Off campus access
➢ Changes to databases page
➢ Subject Librarians cascaded information to all new students and staff
What has happened so far?
➢ Went live – Sept 06
➢ Users:
➢ New Training Grade Doctors
➢ New Students
➢ New Staff
➢ Users with expired accounts or problems
➢ 53.35% of access to “Athens” e-resources is by CU login
What’s going to happen next?
➢ 2nd July – changes to website to encourage remaining Athens users to switch
➢ Email to users with active Athens accounts
➢ Monitor use of Athens accounts over the next year and contact individual users to migrate.
➢ April 08 – All Athens accounts expire
The end. Any questions?
www.identityproject.org/survey.doc for: more info, a copy of these slides, clarification of any points, meaningful discussion about Shib, meaningless discussion about Stanley Cup finals...
email: [email protected]