Transcript Slide 1
Shibboleth
at
Newcastle
Caleb Racey
Webteam
ISS
Shibboleth experiences
Program
Background
What shib has enabled
Benefits of shib
How to do shib
Background
IAMSECT Project - JISC funded
Shib early adopter
2 year project (finished this summer)
VLE focussed
Focus on shared medical students
Collaboration with Durham
One of few practical deployment Projects
What we use shib for
Blogs
Mailing lists
Wikis
Webforms
Course submission
VLEs
Athens
Blogs
Blogs
Ease of installation:
Modify php authentication code
(1 man day)
Benefits:
User account creation automated
Login never exposed to potentially
untrustworthy code
Sympa mailings list
Sympa Mailing lists
Ease of installation:
Supported out of the box,
adjust config file
(1 hour)
Benefits:
SSO
Auto account creation
Allows both shib and local Auth
Mediawiki
Mediawiki
Ease of installation:
Download + install “extension”
tweak config file
(1 hour)
Benefits:
SSO
User accounts creation automated
Login never exposed to potentially
untrustworthy code
Access controlled websites
Quick easy Access Control
Ease of installation:
.htaccess file by users (5 mins)
Benefits:
Web developers don’t need to understand
complexities of secure login
Auto population of info fields (email addresses
etc)
Coursework.cs
Coursework.cs
Ease of installation:
Install shib + configure server
Work out how best to do WAYF
Benefits:
Federated service now possible, Durham
students can now use.
Medical VLE
Medical VLE
Ease of installation:
Hard (Zope based) fast_cgi
complex difficult user base
Large legacy
Benefits:
SSO
Roadmap away from legacy
Reduced admin
Athens
Athens
Athens
Ease of installation:
Hard (at the time) : - easy now?
working out how to join multiple feds
SSL cert incompatibility worries- now gone
Benefits:
SSO
Reduced Admin overhead
What shib is not used for
Blackboard in Newcastle
Blackboard shib support is UNIX based
Windows possible (but not out of the
box)
Durham have test UNIX install
Benefits of shib
International takeup = defacto standard
“out of the box” shibd apps available.
One web login technology to support
Less SysAdmin effort
Less documentation
Less user education
Less burden on web developers, don’t need to
understand:
How to do secure login
How / Where to get user data
How to install
Very brief overview of steps
Prerequisites
IdP
SP
Timescales
See http://iamsect.ncl.ac.uk for details
How to install: prerequisites
Prerequisites:
Identify suitable password store
e.g. Active Directory
Learn how to do https
SSL certs, certificate Authorities
Deploy WebISO or simple sign on
e.g. Pubcookie, CAS, Mod_auth_Ldap
How to install: shib IdP
Install and configure the software:
•
•
•
•
not that hard (anymore)
Java based (java skills not needed)
Follow guide
tweak xml config files
Difficult bits:
• SSL certs (global sign or Thawte)
• Identify institutional data stores
How to Install: shib SP
Linux + Apache:
Prerolled RPMs= install + tweak config file
(couple of hours)
Windows + IIS:
MSI installer= install+tweak config file
(couple of hours)
Java, Python, Ruby, Perl or cgi:
Stick behind linux + apache,
Install + configure connector (mod_jk, fast_cgi)
(couple of days)
Where to get help
https://authdev.it.ohiostate.edu/twiki/bin/view/Shibboleth/Web
Home
http://iamsect.ncl.ac.uk
http://shib.kuleuven.be/
http://www.switch.ch/aai/
Questions?