Technical Topics for Deployed Campuses: Web SSO
Will Norris, University of Southern California
USC Enterprise Directory
• Consistent data whether via Shib or LDAP
• No account data released by default
• Formal request for data made to Directory Steering Committee
• All applications have well-defined population
• Technical Details
  • Two Sun V440, Sun DS 5.2 with replication
  • active-passive with manual failover
USC Shibboleth IdP
• Hardware
  • Two Sun V240
  • active-active load balancing
• Authentication via Tomcat > LDAP > Kerberos
• Installed Modules
  • HAShib (enables attribute query & Artifact profile in clustered environment)
  • USC Resource Handler (status page and logout)
  • USC Session Counter
USC Shibboleth IdP
• Simple resolver.xml (logic is in the directory)
• LDAP Data Connector configured for failover
  • List multiple hosts for java.naming.provider.url
• All ARP rules include constraint for application-specific entitlement
• FERPA privacy handled via constraints
Tools for Service Providers
• USC-specific documentation for installation and configuration
• shibboleth.xml config file generator
• Test Identity Provider (a la TestShib.org)
• Periodic IdM & Shibboleth crash course
• Local support mailing lists
• Central IT officially offers “limited support”
Federation Management
• All documentation and configuration kept in Subversion repository
• New SPs email their shibboleth.xml config file and certificate to IdP admins
  • Check overall sanity of configuration (/secure/)
  • Ensure providerId follows conventions
  • Comment all ARPs and metadata entries
• Shell script checks metadata every two weeks for expiring certificates
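The fortnightly certificate-expiry check mentioned on this slide, as an added example and not USC's own script: it pulls every X509Certificate element out of a SAML metadata file and uses openssl x509 -checkend to flag certificates that are expired or expire within a given window. It assumes a POSIX shell with grep -E/-o, fold, mktemp and the openssl CLI; the entity IDs and certificates produced by make_sample_metadata are constructed test data.

```shell
#!/bin/sh
# Added example, not USC's script: flag SP certificates in SAML metadata that
# are expired or expire within DAYS days. Assumes POSIX sh, grep -E/-o, fold,
# mktemp and the openssl CLI.

# check_metadata_certs FILE [DAYS]: prints STATUS<TAB>notAfter<TAB>subject per
# certificate; returns 0 if all are OK, 1 if any is EXPIRING.
check_metadata_certs() {
  file=$1; days=${2:-30}; seconds=$((days * 86400)); expiring=0
  # Remove all whitespace so each base64 body is one token, then take the body
  # of every X509Certificate element (with or without the ds: prefix).
  for blob in $(tr -d ' \t\r\n' < "$file" \
      | grep -Eo '<(ds:)?X509Certificate>[^<]*' \
      | sed -E 's/<(ds:)?X509Certificate>//'); do
    # Re-wrap the body as PEM with 64-char lines so openssl accepts it
    pem=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' "$blob" \
          '-----END CERTIFICATE-----' | fold -w 64)
    subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
    notafter=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | sed 's/^notAfter=//')
    # -checkend N exits 0 only if the cert is still valid N seconds from now
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend "$seconds" >/dev/null; then
      status=OK
    else
      status=EXPIRING; expiring=$((expiring + 1))
    fi
    printf '%s\t%s\t%s\n' "$status" "$notafter" "$subject"
  done
  [ "$expiring" -eq 0 ]
}

# make_sample_metadata FILE: constructed test data, two SP entries with
# self-signed certs good for 400 and 5 days (keys are thrown away).
make_sample_metadata() {
  out=$1; tmp=$(mktemp -d)
  printf '<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n' > "$out"
  for spec in 'sp-long.example.edu:400' 'sp-short.example.edu:5'; do
    cn=${spec%%:*}; lifetime=${spec##*:}
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/key.pem" \
      -subj "/CN=$cn" -days "$lifetime" -out "$tmp/cert.pem" 2>/dev/null
    {
      printf '<md:EntityDescriptor entityID="https://%s/shibboleth"><md:SPSSODescriptor>' "$cn"
      printf '<md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n'
      sed '/^-----/d' "$tmp/cert.pem"   # PEM body only, as metadata carries it
      printf '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
      printf '</md:SPSSODescriptor></md:EntityDescriptor>\n'
    } >> "$out"
  done
  printf '</md:EntitiesDescriptor>\n' >> "$out"; rm -rf "$tmp"
}
[ -n "$1" ] && check_metadata_certs "$1" "$2"   # usage: sh check.sh metadata.xml [days]
```

Run from cron with a window longer than the check interval (e.g. 30 days for a fortnightly run) so an SP is warned at least once before its certificate lapses.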
Extending Services to Guests
• All users have local LDAP entry (even guests)
• Consistent data via Shib & LDAP
• Allows for centralized authz management
• Applications see no difference between USC members and guests
• No custom code, just configuration
Resource Links
• HAShib Module: https://www.middleware.georgetown.edu/confluence/x/ugE
• USC Service Provider Install Documentation: https://shibboleth.usc.edu/docs/sp/install/
• USC Service Provider Configuration Builder: https://shibboleth.usc.edu/docs/sp/install/cgi-bin/spconfig
• USC Test Identity Provider Configuration: https://its-subversion.usc.edu/svn/gds/shibboleth/idp-config/test/
• Will Norris (me): wnorris@usc.edu
Quick Questions? (Otherwise, come back for discussion at 10:15)