ADFS in the U.T. System U.S. Federations Call - May 18, 2011


Presentation Transcript


  1. ADFS in the U.T. System
     U.S. Federations Call - May 18, 2011
     Paul Caskey, System-wide Information Services

  2. ADFS Usage
     • As a Service Provider (Relying Party)
     • Still in development/testing phase
     • In production, will be used in both the UT System Federation and InCommon
       • SharePoint 2010
       • Office 365
       • Any future apps which come with ADFS SSO support built in

  3. Background – SP2007
     • We operate a large SharePoint 2007 installation
       • Used by every member of the UT System Federation
       • Used externally by a variety of entities (most of whom use ProtectNetwork to log in)
         • Legal
         • Facilities Planning
       • We even sell SP sites to other campuses within the UT System
     • Custom form-based authentication with Shibboleth integration
     • Authorization is a bit painful
       • Multi-step process for the user, validation by the site owner
       • No ‘automatic’ authorization (no attribute-based groups)
     • IdP ‘onboarding’ is still a bit painful (especially as we start to interact with IdPs outside of the UT System Federation)
     • Dual sites for the same content DB (internal -> Active Directory, external -> Shibboleth)
     • Overall, a GREAT collaborative tool and our users are VERY happy!

  4. SP2010 - ADFS
     • Everything will be “claims-based” through ADFS (hopefully)
     • No more dual sites for the same content
     • Better onboarding for IdPs
       • Anonymous page to describe the process and the required/desired attributes
       • 'All authenticated users' page to verify the asserted attributes
     • Automatic authZ (group membership) based on attributes/claims
       • eduPersonAffiliation, eduPersonEntitlement
     • The only custom code is an HttpModule which hooks the ‘OnSignedIn’ event in the ADFS module
       • Pushes asserted personal-info attributes into the SP User Profile
     • We also customized the ADFS ‘Home Realm Discovery’ to mimic the Shibboleth Discovery Service (for user familiarity)
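The attribute-to-group mapping described on this slide, as an added illustration that is not the UT System code: it reads eduPersonAffiliation and eduPersonEntitlement from a constructed SAML 2.0 assertion (standard eduPerson OIDs), checks the issuer against a federation member list, and derives SharePoint group membership. The issuer list, group names and entitlement URN are hypothetical, and the assertion is assumed to have already been signature-validated by ADFS before this stage.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard eduPerson attribute OIDs as released by Shibboleth IdPs.
ATTR_OIDS = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
}
# Hypothetical federation member list and claim-to-group policy (constructed for this example).
TRUSTED_ISSUERS = {"https://idp.example-campus.edu/idp/shibboleth"}
AFFILIATION_GROUPS = {"faculty": "SP Contributors", "staff": "SP Contributors", "student": "SP Readers"}
ENTITLEMENT_GROUPS = {"urn:mace:example-federation:sharepoint:site-owner": "SP Site Owners"}

def extract_claims(assertion_xml):
    """Return (issuer, {friendly_name: [values]}) from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext(f"{{{SAML}}}Issuer", default="").strip()
    claims = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        name = ATTR_OIDS.get(attr.get("Name"))
        if name is None:
            continue  # attributes the policy does not use are ignored, not stored
        claims.setdefault(name, []).extend(
            (v.text or "").strip() for v in attr.findall(f"{{{SAML}}}AttributeValue"))
    return issuer, claims

def groups_for(assertion_xml):
    """Map asserted claims to SharePoint groups; an unknown issuer yields no membership."""
    issuer, claims = extract_claims(assertion_xml)
    if issuer not in TRUSTED_ISSUERS:
        return set()
    groups = set()
    for aff in claims.get("eduPersonAffiliation", []):
        if aff.lower() in AFFILIATION_GROUPS:
            groups.add(AFFILIATION_GROUPS[aff.lower()])
    for ent in claims.get("eduPersonEntitlement", []):
        if ent in ENTITLEMENT_GROUPS:  # exact match only, no prefix or substring resolution
            groups.add(ENTITLEMENT_GROUPS[ent])
    return groups

# Constructed sample assertion (attribute statement only, no signature or conditions).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}">
  <saml:Issuer>https://idp.example-campus.edu/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">
      <saml:AttributeValue>urn:mace:example-federation:sharepoint:site-owner</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```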

  5. SP2010 – ADFS (cont)
     • Current Issues/Concerns:
       • People Picker mode
         • Claims mode resolves anything (even typos)
         • Site collection mode resolves only existing users
         • Might need a custom claims provider
       • Configuring claims-based groups
         • People Picker must be in Claims mode (but it remembers what you set)
       • Possibility for “internal things” maybe still relying on NTLM
         • Exchange integration
         • OCS, VoIP, or other similar things?
     • Useful URLs
       • Shibboleth wiki page on ADFS Interop: https://wiki.shibboleth.net/confluence/display/SHIB2/MicrosoftInterop
       • Microsoft document on InCommon <-> ADFS Interop: http://technet.microsoft.com/en-us/library/gg317734(WS.10).aspx

  6. UT System Federation Policy Background
     • UT Federation in production operations since 9/2006
     • All members are contractually bound
     • Some external participants are inter-federated from InCommon
     • Policy docs at https://idm.utsystem.edu/utfed
       • Federation Operational Practices (FOP)
       • Member Operational Practices (MOP)
     • We established a quasi-LoA2
       • Never validated by an external authority, but suitable for our needs
       • Currently re-writing for Silver/FICAM2
     • Current effort with system-wide research cyberinfrastructure likely to drive need for LoA3
     • Working to institutionalize (across the UT System) formal IdM auditing (so far, federation LoA assessments have been self-asserted)

  7. Thank You!
     • Contact Information: Paul Caskey (pcaskey@utsystem.edu)
