
The I-Trust Federation: Federating the University of Illinois

Keith Wessel, Identity Management Service Manager, University of Illinois at Urbana-Champaign


Presentation Transcript


  1. Keith Wessel Identity Management Service Manager University of Illinois at Urbana-Champaign The I-Trust Federation: Federating the University of Illinois

  2. Goals and Challenges • Goal: retire legacy web sign-on service and replace with Shibboleth • The challenge: U of Illinois’ three campuses maintain their own user and password stores and IDPs. The old web sign-on allowed inter-domain authentication for services used by users from multiple campuses.

  3. The solution • Federate the three campuses. • Use existing IDPs and user/password stores. • Put a Shib SP on each service that currently uses the legacy system. • Services that need to allow access to users from multiple campuses can point to a centralized discovery service.

  4. Why not put everyone in InCommon? • We have over 500 service providers behind the legacy system. • Many allow access to users from more than one campus. • Even with delegated SP administration, this would be costly and labor-intensive. • This is also overkill to get SP data to the university’s three IDPs. • If an SP needs to federate beyond the university, such as with another university, we will work with them to manually enter them in InCommon.

  5. The business case • Initial case was to simply get SSO functional and metadata circulating between the three campuses. • Before we even announced it, our software webstore folks were asking questions. • By adding other universities, community colleges and K-12 users, our software webstore could sell to more users and get larger discounts. • State library consortium is also interested with the value of resource sharing through federation. • We had these cases brought to us. After launch, we expect a lot more.

  6. Planning • Identify technical and management resources from each campus. • Agree that Urbana campus, the largest, will take the lead. • Compare attributes being released by all three IDPs to build and approve a list of common attributes. • Standardize names of federation attributes. • Set up common platform for maintaining and disseminating metadata and attribute release.

  7. Nuts and bolts • Discovery Service: Shibboleth project’s centralized discovery service is offered for SPs needing to allow access to all three campuses • Metadata management and dissemination: Australian Access Federation’s Federation Registry. • Metadata signing: Shibboleth project’s xmlsectool

  8. Federation Registry • An extensible, open web application that provides a central point of registration, management and reporting for identity and service providers participating in a standards compliant SAML 2 identity federation. • Management for all aspects of SAML 2 compliant Identity and Service Providers • SAML 2.x compliant metadata generation • Additional assistance for Shibboleth IDP and SP administrators including automated Attribute Filter generation • Public registration for Organizations, Identity Providers and Service Providers that are new to the federation • Organizations can own any number of IDPs and SPs (service-only organizations are popular with publishers, for example) • A personalized dashboard view of the federation for all users • A cross-browser (including mobile devices) HTML5 compliant user interface which can be branded for deploying organizations. • Multilingual capable • A fully customizable workflow engine to handle registrations and other critical federation changes • In-depth reporting to gain insight into the workings of the entire federation • Federation integrated, automatically provisioned user accounts with fine-grained access control
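Slides 6 through 8 describe one pipeline: the three IdPs agree on a common attribute set, the registry publishes a signed SAML 2 metadata aggregate, and each IdP's attribute filter is generated from what the registered SPs request. The script below is an added example of that pipeline, written for this page; it is not code from the I-Trust presentation, the Shibboleth project or the AAF Federation Registry. The metadata aggregate, the entityIDs and the approved attribute list are constructed for illustration. It refuses an aggregate that has expired or carries no signature (the cryptographic check itself belongs to the IdP's or SP's metadata provider, or to xmlsectool, using the federation signing certificate obtained out of band), then emits a Shibboleth IdP 3+/4 attribute-filter policy that releases to each SP only the approved attributes that SP actually registered, and reports anything it refused.

```python
# Added example for this page: derive an IdP attribute-release policy from a
# signed federation metadata aggregate. Entity IDs, the approved attribute
# set and the aggregate itself are constructed, not taken from I-Trust.
import datetime as dt
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
AFP = "urn:mace:shibboleth:2.0:afp"
NS = {"md": MD, "ds": DS}

# Hypothetical federation-approved common attributes (slide 6): the SAML 2
# name an SP requests in metadata -> the IdP attribute ID used in the filter.
APPROVED = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
}

# Stand-in for the enveloped XML signature the registry puts on the aggregate.
SIGNATURE_STUB = "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>MEUC...</ds:SignatureValue></ds:Signature>"

# Constructed aggregate: one IdP, one SP. The SP also asks for givenName
# (urn:oid:2.5.4.42), which is outside the approved set and must be refused.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    Name="urn:mace:example.edu:federation" validUntil="2999-01-01T00:00:00Z">
  {SIGNATURE_STUB}
  <md:EntityDescriptor entityID="https://idp.campus-a.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://webstore.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">Software Webstore</md:ServiceName>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"/>
        <md:RequestedAttribute Name="urn:oid:2.5.4.42"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def load_federation_metadata(xml_text, now=None):
    """Parse an aggregate, refusing one that is expired or unsigned. Only the
    presence of the signature is checked here; verifying it is the metadata
    provider's (or xmlsectool's) job with the pinned federation certificate."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntitiesDescriptor":
        raise ValueError("not a SAML 2 metadata aggregate")
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("no validUntil: refuse to cache metadata indefinitely")
    expiry = dt.datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ")
    expiry = expiry.replace(tzinfo=dt.timezone.utc)
    if expiry <= (now or dt.datetime.now(dt.timezone.utc)):
        raise ValueError(f"aggregate expired at {valid_until}")
    if root.find("ds:Signature", NS) is None:
        raise ValueError("aggregate is unsigned")
    return root


def requested_attributes(root):
    """Map each SP entityID to the SAML attribute names it registered."""
    out = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is not None:  # IdP-only entities request nothing
            path = "md:AttributeConsumingService/md:RequestedAttribute"
            out[ed.get("entityID")] = [ra.get("Name") for ra in sp.findall(path, NS)]
    return out


def build_attribute_filter(requests, approved=APPROVED):
    """Emit attribute-filter.xml (Shibboleth IdP 3+/4 syntax): one policy per SP,
    releasing only approved attributes that SP requested; also return refusals."""
    refused, policies = {}, []
    for n, (entity_id, names) in enumerate(sorted(requests.items()), 1):
        allowed = [approved[nm] for nm in names if nm in approved]
        refused[entity_id] = [nm for nm in names if nm not in approved]
        if not allowed:
            continue  # no policy means the IdP releases nothing to this SP
        rules = "".join(
            f'        <AttributeRule attributeID="{a}">\n'
            f'            <PermitValueRule xsi:type="ANY"/>\n'
            f'        </AttributeRule>\n' for a in allowed)
        policies.append(
            f'    <AttributeFilterPolicy id="federation-sp-{n}">\n'
            f'        <PolicyRequirementRule xsi:type="Requester" value={quoteattr(entity_id)}/>\n'
            f'{rules}    </AttributeFilterPolicy>\n')
    doc = (f'<AttributeFilterPolicyGroup id="Federation" xmlns="{AFP}"\n'
           '    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">\n'
           + "".join(policies) + "</AttributeFilterPolicyGroup>\n")
    return doc, refused


def released_attributes(filter_xml):
    """Read a generated filter back as {entityID: [attributeID, ...]} for review."""
    out = {}
    for pol in ET.fromstring(filter_xml).findall(f"{{{AFP}}}AttributeFilterPolicy"):
        requester = pol.find(f"{{{AFP}}}PolicyRequirementRule").get("value")
        out[requester] = [r.get("attributeID") for r in pol.findall(f"{{{AFP}}}AttributeRule")]
    return out


if __name__ == "__main__":
    meta = load_federation_metadata(SAMPLE_METADATA)
    policy, refused = build_attribute_filter(requested_attributes(meta))
    print(policy)
    print("refused:", refused)
```

Run as-is, the script prints a policy that releases eduPersonPrincipalName and mail to the webstore SP and lists urn:oid:2.5.4.42 as refused. The design choice worth noting: an SP that requests nothing on the approved list gets no AttributeFilterPolicy at all, so the IdP's default of releasing nothing applies, and the refused list gives the registrar a concrete follow-up rather than a silent drop.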

  9. Federation Manager Dashboard

  10. Create Service Provider

  11. Create Service Provider: description

  12. Create Service Provider: SAML configuration

  13. Create Service Provider: certificate

  14. Create Service Provider: attributes

  15. Create Service Provider: submit

  16. Approving a new Service Provider

  17. Future plans • Bring community colleges, K-12 schools and others on-board. • Federation-wide single logout: a big one to attack, but lots of requests already. • Standardizing requests for two-factor authentication when needed.

  18. Resources • Australian Access Federation: wiki.aaf.edu.au/federationregistry2 • Contact for more on I-Trust: Keith Wessel, kwessel@illinois.edu
