Leverage Drupal, Shibboleth, and OpenSAML to Connect Federated Identity to the Cloud

To view a recording of this presentation go to: http://www.acquia.com/resources/acquia-tv/conference/leverage-drupal-shibboleth-and-opensaml-connect-federated-identity-0

Published in: Technology

  • Speaking on a purely personal basis, and not on behalf of any of my affiliations. My views are entirely my own, and I am very thankful for Acquia hosting this forum.
  • Transcript

    • 1. Using Drupal, SAML, and Shibboleth to bring users to the cloud
      • Nate Klingenstein
      • [email_address]
      • Internet2 / InCommon Federation / Shibboleth Consortium
      • Greg Knaddison
      • Acquia
      • 30 November, 2011
      • Acquia Webinar Series
    • 2. Connecting to the Cloud
      • Two necessary infrastructure components
        • A great network connection
        • Effective Identity Management
      • Two necessary business components
        • Software architected to integrate with you
        • Excellent, professional service
    • 3. A Brief History of Identity Management
      • Isolated Accounts
      • Centralized User Databases
        • LDAP, SQL
      • Single Sign-On
        • Kerberos, various others like CAS, PKI?
      • Federated Identity
        • SAML, OpenID, OAuth, Shibboleth
    • 4. Federated Identity
      • A generalization of older single sign-on systems
        • No tight coupling between identity sources and applications or services
        • No presumptions about trust or authority
    • 5. Federated Identity
      • Identity Providers (IdP) supply user information and authentication service
        • Generally as a stand-alone service
      • Service Providers (SP) process user information, protect, and supply applications with trusted data
        • Generally integrated tightly into the web environment
    • 6. Federated Identity Benefits
      • Automated provisioning, but deprovisioning requires some thought
      • Provides single sign-on for both local and cloud services
      • Authoritative attributes provide applications with quality, trusted data
      • Applications can be easily shared between many organizations
    • 7.  
    • 8. SAML v2.0
      • Security Assertion Markup Language
      • A set of tokens and a set of protocols used to convey those tokens
        • Tokens may be used independently of the protocols
      • Standardized in March 2005
        • Ongoing spec development for new features continues, but likely never a new, breaking version
    • 9. SAML v2.0 Deployment
      • Widespread Commercial Support
        • Oracle, Microsoft, Novell, CA, PingIdentity, etc.
      • Widespread SaaS Vendor Support
        • Google, Microsoft, Salesforce, ADP, etc.
      • Excellent free, open source solutions
        • Shibboleth, simpleSAMLphp, OpenSSO, etc.
    • 10. SAML 2.0 IdP Deployment
      • Widespread deployment and dominant market share in a variety of verticals
        • Education, finance, real estate, justice, defense, conglomerates
      • Approximately 4,000 Research and Education Deployments
        • ~100% coverage in some countries
        • 10+ million vetted accounts
    • 11. Shibboleth
      • Project since ~2001, code since ~2003
      • Dominant market share in academia
        • Thousands of deployments, millions of users
        • Widely used in real estate, justice, and increasingly in financial and corporate verticals
      • Transitioning from Internet2 project to consortium & new org for sustainability
    • 12. Shibboleth
      • Free, open-source software
      • Small but global development team
      • Modified Apache-style licensing; no BSD
      • Architected for large-scale multi-lateral identity; easily used for bilateral collaborations too
      • Focus on trusted attributes in addition to providing standard single sign-on
    • 13. Technical Deep Dive Overview
      • Geeking out for a moment – please forgive us…
      • Identity Provider (IdP) implementation and deployment
      • Service Provider (SP) implementation and deployment
    • 14. Shibboleth IdP
      • Java webapp to be deployed into a standard servlet container
        • Apache Tomcat, JBoss, Jetty, etc.
        • Future releases will be distributed with a bundled servlet container; existing packaging will still be available
    • 15. Shibboleth IdP
      • Highly scalable with a variety of clustering options
        • Concurrent login attempts CPU-bound, concurrent sessions RAM-bound
        • Scales easily to hundreds of thousands
      • Designed to integrate with IdM systems, not replace them
        • Authentication and attribute connectors available for common choices; extensible
    • 16. Shibboleth SP
      • Written in C++
      • In-process module loaded by webserver
        • Apache (worker mode preferred) or ISAPI
      • Out-of-process daemon
    • 17. Shibboleth SP
      • No API
      • Application integration at 3 points:
        • Session Creation/Login (automatically enforced, or application triggered)
        • Session Recall/Attributes (environment variables or header variables with IdP info, user attributes)
        • Session Destruction/Logout
    • 18. Shibboleth Trust
      • As promiscuous or as exclusive as you would like
        • Federations are communities of providers that act by the same rules, to reduce the handshake problem
      • We don’t have much faith in commercial certificates
        • Comes from experience
    • 19. Drupal and Shibboleth
      • Drupal plugin developed by the Hungarian Federation (NIIF)
      • Relies on having the Shibboleth SP installed and configured
        • We like this: avoids dangers of homemade security software, incorporates new Shibboleth features easily, no lock-in
    • 20. Drupal and Shibboleth
      • Provides basic login and logout links
        • Integrated with both Drupal and Shibboleth, making session management easier
      • Maps SAML attributes to Drupal roles
      • Shibboleth interoperates with many commercial SAML offerings, so “Shibbolized Drupal” will too
    • 21. Shibboleth, SAML & Acquia Cloud
    • 22. Example Drupal Deployments
      • Two San Francisco based higher education institutions
        • Acquia Commons for faculty, staff, student collaboration
        • Second running 21 custom Drupal multi-sites
      • Running in Acquia Managed Cloud
      • Running SP daemon
      • Load balanced with sticky sessions to support Shibboleth
        • Could use SP on single web server or shared database storage
        • Using sticky sessions improves scalability/reliability
    • 23. Example Drupal Deployments
      • Benefits
        • Centralized auditing of logins
        • Provisioning efficiency, de-provisioning completeness
      • Gotchas:
        • shibauth Drupal module always creates Drupal accounts
    • 24. My Thanks to Acquia
      • [email_address]
      • http://www.internet2.edu/
      • http://www.incommon.org/
      • http://shibboleth.net/
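Slides 17, 20 and 23 describe the three points where the Shibboleth SP hands data to an application (session variables plus user attributes as environment or header variables), the mapping of SAML attributes onto Drupal roles, and the gotcha that the shibauth module creates an account for every authenticated user. The following is an added Python illustration of that handoff and is not code from the Shibboleth project, the NIIF Drupal module, or the presenters. It assumes the SP's default `attribute-map.xml` ids (`eppn`, `unscoped-affiliation`, `entitlement`, `displayName`), the SP convention that multi-valued attributes are joined with `;` and a literal semicolon inside a value is escaped as `\;`, and an invented affiliation-to-role table; the sample request environment is constructed.

```python
"""Reading a Shibboleth SP session from the web-server environment and
mapping SAML attributes to Drupal-style roles (added example, assumptions
as stated in the lead-in)."""
import re
from dataclasses import dataclass, field

# Attribute ids this example expects (assumed: Shibboleth SP default attribute-map.xml).
ATTRIBUTES = ("eppn", "unscoped-affiliation", "entitlement", "displayName")

# Constructed, illustrative table: eduPersonAffiliation value -> Drupal role name.
ROLE_MAP = {
    "faculty": "editor",
    "staff": "editor",
    "student": "authenticated user",
}


def split_multivalue(raw):
    """Split an SP multi-valued attribute: values joined by ';', literal ';' escaped as '\\;'."""
    if not raw:
        return []
    parts = re.split(r"(?<!\\);", raw)
    return [p.replace("\\;", ";") for p in parts]


def _lookup(environ, name, source):
    """Fetch one SP-exported variable from the request environment.

    'environment': the in-process Apache module sets real environment variables,
    keyed by the attribute id itself; a client cannot supply these.
    'headers': ISAPI (or a proxied SP) delivers attributes as request headers,
    which reach the application as HTTP_<NAME> with '-' folded to '_'.
    """
    if source == "environment":
        return environ.get(name)
    if source == "headers":
        return environ.get("HTTP_" + name.upper().replace("-", "_"))
    raise ValueError("unknown attribute source: %r" % source)


@dataclass
class ShibSession:
    session_id: str
    idp: str
    attrs: dict = field(default_factory=dict)


def read_session(environ, source="environment"):
    """Return a ShibSession if the SP established one, otherwise None.

    Header mode is only safe when the SP sits in front of the application and
    clears or overwrites every header it exports. Attributes are read only when
    the SP's own session variable is present, so attribute-looking headers on a
    request without an SP session are ignored rather than trusted.
    """
    session_id = _lookup(environ, "Shib-Session-ID", source)
    if not session_id:
        return None
    attrs = {name: split_multivalue(_lookup(environ, name, source)) for name in ATTRIBUTES}
    idp = _lookup(environ, "Shib-Identity-Provider", source) or ""
    return ShibSession(session_id=session_id, idp=idp, attrs=attrs)


def map_roles(session, role_map=ROLE_MAP):
    """Translate affiliation values into a sorted list of Drupal role names."""
    roles = {role_map[a] for a in session.attrs.get("unscoped-affiliation", []) if a in role_map}
    return sorted(roles)


def account_allowed(session, required_entitlement):
    """Gate automatic account creation on an entitlement value.

    Slide 23 notes the shibauth module always creates a Drupal account; checking
    for a required entitlement before that happens is one way a deployer can keep
    the site to its intended population (assumed policy, not the module's own).
    """
    return required_entitlement in session.attrs.get("entitlement", [])


# Constructed request environment as the Apache module would populate it.
SAMPLE_ENV = {
    "Shib-Session-ID": "_constructed-session-id",
    "Shib-Identity-Provider": "https://idp.example.edu/idp/shibboleth",
    "eppn": "jdoe@example.edu",
    "unscoped-affiliation": "student;staff",
    "entitlement": "urn:mace:example.edu:drupal:commons",
    "displayName": "Doe\\; Jane",
    # A header a client could send on its own; in environment mode it is never consulted.
    "HTTP_EPPN": "attacker@example.org",
}

if __name__ == "__main__":
    s = read_session(SAMPLE_ENV)
    print("eppn:", s.attrs["eppn"], "roles:", map_roles(s))
    print("account allowed:", account_allowed(s, "urn:mace:example.edu:drupal:commons"))
```

In environment mode the stray `HTTP_EPPN` value is never read, because the module-set variable `eppn` is the only source consulted; in header mode the same environment yields no session at all, since no `HTTP_SHIB_SESSION_ID` is present. The escaped semicolon in `displayName` shows why attributes must be split with the SP's escaping rule rather than a plain `split(";")`.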
