Your SlideShare is downloading. ×
  • Like
Implementing a production Shibboleth IdP service at Cardiff University
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Implementing a production Shibboleth IdP service at Cardiff University


This joint presentation by Rhys Smith and Zoe Young explains the process of implementing a federated access management infrustructure, based on Shibboleth, at the University of Cardiff.

This joint presentation by Rhys Smith and Zoe Young explains the process of implementing a federated access management infrustructure, based on Shibboleth, at the University of Cardiff.

Published in Technology , Education
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Implementing a Production HA Shibboleth IDP service Rhys Smith, Cardiff University
  • 2. Outline
    • Implementing a production service
    • HA
    • Conforming to Tech' Recommendations
    • Migration to Shib
  • 3. Implementing a ProdN Service
    • Institutions planning a real-world production Shib IDP deployment:
      • Think beyond simple technical details
      • Consider higher level issues of design
      • Including HA and resiliency issues
    • Otherwise:
      • When your IDP server breaks (and it will), you're (technical terminology coming up) screwed!
  • 4. Cardiff's setup (NetScaler) hashib Shared Memory hashib Shared Memory
  • 5. Cardiff's setup (con't)
    • idp1 & idp2 - Physical servers - PowerEdge
    • idp3 - VM on VMWare-ESX infrastructure; primarily for development, only occasionally in service
    • All linux - RHEL4
    • Server up/down checking via idp.xml:
      • ...Shibboleth_StatusHandler... <Location>.+/shibbolethidp/Status</Location>
      • “ AVAILABLE” if everything has loaded OK
  • 6. Cardiff's setup (con't)
    • Fully monitored via SNMP
      • Standard server stuff (CPU usage, memory usage, Temperatures, etc)
      • Custom perl scripts parse Shib log files
      • Exposed via custom SNMP OIDs
    • Cacti (open source) monitoring solution already in place
    • email me for a copy of scripts/cacti templates, etc.
  • 7. Cardiff's setup (con't)
  • 8. Tech' Recommendations
    • Metadata (the list of who is on the federation:
      • CRON job to update overnight, every night
    • Attributes:
      • Haven't implemented eduPerson in directory, use own attributes and map to eduPerson schema using resolver.xml
  • 9. Tech' Recommendations (con't)
    • eduPersonScopedAffiliation:
      • Mapped to CardiffFAMAffiliation attribute in our directory (webauth tree)
      • Provisioned by our IDM sytem
      • “ member” if current staff, current student, current training grade doctor, manually “made” member in IDM web interface
      • staff/student similarly IDM driven
  • 10. Tech' Recommendations (con't)
    • eduPersonTargetedID:
      • Simply using PersistentIDAttributeDefinition, linked to IDM IdentityNumber
      • Dynamically cryptographically creates an opaque, consistent TargetedID per user per resource
    • eduPersonPrincipalName:
      • Mapped to cn attribute in our directory
  • 11. Tech' Recommendations (con't)
    • eduPersonEntitlement:
      • Mapped to CardiffFamEntitlements attribute in our directory
      • Provisioned by our IDM system where possible
      • Manually administered via IDM web interface otherwise
  • 12. Tech' Recommendations (con't)
    • Attribute Release Policies
      • Set to release minimum information (scopedAffiliation and TargetedID) unless specifically set otherwise
      • Release more if desired on a case by case basis
  • 13. Authentication Options
    • Apache vs Tomcat:
      • Apache simpler
      • Tomcat a lot more user friendly for your users
      • Our login page:
  • 14.  
  • 15. Shibboleth at Cardiff University Zoë Young Subject Librarian
  • 16. Overview
    • Auditing of resources
    • Promotion and Communication
    • What has happened so far?
    • What’s going to happen next?
    • Questions?
  • 17. Auditing of resources
    • Resources tested for shibboleth compliance.
    • Non-compliant resources
      • Westlaw – generic usernames and passwords until new platform released
      • Lexis Nexis Professional – should be moved to Butterworths
    • Alerts, Saved Searches and Personalisation.
  • 18. Promotion and Communication
    • Emails about shibboleth/CU Login sent to all Information services staff
    • Presentation on changes given to all library and helpdesk staff
    • Documentation sent to all 18 libraries
    • Web page – Off campus access
    • Changes to databases page
    • Subject Librarians cascaded information to all new students and staff
  • 19. What has happened so far?
    • Went live – Sept 06
    • Users
      • New Training Grade Doctors
      • New Students
      • New Staff
      • Users with expired accounts or problems
    • 53.35 % of access to “Athens” e-resources is by CU login
  • 20. What’s going to happen next?
    • 2 nd July – changes to website to encourage remaining Athens users to switch
    • Email to users with active Athens accounts
    • Monitor use of Athens accounts over the next year and contact individual users to migrate.
    • April 08 – All Athens accounts expire
  • 21.  
  • 22.  
  • 23. the end
    • Any Questions?
    • for:
      • more info
      • a copy of these slides
      • clarification of any points
      • meaningful discussion about shib
      • meaningless discussion about stanley cup finals...
    • email: