Shibboleth 2.0 IdP Training: Authentication - PowerPoint PPT Presentation

About This Presentation
Title:

Shibboleth 2.0 IdP Training: Authentication

Description:

Title: Shibboleth IdP Training: Authentication
Author: Marcus M. Mizushima
Last modified by: Nate Klingenstein
Document presentation format: Custom

Slides: 14

1
Shibboleth 2.0 IdP Training: Authentication
  • January, 2009

2
Terms: Authentication Mechanism
  • A mechanism used to authenticate a user
  • Shibboleth 2 supports the following
    authentication mechanisms:
    • Remote User
    • Username/Password (LDAP, Kerberos)
    • IP Address

3
Terms: Login Handler
  • An IdP component that configures authentication
    mechanisms

4
Terms: Session
  • Contains:
    • State information about the user
    • Active authentication methods
    • Services the user is signed into
  • Created when the user authenticates
  • Session termination: the user must authenticate
    again
  • Federated identity involves many different
    sessions

5
Login Handler Configuration
  • Login handlers are defined in handler.xml
  • Each handler is defined by a <LoginHandler>
    element
  • Must have a type (xsi:type) and at least one
    authentication method
  • Each type has its own set of configuration
    attributes

6
Login Handler: RemoteUser
  • Login handler that relies on the web server or
    servlet container for authentication
  • The REMOTE_USER value set by the container is used
    as the user's principal name
  • Type:
    • RemoteUser
  • Configuration attributes:
    • (none)

7
Login Handler: UsernamePassword
  • Login handler that prompts for a username and
    password
  • Validates against a JAAS module
  • LDAP and Kerberos 5 are supported
  • Type:
    • UsernamePassword
  • Configuration attributes:
    • jaasConfigurationLocation

8
Login Handler: UsernamePassword
  • A login page is provided and will be presented to
    the user:
    /var/setup/identityprovider/resources/webpages/login.jsp
  • Multiple UsernamePassword login handlers can be
    defined, for example for:
    • Different authentication methods
    • Failover in case a provider is down

9
Lab: Login Handlers
  • Modify handler.xml to enable the UsernamePassword
    login handler
  • Configure login.config to use the training LDAP
    server

10
Login Handler: Authentication Duration
  • Each authentication mechanism supports an
    inactivity timeout
  • After this timeout expires, the mechanism is
    considered inactive for that user
  • If the user then attempts to access a new service
    provider that requires that authentication
    mechanism, they must re-authenticate

11
Login Handler: Authentication Duration
  • The inactivity timeout is configured by setting a
    value for the authenticationDuration attribute
    of the <LoginHandler> element
  • The value is the number of minutes of inactivity;
    the default value is 30
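The following handler.xml excerpt is an added example, not a file from the slides or the Shibboleth distribution; it ties together the RemoteUser and UsernamePassword handlers, the xsi:type attribute, jaasConfigurationLocation and authenticationDuration described above. The install path /opt/shibboleth-idp and the SAML authentication-context URIs chosen for each handler are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- handler.xml excerpt: only the LoginHandler elements are shown; the
     ErrorHandler and ProfileHandler elements of a real file are omitted. -->
<ph:ProfileHandlerGroup
    xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- RemoteUser: no configuration attributes. The IdP takes the
       principal name from REMOTE_USER exactly as the container set it,
       so this handler is only as trustworthy as the container's own
       authentication in front of the IdP. It also cannot satisfy a
       service provider's forced re-authentication request. -->
  <ph:LoginHandler xsi:type="ph:RemoteUser">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
  </ph:LoginHandler>

  <!-- UsernamePassword: credentials are validated by the JAAS
       configuration named by jaasConfigurationLocation (assumed path;
       in the lab this is the login.config pointing at the training
       LDAP server). authenticationDuration is the inactivity timeout
       in minutes; 30 is the default and is written out here only to
       make the setting explicit. -->
  <ph:LoginHandler xsi:type="ph:UsernamePassword"
      jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config"
      authenticationDuration="30">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
  </ph:LoginHandler>

</ph:ProfileHandlerGroup>
```

A service provider requesting a specific authentication method is matched against the AuthenticationMethod values declared here, so each handler should list only the methods it genuinely provides.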

12
Forced Authentication
  • SAML 2 allows a service provider to force
    authentication of the user, even if the user has
    an existing session.
  • This is supported only by mechanisms that can
    re-authenticate a user:
    • UsernamePassword: yes
    • REMOTE_USER: no
  • The service provider will receive an error if the
    IdP cannot support forced authentication

13
References
  • More information on IdP authentication can be
    found at
    https://spaces.internet2.edu/display/SHIB2/IdPUserAuthn