2. Agenda
Introduction
Project Background
Missouri, Oxford & Microsoft
Things we’ll cover:
Overview of Technologies
ADFS/Shibboleth Interoperability Demos
3. Project Background
Based on OCG White Paper:
Achieving interoperability between Active Directory Federation
Services (ADFS) and Shibboleth
Demonstrate interoperability between ADFS and
Shibboleth System 1.3c Release
Using ADFS plug-in for SAML 1.1 Identity and Service Providers
Support for WS-Federation Passive Requestor Interoperability Profile
Demonstrate interoperability with sample applications
- Microsoft Office SharePoint Server 2007 and Windows Live IDs
4. Technology Overview
Shibboleth
Standards-based, Open Source Middleware Software
Project of Internet2/MACE (Middleware Architecture Committee for
Education)
Internet2 – U.S. Advanced Networking Consortium led by the
education and research community
(universities, partners, laboratories, government agencies, etc.)
URL: http://shibboleth.internet2.edu/about.html
Implements the OASIS SAML v1.1 specification
December 2005 - Extension for ADFS support is developed
Implemented in Shibboleth versions 1.3.c and later
Platforms include: UNIX (Solaris, etc.), Linux
(Fedora, Ubuntu, etc.), Mac OS-X
5. Show of Hands
How many schools have a websso?
How many use CAS?
Pubcookie?
Something else?
How many have a Shibboleth?
How many have ADFS?
How many run a websso & Shib or ADFS?
Does anyone run both ADFS & Shib?
6. Project Credits
Project Sponsors
Walter Harp, Microsoft Corporation
John DuBois, Microsoft Corporation
Credits and Contributions
Ryan Woodsmall, University of Missouri
Brian Dourty, University of Missouri
Edward D. McKinzie, University of Missouri
Bryan W. Roesslet, University of Missouri
Randy Wiemer, University of Missouri
Chris Calderon, Oxford Computer Group
Jim Muir, Oxford Computer Group
7. Technology Overview
Active Directory Federation Services (ADFS)
First introduced in Windows Server 2003 R2 to provide “Identity
Federation”
Projecting user identity from a single logon…
Providing single identity based entitlements…
Connecting islands (across security, organizational or platform
boundaries)
Result: Web single sign-on & simplified identity management
Web Services and WS-* Security Standards
Specifically implementing the WS-Federation and WS-Federation
Passive Requestor Profile specifications
9. Demonstration Overview
Establishing Federated Interoperability between ADFS
(Relying Party) and Shibboleth (Identity Provider)
Demonstration 2:
Shib.org User will access MOSS 2007
Extranet Portal.
Demonstration 1:
Shib.org User will access Sample Claims-
App that will display the set of claims,
associated with that user.
10. Configuration Details
ADFS Configuration Policy Requirements
Federation Service URI – This uniquely identifies a federated partner
Federation Service endpoint URL – The URL that partner organizations to send
requests and responses.
Token Signing Certificate – Relying Party requires a signing certificate that is used to
by the Identity Providers to digitally sign message exchanges.
ADFS Management Console - This is the primary management console for
administrative management of Account Partners (Identity Providers)
11. Configuration Details
Shibboleth Configuration Requirements
XML Metadata - Trust Policy Configuration
idp.xml – (The main configuration file for the identity provider.)
Configures the Shibboleth ADFS extension
Provides key information for relying parties
Adds reference mapping support for identity claims (i.e. MS UPNs)
Adds the XML attribute namespace=http://schema.xmlsoap.org/claims to attribute definitions in
resolver.xml for any attributes that should be sent to ADFS providers.
resolver.xml – (Attribute extraction)
Defines the connection to attribute store
arp.site.xml– (Attribute release policy)
Defines which attributes are available to relying parties
Controls (Permits/Denies) attribute release rules
12. Demonstration Overview
Windows Live ID/Passport Interoperability
Demonstration 3:
Shib.org User access Windows Live@edu
by passing WLID through claims to generate
SLT. The Identity Provider (IdP) acts as the
Windows Live Account Store.
13. Configuration Details
Windows Live ID Interoperability
WLIDs (Short-live Tokens) – Can be used to further extending SSO into
Web Applications.
Benefits:
Windows Live ID users can access resources typically only available
only for AD accounts (SharePoint Sites, etc.)
Applications do not need to implement any Windows Live ID code
Single Account Management (instead of AD and Windows Live)
14. Summary
Successfully demonstrated the interoperability between
ADFS and Shibboleth:
Straight forward configurations
No special software or customization required by either party.
Language Translation (Understanding component relations of each
technology)
Lessons learned
Federating with Windows Live IDs
Microsoft Office SharePoint Server 2007 Compatibility
Notas del editor
Walk audience through demonstrations 3Windows Live IDs will be populated as a claim by the IdP. This claims is then transformed to generate a short-lived token and redirected to Windows Live mail.
Walk audience through demonstrations 1 and 2. Demo 1: Show attribute extraction using Sample Claims-Aware ApplicationDemo 2: Show compatibility with MOSS 2007
