Wednesday Jan 16, 2008
Tuesday Jan 15, 2008
By Rohan Pinto on Jan 15, 2008
The Shibboleth System includes two major software components: the Shibboleth Identity Provider (IdP) and the Shibboleth Service Provider (SP). These two components are deployed separately but work together to provide secure access to Web-based resources. A step-by-step description of the Shibboleth sign-on process follows. While the details may vary based on deployment choices, the steps below are typical. The players include the user, who wants to use a protected Web resource; the resource provider Web site, which has installed the Shibboleth SP software; and the user's home organization, which has installed the Shibboleth IdP software.
- The user navigates to the Web resource using her browser. The resource site is protected and therefore requires information about the user in order to decide whether access is permitted.
- The Shibboleth SP software redirects the browser to a "navigation" page (called a WAYF, for "where are you from"), which presents the user with a list of the organizations whose users may access the resource.
- The user selects her home organization, and the browser is sent to the home organization's Web site running the Shibboleth IdP software. This site uses a Web sign-on method chosen by the home organization. The user now sees the familiar login Web page of her home organization, enters her username and password, and selects the Login button.
- The Shibboleth IdP software sends the browser back to the original resource site and includes in the message some security information called an "assertion" that proves the user signed on. The Shibboleth SP software on the resource site validates the assertion and then requests additional information (attributes, such as "faculty" or "student in Film327") about the user by making a request to the home organization's Shibboleth IdP service.
- The Shibboleth SP receives the user's attributes from the home organization's IdP and passes them along to the resource provider's Web application. The application uses those attributes and its access policy to decide whether the user's access is permitted or denied, displaying the appropriate page to the user's browser.
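The flow above, condensed into a runnable model so the SP-side checks are visible, is an added example and not code from the Shibboleth project. The IdP's local login, the signed assertion sent back with the browser, the SP's back-channel attribute request and the application's access policy are each modelled as a function or method; the entity IDs, accounts, passwords and attribute values are constructed, and an HMAC over canonical JSON stands in for the XML signature a real SAML assertion carries (an assumption made so the example runs offline). The point of interest is `validate_assertion`: an SP must check the signature, the issuer, the audience (so an assertion meant for another SP cannot be presented here), the validity window and a replay cache before it trusts the subject and asks for attributes.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values. Real Shibboleth uses XML-DSig over SAML XML;
# an HMAC over canonical JSON stands in for that here (assumption for offline use).
IDP_KEY = b"constructed-demo-idp-signing-key"
IDP_ENTITY_ID = "https://idp.home-org.example/idp/shibboleth"   # hypothetical
SP_ENTITY_ID = "https://resource.example/Shibboleth.sso"         # hypothetical
ASSERTION_LIFETIME = 300  # seconds the SP will accept the assertion for

# Constructed home-organization directory: passwords for the local login page
# and the attributes released in answer to the SP's attribute query.
LOCAL_ACCOUNTS = {"alice": "alice-pw", "bob": "bob-pw", "carol": "carol-pw"}
ATTRIBUTES = {
    "alice": {"eduPersonAffiliation": ["faculty"], "courses": []},
    "bob": {"eduPersonAffiliation": ["student"], "courses": ["Film327"]},
    "carol": {"eduPersonAffiliation": ["student"], "courses": ["Hist101"]},
}


def _sign(body):
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(IDP_KEY, canonical, hashlib.sha256).hexdigest()


def idp_login(username, password, now=None):
    """Steps 3-4 at the IdP: check the local credentials, then issue an
    assertion that names this SP as its audience and expires shortly."""
    if LOCAL_ACCOUNTS.get(username) != password:
        return None
    now = time.time() if now is None else now
    body = {
        "id": secrets.token_hex(8),          # unique per assertion, for replay detection
        "issuer": IDP_ENTITY_ID,
        "audience": SP_ENTITY_ID,
        "subject": username,
        "not_before": now,
        "not_on_or_after": now + ASSERTION_LIFETIME,
    }
    return {"body": body, "signature": _sign(body)}


def idp_attribute_query(subject):
    """Back-channel attribute request from the SP (step 4). A real IdP applies
    an attribute-release policy before answering; this stub releases everything."""
    return ATTRIBUTES.get(subject, {})


class ServiceProvider:
    def __init__(self):
        self.seen_assertion_ids = set()  # replay cache

    def validate_assertion(self, assertion, now=None):
        """Returns (subject, 'ok') or (None, reason). Each check is one an SP
        must make before it trusts the assertion's subject."""
        body, signature = assertion["body"], assertion["signature"]
        if not hmac.compare_digest(_sign(body), signature):
            return None, "bad signature"
        if body["issuer"] != IDP_ENTITY_ID:
            return None, "untrusted issuer"
        if body["audience"] != SP_ENTITY_ID:
            return None, "wrong audience"
        now = time.time() if now is None else now
        if not body["not_before"] <= now < body["not_on_or_after"]:
            return None, "outside validity window"
        if body["id"] in self.seen_assertion_ids:
            return None, "replayed assertion"
        self.seen_assertion_ids.add(body["id"])
        return body["subject"], "ok"

    @staticmethod
    def access_policy(attrs):
        """Step 5 application policy: faculty, or students in Film327."""
        return ("faculty" in attrs.get("eduPersonAffiliation", [])
                or "Film327" in attrs.get("courses", []))

    def handle_return(self, assertion, now=None):
        """Steps 4-5 at the SP: validate, fetch attributes, apply the policy."""
        subject, reason = self.validate_assertion(assertion, now)
        if subject is None:
            return "rejected", reason
        attrs = idp_attribute_query(subject)
        return ("granted", subject) if self.access_policy(attrs) else ("denied", subject)


if __name__ == "__main__":
    sp = ServiceProvider()
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw")]:
        print(user, sp.handle_return(idp_login(user, pw)))
```

Running it grants alice (faculty) and bob (student in Film327) and denies carol; presenting the same assertion twice, presenting it after its window, or altering its subject is rejected before any attribute query is made.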
Saturday Nov 04, 2006
By Rohan Pinto on Nov 04, 2006
There's a lot of buzz around 'user-centric identity' right now: the notion of involving users in the management of their personal information and its use, rather than leaving it to some enterprise or other organization. The folks at the Liberty Alliance have written a whitepaper entitled 'Personal Identity' that shows how Liberty's Identity Federation Framework (ID-FF) and its successor SAML 2.0 can be used to implement user-centric identity, for example a user providing their own identity services via a Liberty-enabled device such as a cellphone. It's a good read. It starts from the basics, so you should be able to follow it even if you're new to Liberty and SAML. On the same topic, John Kemp of Nokia and my esteemed colleague Hubert Le Van Gong will be presenting a webcast on April 12 2006 at 8am Pacific. PLEASE NOTE: registration is required and limited to the first 100 respondents! The last webcast on the Liberty People Service 'sold out' very quickly, so get in there straight away if you're interested. If you're too late, don't despair - the webcast will be available in archive form after the event. I'll update this entry with the URL once it's online. To register for the webcast, follow these steps.
- Go to http://projectliberty.webex.com
- Under the heading Attend a Meeting, click Register
- Search for centric
- Select User Centric Identity: Success Today and click on the Register button. (Don't bother clicking on the link - it doesn't lead anywhere useful!)
- Fill out the required information and click Register Now at the bottom of the page.
Please email Tricia DeHart of the Liberty Alliance Project with any questions.