No, we looked at the JISC managed service when it was first released with full intention of signing up. But found out they didn't do scripted attributes which we absolutely needed for the Talis Aspire Entitlement values. Then we found out about the Overt one. The bridge to authenticate to Azure was an extra bonus! (https://www.overtsoftware.com/adfs-shibboleth-bridge/)
No, you've got the wrong end of the stick - we can't have the Azure IdP registered in the uk federation - they don't like the fact that it's domain is not owned by us - also there is no management of metadata in a file as there is with Shib, effectively the metadata (ACS and entityID) is embedded in the application object. "It's SAML, Jim, just not quite as we know it" . We use the Azure IdP to authenticate SPs we don't have registered in the federation, like Blackboard and eVision, Topdesk etc. (As well as authenticating the Shib IdP there)
If you want to have a chat about this it may be better to drop us a skype appointment.
Cheers
Andy
-----Original Message-----
From: Discussion list for Shibboleth developments <[log in to unmask]> On Behalf Of Alistair Young
Sent: 05 November 2018 10:49
To: [log in to unmask]
Subject: Re: SAML/OIDC auth
Overt isn't the JISC Managed IdP Service then? That's the one I looked at that didn't do scripted attributes and it's in the cloud. Overt seems an interesting option and it even has a glowing quote on the site ;)
Perhaps I'll have a chat with them as we need non LDAP attributes from the SRS too.
By multiple IdP's I mean multiple entry points (the SP needs to know where to send the request). The login screen may be the same but the routes in are different? e.g. for resource X choose Shibboleth IdP, for resource Y and Z choose Azure IdP. Each with their own metadata in the fed?
cheers,
Alistair
________________________________________
From: Discussion list for Shibboleth developments <[log in to unmask]> on behalf of Andy Swiffin (Staff) <[log in to unmask]>
Sent: 05 November 2018 10:15:53
To: [log in to unmask]
Subject: Re: SAML/OIDC auth
The cloud Shibboleth IdP we use does do scripted attributes. You can have anything you had on premise - we just sent our resolver to them and they converted it for V3.
We use https://www.overtsoftware.com/overt-idp/
I'm not sure what you mean by multiple IdPs? Are you meaning having the Shibboleth IdP and also using the Azure IdP? If so, the Shibboleth IdP does all it's authentication through the Azure IdP, the users _only ever see_ the O365/Azure login screen. There is no choice of where you login it's all just the one place. But it doesn't matter whether you go to a shibboleth protected resource or an O365 Azure one, you then get SSO over the whole lot anyway.
Since the desktop folks rolled out the new Windows 10 desktop (fairly recently), these are all Azure joined and you don't even need to do a browser login, at least with Edge, IE and Chrome.
Cheers
Andy
-----Original Message-----
From: Discussion list for Shibboleth developments <[log in to unmask]> On Behalf Of Alistair Young
Sent: 05 November 2018 09:46
To: [log in to unmask]
Subject: Re: SAML/OIDC auth
if you have multiple IdPs, how do you manage the user experience? Do they only see one, or do they need to choose? How do they choose if they see more than one? Or is everything done through WAYFless?
I looked at the cloud offering but it doesn't do scripted attributes and our suppliers have a weird and wonderful set of attribute requirements.
cheers,
Alistair
________________________________________
From: Discussion list for Shibboleth developments <[log in to unmask]> on behalf of Andy Swiffin (Staff) <[log in to unmask]>
Sent: 01 November 2018 14:56:16
To: [log in to unmask]
Subject: Re: SAML/OIDC auth
Azure is _already_ a SAML IdP - you don't need to do anything to make it one!
To use it, for each SP, you need to create an "Enterprise Application" object in portal.azure.com, you put the entityID of the SP and it's ACS in there and you can customize the attributes that are going to be released in there too. There is no place to put metadata like you would in shib. From that object you get a URL for the IdP metadata to give to the SP. Bingo - job done. I was a bit gobsmacked when I was able to hook up the shibboleth SP under my desk to Azure and it all worked just the same as against a shib IdP (that was about 18 months ago and we haven't looked back!).
Attribute transformation isn't as flexible as the shibboleth resolver so there may be some things you want to do that you can't. But it's fine for bog standard things like Blackboard that just want basic authentication and a couple of identifying attributes.
For everything else we've kept the Shib IdP, but it's in the cloud and we don't have to do anything to maintain it any more. As I say - it authenticates against Azure - BUT - it does an ldap lookup through a tunnel to get the attributes from an adlds instance on-prem. We are musing over whether to ship up some more bits to Azure to get rid of that reliance as AIUI the Overt IdP can now get the attributes it needs from Azure too. It would be nice to get rid of any reliance on local infrastructure. Azure does have a fairly limited attribute set for putting things in and you can't extend it - but we reckon there's enough. We reckon we could do a lot of things by Group membership - "if member of X release Y in ePE"
You should have come to our presentation at the Teams event in Nottingham in July, we were talking about this there. You can have the slides if you like (but they aren't very standalone).
Cheers
Andy
-----Original Message-----
From: Discussion list for Shibboleth developments <[log in to unmask]> On Behalf Of Alistair Young
Sent: 01 November 2018 14:38
To: [log in to unmask]
Subject: Re: SAML/OIDC auth
thanks Andy,
that's pretty much what we're working towards. Do you have Azure working as a SAML IdP or is there one of them in the cloud too?
If Azure is an IdP, is it 'easy' to generate attributes from existing ones? e.g. generating entitlements from DNs?
Alistair
________________________________________
From: Discussion list for Shibboleth developments <[log in to unmask]> on behalf of Andy Swiffin (Staff) <[log in to unmask]>
Sent: 01 November 2018 14:32:40
To: [log in to unmask]
Subject: Re: SAML/OIDC auth
Our cloud Shib IdP authenticates against Azure, but not oidc, it does it using SAML . We also have several other things both on-prem and cloud authenticating using SAML against Azure. E.g. our on-prem Blackboard which uses the Shibboleth SP now authenticates against Azure (we moved it from Shibboleth), ditto SITS eVision and a few other things.
When a user authenticates to a shibboleth resource they get redirected to the O365 login screen, but not if the user is already directly authenticated to Azure (O365 etc). Hence we get SSO between Shib resources and Azure resources, it doesn't matter which one you go to first.
They've just rolled out the new windows 10 student desktop and they're all Azure joined - so now there's no browser authentication needed at all - if you login to one of those machines you're into everything by SSO anyway, using either Edge IE or Chrome.
Cheers
Andy
-----Original Message-----
From: Discussion list for Shibboleth developments <[log in to unmask]> On Behalf Of Alistair Young
Sent: 01 November 2018 13:01
To: [log in to unmask]
Subject: SAML/OIDC auth
Has anyone delegated IdP authentication to OIDC? in particular a Micrososft Azure STS? We have two 'SSO' routes, one SAML, the other Azure OIDC and of course they don't talk to each other but they could if the IdP was registered as an Azure tenant app and switched from LDAP to OIDC for authentication.
So in a typical SAML WBSSO flow, there would be an extra redirect to send the user to the STS and back rather than present a login page for local LDAP authentication. SAML would continue once the claims had come back from the STS in the browser.
I was wondering if anyone has seen this before or whether the I2 IdP supports such an 'sso bridge'? I see there's something called Okta which seems to be very complicated and very expensive but I'd prefer if the IdP could just use the Azure STS for its authentication.
thanks,
Alistair
########################################################################
To unsubscribe from the JISC-SHIBBOLETH list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=JISC-SHIBBOLETH&A=1
The University of Dundee is a registered Scottish Charity, No: SC015096
########################################################################
To unsubscribe from the JISC-SHIBBOLETH list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=JISC-SHIBBOLETH&A=1
########################################################################
To unsubscribe from the JISC-SHIBBOLETH list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=JISC-SHIBBOLETH&A=1
The University of Dundee is a registered Scottish Charity, No: SC015096
########################################################################
To unsubscribe from the JISC-SHIBBOLETH list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=JISC-SHIBBOLETH&A=1
########################################################################
To unsubscribe from the JISC-SHIBBOLETH list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=JISC-SHIBBOLETH&A=1
The University of Dundee is a registered Scottish Charity, No: SC015096
########################################################################
To unsubscribe from the JISC-SHIBBOLETH list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=JISC-SHIBBOLETH&A=1
########################################################################
To unsubscribe from the JISC-SHIBBOLETH list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=JISC-SHIBBOLETH&A=1
The University of Dundee is a registered Scottish Charity, No: SC015096
########################################################################
To unsubscribe from the JISC-SHIBBOLETH list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=JISC-SHIBBOLETH&A=1
|