JISC-SHIBBOLETH Archives, November 2018
Subject: Re: SAML/OIDC auth
From: "Andy Swiffin (Staff)" <[log in to unmask]>
Reply-To: Discussion list for Shibboleth developments <[log in to unmask]>
Date: Mon, 5 Nov 2018 11:04:56 +0000
Content-Type: text/plain
Parts/Attachments: text/plain (173 lines)

No, we looked at the JISC managed service when it was first released with full intention of signing up.  But found out they didn't do scripted attributes which we absolutely needed for the Talis Aspire Entitlement values.  Then we found out about the Overt one.  The bridge to authenticate to Azure was an extra bonus!  (https://www.overtsoftware.com/adfs-shibboleth-bridge/)

No, you've got the wrong end of the stick - we can't have the Azure IdP registered in the UK federation - they don't like the fact that its domain is not owned by us - also there is no management of metadata in a file as there is with Shib, effectively the metadata (ACS and entityID) is embedded in the application object.  "It's SAML, Jim, just not quite as we know it".   We use the Azure IdP to authenticate SPs we don't have registered in the federation, like Blackboard and eVision, Topdesk etc.  (As well as authenticating the Shib IdP there)

If you want to have a chat about this it may be better to drop us a skype appointment.

Cheers
Andy



-----Original Message-----
From: Discussion list for Shibboleth developments <[log in to unmask]> On Behalf Of Alistair Young
Sent: 05 November 2018 10:49
To: [log in to unmask]
Subject: Re: SAML/OIDC auth

Overt isn't the JISC Managed IdP Service then? That's the one I looked at that didn't do scripted attributes and it's in the cloud. Overt seems an interesting option and it even has a glowing quote on the site ;)

Perhaps I'll have a chat with them as we need non LDAP attributes from the SRS too.

By multiple IdP's I mean multiple entry points (the SP needs to know where to send the request). The login screen may be the same but the routes in are different? e.g. for resource X choose Shibboleth IdP, for resource Y and Z choose Azure IdP. Each with their own metadata in the fed?

cheers,

Alistair

________________________________________
From: Discussion list for Shibboleth developments <[log in to unmask]> on behalf of Andy Swiffin (Staff) <[log in to unmask]>
Sent: 05 November 2018 10:15:53
To: [log in to unmask]
Subject: Re: SAML/OIDC auth

The cloud Shibboleth IdP we use does do scripted attributes.   You can have anything you had on premise - we just sent our resolver to them and they converted it for V3.
We use https://www.overtsoftware.com/overt-idp/

I'm not sure what you mean by multiple IdPs?   Are you meaning having the Shibboleth IdP and also using the Azure IdP?   If so, the Shibboleth IdP does all its authentication through the Azure IdP, the users _only ever see_ the O365/Azure login screen.  There is no choice of where you login, it's all just the one place.  But it doesn't matter whether you go to a Shibboleth protected resource or an O365 Azure one, you then get SSO over the whole lot anyway.

Since the desktop folks rolled out the new Windows 10 desktop (fairly recently), these are all Azure joined and you don't even need to do a browser login, at least with Edge, IE and Chrome.

Cheers
Andy



-----Original Message-----
From: Discussion list for Shibboleth developments <[log in to unmask]> On Behalf Of Alistair Young
Sent: 05 November 2018 09:46
To: [log in to unmask]
Subject: Re: SAML/OIDC auth

if you have multiple IdPs, how do you manage the user experience? Do they only see one, or do they need to choose? How do they choose if they see more than one? Or is everything done through WAYFless?

I looked at the cloud offering but it doesn't do scripted attributes and our suppliers have a weird and wonderful set of attribute requirements.

cheers,

Alistair

________________________________________
From: Discussion list for Shibboleth developments <[log in to unmask]> on behalf of Andy Swiffin (Staff) <[log in to unmask]>
Sent: 01 November 2018 14:56:16
To: [log in to unmask]
Subject: Re: SAML/OIDC auth

Azure is _already_ a SAML IdP - you don't need to do anything to make it one!

To use it, for each SP, you need to create an "Enterprise Application" object in portal.azure.com, you put the entityID of the SP and its ACS in there and you can customize the attributes that are going to be released in there too.   There is no place to put metadata like you would in Shib.   From that object you get a URL for the IdP metadata to give to the SP.  Bingo - job done.   I was a bit gobsmacked when I was able to hook up the Shibboleth SP under my desk to Azure and it all worked just the same as against a Shib IdP (that was about 18 months ago and we haven't looked back!).

Attribute transformation isn't as flexible as the shibboleth resolver so there may be some things you want to do that you can't.  But it's fine for bog standard things like Blackboard that just want basic authentication and a couple of identifying attributes.

For everything else we've kept the Shib IdP, but it's in the cloud and we don't have to do anything to maintain it any more.  As I say - it authenticates against Azure - BUT - it does an ldap lookup through a tunnel to get the attributes from an adlds instance on-prem.   We are musing over whether to ship up some more bits to Azure to get rid of that reliance as AIUI the Overt IdP can now get the attributes it needs from Azure too.   It would be nice to get rid of any reliance on local infrastructure.   Azure does have a fairly limited attribute set for putting things in and you can't extend it - but we reckon there's enough.  We reckon we could do a lot of things by Group membership - "if member of X release Y in ePE"

You should have come to our presentation at the Teams event in Nottingham in July, we were talking about this there.  You can have the slides if you like (but they aren't very standalone).

Cheers
Andy


-----Original Message-----
From: Discussion list for Shibboleth developments <[log in to unmask]> On Behalf Of Alistair Young
Sent: 01 November 2018 14:38
To: [log in to unmask]
Subject: Re: SAML/OIDC auth

thanks Andy,

that's pretty much what we're working towards. Do you have Azure working as a SAML IdP or is there one of them in the cloud too?

If Azure is an IdP, is it 'easy' to generate attributes from existing ones? e.g. generating entitlements from DNs?

Alistair

________________________________________
From: Discussion list for Shibboleth developments <[log in to unmask]> on behalf of Andy Swiffin (Staff) <[log in to unmask]>
Sent: 01 November 2018 14:32:40
To: [log in to unmask]
Subject: Re: SAML/OIDC auth

Our cloud Shib IdP authenticates against Azure, but not OIDC, it does it using SAML.  We also have several other things both on-prem and cloud authenticating using SAML against Azure.  E.g. our on-prem Blackboard which uses the Shibboleth SP now authenticates against Azure (we moved it from Shibboleth), ditto SITS eVision and a few other things.

When a user authenticates to a shibboleth resource they get redirected to the O365 login screen, but not if the user is already directly authenticated to Azure (O365 etc).  Hence we get SSO between Shib resources and Azure resources, it doesn't matter which one you go to first.

They've just rolled out the new Windows 10 student desktop and they're all Azure joined - so now there's no browser authentication needed at all - if you login to one of those machines you're into everything by SSO anyway, using either Edge, IE or Chrome.

Cheers
Andy


-----Original Message-----
From: Discussion list for Shibboleth developments <[log in to unmask]> On Behalf Of Alistair Young
Sent: 01 November 2018 13:01
To: [log in to unmask]
Subject: SAML/OIDC auth

Has anyone delegated IdP authentication to OIDC? In particular a Microsoft Azure STS? We have two 'SSO' routes, one SAML, the other Azure OIDC and of course they don't talk to each other, but they could if the IdP was registered as an Azure tenant app and switched from LDAP to OIDC for authentication.

So in a typical SAML WBSSO flow, there would be an extra redirect to send the user to the STS and back rather than present a login page for local LDAP authentication. SAML would continue once the claims had come back from the STS in the browser.

I was wondering if anyone has seen this before or whether the I2 IdP supports such an 'sso bridge'? I see there's something called Okta which seems to be very complicated and very expensive but I'd prefer if the IdP could just use the Azure STS for its authentication.

thanks,

Alistair

########################################################################

To unsubscribe from the JISC-SHIBBOLETH list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/webadmin?SUBED1=JISC-SHIBBOLETH&A=1

The University of Dundee is a registered Scottish Charity, No: SC015096
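The thread's two technical points are that an Azure AD "Enterprise Application" carries the SP's entityID and ACS URL in place of metadata, and that entitlement values could be derived from group membership ("if member of X release Y in ePE"). The following is an added example, not code from the thread, Overt, Shibboleth or Microsoft: it takes a constructed Azure-style SAML assertion and, assuming the SP library has already verified the XML signature, performs the checks that depend on those two registered values (Audience must equal our entityID, SubjectConfirmationData Recipient must equal our ACS URL, validity window must contain the current time) before mapping the group claim to eduPersonEntitlement values. The group claim name, the group ids, the entitlement URIs and the tenant id are assumptions or placeholders, not values from the thread.

```python
"""Post-signature SAML assertion checks plus group -> entitlement mapping.

Added example; not the thread's, Overt's, Shibboleth's or Microsoft's code.
Assumes the signature over the assertion was already verified by the SP.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute name under which Azure AD emits group claims (assumed; confirm
# against what your own tenant actually issues).
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed mapping from Azure AD group object ids to eduPersonEntitlement
# values: "if member of X release Y". All ids and URIs here are placeholders.
GROUP_TO_ENTITLEMENTS = {
    "00000000-0000-0000-0000-0000000000aa": ["urn:mace:dir:entitlement:common-lib-terms"],
    "00000000-0000-0000-0000-0000000000bb": ["urn:example:entitlement:reading-lists"],
}


def parse_saml_time(value):
    """SAML timestamps are UTC ISO-8601 with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion, expected_audience, expected_acs, now):
    """Reject the assertion unless it is for this SP, this ACS, and valid now."""
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        raise ValueError("assertion expired")
    # Audience is the SP entityID registered in the Enterprise Application.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this SP: %r" % audiences)
    # Recipient is the ACS URL registered in the same object; a bearer
    # assertion replayed to a different endpoint must fail here.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        raise ValueError("SubjectConfirmationData/@Recipient does not match our ACS URL")
    scd_expiry = scd.get("NotOnOrAfter")
    if scd_expiry and now >= parse_saml_time(scd_expiry):
        raise ValueError("subject confirmation expired")


def groups_from_assertion(assertion):
    """Return the group ids carried in the groups claim (empty if absent)."""
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUPS_CLAIM:
            groups.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return groups


def entitlements_for(groups):
    """Union of the mapped entitlement values, deduplicated; unknown groups add nothing."""
    values = set()
    for group in groups:
        values.update(GROUP_TO_ENTITLEMENTS.get(group, []))
    return sorted(values)


def process_assertion(xml_text, expected_audience, expected_acs, now):
    """Validate the assertion and return the entitlement values to release."""
    assertion = ET.fromstring(xml_text)
    if assertion.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("expected a saml:Assertion root element")
    check_conditions(assertion, expected_audience, expected_acs, now)
    return entitlements_for(groups_from_assertion(assertion))


# Constructed sample shaped like an Azure AD assertion; tenant id, group ids
# and hostnames are placeholders.
SP_ENTITY_ID = "https://sp.example.ac.uk/shibboleth"
SP_ACS_URL = "https://sp.example.ac.uk/Shibboleth.sso/SAML2/POST"
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2018-11-05T11:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>someone@example.ac.uk</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2018-11-05T11:05:00Z"
          Recipient="https://sp.example.ac.uk/Shibboleth.sso/SAML2/POST"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2018-11-05T10:55:00Z" NotOnOrAfter="2018-11-05T11:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.ac.uk/shibboleth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>00000000-0000-0000-0000-0000000000aa</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-0000-0000-0000000000bb</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-0000-0000-0000000000cc</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(process_assertion(SAMPLE_ASSERTION, SP_ENTITY_ID, SP_ACS_URL,
                            parse_saml_time("2018-11-05T11:00:00Z")))
```

The mapping is deliberately a plain lookup rather than a scripted rule: the thread's point about Azure's limited, non-extensible attribute set is that whatever cannot be expressed as "group membership implies value" still needs the Shibboleth resolver (on-prem or hosted) in front of it. The Audience and Recipient checks are the ones a mis-typed entityID or ACS URL in the Enterprise Application will make fail, so they are the first place to look when a newly registered SP does not work.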