Overview

Enhancements and extensions to the Shibboleth software, together with the creation of a Delegated SAML Authentication Library, have enabled a delegated authentication model among SAML-enabled services. The use case motivating this development was to enable portlets in a uPortal-based portal to access back-end services on behalf of portal users via Shibboleth and this delegation model. This document gives an orientation and specific configuration guidance to deployers who wish to set up a similar environment.

We'll start with a high-level review of the main components and the interactions between them that make delegation happen.

Shibboleth IdP v2.1.3+ with delegation plug-in

The delegation plug-in can be obtained at <http://svn.middleware.georgetown.edu/view/shib-extension/java-idp-delegation/>. It includes installation instructions in the form of a README file (<http://svn.middleware.georgetown.edu/view/shib-extension/java-idp-delegation/trunk/doc/INSTALL.txt?revision=174>).

Shibboleth SP v2.2+

Starting with this version, the SP software contains all of the necessary delegation-related enhancements as well as enhancements to integrate with the Delegated SAML Authentication Library. It is typically deployed in two roles in this delegation scenario: one instance protects the portal (or any user-facing web application making use of the library) and the other protects a back-end Web Service Provider (WSP).

...

This library extends the Apache HTTP Client (v4) in Java with an implementation of the SAML ECP profile. It is used by portlets that need delegated access to proxy a user to a WSP using a SAML-based delegation model. It is available at https://www.ja-sig.org/svn/sandbox/ShibbolethuPortalIntegration/trunk/Delegated%20SAML%20Authentication/

...

This version of uPortal contains enhancements enabling it to provide Shibboleth-delivered attributes, the "delegatable" SAML assertions delivered when users log in to the portal, and selected portions of the relevant IdP's metadata, for use within the portal environment. Portlets using the Delegated SAML Authentication Library must request these from the portal through the portlet API. The SAML Assertion User Attribute provides this capability to uPortal portlets.

...

Note that the swimming lane labeled "SP A - Portal" sometimes refers to the Shibboleth SP itself and sometimes to an action that uPortal takes; they are considered as one actor. The Portlet is given its own swimming lane to highlight the actions it takes. To simplify the development of delegation capability for this portal use case, it was decided that, from the SAML protocol perspective, the portlet, the portal, and SP A would be treated as a single logical security entity.
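The checks a WSP makes on the assertion it receives at the end of this exchange, as an added example in Python (not code from this page, the Shibboleth SP, or the Delegated SAML Authentication Library). It assumes the delegation is expressed with the OASIS SAML V2.0 DelegationRestriction condition, uses a constructed sample assertion, and leaves XML signature verification to the SP.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "del": "urn:oasis:names:tc:SAML:2.0:conditions:delegation"}

# Constructed sample: audience is the WSP, the delegation condition names the portal (SP A).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:del="urn:oasis:names:tc:SAML:2.0:conditions:delegation"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  ID="_example1" Version="2.0" IssueInstant="2010-01-01T12:05:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-01-01T12:05:00Z" NotOnOrAfter="2010-01-01T13:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://wsp.example.edu/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
    <saml:Condition xsi:type="del:DelegationRestrictionType">
      <del:Delegate DelegationInstant="2010-01-01T12:05:00Z">
        <saml:NameID>https://portal.example.edu/shibboleth</saml:NameID>
      </del:Delegate>
    </saml:Condition>
  </saml:Conditions>
</saml:Assertion>"""

def parse_ts(value):  # SAML timestamps are UTC, e.g. 2010-01-01T12:05:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate_delegated_assertion(xml_text, wsp_entity_id, trusted_delegates, now):
    """Return (accepted, reason); assumes the XML signature was already verified."""
    cond = ET.fromstring(xml_text).find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    if cond.get("NotBefore") and now < parse_ts(cond.get("NotBefore")):
        return False, "not yet valid"
    if cond.get("NotOnOrAfter") and now >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "expired"
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if wsp_entity_id not in audiences:
        return False, "WSP is not an intended audience"
    # Every hop in the delegation chain must be an entity this WSP trusts to act for users.
    delegates = [d.findtext("saml:NameID", namespaces=NS).strip()
                 for d in cond.findall("saml:Condition/del:Delegate", NS)]
    if not delegates:
        return False, "no DelegationRestriction condition: direct, not delegated, access"
    untrusted = [d for d in delegates if d not in trusted_delegates]
    if untrusted:
        return False, "untrusted delegate: " + ", ".join(untrusted)
    return True, "ok"
```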

Configuration constants

...