Identity and Access Management
(IAM - Shibboleth)
May 26, 2008
Rationale
The university's existing home-grown, cookie-based authentication system (GLAuth) has security problems and must be replaced. In addition, the university needs to support federated authentication services for interaction with contracted service providers. Existing authentication systems do not support the most prevalent web servers on campus, Apache and IIS, on Linux and Windows. Finally, the university needs to enable its departments and units to consume enterprise attributes for authorization of access in an efficient, scalable and secure manner. Shibboleth has been identified as an appropriate system for addressing these needs. By integrating Shibboleth with the existing credential and attribute stores, we will be able to meet the four identified challenges.
Goals
- Implement Shibboleth 2.0 for single sign-on and group-based authorization. Eliminate the practice of local web pages accepting GatorLink credentials.
- Provide extensive support to departments for their conversions from GLAuth to Shibboleth.
- Refit enterprise applications to use Shibboleth. These include all those using GLAuth and Cosign, as well as PeopleSoft, WebCT, ISIS, WebMail and UF Exchange.
- Use Shibboleth for federated identity management for Library providers, Mobile Campus, the Athletic Association and others to be identified.
- Retire GLAuth and Cosign, the current single sign-on systems.
Project Sponsor
- Dr. Marc Hoit
Impact
End users will see a single place to sign on. All existing cookie-based authentication will be replaced, including GLAuth and Cosign. This will impact over 100 departments and units using these technologies. Enterprise system work will be needed on several major systems. This work varies in complexity but will be transparent to the user.
Lab work will begin in February. A working development model will be in place in March. Preliminary assertions will be identified in March. Implementation of assertions will begin in May. Production infrastructure will be in place in July. Testing will be completed in August. Production services will be available in September. An enterprise system roadmap will be developed during the planning phase, along with a roadmap for sunsetting the GLAuth and Cosign services.
Contacts
- Project Lead: Mike Conlon
- Technical Lead: Eli Ben-Shoshan
- Data and Security Lead: Warren Curry
Presentations
- July 1 (Tuesday), 2:00 PM, room C1-11 of HSC: IAM and Shibboleth
- June 2, Reitz Union
Early Beta Testing: Shibboleth Training Camp
- Why: The purposes of the camp were to have a few Service Providers (SPs) up and running and also have the participants assist in documentation.
- What: In one afternoon, with no prior Shibboleth experience, each group was able to use the Shibboleth IdP services to authorize access to content on their web server using an attribute release policy.
- Who:
  - Apache Group:
    - Academic Technologies (AT)
    - CNS/Networking Services (CNS-NS)
    - College of Agricultural and Life Sciences (IFAS, CALS)
    - College of Dentistry
  - IIS Group:
    - College of Business Administration (CBA)
    - College of Agricultural and Life Sciences (IFAS, CALS)
- When:
  - Apache: Wednesday, June 18, 2008, from 10 a.m. to 1:30 p.m.
  - IIS: Friday, June 20, 2008, from 10 a.m. to 1:30 p.m.
- Where: CNS Conference Room, Bryant Space Science Center (SSRB)
