Using Shibboleth to provide authenticated access for CSU Faculty, Staff, and Students on the SBCC campus Wifi network. Michael Ghens Information Systems Specialist Santa Barbara City College


The Request

How do we allow Faculty, Staff and Students from another institution to access Santa Barbara City College's Wi-Fi, with identity verification, without creating local accounts?

Both Santa Barbara City College and CSU Channel Islands have Shibboleth Identity Solutions and belong to the InCommon Federation

Federation

Both SBCC and CSUCI belong to the InCommon Federation, which allows secure exchange of metadata.

The InCommon Federation is the U.S. education and research identity federation, providing a common framework for trusted shared management of access to on-line resources. Through InCommon, Identity Providers can give their users single sign-on convenience and privacy protection, while online Service Providers control access to their protected resources.

Existing Environment

On SBCC's Side

Aruba Wireless Infrastructure:
• Aruba Controller
• Active Directory
• Shibboleth
• LDAP
• XML

Tasks

• Metadata agreements with CSUCI
• What attributes to be provided (UID, SN, givenName, Mail)
• Create Shibbolized Captive Portal for Aruba Controller
• Set up embedded Shibboleth directory service
• Create Backend authentication logic
• Log user logins

Setting up Shibboleth SP as Captive Portal

• Apache web server
• Shibboleth module
• PHP
• Embedded Directory Service
• Configuring Aruba for external authentication (XML add_user after user verification)

Logging

Used Syslog to capture success/failure

• Centralized Syslog server
• Graylog2 Log Manager

Syslog

Mar 8 12:45:15 wfsp FEDAUTH[701]: ************* logged in with role: student from: https://mckinley.csuci.edu/idp/shibboleth
Mar 8 13:20:22 wfsp FEDAUTH[1428]: ************* logged in with role: student from: https://mckinley.csuci.edu/idp/shibboleth
Mar 8 13:45:42 wfsp FEDAUTH[2044]: ************* logged in with role: student from: https://mckinley.csuci.edu/idp/shibboleth
2013-03-08 12:45:15 INFO Shibboleth-TRANSACTION [120519]: uid (1 values)
2013-03-08 12:45:15 INFO Shibboleth-TRANSACTION [120519]: sn (1 values)
2013-03-08 12:45:15 INFO Shibboleth-TRANSACTION [120519]: givenName (1 values)
2013-03-08 12:45:15 INFO Shibboleth-TRANSACTION [120519]: mail (1 values)
2013-03-08 12:45:15 INFO Shibboleth-TRANSACTION [120519]: }
2013-03-08 13:20:22 INFO Shibboleth-TRANSACTION [120521]: New session (ID: _7a2287c22a43d1dce53e1fb566fa9b67) with (applicationId: default) for principal from (IdP: https://mckinley.csuci.edu/idp/shibboleth) at (ClientAddress: 10.1.65.53) with (NameIdentifier: _e73e638370aa1e8fe3fa89ae77087838) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _5d8800710f2611c58a7156cefa8e1a83)
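Added example, not from the deck: one way the two log formats above could be correlated on the central syslog/Graylog side, in Python. Each FEDAUTH portal login is paired with a Shibboleth SP "New session" record from the same IdP inside a short time window, so a portal grant with no SAML assertion behind it stands out, and logins are counted per IdP and role. The sample lines, usernames, session IDs and the 2013 year are constructed placeholders modelled on the deck's records.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample in the two formats shown in the deck (FEDAUTH captive-portal
# records and Shibboleth SP transaction log). Usernames, session IDs and the
# year are placeholders; the third login deliberately has no SP session.
SAMPLE_LOG = """\
Mar 8 12:45:15 wfsp FEDAUTH[701]: user0001 logged in with role: student from: https://mckinley.csuci.edu/idp/shibboleth
Mar 8 13:20:22 wfsp FEDAUTH[1428]: user0002 logged in with role: student from: https://mckinley.csuci.edu/idp/shibboleth
Mar 8 13:45:42 wfsp FEDAUTH[2044]: user0003 logged in with role: student from: https://mckinley.csuci.edu/idp/shibboleth
2013-03-08 12:45:15 INFO Shibboleth-TRANSACTION [120519]: New session (ID: _sid1) with (applicationId: default) for principal from (IdP: https://mckinley.csuci.edu/idp/shibboleth) at (ClientAddress: 10.1.65.50) with (NameIdentifier: _nid1) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _aid1)
2013-03-08 13:20:22 INFO Shibboleth-TRANSACTION [120521]: New session (ID: _sid2) with (applicationId: default) for principal from (IdP: https://mckinley.csuci.edu/idp/shibboleth) at (ClientAddress: 10.1.65.53) with (NameIdentifier: _nid2) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _aid2)
"""

FEDAUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ FEDAUTH\[\d+\]: (?P<user>\S+) "
    r"logged in with role: (?P<role>\S+) from: (?P<idp>\S+)$")
SESSION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) INFO Shibboleth-TRANSACTION \[\d+\]: "
    r"New session .*\(IdP: (?P<idp>\S+)\) at \(ClientAddress: (?P<ip>\S+)\)")

def parse(log_text, year=2013):
    """Split mixed syslog text into portal logins and SP sessions (year assumed)."""
    logins, sessions = [], []
    for line in log_text.splitlines():
        if m := FEDAUTH_RE.match(line):
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            logins.append({"ts": ts, "user": m["user"], "role": m["role"], "idp": m["idp"]})
        elif m := SESSION_RE.match(line):
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            sessions.append({"ts": ts, "idp": m["idp"], "ip": m["ip"]})
    return logins, sessions

def correlate(logins, sessions, window=timedelta(seconds=5)):
    """Pair each portal login with an SP session from the same IdP created within
    `window`; an unmatched login was granted without an assertion behind it."""
    matched, unmatched = [], []
    for lg in logins:
        hit = next((s for s in sessions if s["idp"] == lg["idp"]
                    and abs(s["ts"] - lg["ts"]) <= window), None)
        (matched if hit else unmatched).append((lg, hit))
    return matched, unmatched

def role_counts(logins):
    """Logins per (IdP, role), taken from the FEDAUTH records."""
    return Counter((lg["idp"], lg["role"]) for lg in logins)

if __name__ == "__main__":
    logins, sessions = parse(SAMPLE_LOG)
    print(role_counts(logins))
    print("unmatched:", [lg["user"] for lg, _ in correlate(logins, sessions)[1]])
```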

[Diagram slide: Aruba Controller -> Captive Portal -> SBCC Login / CSUCI IDP -> Yes / No -> Internet]

Issues

• Session time outs
• Coordination of infrastructure changes
• More relaxed captive portal rules

Alternatives

• Eduroam
• Active Directory Peering
• Radius

Questions?