Month: November 2016

From project to service – introducing the SWITCH edu-ID service

Autumn 2013. Big things start small. An interuniversity working group captures floating ideas around user-centric identities, puts those ideas into a roadmap and proposes a name for it: Swiss edu-ID. The resulting document becomes one cornerstone of the national strategy, approved by the Swiss University Conference in April 2014. But it also marks the beginning of SWITCH’s efforts to implement the proposed Swiss edu-ID roadmap. swissuniversities supports this collaborative effort of SWITCH and the Swiss universities including their libraries.

Autumn 2016. The pilot service Swiss edu-ID V1.0 is around for well over a year. It allowed us to gain first operational experience in numerous pilot projects and a much clearer picture of what is yet to come. We also learned that some services start to rely increasingly on the availability of Swiss edu-ID, while others care more for the latest feature. Time is ripe to give both a home.

This is why SWITCH starts to use a new, distinct branding for the operational service emerging from the Swiss edu-ID project. The new branding honors the roots by keeping “edu-ID” in its name, but it also shows its operational home, adheres to the service naming guidelines of SWITCH and receives proper legal protection. The user-centric identity management service of SWITCH will be called the SWITCH edu-ID service.

You might notice in the not so distant future, that a new service will pop in the service catalogue of SWITCH, or that the “edu-ID login window” will look slightly different. But one thing won’t change: in its heart, the SWITCH edu-ID still carries those ideas captured in autumn 2013 by an interuniversity working group.

Real SSO feeling through the SPNEGO/Kerberos Login Flow for the Shibboleth Identity Provider v3

Windows users can now extend their SSO feeling to the SWITCHaai login page, provided their client is a member of a Windows domain. They no longer need to re-enter their username and password they’ve already entered to log in to the Windows desktop. Actually, Kerberos enabled non-Windows clients like Linux or Mac could profit of such enhanced SSO, too.

The Shibboleth Identity Provider (IdP) achieves this through SPNEGO-based Kerberos authentication (i.e. password-less web authentication via Kerberos). While version 2 of the Shibboleth IdP supported this through an extension, the Shibboleth IdP version 3 provides built-in support through the SPNEGO/Kerberos Login Flow authentication mechanism.

The SPNEGO/Kerberos Login Flow module was developed in co-operation by SWITCH and the Fachhochschule Nordwestschweiz (FHNW). As the FHNW already developed the extension for the IdP v2, they brought their existing experience into the project to re-implement the same functionality for IdP v3. Eventually, the SPNEGO/Kerberos Login Flow got an integral part of the Shibboleth Identity Provider version 3.2.0 in November 2015 and has been available since then.

The SPNEGO/Kerberos Login Flow has proven to run successfully on the IdPs of the Fachhochschule Nordwestschweiz and the Pädagogische Hochschule Bern, since these IdPs were migrated to IdP v3.

To use the SPNEGO-based authentication, the following prerequisites must be fulfilled:

  • A Kerberos infrastructure must be available (e. g. a Windows domain).
  • The IdP server must be registered as a Kerberos service at the Kerberos Key Distribution Center (KDC).
  • Kerberos client software must be installed on the IdP server.
  • The Shibboleth Identity Provider software must be configured accordingly.
  • The web browsers on the clients require specific configuration to use this authentication method.

Organisations being interested in using the SPNEGO-based authentication on their own IdP can find comprehensive documentation in the Shibboleth Wiki: SPNEGO/Kerberos Login Flow

SPNEGO-based authentication is also offered as an option to the Identity Provider Hosting service provided by SWITCH.