Swiss edu-ID Update Event 2017

Save the date: Thursday 29 June 2017

This year the focus is on an update about the Swiss edu-ID project and the SWITCH edu-ID service, whose deployment starts in 2017.
Note that no SWITCHaai-specific topics are planned.

The event will take place on June 29, 11:00 – 16:15, in Berne at UniS, Schanzeneckstrasse 1, room A-126.

Preliminary Programme:

11:00 – 12:00   SWITCH edu-ID for beginners (for people not already familiar with SWITCH edu-ID)

12:00 – 13:15   Arrival of afternoon participants and lunch
(afternoon participants are warmly welcome to join us for lunch)

13:15 – 14:30   Pilots and current project status

14:30 – 14:55   Coffee break

14:55 – 16:15   Status, migration strategies, roadmap and next steps

16:15           End of event

 

Update 2016-06-01: Registration site with updated agenda

Real SSO feeling through the SPNEGO/Kerberos Login Flow for the Shibboleth Identity Provider v3

Windows users can now extend their SSO experience to the SWITCHaai login page, provided their client is a member of a Windows domain. They no longer need to re-enter the username and password they have already entered to log in to the Windows desktop. Kerberos-enabled non-Windows clients such as Linux or macOS can benefit from this enhanced SSO as well.

The Shibboleth Identity Provider (IdP) achieves this through SPNEGO-based Kerberos authentication, i.e. password-less web authentication via Kerberos: instead of a password, the browser presents a Kerberos service ticket for the IdP in the HTTP "Negotiate" authentication scheme. While version 2 of the Shibboleth IdP supported this only through an extension, version 3 provides built-in support through the SPNEGO/Kerberos Login Flow authentication mechanism.

The SPNEGO/Kerberos Login Flow module was developed in cooperation between SWITCH and the Fachhochschule Nordwestschweiz (FHNW). As FHNW had already developed the extension for IdP v2, they brought that experience into the project to re-implement the same functionality for IdP v3. The SPNEGO/Kerberos Login Flow eventually became an integral part of the Shibboleth Identity Provider with version 3.2.0 in November 2015 and has been available since then.

The SPNEGO/Kerberos Login Flow has been running successfully on the IdPs of the Fachhochschule Nordwestschweiz and the Pädagogische Hochschule Bern since these IdPs were migrated to IdP v3.

To use the SPNEGO-based authentication, the following prerequisites must be fulfilled:

  • A Kerberos infrastructure must be available (e.g. a Windows domain).
  • The IdP server must be registered as a Kerberos service at the Kerberos Key Distribution Center (KDC), i.e. a service principal of the form HTTP/<idp-hostname> whose keytab is deployed on the IdP server.
  • Kerberos client software must be installed on the IdP server.
  • The Shibboleth Identity Provider software must be configured accordingly.
  • The web browsers on the clients require specific configuration to use this authentication method, typically adding the IdP's hostname to the browser's list of sites trusted for Negotiate authentication; without it, the browser will not present a Kerberos ticket to the IdP.
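
A practical check that follows from the mechanism described above and from the browser prerequisite in the list: when SPNEGO login fails, look at the Authorization header the browser actually sent to the IdP. The script below is an added example and not code from the original post, from SWITCH or from the Shibboleth project. It decodes the Negotiate token, walks the GSS-API/SPNEGO DER framing (RFC 2743, RFC 4178) to list the offered mechanisms, and flags tokens the IdP cannot complete: Java's GSS-API (which the IdP uses) implements Kerberos and SPNEGO only, not NTLM, so a raw NTLMSSP message or a SPNEGO token listing only NTLMSSP is a client-side problem (not domain-joined, no ticket for the HTTP/ service principal, or hostname not trusted for Negotiate). The sample headers are constructed, not captured; the placeholder AP-REQ is not a valid Kerberos message; the function names and the "first listed mechanism" heuristic in kerberos_usable are this example's own assumptions.

```python
import base64

# GSS-API mechanism OIDs (DER content bytes) seen in browser "Negotiate" tokens.
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (legacy Microsoft variant)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5", NTLMSSP_OID: "ntlmssp"}


def _tlv(tag, content):
    """Minimal DER encoder: one tag byte, definite-form length, content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(buf, pos=0):
    """Minimal DER decoder: returns (tag, content, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_spnego_init(mech_oids, mech_token):
    """GSS-API InitialContextToken (RFC 2743) carrying a SPNEGO NegTokenInit (RFC 4178)."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, oid) for oid in mech_oids))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token)))
    return _tlv(0x60, _tlv(0x06, SPNEGO_OID) + _tlv(0xA0, neg_init))


def classify_authorization(header_value):
    """Classify the Authorization header a browser sent in reply to 'WWW-Authenticate: Negotiate'."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    result = {"scheme": scheme, "kind": "unknown", "mechs": []}
    if scheme != "negotiate":
        result["kind"] = "not-negotiate"
        return result
    data = base64.b64decode(token)
    if data.startswith(b"NTLMSSP\x00"):              # bare NTLM message, no GSS framing at all
        result.update(kind="raw-ntlm", mechs=["ntlmssp"])
        return result
    tag, body, _ = _read_tlv(data)
    if tag != 0x60:
        return result
    oid_tag, oid, pos = _read_tlv(body)
    if oid_tag != 0x06:
        return result
    if oid in (KRB5_OID, MS_KRB5_OID):               # Kerberos AP-REQ without the SPNEGO wrapper
        result.update(kind="raw-krb5", mechs=[MECH_NAMES[oid]])
        return result
    if oid != SPNEGO_OID:
        return result
    # [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
    _, neg_token, _ = _read_tlv(body, pos)
    _, neg_init, _ = _read_tlv(neg_token)
    _, mech_types, _ = _read_tlv(neg_init)
    _, mech_seq, _ = _read_tlv(mech_types)
    mechs, p = [], 0
    while p < len(mech_seq):
        _, mech_oid, p = _read_tlv(mech_seq, p)
        mechs.append(MECH_NAMES.get(mech_oid, mech_oid.hex()))
    result.update(kind="spnego", mechs=mechs)
    return result


def kerberos_usable(result):
    """Can the IdP's Java GSS acceptor (Kerberos and SPNEGO only, no NTLM) complete this token?"""
    if result["kind"] == "raw-krb5":
        return True
    # Heuristic (assumption): the optimistic mechToken belongs to the first listed mechanism, so a
    # browser listing NTLMSSP first got no Kerberos ticket for the IdP's HTTP/<hostname> principal.
    return result["kind"] == "spnego" and result["mechs"][:1] in (["krb5"], ["ms-krb5"])


# Constructed sample headers (not captured from a real IdP). The Kerberos "AP-REQ" is a placeholder.
_PLACEHOLDER_APREQ = _tlv(0x60, _tlv(0x06, KRB5_OID) + b"\x01\x00" + b"<AP-REQ placeholder>")
_PLACEHOLDER_NTLM = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2"


def _negotiate(token):
    return "Negotiate " + base64.b64encode(token).decode()


SAMPLE_HEADERS = {
    "domain_joined": _negotiate(build_spnego_init([KRB5_OID, MS_KRB5_OID, NTLMSSP_OID], _PLACEHOLDER_APREQ)),
    "no_ticket": _negotiate(build_spnego_init([NTLMSSP_OID], _PLACEHOLDER_NTLM)),
    "raw_ntlm": _negotiate(_PLACEHOLDER_NTLM),
    "raw_krb5": _negotiate(_PLACEHOLDER_APREQ),
    "basic": "Basic dXNlcjpwYXNz",
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        r = classify_authorization(header)
        print(f"{name:14} {r['kind']:14} {r['mechs']} kerberos_usable={kerberos_usable(r)}")
```

Feed it a real header copied from the browser's developer tools or from a request log on the IdP: a domain-joined client with a ticket lists krb5 first, while a token that starts with "TlRMTVNTUAAB" (raw NTLMSSP) or lists only ntlmssp will never authenticate against the IdP, whatever the server-side configuration.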

Organisations interested in using SPNEGO-based authentication on their own IdP can find comprehensive documentation in the Shibboleth Wiki: SPNEGO/Kerberos Login Flow

SPNEGO-based authentication is also offered as an option of the Identity Provider Hosting service provided by SWITCH.

SWITCHaai Transition to Shibboleth Identity Provider v3 is 80% complete

Back in May 2015, the Shibboleth Consortium announced July 31st 2016 as the end-of-life date for the IdPv2 code base. The redesigned IdPv3.1.1 has been available since March 2015. One month later, SWITCH published the initial version of the SWITCHaai-specific IdPv3 installation guide. In June and September 2015, SWITCH offered well-attended IdP training courses [4] on how to configure IdPv3. Since then, the number of IdPv3 installations has gradually increased, reaching the 80% level just at the beginning of the autumn semester 2016.

Continue reading “SWITCHaai Transition to Shibboleth Identity Provider v3 is 80% complete”

Trust in federated AAI: with a particular attention to SWITCHaai

SWITCHaai has a long and successful history in enabling access to hundreds of mainly academic web resources by reusing the authentication mechanisms at the heart of participating organisations.

When I joined the SWITCHaai team a couple of years ago, I noticed two things about trust: a) it was just there, and b) no one talked about it. "Trust is established when no one talks about it anymore", someone said. It made me wonder how such a unique construction could be there and just work. There must have been many detailed questions that had to be resolved to get to that point! My curiosity was piqued, so I started delving into this fascinating topic. How come all of these many service providers, identity providers, end users, organisations and federation partners, commercial or not, just do what the others expect from them and don't break trust?

Let’s start with an overview of the roles within an identity federation and their particular expectations towards each other and the federation as a whole. Continue reading “Trust in federated AAI: with a particular attention to SWITCHaai”

AAI & Swiss edu-ID Update Event 2016

Thursday 30 June 2016, Berne

Details & Registration

Would you like to know more about the

  • current status of AAI and interfederation
  • OpenID Connect
  • Multi-Factor Authentication
  • Single logout with IdPv3

or more about the

  • Swiss edu-ID architecture
  • new pilots and use cases
  • integration and follow-up project plans?

Then we would like to invite you to this event with an AAI Update in the morning (10:15 – 12:00)
followed by a Swiss edu-ID Update in the afternoon (13:15 – 16:15).

 

Release Attributes for Science!

LIGO, the Laser Interferometer Gravitational-Wave Observatory, recently announced that their project had detected ripples in the fabric of spacetime, confirming a prediction made 100 years ago by Einstein. Many teams collaborated to achieve this result, and behind the scenes they rely on effective federated identity management.

What this means, in the simplest terms, is that scientists rely on the ability of research services to obtain attributes about their users from their Home Organisations. However, as REFEDS (Research and Education Federations) points out in an important blog entry, this is not at all smooth sailing.

Continue reading “Release Attributes for Science!”

AAI & Swiss edu-ID Update 2016

Save the Date: Thursday 30 June 2016

This year the joint update event of SWITCHaai & Swiss edu-ID will take place for the third time, a little earlier than usual, on June 30, and as always in Berne.

Note the date in your agenda for this all-day event, where you will get up-to-date information about SWITCHaai, Swiss edu-ID version 2.0 and migration scenarios, as well as the opportunity to exchange with IdM/IAM specialists and those responsible for services at other institutions.

Registration information follows later in this blog, AAI mailinglists and the Swiss edu-ID newsletter (swit.ch/swisseduid-announce).

Bye-bye Guest IdP – Welcome Swiss edu-ID

Since February 2012, SWITCH has operated the Guest Login Identity Provider (Guest IdP), which allowed users without a regular AAI account to access certain services. The Guest IdP also allowed something that was otherwise not possible with SWITCHaai: quick and easy self-registration to access AAI services.

Continue reading “Bye-bye Guest IdP – Welcome Swiss edu-ID”

New SWITCH story: “Empowering Swiss research”

The Swiss edu-ID project is partly funded through the funding programme P-2 of swissuniversities. The project manager of P-2, Roland Dietlicher, shares his views on the achievements and challenges of the funding programme P-2 in the latest SWITCH story. In doing that, he also covers the importance of the academic identity Swiss edu-ID to the success of the P-2 programme.

Less hassle, less effort

The Swiss edu-ID can help with a range of problems. The latest SWITCH story highlights two examples:

  • Swissbib allows searching most of the Swiss libraries and repositories at once. Users can specify favourite libraries, save reading lists, view their search history and much more. Since Swiss edu-ID users can keep their account for an unlimited time, they no longer lose account data when their employment or student status changes, as is the case with SWITCHaai.
  • Roberto Mazzoni, Head of User Services in the Central IT Department at the University of Zurich, points out specific advantages of the Swiss edu-ID over the current situation with SWITCHaai: it simplifies identity management processes and reduces the risk of creating duplicate identities.

Please follow this link to access the SWITCH story.

Testing Alternatives to Shibboleth

The technical functions of a Swiss edu-ID service consist of two main building blocks: access management (AM) and identity management (IdM). Within the SWITCHaai federation, the core of the AM functionality is provided by Shibboleth, while the IdM processes are implemented at the universities with a variety of products.

While it is clear that the Swiss edu-ID has to be compatible with SWITCHaai, which product stack it should be based on is essentially an open question. Between November 2014 and January 2015, SWITCH conducted a request for information (RFI) to get an overview of the current AM (and partly IdM) products on the market. The RFI showed that both Shibboleth and ForgeRock OpenAM are valid candidates for building the AM functions of the Swiss edu-ID framework. Continue reading “Testing Alternatives to Shibboleth”

How to get the Organisation Display Name of an AAI User as “Free” Attribute

Have you ever wanted to show the organisation name of an authenticated AAI user in a web application protected by a Shibboleth Service Provider? For example on an event registration web page, in order to see from which organisations users registered, or, as in the screenshot below, to show authenticated users which of their potentially many AAI accounts they have logged in with?

(Screenshot: LoggedInAAIUser)

Continue reading “How to get the Organisation Display Name of an AAI User as “Free” Attribute”