GÉANT Shibboleth OIDC plugin
SpeakerHenri Mikkonen
TrackTrack 2 -- Lille Scene
DescriptionDuring the past few years, OpenID Connect (OIDC) has been become a popular choice for implementing single sign-on to Web and native applications via trusted third party. Even though it has many similarities with SAML, especially the trust relationship establishment and validation processes are quite different. The GÉANT 4-2 project's task "Next Generation Trust and Identity Technology Development" has participated in drafting how an identity federation could be built with OIDC around federation operator. The specification draft is called OpenID Connect Federation (OIDCfed).
Even if the OIDCfed would gain popularity very quickly, the SAML will not be disappearing anytime soon. In practise this means that both protocols will need to be supported for quite some time. Ideally same existing software would support both of these technologies, as system administrators are already used to operating identity providers in a federation with their preferred software. In many countries, Shibboleth has been very common choice for running the identity provider in research & education federations: for instance in Finnish Haka
and Swiss SWITCH-AAI almost all IdPs are run on Shibboleth. For the mentioned reasons, we have seen important that Shibboleth IdP would support the OIDC protocol. The implementation project started on Spring 2017 and its main goal has been to implement the standard OICD and OIDCfed support natively on Shibboleth IdP.
This talk will focus on the implementation project: how it all started and how it has been progressing during the past 1.5 years. We will also demonstrate the technical details, including how the OIDC features are configured using the familiar Shibboleth configuration files.
Even if the OIDCfed would gain popularity very quickly, the SAML will not be disappearing anytime soon. In practise this means that both protocols will need to be supported for quite some time. Ideally same existing software would support both of these technologies, as system administrators are already used to operating identity providers in a federation with their preferred software. In many countries, Shibboleth has been very common choice for running the identity provider in research & education federations: for instance in Finnish Haka
and Swiss SWITCH-AAI almost all IdPs are run on Shibboleth. For the mentioned reasons, we have seen important that Shibboleth IdP would support the OIDC protocol. The implementation project started on Spring 2017 and its main goal has been to implement the standard OICD and OIDCfed support natively on Shibboleth IdP.
This talk will focus on the implementation project: how it all started and how it has been progressing during the past 1.5 years. We will also demonstrate the technical details, including how the OIDC features are configured using the familiar Shibboleth configuration files.
Presentation documents
All talks
- A Smart Data Transfer Node
- A more stable Internet in Sweden with the Särimner and Internet Access projects
- A new LMS - not just a system change but a Salsa network!
- AARC Blueprint
- Asian R&E networks racing to 100Gbps connectivity
- Building a flexible framework for advanced security analysis
- CEDIA: The Evolution of the Network in Ecuador
- Campus Network as-a-service
- Can 5G and the Campus Network Play Together?
- Challenges with the Open Science Paradigm
- Closing Remarks
- Commons Conservancy Approach
- DFN-Cloud Federated Community Cloud Services
- Decentralized DDoS Mitigation
- Defining the Nordic contribution to EOSC
- Developing and Ensuring of Joint Best Security Practices and Compliance with Finnish Universities
- EPOC: A Community Hub for Science Engagement
- ESnet and Science Engagement
- Encrypting Data in the Cloud – Challenges and Possibilities
- Enhancing connectivity across the continents with Arctic Connect cable project.
- Entanglement and QKD
- EuWireless: designing a 5G network for research
- FileSender’s practical experiences with open source software sustainability.
- Follow the money: Building partnerships with funding bodies for research engagement
- Functional Stupidity at Work. The Power and Pitfalls of Narrow Thinking in Organizations
- Funet 2020 - The Next Generation Network for Finnish Research and Education
- Funet NFV Firewall Concept
- Funet powered playground for DC-students
- GNA and Future Steps
- GNA: A South African Perspective
- Governance in Clouds
- GÉANT Shibboleth OIDC plugin
- How has the GDPR changed things?
- IRTtools, for a diverse & distributed environment
- Improving your MANRS
- InAcademia. Simple Validation Service
- Indefensible Neighbors
- Introduction - A Pan-European Cloud Service Brokerage Mode
- Irish Experiences with National Cloud Service Brokering
- Legal Aspects of Cloud Computing
- Linking ISMs and Operational Security
- Making Educational Video Interactive
- Managed services for access management
- Measures to Enhance Wireless Networks at Campuses
- Media services - Layers and levels of integration
- Meeting Biological Data Requirements in ELIXIR Finland
- NAV in a Network-Management-as-a-service context
- NREN 3.0 - How to regain the Innovation Edge
- NREN Governance: Let’s Play the Game for the Future of Digital Services
- Natural hazards and ground movements studied by satellite radar interferometry: Iceland results and requirements on data transport, storage and computing
- Networked music performance and education: NTNU and UiO are teaming up
- Networking the SKA: big pipes to remote places
- New federation architecture, software platform, and mode of deployment in WAYF
- Next Steps for the European Network
- OIDC federation
- Opportunities for Baltic ring: results of the Baltic Sea Regional Study
- Programmable Privacy-Preserving Network Measurement for Network Traffic Analytics and Troubleshooting
- Quantum secure optical SDN-enabled networks
- Results of 3 years of Norwegian higher education cloud programme
- Revealing the Truth by Measuring Multimedia Delay
- Scaling Addressing - IPv6/IPv4 prefix slicing for resiliency, topology discovery, dos mitigation and more.
- Supporting FAIR data
- The EISCAT_3D project: Nordic Network Challenge
- The Future of Internet - From Inside the Core, Looking Out
- The Good, the Bad, and the Ugly: Strange and Extreme Research Networking. Moderator: Martin Bech
- The NORDUnet Next Generation Network, the Path Towards a Shared Nordic Infrastructure
- The Pacific Research Platform: Making High-Speed Networking a Reality for the Scientist
- Towards NeIC becoming global role model for cross-border e-Infrastructure collaborations
- Trends in Disaggregation and Open Line Systems
- WebRTC meeting service for educational and research society
- Welcome to Helsingør and to NDN2018
- Welcome to Iceland and NORDUnet2020
- What to Expect of Upcoming Optical Transmission System?
- Why are we still having issues with video
- eIDAS
- eduVPN: a security and privacy enhancement service
- eduroam sucks