Child pages
  • Meeting Notes - 2008-06-10 at UCD


  • The Burton Group did a study of identity management for UCD in 2006; they are going forward with selected recommendations and increasing the emphasis on Health System issues.
  • The campus is looking at various implementation issues as they migrate from their legacy system.
  • The Health System didn't get much attention in the Burton Group study.
    • Most applications do their own identity management.
    • They have a mainframe and lots of Windows and Citrix. There aren't very many web applications, so Shibboleth isn't a major driver.
  • The campus and Health System are merging their Active Directory forests.
  • Next steps are to identify resource needs and to educate departments.

Shibboleth 2.0

Tom Poage and Matt Elder gave an overview of the 2.0 release of Shibboleth.

  • Shibboleth 2.0 uses SAML 2.0, so it should be much more compatible with commercial SAML implementations. Liberty Alliance, Google Apps for Education, Cardspace, and ADFS have been tested.
  • Installation has been simplified, particularly for IIS. There is no upgrader from Shibboleth 1.3, however; the differences are too fundamental.
  • New IdP features
    • The installation process now automatically generates keys, certificate requests, metadata, etc.
    • The attribute resolver and filtering are now more flexible.
    • The IdP can now be integrated in JAAS, the Java Authentication and Authorization Service, rather than using the REMOTE_USER web server environment variable.
  • New SP features
    • The installation process now automatically generates keys, certificate requests, metadata, etc.
      • Also, there is a standard URL that can be used to harvest an SP's metadata.
    • Metadata can be filtered.
    • There is support for protocols other than SAML 2.0.
    • There is better support for clustering.
  • Discovery services (i.e., WAYF) can now be chained, and SPs can provide their own discovery services, based on metadata.
  • Manageability
    • Much of the metadata can be updated without a restart.
    • The protocol has been simplified. It no longer requires a "call-back" for attributes. This should help with firewall interactions.
  • Single Logout has been implemented, but there are still a lot of issues.
  • Benefits for UC
    • Broader commercial support for SAML 2.0
    •
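The SP-side metadata filtering and metadata-driven discovery mentioned above, as an added example that is not from the meeting notes or from the Shibboleth project's code: a Python function that parses a constructed SAML 2.0 metadata document, rejects it once its validUntil has passed, and keeps only whitelisted IdPs that advertise SAML 2.0 for the discovery list (the entityIDs and hostnames are made up).

```python
# Added example (not from the meeting notes or Shibboleth): build a minimal
# SP-side discovery list from SAML 2.0 metadata, applying two of the filters
# an SP would use: reject expired metadata, keep only whitelisted IdPs.
# The metadata document below is constructed for illustration only.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example-campus.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:Organization>
      <md:OrganizationDisplayName xml:lang="en">Example Campus</md:OrganizationDisplayName>
    </md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example-campus.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.unknown.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def discovery_entries(metadata_xml, allowed_entity_ids, now=None):
    """List (entityID, display name) of SAML 2.0 IdPs this SP will offer.

    Rejects the whole document once validUntil has passed (stale metadata
    is not trusted) and keeps only IdP entityIDs on the SP's whitelist."""
    root = ET.fromstring(metadata_xml)
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("metadata lacks validUntil; refusing to trust it")
    expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    if expiry <= (now or datetime.now(timezone.utc)):
        raise ValueError("metadata expired at " + valid_until)
    entries = []
    for ent in root.findall("md:EntityDescriptor", NS):
        eid, idp = ent.get("entityID"), ent.find("md:IDPSSODescriptor", NS)
        # Skip SPs, entities not on the whitelist, and IdPs without SAML 2.0
        if idp is None or eid not in allowed_entity_ids:
            continue
        if SAML2 not in idp.get("protocolSupportEnumeration", "").split():
            continue
        name = ent.findtext("md:Organization/md:OrganizationDisplayName",
                            default=eid, namespaces=NS)
        entries.append((eid, name))
    return sorted(entries)
```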