TUTORIAL: GÉANT OIDC-Plugin for Shibboleth IdP (Separate Registration Required)
Time 10/15/18 01:00PM-05:00PM
During the past few years, OpenID Connect (OIDC) has become a popular choice for implementing single sign-on to Web and native applications via a trusted third party. For SAML2, Shibboleth IdP is one of the most widely deployed open source identity providers in our communities. Within the GÉANT 4-2 project's task "Next Generation Trust and Identity Technology Development" we have set as one of our goals providing a native-like OpenID Connect extension for Shibboleth IdP. Reaching this goal would benefit the numerous existing SAML2 Shibboleth IdP deployments by turning them into OIDC Providers (OPs) as well.
For the attendees of the tutorial on the OIDC extension, we will provide pre-prepared virtual machines with Shibboleth IdP already installed. The tutorial is divided into the following sections.
OIDC extension project developer resources:
We first introduce the project in general, its wiki, support channels and access to the source code.
We then install the OIDC extension on top of a standard Shibboleth IdP installation.
Trust Management & OP configuration.
The provided virtual machines include an OIDC Relying Party (RP) that needs to establish a trust relationship with the Shibboleth OP. We first look at the dynamic registration options and configure the OP to accept the RP's dynamic registration requests. We then disable dynamic registration and establish trust by adding the RP to the OP's local metadata file. This section also covers general OP configuration.
We configure one or more of the authentication methods in the OP with OIDC-specific principals, so that the authentication method is selected based on the requested authentication context class reference (acr). This section covers both essential and non-essential acrs.
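To make the distinction between essential and non-essential acrs concrete, the following added example (written for this page, not code from the Shibboleth OIDC extension) shows the OP-side selection logic as OpenID Connect Core 1.0 defines it: an RP asks for acrs either voluntarily through the acr_values parameter, or as an essential claim through the claims parameter (id_token.acr with "essential": true). A voluntary request the OP cannot satisfy may fall back to a default method, as long as the acr claim in the ID Token reflects what was actually used; an essential request that cannot be satisfied must be treated as a failed authentication. The acr-to-flow mapping, client identifiers and request strings are constructed for the example.

```python
"""Selecting an authentication flow from the acr values an OIDC RP requests.

Illustrative example only; the Shibboleth OIDC extension's own configuration
is not shown here. Behaviour follows OpenID Connect Core 1.0, sections
3.1.2.1 (acr_values) and 5.5.1.1 (requesting the acr claim).
"""
import json
from urllib.parse import parse_qs, urlencode

# Hypothetical OP configuration: which local authentication flow satisfies
# which acr. The flow names are assumptions; the REFEDS MFA URI is a real
# profile identifier, the iap:silver URN is used as a further example.
ACR_TO_FLOW = {
    "https://refeds.org/profile/mfa": "authn/MFA",
    "urn:mace:incommon:iap:silver": "authn/Password",
    "password": "authn/Password",
}
# Used when the RP requests nothing the OP can satisfy, and the request was voluntary.
DEFAULT_FLOW, DEFAULT_ACR = "authn/Password", "password"


def requested_acrs(query):
    """Return (acr_list, essential) for an authentication request query string.

    The claims parameter wins over acr_values, because only the claims
    parameter can mark the acr as essential; acr_values is always voluntary.
    """
    params = parse_qs(query)
    if "claims" in params:
        acr_req = json.loads(params["claims"][0]).get("id_token", {}).get("acr")
        if acr_req is not None:
            if "values" in acr_req:
                values = list(acr_req["values"])
            elif "value" in acr_req:
                values = [acr_req["value"]]
            else:
                values = []
            return values, bool(acr_req.get("essential", False))
    if "acr_values" in params:
        return params["acr_values"][0].split(), False
    return [], False


def select_flow(query):
    """Pick (flow, acr) for the request.

    Returns (None, None) when an essential acr cannot be satisfied: the OP
    must then fail the authentication rather than silently downgrade.
    """
    acrs, essential = requested_acrs(query)
    for acr in acrs:  # the RP lists acrs in order of preference
        flow = ACR_TO_FLOW.get(acr)
        if flow is not None:
            return flow, acr
    if essential and acrs:
        return None, None
    # Voluntary request (or no request): fall back, and report the acr actually used.
    return DEFAULT_FLOW, DEFAULT_ACR


def _request(**params):
    """Build a constructed authentication request query string for the examples."""
    base = {"response_type": "code", "client_id": "rp1", "scope": "openid",
            "redirect_uri": "https://rp.example.org/cb"}
    base.update(params)
    return urlencode(base)


# Constructed sample requests.
VOLUNTARY = _request(acr_values="urn:mace:incommon:iap:silver password")
VOLUNTARY_UNKNOWN = _request(acr_values="urn:example:unknown")
ESSENTIAL_OK = _request(claims=json.dumps(
    {"id_token": {"acr": {"essential": True, "values": ["https://refeds.org/profile/mfa"]}}}))
ESSENTIAL_FAIL = _request(claims=json.dumps(
    {"id_token": {"acr": {"essential": True, "values": ["urn:example:unknown"]}}}))

if __name__ == "__main__":
    for name, query in [("voluntary", VOLUNTARY), ("voluntary-unknown", VOLUNTARY_UNKNOWN),
                        ("essential-ok", ESSENTIAL_OK), ("essential-fail", ESSENTIAL_FAIL)]:
        print(name, select_flow(query))
```

The check worth taking away is the `(None, None)` branch: an OP that maps an unsatisfiable essential acr onto its default password flow has quietly defeated the step-up the RP asked for.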
We introduce the OIDC encoders for attribute definitions. We also cover the different response types and their impact on attribute availability (whether a claim can be delivered in the ID Token or only from the UserInfo endpoint), and how to write robust attribute resolvers.
We introduce the new attribute filtering options to be used with OIDC RPs: how to combine the OIDC-specific options with the existing ones, and what can be expected from the OIDC filtering options.
In this section we introduce how the subject identifier (the sub claim) is generated. We study the provided configuration files and make modifications to them.
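As an added example of what subject identifier generation involves (written for this page; it is not the Shibboleth OIDC extension's own implementation), the code below implements the two subject types defined in OpenID Connect Core 1.0 section 8: a public identifier that is the same for every RP, and a pairwise identifier that is different per sector, so that RPs cannot correlate a user across services. The sector identifier is derived as the specification describes (the host of sector_identifier_uri when registered, otherwise the single host shared by all redirect_uris), and the pairwise value is a salted SHA-256 over sector and local account ID, which is the method the specification gives as an example. The RP metadata, user IDs and salt are constructed; a real OP needs a long random salt that never changes once issued, since changing it changes every user's sub at every pairwise RP.

```python
"""Public and pairwise subject identifiers (OIDC Core 1.0, section 8).

Illustrative example only. The salt below is a constructed placeholder; in a
real OP it must be a long random secret that is kept stable for the lifetime
of the deployment.
"""
import base64
import hashlib
from urllib.parse import urlsplit

SALT = b"constructed-example-salt-do-not-reuse"


def sector_identifier(client_metadata):
    """Derive the sector identifier from RP metadata (a dict, constructed here).

    If sector_identifier_uri is registered, its host is the sector. Otherwise
    all redirect_uris must share one host, which becomes the sector. If they
    span several hosts without a sector_identifier_uri, pairwise identifiers
    cannot be issued and registration must be refused.
    """
    uri = client_metadata.get("sector_identifier_uri")
    if uri:
        return urlsplit(uri).hostname
    hosts = {urlsplit(u).hostname for u in client_metadata["redirect_uris"]}
    if len(hosts) != 1:
        raise ValueError("redirect_uris span multiple hosts; sector_identifier_uri required")
    return hosts.pop()


def pairwise_possible(client_metadata):
    """True if a pairwise sub can be issued to this RP under section 8.1 rules."""
    try:
        sector_identifier(client_metadata)
        return True
    except ValueError:
        return False


def subject_identifier(local_id, client_metadata):
    """Return the sub claim value for local account local_id at the given RP."""
    if client_metadata.get("subject_type", "public") == "public":
        return local_id
    sector = sector_identifier(client_metadata)
    # '|' never occurs in a hostname and the salt has fixed length, so the
    # concatenation is unambiguous even if local_id itself contains '|'.
    material = sector.encode() + b"|" + local_id.encode() + SALT
    digest = hashlib.sha256(material).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


# Constructed RP metadata for the examples.
RP_A = {"client_id": "rp-a", "subject_type": "pairwise",
        "redirect_uris": ["https://app.example.org/cb", "https://app.example.org/cb2"]}
RP_B = {"client_id": "rp-b", "subject_type": "pairwise",
        "redirect_uris": ["https://other.example.net/cb"]}
RP_MULTI = {"client_id": "rp-multi", "subject_type": "pairwise",
            "redirect_uris": ["https://a.example.com/cb", "https://b.example.com/cb"],
            "sector_identifier_uri": "https://example.com/sector.json"}
RP_BROKEN = {"client_id": "rp-broken", "subject_type": "pairwise",
             "redirect_uris": ["https://a.example.com/cb", "https://b.example.com/cb"]}
RP_PUBLIC = {"client_id": "rp-pub", "subject_type": "public",
             "redirect_uris": ["https://pub.example.org/cb"]}

if __name__ == "__main__":
    for rp in (RP_PUBLIC, RP_A, RP_B, RP_MULTI):
        print(rp["client_id"], subject_identifier("alice", rp))
    print("rp-broken pairwise possible:", pairwise_possible(RP_BROKEN))
```

Two RPs with different sectors receive unrelated values for the same user, while two redirect URIs on one host share a sector and therefore a sub; that is the property the configuration files studied in this section exist to control.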
We introduce the new JWK (JSON Web Key) signing credentials.
We familiarize attendees with the provided profile configuration options. These can be used to configure RP-specific behaviour of the OP, such as token lifetimes.
By the end of the tutorial attendees should know how the OIDC extension is installed and configured on an existing SAML2 Shibboleth IdP deployment.
Speaker Janne Lauros NORDUnet (Nordic Infrastructure for Research and Education)
Speaker Henri Mikkonen NORDUnet (Nordic Infrastructure for Research and Education)
Primary track Trust & Identity
Secondary tracks Information Security