2019 Technology Exchange


TUTORIAL: GÉANT Shibboleth IdP OIDC Plugin (Separate Registration Required)

Time 12/09/19 08:30AM-04:30PM

Room Napoleon Ballroom A1 (3rd)

Session Abstract

During the past few years, OpenID Connect (OIDC) has become a popular choice for implementing single sign-on to Web and native applications via a trusted third party. On the SAML2 side, Shibboleth IdP is one of the most widely deployed open-source identity providers in our communities. Within the GÉANT 4-2 project we developed a native-like OpenID Connect extension for Shibboleth IdP. In the GÉANT 4-3 project the goal is to maintain the extension and have it integrated upstream into the Shibboleth IdP codebase. Reaching that goal would benefit the numerous existing SAML2 Shibboleth IdP deployments by turning them into OIDC Providers (OPs) as well.

For the attendees of the tutorial on the OIDC extension we will provide pre-prepared virtual machines with Shibboleth IdP already installed. The tutorial will cover:

- Introduction to OIDC -- A short introduction to the protocol.
- Installation -- We install the OIDC extension on top of a standard Shibboleth IdP 3.4 installation.
- Trust Management & OP configuration -- We cover both dynamic and static RP registration.
- Configuring Authentication -- Special characteristics of OIDC when configuring authentication.
- Attribute Definitions -- We introduce OIDC encoders for attribute definitions.
- Attribute Filtering -- We introduce new attribute filtering options to be used with OIDC RPs.
- Subject Identifier -- In this section we introduce how the subject identifier is generated. We study the provided configuration files and make modifications to them.
- Credentials and Security Configuration -- We introduce new JWK signing credentials and algorithm configurations.
- Profile Configurations -- We familiarize attendees with the provided profile configuration options.
- OAuth2 features -- Token revocation, token introspection, and additional flows such as the Device Flow.
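The subject identifier item above is the one that most often surprises SAML operators: an OP may issue either a "public" sub (the same value to every RP) or a "pairwise" sub (a value that differs per RP sector, so two RPs cannot correlate a user by comparing subs). The following is an added illustration of the pairwise derivation described in OpenID Connect Core section 8.1 (SHA-256 over sector identifier, local account id and a salt); it is not code from the GÉANT plugin and does not reproduce the plugin's configuration files. The RelyingParty class, the sample client_ids, hostnames and salt are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class RelyingParty:
    """Minimal stand-in for an RP registration (constructed for this example)."""
    client_id: str
    redirect_uris: Tuple[str, ...]
    sector_identifier_uri: Optional[str] = None
    subject_type: str = "pairwise"  # "public" or "pairwise" (OIDC Core 8)


def sector_identifier(rp: RelyingParty) -> str:
    """Host that partitions pairwise identifiers (OIDC Core 8.1).

    If the RP registered a sector_identifier_uri, its host is the sector.
    Otherwise all redirect_uris must share one host, and that host is used;
    redirect URIs on several hosts without a sector_identifier_uri are a
    registration error and must not silently collapse into one sector.
    """
    if rp.sector_identifier_uri:
        return urlparse(rp.sector_identifier_uri).hostname
    hosts = {urlparse(u).hostname for u in rp.redirect_uris}
    if len(hosts) != 1:
        raise ValueError(
            f"{rp.client_id}: redirect_uris span several hosts; "
            "sector_identifier_uri is required"
        )
    return hosts.pop()


def subject_identifier(rp: RelyingParty, local_account_id: str, salt: str) -> str:
    """Return the 'sub' claim the OP would issue to this RP for this account.

    public   -> the local account id itself (correlatable across RPs)
    pairwise -> SHA-256(sector || local_account_id || salt), the method
                given as an example in OIDC Core 8.1; the salt is a secret
                held by the OP so RPs cannot brute-force account ids.
    """
    if rp.subject_type == "public":
        return local_account_id
    sector = sector_identifier(rp)
    material = f"{sector}{local_account_id}{salt}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


if __name__ == "__main__":
    # Constructed sample registrations: two RPs in different sectors, and a
    # third that shares app.example.org's sector via sector_identifier_uri.
    rp_a = RelyingParty("rp-a", ("https://app.example.org/cb",))
    rp_b = RelyingParty("rp-b", ("https://other.example.net/cb",))
    rp_c = RelyingParty(
        "rp-c",
        ("https://app2.example.org/cb",),
        sector_identifier_uri="https://app.example.org/sectors.json",
    )
    salt = "example-op-secret-salt"  # constructed; in a real OP this is secret
    for rp in (rp_a, rp_b, rp_c):
        print(rp.client_id, subject_identifier(rp, "alice", salt))
```

Running the block shows that rp-a and rp-c receive the same sub for the same account while rp-b receives a different one; that is exactly the correlation boundary the sector identifier is meant to draw, and it is why the sector_identifier_uri (or the single redirect host) deserves as much scrutiny at registration time as the redirect_uris themselves.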

By the end of the tutorial, attendees should know how the OIDC extension is installed and configured on an existing Shibboleth (SAML) IdP deployment.


Speaker: Henri Mikkonen, CSC - IT Center for Science

Speaker: Arto Tuomi, NORDUnet (Nordic Infrastructure for Research and Education)

Primary track: InCommon

Secondary tracks: Information Security
