To understand the function and work of ITS Identity Management, it’s important to know several key terms, processes and services associated with this group. This post highlights Shibboleth, Web Single Sign-On, Federation and 2-Step Verification. This is part of a continuing series about ITS Identity Management.
What is Shibboleth?
Shibboleth is the official UNC-Chapel Hill campus solution for Web Single Sign-On. Shibboleth started out as an Internet2 community project around 2000, with its first release in 2003. ITS deployed its first Shibboleth installation around 2008. Since then, Shibboleth has seen steady adoption across campus.
Shibboleth is based on the Security Assertion Markup Language (SAML) standard. It can interoperate with other SAML-based authentication systems.
Identity Management hosts and maintains the Shibboleth Identity Provider (IdP), also known as sso.unc.edu, which provides the login page, performs the Kerberos authentication step and fetches identity data from LDAP to return to an application. Each application owner maintains the corresponding Shibboleth Service Provider (SP), which is responsible for maintaining the local Shibboleth session and for passing the identity attributes on to the application itself.
What is Web Single Sign-On?
Web Single Sign-On (SSO) is a process that centrally manages login sessions for web applications. Identity Management manages the authentication decision centrally so that each application doesn’t have to do so individually. The username and password are supplied only to the central login page. Identity Management provides central logging for compliance and auditing purposes. Most of the University’s important web-based applications use this, including ConnectCarolina, Sakai, the Library and Student Affairs applications.
What is Federation?
Federation allows institutions to share authentication systems across institutional borders. For instance, the National Institutes of Health (NIH) has a website that enables faculty members at UNC-Chapel Hill to apply for a grant. When users go to the NIH site, they are prompted for their home institution. Users are then redirected to the sso.unc.edu authentication page, where they log in with their Onyen and password. After successfully authenticating, they are redirected back to the NIH site with a successful authentication handle and any identity information that the NIH requests about the user that is necessary for the application process.
Thus, institutions can share authentication and prevent another NIH-specific username and password from having to be maintained.
UNC-Chapel Hill participates in several federations made up of multiple institutions, including InCommon, eduGain and the UNC-GA Federation.
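The IdP/SP division of labour and the federation exchange described above, as an added example that is not UNC ITS code or Shibboleth project code: a small Python model in which the SP sends the user to the home institution's IdP, the IdP checks the password (standing in for Kerberos) and releases attributes (standing in for LDAP) in a signed assertion, and the SP validates issuer, signature, audience, request binding, expiry and replay before opening its own local session. Signatures are HMAC-SHA256 over canonical JSON as a stand-in for SAML's XML signatures, and every entity id, key, user and attribute is constructed for the example.

```python
# Added example, not UNC ITS or Shibboleth project code: a miniature model of
# the Web SSO / federation exchange. HMAC over canonical JSON stands in for the
# SAML XML signature; all entity ids, keys, users and attributes are constructed.
import hashlib
import hmac
import json
import secrets
import time

ASSERTION_LIFETIME = 300  # seconds; a short validity window limits replay


def _sign(key: bytes, payload: dict) -> str:
    """Signature over a canonical serialisation of the assertion body."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Models sso.unc.edu: login page, credential check, attribute release."""

    def __init__(self, entity_id, users, attributes, key):
        self.entity_id = entity_id
        self._users = users            # onyen -> password (Kerberos stand-in)
        self._attributes = attributes  # onyen -> attributes (LDAP stand-in)
        self.key = key

    def login(self, authn_request, onyen, password):
        expected = self._users.get(onyen)
        if expected is None or not hmac.compare_digest(expected, password):
            return None  # bad credentials: no assertion is issued
        body = {
            "id": secrets.token_hex(8),
            "issuer": self.entity_id,
            "audience": authn_request["issuer"],    # only this SP may accept it
            "in_response_to": authn_request["id"],  # bound to one request
            "subject": onyen,
            "attributes": dict(self._attributes.get(onyen, {})),
            "not_on_or_after": time.time() + ASSERTION_LIFETIME,
        }
        return {"body": body, "signature": _sign(self.key, body)}


class ServiceProvider:
    """Models the application-side SP with its own local session store."""

    def __init__(self, entity_id, federation_metadata):
        self.entity_id = entity_id
        self._metadata = federation_metadata  # IdP entity id -> signing key
        self._pending = set()   # request ids awaiting a response
        self._seen = set()      # assertion ids already consumed
        self.sessions = {}      # local session id -> released attributes

    def authn_request(self):
        req = {"id": secrets.token_hex(8), "issuer": self.entity_id}
        self._pending.add(req["id"])
        return req

    def consume(self, assertion, now=None):
        """Return a local session id, or None if any check fails."""
        now = time.time() if now is None else now
        body = assertion["body"]
        key = self._metadata.get(body["issuer"])
        if key is None:
            return None  # issuer is not a trusted federation member
        if not hmac.compare_digest(_sign(key, body), assertion["signature"]):
            return None  # tampered or forged assertion
        if body["audience"] != self.entity_id:
            return None  # issued for a different SP
        if body["in_response_to"] not in self._pending:
            return None  # unsolicited or already-answered request
        if body["not_on_or_after"] < now or body["id"] in self._seen:
            return None  # expired or replayed
        self._pending.discard(body["in_response_to"])
        self._seen.add(body["id"])
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"subject": body["subject"], **body["attributes"]}
        return sid


# Constructed federation metadata: one home institution, one IdP signing key.
IDP_KEY = secrets.token_bytes(32)
IDP = IdentityProvider(
    "sso.unc.edu",
    users={"jdoe": "correct-horse-battery"},
    attributes={"jdoe": {"eduPersonPrincipalName": "jdoe@unc.edu",
                         "affiliation": "faculty"}},
    key=IDP_KEY,
)
FEDERATION_METADATA = {IDP.entity_id: IDP_KEY}
HOME_INSTITUTIONS = {"UNC-Chapel Hill": IDP}  # the "where are you from" step


def federated_login(sp, institution, onyen, password):
    """Whole exchange from the SP's side; returns session attributes or None."""
    idp = HOME_INSTITUTIONS.get(institution)
    if idp is None:
        return None  # institution is not in the federation
    assertion = idp.login(sp.authn_request(), onyen, password)
    if assertion is None:
        return None
    sid = sp.consume(assertion)
    return None if sid is None else sp.sessions[sid]
```

The password never reaches the SP: it is checked only by the IdP, and the SP works purely from the signed assertion and the federation metadata it trusts, which is the property the next section describes as the main security benefit of central SSO.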
Why is Shibboleth important to the University?
Shibboleth is an important time-saver in that application owners don’t have to create their own authentication systems over and over again but can use the central one. Shibboleth also is an important security enhancement because individual applications never store or handle usernames and passwords locally. It is much easier to ensure the centralized system is in compliance with regular security assessments than it would be if there were many authentication systems around campus.
Why should a campus employee, faculty member or student care about Shibboleth?
Web SSO improves the end-user experience: users log in once and are granted access to all SSO-using applications for which they are authorized, without having to re-enter their username and password for the lifetime of the Shibboleth session. It also means there is only one username and password for all participating applications instead of several. There is also one central tool for password management.
How does Identity Management use 2-Step Verification?
One important recent development with Shibboleth is the addition of 2-Step Verification, implemented using Duo. Identity Management is in the initial stages of adoption of this new functionality. Three successful pilot programs are currently using it: improvadmin, the administrative utility that the ITS Service Desk uses to troubleshoot Onyen and Guest ID issues, and Splunk and Grouper, both of which administrators use within and outside of ITS.
Identity Management expects many more sites to begin using Duo in the future. ITS is currently discussing how Duo will roll out to other applications and in what order of priority. Dennis Schmidt, Assistant Vice Chancellor for Infrastructure & Operations, and Chief Information Security Officer Kevin Lanning are leading that effort.