OIDCShibbolethIdP - Training
Date: 10.10.2018 09:30 - 10.10.2018 15:00
Location details: The event is organised at the CSC Training Facilities located in the premises of CSC at Keilaranta 14, Espoo, Finland. The best way to reach us is by public transportation; more detailed travel tips are available.
The fee covers all materials, lunches as well as morning and afternoon coffees.
Payment can be made by electronic invoicing, credit card, or direct bank transfer. Note that for electronic invoicing you need your organization's operator and e-invoicing address (OVT code). Please also note that your organization's invoice reference is needed for electronic invoicing, so please have it available when registering.
The course will be held in Finnish!
During the past few years, OpenID Connect (OIDC) has become a popular choice for implementing single sign-on to web and native applications via a trusted third party. For SAML2, Shibboleth IdP is one of the most widely deployed open source identity providers in our communities. Within the GEANT 4-2 project's task "Next Generation Trust and Identity Technology Development", one of our goals is to provide a native-like OpenID Connect extension for Shibboleth IdP. Reaching this goal would benefit the numerous existing SAML2 Shibboleth IdP deployments by turning them into OIDC Providers (OPs) as well.
The training is intended for Shibboleth IdP administrators.
By the end of the tutorial, attendees should know how the OIDC extension is installed and configured on an existing SAML2 Shibboleth IdP deployment.
Good knowledge of Shibboleth IdP. Own laptop. For the attendees of the tutorial on the OIDC extension, we will provide pre-prepared virtual machines with Shibboleth IdP already installed.
OIDC extension project developer resources:
We first introduce the project in general: the wiki, the support channels and access to the source code.
We will install the OIDC extension on top of a standard Shibboleth IdP installation.
Trust Management & OP configuration.
The provided virtual machines contain an OIDC Relying Party (RP) that needs to establish a trust relationship with the Shibboleth OP. We first go through the dynamic registration options and configure the OP to accept the RP's dynamic registration requests. We then disable dynamic registration and establish trust instead by adding the RP to the OP's local metadata file. In this section we also cover the OP configuration.
We configure one or more of the authentication methods in the OP to carry OIDC-specific principals, so that the authentication method can be selected based on the requested authentication context class reference (acr). This section covers both essential and non-essential acr requests.
We introduce the OIDC encoders for attribute definitions. We also cover how the different response types affect attribute availability, and how to write robust resolvers.
We introduce the new attribute filtering options to be used with OIDC RPs: how to combine the OIDC-specific options with the existing ones, and what can be expected from the OIDC filtering options.
In this section we introduce how the subject identifier is generated. We study the provided configuration files and make modifications to them.
We introduce the new JWK signing credentials.
We familiarize attendees with the provided profile configuration options. Profile configuration options can be used to configure RP-specific behaviour of the OP, such as token lifetimes.