Re: SMAL vs Shibboleth vs CAS

[Kevin Shier]

To use simpleSAMLphp, you do not need shibboleth for something like Moodle, which has an SSO SAML compliant SP plugin. Drupal probably has SP code already available as well.

You would set up SimpleSAMLphp on your network using the IDP setup, so it authenticates against AD. that is your SAML2.0 IDP.

Then, you set up your other websites as SP's to authenticate against the IDP you set up above.

You may want to use Shibboleth for the SP side on your websites, but simpleSAMLphp can also be used as an SP on a website that uses SAML2 IDP to authenticate against your IDP.

Google Apps is a good reference to use. It has SSO as an SP built in, so it can authenticate against your SAML2.0 IDP that you set up with simpelSAMLphp. SimpleSAMLphp IDP even has code embedded that is set up to authorize Google to talk to your IDP, so you don't have to search for the code to get Google Apps working.

It's pretty cool because once your web browser has authenticated to your IDP, it keeps a cookie that ALL websites configured to use your IDP can read, so users going to different websites managed by you can all use the same cookie to log in - hence SSO!

Kevin

On 2011-06-17, at 12:05 PM, Topher Fangio wrote:

Hey Mark,

I've worked with a lot of campuses that use CAS and authenticate against ActiveDirectory. From what I've seen, it is one of the easiest things to get up-and-running.

From what I understand, CAS and SAML both authenticate against some back-end system like AD, or perhaps just a database. CAS and SAML basically provide a layer on top of the actual authentication that handles sessions across multiple services (i.e. web apps).

I just recently began using SAML, but one advantage I believe CAS has over SAML is that CAS has a client-server architecture whereas SAML has a client-server-server architecture. What I mean by that is that if you want to authenticate against an existing CAS server, all you need to do is write the client. SAML requires that you setup your own server to act as a service provider in addition to writing the client integration code. Although the integration code is trivial with SimpleSAMLPHP.

Hope this helps you wrap your head around it :-)

--

Topher Fangio

System Architect
Pharos Resources

office: 325.216.2908
mobile: 325.660.7141

On Fri, Jun 17, 2011 at 10:23 AM, Mark L. <marklo...@gmail.com> wrote:

Howdy folks! I am a Systems/Web Admin with a community college and we
are evaluating different SSO options for our campus network. I have
looked at CAS which seems to meet our needs, but some of our
colleagues are hoping to leverage our use of Active Directory. To that
end I have been researching Active Directory Federated Services
(ADFS). In doing that research I have learned that ADFS 2.0 is SAML
2.0 compliant, while led me to simpleSAMLPHP. We have number of
applications that are written in php (Drupal, Moodle, and some custom
stuff) so my question is can I use simpleSAMLPHP to get my php
applications to authenticate to Active Directory? Along those same
lines does shibboleth play into this scenario? Do I need a shibboleth
server to use simpleSMLPHP, or can it 'talk' directly to ADFS? Sorry
if these questions are elementary, I'm just trying to wrap my brain
around all the moving parts. Thanx in advance!

--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To post to this group, send email to simple...@googlegroups.com.
To unsubscribe from this group, send email to simplesamlph...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/simplesamlphp?hl=en.

--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To post to this group, send email to simple...@googlegroups.com.
To unsubscribe from this group, send email to simplesamlph...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/simplesamlphp?hl=en.

[Tom Scavo]

On Fri, Jun 17, 2011 at 11:23 AM, Mark L. <marklo...@gmail.com> wrote:
>
> I have been researching Active Directory Federated Services
> (ADFS). In doing that research I have learned that ADFS 2.0 is SAML
> 2.0 compliant

Yes, AD FS 2.0 will function as an IdP or an SP.

> while led me to simpleSAMLPHP.

Not sure why? simpleSAMLphp will also function an IdP or an SP, so
it's a competitor for AD FS.

> We have number of
> applications that are written in php (Drupal, Moodle, and some custom
> stuff) so my question is can I use simpleSAMLPHP to get my php
> applications to authenticate to Active Directory?

No, that's not how it works. You deploy simpleSAMLphp as an SP in
front of Drupal (e.g.) and then your SP talks to an IdP. If you
already have AD FS deployed, it might make sense to use it as the IdP.

> Along those same
> lines does shibboleth play into this scenario?

Shibboleth will also function as an SP or IdP.

> Do I need a shibboleth server to use simpleSMLPHP

No, the two are direct competitors.

> or can it 'talk' directly to ADFS?

Don't know what "it" is? If you run AD FS as an IdP, your SP talks to that.

> Sorry
> if these questions are elementary, I'm just trying to wrap my brain
> around all the moving parts.

You need to read up on SAML in general before you try to deploy
anything. I recommend the Technical Overview from OASIS:

http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf

Once that starts to make sense, you can dive into the deployment docs
for the implementations you're interested in (apparently simpleSAMLphp
and AD FS).

Hope that helps,
Tom

[Mark L.]

Howdy folks! I am a Systems/Web Admin with a community college and we
are evaluating different SSO options for our campus network. I have
looked at CAS which seems to meet our needs, but some of our
colleagues are hoping to leverage our use of Active Directory. To that

end I have been researching Active Directory Federated Services

(ADFS). In doing that research I have learned that ADFS 2.0 is SAML

2.0 compliant, while led me to simpleSAMLPHP. We have number of

applications that are written in php (Drupal, Moodle, and some custom
stuff) so my question is can I use simpleSAMLPHP to get my php

applications to authenticate to Active Directory? Along those same
lines does shibboleth play into this scenario? Do I need a shibboleth
server to use simpleSMLPHP, or can it 'talk' directly to ADFS? Sorry

if these questions are elementary, I'm just trying to wrap my brain

around all the moving parts. Thanx in advance!

[Topher Fangio]

Hey Mark,

I've worked with a lot of campuses that use CAS and authenticate against ActiveDirectory. From what I've seen, it is one of the easiest things to get up-and-running.

From what I understand, CAS and SAML both authenticate against some back-end system like AD, or perhaps just a database. CAS and SAML basically provide a layer on top of the actual authentication that handles sessions across multiple services (i.e. web apps).

I just recently began using SAML, but one advantage I believe CAS has over SAML is that CAS has a client-server architecture whereas SAML has a client-server-server architecture. What I mean by that is that if you want to authenticate against an existing CAS server, all you need to do is write the client. SAML requires that you setup your own server to act as a service provider in addition to writing the client integration code. Although the integration code is trivial with SimpleSAMLPHP.

Hope this helps you wrap your head around it :-)

--

Topher Fangio

System Architect
Pharos Resources

office: 325.216.2908
mobile: 325.660.7141

[Mark L.]

Hey guys, thanx so much for the responses. I definitely need to bone
up on the architecture (SP's and IdP's) before I can fully understand
SAML. @TomS thanx for the link to the document. I will read that, and
post back with any questions for further clarification.

On Jun 17, 2:05 pm, Topher Fangio <topher.fan...@pharosresources.com>
wrote:

> Hey Mark,
>
> I've worked with a lot of campuses that use CAS and authenticate against
> ActiveDirectory. From what I've seen, it is one of the easiest things to get
> up-and-running.
>
> From what I understand, CAS and SAML both authenticate against some back-end
> system like AD, or perhaps just a database. CAS and SAML basically provide a
> layer on top of the actual authentication that handles sessions across
> multiple services (i.e. web apps).
>
> I just recently began using SAML, but one advantage I believe CAS has over
> SAML is that CAS has a client-server architecture whereas SAML has a
> client-server-server architecture. What I mean by that is that if you want
> to authenticate against an existing CAS server, all you need to do is write
> the client. SAML requires that you setup your own server to act as a service
> provider in addition to writing the client integration code. Although the
> integration code is trivial with SimpleSAMLPHP.
>
> Hope this helps you wrap your head around it :-)
>
> --
> Topher Fangio
>
> System Architect
> Pharos Resources
>
> office: 325.216.2908
> mobile: 325.660.7141
>

[Peter Schober]

* Mark L. <marklo...@gmail.com> [2011-06-20 14:34]:

> Hey guys, thanx so much for the responses. I definitely need to bone
> up on the architecture (SP's and IdP's) before I can fully understand
> SAML. @TomS thanx for the link to the document. I will read that, and
> post back with any questions for further clarification.

My 2� (one each ;)

Personally I wouldn't deploy different systems for intranet/campus-SSO
(like CAS) and federated SSO (SAML2) today. This means using SAML2
also for campus websso, IMO.
Not only does this reduce the number of SSO/authen/security systems to
run, upgrade and maintain, it'll also help with questions like which
system (campus SSO or federated SSO) local applications should
integrate with (and what happens if their audience changes, e.g. now
also including people from other institutions) -- there's only one,
usable for all cases. Federation should be considered the norm, and
campus-SSO is simply a (not so special) special case of that, which
you'll get for free with federation.

The other comment being that even if MS ADFS can function as a
SAML2.0 IdP and/or SP I would ask around and try out other projects
(such as SimpleSAMLphp and Shibboleth). Only because some vendor
"supports" some protocol or feature doesn't mean it'll work great or
be implemented in a scalable way.
I'm not saying this is the case with M$, as I don't know a thing about
their software, just that this turned out to be the case with other
products and implementations (e.g. where you had to manually import a
public key and supply metadata via a graphical GUI for every entity
you want to federate with; as compared to the automagical
runtime-configuration based on SAML2.0 metadata that SimpleSAMLphp and
Shibboleth have, for example.)

cheers,
-peter

[Peter Schober]

* Mark L. <marklo...@gmail.com> [2011-06-22 15:44]:
> OK guys, I've did some reading a white boarding off and on for an hour
> or two at a time over the last week. So just for a sanity check I
> would like to clarify Service Provider (SP) and Identity Provider
> (IdP).

You should probably have a look at some SAML primer instead of doing
all that on the SimpleSAMLphp list, but anyway...

> IdP-The IdP does authentication, and thats all it does. It verifies
> you are who you say your are and gives you a 'ticket' or 'token'
> which is then passed on to the SP, which will redirect you to your
> application.

Mostly. The IdP will usually set a session cookie with the webbrowser
after successful authentication (this is what enables "single
sign-on") and will hand out SAML assertions (your "tokens") to SPs,
usually via the webbrowser.
Note that an IdP can also act as an attribute authority and answer to
attribute queries, though SimpleSAMLphp doesn't implement this, AFAIR.

> SP-All the SP does is verify that you have a valid ticket/token, and
> then redirects you on to your application(s).

Generally. The SAML assertion often contains attributes and these will
have to be made available to the application (or the application
integration code) somehow, depending on the implementation.
The SP will also enforce that only correctly authenticated and
authorized users will be able to access some resource, so session
initiatiion is also a part.

> A user/web browser will only authentication/communicate with the IdP
> one time during a users session. If a user is using multiple
> applications that are SSO aware, after the first authentication with
> the IdP the users ticket/token is valid for the entire user session,
> and for other SSO aware applications.

See above. Each new SP will get its own SAML assertion and establish
its own sessions, but since I have a session with the IdP (via an HTTP
cookie) I don't have to explicitly login each time.
-peter

[Mark L.]

OK guys, I've did some reading a white boarding off and on for an hour
or two at a time over the last week. So just for a sanity check I
would like to clarify Service Provider (SP) and Identity Provider
(IdP).

IdP-The IdP does authentication, and thats all it does. It verifies
you are who you say your are and gives you a 'ticket' or 'token' which
is then passed on to the SP, which will redirect you to your
application.

SP-All the SP does is verify that you have a valid ticket/token, and
then redirects you on to your application(s).

A user/web browser will only authentication/communicate with the IdP
one time during a users session. If a user is using multiple
applications that are SSO aware, after the first authentication with
the IdP the users ticket/token is valid for the entire user session,
and for other SSO aware applications.

On Jun 20, 11:12 am, Peter Schober <peter.scho...@univie.ac.at> wrote:
> * Mark L. <marklockl...@gmail.com> [2011-06-20 14:34]: