SAML Set-Up [WIP]

What is SAML and what do we use it for? How to set-up a new application with SAML

What is SAML?

SAML is an acronym used to describe the Security Assertion Markup Language (SAML). Its primary role in online security is that it enables you to access multiple web applications using one set of login credentials. It works by passing authentication information in a particular format between two parties, usually an identity provider (idP) and a web application.

What is Shibboleth?

Shibboleth is a web-based software tool that supports single sign-on (SSO) between two applications or between two organizations. It is an open-source tool and mainly used for Single Sign-On (SSO) using SAML protocol.

What is an SP, IdP and Attribute?

Service Provider (SP) - An SP is a web service that provides services/resources to a user that has been authorized to use it (Alma, LibGuides, etc.)
Identity Provider (IdP) - An IdP acts as a data source for user information and acts as an authenticator to validate users before they can access the SP
SAML Attribute - An Attribute is a means for delivering information to the Service Provider about the authenticated user after logging into the application/resource

Minimum SAML Attributes Required

Minimal Attribute Bundle
- Name Identifier: SAML2 Transient NameID
- User Attribute: eduPersonScopedAffiliation

This translates to using these two attributes:

User attribute #1: eduPersonTargetedIDUser attribute #2: eduPersonScopedAffiliation

Found here: https://kb.wisc.edu/helpdesk/page.php?id=76827 under Default Attribute Release For Wisconsin Federation.

We use eduPersonTargetedID because it is a persistent, non-reassigned, opaque identifier for a principal. We want to limit passing PII (Personal Indentifiable Information) to our SPs. Using eduPersonTargetedID the adminstrators of the system cannot trace that value back to a person.

EPPN alone may not be Sensitive or Restricted, but in combination with first/last name it could be classified as Sensitive or Restricted. We recommend not using EPPN because of this.

DoIT has also created a base32-encoded version (no special characters) of the eduPersonTargetedID; the name is urn:oid:1.3.6.1.4.1.214.52.1.290 / wiscEduPairwiseID, an example value is "G3O3UG6KOFXHXTIKVNJ4B3BCSL57XYQM".

Internal Application (Staff use only) Set-up: can use email and eduWisconsinLibraryPatronID

External Set-up: Use Minimal Attribute Bundle

Set-up a new Application with SAML

NetID Login Service and Wisconsin Federation Attribute Information

https://kb.wisc.edu/helpdesk/page.php?id=76827

https://login.wisc.edu/metadata/attribute-map.xml

href="/Shibboleth.sso/Session"

https://www.ibm.com/docs/en/was/8.5.5?topic=SSEQTP_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/cwbs_samluserattributes.htm

https://data.wisc.edu/core-person-data-domain/

https://en.wikipedia.org/wiki/Principle_of_least_privilege

https://wiki.refeds.org/display/STAN/eduPerson+2020-01#eduPerson202001-eduPersonTargetedID

Keywords	saml, sso, single-sign on, shibboleth, authentication, attributes, Suggest keywords	Doc ID	129415
Owner	Kyle S.	Group	Libraries
Created	2023-06-29 12:59:01	Updated	2024-03-21 15:05:05
Sites	UW-Madison Libraries
Feedback	0 0 Comment Suggest a new document