SSL, certificates and security with Shibboleth: Difference between revisions

From RavenWiki
Jump to navigationJump to search
(Work in progress)
 
No edit summary
Line 1: Line 1:
http is insecure, in that the traffic between endpoints can be snooped and that neither endpoint has any reason to believe anything about the other. Layering http traffic over SSL (a.k.a. TLS for the purposes of this document) can protect the traffic in transit and allows one, and optionally both, endpoints to positively identify the other. Implementing SSL typically requires some software, some configuration, and an key and corresponding certificate.  
http is insecure, in that the traffic between endpoints can be snooped and that neither the client nor the server has any reason to believe anything about the other. Layering http traffic over SSL (a.k.a. TLS for the purposes of this document) can protect the traffic in transit and allows at least the client, and optionally the client and the server, to positively identify the other. Implementing SSL typically requires some software, some configuration, and an key and corresponding certificate.  


In a Shibboleth deployment there are three places where SSL can or must be used:
In a Shibboleth deployment there are three places where SSL can or must be used:
* To protect communication directly between an SP and an IdP
* To protect communication directly between an SP and an IdP
* To protect communication with special 'Protocol Endpoints' which the SP software responds to automatically an to which the user's browser is directed during authentication
* To protect communication with special 'Protocol Endpoints' which the SP software responds to automatically and to which the user's browser is directed during authentication
* To protect general site traffic and the cookies that demonstrate that a iser has authenticated.
* To protect general site traffic and the cookies that represent the user's authenticated state
 
==SP to IdP communication==
 
Under Shibboleth the SPs and IdPs exchange information directly. This conversation is protected by SSL and the identity of the communicating entities is established 
 
==SP protocol endpoints==
 
==General site traffic==
 
 




Revision as of 18:13, 12 March 2009

http is insecure, in that the traffic between endpoints can be snooped and that neither the client nor the server has any reason to believe anything about the other. Layering http traffic over SSL (a.k.a. TLS for the purposes of this document) can protect the traffic in transit and allows at least the client, and optionally the client and the server, to positively identify the other. Implementing SSL typically requires some software, some configuration, and an key and corresponding certificate.

In a Shibboleth deployment there are three places where SSL can or must be used:

  • To protect communication directly between an SP and an IdP
  • To protect communication with special 'Protocol Endpoints' which the SP software responds to automatically and to which the user's browser is directed during authentication
  • To protect general site traffic and the cookies that represent the user's authenticated state

SP to IdP communication

Under Shibboleth the SPs and IdPs exchange information directly. This conversation is protected by SSL and the identity of the communicating entities is established

SP protocol endpoints

General site traffic

https://spaces.internet2.edu/display/SHIB/KeysAndCertificates

Retrieved from "https://wiki.cam.ac.uk/wiki/raven/index.php?title=SSL,_certificates_and_security_with_Shibboleth&oldid=2096"