SSL, certificates and security with Shibboleth

From RavenWiki
Revision as of 18:13, 12 March 2009 by jw35 (talk | contribs)
Jump to navigationJump to search

http is insecure, in that the traffic between endpoints can be snooped and that neither the client nor the server has any reason to believe anything about the other. Layering http traffic over SSL (a.k.a. TLS for the purposes of this document) can protect the traffic in transit and allows at least the client, and optionally the client and the server, to positively identify the other. Implementing SSL typically requires some software, some configuration, and an key and corresponding certificate.

In a Shibboleth deployment there are three places where SSL can or must be used:

  • To protect communication directly between an SP and an IdP
  • To protect communication with special 'Protocol Endpoints' which the SP software responds to automatically and to which the user's browser is directed during authentication
  • To protect general site traffic and the cookies that represent the user's authenticated state

SP to IdP communication

Under Shibboleth the SPs and IdPs exchange information directly. This conversation is protected by SSL and the identity of the communicating entities is established

SP protocol endpoints

General site traffic

https://spaces.internet2.edu/display/SHIB/KeysAndCertificates

Retrieved from "https://wiki.cam.ac.uk/wiki/raven/index.php?title=SSL,_certificates_and_security_with_Shibboleth&oldid=2096"