Sneaking Up On OIDC: How the Big Ten Academic Alliance federated with social IDs (Internet2, 2019-12-11)



  • University of Illinois, Indiana University, University of Iowa, University of Maryland, University of Michigan, Michigan State University, University of Minnesota, University of Nebraska—Lincoln, Northwestern University, Ohio State University, Pennsylvania State University, Purdue University, Rutgers University—New Brunswick, University of Wisconsin—Madison

    Sneaking Up On OIDC: How the Big Ten Academic Alliance federated with social IDs

    Tim Newcomb, Big Ten Academic Alliance

    Keith Wessel, University of Illinois at Urbana-Champaign

    Dedra Chamberlin, Cirrus Identity

  • The Use Case

    • Member schools use federated authentication to access consortium resources

    • A big one used for collaboration is SharePoint

    • We ran our own local SharePoint instance

    • Moving to an enterprise instance run by our host institution, Illinois

  • Bring in the Guests

    • Sometimes a contractor or guest needs access

    • Not part of a member institution

    • On local SharePoint:

      • Manually create guest in back-end database

      • Send guests to a custom login screen

      • Guest authenticates with credentials stored in the local database

    This wasn’t going to fly with the enterprise instance

  • To Social or not to Social

    • Considered adding guest accounts to Illinois Active Directory

    • This would allow them to sign in with Illinois Shibboleth

    • But it’s confusing to tell guests to select Illinois from the login screen

    • And we wanted out of the password management business

    • The obvious choice: social IDs

    • But how?

  • Enter Proxy

    • The plan: use Google for guest authentication

    • SharePoint supports OIDC

    • But other consortium services are running the Shibboleth SP

    • Member schools not yet ready to embrace OIDC

    • We wanted to stick with SAML for now

    • We needed an OIDC to SAML bridge

  • Building a Bridge to Google

    • Illinois already running SimpleSAMLphp

    • Used as a proxy IdP for the three Illinois Campuses

    • If it could proxy SAML, it could proxy other stuff

    • The consortium contracted with Cirrus to build an OIDC client module

  • [Screenshot: Mybtaa.org login page]

  • [Screenshot: Google Login via client module by Mybtaa.org]

  • What just happened?

    • Consortium SPs federated with proxy IdP

    • Proxy IdP registered as OIDC client with Google

    • SP sends SAML authentication request to proxy

    • Proxy initiates OIDC authentication with Google

    • User logs into Google

    • Proxy requests user info from Google

    • Proxy puts OIDC claims into a SAML response

    • User is logged in

  • What claims?

    uid          112287603598948954850

    displayName  Keith Wessel

    givenName    Keith

    sn           Wessel

    mail         Kw********@gmail.com

    eppn         Kw********[email protected]

  • The Technical Bits

    • SSP’s OIDC support is a module developed by Cirrus Identity

    • Easily installed on top of any SSP installation

    • Register the OIDC client with the social provider

    • Configure the client as an SSP authentication source

    • For a multi-protocol bridge, add the new auth source to an SSP IdP configuration
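    The three steps above as SimpleSAMLphp 1.x configuration, an added example for this write-up and not the BTAA proxy's or the module's own configuration. It assumes the module's `authoauth2:OAuth2` source with its `GoogleOIDC` template, placeholder client credentials and key file names, and that the module returns Google's claims under their raw OIDC names (`sub`, `name`, `email`, ...).

```php
<?php
// Added example (not the BTAA proxy's real configuration). Two SimpleSAMLphp
// 1.x config excerpts that implement the three steps on the slide.
// Step 1 happens at Google: register an OAuth client and obtain a client
// ID/secret. Its authorised redirect URI must be the module's linkback
// endpoint; the hostname below is a placeholder and the path should be
// confirmed against the module README:
//   https://proxy.example.edu/simplesaml/module.php/authoauth2/linkback.php

// --- config/authsources.php (Step 2: the module as an SSP auth source) ---
$config['google'] = [
    'authoauth2:OAuth2',
    // Template that presets Google's OIDC endpoints and scopes.
    'template'     => 'GoogleOIDC',
    'clientId'     => 'REPLACE-WITH-CLIENT-ID.apps.googleusercontent.com',
    'clientSecret' => 'REPLACE-WITH-CLIENT-SECRET',
];

// --- metadata/saml20-idp-hosted.php (Step 3: use it from the proxy IdP) ---
$metadata['__DYNAMIC:1__'] = [
    'host'        => '__DEFAULT__',
    'privatekey'  => 'proxy-idp.pem',   // placeholder key/cert file names
    'certificate' => 'proxy-idp.crt',
    // Authenticate SAML requests from consortium SPs with the Google source.
    // A production bridge would usually wrap this and the campus SAML sources
    // in a multiauth:MultiAuth source so users can pick; kept single here.
    'auth' => 'google',
    'authproc' => [
        // Rename Google's claims to the SAML attributes the SPs expect (the set
        // on the "What claims?" slide). Left-hand names are assumed to be the
        // raw claim names; verify what the module returns in your install
        // using the SSP admin "Test authentication sources" page.
        10 => [
            'class' => 'core:AttributeMap',
            // 'sub' is Google's stable account identifier. Use it, not the
            // e-mail address (which the user can change), as the uid the SPs
            // key accounts on; the slide's numeric uid is this value.
            'sub'         => 'uid',
            'name'        => 'displayName',
            'given_name'  => 'givenName',
            'family_name' => 'sn',
            'email'       => 'mail',
        ],
        // Release only what the consortium SPs need; drop any other claims.
        20 => [
            'class' => 'core:AttributeLimit',
            'uid', 'displayName', 'givenName', 'sn', 'mail',
        ],
    ],
];
```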

  • Beyond the Big Ten

    • Illinois couldn’t help but use this for more than just the consortium

    • Other campus groups are using it to easily allow guest researchers and contributors access

    • For any SP already running a discovery interface, trivial to add

    • We plan to add proxies for Facebook and LinkedIn

  • What has happened since the original BTAA-funded project?

    • Success of the OIDC module:

      • Approximately 3,800 installs of the OIDC module

      • 9 different contributors (adding Bitbucket support, OIDC logout)

      • One user is using the module with ID-porten (Norwegian government eID solution) and Feide (Norwegian educational eID solution)

    • Leveraging partnership to benefit the community:

      • University identifies a needed enhancement to an open source project

      • Engages a vendor to perform development and support the work going forward

      • The university, open source project, vendor and larger community all benefit from the partnership

  • SimpleSAMLphp Update

    • SimpleSAMLphp 1.18 just released:

      • Includes sneak peek at new UI for 2.0

      • Major improvements in code maintainability

      • Most modules now external for independent updating

      • If using SSP as a service provider, upgrade ASAP to 1.18 or 1.17.8

    • 1.19 coming soon:

      • Last release before 2.0; includes everything for 2.0 with backwards compatibility

      • Intended for easy migration to 2.0

      • No ETA for 2.0 yet, but soon

  • Resources and Questions

    • The module: https://github.com/cirrusidentity/simplesamlphp-module-authoauth2

    • Questions later:

      • Keith Wessel, [email protected]

      • Tim Newcomb, [email protected]

      • Dedra Chamberlin, [email protected]

    • Questions now?