New features

This migration introduces some of the new features that arrived with Shibboleth IdP version 3.

New Login flow:

As introduced in IdPv3, individual login rules can be established per SP. Many SPs use this to enforce enhanced login requirements or multi-factor authentication (eToken or One-Time Password). A rule can combine configuration options with various web-based interactions. If you require such a setup, please contact us directly. The application security control compliance assessment will also help you determine your website's security requirements.

Single Sign On Session Length:

The new IdP v3 allows each SP to set its own session length.

The production IdP server has a default session length of 60 minutes. You can simply use this value if you would like sessions to time out after 60 minutes; if you prefer a longer session length, the value can be overridden by modifying the shibboleth2.xml file.

To do that, change the lifetime attribute on the following line of shibboleth2.xml.

<Sessions lifetime="120" timeout="120" relayState="ss:mem"
          checkAddress="false" handlerSSL="false" cookieProps="http">

Please note that an SP cannot have a shorter session length than the IdP server's default session length.
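The following is an added example, not part of this notice: a small check that reads the Sessions element of an SP's shibboleth2.xml and reports a lifetime or timeout shorter than the IdP default above, plus the transport-related settings visible on the same line. The entityID and the sample file are constructed, and lifetime/timeout are assumed to use the same unit as the 60 quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample shibboleth2.xml, modelled on the fragment quoted in
# the notice (hypothetical entityID). lifetime/timeout are assumed to use
# the same unit as the IdP default quoted above (60).
SAMPLE_SHIBBOLETH2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="120" timeout="120" relayState="ss:mem"
              checkAddress="false" handlerSSL="false" cookieProps="http"/>
  </ApplicationDefaults>
</SPConfig>
"""

IDP_DEFAULT_SESSION = 60  # production IdP default stated in the notice


def sessions_attrs(xml_text):
    """Return the attributes of the first <Sessions> element, ignoring the namespace."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "Sessions":
            return dict(el.attrib)
    raise ValueError("no <Sessions> element in shibboleth2.xml")


def check_sessions(xml_text, idp_default=IDP_DEFAULT_SESSION):
    """Return a list of findings; an empty list means nothing to fix."""
    attrs = sessions_attrs(xml_text)
    findings = []
    for name in ("lifetime", "timeout"):
        raw = attrs.get(name)
        if raw is None:
            findings.append(f"{name} is not set; the SP software default applies")
        elif not raw.isdigit():
            findings.append(f"{name}={raw!r} is not a positive integer")
        elif int(raw) < idp_default:
            # The notice states an SP cannot be shorter than the IdP default.
            findings.append(f"{name}={raw} is shorter than the IdP default of {idp_default}")
    # Transport settings on the same element: handlerSSL="false" lets the SP
    # handler endpoints be reached over plain HTTP, and cookieProps="http"
    # issues the session cookie without the Secure flag.
    if attrs.get("handlerSSL", "true").lower() != "true":
        findings.append("handlerSSL is not true: handler endpoints accept plain HTTP")
    if attrs.get("cookieProps", "") == "http":
        findings.append('cookieProps="http": session cookie lacks the Secure flag')
    return findings


if __name__ == "__main__":
    for finding in check_sessions(SAMPLE_SHIBBOLETH2_XML):
        print("FINDING:", finding)
```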

Potential Impact

This migration also introduces a new authentication store, Enterprise Active Directory (EAD). All staff, faculty and student UTORids will be authenticated against EAD. A small number of accounts may require password verification and synchronization from the current Kerberos store to EAD. Please note that passwords shorter than 8 characters won't be accepted by EAD; password verification will therefore require users to change their password if it detects one. The new minimum length is 10 characters.

We strongly suggest that users check for themselves that their account can authenticate successfully against EAD before the migration by going to:

https://can.login.utoronto.ca/

Upcoming changes

Application Security Control compliance: ISEA has developed "the minimum web application guidelines". We are asking you to check your compliance against these guidelines by completing and returning this spreadsheet. The guidelines can be found at https://isea.utoronto.ca/policies-procedures/guidelines-2/minimum-web-application-controls/

At this stage, this is a self-assessment, as we all work together to improve the security of our applications at the University. We will randomly respond to some of you with any concerns we identify. If you have questions, please reach out to us.