Steve Colin (Coordinator of the eServices Unit of the Digital Campus of the Haute-Ecole Condorcet) recently produced a manual to help you implement Office 365 authentication by configuring Shibboleth IdP v4.x on Debian-Ubuntu Linux (with Apache2 + Jetty9). This specific configuration is available in a particularly detailed manual in our FAQ pages.
We asked Steve Colin a few questions to get more details about this manual and better understand his approach to sharing knowledge within the academic community.
Can you tell us more about your manual?
This manual makes it possible to use Shibboleth version 4.1 on a Linux operating system (Debian-Ubuntu) in order to join the Belnet Identity Federation and the eduGAIN Federation. It details the implementation of authentication using Azure Active Directory/Office 365.
How did you create this manual, what sources did you use?
This manual was written on the basis of several existing official documents available on the Internet (official Shibboleth documentation, work of the GARR consortium in Italy).
We added comments and explanations that we thought would be useful and that are often missing in open-source world procedures. We also added scripts to generate some of the attributes needed for Identity Federations to work properly.
I wrote it with the help of my colleague Alexandre Bourgeois, System Administrator at the Campus Numérique Hainaut-Enseignement (Haute-Ecole Condorcet) and Pascal Panneels (Belnet).
How did you get the idea of sharing this manual with our community?
The notion of sharing is very important and is a philosophy that we apply daily at the Campus Numérique. I think most higher education institutions have this approach. I also want to make the Identity Federation more accessible to academic partners who are sometimes held back by the idea of the complexity of its deployment. I think the future of education is in co-diplomation, collaboration and exchange. It is therefore important for us to make a technical contribution.
What is the impact of using Office 365 authentication in Shibboleth?
As far as education in the Province of Hainaut is concerned (Haute-Ecole Condorcet, Social Promotion and Secondary Education), it offers the standardisation of our unique and centralised authentication mechanism.
Since the COVID-19 pandemic, we wanted to strengthen this authentication by providing stability, high availability and security. We therefore chose to work with Azure Active Directory authentication (Office 365), which meets these three criteria perfectly. With this in mind, we wanted to link all our tools to this authentication.
First, we evaluated the possibility of joining the Belnet Identity Federation directly using Azure AD. This "direct" solution involved too many attribute conversions and metadata changes. Shibboleth works at this level: configured as a SAML proxy, it makes the junction between Azure AD and the Federation.
Does the installation vary according to the size of the organisation?
I would say that the installation will vary depending on the number of applications the institution wants to link to the Federation. One configuration per application is the ideal situation for flexibility and security. In this way, the distributed attributes are filtered and only those attributes needed by the target application are sent on successful authentication.
For very large institutions, it will be useful to have a cluster of Shibboleth servers to provide the highest availability. We have not chosen to do that at this time and will certainly consider it in the near future.
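To illustrate the "one configuration per application" release policy described above, here is an added example of a Shibboleth IdP v4 attribute-filter.xml fragment (not taken from Steve Colin's manual or from the Shibboleth project); the two service-provider entity IDs, the attribute names and the affiliation scope are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/attribute-filter.xml: one AttributeFilterPolicy per application.
     Attributes not permitted by a matching policy are never released,
     so a service provider with no policy receives nothing (default deny). -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Library portal (assumed entity ID): needs a stable identifier
         and a mail address, nothing else -->
    <AttributeFilterPolicy id="release-to-library">
        <PolicyRequirementRule xsi:type="Requester"
            value="https://library.example.edu/shibboleth" />
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- E-learning platform (assumed entity ID): needs the display name
         and an affiliation, but only student/staff values in our own
         scope are released; any other affiliation value is dropped -->
    <AttributeFilterPolicy id="release-to-elearning">
        <PolicyRequirementRule xsi:type="Requester"
            value="https://elearning.example.edu/shibboleth" />
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ValueRegex"
                regex="^(student|staff)@example\.edu$" />
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

After editing the file, the IdP's aacli.sh (bin/aacli.sh -n &lt;user&gt; -r &lt;entityID&gt;) shows exactly which attributes a given requester would receive, which is the quickest way to confirm that nothing beyond the intended set is released.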
What advice would you give to organisations looking to add Office 365 authentication using your manual?
Don't see it as complicated; set aside at least two days.
If the institution already has a Shibboleth V2 or V3 server, start from scratch and install V4.1. There are too many changes between these major versions of Shibboleth and it wastes too much time.
It is also possible to join the Federation a second time with a test entity to avoid impacting a server already in production. Finally, don't hesitate to contact Belnet, without which this deployment would not have been possible and which is always very helpful.