
IdP

The IdP (Identity Provider) is the service that brokers access to the identity data held in the school's user directory on behalf of the integrated services (such as Moodle, Mahara and Google). Once set up, the IdP uses an LDAP connection to the directory to authenticate the user, and then reflects that directory data outward as identity assertions.
The reference implementation used in the IAM pilots, and by the commercial service providers, is based on SimpleSAMLphp (ssphp). ssphp is a comprehensive open-source implementation of IdP, SP (Service Provider) and authentication components, written as a PHP-based web service. The software has a modular design, which allows its outward appearance to be customised (themes for individual schools) and its functionality to be extended for specific data and processing requirements.
 
As part of the Ministry of Education pilot process, a source code repository has been maintained that contains all of the New Zealand MLE-specific enhancements. These include LDAP connectors that can handle attribute mapping for multiple schools, and user directory data validation routines that ensure the quality of the data the IdP projects.
  • NZ MLE specific branch
  • Multiple LDAP directory connector module with attribute mapping - ldapmultimap
  • User attribute validation as user logs into the IdP - mlepcheck
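The validation step described above, written out as an added example rather than code from the pilot repository: a hypothetical SimpleSAMLphp authentication-processing filter that checks the user's directory attributes as they log in at the IdP and refuses to issue an assertion when the record is incomplete or malformed. It assumes SimpleSAMLphp 2.x, a module directory named mlepvalidate, and inetOrgPerson-style attribute names (uid, mail, givenName, sn); the real MLE attribute names are not given on this page.

```php
<?php
// Added example, not code from the page's repository: a hypothetical authproc
// filter in the spirit of the page's "mlepcheck" idea. Assumptions: SimpleSAMLphp
// 2.x, module name "mlepvalidate", inetOrgPerson-style attribute names.
// Suggested file location:
//   modules/mlepvalidate/src/Auth/Process/RequireAttributes.php
// Enabled in metadata/saml20-idp-hosted.php with, for example:
//   'authproc' => [
//       50 => [
//           'class'    => 'mlepvalidate:RequireAttributes',
//           'required' => ['uid', 'mail', 'givenName', 'sn'],
//           'patterns' => ['uid' => '/^[a-z0-9._-]{2,64}$/i'],
//       ],
//   ],

declare(strict_types=1);

namespace SimpleSAML\Module\mlepvalidate\Auth\Process;

use SimpleSAML\Auth\ProcessingFilter;
use SimpleSAML\Error\Exception;
use SimpleSAML\Logger;

class RequireAttributes extends ProcessingFilter
{
    /** @var string[] attributes that must be present with a non-blank value */
    private array $required = ['uid', 'mail', 'givenName', 'sn'];

    /** @var array<string,string> attribute name => regex every value must match */
    private array $patterns = ['uid' => '/^[a-z0-9._-]{2,64}$/i'];

    public function __construct(array &$config, $reserved)
    {
        parent::__construct($config, $reserved);
        if (isset($config['required'])) {
            $this->required = array_values($config['required']);
        }
        if (isset($config['patterns'])) {
            $this->patterns = $config['patterns'];
        }
    }

    /**
     * Return a list of problems with an attribute set; an empty list means the
     * record is acceptable. Static and side-effect free so it can be unit-tested
     * without a SimpleSAMLphp session.
     *
     * @param array<string,string[]> $attributes attributes as the ldap module returns them
     * @return string[]
     */
    public static function problems(array $attributes, array $required, array $patterns): array
    {
        $problems = [];
        foreach ($required as $name) {
            $values = array_filter(
                array_map('trim', $attributes[$name] ?? []),
                fn(string $v): bool => $v !== ''
            );
            if ($values === []) {
                $problems[] = "missing required attribute '{$name}'";
            }
        }
        foreach ($attributes['mail'] ?? [] as $mail) {
            if (filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
                $problems[] = "attribute 'mail' holds a value that is not an e-mail address";
            }
        }
        foreach ($patterns as $name => $regex) {
            foreach ($attributes[$name] ?? [] as $value) {
                if (preg_match($regex, $value) !== 1) {
                    $problems[] = "attribute '{$name}' has an unexpected format";
                }
            }
        }
        return $problems;
    }

    public function process(array &$state): void
    {
        $attributes = $state['Attributes'] ?? [];
        $problems = self::problems($attributes, $this->required, $this->patterns);
        if ($problems === []) {
            return; // record is clean; later filters and the assertion proceed
        }
        // Detail goes to the IdP log for the school's directory administrator.
        // The user sees only a generic message, so attribute values and the exact
        // reason are never reflected back to the browser or to the service.
        $who = $attributes['uid'][0] ?? '(no uid)';
        Logger::warning('mlepvalidate: rejecting login for ' . $who . ': ' . implode('; ', $problems));
        throw new Exception('Your school directory record is incomplete or invalid; please contact your school administrator.');
    }
}
```

Placing the filter at a low priority number in the hosted IdP's authproc chain means it runs before any attribute-mapping or release filters, so a bad record is stopped before anything is asserted to Moodle, Mahara or Google; the static problems() method can be called directly from a test with a constructed attribute array.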
Configuration
Basic instructions for the setup and configuration of an IdP are here, and here

Other Authentication Sources
ssphp does not only act in the IdP or SP web service role; it also bridges between protocols and between IAM networks.
For example, instead of logging in at the IdP with school user directory credentials, it is possible to use third-party authentication sources based on OpenID or OAuth, such as:
  • Google Apps - uses OpenID to authenticate, with Google as the user directory
  • Yahoo - OpenID
  • LinkedIn - OAuth
  • Windows Live - OAuth
  • Twitter - OAuth
  • Facebook - OAuth and Facebook Connect
Bridging
Using different authentication sources is already a form of bridging, but bridging can be taken further as a means of traversing different IAM networks, even ones that use different protocols. SimpleSAMLphp can bridge:
  • SAML2.0 - other SAML2.0 network
  • SAML1.3
  • Shibboleth 1.3
  • Shibboleth 2.0
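The three kinds of authentication source this page mentions (the per-school LDAP directories behind the multiple-directory connector, the third-party OAuth sources, and a bridge into another SAML network) all meet in one file in SimpleSAMLphp. The following is an added, constructed config/authsources.php for a SimpleSAMLphp 2.x IdP, not the pilot repository's own configuration; every host name, DN, entity ID, key path and credential is a placeholder, and the authtwitter entry assumes that separately distributed module is installed.

```php
<?php
// Added example, not the page's repository code: a constructed
// config/authsources.php for a SimpleSAMLphp 2.x IdP serving several schools.
// All host names, DNs, entity IDs, key paths and credentials are placeholders.

$config = [
    // Required by SimpleSAMLphp's own administration pages.
    'admin' => ['core:AdminPassword'],

    // One LDAP source per school. The IdP binds to the directory as the user
    // (dnpattern), so the school's own directory checks the password and the
    // IdP never stores it. 'attributes' limits what is read to the fields the
    // IdP will assert, keeping surplus directory data out of the session.
    'school-a-ldap' => [
        'ldap:Ldap',
        'connection_string' => 'ldaps://ldap.school-a.example.school.nz',
        'encryption'        => 'ssl',
        'version'           => 3,
        'attributes'        => ['uid', 'mail', 'givenName', 'sn', 'eduPersonAffiliation'],
        'dnpattern'         => 'uid=%username%,ou=people,dc=school-a,dc=example,dc=nz',
        'search.enable'     => false,
    ],
    'school-b-ldap' => [
        'ldap:Ldap',
        'connection_string' => 'ldaps://directory.school-b.example.school.nz',
        'encryption'        => 'ssl',
        'version'           => 3,
        'attributes'        => ['uid', 'mail', 'givenName', 'sn', 'eduPersonAffiliation'],
        // School B logs users in by e-mail address, so the IdP first searches for
        // the entry with a read-only service account and then binds as that DN.
        'search.enable'     => true,
        'search.base'       => [
            'ou=students,dc=school-b,dc=example,dc=nz',
            'ou=staff,dc=school-b,dc=example,dc=nz',
        ],
        'search.filter'     => '(&(objectClass=inetOrgPerson)(mail=%username%))',
        'search.username'   => 'cn=idp-reader,ou=service,dc=school-b,dc=example,dc=nz',
        'search.password'   => 'CHANGE-ME-placeholder',
    ],

    // The source the hosted IdP points at ('auth' in saml20-idp-hosted.php):
    // the user picks their school (or another source) and is handed to it.
    'school-picker' => [
        'multiauth:MultiAuth',
        'sources' => [
            'school-a-ldap'        => ['text' => ['en' => 'School A']],
            'school-b-ldap'        => ['text' => ['en' => 'School B']],
            'twitter-oauth'        => ['text' => ['en' => 'Twitter account']],
            'bridge-to-federation' => ['text' => ['en' => 'Another federation']],
        ],
    ],

    // A third-party OAuth source from the "Other Authentication Sources" list.
    // A social login yields no school directory attributes, so it only suits
    // services that accept the bare account identifier.
    'twitter-oauth' => [
        'authtwitter:Twitter',
        'key'    => 'CHANGE-ME-consumer-key',
        'secret' => 'CHANGE-ME-consumer-secret',
    ],

    // Protocol bridging: this IdP acts as a SAML 2.0 SP towards another
    // network's IdP and re-issues what it receives as its own assertion.
    // The remote IdP's metadata must be present in metadata/saml20-idp-remote.php.
    'bridge-to-federation' => [
        'saml:SP',
        'entityID'    => 'https://idp.example.school.nz/bridge',
        'idp'         => 'https://idp.other-federation.example.org/saml2/idp/metadata.php',
        'privatekey'  => 'bridge-sp.pem',
        'certificate' => 'bridge-sp.crt',
    ],
];
```

Two points worth checking on a real deployment: the search.password for School B sits in a file the web server reads, so authsources.php should be readable by the web server user only; and the bridge only trusts the remote IdP whose entity ID is named in 'idp' and whose signing certificate is in saml20-idp-remote.php, so that metadata must be obtained and verified out of band rather than fetched from an unauthenticated URL.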