HPE migrated their SSO solution from HPE Passport to a new federated solution. As a result, their partners needed to implement this new standard for employee access. One HPE partner, iServe Inc., is a long-time client of ours, so they turned to us to create a solution for their HPE Product Demo site. We looked at a few approaches, but Shibboleth always came out on top.
Shibboleth is among the world’s most widely deployed federated identity solutions, connecting users to applications both within and between organizations. Every software component of the Shibboleth system is free and open source. We configured Shibboleth as a service provider that authenticates against HPE’s servers. In other words, HPE employees come to the demo site and log in using their computer credentials.
The HPE Product Demo web site is responsible for authorization. Once HPE validates the user, it is up to the service provider to decide what the user has access to. Shibboleth is set up to hook into the existing access control. In addition, we’ve made several SAML domain changes to enhance security and user experience.
Shibboleth can be set up in a variety of ways. The most reliable method is to install Shibboleth as a web server module, specifically an Apache or IIS module. This method is relatively easy to set up and yields great results. With .NET we can fill in the gaps, such as handling SAML responses and proceeding on to authorization.
The HPE SSO project solved some issues for HPE. For example, they have fine-grained control over user accounts, and adoption of HPE Passport was sparse. Furthermore, they can now have convenient multi-factor authentication using employees' laptops and cell phones.