I am working on a single sign-on login page using Shibboleth that will be used for a variety of web applications. Obviously we would like to make this page as secure and usable
@Joe Lencioni, and everyone else interested in Shibboleth
Your site pages should have the overall same look and feel on each page.
Regarding Shibboleth and SSO: it is important to note which role your organization is associated with. Are you an Identity Provider - IdP (authenticating the user and then sending the response to the SP), or are you the Service Provider - SP (who will grant authentication based on the response and attributes sent by the IdP)?
If you are an SP, you have whatever flexibility you desire to link your users to an IdP for them to log in. Many SPs create their own WAYF (Where Are You From) page that will redirect the user to the login page of the IdP.
If you are an IdP, you should have a login page that looks familiar to the user so they can log in and then be redirected to the SP with the attributes that are needed for the SP to grant proper access.
As far as phishing scams go, it is important to keep Shibboleth metadata current. I believe many Federations recommend downloading metadata every (1) hour.
Many Shibboleth questions can be answered here: https://spaces.internet2.edu/display/SHIB2/Home
Hope this helps you out.
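An added example, not part of the answer above: a small check that a cached federation metadata file is still current, using the hourly refresh the answer mentions. The sample aggregate, entity IDs and function names are constructed for illustration, and signature verification is assumed to be done by the Shibboleth software itself.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REFRESH_INTERVAL = timedelta(hours=1)  # hourly refresh, as mentioned in the answer

# Constructed sample aggregate (not real federation metadata).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:federation" validUntil="2024-05-10T12:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth"/>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth"/>
</md:EntitiesDescriptor>"""


def parse_utc(stamp):
    """Parse an xs:dateTime such as 2024-05-10T12:00:00Z into an aware datetime."""
    if stamp.endswith("Z"):
        stamp = stamp[:-1] + "+00:00"
    parsed = datetime.fromisoformat(stamp)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_metadata(xml_text, fetched_at, now):
    """Return (status, entity_ids) for a cached metadata document.

    status is 'expired' when validUntil is missing or has passed,
    'stale' when the copy is older than REFRESH_INTERVAL, otherwise 'fresh'.
    This checks freshness only; it does not verify the metadata signature.
    """
    root = ET.fromstring(xml_text)
    entity_ids = [e.get("entityID") for e in root.iter(f"{{{MD_NS}}}EntityDescriptor")]
    valid_until = root.get("validUntil")
    if valid_until is None or parse_utc(valid_until) <= now:
        return "expired", entity_ids
    if now - fetched_at > REFRESH_INTERVAL:
        return "stale", entity_ids
    return "fresh", entity_ids
```

A monitoring job can call `check_metadata` with the cached file's contents and its modification time, and alert on anything other than `fresh`.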