
Shibboleth Training: Round Two

Welcome back to the training and thanks again to our hosts. This training session covers key concepts, terminology, and the role of Service Providers in the wonderful world of applications. Learn about the importance of shared identity, regulatory compliance, and more.


Presentation Transcript


  1. Shibboleth Training: Round Two
     www.incommon.org

  2. Welcome (back) to the training and thanks (again) to our hosts
     • SP (Service Provider) day
     • A few slides to reinforce key concepts (flows, terminology) and dig a little deeper
     • The SP's role in the wonderful world of applications

  3. Why is Shared Identity Important?
     • Authoritative user data (attributes), expressed to a service
     • Many applications, many users, not many credentials
     • People and applications are complicated
     • Regulatory compliance
     • Excellent auditability of who, what, when, and how for data release
     • Cloud! *aaS, NET+

  4. Federated Identity
     • Single Sign-On (SSO) with bells and whistles added to fit a multi-domain world
     • More evolution than innovation
     • Single Log-Out (SLO)... becomes a nearly intractable problem
     • Provisioning: can be a mess, mostly out of scope for Shibboleth
     • Federations scale trust and simplify operations; distinct from federated identity, as you'll find out with some vendors

  5. Terminology
     • Identity Provider (IdP)
     • Service Provider (SP)
     • Discovery Service (DS)
     • Federation
     • Enhanced Client & Proxy (ECP)
     • Authentication
     • Authorization
     • Metadata
     • Attribute
     • Assertion
     • Subject
     • entityID
     • Entity attributes

  6. SAML 2.0 On the Wire
     • Large piles of XML that we'll help you to digest
     • AuthnRequest
     • SAMLResponse
     • SAML 2.0 can do far more than this, but these are the fundamentals
     • Browser tools like SAML Tracer and web consoles give you a great HD view of the action

  7. (flow diagram slide; no text)

  8. SAML 2.0 On the Wire: Outbound AuthnRequest

     GET https://sp.testshib.org/Shibboleth.sso/TestShib?entityID=https%3A%2F%2Fidp.testshib.org%2Fidp%2Fshibboleth HTTP/1.1
     Host: sp.testshib.org
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:23.0) Gecko/20100101 Firefox/23.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-us,en;q=0.5
     Accept-Encoding: gzip, deflate
     DNT: 1
     Referer: https://sp.testshib.org/

     HTTP/?.? 302 Found
     Date: Sun, 15 Sep 2013 17:43:07 GMT
     Server: Apache/2.2.15 (CentOS)
     Set-Cookie: _shibstate_1379266987_5fd8=https%3A%2F%2Fsp.testshib.org%2Ftesting%2Fsample.jsp; path=/; HttpOnly
     Expires: Wed, 01 Jan 1997 12:00:00 GMT
     Cache-Control: private,no-store,no-cache,max-age=0
     Location: https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZJdb4IwGIX%2FCuk9lA9FaISE6cVM3CTCdrGbpWCVJtCyvmUf%2F35V3OaWzLumPe8573nSOdCu7Uk26EZs2cvAQFvvXSuAnB4SNChBJAUORNCOAdE1KbK7NfEdl%2FRKalnLFlkZAFOaS7GQAoaOqYKpV16zh%2B06QY3WPRCMoXe08YeGV45UB1yYQyVbphsHQOKjrY%2FzTVEia2l0XNCj48883%2F0xMBfY7LDnLTtPb9mOK1ZrXBQbZK2WCXp2ozCcUDbbT%2F0gjNzYo%2FvQq%2BJpEERRFE9qIwMY2EqApkInyHe9wHZj25uW3oxMAuLOnpCVn6vecLHj4nCdSzWKgNyWZW6PjR6ZglMbI0Dp%2FEiXnILVBe%2FrtvQLMkr%2FQwrfSG3o5%2FgiZYzsyb2xXS1z2fL6w8raVr4tFKOaJchDOB1Hfv%2BH9BM%3D&RelayState=cookie%3A1379266987_5fd8
     Content-Length: 832
     Connection: close
     Content-Type: text/html; charset=iso-8859-1

  9. SAML 2.0 On the Wire: Outbound AuthnRequest

     https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=
     fZJdb4IwGIX%2FCuk9lA9FaISE6cVM3CTCdrGbpWCVJtCyvmUf%2F35V3OaWzLumPe8573nSOdCu7Uk26EZs2cvAQFvvXSuAnB4SNChBJAUORNCOAdE1KbK7NfEdl%2FRKalnLFlkZAFOaS7GQAoaOqYKpV16zh%2B06QY3WPRCMoXe08YeGV45UB1yYQyVbphsHQOKjrY%2FzTVEia2l0XNCj48883%2F0xMBfY7LDnLTtPb9mOK1ZrXBQbZK2WCXp2ozCcUDbbT%2F0gjNzYo%2FvQq%2BJpEERRFE9qIwMY2EqApkInyHe9wHZj25uW3oxMAuLOnpCVn6vecLHj4nCdSzWKgNyWZW6PjR6ZglMbI0Dp%2FEiXnILVBe%2FrtvQLMkr%2FQwrfSG3o5%2FgiZYzsyb2xXS1z2fL6w8raVr4tFKOaJchDOB1Hfv%2BH9BM%3D
     &RelayState=cookie%3A1379266987_5fd8

  10. SAML 2.0 On the Wire: Outbound AuthnRequest Decoded

     <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
         AssertionConsumerServiceURL="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"
         Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"
         ID="_08664ae7f52368091af61b953388894c"
         IssueInstant="2013-09-15T17:43:07Z"
         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         Version="2.0">
       <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
         https://sp.testshib.org/shibboleth-sp
       </saml:Issuer>
       <samlp:NameIDPolicy AllowCreate="1" />
     </samlp:AuthnRequest>
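How the Redirect binding on slides 8 to 10 packs the AuthnRequest into the query string, as an added example that is not part of the slides or the Shibboleth code base: the XML is raw-DEFLATEd, base64-encoded and URL-encoded, and the IdP (or SAML Tracer) reverses those steps. The AuthnRequest below is constructed here from the entity IDs and URLs on the slides.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AuthnRequest; values mirror the decoded request on slide 10.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'AssertionConsumerServiceURL="https://sp.testshib.org/Shibboleth.sso/SAML2/POST" '
    'Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO" '
    'ID="_08664ae7f52368091af61b953388894c" IssueInstant="2013-09-15T17:43:07Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
    '<saml:Issuer>https://sp.testshib.org/shibboleth-sp</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="1"/>'
    '</samlp:AuthnRequest>'
)

def encode_redirect(xml_text: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    b64 = base64.b64encode(deflated).decode()
    return urllib.parse.urlencode({"SAMLRequest": b64, "RelayState": relay_state})

def decode_redirect(query: str) -> dict:
    """Reverse the binding and pull out the fields the IdP acts on."""
    params = urllib.parse.parse_qs(query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode()  # raw inflate to match the encoder
    root = ET.fromstring(xml_text)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),  # the IdP echoes this back as InResponseTo
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "binding": root.get("ProtocolBinding"),
        "relay_state": params.get("RelayState", [None])[0],
    }

if __name__ == "__main__":
    query = encode_redirect(AUTHN_REQUEST, "cookie:1379266987_5fd8")
    print("https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?" + query)
    print(decode_redirect(query))
```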

  11. SAML 2.0 On the Wire: Some of the Authentication Process

     GET https://idp.testshib.org/idp/AuthnEngine HTTP/1.1
     Host: idp.testshib.org
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:23.0) Gecko/20100101 Firefox/23.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-us,en;q=0.5
     Accept-Encoding: gzip, deflate
     DNT: 1
     Referer: https://sp.testshib.org/
     Cookie: JSESSIONID=7457D9BC57AB79F47FDC449D267C3A05; _idp_authn_lc_key=19b41e7b8030fefc158a5124fa4e8dd0ada81b7e220cad9d71dba38d4be61bf9

     HTTP/?.? 302 Found
     Date: Sun, 15 Sep 2013 17:43:08 GMT
     Expires: 0
     Cache-Control: no-cache, no-store, must-revalidate, max-age=0
     Pragma: no-cache
     Location: https://idp.testshib.org:443/idp/Authn/UserPassword
     Content-Length: 0
     Connection: close
     Content-Type: text/plain; charset=UTF-8

  12. SAML 2.0 On the Wire: Response POST

     POST https://sp.testshib.org/Shibboleth.sso/SAML2/POST HTTP/1.1
     Host: sp.testshib.org
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:23.0) Gecko/20100101 Firefox/23.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-us,en;q=0.5
     Accept-Encoding: gzip, deflate
     DNT: 1
     Referer: https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
     Cookie: _shibstate_1379266987_5fd8=https%3A%2F%2Fsp.testshib.org%2Ftesting%2Fsample.jsp
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 18165

  13. SAML 2.0 On the Wire: Response Body POST

     RelayState: cookie:1379266987_5fd8
     SAMLResponse: [base64-encoded SAMLResponse omitted from this transcript]

  14. SAML 2.0 On the Wire: Response Decoded

     <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
         Destination="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"
         ID="_756c7ce31cf1c3c05af079ad190418e9"
         InResponseTo="_08664ae7f52368091af61b953388894c"
         IssueInstant="2013-09-15T17:48:07.312Z"
         Version="2.0">
       <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
           Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
         https://idp.testshib.org/idp/shibboleth
       </saml2:Issuer>
       <saml2p:Status>
         <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
       </saml2p:Status>
       <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
         <!-- Encryption keying information goes here -->
         <!-- Encrypted Assertion goes here -->
       </saml2:EncryptedAssertion>
     </saml2p:Response>

  15. SAML 2.0 On the Wire: Assertion Decrypted

     <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
         ID="_e3d6ba821a78177ec5b8a943857bf4bb"
         IssueInstant="2013-09-15T17:48:07.312Z"
         Version="2.0"
         xmlns:xs="http://www.w3.org/2001/XMLSchema">
       <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.testshib.org/idp/shibboleth</saml2:Issuer>
       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><!-- Digital Signature Goes Here --></ds:Signature>
       <saml2:Subject>
         <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
             NameQualifier="https://idp.testshib.org/idp/shibboleth"
             SPNameQualifier="https://sp.testshib.org/shibboleth-sp">
           _eeb8e86508a287a76650811310111869
         </saml2:NameID>
         <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
           <saml2:SubjectConfirmationData Address="131.252.248.198"
               InResponseTo="_08664ae7f52368091af61b953388894c"
               NotOnOrAfter="2013-09-15T17:53:07.312Z"
               Recipient="https://sp.testshib.org/Shibboleth.sso/SAML2/POST" />
         </saml2:SubjectConfirmation>
       </saml2:Subject>
       <saml2:Conditions NotBefore="2013-09-15T17:48:07.312Z" NotOnOrAfter="2013-09-15T17:53:07.312Z">
         <saml2:AudienceRestriction>
           <saml2:Audience>https://sp.testshib.org/shibboleth-sp</saml2:Audience>
         </saml2:AudienceRestriction>
       </saml2:Conditions>
       <!-- Continued On Next Slide -->

  16. SAML 2.0 On the Wire: Assertion Decrypted

       <!-- Continued From Previous Slide -->
       <saml2:AuthnStatement AuthnInstant="2013-09-15T17:48:07.046Z"
           SessionIndex="_d01434572d16888023226e30793cc225">
         <saml2:SubjectLocality Address="131.252.248.198" />
         <saml2:AuthnContext>
           <saml2:AuthnContextClassRef>
             urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
           </saml2:AuthnContextClassRef>
         </saml2:AuthnContext>
       </saml2:AuthnStatement>
       <saml2:AttributeStatement>
         <saml2:Attribute FriendlyName="eduPersonAffiliation"
             Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
           <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
             Member
           </saml2:AttributeValue>
         </saml2:Attribute>
         <!-- More Attributes Here -->
       </saml2:AttributeStatement>
     </saml2:Assertion>
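The checks an SP performs on the decrypted assertion from slides 15 and 16 before it creates the session on slide 17, as an added example that is not part of the slides or of the Shibboleth SP: bearer confirmation, InResponseTo against an outstanding request ID, Recipient against the ACS URL, the NotBefore/NotOnOrAfter window (with clock skew), and the Audience. The assertion below is constructed here with the slides' IDs, times and URLs, and the XML signature is assumed to have been verified already.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SP_ID = "https://sp.testshib.org/shibboleth-sp"
ACS = "https://sp.testshib.org/Shibboleth.sso/SAML2/POST"

# Constructed, unsigned stand-in for the decrypted assertion on the slides (same IDs, times, URLs).
ASSERTION = f"""<saml2:Assertion xmlns:saml2="{NS['saml2']}" ID="_e3d6ba821a78177ec5b8a943857bf4bb"
  IssueInstant="2013-09-15T17:48:07.312Z" Version="2.0">
  <saml2:Subject><saml2:SubjectConfirmation Method="{BEARER}">
    <saml2:SubjectConfirmationData InResponseTo="_08664ae7f52368091af61b953388894c"
      NotOnOrAfter="2013-09-15T17:53:07.312Z" Recipient="{ACS}"/>
  </saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotBefore="2013-09-15T17:48:07.312Z" NotOnOrAfter="2013-09-15T17:53:07.312Z">
    <saml2:AudienceRestriction><saml2:Audience>{SP_ID}</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML times are UTC with a trailing Z

def check_assertion(xml_text, now, sp_entity_id, acs_url, outstanding_ids, skew=timedelta(seconds=60)):
    """Return the failed checks (empty list = the SP may create a session). Signature assumed verified."""
    a = ET.fromstring(xml_text)
    problems = []
    conf = a.find("saml2:Subject/saml2:SubjectConfirmation", NS)
    data = conf.find("saml2:SubjectConfirmationData", NS)
    if conf.get("Method") != BEARER:
        problems.append("confirmation method is not bearer")
    if data.get("InResponseTo") not in outstanding_ids:
        problems.append("InResponseTo matches no outstanding AuthnRequest")  # unsolicited or replayed
    if data.get("Recipient") != acs_url:
        problems.append("Recipient is not this SP's ACS URL")
    if now >= _ts(data.get("NotOnOrAfter")) + skew:
        problems.append("SubjectConfirmationData expired")
    cond = a.find("saml2:Conditions", NS)
    if now < _ts(cond.get("NotBefore")) - skew:
        problems.append("Conditions not yet valid")
    if now >= _ts(cond.get("NotOnOrAfter")) + skew:
        problems.append("Conditions expired")
    audiences = [e.text.strip() for e in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience does not name this SP")
    return problems

if __name__ == "__main__":
    now = datetime(2013, 9, 15, 17, 50, tzinfo=timezone.utc)
    print(check_assertion(ASSERTION, now, SP_ID, ACS, {"_08664ae7f52368091af61b953388894c"}))
```

Within the five-minute window every check passes; run it with a later clock, another entityID or an unknown request ID and the returned list names exactly which check rejected the assertion.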

  17. SAML 2.0 On the Wire: Session Created

     HTTP/?.? 302 Found
     Date: Sun, 15 Sep 2013 17:48:07 GMT
     Server: Apache/2.2.15 (CentOS)
     Set-Cookie: _shibsession_64656661756c7468747470733a2f2f73702e74657374736869622e6f72672f73686962626f6c6574682d7370=_0c4133a61ce1abb3b04faa379dbb1e4a; path=/; HttpOnly
     Set-Cookie: _shibstate_1379266987_5fd8=; path=/; HttpOnly; expires=Mon, 01 Jan 2001 00:00:00 GMT
     Expires: Wed, 01 Jan 1997 12:00:00 GMT
     Cache-Control: private,no-store,no-cache,max-age=0
     Location: https://sp.testshib.org/testing/sample.jsp
     Content-Length: 308
     Connection: close
     Content-Type: text/html; charset=iso-8859-1

  18. SAML 2.0 On the Wire: What does the SP finally set?

     Session Expiration (barring inactivity): 459 minute(s)
     Client Address: 131.252.248.198
     SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
     Identity Provider: https://idp.testshib.org/idp/shibboleth
     Authentication Time: 2013-09-15T17:48:07.046Z
     Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
     Authentication Context Decl: (none)

     Attributes
     affiliation: 1 value(s)
     cn: 1 value(s)
     entitlement: 1 value(s)
     eppn: 1 value(s)
     givenName: 1 value(s)
     persistent-id: 1 value(s)
     sn: 1 value(s)
     telephoneNumber: 1 value(s)
     unscoped-affiliation: 1 value(s)

  19. SAML 2.0 On the Wire: What does the application finally see?
     • How the application sees and uses the information exposed by the SP depends on the application, the environment, and the language
     • Here are some examples

  20. Integration Example -- Java

     public String getUser(HttpServletRequest req) {
         return req.getRemoteUser();
     }

     or

     return (String) req.getAttribute("uid");

  21. Integration Example -- PHP

     $user = $_SERVER["uid"];
     echo "User UID is: $user";

  22. Integration Example -- ASP

     Request("HTTP_uid")

     ASP.NET

     Request.Headers("uid")

  23. Application Integration
     Moving out of the "Science" zone and into the "Art" zone
     • Two main points of integration: session management, attribute use
     • Session management handled by HTTP queries
     • Attributes available per above
     Rule of Thumb: applications try to handle everything internally and require "domestication"
     Every state of understanding reached with an application is unique

  24. More Integration Information
     • The SP is written as an Apache module or IIS ISAPI filter paired with a daemon, shibd
     • Apache can be used as a front-end for a Java servlet container; FastCGI support also exists
     • Other implementations like OIOSAML, pySAML, ruby-saml, simpleSAMLphp, etc. offer alternatives, but tend to be less fully featured
     • The SP can be integrated with applications in a thousand ways
     • Typically, attributes are received as environment variables, and some special URLs make Shibboleth things happen for the app
     • Many fun problems for the solution-oriented individual

  25. Today's Agenda
     • Us talking at you (apologies, done for now)
     • A self-paced installation and configuration of the SP
     • Quick tour of the SP configuration files covering pieces you didn't need to work with
     • SP Productionalization Discussion
     • And, at any time, ask your questions, raise your hand, engage with us!

  26. Thank you!
     Now, the real fun begins... (these links are also in the emailed workshop information for a superior copy/paste experience)
     Linux SP: https://spaces.internet2.edu/x/LoLNAQ
     Windows SP: https://spaces.internet2.edu/x/aYH8