1 / 160

Shibboleth Service Provider Workshop

Shibboleth Service Provider Workshop. Bart Ophelders - Philip Brusten shib@kuleuven.be. June 2010. Shibboleth Service provider workshop. This work is licensed under a  Creative Commons Attribution- ShareAlike 3.0 Unported License . Acknowledgements.

jimbo
Download Presentation

Shibboleth Service Provider Workshop

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Shibboleth Service ProviderWorkshop Bart Ophelders - Philip Brusten shib@kuleuven.be June 2010

  2. Shibboleth Service provider workshop This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

  3. Acknowledgements What's new in Shibboleth 2 – Chad La Joie [SAMLConf] http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf Liberty interoperability testing: http://projectliberty.org/liberty/liberty_interoperable/implementations Shibboleth 2.0 InstallFest Service Provider Material – Ann Arbor, MI SP Hands-on Session – SWITCH https://spaces.internet2.edu/display/SHIB2

  4. Program Introduction: “What is Shibboleth?” Shibboleth 2.x: “What has changed?” Concept of Federation Resource Registry A word on ADFS Installation Bootstrapping SP Configuration

  5. Introduction: “What is Shibboleth?” • Quote from http://shibboleth.internet2.edu: The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

  6. Introduction: “What is Shibboleth?” • Terminology • Authentication: says who we are • Authorization: says which resource we can access • SP: Service Provider (Resource) • IdP: Identity Provider (Home organisation) • WAYF: Where Are You From • DS: Discovery Service

  7. Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Service Provider Identity Provider Webserver Webserver Identity Provider Shibboleth module x User Agent/Browser Shibboleth service Components: Identity Provider (IdP) – Service Provider (SP) – Where Are You From (WAYF) – User Agent (UA)

  8. Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Service Provider Identity Provider Webserver Webserver Identity Provider Shibboleth module x User Agent/Browser Shibboleth service SAML1.1 profile: Browser/Artifact Initial request from UA to document X No active Shibboleth session, UA redirected to WAYF

  9. Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Service Provider Identity Provider Webserver Webserver Identity Provider Shibboleth module x User Agent/Browser Shibboleth service WAYF asks UA to choose an IdP (if not already set in cookie) Redirect UA to selected IdP

  10. Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Service Provider Identity Provider Webserver Webserver Identity Provider Shibboleth module x User Agent/Browser Shibboleth service IdP prompts the UA for credentials (Username/Password, x509, digipass, etc). IdP uses backend to verify credentials (LDAP, ADDS, SQL, etc)

  11. Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Service Provider Identity Provider Webserver Webserver Identity Provider Shibboleth module x User Agent/Browser Shibboleth service IdP resolves attributes for the authenticated principal and creates SAML assertion (authentication & attribute statement) Redirects UA with references to these assertions (Artifacts).

  12. Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Service Provider Identity Provider Webserver Webserver Identity Provider Shibboleth module x User Agent/Browser Shibboleth service Shibboleth service or daemon dereferences the Artifacts on a secure backchannel with SSL mutual authentication.Invisible for the UA.

  13. Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Service Provider Identity Provider Webserver Webserver Identity Provider Shibboleth module x User Agent/Browser Shibboleth service The Shibboleth service verifies and filters the information and gives it to the Shibboleth module (via RPC or TCP).The Shibboleth module or Webserver will authorise the principal.

  14. Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Service Provider 2 Identity Provider Webserver Webserver Identity Provider Shibboleth module x User Agent/Browser Shibboleth service The active sessions with every component will provide the single sign-on experience.

  15. Program Introduction: “What is Shibboleth?” Shibboleth 2.x: “What has changed?” Concept of Federation Resource Registry A word on ADFS Installation Bootstrapping SP Configuration

  16. Shibboleth 2.x: “What has changed?” • General • SAML2 protocols • Authentication Request Protocol (SP initiated) • Force re-authentication • Passive authentication • Assertion Query and Request Protocol • Artifact Resolution Protocol • Single Logout Protocol (Not supported by the IdP yet) • NameID Management Protocol • NameID Mapping Protocol • Encryption and signing of sensitive information • Distributed configuration (pull) • Federation Metadata • Attribute-map • Attribute-filter

  17. Shibboleth 2.x: “What has changed?” • Identity Provider • Own authentication modules • LDAP • Kerberos • IP-based • PreviousSession (SSO) • REMOTE_USER (cfr. CAS) • No SAML2 force authentication • Very flexible attribute resolving • Very flexible attribute filtering (with constraints) • Clean audit logs • etc

  18. Shibboleth 2.x: “What has changed?” • Discovery Service • Successor of WAYF • SAML2 Identity Provider Discovery Profile • Multi-federation support

  19. Shibboleth 2.x: “What has changed?” • Service Provider • Multi-protocol support • New attribute filtering policy language • Support for ODBC based storage of state • Significant performance improvements

  20. Architecture Shibboleth v2.x HTTP redirect HTTP interaction DS Service Provider Identity Provider Webserver Webserver Identity Provider Shibboleth module x User Agent/Browser Shibboleth service SAML2.0 profile: Web browser SSO + HTTP POST binding Initial request from UA to document X No active Shibboleth session, UA redirected to DS

  21. Architecture Shibboleth v2.x HTTP redirect HTTP interaction DS Service Provider Identity Provider Webserver SP takes back control Webserver Identity Provider Shibboleth module x User Agent/Browser Shibboleth service DS asks UA to choose an IdP (if not already set in cookie) Redirect UA back to SP with selected IdP as parameter.

  22. Architecture Shibboleth v2.x HTTP redirect HTTP interaction DS Service Provider Identity Provider Webserver Webserver Identity Provider Shibboleth module x User Agent/Browser Shibboleth service SP sends SAML Authentication request to the IdP. IdP prompts the UA for credentials, if necessary. IdP uses backend to verify credentials (LDAP, ADDS, SQL, etc)

  23. Architecture Shibboleth v2.x HTTP redirect HTTP interaction DS Service Provider Identity Provider Webserver Webserver Identity Provider Shibboleth module x User Agent/Browser • SAML response • Authentication statement • Attribute statement Shibboleth service The IdP resolves and filters the principal’s attribute information and constructs a SAML assertion. This assertion can optionally be signed and/or encrypted. Next, the IdP POSTs a response to the SP.

  24. Architecture Shibboleth v2.x HTTP redirect HTTP interaction DS Service Provider Identity Provider Webserver Webserver Identity Provider Shibboleth module x User Agent/Browser Shibboleth service No callback! The Shibboleth service decrypts, verifies and filters the response and gives it to the Shibboleth module (via RPC or TCP).The Shibboleth module or Webserver will authorise the principal.

  25. Architecture Shibboleth v2.x HTTP redirect HTTP interaction DS Service Provider 2 Identity Provider Webserver Webserver Identity Provider Shibboleth module x User Agent/Browser Shibboleth service • Again, the active sessions with every component will provide the single sign-on experience.

  26. Program Introduction: “What is Shibboleth?” Shibboleth 2.x: “What has changed?” Concept of Federation Resource Registry A word on ADFS Installation Bootstrapping SP Configuration

  27. Concept of Federation Toledo App X K.U.Leuven W&K App Y … K.U.Leuven App Z App Z … Federation K.U.Leuven Federation AssociatieK.U.Leuven Group of entities, both IdPs and SPs. Can map on existing Associations (e.g.: BELNET, AssociatieK.U.Leuven, K.U.Leuven, etc)

  28. Concept of Federation • Benefits • Scalable • Simplifies things • WAYF service (IdP discovery) • Metadata • Describes entities (protocol support, contact information, etc) • PKI management • Trust • Since Shibboleth v2.x = single point of trust • Digitally signed • http://shib.kuleuven.be/download/metadata

  29. Program Introduction: “What is Shibboleth?” Shibboleth 2.x: “What has changed?” Concept of Federation Resource Registry A word on ADFS Installation Bootstrapping SP Configuration

  30. Resource Registry • Metadata management tool • Based on open source from SWITCH and modified by INTIENT and K.U.Leuven • Adapted for K.U.Leuven • Multi-federation support • Identity Provider 1-many link • Service Provider 1-many link

  31. Resource Registry

  32. Resource Registry • For now only internal use • In a later stage available for: • Resource Registry Administrators • To approve resources from a certain IdP • Resource Administrators • For administering SP information (self-service) • Home Organisation Administrators • For administering IdP information (self-service) • Federation Administrators • Signing metadata file • Roles can be assigned independently

  33. Resource Registry • Currently hosting: • Federation K.U.Leuven • Federation AssociatieK.U.Leuven • Federation K.U.Leuven – UZLeuven • Test federation K.U.Leuven

  34. Program Introduction: “What is Shibboleth?” Shibboleth 2.x: “What has changed?” Concept of Federation Resource Registry A word on ADFS Installation Bootstrapping SP Configuration

  35. A word on ADFS • Active Directory Federation Services v1 • Part of Microsoft Windows Server 2003 R2 • WS-Federation Passive Requester Profile (WS-F PRP) • Shibboleth v1.3 has implemented “WS-Federation: Passive Requestor Interoperability Profile” specification for both IdP & SP • Two ways of working • NT-Token based • Claim based

  36. A word on ADFS ADFS Web Agents FS IdPK.U.Leuven OWA Webserver Identity Provider Account partners K.U.Leuven TRUST TRUST EVault Resources - OWA - EVault - Sharepoint - etc TRUST Sharepoint TRUST E.g. Implementation at K.U.Leuven

  37. A word on ADFS

  38. A word on AD FS 2.0 • Version 2.0 • Officially released on 5 May 2010 • Windows Server 2008 and Windows Server 2008 R2 • Only claims based • Compatible with ADFS v1.0 • Liberty Interoperable Implementation Tables • SAML2.0 operational modes: • IdPlite • SP lite

  39. A word on AD FS 2.0

  40. A word on AD FS 2.0

  41. A word on AD FS 2.0 5) Use claims in token Identity Providers Windows Live ID Other Application WIF STS STS 4) Submit token Token Token Internet 3) Authenticate user and get token for selected identity Browser or Client 1) Access application and learn token requirements CardSpace 2.0 2) Select an identity that matches those requirements User Shamelessly copied from David Chappell’s presentation at TechEd 2009

  42. Program Introduction: “What is Shibboleth?” Shibboleth 2.x: “What has changed?” Concept of Federation Resource Registry A word on ADFS Installation Bootstrapping SP Configuration

  43. Environment • RedHat Enterprise Linux 5.5 (Tikanga) • Debian 5.0 (Lenny) • Windows Server 2008 R2 • Username: “shib” / “root” • Passwords: “P@ssw0rd” • Remote Access • Linux: ssh • Windows: Remote desktop

  44. Environment • RedHat Enterprise Linux 5.5 (Tikanga) • 8 virtual machines • DNS: worksh-rh-N.cc.kuleuven.be • IP: 10.2.4.N • Debian 5.0 (Lenny) • 4 virtual machines • DNS: worksh-db-N.cc.kuleuven.be • IP: 10.2.4.2N • Windows Server 2008 R2 • 10 virtual machines • DNS: worksh-w8-N.cc.kuleuven.be • IP: 10.2.4.4N + 10.2.4.50

  45. Environment • Shibboleth IdP • DNS: worksh-idp.cc.kuleuven.be • IP: 10.2.4.9 • https://worksh-idp.cc.kuleuven.be/idp/status(only accessible through VMs: 10.2.4.0/24)

  46. Environment Shibboleth standard basehttp://shib.kuleuven.be/ssb_sp.shtml $WORKSH_HOST = worksh-[rh|db|w8]-N.cc.kuleuven.be

  47. Environment openssl x509 –in $cert –issuer –noout • Key/Certificate generation - We’ve done it for you  • Webserver • Located at $PKI • Signed by TerenaSSL CA • Shibboleth SP • Self-signed • worksh-idp.cc.kuleuven.be:/home/shib/ShibbolethSPWorkshop/certificates/shibboleth-sp • Certificate: sp-[rh|db|w8]-N-cert.pem • Key: sp-[rh|db|w8]-N-key.pem • Save at $PKI • Test certificates

  48. SSL certificates • Use of self-signed certificates in backend • No need for commercial certificates • Longer lifetime • No truststore to maintain for commercial CAs • Revocation (just remove certificate) • Trustbase of commercial signed certificates can become quite large • Separate certificate for front- and backend

  49. Environment $ apt-get install vim • Tools • An absolute must: Syntax friendly editor • RHEL: vim • Debian: vim • Windows: notepad++ or SciTE • HTTP client • RHEL: links • Debian: links • Windows: local browser • SCP or WinSCP • Check your time now! • Always work case sensitive!

  50. Installation - Overview Shibbolethservice IIS Apache Shibboleth handler/Shibboleth.sso Shibboleth handler/Shibboleth.sso mod_ssl mod_auth mod_shib ... RPC port 1600 Unix socket ISAPI filter Shibboleth

More Related