AAI with simpleSAMLphp
Marina Vermezović, Academic Network of Serbia - AMRES
EIFL, 15.12.2011.
Content
• AAI and Federated Identity
• simpleSAMLphp
• Federation structures
• AMRES AAI deployment
Akademska mreža Srbije www.amres.ac.rs
Let’s make a start point
• If you want to:
  • offer web services – e-books, e-magazines
• You need to:
  • Control access to those web services
  • Make services user personalized
• How do you do this:
  • Authentication - who is your user?
  • Authorization - what can she do?
  • AAI - Authentication and Authorization Infrastructure makes access to protected services easier
Without AAI
[Diagram: Faculty A service providers (wireless, videoconference, e-learning, student portal) and Library B service providers (wireless, e-books). Each service performs its own authentication (Auth) and authorization (Autz).]
With AAI
[Diagram: the same service providers at Faculty A and the Library. A single Identity Provider, backed by Identity Management, performs authentication (Auth) once; each service provider performs only authorization (Autz).]
AAI Architecture and Roles
• Federation operator:
  • Defines technologies used
  • Admits IdPs and SPs to federation – provides metadata
  • Can provide some of federation services centrally:
    • Discovery Service
    • Metadata management
    • SSO, SLO, consent, Attribute Handling
• Identity Provider:
  • Identity Management
  • Authentication
  • Release of user Attributes
  • Preserving user privacy
• Service Provider:
  • Controls Access to resource
  • Authorization
  • Personalized user service
[Diagram: the three roles together form a CIRCLE OF TRUST.]
Decide for technology and software
• De-facto standard in Academic identity federations: SAML
• Software:
  • Shibboleth
    • Created by Internet2 (U.S.)
    • IdP: Java, needs Tomcat
    • SP: C++, Apache module
  • SimpleSAMLphp
    • Created by UNINETT (Norway)
    • Both IdP and SP, written in PHP
SimpleSAMLphp
• What are the key simpleSAMLphp functionalities?
• Let’s see what simpleSAMLphp can do, following the example of a user accessing a web service.
SP point of view – protect Access
• Allows access to resource only to legitimate users
SP point of view – IdP Discovery
• Before redirecting the user to her IdP, the SP needs to discover which IdP the user belongs to
• With simpleSAMLphp you can:
  • Implement a centralized discovery service run by the Federation Operator
  • Implement the built-in discovery service on the SP side; it works by displaying the IdP entries from metadata
IdP point of view – Authentication
• User is redirected to the IdP site, where she is asked to enter username/password (u/p)
• Thus the process of authentication is started
IdP point of view – Authentication
• When the IdP gets u/p, the IdP must authenticate the user against some database
• Authentication methods that come with the simpleSAMLphp distribution:
  • LDAP
  • SQL
  • RADIUS
  • List of username/password
  • OpenID, Facebook, Twitter, MySpace, LinkedIn, ...
  • …
• If you don’t find your authentication source on the list, you can write a custom authentication module
IdP point of view – Identity Management
• Regardless of which database user identities are stored in, it is important that the data about the user is correct
• IdM: set of procedures and rules which define:
  • Who has the right to own a digital identity
  • When a digital identity is assigned to a person
  • How a digital identity is maintained
  • How the digital identity is used
  • How the digital identity is terminated
• Must comply with national personal data protection law
  • EU Data Protection Directive
IdP point of view – Attribute Release
• After the user is authenticated, the IdP can release some attributes about the user to the SP
• But some principles are important!
• General rules:
  • release only attributes which the SP really needs
  • release attributes in a pre-agreed syntax (schemas)
• With simpleSAMLphp, the IdP can:
  • Filter out a subset of the available attributes that are sent to an SP
  • Modify names or values of attributes
  • Add new attributes
  • Generate new attributes that are composed of others
IdP point of view – Consent
• Before Attribute Release, the IdP can ask the user for consent to releasing the user’s data
• This is very important from the perspective of national and international laws on the protection of users’ data
• EU Data Protection Directive:
  • Consent – data should not be disclosed without the data subject’s consent
IdP point of view – Consent
• Consent module is available in simpleSAMLphp
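An added example (not from the presentation) of how the four attribute-release capabilities above and the consent step are expressed in simpleSAMLphp: a per-SP 'authproc' filter chain in metadata/saml20-sp-remote.php on the IdP, in the 1.x array syntax of the time. The SP entity ID, endpoint URLs, attribute values and the home domain idp.example.org are assumptions.

```php
<?php
// Added example, not from the original presentation: IdP-side attribute
// release policy for one remote SP, simpleSAMLphp 1.x syntax. The entity ID,
// endpoints, domain and attribute values below are assumed for illustration.
$metadata['https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp'] = array(
    'AssertionConsumerService' => 'https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp',
    'SingleLogoutService'      => 'https://sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp',

    // Filters run in ascending order of their numeric key, after authentication
    // and before the assertion for this SP is built.
    'authproc' => array(
        // 1. Modify attribute values: map a local affiliation value to the
        //    eduPerson vocabulary the SP expects.
        20 => array(
            'class'       => 'core:AttributeAlter',
            'subject'     => 'eduPersonAffiliation',
            'pattern'     => '/^teacher$/',
            'replacement' => 'faculty',
        ),
        // 2. Generate a new attribute composed of others: uid + home domain.
        30 => array(
            'class' => 'core:PHP',
            'code'  => '
                if (!empty($attributes["uid"])) {
                    $attributes["eduPersonPrincipalName"] =
                        array($attributes["uid"][0] . "@idp.example.org");
                }
            ',
        ),
        // 3. Add a new attribute: a static entitlement the library SP checks.
        40 => array(
            'class' => 'core:AttributeAdd',
            'eduPersonEntitlement' => 'urn:mace:dir:entitlement:common-lib-terms',
        ),
        // 4. Filter: release only the attributes this SP really needs.
        //    Everything else (uid, phone numbers, ...) never leaves the IdP.
        50 => array(
            'class' => 'core:AttributeLimit',
            'eduPersonPrincipalName', 'eduPersonAffiliation', 'eduPersonEntitlement', 'mail',
        ),
        // 5. Consent: show the user exactly what will be released and ask
        //    before sending. Runs last so the list matches what the SP receives.
        90 => array(
            'class'         => 'consent:Consent',
            'includeValues' => true,
            'checked'       => false,
        ),
    ),
);
```

Because the chain sits in the SP's remote metadata rather than in the hosted IdP metadata, each SP can get its own minimal release set while the consent screen always reflects that set.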
SP point of view – Attribute processing
• Attributes help the SP to:
  • Make authorization decisions
    • Students/employees have different permissions
  • Make personalized services for users
    • SP needs a persistent user ID so it can save user preferences
  • Give the user some additional service
    • SP needs the user’s e-mail address to send e-mail notifications
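As an added example (not from the presentation), an SP-side PHP page that uses the released attributes in the three ways above: authorization by affiliation, a persistent identifier as the key for stored preferences, and the mail attribute for notifications. It uses the simpleSAMLphp 1.x SimpleSAML_Auth_Simple API; the install path, the 'default-sp' authsource name and the assumption that the IdP releases eduPersonAffiliation, eduPersonTargetedID and mail as plain string values are all assumptions.

```php
<?php
// Added example, not from the original presentation. Assumes simpleSAMLphp 1.x
// installed in /var/simplesamlphp with an SP authsource named 'default-sp',
// and an IdP releasing eduPersonAffiliation, eduPersonTargetedID and mail.
require_once('/var/simplesamlphp/lib/_autoload.php');

// Affiliations allowed to use this service (students and employees differ).
$allowedAffiliations = array('student', 'faculty', 'staff', 'employee');

function isAuthorized(array $attributes, array $allowed) {
    // Every SAML attribute arrives as an array of values; check the whole
    // set against the allowed list rather than a single value.
    if (empty($attributes['eduPersonAffiliation'])) {
        return false;
    }
    return count(array_intersect($attributes['eduPersonAffiliation'], $allowed)) > 0;
}

function preferenceKey(array $attributes) {
    // Persistent, SP-specific identifier: stable across sessions, so it can
    // key stored preferences without the SP learning the user's real name.
    // Hashed so the raw identifier itself is not written to the preference store.
    if (empty($attributes['eduPersonTargetedID'])) {
        return null;
    }
    return hash('sha256', $attributes['eduPersonTargetedID'][0]);
}

function notificationAddress(array $attributes) {
    // Only accept a syntactically valid address; null disables notifications.
    $mail = isset($attributes['mail'][0]) ? $attributes['mail'][0] : null;
    return filter_var($mail, FILTER_VALIDATE_EMAIL) ? $mail : null;
}

$as = new SimpleSAML_Auth_Simple('default-sp');
$as->requireAuth();                 // redirects to discovery/IdP when not logged in
$attributes = $as->getAttributes();

if (!isAuthorized($attributes, $allowedAffiliations)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Your affiliation does not permit access to this service.');
}

$key  = preferenceKey($attributes);        // load saved preferences by $key
$mail = notificationAddress($attributes);  // null when no usable address was released

echo 'Welcome. Preferences profile: ' . ($key ? substr($key, 0, 12) : 'none') . "\n";
echo 'Notifications: ' . ($mail ? 'enabled' : 'disabled') . "\n";
```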
Decide for Federation architecture
• 3 possibilities:
  • Full mesh
  • Centralized
  • Hub and spoke
• Choosing one is very important, because the right choice heavily depends on the state the institutions are in
Full mesh
[Diagram: the Federation operator provides Federation metadata and a Discovery service. Institutions A and C each run their own Identity Provider (Authentication, Attribute filtering, Consent, SSO/SLO, Identity Management); Institutions B and D each run their own Service Provider (Discovery Service, Authorization).]
Hub and spoke
[Diagram: the Federation operator runs the hub with Federation metadata, Discovery service, Attribute filtering, Consent and SSO/SLO. Institutions A and C keep their own Identity Provider (Authentication, Identity Management); Institutions B and D run Service Providers (Discovery Service, Authorization).]
Centralized
[Diagram: the Federation operator runs Federation metadata, the Discovery service and the central Identity Provider (Authentication, Attribute filtering, Consent, SSO/SLO). Institutions A and C provide only Identity Management; Institutions B and D run Service Providers (Discovery Service, Authorization).]
AMRES AAI
• What was our starting point:
  • Institution administrators have less knowledge
  • Institutions have different databases => no centralized federation
  • No institution has its own SSO
• We decided for:
  • simpleSAMLphp
  • Full mesh, made as lightweight as possible: metadata management tool, attribute release recommendations, ...
AMRES AAI
• We have set up a test environment
• Next steps:
  • Hold a hands-on workshop with a few chosen institutions, which will continue in the PILOT AAI
  • Gain experience in the PILOT, evaluate the chosen solution, make changes if needed
  • Start PRODUCTION, continue with workshops
  • Get/deploy new user services which would attract institutions
Thank you for your attention
• Questions? or write to marina.vermezovic@rcub.bg.ac.rs