1 / 18

SAML & Federation Principles Workshop: Trust, Authentication, and IdP Evolution

Join the 2-day workshop for a quick introduction to SAML and Federation principles, hands-on IdP SAML & Federation tour, metadata attributes exchange, authentication management, and IdP trust concepts.

climon
Download Presentation

SAML & Federation Principles Workshop: Trust, Authentication, and IdP Evolution

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CYNETIdP Marathon Marco from GARR (Italia) Geoffroy from RENATER (France)

  2. CYNET IdP Marathon - Agenda 2 days workshop Quick introduction du SAML and Federationprinciples Hands-on IdP

  3. SAML & Federation quick tour • SAML ? Federation ? • types of entities • notion of trust • workflow federated • point-to-point vs federation • IdPuseful information • Certificates • Usefulattributes • Useful information for the marathon

  4. Authentication management evolution

  5. SAML Entities • Service Provider (SP) • The application that one want to access • Identity Provider (IdP) • The server to which the SP delegates the authentication • Uponsuccessfulauthentication, the IdPprovides information about the user (attributes) • Exchanges are signed and eventuallyciphered • Eachentityisdescribedthrough the mean of metadata

  6. Attributes exchange urn:oid:0.9.2342.19200300.100.1.3 mail mail LDAP SP Application IdP SAML2 Attribute « mail » Value : john.doe@univ.ac.cy IdP allows or not the release of the attribute to the SP

  7. What’sinsidemetadata? • Main information: • entity ID (unique ID) • Certificates for signing and ciphering • Supportedprotocols (SAML1, SAML2) • Endpoints for login workflow • Requiredattributes (only for SP) • Contact email address (shouldbegeneric)

  8. All isbased on trust! • IdP must TRUST the SP • SP must TRUST the IdP • Trust happenswhen SP and IdP exchange theirmetadata • What if no trust? • An application couldbeaccessed by anyIdP • An SP couldbeused for phishing to get information about users (valid email, id, telephone…)

  9. Point-2-Point vs Federation Point-to-point trust and login flow IdP SP trusted trusted

  10. Point-2-Point vs Federation Fédération Education-Recherche Univ. X CNRS SP IdP SP IdP SP Université Paris Saclay Université Rennes 1 SP IdP IdP SP SP SP eduGAIN Fédération InCommon (USA) MIT Univ. Y SP IdP Univ. Chicago SP SP IdP SP IdP SP

  11. Federatedauthenticationdemo Need for something to discover the IdP => Discovery Service / WAYF (Where Are You From) Demo : https://rendez-vous.renater.fr

  12. Certificates usage in SAML • 3 types of certificates are used in Shibboleth IDP – don’t swap them • TLS certificate, to enable HTTPS betweenbrowers and IdP • Just as usual • Self-signedcertificate (and private key) for signing/ciphering, with long lifetime (> 10y) • Federationoperatorsigingcertificate (the metadata file published by the federationoperatorissigned)

  13. Shibboleth IdP high-level functionning ShibbolethIdentity Provider Request dispatcher Input request LDAP Authenticationengine flow Authentication Attributeresolver Resolveattr. Attributefilter Filterattr. Response

  14. Recommendedattributesused in Federation https://wiki.geant.org/display/eduGAIN/IDP+Attribute+Profile+and+Recommended+Attributes

  15. Marathon overview https://geanttraining.cynet.ac.cy/sp-garr Training SP trusts WAYF/DS YOU trusts Training Federation generates IdP Shibboleth Metadata Your LDAP

  16. Useful information for Marathon • SP URL : https://geanttraining.cynet.ac.cy/sp-garr • Training Metadata : • URL : https://registry-test.idem.garr.it/rr3/signedmetadata/federation/cyprusIDPtraining/metadata.xml • Public Key : https://registry-test.idem.garr.it/rr3/signedmetadata/federation/cyprusIDPtraining/metadata-signer.crt • HOW-TO : • https://github.com/ConsortiumGARR/idem-tutorials

  17. For CENTOS : https://github.com/ConsortiumGARR/idem-tutorials/blob/master/idem-fedops/HOWTO-Shibboleth/Identity%20Provider/CentOS/HOWTO%20Install%20and%20Configure%20a%20Shibboleth%20IdP%20v3.4.x%20on%20CentOS%207%20with%20Apache2%20%2B%20Jetty9.md For DEBIAN : https://github.com/ConsortiumGARR/idem-tutorials/blob/master/idem-fedops/HOWTO-Shibboleth/Identity%20Provider/Debian/HOWTO%20Install%20and%20Configure%20a%20Shibboleth%20IdP%20v3.4.x%20on%20Debian%209%20Linux%20with%20Apache2%20%2B%20Jetty9.md For Ubuntu : https://github.com/ConsortiumGARR/idem-tutorials/blob/master/idem-fedops/HOWTO-Shibboleth/Identity%20Provider/Ubuntu/HOWTO%20Install%20and%20Configure%20a%20Shibboleth%20IdP%20v3.4.3%20on%20Ubuntu%20Linux%20LTS%2018.04%20with%20Apache2%20%2B%20Jetty9.md

  18. https://github.com/ConsortiumGARR

More Related