1 / 22

Introduction to Shibboleth

damon
Download Presentation

Introduction to Shibboleth

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Introduction to Shibboleth

    2. 2 Agenda What is Shibboleth? IdP/SP Communication 1.3 to 2.X migration Future Releases Support Resources

    3. 3 What is Shibboleth? Technically it’s a project group, like Apache or Eclipse, whose core team maintains a set of software components Most people think of it as the set of software components OpenSAML C++ and Java libraries Shibboleth Identity Provider (IdP) Shibboleth Service Provider (SP) Shibboleth Discovery Service (DS) Taken together these components make up a federated identity management (FIM) platform. You might also think of Shibboleth as a multi-protocol platform that enforces a consistent set of policies.

    4. 4 Shibboleth Components

    5. 5 Shibboleth Components: Identity Provider What is it? A Java Servlet (2.4) web application What does it do? Connects to existing authentication and user data systems Provides information about how a user has been authenticated Provides user identity information from the data source

    6. 6 Shibboleth Components: Service Provider What is it? mod_shib: A C++ web server (Apache/IIS/iPlanet) module shibd: A C++ daemon - keeps state when web server processes die What does it do? Optionally initiates the request for authentication and attributes Processes incoming authentication and attribute information Optionally evaluates content access control rules

    7. 7 Shibboleth Components: Discovery Service What is it? A Java Servlet (2.4) web application What does it do? Asks the user to select their home organization from a list

    8. 8 Terminology SAML - Security Assertion Markup Language - the standard describing the XML messages sent back and forth by the Shibboleth components (two versions: 1.1, 2.0) Profile - Standard describing how to use SAML to accomplish a specific task (e.g. SSO, attribute query) Binding - Standard that describes how to take a profile message and send it over a specific transport (e.g. HTTP) Front-channel - A binding that sends message through a user’s browser via redirects or form posts Back-channel - A binding where the entities connect directly to each other

    9. 9 Terminology entityID - Unique identifier for an IdP or SP Assertion - The unit of information in SAML NameID - An identifier by which an IdP knows a user Attribute - A named piece of information about a user

    10. 10 Shibboleth Supported Profiles SAML 1 Shibboleth SSO Attribute Query Artifact Resolution SAML 2 SSO Attribute Query Artifact Resolution Single Logout (SP-only) Discovery Shibboleth 1 WAYF SAML 2 Discovery Service

    11. 11 Shibboleth Communication Flow: Shib 1

    12. 12 Problems with Shib 1 SSO Flow The SP does not know which IdP will receive its request and so can not tailor the authentication request Which protocol to use? Which keys to use for encryption? The IdP must have a second SSL port in order for the SP to make its attribute query (attribute pull model) Twice the number of crypto operations Two request/response pairs for every authentication

    13. 13 Shibboleth Communication Flow: Shib 2 SSO

    14. 14 Demo

    15. 15 Odds and Ends Shibboleth knows nothing about federations, it just consumes metadata in order to: locate the entity to which messages are sent determine what protocols the entity supports determine what signing/encryption keys to use The IdP is CPU bound, unlike most web apps No support for crypto-acceleration currently Good support for clustering though

    16. 16 Shibboleth 1.3 to 2.X migration Shibboleth 2 is backwards compatible with 1.3 Obviously new SAML 2 features don’t work with Shib 1.3 Entity’s should embed their certificates in their metadata This is required in order to support SAML 2 encryption The Shibboleth team recommends URLs for entityIDs IdP entityID: https://HOSTNAME/idp/shibboleth SP entityID: https://HOSTNAME/shibboleth These URLs can then be used to get the metadata for the entity

    17. 17 IdP Migration The Bad News All configuration files have changed IdP Endpoints have changed The Good News The installer generates: Most of the configuration files Certificates used for signing and encryption IdP Metadata Shibboleth 2 can operate in the same environment (LDAP/databases, CAS/PubCookie/Kerberos/etc, Apache, Tomcat) Shibboleth 2 requires less infrastructure, you can remove: other SSO systems Apache metadata refresh scripts Versions 2 and 1.3 can be run in parallel

    18. 18 IdP Migration: How To Install database (optional, needed for persistent name IDs) Install version 2 (do not use the same $IDP_HOME) Configure the Identity Provider Add new IdP to your test federation and test Update production metadata Wait enough time for all SPs to refresh metadata SPs will continue to contact the old IdP until their metadata updates Shutdown version 1.3 (don’t forget any related cronjobs and services) Strongly consider setting up a clustered IdP Give advanced warning if you’re changing the IdP entityID Systems that do not use metadata will need to be updated in some bilateral fashion

    19. 19 SP Migration The Bad News You can not install Shib 2 over 1.3 Configuration files are similar but not compatible Versions 2 and 1.3 can not be run in parallel The Good News 2.0 is mostly just a progression of version 1.3 Same components: shibd & mod_shib Few changes unless you use new features Installer generates certificates New functionality allows the SP to generate its own metadata

    20. 20 SP Migration: Attribute Names Version 1.3 placed attributes in HTTP Headers HTTP_SHIB_EP_AFFILIATION staff HTTP_SHIB_INETORGPERSON_GIVENNAME Lukas Version 2.0 (when using Apache) places attributes in server environment and uses slightly different names as a result Shib-EP-Affiliation staff Shib-InetOrgePerson-givenName Lukas Version 2.0 supports the old method but the new method guarantees that information can not be spoofed

    21. 21 SP Migration: How To Backup old configuration, binaries, and shibd init.d script Disable Apache module (a2dismod shib) Disable cronjobs for siterefresh Move 1.3 SP to some other location Install version 2.0 Configure Service Provider Make sure your application still works, if not: Turn on use of HTTP headers using ShibUseHeaders On This is needed for all Java applications Remove old 1.3 SP

    22. 22 Future Releases Identity Provider (IdP) 2.2 LDAP and Database query caching Standard format for all time period/duration options Small Improvements / Bug Fixes Identity Provider (IdP) 3.0 Internal API changes X.509 Authentication Attribute Release Consent (uApprove) New Installation Package containing configured Servlet container New High Availability option that does not require extra software Simpler Configuration Options Discovery Service (DS) 2.0 HTML/CSS/Javascript based Deployable centrally or on the Service Provider

    23. 23 Support Resources First, check with your Federation, if you have one: http://switch.ch/aai/support/documents http://switch.ch/aai/support/help Shibboleth Wiki https://spaces.internet2.edu/display/SHIB2/Home Shibboleth User’s Mailing List Archive http://groups.google.com/group/shibboleth-users/topics Shibboleth User’s Mailing List http://shibboleth.internet2.edu/lists.html

More Related