The GLASS Project: Supporting Secure Shibboleth-based Single Sign-On to Campus Resources
John Watt (j.watt@nesc.gla.ac.uk), Richard Sinnott (r.sinnott@nesc.gla.ac.uk), Jipu Jiang
University of Glasgow, Scotland, UK
GLASgow early adoption of Shibboleth
http://www.nesc.ac.uk/hub/projects/glass
“Implementing Single Sign-On and VO Management in e-Health and e-Learning domains at Glasgow using Shibboleth”
• 1 year JISC project (Dec ’05 – Dec ’06)
• In partnership with NHS Scotland
Federated Trust
• Local authentication infrastructures are vital
  • e.g. campus student directories
  • Support existing infrastructures (e.g. registration, human resources)
  • Users will normally have enrolled IN PERSON at the institution
    • With standard identity documents (birth certificate, exam results)
  • Users will be (reasonably) well known by local staff
• Institutions also act as the Regional Operators for a CA
  • Decentralisation of credential verification was required due to travel/time restrictions
  • A national CA would be impossible without this
• Remote authentication information will always be out of date
• Users don’t want to have to learn lots of usernames/passwords
Federated Trust
• The best entity to authenticate a person is their home institution/company
  • Their information will be up to date
  • They will always know a person better than a remote site
  • A remote site may not know whether a user is still valid or not
• Can we utilise a user’s home credentials to access remote resources?
Campus Authentication
• Novell NSure
  • Unified account management system at the University of Glasgow
  • Central authentication method for campus
  • System may be queried through an LDAP connection
  • Production system!
• Custom schema
  • Standard object classes + Novell definitions
• NOTE:
  • The ‘uid’ attribute is guaranteed unique for every user on the system
  • So we can use this as a database linking attribute
  • Could come in handy…
Federated authentication system using SAML for secure conversation
• Enables Single Sign-On to web pages and portals
• Authentication is done by the user’s home institution
  • Identity Provider (Origin)
• Authorisation (and access) is done by the resource
  • Service Provider (Target)
[Diagram: Shibboleth login sequence between the User, the Grid Portal (Service Provider, with Application and Authz function), the Home Institution (Identity Provider) and the Federation WAYF service]
1. User points their browser to the portal
2. Shibboleth redirects the user to the W.A.Y.F. (Where Are You From) service
3. User selects their home institution
4. AUTHENTICATE: the home institution confirms the user ID in its local LDAP and pushes attributes to the service provider
5. Portal logs the user in and presents the attributes to the authorisation function
6. AUTHORISE: the portal passes the attributes to the AuthZ function to make the final access control decision
Identity Providers
• Identity Providers assert:
  • The authenticity of the user
    • IdPs in a federation TRUST each other’s authentication assertions
    • The IdP guarantees the user is who they say they are
    • Enforced by federation policy
    • Shibboleth requires external apps to actually do the authentication
    • SAML provides the transport mechanism for this assertion
  • The privileges of the user
    • SAML attributes carry extra information about the user which external resources can use to make access control decisions
    • These attributes need to be negotiated between IdPs and SPs
    • However, a standard framework exists which SPs may adopt to enhance interoperability…
eduPerson
• An LDAP object class which defines widely-used attributes relevant to higher education
• Adopted by Shibboleth and the UK Access Management Federation
• eduPersonAffiliation
  • Standard attribute definition (student, staff, affiliate)
• eduPersonPrincipalName
  • May be disabled for anonymous access
• eduPersonTargetedID
  • Persistent non-identifying… identifier
• eduPersonEntitlement
  • Custom attribute for carrying user privileges
eduPerson
• Campus opinion of the effect of adopting the eduPerson schema…
Towards a Solution…
• Basic Shibboleth IdP configuration
[Diagram: SP, IdP and a single User Directory]
  1. SP sends an AuthN request to the IdP
  2. IdP asks the User Directory: AuthN? → y/n
  3. IdP returns y/n to the SP
  4. SP sends an AuthZ request to the IdP
  5. IdP asks the User Directory: Atts? → Atts.
  6. IdP returns the Atts to the SP
• eduPerson not supported
Multiple Attribute Authorities
[Diagram: SP, IdP, the central User Directory and departmental directories Dept. A and Dept. B; user entries are linked through the unique ‘uid’ attribute]
  1. SP sends an AuthN request to the IdP
  2. IdP asks the User Directory: AuthN? → y/n
  3. IdP returns y/n to the SP
  4. SP sends an AuthZ request to the IdP
  5. IdP asks Dept. A: Atts? → Atts. and Dept. B: Atts? → Atts.
  6. IdP returns the combined Atts to the SP
• eduPerson can be adopted at departmental level
The Techie Bit…
• Multiple attribute authorities are implemented through additional JNDI connectors in resolver.ldap.xml
• Must set ‘noResultIsError’ to ‘false’
  • Prevents an error being thrown if a user is not found in a directory
  • Needed because a user is not normally a member of EVERY department!
• Must set the ‘propagateErrors’ flag to ‘false’
  • Stops any single error from halting the query of the other LDAPs
• Attribute connectors state which directories they will search
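As an added illustration (not Shibboleth IdP code) of what the two flags above buy you, the following Python models an attribute resolver that looks one uid up in the central directory and several departmental authorities and merges the results; the connector names, directory contents, strict defaults and the hypothetical deptC outage are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: the central NSure directory and two departmental
# attribute authorities, all keyed on the unique 'uid' (constructed values).
CENTRAL = {"jbloggs": {"givenName": "Joe", "sn": "Bloggs", "mail": "j.bloggs@example.ac.uk"}}
DEPT_A = {"jbloggs": {"eduPersonAffiliation": "staff", "eduPersonEntitlement": ["brainIT_nurse"]}}
DEPT_B = {}  # this user is not a member of department B

class DirectoryError(Exception):
    """A connector that fails outright, e.g. its LDAP server is unreachable."""

@dataclass
class Connector:
    """One JNDI-style connector; flag names follow the slide, defaults are assumed."""
    name: str
    entries: dict
    no_result_is_error: bool = True   # slide: must be set to false for departmental AAs
    propagate_errors: bool = True     # slide: must be set to false for departmental AAs
    available: bool = True

    def lookup(self, uid):
        if not self.available:
            raise DirectoryError(f"{self.name}: server unreachable")
        entry = self.entries.get(uid)
        if entry is None and self.no_result_is_error:
            raise LookupError(f"{self.name}: no entry for uid={uid}")
        return dict(entry or {})   # copy so callers cannot mutate the sample data

def resolve(uid, connectors):
    """Merge attributes for one uid across all connectors (multi-valued). An error
    halts resolution only if that connector propagates errors; otherwise it is skipped."""
    attrs, skipped = {}, []
    for c in connectors:
        try:
            for key, val in c.lookup(uid).items():
                attrs.setdefault(key, []).extend(val if isinstance(val, list) else [val])
        except (LookupError, DirectoryError) as err:
            if c.propagate_errors:
                raise
            skipped.append(str(err))
    return attrs, skipped

def resolution_halts(uid, connectors):
    """True when resolve() aborts, i.e. an error reached the IdP instead of being skipped."""
    try:
        resolve(uid, connectors)
        return False
    except (LookupError, DirectoryError):
        return True
```

With the strict defaults a user missing from any one department stops the whole lookup; with both flags false the user still gets the attributes every directory that knows them can supply.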
Specific Services
• The University of Glasgow now offers many online services for its students
  • Some involve manipulation or extraction of sensitive personal data
  • Most involve insecure (often cleartext) user information being moved about
• Nearly all require:
  • Username and password to be entered on each visit (even within the same browser session)
  • It is also possible that DIFFERENT usernames and passwords may be needed
  • Pre-registration for staff and non-students
GLASS Project
• Unifying University resources under Shibboleth, utilising the NSure Directory Service
  • SSO, secure attributes…
• WebMAIL
Moodle is an online course management system
• A Virtual Learning Environment (VLE) which allows educators to create online learning communities
• As of August 2006:
  • 15,768 registered sites in 163 countries (1241 in the UK alone)
  • 581,984 courses
  • 6,033,505 users
• Individual Moodle sites can be very different
  • Different sites may require different user information to create a session
University of Glasgow Moodle
• Utilises the central campus LDAP server
• Requires the following entries for a user session:
  • uid, givenName, fullName, mail, sn
  • (University of Glasgow Computing Services (CS) requirements)
• Entries are usually retrieved through the generic module
• A Shibboleth authentication module is available
  • Extracts the correct attributes from the HTTP_SHIB_ATTRIBUTES header provided by the Shibboleth Service Provider
  • “Pure Shibboleth” login, or multiple login types
  • CS prefer the latter, as it is more flexible
  • The cost is that the user must specifically request a Shibboleth session on their first visit
WebSURF is an online service for manipulation and retrieval of personal details
• Student Services
  • Course registration/options
  • Access to personal exam results
  • Updating personal details
    • Address, Tel. No.
• Staff Services
  • View student records
  • Update course information
• WebSURF is authored by Glasgow University
GLASS
• Moodle
  • Moodle ships with a Shibboleth authentication module
  • Requires configuration…
  • The Shibboleth SP provides the 5 attributes in an HTTP header (HTTP_SHIB_ATTRIBUTES)
  • Each individual attribute is extracted using a CGI-type header
    • HTTP_UID
    • HTTP_SHIBINETORG_SURNAME
    • HTTP_GIVENNAME
    • Etc.
  • Moodle forms a local username (if it doesn’t already exist)
GLASS
• WebSURF
  • Much more complicated!
  • WebSURF is a J2EE application which runs in a JBoss container
  • Authentication is done with the generic JAAS module
  • Shibboleth may interface with JBoss applications through the SPIE-JAAS module, which takes the place of the generic JAAS module
  • http://spie.oucs.ox.ac.uk
GLASS
• BrainIT
  • Using Shibboleth to provide sensitive clinical data to a Grid portal from an NHS database
  • The SP needs to host GridSphere, so a Tomcat/ajp_proxy setup is required
  • SSL has been enabled on this portal as the data is particularly sensitive
  • eduPersonEntitlement is used as the attribute required for access to the portal
  • Different attribute values correspond to different parameters being available to query
    • brainIT_nurse – low privilege (e.g. DOB/sex)
    • brainIT_investigator – high privilege (e.g. postcode, illness specifics)
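An added illustration (not BrainIT portal code) of the entitlement-driven access control just described: the entitlement values are the slide’s, while the parameter names behind each privilege level and the sample attribute sets are constructed assumptions.

```python
# Parameters a portal user may query, per eduPersonEntitlement value (assumed names).
LOW_PRIVILEGE = {"dob", "sex"}                                        # brainIT_nurse
HIGH_PRIVILEGE = LOW_PRIVILEGE | {"postcode", "illness_specifics"}    # brainIT_investigator

ENTITLEMENT_TO_PARAMS = {
    "brainIT_nurse": LOW_PRIVILEGE,
    "brainIT_investigator": HIGH_PRIVILEGE,
}

def permitted_parameters(attributes):
    """Return the set of queryable parameters for the attributes pushed by the IdP.

    eduPersonEntitlement is multi-valued; an absent or unrecognised value grants
    nothing, so a user with no BrainIT entitlement ends up with an empty set."""
    values = attributes.get("eduPersonEntitlement", [])
    if isinstance(values, str):          # tolerate a single-valued attribute
        values = [values]
    allowed = set()
    for value in values:
        allowed |= ENTITLEMENT_TO_PARAMS.get(value, set())
    return allowed

def authorise_query(attributes, requested):
    """Deny by default: refuse the whole query if any requested parameter is not permitted.

    Returns (granted, denied_parameters) so the portal can log exactly what was refused."""
    allowed = permitted_parameters(attributes)
    denied = sorted(p for p in requested if p not in allowed)
    return (len(denied) == 0, denied)

# Constructed attribute sets as the SP would receive them after a Shibboleth login.
NURSE = {"eduPersonPrincipalName": "nurse1@example.ac.uk",
         "eduPersonEntitlement": ["brainIT_nurse"]}
INVESTIGATOR = {"eduPersonEntitlement": ["brainIT_investigator"]}
VISITOR = {"eduPersonAffiliation": ["student"]}   # authenticated, but no entitlement
```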
Summary
• The GLASS infrastructure is the basis for all Shibboleth-based projects at Glasgow
  • e.g. the EPSRC nanoCMOS project
• Centralised authentication from the NSure LDAP
• Departmental Attribute Authorities at the National e-Science Centre and the Department of Electronics and Electrical Engineering
  • Each department controls the attributes required for access to its own service
  • LDAP directories are linked using the unique ‘uid’ attribute
• Experience gained in interfacing with new technologies (MediaWiki)
• Informs new Shibboleth-based projects with other collaborators (e.g. SEE-GEO)
Demos
• This afternoon… All afternoon!