Shibboleth Service Provider Workshop. Bart Ophelders - Philip Brusten, shib@kuleuven.be. June 2010.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Acknowledgements • What's new in Shibboleth 2 – Chad La Joie • [SAMLConf] http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf • Liberty interoperability testing: http://projectliberty.org/liberty/liberty_interoperable/implementations • Shibboleth 2.0 InstallFest Service Provider Material – Ann Arbor, MI • SP Hands-on Session – SWITCH • https://spaces.internet2.edu/display/SHIB2
Program Introduction: “What is Shibboleth?” Shibboleth 2.x: “What has changed?” Concept of Federation Resource Registry A word on ADFS Installation Bootstrapping SP Configuration
Introduction: “What is Shibboleth?” • Quote from http://shibboleth.internet2.edu: The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
Introduction: “What is Shibboleth?” • Terminology • Authentication: says who we are • Authorization: says which resource we can access • SP: Service Provider (Resource) • IdP: Identity Provider (Home organisation) • WAYF: Where Are You From • DS: Discovery Service
Architecture Shibboleth v1.3 [Diagram, repeated on each of the following v1.3 slides. Labels: HTTP redirect, HTTP interaction, WAYF, Service Provider, Identity Provider, Webserver, Shibboleth module, Shibboleth service, x, User Agent/Browser] Components: Identity Provider (IdP) – Service Provider (SP) – Where Are You From (WAYF) – User Agent (UA)
Architecture Shibboleth v1.3 • SAML1.1 profile: Browser/Artifact • Initial request from UA to document X • No active Shibboleth session, UA redirected to WAYF
Architecture Shibboleth v1.3 • WAYF asks UA to choose an IdP (if not already set in cookie) • Redirect UA to selected IdP
Architecture Shibboleth v1.3 • IdP prompts the UA for credentials (Username/Password, x509, digipass, etc). • IdP uses backend to verify credentials (LDAP, ADDS, SQL, etc)
Architecture Shibboleth v1.3 • IdP resolves attributes for the authenticated principal and creates SAML assertion (authentication & attribute statement) • Redirects UA with references to these assertions (Artifacts).
Architecture Shibboleth v1.3 • Shibboleth service or daemon dereferences the Artifacts on a secure backchannel with SSL mutual authentication. • Invisible for the UA.
Architecture Shibboleth v1.3 • The Shibboleth service verifies and filters the information and gives it to the Shibboleth module (via RPC or TCP). • The Shibboleth module or Webserver will authorise the principal.
Architecture Shibboleth v1.3 [Diagram now also shows Service Provider 2] • The active sessions with every component will provide the single sign-on experience.
Shibboleth 2.x: “What has changed?” • General • SAML2 protocols • Authentication Request Protocol (SP initiated) • Force re-authentication • Passive authentication • Assertion Query and Request Protocol • Artifact Resolution Protocol • Single Logout Protocol (Not supported by the IdP yet) • NameID Management Protocol • NameID Mapping Protocol • Encryption and signing of sensitive information • Distributed configuration (pull) • Federation Metadata • Attribute-map • Attribute-filter
Shibboleth 2.x: “What has changed?” • Identity Provider • Own authentication modules • LDAP • Kerberos • IP-based • PreviousSession (SSO) • REMOTE_USER (cfr. CAS) • No SAML2 force authentication • Very flexible attribute resolving • Very flexible attribute filtering (with constraints) • Clean audit logs • etc
Shibboleth 2.x: “What has changed?” • Discovery Service • Successor of WAYF • SAML2 Identity Provider Discovery Profile • Multi-federation support
Shibboleth 2.x: “What has changed?” • Service Provider • Multi-protocol support • New attribute filtering policy language • Support for ODBC based storage of state • Significant performance improvements
Architecture Shibboleth v2.x [Diagram, repeated on each of the following v2.x slides. Labels: HTTP redirect, HTTP interaction, DS, Service Provider, Identity Provider, Webserver, Shibboleth module, Shibboleth service, x, User Agent/Browser] • SAML2.0 profile: Web browser SSO + HTTP POST binding • Initial request from UA to document X • No active Shibboleth session, UA redirected to DS
Architecture Shibboleth v2.x • DS asks UA to choose an IdP (if not already set in cookie) • Redirect UA back to SP with selected IdP as parameter. • SP takes back control
Architecture Shibboleth v2.x • SP sends SAML Authentication request to the IdP. • IdP prompts the UA for credentials, if necessary. • IdP uses backend to verify credentials (LDAP, ADDS, SQL, etc)
Architecture Shibboleth v2.x • The IdP resolves and filters the principal’s attribute information and constructs a SAML assertion. • This assertion can optionally be signed and/or encrypted. • Next, the IdP POSTs a response to the SP. • SAML response: Authentication statement, Attribute statement
Architecture Shibboleth v2.x • No callback! • The Shibboleth service decrypts, verifies and filters the response and gives it to the Shibboleth module (via RPC or TCP). • The Shibboleth module or Webserver will authorise the principal.
Architecture Shibboleth v2.x [Diagram now also shows Service Provider 2] • Again, the active sessions with every component will provide the single sign-on experience.
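The step "SP sends SAML Authentication request to the IdP", as an added example that is not part of the workshop material or Shibboleth's own code. It builds an AuthnRequest with the ForceAuthn and IsPassive flags and encodes it for the SAML 2.0 HTTP-Redirect binding; that binding and all endpoint values passed in by the caller are assumptions, since the slides do not name them.

```python
import base64
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def build_authn_request(sp_entity_id, acs_url, idp_sso_url,
                        force_authn=False, is_passive=False):
    """AuthnRequest as an SP issues it once the DS has returned the chosen IdP."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,            # unique per request
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,  # where the IdP POSTs the response
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": str(force_authn).lower(),  # true: re-authenticate despite an IdP session
        "IsPassive": str(is_passive).lower(),    # true: IdP must not interact with the user
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")

def redirect_url(idp_sso_url, request_xml, relay_state):
    """HTTP-Redirect binding encoding: raw DEFLATE, base64, then URL-encoding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: no zlib header
    deflated = comp.compress(request_xml.encode()) + comp.flush()
    query = urllib.parse.urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode(),
        "RelayState": relay_state,
    })
    return f"{idp_sso_url}?{query}"

def decode_redirect(url):
    """Receiver side: undo the encoding and read the fields the IdP acts on."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15))
    return {
        "id": root.get("ID"),
        "issuer": root.find(f"{{{SAML}}}Issuer").text,
        "acs": root.get("AssertionConsumerServiceURL"),
        "force_authn": root.get("ForceAuthn") == "true",
        "is_passive": root.get("IsPassive") == "true",
        "relay_state": qs["RelayState"][0],
    }
```

Decoding a captured redirect this way is a quick check that the SP announces the entityID and assertion consumer URL that are registered for it in the federation metadata.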
Concept of Federation [Diagram. Labels: Federation K.U.Leuven, Federation Associatie K.U.Leuven, K.U.Leuven, Toledo, W&K, App X, App Y, App Z, …] • Group of entities, both IdPs and SPs. • Can map on existing Associations (e.g.: BELNET, Associatie K.U.Leuven, K.U.Leuven, etc)
Concept of Federation • Benefits • Scalable • Simplifies things • WAYF service (IdP discovery) • Metadata • Describes entities (protocol support, contact information, etc) • PKI management • Trust • Since Shibboleth v2.x = single point of trust • Digitally signed • http://shib.kuleuven.be/download/metadata
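How metadata describes entities and carries the PKI, as an added example that is not part of the workshop material. It reads a constructed metadata sample (placeholder entity IDs and certificates), refuses it once `validUntil` has passed, and treats a certificate as trusted only while the metadata lists it for that entity; it assumes the signature on the metadata file has already been verified with an XML-signature tool.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ROLES = {"IDPSSODescriptor": "IdP", "SPSSODescriptor": "SP"}

# Constructed sample with placeholder certificates, not real federation metadata.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    validUntil="2030-01-01T00:00:00Z">
 <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>PLACEHOLDER-IDP-CERT</ds:X509Certificate>
   </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>PLACEHOLDER-SP-CERT</ds:X509Certificate>
   </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def load_entities(xml_text, now=None):
    """Map entityID -> roles, protocols and certificates; refuse expired metadata."""
    root = ET.fromstring(xml_text)
    until = root.get("validUntil")
    if until:
        expiry = datetime.strptime(until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= (now or datetime.now(timezone.utc)):
            raise ValueError("metadata expired, fetch a fresh signed copy")
    entities = {}
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        info = {"roles": [], "protocols": set(), "certs": set()}
        for tag, role in ROLES.items():
            for desc in ent.findall(f"{{{MD}}}{tag}"):
                info["roles"].append(role)
                info["protocols"].update(desc.get("protocolSupportEnumeration", "").split())
                for cert in desc.iter(f"{{{DS}}}X509Certificate"):
                    info["certs"].add("".join(cert.text.split()))
        entities[ent.get("entityID")] = info
    return entities

def is_trusted(entities, entity_id, cert_b64):
    """A self-signed certificate counts only while the metadata lists it for that entity."""
    ent = entities.get(entity_id)
    return ent is not None and "".join(cert_b64.split()) in ent["certs"]
```

Removing an entity's `X509Certificate` element from the signed metadata is what makes `is_trusted` return False for it, which is how a self-signed backend certificate is revoked without a CA.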
Resource Registry • Metadata management tool • Based on open source from SWITCH and modified by INTIENT and K.U.Leuven • Adapted for K.U.Leuven • Multi-federation support • Identity Provider 1-many link • Service Provider 1-many link
Resource Registry • For now only internal use • In a later stage available for: • Resource Registry Administrators • To approve resources from a certain IdP • Resource Administrators • For administering SP information (self-service) • Home Organisation Administrators • For administering IdP information (self-service) • Federation Administrators • Signing metadata file • Roles can be assigned independently
Resource Registry • Currently hosting: • Federation K.U.Leuven • Federation Associatie K.U.Leuven • Federation K.U.Leuven – UZLeuven • Test federation K.U.Leuven
A word on ADFS • Active Directory Federation Services v1 • Part of Microsoft Windows Server 2003 R2 • WS-Federation Passive Requester Profile (WS-F PRP) • Shibboleth v1.3 has implemented “WS-Federation: Passive Requestor Interoperability Profile” specification for both IdP & SP • Two ways of working • NT-Token based • Claim based
A word on ADFS [Diagram: e.g. implementation at K.U.Leuven. Labels: ADFS Web Agents, FS, IdP K.U.Leuven, Webserver, Identity Provider, Account partners K.U.Leuven, TRUST (four links), Resources: OWA, EVault, Sharepoint, etc]
A word on AD FS 2.0 • Version 2.0 • Officially released on 5 May 2010 • Windows Server 2008 and Windows Server 2008 R2 • Only claims based • Compatible with ADFS v1.0 • Liberty Interoperable Implementation Tables • SAML2.0 operational modes: • IdP lite • SP lite
A word on AD FS 2.0 [Diagram. Labels: Identity Providers, Windows Live ID, Other, STS, Application, WIF, Token, Internet, Browser or Client, CardSpace 2.0, User] • 1) Access application and learn token requirements • 2) Select an identity that matches those requirements • 3) Authenticate user and get token for selected identity • 4) Submit token • 5) Use claims in token • Shamelessly copied from David Chappell’s presentation at TechEd 2009
Environment • RedHat Enterprise Linux 5.5 (Tikanga) • Debian 5.0 (Lenny) • Windows Server 2008 R2 • Username: “shib” / “root” • Passwords: “P@ssw0rd” • Remote Access • Linux: ssh • Windows: Remote desktop
Environment • RedHat Enterprise Linux 5.5 (Tikanga) • 8 virtual machines • DNS: worksh-rh-N.cc.kuleuven.be • IP: 10.2.4.N • Debian 5.0 (Lenny) • 4 virtual machines • DNS: worksh-db-N.cc.kuleuven.be • IP: 10.2.4.2N • Windows Server 2008 R2 • 10 virtual machines • DNS: worksh-w8-N.cc.kuleuven.be • IP: 10.2.4.4N + 10.2.4.50
Environment • Shibboleth IdP • DNS: worksh-idp.cc.kuleuven.be • IP: 10.2.4.9 • https://worksh-idp.cc.kuleuven.be/idp/status (only accessible through VMs: 10.2.4.0/24)
Environment • Shibboleth standard base: http://shib.kuleuven.be/ssb_sp.shtml • $WORKSH_HOST = worksh-[rh|db|w8]-N.cc.kuleuven.be
Environment $ openssl x509 -in $cert -issuer -noout • Key/Certificate generation - We’ve done it for you • Webserver • Located at $PKI • Signed by TerenaSSL CA • Shibboleth SP • Self-signed • worksh-idp.cc.kuleuven.be:/home/shib/ShibbolethSPWorkshop/certificates/shibboleth-sp • Certificate: sp-[rh|db|w8]-N-cert.pem • Key: sp-[rh|db|w8]-N-key.pem • Save at $PKI • Test certificates
SSL certificates • Use of self-signed certificates in backend • No need for commercial certificates • Longer lifetime • No truststore to maintain for commercial CAs • Revocation (just remove certificate) • Trustbase of commercial signed certificates can become quite large • Separate certificate for front- and backend
Environment $ apt-get install vim • Tools • An absolute must: Syntax friendly editor • RHEL: vim • Debian: vim • Windows: notepad++ or SciTE • HTTP client • RHEL: links • Debian: links • Windows: local browser • SCP or WinSCP • Check your time now! • Always work case sensitive!
Installation - Overview [Diagram. Labels: Shibboleth service; IIS with ISAPI filter Shibboleth; Apache with mod_ssl, mod_auth, mod_shib, ...; Shibboleth handler /Shibboleth.sso on each web server; RPC port 1600; Unix socket]