
Edugate Workshop



Presentation Transcript


  1. Edugate Workshop (Federated Access Workshop)

  2. Workshop Structure • First of a series of Workshops. • Introduction (today) • Advanced (pilot participants) • Joining the Edugate Federation (2009)

  3. Workshop Content • Introduction to Federated Access • Labs • Installation of IdP • Installation of SP • Bilateral federation (after lunch) • Federation • Wrap up

  4. Breaks • Introduction to Federated Access --Break-- • Labs • Installation of IdP --Lunch-- • Installation of SP --Break-- • Bilateral federation (after lunch) • Federation • Facilities / Fire escapes

  5. Facilities • Toilets • Fire Escapes • Meeting rooms

  6. Objectives • Provide you with enough knowledge to try local federated access in a lab environment. • Move from lab environment to federation.

  7. Introduction Why federate? • SSO • Within the campus (with or without SAML) • Beyond the campus (bilaterally outside the campus) • Within a federation (with SAML) • Beyond a federation (inter-federation with SAML)

  8. Introduction Why federate? • Collaboration • VLE (LMS or eLearning) • Wiki / Portal / Blog / Forum / Sharepoint • GRID / HPC / SSH • SaaS (Google Apps and others) • VPNs / NAC • Others...

  9. Introduction Why federate? • Who are your federation partners? • Research Groups (cross institutional) • Shared Resources (NDLR, IReL) • Hospitals • Government R&D (ESRI, EPA) • Your campus libraries • Providers of student services (Travel Cards etc.)

  10. Introduction SP or IdP? • Service providers • Provide access to federated users to their services • Identity providers • Provide identities to service providers • You can be an SP and an IdP

  11. Introduction How to federate? • Bilaterally • Quick to setup • Easy to change • Agreements easy to maintain • Specific purpose Me (IdP) You (SP)

  12. Introduction How to federate? • Multilaterally • Easy to change • Agreements difficult to maintain • Specific purposes Me (IdP) You (SP) Other (IdP & SP)

  13. Introduction How to federate? • As a member of a federation • Easy to setup • Easy to add new partners • Agreement difficult to broker • Multipurpose

  14. Introduction What tools to federate? • Open Source • Shibboleth 1.3 and 2.0+ • SimpleSAMLphp • Commercial • Ping ID • Sun Access Manager • Novell iChain • ADFS • Oracle Identity Manager

  15. Introduction How to integrate? • Tight integration • Supplement existing authentication (AuthN) • Attributes • UserID • Group / Role (AuthZ) • Session

  16. Introduction How to integrate? • Loose integration • Use existing AuthN with Shibboleth AuthN. • Service provider application adds group and role to the Shibboleth ‘user’ later, and handles AuthZ • Application and federated access session management are not aligned.

  17. Introduction Choices. • Authentication (AuthN) • Shibboleth Authentication • Web server or application

  18. Introduction Choices. • entityID-how your IdP or SP is identified to others • ‘University of Narnia Identity Provider’ or • urn:uni:narnia:idp or • https://idp.narnia.un/shibboleth

  19. Introduction Choices. • Attribute handling • Attribute push or pull • Signed or encrypted attributes

  20. Introduction Choices. • Session Start • Only from Portal (WAYFless URL) • From Portal or Target (WAYF)

  21. Federated Access Workflows There are a number of ways a federated access transaction can occur; the following slides demonstrate the two most common ways.

  22. Workflows Simple Workflow • User attributes pushed to the service provider • User starts in his home portal • Service provider relies on IdP for all user data (does not create local application attributes)

  23. Demonstration • www.google.com/a • www.dreamspark.com • http://www.csa.com/

  24. Simple Access Let’s start with the user accessing a protected area of his/her institutional portal. [Diagram: Institution (IdP) with Institutional Web Server, Institutional SAML Server and Institutional User Repository; Service Provider (SP) with Service Provider Web Server, Service Provider SAML server and Service Provider User Repository; Federation or Service Provider WAYF Server between them. The same diagram is repeated on slides 25 to 33.]

  25. The portal prompts the user to log in using the portal’s normal authentication method.

  26. The user enters his/her portal or institutional credentials and they are validated.

  27. A portal session is established and access is granted; full portal content is delivered to the browser.

  28. The user attempts to access the service provider’s content via a link on the institutional portal; the link to the SP will include information identifying the IdP.

  29. The request is sent to the service provider through the user’s browser.

  30. On receiving the request the service provider passes it to the service provider’s SAML server; the SAML server responds with an authentication request that redirects the user back to the identity provider.

  31. The user has an existing session on the identity provider service and will therefore not be prompted for credentials. The identity provider asserts the identity of the user to the service provider; this will include some basic user attributes.

  32. An authorisation decision is made by the web server based on the SAML server’s evaluation of the assertion and its attributes. The web server delivers the protected content with an authenticated session and optional HTTP data containing the user’s attributes.

  33. Subsequent requests for protected content re-use the established session with the SP.
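As an added example (not part of the workshop material), the following Python models the simple workflow of slides 24 to 33: the SP's SAML server issues an authentication request, the IdP pushes signed attributes for an already-authenticated user, and the SP checks signature, audience, request ID, issuer and expiry before the web server authorises on a role attribute. The entityIDs, the HMAC standing in for an XML signature, and the dict-shaped assertion are constructed simplifications, not real SAML.

```python
"""Toy model of the 'simple' (attribute push, IdP-first) federated access flow.
Added example. Real SAML carries signed XML; here an HMAC over a canonical JSON
body stands in for the signature and the assertion is a plain dict."""
import hashlib, hmac, json, secrets, time
from typing import Optional

# Constructed identifiers in the style of slide 18 (not real federation members).
IDP_ENTITY_ID = "https://idp.narnia.un/shibboleth"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SHARED_KEY = b"constructed-demo-key"  # stand-in for the IdP's signing key

def sign(body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, data, hashlib.sha256).hexdigest()

def sp_authn_request() -> dict:
    """SP SAML server: build the request that redirects the browser to the IdP."""
    return {"id": "_" + secrets.token_hex(8), "issuer": SP_ENTITY_ID}

def idp_respond(req: dict, attrs: dict, now: float) -> dict:
    """IdP: the user already has a session, so assert identity + push attributes."""
    assertion = {"issuer": IDP_ENTITY_ID, "audience": req["issuer"],
                 "in_response_to": req["id"], "not_on_or_after": now + 300,
                 "attributes": attrs}
    return {"assertion": assertion, "signature": sign(assertion)}

def sp_evaluate(req: dict, resp: dict, now: float) -> Optional[dict]:
    """SP SAML server: validate the assertion; return its attributes or None."""
    a = resp["assertion"]
    if not hmac.compare_digest(resp["signature"], sign(a)):
        return None                      # tampered or unsigned
    if a["audience"] != SP_ENTITY_ID or a["in_response_to"] != req["id"]:
        return None                      # meant for another SP, or replayed
    if a["issuer"] != IDP_ENTITY_ID or now >= a["not_on_or_after"]:
        return None                      # unknown IdP, or expired
    return a["attributes"]

def sp_authorise(attrs: Optional[dict], required_role: str) -> bool:
    """Web server: grant access only if the pushed role attribute matches."""
    return attrs is not None and required_role in attrs.get("roles", [])

def simple_workflow(attrs: dict, required_role: str = "staff",
                    tamper: bool = False, now: Optional[float] = None) -> bool:
    """Run the whole exchange; tamper=True edits attributes after signing."""
    now = time.time() if now is None else now
    req = sp_authn_request()
    resp = idp_respond(req, attrs, now)
    if tamper:
        resp["assertion"]["attributes"] = {**attrs, "roles": [required_role]}
    return sp_authorise(sp_evaluate(req, resp, now), required_role)
```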

  34. Advanced Workflow • Attribute Query • Provisioning on-the-fly • WAYF (user starts by accessing the SP site directly)

  35. The user accesses the service provider’s web site first; the page contains a link to log in, and the service provider must first ask ‘where are you from’? [Diagram: Service Provider with Service Provider Web Server, Service Provider SAML server and Service Provider User Repository; Identity Provider with Institutional SAML Server and Institutional User Repository; Federation or Service Provider WAYF Server between them. The same diagram is repeated on slides 36 to 40.]

  36. The user is directed to the WAYF service; the WAYF service prompts the user to select his/her home institution from a list.

  37. The user is directed to his/her chosen home institution and is prompted for his/her home institution credentials.

  38. The home credentials are validated and the user is directed back to the SP with a SAML message.

  39. The SAML message is passed to the service provider’s SAML server, and the SAML server requests additional attributes from the home institution.

  40. The service provider authorises access based on the attributes obtained; the web application creates a link from the federated identity to a permanent account for subsequent visits (password?).

  41. Simple and Advanced • Simple • User attributes pushed to the service provider • User starts in his home portal • Service provider relies on IdP for all user data • Advanced • Attribute Query • Provisioning on-the-fly • WAYF (Variations on the above are possible)

  42. Labs www.edugate.ie >Support >Technical Resources >Installation Guides (www.edugate.ie/drupal/?q=InstallGuide) Choice of... • Ubuntu Linux with OpenLDAP and Apache • Windows with Active Directory and IIS. Only select the Windows option if you are not familiar with Linux/Unix or your institution only uses Windows

  43. Wrap up • STOP issuing accounts other than your student and staff accounts. • START issuing tenders ‘must support SAML/SSO’. • Technical part is small part of FAM. • Edugate and pilot project. • Next workshop on March 3rd. • Information day in May. • May Eurocamp in Cork Institute of Technology. • Identity Management mail list and RSS
