
Office 365 & IdP Shibboleth

Office 365 & IdP Shibboleth. Carlos Costa @ Univ. Aveiro. Agenda: Office 365; assumptions, possible federations, etc.; configuration of a Shibboleth IdP; enabling federated authentication with Shibboleth; Office 365 + Exchange On-Premises.


Presentation Transcript


  1. Office 365 & IdP Shibboleth. Carlos Costa @ Univ. Aveiro

  2. Agenda • Office 365 • Assumptions, possible federations, etc. • Configuring a Shibboleth IdP • Enabling federated authentication with Shibboleth • Office 365 + Exchange On-Premises (both with Shibboleth federated authentication) • Difficulties, problems/limitations

  3. Office 365 + Exchange On-Premises

  4. Office 365 with Federated Authentication

  5. Office 365 (Shibboleth federated auth.) + Exchange On-Premises @UA. [Architecture diagram: IdP.ua.pt, SMTP servers, mail.demo.ua.pt, Office 365, ActiveSync, Web, MAPI/IMAP, demo.ua.pt, clients]

  6. ECP* Profile of Shibboleth. [Diagram: Resource, Tomcat, IdP Server, IdP app, web clients, non-web clients, demo.ua.pt] * ECP = Enhanced Client or Proxy

  7. Shibboleth – Configuring the ECP Profile
  • <tomcatHomedir>/conf/server.xml
  (…)
  <Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="ShibUserPassAuth2"
           userClassNames="edu.vt.middleware.ldap.jaas.LdapPrincipal"
           roleClassNames="edu.vt.middleware.ldap.jaas.LdapRole"/>
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
          xmlValidation="false" xmlNamespaceAware="false">
    </Host>
  </Engine>
  (…)

  8. Shibboleth – Configuring the ECP Profile
  • <tomcatHomedir>/config/login.config
  (…)
  ShibUserPassAuth2 {
    // DEMO2
    edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
      host="ldap://dc.demo.ua.pt:389"
      port="389"
      ssl="false"
      tls="false"
      base="ou=UUs,dc=demo,dc=ua,dc=pt"
      subtreeSearch="true"
      referral="follow"
      userField="samAccountName"
      serviceUser="cn=IdP,cn=Users,dc=demo,dc=ua,dc=pt"
      serviceCredential="passwordDAconta";
  };
  (…)

  9. Shibboleth – Configuring the ECP Profile
  • <IdPSourceDir>/src/main/webapp/WEB-INF/web.xml
  (…)
  <security-constraint>
    <display-name>ShibbolethIdP</display-name>
    <web-resource-collection>
      <web-resource-name>ECP</web-resource-name>
      <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ShibUserPassAuth2</realm-name>
  </login-config>
  <security-role>
    <role-name>*</role-name>
  </security-role>
  (…)

  10. Shibboleth – Configuring the ECP Profile
  • idp-metadata.xml
  (…)
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                       Location="https://idp.ua.pt/idp/profile/SAML2/SOAP/ECP" />
  (…)
  • Redeploy the IdP application (install.sh/.bat)
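As an added example (not part of the presentation), the Python script below checks the three pieces of ECP wiring that slides 7 to 10 configure against each other: the Tomcat JAASRealm appName versus the realm-name in web.xml, the security-constraint on the ECP path (an auth-constraint present and transport-guarantee CONFIDENTIAL, so Basic credentials never travel in clear), and the SOAP endpoint advertised in idp-metadata.xml. The embedded XML fragments are constructed from the slides with the rest of each file omitted; reading them from the real files instead is left to the caller.

```python
"""Offline consistency checks for the Shibboleth ECP wiring on slides 7-10.

Added example; the fragments below are constructed from the slides and are
not the presentation's own files.
"""
import xml.etree.ElementTree as ET

# Constructed fragment of <tomcatHomedir>/conf/server.xml.
SERVER_XML = """<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="ShibUserPassAuth2"
         userClassNames="edu.vt.middleware.ldap.jaas.LdapPrincipal"
         roleClassNames="edu.vt.middleware.ldap.jaas.LdapRole"/>
  <Host name="localhost" appBase="webapps"/>
</Engine>"""

# Constructed fragment of the IdP's WEB-INF/web.xml.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ECP</web-resource-name>
      <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ShibUserPassAuth2</realm-name>
  </login-config>
</web-app>"""

# Constructed fragment of idp-metadata.xml (namespaced, as the real file is).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.ua.pt/idp/shibboleth">
  <IDPSSODescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.ua.pt/idp/profile/SAML2/SOAP/ECP"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

ECP_PATH = "/profile/SAML2/SOAP/ECP"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"


def local(tag):
    """Strip an XML namespace from a tag ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def find_all(root, name):
    """All elements under (and including) root whose local name is `name`."""
    return [e for e in root.iter() if local(e.tag) == name]


def text(elem, child):
    """Stripped text of the first descendant named `child`, or ''."""
    found = next((e for e in elem.iter() if local(e.tag) == child), None)
    return (found.text or "").strip() if found is not None else ""


def check_ecp_wiring(server_xml, web_xml, idp_metadata):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    server = ET.fromstring(server_xml)
    web = ET.fromstring(web_xml)
    md = ET.fromstring(idp_metadata)

    # 1. web.xml's <realm-name> must name a JAASRealm that Tomcat actually defines.
    realms = {r.get("appName") for r in find_all(server, "Realm")
              if r.get("className", "").endswith("JAASRealm")}
    realm_name = text(web, "realm-name")
    if realm_name not in realms:
        findings.append(f"web.xml realm-name {realm_name!r} has no JAASRealm in server.xml")

    # 2. The ECP path must be covered by a constraint that requires a login
    #    and TLS; without both, Tomcat would pass unauthenticated SOAP calls
    #    to the IdP or accept Basic credentials over plain HTTP.
    covered = False
    for sc in find_all(web, "security-constraint"):
        patterns = [(p.text or "").strip() for p in find_all(sc, "url-pattern")]
        if ECP_PATH not in patterns:
            continue
        covered = True
        if not find_all(sc, "auth-constraint"):
            findings.append("ECP security-constraint lacks <auth-constraint>")
        if text(sc, "transport-guarantee") != "CONFIDENTIAL":
            findings.append("ECP security-constraint transport-guarantee is not CONFIDENTIAL")
    if not covered:
        findings.append(f"no security-constraint covers {ECP_PATH}")

    # 3. Metadata must advertise the SOAP binding at an https:// location on
    #    the same path Tomcat protects, or clients will hit an unguarded URL.
    soap = [s for s in find_all(md, "SingleSignOnService")
            if s.get("Binding") == SOAP_BINDING]
    if not soap:
        findings.append("metadata has no SingleSignOnService with the SOAP binding")
    for s in soap:
        loc = s.get("Location", "")
        if not loc.startswith("https://") or not loc.endswith(ECP_PATH):
            findings.append(f"ECP Location {loc!r} is not https on {ECP_PATH}")
    return findings


if __name__ == "__main__":
    for line in check_ecp_wiring(SERVER_XML, WEB_XML, IDP_METADATA) or ["all ECP checks passed"]:
        print(line)
```

Run it after each redeploy; the realm check in particular catches the common mistake of renaming the JAAS application in login.config without updating web.xml, which silently breaks Basic authentication on the ECP endpoint.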

  11. Shibboleth – Configuring one more SP
  • <IdPDir>/conf/relying-party.xml
  (…)
  <rp:RelyingParty id="urn:federation:MicrosoftOnline"
                   provider="https://idp.ua.pt/idp/shibboleth"
                   defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                             signAssertions="conditional"
                             encryptAssertions="never"
                             encryptNameIds="never" />
    <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile"
                             includeAttributeStatement="true"
                             assertionLifetime="PT5M"
                             assertionProxyCount="0"
                             signResponses="never"
                             signAssertions="always"
                             encryptAssertions="never"
                             encryptNameIds="never" />
  </rp:RelyingParty>
  (…)

  12. Shibboleth – Configuring one more SP
  • <IdPDir>/conf/relying-party.xml (cont.)
  • Include the SP's metadata
  • <IdPDir>/conf/attribute-resolver.xml
  (…)
  <resolver:AttributeDefinition id="ImmutableID" xsi:type="Simple"
                                xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                                sourceAttributeID="objectGUID">
    <resolver:Dependency ref="connUA-LDAP_DEMO2" />
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
                               xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                               nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="UserId" xsi:type="ad:Simple"
                                sourceAttributeID="userPrincipalName">
    <resolver:Dependency ref="connUA-LDAP_DEMO2" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="IDPEmail"
                               friendlyName="UserId" />
  </resolver:AttributeDefinition>
  (…)

  13. Shibboleth – Configuring one more SP
  • <IdPDir>/conf/attribute-filter.xml
  (…)
  <AttributeFilterPolicy id="releaseToMICROSOFT-Online">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                           value="urn:federation:MicrosoftOnline" />
    <AttributeRule attributeID="ImmutableID">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="UserId">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>
  (…)

  14. Shibboleth – Configuring one more LDAP
  • <IdPDir>/conf/attribute-resolver.xml
  (…)
  <resolver:DataConnector id="connUA-LDAP_DEMO2" xsi:type="LDAPDirectory"
                          xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                          ldapURL="ldap://dc.staging.ua.pt"
                          baseDN="ou=UUs,dc=demo,dc=ua,dc=pt"
                          principal="IdP@DEMO.UA.PT"
                          principalCredential="passwordDAconta">
    <FilterTemplate>
      <![CDATA[
        (samAccountName=$requestContext.principalName)
      ]]>
    </FilterTemplate>
    <ReturnAttributes>objectGUID userPrincipalName</ReturnAttributes>
    <LDAPProperty name="java.naming.referral" value="follow"/>
    <LDAPProperty name="java.naming.ldap.attributes.binary" value="objectGUID"/>
    <LDAPProperty name="com.sun.jndi.ldap.connect.timeout" value="500"/>
  </resolver:DataConnector>
  (…)
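Slides 12 and 14 together turn AD's objectGUID into the ImmutableID that Office 365 uses to match a federated user: because the data connector declares objectGUID as a binary attribute (java.naming.ldap.attributes.binary), the IdP releases the raw 16 bytes base64-encoded rather than decoding them as text. The Python helpers below, an added example that is not part of the presentation, reproduce that encoding so a value seen in a released assertion can be checked against the GUID read from the directory. The sample GUID is constructed; the function names are this example's own.

```python
"""ImmutableID <-> objectGUID helpers (added example, not from the slides).

An AD objectGUID is 16 bytes stored in mixed-endian order: the first three
GUID fields are byte-swapped relative to the printed form, the last two are
not.  Python exposes exactly that layout as UUID.bytes_le.  Base64 of those
16 bytes is the ImmutableID form Office 365 expects.
"""
import base64
import uuid


def immutable_id_from_guid(guid_text):
    """Printed GUID (as AD tools show it) -> base64 ImmutableID."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id):
    """Base64 ImmutableID -> printed GUID; rejects anything that is not 16 bytes.

    validate=True makes b64decode refuse characters outside the base64
    alphabet (e.g. a GUID string pasted where the ImmutableID belongs).
    """
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"ImmutableID must decode to 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def is_well_formed_immutable_id(value):
    """True when the value is base64 of exactly 16 bytes (an objectGUID)."""
    try:
        guid_from_immutable_id(value)
        return True
    except (ValueError, TypeError):
        return False


def released_value_matches(released_immutable_id, directory_guid_text):
    """Compare an ImmutableID taken from a SAML assertion with the objectGUID
    read from the directory; True only when both identify the same object."""
    if not is_well_formed_immutable_id(released_immutable_id):
        return False
    released = guid_from_immutable_id(released_immutable_id).lower()
    return released == str(uuid.UUID(directory_guid_text)).lower()


if __name__ == "__main__":
    # Constructed sample GUID; not a real directory object.
    sample = "12345678-1234-5678-9abc-def012345678"
    iid = immutable_id_from_guid(sample)
    print(sample, "->", iid, "->", guid_from_immutable_id(iid))
```

If the released value fails `is_well_formed_immutable_id`, the usual cause is the binary declaration missing on the connector: the IdP then treats objectGUID as a string, the bytes get mangled, and Office 365 cannot match the user even though the UserId attribute looks correct.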

  15. Shibboleth – Configuring one more LDAP
  • <IdPDir>/conf/login.config
  (…)
  // DEMO2
  edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
    host="ldap://dc.demo.ua.pt:389"
    port="389"
    ssl="false"
    tls="false"
    base="ou=UUs,dc=demo,dc=ua,dc=pt"
    subtreeSearch="true"
    referral="follow"
    userField="samAccountName"
    serviceUser="cn=IdP,cn=Users,dc=demo,dc=ua,dc=pt"
    serviceCredential="passwordDAconta";
  (…)

  16. Office 365 – Shibboleth Federation Configuration
  ########### Variable initialisation ###############
  $dom = "demo.ua.pt"
  $FedBrandName = "demo.ua.pt"
  $PassiveLogOnUrl = "https://idp.ua.pt/idp/profile/SAML2/POST/SSO"
  $ecpUrl = "https://idp.ua.pt/idp/profile/SAML2/SOAP/ECP"
  $IssuerUri = "https://idp.ua.pt/idp/shibboleth"
  $LogOffUrl = "https://idp.ua.pt/idp/logout.jsp"
  $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\idp.crt")
  $certData = [System.Convert]::ToBase64String($cert.RawData)
  ########### Convert the domain's authentication type ###############
  Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $FedBrandName -Authentication Federated -PassiveLogOnUri $PassiveLogOnUrl -SigningCertificate $certData -IssuerUri $IssuerUri -ActiveLogOnUri $ecpUrl -LogOffUri $LogOffUrl -PreferredAuthenticationProtocol SAMLP
  ########### Check the authentication type (should be "Federated", not "Managed") and its settings
  Get-MsolDomain
  Get-MsolDomainFederationSettings -DomainName $dom | fl *

  17. Office 365 + Exchange On-Premises (with Shibboleth federated authentication) @UA. [Architecture diagram: ADFS, IdP.ua.pt, ADFS Proxy, SMTP servers, mail.demo.ua.pt, Office 365, ActiveSync, Web, MAPI/IMAP, demo.ua.pt, clients]

  18. Office 365 with Shibboleth federated authentication

  19. Questions

  20. References
  • Links:
    http://technet.microsoft.com/en-us/library/jj205456
    http://community.office365.com/en-us/wikis/live-at-edu-transition/1096.aspx
    Office365-ShibbolethIdp.docx
    Office365-Single-Sign-On-with-Shibboleth-2.docx
    https://wiki.shibboleth.net/confluence/display/SHIB2/ECP
    https://wiki.shibboleth.net/confluence/display/SHIB2/IdPSAML2ECPProfileConfig
    https://wiki.shibboleth.net/confluence/display/SHIB2/IdP+ECP+Extension
    https://wiki.shibboleth.net/confluence/display/SHIB2/IdPEnableECP
    http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JAASRealm
