Office 365 & Shibboleth IdP. Carlos Costa @ Univ. Aveiro. Agenda: Office 365; prerequisites, possible federation options, etc.; configuring a Shibboleth IdP; enabling federated authentication with Shibboleth; Office 365 + Exchange On-Premises.
Office 365 & Shibboleth IdP. Carlos Costa @ Univ. Aveiro

Agenda
• Office 365
• Prerequisites, possible federation options, etc.
• Configuring a Shibboleth IdP
• Enabling federated authentication with Shibboleth
• Office 365 + Exchange On-Premises (both with Shibboleth federated authentication)
• Difficulties, problems/limitations
[Diagram: Office 365 (Shibboleth federated authentication) + Exchange On-Premises @UA. Components: IdP.ua.pt, SMTP servers, mail.demo.ua.pt, Office 365, clients (ActiveSync, Web, MAPI/IMAP), demo.ua.pt.]

[Diagram: the Shibboleth ECP* Profile. Components: Resource, Tomcat, IdP Server, IdP app, web clients, non-web clients, demo.ua.pt. * ECP = Enhanced Client or Proxy.]
Shibboleth – Configuring the ECP Profile
• <tomcatHomedir>/config/servers.xml
  (…)
  <Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="ShibUserPassAuth2"
           userClassNames="edu.vt.middleware.ldap.jaas.LdapPrincipal"
           roleClassNames="edu.vt.middleware.ldap.jaas.LdapRole"/>
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
          xmlValidation="false" xmlNamespaceAware="false">
    </Host>
  </Engine>
  (…)

Shibboleth – Configuring the ECP Profile
• <tomcatHomedir>/config/login.config
  (…)
  ShibUserPassAuth2 {
    // DEMO2
    edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
      host="ldap://dc.demo.ua.pt:389"
      port="389"
      ssl="false"
      tls="false"
      base="ou=UUs,dc=demo,dc=ua,dc=pt"
      subtreeSearch="true"
      referral="follow"
      userField="samAccountName"
      serviceUser="cn=IdP,cn=Users,dc=demo,dc=ua,dc=pt"
      serviceCredential="passwordDAconta";
  };
  (…)

Shibboleth – Configuring the ECP Profile
• <IdPSourceDir>/src/main/webapp/WEB-INF/web.xml
  (…)
  <security-constraint>
    <display-name>ShibbolethIdP</display-name>
    <web-resource-collection>
      <web-resource-name>ECP</web-resource-name>
      <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ShibUserPassAuth2</realm-name>
  </login-config>
  <security-role>
    <role-name>*</role-name>
  </security-role>
  (…)

Shibboleth – Configuring the ECP Profile
• idp-metadata.xml
  (…)
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                       Location="https://idp.ua.pt/idp/profile/SAML2/SOAP/ECP"/>
  (…)
• Redeploy the IdP application (install.sh/.bat)
Shibboleth – Configuring an additional SP
• <IdPDir>/conf/relying-party.xml
  (…)
  <rp:RelyingParty id="urn:federation:MicrosoftOnline"
                   provider="https://idp.ua.pt/idp/shibboleth"
                   defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        signAssertions="conditional"
        encryptAssertions="never"
        encryptNameIds="never"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile"
        includeAttributeStatement="true"
        assertionLifetime="PT5M"
        assertionProxyCount="0"
        signResponses="never"
        signAssertions="always"
        encryptAssertions="never"
        encryptNameIds="never"/>
  </rp:RelyingParty>
  (…)

Shibboleth – Configuring an additional SP
• <IdPDir>/conf/relying-party.xml (cont.)
• Include the SP's metadata
• <IdPDir>/conf/attribute-resolver.xml
  (…)
  <resolver:AttributeDefinition id="ImmutableID" xsi:type="Simple"
      xmlns="urn:mace:shibboleth:2.0:resolver:ad"
      sourceAttributeID="objectGUID">
    <resolver:Dependency ref="connUA-LDAP_DEMO2"/>
    <resolver:AttributeEncoder xsi:type="SAML2StringNameID"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="UserId" xsi:type="ad:Simple"
      sourceAttributeID="userPrincipalName">
    <resolver:Dependency ref="connUA-LDAP_DEMO2"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="IDPEmail" friendlyName="UserId"/>
  </resolver:AttributeDefinition>
  (…)

Shibboleth – Configuring an additional SP
• <IdPDir>/conf/attribute-filter.xml
  (…)
  <AttributeFilterPolicy id="releaseToMICROSOFT-Online">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="urn:federation:MicrosoftOnline"/>
    <AttributeRule attributeID="ImmutableID">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="UserId">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
  (…)

Shibboleth – Configuring an additional LDAP directory
• <IdPDir>/conf/attribute-resolver.xml
  (…)
  <resolver:DataConnector id="connUA-LDAP_DEMO2" xsi:type="LDAPDirectory"
      xmlns="urn:mace:shibboleth:2.0:resolver:dc"
      ldapURL="ldap://dc.staging.ua.pt"
      baseDN="ou=UUs,dc=demo,dc=ua,dc=pt"
      principal="IdP@DEMO.UA.PT"
      principalCredential="passwordDAconta">
    <FilterTemplate>
      <![CDATA[
        (samAccountName=$requestContext.principalName)
      ]]>
    </FilterTemplate>
    <ReturnAttributes>objectGUID userPrincipalName</ReturnAttributes>
    <LDAPProperty name="java.naming.referral" value="follow"/>
    <LDAPProperty name="java.naming.ldap.attributes.binary" value="objectGUID"/>
    <LDAPProperty name="com.sun.jndi.ldap.connect.timeout" value="500"/>
  </resolver:DataConnector>
  (…)
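The ImmutableID released for Microsoft Online is the base64 form of the raw 16-byte objectGUID, which is why the data connector declares objectGUID as a binary attribute. The Python helper below is added here and is not part of the slides; it converts between the GUID string that AD tools display, the base64 value the encoder releases, and the ImmutableID held by Office 365, and checks one against the other. All GUID and ImmutableID values in it are constructed samples.

```python
import base64
import uuid


def immutable_id_from_ldap(raw_object_guid: bytes) -> str:
    # What the SAML2StringNameID encoder releases for ImmutableID once the
    # connector declares objectGUID binary: base64 of the raw 16 octets.
    if len(raw_object_guid) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return base64.b64encode(raw_object_guid).decode("ascii")


def immutable_id_from_guid_string(guid_str: str) -> str:
    # AD tools display objectGUID in mixed-endian GUID form, so bytes_le
    # (not bytes) recovers the octets LDAP actually returns.
    return immutable_id_from_ldap(uuid.UUID(guid_str).bytes_le)


def guid_string_from_immutable_id(immutable_id: str) -> str:
    # Reverse direction: locate the AD object behind an ImmutableID
    # seen on the Office 365 side.
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def immutable_id_matches(o365_immutable_id: str, ad_guid_string: str) -> bool:
    # Consistency check: the ImmutableID Office 365 holds for a user must
    # equal the objectGUID the IdP will assert for that account, otherwise
    # the federated sign-in cannot be mapped to the cloud user.
    try:
        return guid_string_from_immutable_id(o365_immutable_id) == str(uuid.UUID(ad_guid_string))
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample objectGUID (not a real directory value).
    sample_guid = "12345678-1234-5678-9abc-def012345678"
    iid = immutable_id_from_guid_string(sample_guid)
    print("ImmutableID for", sample_guid, "is", iid)
    print("round trip:", guid_string_from_immutable_id(iid))
```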
Shibboleth – Configuring an additional LDAP directory
• <IdPDir>/conf/login.config
  (…)
  // DEMO2
  edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
    host="ldap://dc.demo.ua.pt:389"
    port="389"
    ssl="false"
    tls="false"
    base="ou=UUs,dc=demo,dc=ua,dc=pt"
    subtreeSearch="true"
    referral="follow"
    userField="samAccountName"
    serviceUser="cn=IdP,cn=Users,dc=demo,dc=ua,dc=pt"
    serviceCredential="passwordDAconta";
  (…)

Office 365 – Configuring Shibboleth federation
  ########### Variable initialisation ###############
  $dom = "demo.ua.pt"
  $FedBrandName = "demo.ua.pt"
  $PassiveLogOnUrl = "https://idp.ua.pt/idp/profile/SAML2/POST/SSO"
  $ecpUrl = "https://idp.ua.pt/idp/profile/SAML2/SOAP/ECP"
  $IssuerUri = "https://idp.ua.pt/idp/shibboleth"
  $LogOffUrl = "https://idp.ua.pt/idp/logout.jsp"
  $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\idp.crt")
  $certData = [System.Convert]::ToBase64String($cert.RawData)

  ########### Switch the domain's authentication type ###############
  Set-MsolDomainAuthentication -DomainName $dom -FederationBrandName $FedBrandName `
      -Authentication Federated -PassiveLogOnUri $PassiveLogOnUrl `
      -SigningCertificate $certData -IssuerUri $IssuerUri `
      -ActiveLogOnUri $ecpUrl -LogOffUri $LogOffUrl `
      -PreferredAuthenticationProtocol SAMLP

  ########### Check the authentication type (should be "Federated", not "Managed") and its settings
  Get-MsolDomain
  Get-MsolDomainFederationSettings -DomainName $dom | fl *
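Each parameter passed to Set-MsolDomainAuthentication has a counterpart in the IdP's own metadata: IssuerUri is the entityID, PassiveLogOnUri the HTTP-POST SSO endpoint, ActiveLogOnUri the SOAP ECP endpoint, and SigningCertificate the signing KeyDescriptor. The Python check below is added here and is not part of the slides; it derives those values from a constructed idp-metadata.xml (the certificate body is a placeholder) and reports any parameter that is missing or differs from what was configured, which is how a forgotten ECP endpoint, the one the slides add specifically for non-web clients, shows up before users do.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed stand-in for idp-metadata.xml; the certificate text is a
# placeholder, not a real certificate.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.ua.pt/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        MIIC-PLACEHOLDER-CERT
        BODY-LINE-2
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{POST_BINDING}" Location="https://idp.ua.pt/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="{SOAP_BINDING}" Location="https://idp.ua.pt/idp/profile/SAML2/SOAP/ECP"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def federation_params(metadata_xml: str) -> dict:
    """Derive the Set-MsolDomainAuthentication values from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    locations = {s.get("Binding"): s.get("Location")
                 for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    cert = None
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            node = kd.find(f".//{{{DS}}}X509Certificate")
            if node is not None and node.text:
                cert = "".join(node.text.split())  # one-line base64 DER, like $certData
                break
    return {"IssuerUri": root.get("entityID"),
            "PassiveLogOnUri": locations.get(POST_BINDING),
            "ActiveLogOnUri": locations.get(SOAP_BINDING),
            "SigningCertificate": cert}


def mismatches(params: dict, expected: dict) -> list:
    """Parameters absent from the metadata or different from the configured value."""
    return sorted(k for k, v in expected.items() if params.get(k) != v)
```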
[Diagram: Office 365 + Exchange On-Premises (with Shibboleth federated authentication) @UA. Components: ADFS, IdP.ua.pt, ADFS Proxy, SMTP servers, mail.demo.ua.pt, Office 365, clients (ActiveSync, Web, MAPI/IMAP), demo.ua.pt.]

References
• Links:
  http://technet.microsoft.com/en-us/library/jj205456
  http://community.office365.com/en-us/wikis/live-at-edu-transition/1096.aspx
  Office365-ShibbolethIdp.docx
  Office365-Single-Sign-On-with-Shibboleth-2.docx
  https://wiki.shibboleth.net/confluence/display/SHIB2/ECP
  https://wiki.shibboleth.net/confluence/display/SHIB2/IdPSAML2ECPProfileConfig
  https://wiki.shibboleth.net/confluence/display/SHIB2/IdP+ECP+Extension
  https://wiki.shibboleth.net/confluence/display/SHIB2/IdPEnableECP
  http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JAASRealm