SAML Sicurezza II A.A. 2010-2011 Speaker: André Panisson, PhD student Università degli Studi di Torino, Computer Science Department Corso Svizzera, 185 – 10149, Torino, Italy panisson@di.unito.it Sicurezza II, A.A. 2010/2011

Security Assertion Markup Language
XML-based open standard for exchanging authentication and authorization data between security domains.
Two parties take part in the exchange:
Identity Provider (IdP): authenticates the user and issues the signed assertion
Service Provider (SP): consumes the assertion and grants access on the strength of it

SimpleSAMLphp
SAML implementation written in PHP. Provides support for:
SAML 2.0 as a Service Provider
SAML 2.0 as an Identity Provider
Shibboleth 1.3
A-Select, CAS, OpenID, WS-Federation and OAuth

Download and installation
For our purposes we also need the PHP Apache module built with support for:
libxml, openssl, zlib, ldap
(openssl is the extension simpleSAMLphp uses to sign and verify SAML messages; without it the IdP cannot sign assertions and the SP cannot check them.)
Download the version compiled for the lab from http://www.di.unito.it/~panisson/public/libphp5.so.tar.gz
    tar -xvzf libphp5.so.tar.gz
    mv libphp5.so $HOME/apache/modules/

Download and installation
http://simplesamlphp.org/
http://code.google.com/p/simplesamlphp/downloads/list
Download version 1.8.0 and unpack it:
    tar -xvzf simplesamlphp-1.8.0.tar.gz
The samlidp directory will hold the Identity Provider:
    cp -R simplesamlphp-1.8.0 $HOME/samlidp
The samlsp directory will hold the Service Provider:
    cp -R simplesamlphp-1.8.0 $HOME/samlsp

Apache Configuration
WARNING: When running an IdP and an SP on the same computer, the SP and IdP MUST be configured with different hostnames. This prevents cookies from the SP from interfering with cookies from the IdP: browsers scope cookies by host and ignore the port, so two simpleSAMLphp installations reached through the same hostname would overwrite each other's session cookie. (Giving the two installations different 'session.cookie.name' values in config.php is the other way to keep them apart.)
Uncomment the following line in apache/conf/httpd.conf:
    Include conf/extra/httpd-vhosts.conf

Apache Configuration
Edit the file apache/conf/extra/httpd-vhosts.conf and add:

    <VirtualHost *:8080>
        ServerAdmin admin@educ.di.unito.it
        DocumentRoot "/usr/home/…/apache/htdocs/localhost"
        ServerName localhost
        ServerAlias localhost
        ErrorLog "logs/localhost-error_log"
        CustomLog "logs/localhost-access_log" common
        Alias /samlidp /usr/home/…/samlidp/www
        <Directory /usr/home/…/samlidp/www>
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>

    <VirtualHost *:8080>
        ServerAdmin admin@educ.di.unito.it
        DocumentRoot "/usr/home/…/apache/htdocs/loopback"
        ServerName 127.0.0.1
        ServerAlias 127.0.0.1
        ErrorLog "logs/loopback-error_log"
        CustomLog "logs/loopback-access_log" common
        Alias /samlsp /usr/home/…/samlsp/www
        <Directory /usr/home/…/samlsp/www>
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>

Note that only the www subdirectory of each installation is exposed; config/ and metadata/ (which hold the admin password and the trusted certificates) stay outside the web tree. Name-based virtual hosts on Apache 2.2 also need a NameVirtualHost *:8080 directive in this file; on Apache 2.4 replace the Order/Allow pair with Require all granted.
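The invariant behind the warning (IdP and SP served under distinct hostnames) is easy to break when a vhost file is edited by hand. The following Python script is an added example, not part of the lecture and not Apache or simpleSAMLphp code: it parses the VirtualHost blocks of an httpd-vhosts.conf fragment (a constructed sample below, with the elided paths replaced by placeholder paths) and checks that the /samlidp and /samlsp aliases land on different ServerNames and that no ServerName is declared twice.

```python
"""Check that the IdP and SP aliases in an Apache vhost file use distinct hostnames.

Added example (not from the slides, Apache or simpleSAMLphp): the two vhosts
below mirror the lecture's configuration with placeholder paths. The second
sample is the misconfiguration the warning describes: both aliases under one
ServerName, so both installations would share one session cookie.
"""
import re
from collections import defaultdict

# Constructed sample: the lecture's two vhosts, paths shortened.
SAMPLE_VHOSTS = """
<VirtualHost *:8080>
    ServerName localhost
    Alias /samlidp /home/user/samlidp/www
</VirtualHost>
<VirtualHost *:8080>
    ServerName 127.0.0.1
    Alias /samlsp /home/user/samlsp/www
</VirtualHost>
"""

# Constructed sample: both aliases in one vhost (the cookie-collision case).
SAMPLE_BAD = """
<VirtualHost *:8080>
    ServerName localhost
    Alias /samlidp /home/user/samlidp/www
    Alias /samlsp /home/user/samlsp/www
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf):
    """Return a list of (ServerName, [alias URL paths]) per VirtualHost block."""
    result = []
    for body in VHOST_RE.findall(conf):
        name = None
        aliases = []
        for line in body.splitlines():
            line = line.strip()
            if line.lower().startswith("servername"):
                name = line.split(None, 1)[1].strip()
            elif line.lower().startswith("alias "):
                parts = line.split()
                if len(parts) >= 3:
                    aliases.append(parts[1])
        result.append((name, aliases))
    return result


def check_separation(conf, paths=("/samlidp", "/samlsp")):
    """Return (ok, problems): ok is False when any two of `paths` are served by
    the same ServerName, a path is missing, or a ServerName is declared twice."""
    problems = []
    host_of = {}
    seen = defaultdict(int)
    for name, aliases in parse_vhosts(conf):
        if name is None:
            problems.append("vhost without ServerName")
            continue
        seen[name] += 1
        for alias in aliases:
            if alias in paths:
                host_of[alias] = name
    for path in paths:
        if path not in host_of:
            problems.append(f"{path} is not aliased in any vhost")
    hosts = [host_of[p] for p in paths if p in host_of]
    if len(set(hosts)) < len(hosts):
        problems.append("IdP and SP share a hostname: their session cookies will collide")
    for name, count in seen.items():
        if count > 1:
            problems.append(f"ServerName {name} declared {count} times")
    return (not problems, problems)


if __name__ == "__main__":
    print(check_separation(SAMPLE_VHOSTS))  # (True, [])
    print(check_separation(SAMPLE_BAD))     # (False, [...collide...])
```

Run it against the real file with `check_separation(open("apache/conf/extra/httpd-vhosts.conf").read())` before restarting Apache; the check is deliberately about hostnames, not ports, because the browser's cookie jar ignores the port.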

Identity Provider
Copy some required config files:
    cp samlidp/modules/sanitycheck/config-templates/config-sanitycheck.php samlidp/config/
Edit samlidp/config/config.php and change the following values:
    'baseurlpath' => 'samlidp/',
    'tempdir' => '/tmp/samlidp',
    'auth.adminpassword' => 'your_password',
    'technicalcontact_email' => 'your_email',
The admin password guards the configuration, metadata and test pages of the installation, so never leave the shipped default ('123'). While in this file, also replace 'secretsalt' (shipped as 'defaultsecretsalt'), which simpleSAMLphp uses as the secret for its hashes; the sanitycheck module you just enabled warns about both defaults.

Identity Provider
Enabling the Identity Provider functionality: this is done by editing samlidp/config/config.php. The options enable.saml20-idp and enable.shib13-idp control whether SAML 2.0 and Shibboleth 1.3 support is enabled. Enable one or both of them by assigning true:
    'enable.saml20-idp' => true,
    'enable.shib13-idp' => true,

Identity Provider
Configuring the authentication module: the exampleauth:UserPass authentication module is part of the exampleauth module. This module isn't enabled by default, so you will have to enable it. This is done by creating a file named enable in samlidp/modules/exampleauth/:
    touch samlidp/modules/exampleauth/enable

Identity Provider
Configuring the authentication module: the next step is to create an authentication source with this module. Configuration for authentication sources is found in samlidp/config/authsources.php. Uncomment the following entry:
    'example-userpass' => array(
        'exampleauth:UserPass',
        'student:studentpass' => array(
            'uid' => array('test'),
            'eduPersonAffiliation' => array('member', 'student'),
        ),
        'employee:employeepass' => array(
            'uid' => array('employee'),
            'eduPersonAffiliation' => array('member', 'employee'),
        ),
    ),
Each key is 'username:password' in clear text, and the array value is the set of attributes the IdP will release for that user. exampleauth:UserPass is a test module for exactly this kind of lab; a real deployment would use an LDAP or similar backend instead of passwords in a config file.

Identity Provider
Configuring the IdP: the IdP is configured by the metadata stored in samlidp/metadata/saml20-idp-hosted.php and samlidp/metadata/shib13-idp-hosted.php. Keep them untouched!

Identity Provider
Test it! Access http://localhost:8080/samlidp

Service Provider
Copy some required config files:
    cp samlsp/modules/sanitycheck/config-templates/config-sanitycheck.php samlsp/config/
Edit samlsp/config/config.php and change the following values:
    'baseurlpath' => 'samlsp/',
    'tempdir' => '/tmp/samlsp',
    'auth.adminpassword' => 'your_password',
    'technicalcontact_email' => 'your_email',
As for the IdP, do not keep the default admin password or the default 'secretsalt'; the SP is a separate installation with its own copies of both.

Service Provider
The SP is configured by an entry in samlsp/config/authsources.php:
    // An authentication source which can authenticate against both SAML 2.0
    // and Shibboleth 1.3 IdPs.
    'default-sp' => array(
        'saml:SP',

        // The entity ID of this SP.
        // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
        'entityID' => NULL,

        // The entity ID of the IdP this SP should contact.
        // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
        'idp' => NULL,

        // The URL to the discovery service.
        // Can be NULL/unset, in which case a builtin discovery service will be used.
        'discoURL' => NULL,
    ),
With 'idp' left NULL the SP will accept any IdP listed in its remote metadata; setting it to the entity ID of the lab IdP pins the SP to that one provider.

Adding IdPs to the SP
The service provider you are configuring needs to know about the identity providers you are going to connect to it. This is configured by metadata stored in samlsp/metadata/saml20-idp-remote.php and samlsp/metadata/shib13-idp-remote.php. You will have to add the identity provider metadata to your configuration file. You can find the metadata by going to your identity provider:
Open http://localhost:8080/samlidp
Go to the tab "Federation" and find the section titled "SAML 2.0 IdP Metadata"
Click on "Show metadata"
Copy the PHP code for the metadata into samlsp/metadata/saml20-idp-remote.php
The certificate inside this metadata is the key the SP will trust for IdP signatures, so it must be taken from the IdP itself, as here, and not from any channel an attacker could tamper with.

Adding SPs to the IdP
The identity provider you are configuring also needs to know about the service providers you are going to connect to it. This is configured by metadata stored in samlidp/metadata/saml20-sp-remote.php and samlidp/metadata/shib13-sp-remote.php. You will have to add the service provider metadata to your configuration file. You can find the metadata by going to your service provider:
Open http://127.0.0.1:8080/samlsp
Go to the tab "Federation" and find the section titled "SAML 2.0 SP Metadata"
Click on "Show metadata"
Copy the PHP code for the metadata into samlidp/metadata/saml20-sp-remote.php
This entry is what lets the IdP decide which SPs may receive assertions (and, through the AssertionConsumerService URL in it, where it will send them), so an IdP should only register SPs whose metadata it has verified.
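The two copy-and-paste steps above are the trust decision of the whole setup: whatever certificate ends up in saml20-idp-remote.php is the key the SP will accept signatures from. The following Python script is an added example, not part of the lecture and not simpleSAMLphp code; it does the same extraction from the XML form of SAML 2.0 IdP metadata (a constructed sample below with a placeholder certificate; the entityID and endpoint URLs follow the saml2/idp/ paths simpleSAMLphp uses under /samlidp) and refuses metadata that carries no signing certificate, since such an entry could never verify an assertion. The PHP it renders uses the key names the Federation tab shows (entityid, SingleSignOnService, SingleLogoutService, NameIDFormat, certData); rendering the endpoints as plain strings rather than Binding/Location arrays is an assumption about the 1.8 output format.

```python
"""Extract the saml20-idp-remote.php fields from SAML 2.0 IdP metadata XML.

Added example, not from the slides or the simpleSAMLphp project. The metadata
below is constructed for the example and its certificate is a placeholder,
not a real key; the URLs mimic the lab IdP from the lecture.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: shape follows the SAML metadata schema, values are dummies.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://localhost:8080/samlidp/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBplaceholder/cert/data==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:8080/samlidp/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:8080/samlidp/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return entityid, Redirect-binding SSO/SLO locations, NameID format and the
    signing certificate. Raises ValueError for non-IdP metadata or for metadata
    without a signing key, because such an entry could not verify any assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both purposes; an encryption-only
        # key must never be trusted for signature verification.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # strip whitespace
    if not certs:
        raise ValueError("no signing certificate in metadata")
    nameid = idp.find("md:NameIDFormat", NS)
    return {
        "entityid": root.get("entityID"),
        "SingleSignOnService": sso.get(REDIRECT),
        "SingleLogoutService": slo.get(REDIRECT),
        "NameIDFormat": nameid.text.strip() if nameid is not None and nameid.text else None,
        "certData": certs[0],
    }


def to_php_entry(info):
    """Render the dict as a saml20-idp-remote.php array entry (as a string)."""
    lines = ["$metadata['%s'] = array(" % info["entityid"]]
    for key in ("entityid", "SingleSignOnService", "SingleLogoutService", "NameIDFormat", "certData"):
        if info[key] is not None:
            lines.append("    '%s' => '%s'," % (key, info[key]))
    lines.append(");")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_php_entry(parse_idp_metadata(SAMPLE_IDP_METADATA)))
```

The same parser, pointed at SPSSODescriptor instead of IDPSSODescriptor, gives the saml20-sp-remote.php side of the exchange; either way, fetch the XML only over a channel you trust and compare the certificate with the one the IdP's Federation tab shows before pasting the entry.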

Test the SP and IdP
Go to your Service Provider: http://127.0.0.1:8080/samlsp
Go to the tab "Authentication" and click on "Test configured authentication sources"
Click on "default-sp"
Select the identity provider you configured in the previous steps
Log in using the identity provider credentials

Thank you for your attention!
Sicurezza II A.A. 2010-2011, SAML
Speaker: André Panisson, PhD student
Università degli Studi di Torino, Computer Science Department
Corso Svizzera, 185 – 10149, Torino, Italy
panisson@di.unito.it

©2009 by André Panisson. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.