Shibboleth Training: Round Two

Title slide: 09/01/13, www.incommon.org

Welcome (back) to the training and thanks (again) to our hosts
• SP (Service Provider) day
• A few slides to reinforce key concepts (flows, terminology) and dig a little deeper
• The SP's role in the wonderful world of applications

Why is Shared Identity Important?
• Authoritative user data (attributes), expressed to a service
• Many applications, many users, not many credentials
• People and applications are complicated
• Regulatory compliance
• Excellent auditability of who, what, when, and how for data release
• Cloud! *aaS, NET+

Federated Identity
• Single Sign-On (SSO) with bells and whistles added to fit a multi-domain world
• More evolution than innovation
• Single Log-Out (SLO)... becomes a nearly intractable problem
• Provisioning can be a mess, mostly out of scope for Shibboleth
• Federations scale trust and simplify operations; they are distinct from federated identity, as you'll find out with some vendors

Terminology
• Identity Provider (IdP)
• Service Provider (SP)
• Discovery Service (DS)
• Federation
• Enhanced Client & Proxy (ECP)
• Authentication
• Authorization
• Metadata
• Attribute
• Assertion
• Subject
• entityID
• Entity attributes

SAML 2.0 On the Wire
• Large piles of XML that we'll help you to digest
• AuthnRequest
• SAMLResponse
• SAML 2.0 can do far more than this, but these are the fundamentals
• Browser tools like SAML Tracer and web consoles give you a great HD view of the action

SAML 2.0 On the Wire: Outbound AuthnRequest

The browser hits the SP's session initiator handler naming the IdP; the SP answers with a redirect to the IdP's SSO endpoint:

GET https://sp.testshib.org/Shibboleth.sso/TestShib?entityID=https%3A%2F%2Fidp.testshib.org%2Fidp%2Fshibboleth HTTP/1.1
Host: sp.testshib.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://sp.testshib.org/

HTTP/?.? 302 Found
Date: Sun, 15 Sep 2013 17:43:07 GMT
Server: Apache/2.2.15 (CentOS)
Set-Cookie: _shibstate_1379266987_5fd8=https%3A%2F%2Fsp.testshib.org%2Ftesting%2Fsample.jsp; path=/; HttpOnly
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Cache-Control: private,no-store,no-cache,max-age=0
Location: https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZJdb4IwGIX%2FCuk9lA9FaISE6cVM3CTCdrGbpWCVJtCyvmUf%2F35V3OaWzLumPe8573nSOdCu7Uk26EZs2cvAQFvvXSuAnB4SNChBJAUORNCOAdE1KbK7NfEdl%2FRKalnLFlkZAFOaS7GQAoaOqYKpV16zh%2B06QY3WPRCMoXe08YeGV45UB1yYQyVbphsHQOKjrY%2FzTVEia2l0XNCj48883%2F0xMBfY7LDnLTtPb9mOK1ZrXBQbZK2WCXp2ozCcUDbbT%2F0gjNzYo%2FvQq%2BJpEERRFE9qIwMY2EqApkInyHe9wHZj25uW3oxMAuLOnpCVn6vecLHj4nCdSzWKgNyWZW6PjR6ZglMbI0Dp%2FEiXnILVBe%2FrtvQLMkr%2FQwrfSG3o5%2FgiZYzsyb2xXS1z2fL6w8raVr4tFKOaJchDOB1Hfv%2BH9BM%3D&RelayState=cookie%3A1379266987_5fd8
Content-Length: 832
Connection: close
Content-Type: text/html; charset=iso-8859-1

Note the RelayState: it is only a reference ("cookie:1379266987_5fd8") to the _shibstate_ cookie the SP just set on the browser, whose value is the URL-encoded resource (/testing/sample.jsp) the user will be returned to once the response comes back.

SAML 2.0 On the Wire: Outbound AuthnRequest (the redirect URL in full)

https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZJdb4IwGIX%2FCuk9lA9FaISE6cVM3CTCdrGbpWCVJtCyvmUf%2F35V3OaWzLumPe8573nSOdCu7Uk26EZs2cvAQFvvXSuAnB4SNChBJAUORNCOAdE1KbK7NfEdl%2FRKalnLFlkZAFOaS7GQAoaOqYKpV16zh%2B06QY3WPRCMoXe08YeGV45UB1yYQyVbphsHQOKjrY%2FzTVEia2l0XNCj48883%2F0xMBfY7LDnLTtPb9mOK1ZrXBQbZK2WCXp2ozCcUDbbT%2F0gjNzYo%2FvQq%2BJpEERRFE9qIwMY2EqApkInyHe9wHZj25uW3oxMAuLOnpCVn6vecLHj4nCdSzWKgNyWZW6PjR6ZglMbI0Dp%2FEiXnILVBe%2FrtvQLMkr%2FQwrfSG3o5%2FgiZYzsyb2xXS1z2fL6w8raVr4tFKOaJchDOB1Hfv%2BH9BM%3D&RelayState=cookie%3A1379266987_5fd8

SAML 2.0 On the Wire: Outbound AuthnRequest Decoded

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"
    Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"
    ID="_08664ae7f52368091af61b953388894c"
    IssueInstant="2013-09-15T17:43:07Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.testshib.org/shibboleth-sp</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>

The SP tells the IdP where to send the response (AssertionConsumerServiceURL, via the HTTP-POST binding), who is asking (Issuer is the SP's entityID), and tags the request with an ID it will expect back in the response's InResponseTo. The request itself is not signed: there are no SigAlg or Signature parameters on the redirect.
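How the SAMLRequest parameter above is produced and read back, as an added example that is not code from the slides or from the Shibboleth SP. The HTTP-Redirect binding raw-DEFLATEs the XML, base64-encodes it and URL-encodes the result; RelayState rides alongside as a plain query parameter. The AuthnRequest text is rebuilt from the decoded slide (IDs and URLs are the slide's own), but the encoded bytes are recomputed here rather than copied from the capture, and, as in the capture, the request is unsigned (a signed one would add SigAlg and Signature parameters).

```python
"""HTTP-Redirect binding: encode an AuthnRequest into a URL and decode it again."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SSO_URL = "https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"

# Constructed from the slide's decoded AuthnRequest (whitespace removed).
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" '
    'AssertionConsumerServiceURL="https://sp.testshib.org/Shibboleth.sso/SAML2/POST" '
    f'Destination="{SSO_URL}" '
    'ID="_08664ae7f52368091af61b953388894c" IssueInstant="2013-09-15T17:43:07Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
    f'<saml:Issuer xmlns:saml="{SAML}">https://sp.testshib.org/shibboleth-sp</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="1"/>'
    '</samlp:AuthnRequest>'
)


def redirect_encode(xml_text: str) -> str:
    """Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def redirect_decode(b64: str) -> str:
    """Inverse of redirect_encode: base64, then raw INFLATE."""
    return zlib.decompress(base64.b64decode(b64), -15).decode("utf-8")


def build_redirect_url(sso_url: str, xml_text: str, relay_state: str) -> str:
    """Assemble the Location header the SP sends the browser to."""
    query = urllib.parse.urlencode(
        {"SAMLRequest": redirect_encode(xml_text), "RelayState": relay_state}
    )
    return f"{sso_url}?{query}"


def parse_redirect_url(url: str) -> dict:
    """Take the redirect apart (what SAML Tracer shows you) and return the request's key fields."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    root = ET.fromstring(redirect_decode(qs["SAMLRequest"][0]))
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None else None,
        "acs": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "binding": root.get("ProtocolBinding"),
        "relay_state": qs.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    url = build_redirect_url(SSO_URL, AUTHN_REQUEST, "cookie:1379266987_5fd8")
    print(url)
    print(parse_redirect_url(url))
```

The decoder is the part worth keeping around: paste any SAMLRequest value from a trace into redirect_decode() and you get the XML without a browser plugin. Note that the Destination in the decoded request must match the endpoint you actually posted to; the IdP checks that.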

SAML 2.0 On the Wire: Some of the Authentication Process

Inside the IdP, the authentication engine bounces the browser to its username/password login handler:

GET https://idp.testshib.org/idp/AuthnEngine HTTP/1.1
Host: idp.testshib.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://sp.testshib.org/
Cookie: JSESSIONID=7457D9BC57AB79F47FDC449D267C3A05; _idp_authn_lc_key=19b41e7b8030fefc158a5124fa4e8dd0ada81b7e220cad9d71dba38d4be61bf9

HTTP/?.? 302 Found
Date: Sun, 15 Sep 2013 17:43:08 GMT
Expires: 0
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Location: https://idp.testshib.org:443/idp/Authn/UserPassword
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

SAML 2.0 On the Wire: Response POST

After login, the IdP returns an auto-submitting form and the browser posts it to the SP's assertion consumer service, carrying the state cookie set earlier:

POST https://sp.testshib.org/Shibboleth.sso/SAML2/POST HTTP/1.1
Host: sp.testshib.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
Cookie: _shibstate_1379266987_5fd8=https%3A%2F%2Fsp.testshib.org%2Ftesting%2Fsample.jsp
Content-Type: application/x-www-form-urlencoded
Content-Length: 18165

SAML 2.0 On the Wire: Response Body

POST form fields:
RelayState: cookie:1379266987_5fd8
SAMLResponse: (base64-encoded response, roughly 18 KB; not reproduced here)

SAML 2.0 On the Wire: Response Decoded

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"
    ID="_756c7ce31cf1c3c05af079ad190418e9"
    InResponseTo="_08664ae7f52368091af61b953388894c"
    IssueInstant="2013-09-15T17:48:07.312Z"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.testshib.org/idp/shibboleth</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <!-- Encryption keying information goes here -->
    <!-- Encrypted Assertion goes here -->
  </saml2:EncryptedAssertion>
</saml2p:Response>

SAML 2.0 On the Wire: Assertion Decrypted

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    ID="_e3d6ba821a78177ec5b8a943857bf4bb"
    IssueInstant="2013-09-15T17:48:07.312Z"
    Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.testshib.org/idp/shibboleth</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><!-- Digital Signature Goes Here --></ds:Signature>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        NameQualifier="https://idp.testshib.org/idp/shibboleth"
        SPNameQualifier="https://sp.testshib.org/shibboleth-sp">_eeb8e86508a287a76650811310111869</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData Address="131.252.248.198"
          InResponseTo="_08664ae7f52368091af61b953388894c"
          NotOnOrAfter="2013-09-15T17:53:07.312Z"
          Recipient="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2013-09-15T17:48:07.312Z" NotOnOrAfter="2013-09-15T17:53:07.312Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://sp.testshib.org/shibboleth-sp</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2013-09-15T17:48:07.046Z" SessionIndex="_d01434572d16888023226e30793cc225">
    <saml2:SubjectLocality Address="131.252.248.198"/>
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Member</saml2:AttributeValue>
    </saml2:Attribute>
    <!-- More attributes here -->
  </saml2:AttributeStatement>
</saml2:Assertion>

Everything the SP enforces is visible here once the signature has been verified against the IdP's key from metadata: the bearer SubjectConfirmationData (Recipient must be the SP's own ACS endpoint, InResponseTo must match the request ID it issued, NotOnOrAfter is five minutes after issue), the Conditions validity window, and the AudienceRestriction naming the SP's entityID. The transient NameID is a one-time identifier scoped to this SP; the Address is the client IP the IdP saw.
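What the SP checks on that assertion before it will create a session, as an added example that is not the Shibboleth SP's code. The assertion text is reconstructed from the slides with the Signature and EncryptedAssertion layers left out, so this covers only the logical checks that come after signature verification and decryption: issuer, bearer confirmation (Recipient, InResponseTo, NotOnOrAfter), the Conditions window with a clock-skew allowance, audience, and replay of the assertion ID. The 180-second skew and the clock values passed as "now" are assumptions. A real SP verifies the XML signature against the IdP key in metadata before any of this and never accepts an unsigned assertion.

```python
"""SP-side acceptance checks on a decrypted SAML 2.0 bearer assertion."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SP_ENTITY_ID = "https://sp.testshib.org/shibboleth-sp"
ACS_URL = "https://sp.testshib.org/Shibboleth.sso/SAML2/POST"
IDP_ENTITY_ID = "https://idp.testshib.org/idp/shibboleth"
REQUEST_ID = "_08664ae7f52368091af61b953388894c"   # ID of the outbound AuthnRequest

# Reconstructed from the "Assertion Decrypted" slides; ds:Signature omitted.
ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML}" ID="_e3d6ba821a78177ec5b8a943857bf4bb"
    IssueInstant="2013-09-15T17:48:07.312Z" Version="2.0">
  <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_eeb8e86508a287a76650811310111869</saml2:NameID>
    <saml2:SubjectConfirmation Method="{BEARER}">
      <saml2:SubjectConfirmationData Address="131.252.248.198" InResponseTo="{REQUEST_ID}"
          NotOnOrAfter="2013-09-15T17:53:07.312Z" Recipient="{ACS_URL}"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2013-09-15T17:48:07.312Z" NotOnOrAfter="2013-09-15T17:53:07.312Z">
    <saml2:AudienceRestriction><saml2:Audience>{SP_ENTITY_ID}</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2013-09-15T17:48:07.046Z" SessionIndex="_d01434572d16888023226e30793cc225">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="eduPersonAffiliation" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml2:AttributeValue>Member</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


class AssertionRejected(Exception):
    pass


def ts(value):
    """SAML dateTime in UTC ('...Z', optional fraction) -> aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def q(tag):
    return f"{{{SAML}}}{tag}"


def validate_assertion(xml_text, sp_entity_id, acs_url, idp_entity_id,
                       outstanding_request_id, now, seen_ids,
                       skew=timedelta(seconds=180)):   # skew allowance is an assumption
    """Return session data for an acceptable assertion, else raise AssertionRejected.
    seen_ids is the replay cache (a set of consumed assertion IDs); updated on success."""
    a = ET.fromstring(xml_text)
    if a.tag != q("Assertion") or a.get("Version") != "2.0":
        raise AssertionRejected("not a SAML 2.0 assertion")
    if a.get("ID") in seen_ids:
        raise AssertionRejected("replayed assertion ID")
    if a.findtext(q("Issuer"), "").strip() != idp_entity_id:
        raise AssertionRejected("unexpected issuer")
    # Bearer confirmation: addressed to our ACS, answering our request, still fresh.
    conf = a.find(f"{q('Subject')}/{q('SubjectConfirmation')}")
    data = conf.find(q("SubjectConfirmationData")) if conf is not None else None
    if conf is None or conf.get("Method") != BEARER or data is None:
        raise AssertionRejected("no bearer SubjectConfirmation")
    if data.get("Recipient") != acs_url:
        raise AssertionRejected("Recipient is not our ACS endpoint")
    if data.get("InResponseTo") != outstanding_request_id:
        raise AssertionRejected("InResponseTo does not match an outstanding request")
    if now >= ts(data.get("NotOnOrAfter")) + skew:
        raise AssertionRejected("bearer confirmation expired")
    # Conditions: validity window and audience.
    cond = a.find(q("Conditions"))
    if cond is None:
        raise AssertionRejected("missing Conditions")
    if now + skew < ts(cond.get("NotBefore")) or now >= ts(cond.get("NotOnOrAfter")) + skew:
        raise AssertionRejected("assertion outside its validity window")
    if sp_entity_id not in [e.text.strip() for e in cond.iter(q("Audience"))]:
        raise AssertionRejected("audience does not include this SP")
    authn = a.find(q("AuthnStatement"))
    if authn is None:
        raise AssertionRejected("no AuthnStatement")
    attrs = {attr.get("Name"): [v.text.strip() for v in attr.iter(q("AttributeValue"))]
             for attr in a.iter(q("Attribute"))}
    seen_ids.add(a.get("ID"))
    return {
        "name_id": a.findtext(f"{q('Subject')}/{q('NameID')}", "").strip(),
        "authn_instant": authn.get("AuthnInstant"),
        "session_index": authn.get("SessionIndex"),
        "authn_context": authn.findtext(f"{q('AuthnContext')}/{q('AuthnContextClassRef')}", "").strip(),
        "attributes": attrs,
    }


def outcome(**overrides):
    """Validate the reconstructed assertion with the slide's parameters at 17:50Z; 'ok' or the reason."""
    kw = dict(sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL, idp_entity_id=IDP_ENTITY_ID,
              outstanding_request_id=REQUEST_ID, now=ts("2013-09-15T17:50:00Z"), seen_ids=set())
    kw.update(overrides)
    try:
        validate_assertion(ASSERTION, **kw)
        return "ok"
    except AssertionRejected as e:
        return str(e)


if __name__ == "__main__":
    print(outcome())                                         # ok
    print(outcome(now=ts("2013-09-15T18:30:00Z")))           # bearer confirmation expired
    print(outcome(sp_entity_id="https://other.example.org/sp"))  # audience does not include this SP
```

The order matters in practice: the replay and issuer checks are cheap and come first, and every rejection reason is distinct so the SP's log tells you which of the five-minute windows or which identifier was wrong when a deployment fails after a clock or metadata change.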

SAML 2.0 On the Wire: Session Created

Having accepted the assertion, the SP sets its session cookie, clears the state cookie, and sends the browser back to the originally requested resource:

HTTP/?.? 302 Found
Date: Sun, 15 Sep 2013 17:48:07 GMT
Server: Apache/2.2.15 (CentOS)
Set-Cookie: _shibsession_64656661756c7468747470733a2f2f73702e74657374736869622e6f72672f73686962626f6c6574682d7370=_0c4133a61ce1abb3b04faa379dbb1e4a; path=/; HttpOnly
Set-Cookie: _shibstate_1379266987_5fd8=; path=/; HttpOnly; expires=Mon, 01 Jan 2001 00:00:00 GMT
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Cache-Control: private,no-store,no-cache,max-age=0
Location: https://sp.testshib.org/testing/sample.jsp
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1

The hex suffix of the session cookie name is just the application ID and SP entityID (here "default" followed by "https://sp.testshib.org/shibboleth-sp"); the cookie value is an opaque session key held by shibd, not the assertion itself.

SAML 2.0 On the Wire: What does the SP finally set?

The SP's session handler (/Shibboleth.sso/Session) shows what the session now holds:

Session Expiration (barring inactivity): 459 minute(s)
Client Address: 131.252.248.198
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://idp.testshib.org/idp/shibboleth
Authentication Time: 2013-09-15T17:48:07.046Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes
affiliation: 1 value(s)
cn: 1 value(s)
entitlement: 1 value(s)
eppn: 1 value(s)
givenName: 1 value(s)
persistent-id: 1 value(s)
sn: 1 value(s)
telephoneNumber: 1 value(s)
unscoped-affiliation: 1 value(s)

SAML 2.0 On the Wire: What does the application finally see?
• How the application sees and uses the information exposed by the SP depends on the application, the environment, and the language
• Here are some examples

Integration Example -- Java

public String getUser(HttpServletRequest req) {
    return req.getRemoteUser();
}

or

return (String) req.getAttribute("uid");

Integration Example -- PHP

$user = $_SERVER["uid"];
echo "User UID is: $user";

Integration Example -- ASP

Request("HTTP_uid")

ASP.NET

Request.Headers("uid")

Application Integration
Moving out of the "Science" zone and into the "Art" zone
• Two main points of integration: session management and attribute use
• Session management is handled through HTTP requests to the SP's handler URLs
• Attributes are available as shown above
• Rule of thumb: applications try to handle everything internally and require "domestication"
• Every state of understanding reached with an application is unique

More Integration Information
• The SP is written as an Apache module or IIS ISAPI filter paired with a daemon, shibd
• The SP can be integrated with applications in a thousand ways
• Typically, attributes are received as environment variables, and some special URLs (the /Shibboleth.sso handlers) make Shibboleth things happen for the app
• Apache can be used as a front-end for a Java servlet container; FastCGI support also exists
• Other implementations like OIOSAML, pySAML, ruby-saml, simpleSAMLphp, etc. offer alternatives, but tend to be less fully featured
• Many fun problems for the solution-oriented individual
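The integration examples above read whatever the SP exported, and the one check they all skip is provenance: server variables set by mod_shib are trustworthy, request headers are not unless the SP has been told to manage them (ShibUseHeaders) and scrubs the inbound ones. This added example (not from the slides or the Shibboleth project) shows the environment-variable side of that for a Python application behind the Apache SP with mod_wsgi, which copies mod_shib's server variables (REMOTE_USER, the attribute IDs from attribute-map.xml, and the Shib-* session variables) into the WSGI environ. The attribute IDs are the ones listed on the session slide; the environ and account values are constructed, and the multi-value separator handling follows the SP convention of joining values with ";" and escaping an embedded ";" as "\;".

```python
"""Consuming Shibboleth SP attributes from a WSGI environ, ignoring client-supplied headers."""
import re

# Attribute IDs as named in attribute-map.xml (the session slide listed these).
ATTRIBUTES = ("eppn", "affiliation", "unscoped-affiliation", "entitlement",
              "persistent-id", "cn", "givenName", "sn", "telephoneNumber")

# Constructed environ: what mod_wsgi hands an app after mod_shib has run.
# HTTP_UID is a header the *client* sent; it must not influence the identity.
SAMPLE_ENVIRON = {
    "REMOTE_USER": "myself@testshib.org",
    "eppn": "myself@testshib.org",
    "affiliation": "member@testshib.org;staff@testshib.org",
    "unscoped-affiliation": "member;staff",
    "entitlement": "urn:mace:dir:entitlement:common-lib-terms",
    "cn": "Me Myself",
    "Shib-Session-ID": "_0c4133a61ce1abb3b04faa379dbb1e4a",
    "Shib-Identity-Provider": "https://idp.testshib.org/idp/shibboleth",
    "Shib-Authentication-Instant": "2013-09-15T17:48:07.046Z",
    "HTTP_UID": "admin",
}


def split_values(raw):
    """Split an SP-exported attribute: values joined by ';', literal ';' escaped as '\\;'."""
    if not raw:
        return []
    return [p.replace("\\;", ";") for p in re.split(r"(?<!\\);", raw)]


def identity_from_environ(environ):
    """Build the identity the application may trust, or None when there is no SP session.

    Only keys set by mod_shib are read. HTTP_* keys are request headers and are
    deliberately never consulted: with ShibUseHeaders off they are whatever the
    browser sent, so 'HTTP_UID' here is an attacker-controlled value.
    """
    user = environ.get("REMOTE_USER")
    if not user:
        return None
    return {
        "user": user,
        "attributes": {name: split_values(environ.get(name, "")) for name in ATTRIBUTES},
        "session_id": environ.get("Shib-Session-ID"),
        "idp": environ.get("Shib-Identity-Provider"),
        "authn_instant": environ.get("Shib-Authentication-Instant"),
    }


def has_affiliation(identity, wanted):
    """Authorization decision on the scoped affiliation attribute."""
    return identity is not None and wanted in identity["attributes"]["affiliation"]


def application(environ, start_response):
    """Minimal WSGI app: 403 without an SP session or the required affiliation."""
    ident = identity_from_environ(environ)
    if not has_affiliation(ident, "member@testshib.org"):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"no Shibboleth session or insufficient affiliation\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"Hello {ident['user']} (asserted by {ident['idp']})\n".encode()]


if __name__ == "__main__":
    print(identity_from_environ(SAMPLE_ENVIRON))
    print(application(SAMPLE_ENVIRON, lambda status, headers: print(status)))
```

If an application can only read headers (the IIS and ASP cases above, or a servlet container fed by AJP), keep the SP in front of it on the same host so the SP strips and re-sets those headers on every request, and never expose the application port directly; a direct request with a forged uid header bypasses the whole exchange traced on the previous slides.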

Today's Agenda
• Us talking at you (apologies, done for now)
• A self-paced installation and configuration of the SP
• Quick tour of the SP configuration files covering pieces you didn't need to work with
• SP productionalization discussion
• And, at any time, ask your questions, raise your hand, engage with us!

Thank you! Now, the real fun begins...
(these links are also in the emailed workshop information for a superior copy/paste experience)
Linux SP: https://spaces.internet2.edu/x/LoLNAQ
Windows SP: https://spaces.internet2.edu/x/aYH8