Your web application PDI, January 2017

Presentation transcript:

Shibboleth: Your web application PDI, January 2017

Presenter: Adam Warren
- ACNS employee, previously Web Communications, previously ACNS
- Middleware developer
- Administers 100,000 Google accounts in @Rams and @Alumni
- Involved in the 2007 rewrite of eID from ColdFusion to .NET
- Has been using eID WebAuth for a long time…

Agenda
- eID WebAuth review
- Shibboleth basics
- Protecting your pages/sites
- Shibboleth metadata
- One way to manage session
  - Store metadata
  - Do early timeouts
  - Redirects for web apps

But first: Authentication (AuthN) vs. Authorization (AuthZ)

eID WebAuth
- eID WebAuth only does AuthN
- Setting up eID WebAuth:
  - Preregistered eService: get a Token ID and set a “return” page
  - Two web forms (login and login-proc)
  - Two round trips to the server
  - Must do something with “invalid” logins
  - Must do AuthZ

eID WebAuth (2): Authenticating on a web app, first round trip
- App determines the user must authenticate
- Login page sends a web request to the eID server with the eService token
- eID server answers with some HTML: a login form that posts to eID
- User logs in, form posts to eID
- eID server evaluates the login, sends the user to the preregistered “result” page carrying an AuthenticationID

eID WebAuth (3): Authenticating, second round trip
- Login-proc re-bundles the token with the AuthenticationID and makes another web request
- eID server answers with a delimited set of data on the person, plus an answer on whether the user is valid or not

eID WebAuth (4): Processing
- Must look at the “ValidUser” property and make decisions
- Metadata returned, if valid user: eName, PrimaryEID, EIDIRID, ISISIRID, ARIESIRID, HRIRID, AssociatesIRID, CSUID

eID WebAuth (5): Problems
- You have to handle invalid users
- Not much data except for IDs; requires subsequent lookups
- Round-trip (login form) spoofing
- Does not implement single sign-on
- Retiring!

Enter Shibboleth
- Replacement for eID WebAuth
- In production in very high-traffic web apps: RAMweb, Canvas LMS, Library, Parking, others
- Timeline: eID WebAuth support ends July 1st 2017

What is Shibboleth?
Web-based single sign-on with three components:
- The Identity Provider (IdP): does user authentication
- The Service Provider (SP): protects online resources
- The Discovery Service (DS): links the SP to the user’s IdP (not always needed)

Shibboleth Identity Provider (IdP)
The IdP does user authentication and provides user information to the Service Provider. It is located at the home organization, which maintains the user's account.
At CSU:
- Run by ACNS
- Redundant, load balanced
- Works just fine when Oracle is unavailable

Shibboleth Service Provider (SP)
- Protects online resources
- Consumes information from the Identity Provider (IdP)
- Generally installed on the same server as the resource
At CSU:
- Runs on your web server (IIS, Apache/Linux)
- Already set up on ACNS web servers
- ACNS timeout is 8 hours session / 1 hour inactivity (default)
- http://csufederation.acns.colostate.edu/

Shibboleth Flow
- User requests a protected resource (your web page)
  - If the user lacks a session, they get sent to the Service Provider
- Service Provider issues an Authentication Request
  - The SP sends the user to the Identity Provider
- User authenticated at the Identity Provider
  - The IdP checks if the user has an existing session; if none, the IdP validates username and password

Safer: logins only happen on the IdP

Shibboleth Flow (2)
- Identity Provider issues an Authentication Response and sends the user back to the Service Provider
- Service Provider checks the Authentication Response
  - The SP validates the response, creates a session for the user, and makes metadata available to the protected resource
- Resource returns content
  - Like before, the user is asking for the protected resource
  - But now the user has a session and the resource knows who they are
  - Must still do Authorization

Richer Data
In addition to all the ID numbers (Aries, CSU-ID, EIDIRID, ad nauseam), Shibboleth also returns:
- displayName: Firstname Lastname
- eduPersonNickname: Firstname
- eduPersonPrincipalName: ename@colostate.edu (this one is a key and the preferred identifier)
- mail: whatever alias email, like first.last@colostate.edu
- sn: Lastname
- givenName: Firstname

Session Timeouts for Single Sign-On
- IdP session (CSU IdP): 8 hours, 2 hour inactivity timeout
- SP session: default 8 hours
- Application session: set your own
- wsnetdev2.colostate.edu/cwis262/shibbolethpdi/session_timing.aspx

Implementing Shibboleth
- Decide what resource to protect
- Make use of the metadata you get from the IdP
- Manage your own session

Protecting Resources
- Can “protect” an entire folder or a single web form/page
- Best practice: protect one page with the Shibboleth SP
  - If using ACNS servers: email Joe Volesky with the filename
  - Probably call it authorize instead of login
- Protect other pages by checking the local session
  - Send users to the authorize page if the local session is expired or nonexistent

Shibboleth Metadata
Resources protected by the SP return metadata in the header. See: https://wsnetdev2.colostate.edu/cwis262/shibbolethpdi/authorize.aspx

Shibboleth Metadata (2)
Wrap this metadata into a little class and only loop once: ShibUserData.cs

Shibboleth Metadata Class
- Your one protected page spins up one ShibUserData object
- Just pass in the headers to the constructor
- Now you have all the SAML attributes from the IdP in an object that holds them in individual, type-correct properties
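As an added example (not the ShibUserData.cs from the presentation), here is one way to write that class: a single pass over the request headers fills type-correct properties. The header names follow the attributes listed on the slides; the "CSUID" header name is an assumption about the local attribute mapping.

```csharp
using System;
using System.Collections.Specialized;

// Added example, not the presentation's ShibUserData.cs. Header names follow the attributes the
// slides list; "CSUID" as a header name is an assumption about the local attribute mapping.
public sealed class ShibUserData
{
    public string DisplayName { get; private set; }
    public string Nickname { get; private set; }
    public string PrincipalName { get; private set; }   // eduPersonPrincipalName, the preferred key
    public string Mail { get; private set; }
    public string Surname { get; private set; }
    public string GivenName { get; private set; }
    public int? CsuId { get; private set; }

    // Build only from the headers of an SP-protected request: the SP overwrites these header names
    // there, whereas on an unprotected page a client could supply them itself.
    public ShibUserData(NameValueCollection headers)
    {
        if (headers == null) throw new ArgumentNullException("headers");
        foreach (string key in headers.AllKeys)             // one pass over the headers
        {
            if (key == null) continue;
            string value = headers[key];
            switch (key.ToLowerInvariant())                 // header names are case-insensitive
            {
                case "displayname":            DisplayName = value; break;
                case "edupersonnickname":      Nickname = value; break;
                case "edupersonprincipalname": PrincipalName = value; break;
                case "mail":                   Mail = value; break;
                case "sn":                     Surname = value; break;
                case "givenname":              GivenName = value; break;
                case "csuid":
                {
                    int id;
                    if (int.TryParse(value, out id)) CsuId = id;
                    break;
                }
            }
        }
        // The SP makes this attribute present on a protected page; missing means no SP session.
        if (string.IsNullOrEmpty(PrincipalName))
            throw new InvalidOperationException("eduPersonPrincipalName header missing");
    }
    // The "ename" part of eduPersonPrincipalName, handy for simple AuthZ checks.
    public string EName
    {
        get { int at = PrincipalName.IndexOf('@'); return at < 0 ? PrincipalName : PrincipalName.Substring(0, at); }
    }
}
```

On the authorize page this is constructed as `new ShibUserData(Request.Headers)`; multi-valued attributes (the SP joins them with a semicolon) arrive as one string and would need splitting if your application uses them.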

Managing Session in your App
- Create a ShibSession class
  - Holds a ShibUserData object, AuthZ, and a few others
  - Stores one instance of itself in the ASP.NET session
- Allows access to session properties in a type-safe way
  - From inside a class file or on any aspx page, in the same way
- No more HttpContext.Current.Session["MySession"]…

Managing Session (2): Benefits
- It saves you from a lot of type-casting
- You don't have to use hard-coded session keys throughout your application (e.g. Session["loginId"])
- You can document your session items by adding XML doc comments on the properties of MySession
- You can initialize your session variables with default values (e.g. assuring they are not null)

Shibboleth Session Class
Properties:
- A ShibUserData object
- Intended destination (for redirecting back)
- Login time (to implement a faster timeout)
- AuthZ
  - Add more AuthZ properties for multiple types of AuthZ, e.g., AuthZnormal, AuthZsuper

Implementing ShibSession (1)
On your Authorize page: set the ShibSession User and Date properties

Implementing ShibSession (2)
On your Authorize page: do AuthZ
- Could be a database lookup
- Could be a simple ename check
- Could be GROUPER…

Implementing ShibSession (3)
Redirect if necessary

Now to “Other Pages”
Example: simple one-page web app. Three things to examine:
- Does the user have an application session?
- Is the user’s session fresh enough?
- Is the user authorized?

Other Page – Check for Session

Other Page – Check Timestamp

Other Page – Check Authorization
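The ShibSession class described above and the three checks each "other page" performs, as one added example (not the ShibSession.cs from the presentation). It assumes a ShibUserData class with the properties the slides list, an SP-protected authorize.aspx, and a one-hour application timeout chosen to be shorter than the SP's; the intended destination is recorded server-side from the request path, never taken from user input, so redirecting to it later is not an open redirect.

```csharp
using System;
using System.Web;

// Added example, not the presentation's ShibSession.cs; assumes a ShibUserData class and an
// SP-protected authorize.aspx. MaxAge is the application's own timeout, shorter than the SP's.
public sealed class ShibSession
{
    private const string Key = "ShibSession";                        // the only hard-coded session key
    private static readonly TimeSpan MaxAge = TimeSpan.FromHours(1); // SP default is 8 hours

    public ShibUserData User { get; set; }
    public DateTime LoginTime { get; set; }
    public string IntendedDestination { get; set; }   // set server-side from RawUrl, never from user input
    public bool AuthZnormal { get; set; }
    public bool AuthZsuper { get; set; }

    public static ShibSession Current { get { return HttpContext.Current.Session[Key] as ShibSession; } }
    public bool IsFresh { get { return DateTime.UtcNow - LoginTime < MaxAge; } }

    // Authorize page: store the freshly read user and AuthZ results, keeping any saved destination.
    public static ShibSession Start(ShibUserData user, bool authZnormal, bool authZsuper)
    {
        ShibSession prior = Current;
        var s = new ShibSession { User = user, LoginTime = DateTime.UtcNow, AuthZnormal = authZnormal,
            AuthZsuper = authZsuper, IntendedDestination = prior == null ? null : prior.IntendedDestination };
        HttpContext.Current.Session[Key] = s;
        return s;
    }

    // Other pages: call first in Page_Load; true means the page may render.
    public static bool Require(HttpContext ctx, bool needSuper)
    {
        ShibSession s = ctx.Session[Key] as ShibSession;
        if (s == null || s.User == null || !s.IsFresh)        // 1. session exists?  2. fresh enough?
        {
            ctx.Session[Key] = new ShibSession { IntendedDestination = ctx.Request.RawUrl };
            ctx.Response.Redirect("~/authorize.aspx", false);  // SP re-authenticates; with SSO usually no prompt
            ctx.ApplicationInstance.CompleteRequest();
            return false;
        }
        if (!s.AuthZnormal || (needSuper && !s.AuthZsuper))   // 3. authorized?
        {
            ctx.Response.StatusCode = 403;
            ctx.Response.SuppressContent = true;
            ctx.ApplicationInstance.CompleteRequest();
            return false;
        }
        return true;
    }
}
```

On authorize.aspx, after your AuthZ lookup, call `ShibSession.Start(new ShibUserData(Request.Headers), ok, isSuper)` and then redirect to `ShibSession.Current.IntendedDestination ?? "~/default.aspx"`; on every other page, `if (!ShibSession.Require(Context, false)) return;` at the top of Page_Load.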

Demo
- http://wsnetdev2.colostate.edu/cwis262/ShibbolethPDI/
- Default page is default.aspx
- Authorize page is authorize.aspx

Resources
- Joe Volesky for Shibboleth-protecting a file on WSNETDEV2/WSNET2
- Files used in this demo: ShibUserData.cs and ShibSession.cs; Authorize.aspx, Authorize.aspx.cs; Default.aspx, Default.aspx.cs
- Web sites: shibboleth.net and wiki.shibboleth.net
- http://stackoverflow.com/questions/621549/how-to-access-session-variables-from-any-class-in-asp-net

Questions?