Shibboleth Service Providers: Technical Requirements and Considerations or How I Spent My Winter/Spring/Summer Vacation Scott Cantor cantor.2@osu.edu Copyright.

Shibboleth Service Providers: Technical Requirements and Considerations or How I Spent My Winter/Spring/Summer Vacation Scott Cantor cantor.2@osu.edu Copyright Scott Cantor 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Getting Started
- GPG-signed source and Win32 binaries at https://wayf.internet2.edu/shibboleth/
- Source: opensaml-1.0.tar.gz, shibboleth-1.2.tar.gz
  - Read doc/INSTALL.txt in each thoroughly for build assistance, common problems, and compiler notes
- Binaries: win32/shibboleth-1.2-win32.exe
  - Additional Windows binaries for other libraries, MySQL, and Apache 1.3 and 2.0
5/11/2019 2

Current Build/Install Issues
UNIX
- Some packages may install uncleanly on non-GNU/Linux platforms.
- "make install" will overwrite configuration files.
Windows
- Installer modifies the path; rebooting is normally required.
- Uninstaller can remove files but will leave behind environment changes and the SHAR service.
- mod_shib_13.so and mod_shib_20.so are built against the Apache packages on the web site and are unlikely to work with an arbitrary install.

Out of the Box
- Installs in a hybrid configuration supporting the InQueue sample IdPs and a "localhost" IdP matching the default configuration of the origin.
- Uses a dummy key pair named "localhost", which allows the default install on both ends to run on a single server.
- The advanced deployment session will discuss PKI configuration and naming issues.

Service Provider Architecture (slide diagram; only the labels survive): INTERNAL / EXTERNAL boundary; ARP; <Requester>; Web Resources; Shibboleth Application(s); <RequestMap>; providerId; Service Provider(s); "Unit of Access Control"; "Unit of Session Management and Configuration".

What is a Service Provider?
- A collection of resources that share a common set of requirements for user attributes
- The unit of policy in attribute release by IdPs
- The entity to whom assertions are issued by IdPs
Key Requirements:
- Choose a providerId, a unique (URI) name for your service; a good choice is an https:// URL controlled by the SP's organization, e.g. https://jstor.org/shibboleth
- Publish metadata about your SP that can be used by partners or incorporated by federations for use by IdPs

Service Provider Metadata

  <SiteGroup Name="urn:mace:inqueue" xmlns="urn:mace:shibboleth:1.0">
    <DestinationSite Name="urn:mace:inqueue:example.edu">
      <Alias>Example State Service Provider</Alias>
      <Contact Type="technical" Name="InQueue Support" Email="inqueue-support@internet2.edu"/>
      <AssertionConsumerServiceURL Location="https://wayf.internet2.edu/Shibboleth.shire"/>
      <AttributeRequester Name="wayf.internet2.edu"/>
    </DestinationSite>
  </SiteGroup>

Service Provider Metadata
- 1.2 introduces a limited set of metadata required from SPs to properly interact with 1.2 origins.
- 1.3 is expected to support both the older format and the SAML 2.0 metadata format, which includes the ability to publish descriptions of attribute-consuming services within an SP.
- Some metadata may be general, some may be partner-specific, but the format should be consistent.
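As an added example (not from the slides or the Shibboleth code base), the following Python parses SP metadata in the 1.2 SiteGroup format shown above and applies the checks an IdP operator would want before loading it; the sample metadata is constructed (the second DestinationSite has deliberate defects), and the check rules are this example's own assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "{urn:mace:shibboleth:1.0}"

# Constructed sample with the same structure as the slide's SiteGroup metadata;
# the second DestinationSite is deliberately defective to exercise the checks.
SAMPLE_METADATA = """<SiteGroup Name="urn:mace:inqueue" xmlns="urn:mace:shibboleth:1.0">
  <DestinationSite Name="urn:mace:inqueue:example.edu">
    <Alias>Example State Service Provider</Alias>
    <Contact Type="technical" Name="InQueue Support" Email="inqueue-support@internet2.edu"/>
    <AssertionConsumerServiceURL Location="https://wayf.internet2.edu/Shibboleth.shire"/>
    <AttributeRequester Name="wayf.internet2.edu"/>
  </DestinationSite>
  <DestinationSite Name="badsite">
    <AssertionConsumerServiceURL Location="http://sp.example.org/Shibboleth.shire"/>
  </DestinationSite>
</SiteGroup>"""


def parse_sites(xml_text):
    """Map each DestinationSite Name (the SP's providerId) to its published details."""
    root = ET.fromstring(xml_text)
    sites = {}
    for site in root.findall(NS + "DestinationSite"):
        sites[site.get("Name")] = {
            "alias": site.findtext(NS + "Alias"),
            "acs": [a.get("Location") for a in site.findall(NS + "AssertionConsumerServiceURL")],
            "requesters": [r.get("Name") for r in site.findall(NS + "AttributeRequester")],
        }
    return sites


def check_site(provider_id, site):
    """Return the problems found with one entry (an empty list means it passed).
    These rules are this example's assumptions about what an IdP should insist on."""
    problems = []
    if not urlparse(provider_id).scheme:          # providerId must be a URI (urn: or https:)
        problems.append("providerId is not a URI")
    if not site["acs"]:
        problems.append("no AssertionConsumerServiceURL")
    for url in site["acs"]:                       # assertions are POSTed here, so require TLS
        if urlparse(url).scheme != "https":
            problems.append("non-https AssertionConsumerServiceURL: " + url)
    if not site["requesters"]:                    # needed to authenticate the SP's attribute queries
        problems.append("no AttributeRequester name")
    return problems


def audit(xml_text):
    """Return {providerId: [problems]} for every DestinationSite in the SiteGroup."""
    return {pid: check_site(pid, s) for pid, s in parse_sites(xml_text).items()}
```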

Attributes
- Shibboleth (the project) is involved in standardizing attributes and semantics, along with related efforts such as InCommon.
- Shibboleth (the software) knows nothing about specific attributes or semantics, except:
  - It encourages use of unique single-part naming of attributes via URIs.
  - SAML attribute values can be arbitrary XML; simplifying this requires some assumptions.

Attribute Types
Built-in support for Simple and Scoped Attributes
Simple:
- string-valued
- atomic serialization
- filtering based solely on value
- e.g. eduPersonEntitlement, eduPersonAffiliation, sn, givenName
Scoped:
- compound serialization (value@scope)
- filtering based on value and/or scope
- e.g. eduPersonPrincipalName, eduPersonScopedAffiliation, eduPersonTargetedID

Attribute Examples: eduPersonPrincipalName, eduPersonTargetedID
eduPersonPrincipalName
- Non-privacy-preserving persistent user identifier
- Apps maintaining user lists that migrate to EPPN can be instantly Shib-aware
eduPersonTargetedID
- Currently an attribute: a privacy-preserving persistent user identifier modeled on Liberty
- Likely becomes an alternate SAML NameIdentifier format in 2.0

Attribute Examples: eduPersonScopedAffiliation, eduPersonEntitlement
eduPersonScopedAffiliation
- Small set of values scoped/contextualized to a DNS-style subdomain
- Could be considered a role expression, with the roles derived from eduPersonAffiliation and the group derived from the scope (e.g. student@law.osu.edu)
eduPersonEntitlement
- Usually represents the result of an authorization policy applied by the IdP and asserted directly to the SP
- Useful but seductive
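As an added example (not the SP's own attribute acceptance code), the following Python applies the two filtering rules described on the Attribute Types and Attribute Examples slides to stringized attributes: simple attributes are filtered by value, scoped attributes are split at the last "@" and filtered by scope and value. The vocabulary tables, the per-IdP permitted-scope table keyed by providerId, and the IdP and user values are all constructed for this example.

```python
# Simple (value-only) attributes; None means any value is accepted.
SIMPLE_ALLOWED = {
    "eduPersonAffiliation": {"faculty", "student", "staff", "employee", "member", "affiliate", "alum"},
    "eduPersonEntitlement": None,
    "sn": None,
}
# Scoped attributes arrive as value@scope; scopedAffiliation's value part must also be a valid affiliation.
SCOPED_VALUE_ALLOWED = {
    "eduPersonPrincipalName": None,
    "eduPersonScopedAffiliation": SIMPLE_ALLOWED["eduPersonAffiliation"],
    "eduPersonTargetedID": None,
}
# Constructed per-IdP table (assumption): which scopes each IdP, by providerId, may assert.
IDP_SCOPES = {"urn:mace:inqueue:osu.edu": {"osu.edu", "law.osu.edu"}}


def split_scoped(text):
    """Split 'value@scope' on the last '@'; returns None if either part is missing."""
    value, sep, scope = text.rpartition("@")
    if not sep or not value or not scope:
        return None
    return value, scope.lower()


def filter_attributes(idp, attrs):
    """attrs: {name: [stringized values]}. Returns (accepted, rejected); rejected = (name, value, reason)."""
    accepted, rejected = {}, []
    scopes = IDP_SCOPES.get(idp, set())          # an IdP with no entry may assert no scoped values
    for name, values in attrs.items():
        for v in values:
            if name in SCOPED_VALUE_ALLOWED:
                parsed = split_scoped(v)
                allowed = SCOPED_VALUE_ALLOWED[name]
                if parsed is None:
                    reason = "not in value@scope form"
                elif parsed[1] not in scopes:
                    reason = "scope not permitted for this IdP"
                elif allowed is not None and parsed[0] not in allowed:
                    reason = "value not in vocabulary"
                else:
                    reason = None
            elif name in SIMPLE_ALLOWED:
                allowed = SIMPLE_ALLOWED[name]
                reason = None if allowed is None or v in allowed else "value not in vocabulary"
            else:
                reason = "unknown attribute"
            if reason is None:
                accepted.setdefault(name, []).append(v)
            else:
                rejected.append((name, v, reason))
    return accepted, rejected
```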

Writing Shibboleth Applications
Does Shibboleth have an API? You can:
- Programmatically request authentication
- Access the raw SAML attribute assertion
- Access the user's IdP's providerId
- Access the SAML AuthenticationMethod URI
- Access the individual SAML attributes in stringized form
- Works from any language ;-)
For many applications, no Shibboleth-specific coding is necessary.

Writing Shibboleth Applications
What's Different?
- WAYF issues
- Reliance on authentication as authorization rapidly falls apart
- Shibboleth sessions: here to help you
- Most deployments must deal with the implications of user privacy controls: assume nothing, fail gracefully

Use of PKI
Service Providers use keys for distinct purposes:
- SSL server for user interactions (out of scope)
- SSL client authentication on attribute queries
- Digitally signing SAML requests (FUTURE)
- Receiving wrapped encryption keys to decrypt XML (FUTURE)
Different federations or IdPs MAY require different certificates be used.
SP metadata identifies (by name) the keys used by an SP so an IdP can authenticate them.

Use of PKI
Service Providers must:
- Verify XML signatures created by IdPs
- Validate SSL server certificates to authenticate IdPs
Signature verification keys and CA lists MAY depend on the IdP or federation.
IdP metadata identifies (by name) the keys used by an IdP so an SP can authenticate them.
A Trust Provider is a pluggable SP (and soon IdP) component that decides how to validate signed messages and SSL certificates.
Metadata says "use key Foo"; Trust says "validate key Foo with CA Bar".

1.2 Component Model (slide diagram; only the labels survive): Shibboleth Core; OpenSAML; Protocol Engine; Metadata; Trust; Credentials; SP Core; IdP Core; Attribute Resolver; ARP Engine; NameID Resolver; Authentication Authority (HS); Attribute Authority (AA); Attribute Filtering; Access Control; Session Cache; mod_shib, isapi_shib, etc.; Protocol Engine.

1.2 Pluggable C++ Interfaces
- Metadata
- Trust
- Revocation
- Credentials
- Attribute Acceptance Filtering
- Configuration
- SHAR Listener (remains too RPC-centric)
- Session Cache
- Request Mapping
- Access Control