Sicurezza II, A.A. 2011/2012 SAML Speaker: André Panisson, PhD student Università degli Studi di Torino, Computer Science Department Corso Svizzera, 185.


SAML
Speaker: André Panisson, PhD student
Università degli Studi di Torino, Computer Science Department
Corso Svizzera, 185 – 10149, Torino, Italy

Security Assertion Markup Language
o XML-based open standard for exchanging authentication and authorization data between security domains
o Identity Provider (IdP)
o Service Provider (SP)

SimpleSAMLphp
o SAML implementation written in PHP
o Provides support for:
  SAML 2.0 as a Service Provider
  SAML 2.0 as an Identity Provider
  Shibboleth 1.3
  A-Select, CAS, OpenID, WS-Federation and OAuth

Requirements
o Apache
o For our purposes PHP must also be built with support for:
  libxml
  openssl
  zlib
  ldap

Download and installation
o Download the release and unpack it:
  tar -xvzf simplesamlphp tar.gz
o The samlidp directory will hold the Identity Provider:
  cp -R simplesamlphp $HOME/samlidp
o The samlsp directory will hold the Service Provider:
  cp -R simplesamlphp $HOME/samlsp

Apache Configuration
WARNING: When running an IdP and an SP on the same computer, the SP and the IdP MUST be configured with different hostnames. This prevents cookies from the SP from interfering with cookies from the IdP.
o Uncomment the following line in apache/conf/httpd.conf:
  Include conf/extra/httpd-vhosts.conf

Apache Configuration
o Edit the file apache/conf/extra/httpd-vhosts.conf and add the two virtual hosts below (the "…" parts of the paths, the admin addresses and the second host's name are omitted on the slide):
  # IdP host: served under the "localhost" name
  <VirtualHost *:80>
      ServerAdmin …
      DocumentRoot "/usr/home/…/apache/htdocs/localhost"
      ServerName localhost
      ServerAlias localhost
      ErrorLog "logs/localhost-error_log"
      CustomLog "logs/localhost-access_log" common
      Alias /samlidp /usr/home/…/samlidp/www
      <Directory /usr/home/…/samlidp/www>
          Order allow,deny
          Allow from all
      </Directory>
  </VirtualHost>
  # SP host: a different hostname, so its cookies never collide with the IdP's
  <VirtualHost *:80>
      ServerAdmin …
      DocumentRoot "/usr/home/…/apache/htdocs/loopback"
      ServerName …
      ServerAlias …
      ErrorLog "logs/loopback-error_log"
      CustomLog "logs/loopback-access_log" common
      Alias /samlsp /usr/home/…/samlsp/www
      <Directory /usr/home/…/samlsp/www>
          Order allow,deny
          Allow from all
      </Directory>
  </VirtualHost>

Identity Provider
o Copy some required config files:
  cp samlidp/modules/sanitycheck/config-templates/config-sanitycheck.php samlidp/config/
o Edit samlidp/config/config.php and change the following values:
  'baseurlpath' => 'samlidp/',
  'tempdir' => '/tmp/samlidp',
  'auth.adminpassword' => 'your_password',
  'technicalcontact_email' => 'your_email',

Identity Provider
o Enabling the Identity Provider functionality:
  This is done by editing samlidp/config/config.php. The options enable.saml20-idp and enable.shib13-idp control whether SAML 2.0 and Shibboleth 1.3 support is enabled. Enable one or both of them by assigning true:
  'enable.saml20-idp' => true,
  'enable.shib13-idp' => true,

Identity Provider
o Configuring the authentication module:
  The exampleauth:UserPass authentication module is part of the exampleauth module. This module isn't enabled by default, so you will have to enable it. This is done by creating a file named enable in samlidp/modules/exampleauth/:
  touch samlidp/modules/exampleauth/enable

Identity Provider
o Configuring the authentication module:
  The next step is to create an authentication source with this module. Configuration for authentication sources can be found in samlidp/config/authsources.php. Uncomment the following entry:
  'example-userpass' => array(
      'exampleauth:UserPass',
      // 'username:password' => attributes released for that user
      'student:studentpass' => array(
          'uid' => array('test'),
          'eduPersonAffiliation' => array('member', 'student'),
      ),
      'employee:employeepass' => array(
          'uid' => array('employee'),
          'eduPersonAffiliation' => array('member', 'employee'),
      ),
  ),
  If you add other entries to these arrays, they will be released as attributes:
  'student:studentpass' => array(
      'uid' => array('test'),
      'name' => array('Pippo'),
      'eduPersonAffiliation' => array('member', 'student'),
  ),

Identity Provider
o Configuring the IdP:
  The IdP is configured by the metadata stored in samlidp/metadata/saml20-idp-hosted.php and samlidp/metadata/shib13-idp-hosted.php. Keep them untouched!

Identity Provider
o Test it! Access

Service Provider
o Copy some required config files:
  cp samlsp/modules/sanitycheck/config-templates/config-sanitycheck.php samlsp/config/
o Edit samlsp/config/config.php and change the following values:
  'baseurlpath' => 'samlsp/',
  'tempdir' => '/tmp/samlsp',
  'auth.adminpassword' => 'your_password',
  'technicalcontact_email' => 'your_email',

Service Provider
o The SP is configured by an entry in samlsp/config/authsources.php:
  // An authentication source which can authenticate against both SAML 2.0
  // and Shibboleth 1.3 IdPs.
  'default-sp' => array(
      'saml:SP',
      // The entity ID of this SP.
      // Can be NULL/unset, in which case an entity ID is generated based on the metadata URL.
      'entityID' => NULL,
      // The entity ID of the IdP this SP should contact.
      // Can be NULL/unset, in which case the user will be shown a list of available IdPs.
      'idp' => NULL,
      // The URL to the discovery service.
      // Can be NULL/unset, in which case a builtin discovery service will be used.
      'discoURL' => NULL,
  ),

Adding IdPs to the SP
o The service provider you are configuring needs to know about the identity providers you are going to connect to it
o This is configured by metadata stored in samlsp/metadata/saml20-idp-remote.php and samlsp/metadata/shib13-idp-remote.php
o You will have to add the identity provider metadata to your configuration file
o You can find the metadata by going to your identity provider:
  Open the IdP's web interface
  Go to the tab "Federation" and find the section entitled "SAML 2.0 IdP Metadata"
  Click on "Show metadata"
  Copy the PHP code for the metadata into samlsp/metadata/saml20-idp-remote.php

Adding SPs to the IdP
o The identity provider you are configuring also needs to know about the service providers you are going to connect to it
o This is configured by metadata stored in samlidp/metadata/saml20-sp-remote.php and samlidp/metadata/shib13-sp-remote.php
o You will have to add the service provider metadata to your configuration file
o You can find the metadata by going to your service provider:
  Open the SP's web interface
  Go to the tab "Federation" and find the section entitled "SAML 2.0 SP Metadata"
  Click on "Show metadata"
  Copy the PHP code for the metadata into samlidp/metadata/saml20-sp-remote.php
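The Federation tab hands you a ready-made PHP array, so it is easy to paste it without seeing what the other side will actually rely on. The script below is an added example (not part of the course slides or of SimpleSAMLphp): it parses the raw SAML 2.0 IdP metadata XML, pulls out the fields that array carries (entity ID, SSO and SLO endpoints with their bindings, the signing certificate) and rejects metadata that cannot serve as a trust anchor, for instance one with no signing certificate. The metadata document is constructed for the example; its endpoint paths mimic a SimpleSAMLphp IdP (assumed) and the certificate text is a placeholder, not a real certificate.

```python
"""Parse SAML 2.0 IdP metadata and extract what an SP needs to trust the IdP.
Added example (not part of the course slides or of SimpleSAMLphp).
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata. Endpoint paths mimic a SimpleSAMLphp IdP
# (assumed); the X509Certificate content is a placeholder, not a real certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://localhost/samlidp/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBCONSTRUCTEDSAMPLE
        NOTAREALCERTIFICATE
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost/samlidp/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost/samlidp/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the trust-relevant fields of one IdP EntityDescriptor.

    Raises ValueError when the document cannot serve as IdP metadata
    (wrong root element, no IDPSSODescriptor, no SSO endpoint, no signing cert).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity does not act as an IdP")

    info = {
        "entityid": root.get("entityID"),
        "SingleSignOnService": [],
        "SingleLogoutService": [],
        "certData": [],   # base64 DER with whitespace stripped, as pasted into metadata
        "warnings": [],
    }
    for service in ("SingleSignOnService", "SingleLogoutService"):
        for ep in idp.findall("md:" + service, NS):
            binding, location = ep.get("Binding"), ep.get("Location")
            info[service].append({"Binding": binding, "Location": location})
            if not location.startswith("https://"):
                # Acceptable on the lab machine; in production the browser carries
                # the AuthnRequest and the assertion over these endpoints.
                info["warnings"].append("%s endpoint is not https: %s" % (service, location))
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute is valid for signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            info["certData"].append("".join((cert.text or "").split()))

    if not info["SingleSignOnService"]:
        raise ValueError("no SingleSignOnService endpoint")
    if not info["certData"]:
        raise ValueError("no signing certificate: the SP could not verify assertion signatures")
    return info


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(key, value)
```

The returned keys are named after the fields of the remote-metadata entry (entity ID, SingleSignOnService, SingleLogoutService, certData), so the output can be compared line by line with the PHP array the Federation tab shows before it is pasted.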

Test the SP and IdP
o Go to your Service Provider:
o Go to the tab "Authentication" and click on "Test configured authentication sources"
o Click on "default-sp"
o Select the identity provider you configured in the previous steps
o Log in using the identity provider credentials

SAML Web App
o Create an application that uses SAML for authentication. Example script, protected.php:
  <?php
  require_once('/.../.../samlsp/lib/_autoload.php');
  $as = new SimpleSAML_Auth_Simple('default-sp');
  $as->requireAuth();                  // redirects to the IdP if there is no SP session yet
  $attributes = $as->getAttributes();  // attributes released by the IdP, each a list of values
  $uid = $attributes['uid'][0];
  ?>
  Welcome, <?php echo htmlspecialchars($uid, ENT_QUOTES, 'UTF-8'); ?>

Logging
o In both the Service Provider and the Identity Provider, edit config/config.php and change the following values:
  'debug' => TRUE,
  'logging.level' => LOG_DEBUG,
  'logging.handler' => 'file',
o Check the logs under the log directory
o Use this tool to decode assertions (if encoded):

Logging
o Log in to the previously created Web Application (protected.php) using the local Identity Provider
o Check the log and extract the assertions
o Check which data is available in the assertion:
  ID
  Issuer
  Subject
  Conditions
  Statements
  … (refer to the classroom lessons)
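Once the assertion is out of the log, the script below, an added example that is not part of the course slides or of SimpleSAMLphp, shows what to look at in the fields the slide lists: it decodes the base64 SAMLResponse as the SP logs it, pulls out ID, Issuer, Subject, Conditions and the attribute statement, and records every reason an SP would have to reject the assertion (non-Success status, validity window with a small clock skew, audience that does not name this SP). The Response is constructed; the SP host 127.0.0.1 is assumed and the module.php/saml/sp/... paths mimic SimpleSAMLphp's default-sp endpoints. Signature verification is deliberately left out here, since it belongs to the SP library that owns the IdP's certificate.

```python
"""Decode a logged SAML 2.0 Response and inspect its assertion.
Added example (not part of the course slides or of SimpleSAMLphp).
"""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample. The SP host (127.0.0.1) is assumed; the module.php/saml/sp/...
# paths mimic SimpleSAMLphp's default-sp endpoints. No XML signature is included.
SP_ENTITY_ID = "http://127.0.0.1/samlsp/module.php/saml/sp/metadata.php/default-sp"
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp_constructed" Version="2.0" IssueInstant="2012-05-10T10:00:00Z"
    Destination="http://127.0.0.1/samlsp/module.php/saml/sp/saml2-acs.php/default-sp">
  <saml:Issuer>http://localhost/samlidp/saml2/idp/metadata.php</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assertion_constructed" Version="2.0" IssueInstant="2012-05-10T10:00:00Z">
    <saml:Issuer>http://localhost/samlidp/saml2/idp/metadata.php</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7f3a</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2012-05-10T09:59:30Z" NotOnOrAfter="2012-05-10T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://127.0.0.1/samlsp/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2012-05-10T10:00:00Z" SessionIndex="_sess_constructed">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="eduPersonAffiliation">
        <saml:AttributeValue>member</saml:AttributeValue>
        <saml:AttributeValue>student</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
# What the SP debug log shows: the SAMLResponse POST parameter, base64-encoded.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")


def decode_logged_response(b64_text):
    """Turn the base64 SAMLResponse copied from the log back into XML text."""
    return base64.b64decode(b64_text).decode("utf-8")


def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing Z; fractional seconds are dropped."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def inspect_response(xml_text, expected_audience, now, skew=timedelta(seconds=60)):
    """Extract ID, Issuer, Subject, Conditions and attributes from the first assertion
    and list every condition under which the SP would have to reject it."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion must be decrypted with the SP key before inspection.
        raise ValueError("no plaintext saml:Assertion in the Response")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        conditions = ET.Element("missing")  # no window and no audience: flagged below
    info = {
        "status": status,
        "id": assertion.get("ID"),
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": conditions.get("NotBefore"),
        "not_on_or_after": conditions.get("NotOnOrAfter"),
        "audiences": [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)],
        "attributes": {},
        "problems": [],
    }
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        info["attributes"][attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]

    if status != STATUS_SUCCESS:
        info["problems"].append("status is not Success: " + status)
    if info["not_before"] and now + skew < parse_saml_time(info["not_before"]):
        info["problems"].append("assertion not yet valid")
    if info["not_on_or_after"] and now - skew >= parse_saml_time(info["not_on_or_after"]):
        info["problems"].append("assertion expired")
    if expected_audience not in info["audiences"]:
        info["problems"].append("audience does not include this SP")
    return info
```

Run it against a real log entry by passing the base64 text to decode_logged_response, the SP's own entity ID as expected_audience and the current UTC time as now; an empty problems list means the assertion would have passed the time and audience checks, while the attributes dict is exactly what protected.php sees in getAttributes().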

SAML Open IdPs and SPs
o Some open SAML Identity Providers
o SAML Service Providers
  Google Apps ( ce_implementation.html)
o Exercise: add SSOCircle as Identity Provider

SAML
Speaker: André Panisson, PhD student
Università degli Studi di Torino, Computer Science Department
Corso Svizzera, 185 – 10149, Torino, Italy
Thanks for your attention!

© 2009 by André Panisson. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.