Hosting a SAML-protected Web Site in Microsoft Azure Eric Kool-Brown Software Engineer University of Washington IT

SAML in Azure - Windows in Higher Ed2 A SAML Protected Web Site

SAML in Azure - Windows in Higher Ed3

SAML: what is it? Security Assertion Markup Language and much more A token format (using this language) A set of authentication protocols A set of bindings for the transfer of the protocol elements A set of OASIS specifications ratified in 2005 SAML in Azure - Windows in Higher Ed4

Some Terminology SAMLP – used to differentiate the protocol from the token format Service Provider – a protected web site, a.k.a. Relying Party IdP – identity provider, a.k.a. security token service Shibboleth – the community-developed reference implementation of SAML SAML in Azure - Windows in Higher Ed5

6

7

8

9 Lots of Options!

Options, We’ve Got Options Upload your Shibboleth SP VHD as an Azure VM –Could be either Linux or Windows Host WIF web app in an Azure web site and use ADFS as a protocol translator Use WIF and the SAMLP CTP extension Host Shibboleth SP as an Azure cloud service SAML in Azure - Windows in Higher Ed10

Azure Virtual Machine Use an MS-supplied OS image or upload your own (Linux or Windows) –If the former, upload web app remotely –If the latter, can configure locally, then upload the entire VHD VM bits stored in triple redundant Azure blob storage Scaling up requires manual configuration SAML in Azure - Windows in Higher Ed11

Azure VM Details Windows OS licensing: monthly cost of using MS-supplied Windows image includes OS licensing fee DNS needs to be configured in Azure; you supply a validated DNS name and Azure supplies the VIP for that name Adding instances for scaling requires manual configuration Ditto for monitoring SAML in Azure - Windows in Higher Ed12

Azure Web Sites Write web app in Visual Studio and deploy to Azure from VS Use WIF to “claims enable” your web app via its support for WS-Federation –WIF does not support SAMLP Use AD FS to translate from WS- Federation to SAMLP Azure handles scaling to add instances and configures load balancing SAML in Azure - Windows in Higher Ed13

Add a Cloud Web App Project SAML in Azure - Windows in Higher Ed14

Configure the Project SAML in Azure - Windows in Higher Ed15

Configure WS-Fed SAML in Azure - Windows in Higher Ed16

Sign-in to Azure SAML in Azure - Windows in Higher Ed17

Publish to Azure SAML in Azure - Windows in Higher Ed18

AD FS as a Protocol Translator SAML in Azure - Windows in Higher Ed19

Azure Web Sites Redux MS released a CTP extension to WIF 4.0 that supported SAMLP May be NLA and is certainly not supported by MS One UW web application in production using this CTP WIF 4.5 re-architected, the CTP won’t work with it (and claims-based web apps need to be re-written) SAML in Azure - Windows in Higher Ed20

Azure Cloud Service Web roles and worker roles Web role much more configurable than an Azure web site Shibboleth SP can be automatically installed using a startup script See my blog posts starting with g-a-shibboleth-sp-web-site-in-azure-part-1/ g-a-shibboleth-sp-web-site-in-azure-part-1/ SAML in Azure - Windows in Higher Ed21

Create a Cloud Service Project SAML in Azure - Windows in Higher Ed22

Add Roles to the Service SAML in Azure - Windows in Higher Ed23

Choose the Type of Web App SAML in Azure - Windows in Higher Ed24

Config and Definition Files SAML in Azure - Windows in Higher Ed25

Shibboleth SP Install Task SAML in Azure - Windows in Higher Ed26

Shib SP Files in Project SAML in Azure - Windows in Higher Ed27

SAML in Azure - Windows in Higher Ed28 echo calling msiexec to run the Shib MSI >> %temp%\install-shib.txt 2>&1 msiexec.exe /i Shibboleth-SP\shibboleth-sp win64.msi /quiet /L*v %temp%\shib-msi.txt /norestart echo calling xcopy to copy the config files >> %temp%\install-shib.txt 2>&1 xcopy /y /q Shibboleth-SP\*.xml c:\opt\shibboleth-sp\etc\shibboleth xcopy /y /q Shibboleth-SP\*.pem c:\opt\shibboleth-sp\etc\shibboleth xcopy /y /q "%systemdrive%\Program Files\Shibboleth\SP\lib\*.dll" c:\opt\shibboleth-sp\lib64\shibboleth echo calling appcmd to add the ISAPI handler >> %temp%\install-shib.txt 2>&1 %windir%\System32\inetsrv\appcmd.exe set config /section:handlers /+[name='ShibbolethSP',path='*.sso',verb='*',modules='IsapiModule',scriptProcessor='C:\opt\shibboleth-sp\ lib64\shibboleth\isapi_shib.dll',requireAccess='Script',responseBufferLimit='0'] echo calling appcmd to add the ISAPI filter >> %temp%\install-shib.txt 2>&1 %windir%\System32\inetsrv\appcmd set config /section:isapiFilters /+[name='Shibboleth',path='C:\opt\shibboleth-sp\ lib64\shibboleth\isapi_shib.dll',preCondition='bitness64'] echo calling appcmd to remove the ISAPI filter restriction >> %temp%\install-shib.txt 2>&1 %windir%\System32\inetsrv\appcmd set config /section:isapiCgiRestriction /+[path='C:\opt\shibboleth-sp\ lib64\shibboleth\isapi_shib.dll',description='ShibbolethWebServiceExtension',allowed='True'] echo calling icacls to grant User execute to the Shib folders so the ISAPI filter will load >> %temp%\install-shib.txt 2>&1 icacls c:\opt /grant "Users":(OI)(CI)(RX) echo calling icacls to grant NetworkService write to the Shib logging folder so the ISAPI filter can log >> %temp%\install-shib.txt 2>&1 icacls c:\opt\shibboleth-sp\var\log\shibboleth /grant "NetworkService":(OI)(CI)(RX,M) echo restarting the Shib service to pick up the config changes >> %temp%\install-shib.txt 2>&1 net stop shibd_Default net start shibd_Default

Publishing SAML in Azure - Windows in Higher Ed29 Similar to publishing an Azure web app from Visual Studio Takes longer to start due to time taken to install the Shib SP The install script is re-run each time an instance is spun up

Questions? SAML in Azure - Windows in Higher Ed30

Links SAML in Azure - Windows in Higher Ed31 Series of 5 blog posts on hosting a Shib SP in Azure: part-1/ part-1/ Test web site: Note that it is using a self-signed cert, so be prepared for browser warningshttps://uwshibsp.cloudapp.net/ Azure Portal: Azure Site-to-Site VPN: us/library/azure/dn aspxhttp://msdn.microsoft.com/en- us/library/azure/dn aspx Azure VPN Walkthrough: walkthrough/ (from 2012) walkthrough/ Azure Load Balancer: us/library/azure/dn aspx (VMs can have multiple "endpoints") us/library/azure/dn aspx Example of confusion between SAML token format and SAML protocol: foundation-does-not-officially-support-saml-2-0-use-wif-ctp-orhttp://stackoverflow.com/questions/ /windows-identity- foundation-does-not-officially-support-saml-2-0-use-wif-ctp-or

The University of Washington is one of the world’s preeminent universities and a recognized leader in educating the next generation of leaders, thinkers and doers. A multi-campus institution comprising UW Seattle, UW Tacoma and UW Bothell, as well as a world-class academic medical center, the UW is a focal point of the Puget Sound region’s intellectual and cultural life and a key contributor to Washington’s increasingly global reputation as a center of innovation and change. A progressive and quintessentially Northwest institution with a uniquely innovative and creative culture, the UW is driven to lead by successfully integrating the full assets of the university and its rich environs to address key issues of pressing human concern that make a lasting difference in the Northwest and around the world. SAML in Azure - Windows in Higher Ed32