UK e-Science All Hands Meeting, September 2007

The GLASS Project: Supporting Secure Shibboleth-based Single Sign-On to Campus Resources
John Watt, Richard Sinnott, Jipu
University of Glasgow, Scotland, UK

GLASS
“Implementing Single Sign-On and VO Management in e-Health and e-Learning domains at Glasgow using Shibboleth”
- 1 year JISC project (Dec ’05 – Dec ’06)
- In partnership with NHS Scotland
- GLASgow early adoption of Shibboleth

Federated Trust
Local authentication infrastructures are vital, e.g. campus student directories
- Support existing infrastructures (e.g. registration, human resources)
  - Users will normally have enrolled IN PERSON at the institution, with standard identity documents (birth certificate, exam results)
  - Users will be (reasonably) well known by local staff
Also the Regional Operators for a CA
- Required decentralisation of credential verification due to travel/time restrictions
  - A national CA would be impossible without this
Remote authentication information will always be out of date
Users don’t want to have to learn lots of usernames/passwords

Federated Trust
The best entity to authenticate a person is their home institution/company
- Their information will be up to date
- They will always know a person better than a remote site does
- A remote site may not know whether a user is still valid (still enrolled, still employed)
Can we utilise a user’s home credentials to access remote resources?

Campus Authentication
Novell NSure: the unified account management system at the University of Glasgow
- Central authentication method for the campus
- The system may be queried over an LDAP connection
- Production system!
- Custom schema: standard object classes plus Novell definitions
- NOTE: the ‘uid’ attribute is guaranteed unique for every user on the system, so it can be used as a database linking attribute (could come in handy…)

Shibboleth
Federated authentication system using SAML for the secure conversation between parties
Enables Single Sign-On to web pages and portals
Authentication is done by the user’s home institution: the Identity Provider (Origin)
Authorisation (and access) is done by the resource: the Service Provider (Target)

Shibboleth login to a Grid portal (diagram: User; Grid Portal hosting the Application, the Service Provider and the Authz function; Home Institution Identity Provider; Federation WAYF)
1. User points their browser at the portal
2. Shibboleth (the SP) redirects the user to the W.A.Y.F. (Where Are You From) service
3. User selects their home institution
4. AUTHENTICATE: the home IdP confirms the user ID against its local LDAP and pushes attributes to the Service Provider
5. The portal logs the user in and presents the attributes to the authorisation function
6. AUTHORISE: the portal passes the attributes to the AuthZ function, which makes the final access control decision

Identity Providers
Identity Providers assert:
The authenticity of the user
- Federation members TRUST each IdP’s authentication assertions
  - The IdP guarantees the user is who they say they are
  - Enforced by federation policy
- Shibboleth requires an external application to actually do the authentication; SAML provides the transport mechanism for the resulting assertion
The privileges of the user
- SAML attributes carry extra information about the user which external resources can use to make access control decisions
  - These attributes need to be negotiated between IdPs and SPs
  - However, a standard framework exists which SPs may adopt to enhance interoperability…

eduPerson
An LDAP object class which defines widely-used attributes relevant to higher education
Adopted by Shibboleth and the UK Access Management Federation
eduPersonAffiliation
- Standard attribute definition with standard values (student, staff, affiliate, …)
eduPersonPrincipalName
- A user identifier; its release may be disabled to allow anonymous access
eduPersonTargetedID
- Persistent, opaque identifier: stable for a given user at a given SP, but not identifying
eduPersonEntitlement
- Attribute for carrying site-defined user privileges

eduPerson
Campus opinion of the effect of adopting the eduPerson schema… (image)

Towards a Solution…
Basic Shibboleth IdP configuration (diagram):
- AuthN: SP sends AuthN request → IdP asks the User Directory “AuthN?” → y/n → y/n returned to SP
- AuthZ: SP sends AuthZ request → IdP asks the User Directory “Atts?” → Atts. → Atts returned to SP
- Problem: eduPerson is not supported by the central User Directory

Multiple Attribute Authorities (diagram)
- AuthN as before: SP AuthN request → User Directory “AuthN?” → y/n to SP
- AuthZ: SP AuthZ request → IdP asks the central User Directory AND the departmental directories (Dept. A, Dept. B) “Atts?” → combined Atts to SP
- User entries are linked through the unique ‘uid’ attribute
- eduPerson can be adopted at departmental level

The Techie Bit…
Multiple attribute authorities are implemented through additional JNDI connectors in resolver.ldap.xml
Must set ‘noResultIsError’ to ‘false’
- Prevents an error being thrown if a user is not found in a directory
- Needed because a user is not normally a member of EVERY department!
Must set ‘propagateErrors’ to ‘false’
- Stops an error from one directory halting the query of the other LDAPs
Each attribute definition states (through its connector dependencies) which directories it will search
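What those settings look like in a resolver.ldap.xml, as an added example rather than the GLASS project’s own file. It uses the Shibboleth IdP 1.3 resolver syntax; the connector ids, hostnames and base DNs are assumptions, and the central directory is left with its defaults so that a user missing from NSure still fails rather than being silently resolved with no attributes.

```xml
<AttributeResolver xmlns="urn:mace:shibboleth:resolver:1.0"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Central NSure directory (hostname and base DN assumed).  Every user
       is in it, so the defaults stay: a missing entry here IS an error. -->
  <JNDIDirectoryDataConnector id="nsure">
    <Search filter="uid=%PRINCIPAL%">
      <Controls searchScope="SUBTREE_SCOPE" returningObjects="false"/>
    </Search>
    <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
    <Property name="java.naming.provider.url" value="ldap://nsure.example.ac.uk/o=campus"/>
  </JNDIDirectoryDataConnector>

  <!-- Departmental attribute authority A (assumed host).  Most users are
       not in it (noResultIsError="false"), and its outage must not break
       login for everyone else (propagateErrors="false"). -->
  <JNDIDirectoryDataConnector id="deptA" noResultIsError="false" propagateErrors="false">
    <Search filter="uid=%PRINCIPAL%">
      <Controls searchScope="SUBTREE_SCOPE" returningObjects="false"/>
    </Search>
    <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
    <Property name="java.naming.provider.url" value="ldap://ldap.depta.example.ac.uk/ou=people,o=depta"/>
  </JNDIDirectoryDataConnector>

  <!-- Departmental attribute authority B (assumed host), same settings.
       Both departmental entries are keyed on the same campus-wide uid. -->
  <JNDIDirectoryDataConnector id="deptB" noResultIsError="false" propagateErrors="false">
    <Search filter="uid=%PRINCIPAL%">
      <Controls searchScope="SUBTREE_SCOPE" returningObjects="false"/>
    </Search>
    <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
    <Property name="java.naming.provider.url" value="ldap://ldap.deptb.example.ac.uk/ou=people,o=deptb"/>
  </JNDIDirectoryDataConnector>

  <!-- eduPerson lives only in the departmental directories (the central one
       does not carry the schema).  Entitlement values are collected from
       whichever departments hold an entry for this uid; a department with no
       entry simply contributes nothing. -->
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement"
                             sourceName="eduPersonEntitlement">
    <DataConnectorDependency requires="deptA"/>
    <DataConnectorDependency requires="deptB"/>
  </SimpleAttributeDefinition>

</AttributeResolver>
```

Release of the resulting attribute to a given SP is still governed by the IdP’s attribute release policy (ARP), which is a separate file; the resolver only decides where values come from. The check to make after deploying this is to resolve a user who is in NSure but in neither department and confirm that login succeeds with an empty entitlement set, and then to stop one departmental LDAP and confirm that users of the other department still get their entitlements.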

Specific Services
The University of Glasgow now offers many online services for its students
Some involve manipulation or extraction of sensitive personal data
Most involve insecure (often cleartext) movement of user information
Nearly all require:
- Username and password to be entered on each visit (even within the same browser session)
  - It is also possible that DIFFERENT usernames and passwords are needed for different services
- Pre-registration for staff and non-students

GLASS Project
Unifying University resources under Shibboleth utilising the NSure Directory Service: SSO, secure attributes…
(diagram of campus services, including WebMAIL)

Moodle
Moodle is an online course management system
A Virtual Learning Environment (VLE) which allows educators to create online learning communities
As of August 2006:
- 15,768 registered sites in 163 countries (1,241 in the UK alone)
- 581,984 courses
- 6,033,505 users
Individual site Moodles can be very different
- Different sites may require different user information to create a session

University of Glasgow Moodle
Utilises the central campus LDAP server
Requires the following entries for a user session:
- uid, givenName, fullName, mail, sn
- (University of Glasgow Computing Services (CS) requirements)
Entries are usually retrieved through the generic LDAP module
A Shibboleth authentication module is available
- Extracts the correct attributes from the HTTP_SHIB_ATTRIBUTES header provided by the Shibboleth Service Provider
- Either a “pure Shibboleth” login, or multiple login types
  - CS prefer the latter as more flexible
    - Cost: the user must specifically request a Shibboleth session on their first visit

WebSURF
WebSURF is an online service for manipulation and retrieval of personal details
Student services:
- Course registration/options
- Access to personal exam results
- Updating personal details (address, telephone number)
Staff services:
- View student records
- Update course information
WebSURF is authored by the University of Glasgow

GLASS Moodle
Moodle ships with a Shibboleth authentication module, which requires configuration…
The Shibboleth SP provides the five attributes in an HTTP header (HTTP_SHIB_ATTRIBUTES)
- Each individual attribute is also exposed as a CGI-style header:
  - HTTP_UID
  - HTTP_SHIBINETORG_SURNAME
  - HTTP_GIVENNAME
  - etc.
Moodle forms a local username from these (creating the local account if it doesn’t already exist)

GLASS WebSURF
Much more complicated!
WebSURF is a J2EE application which runs in a JBoss container
Authentication is done with the generic JAAS module
Shibboleth may interface with JBoss applications through the SPIE-JAAS module, which takes the place of the generic JAAS module

GLASS (screenshot)

GLASS BrainIT
Using Shibboleth to provide sensitive clinical data to a Grid portal from an NHS database
The SP needs to host GridSphere, so a Tomcat/ajp_proxy setup is required
- The portal has been SSL-enabled as the data is particularly sensitive
eduPersonEntitlement is used as the attribute required for access to the portal
- Different entitlement values correspond to different parameters available to query:
  - brainIT_nurse: low privilege (e.g. DOB/sex)
  - brainIT_investigator: high privilege (e.g. postcode, illness specifics)
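The SP-side half of the GLASS Moodle and BrainIT slides, as an added example that is not GLASS project code: building the local account from the five attributes Moodle needs, and making the BrainIT access decision from eduPersonEntitlement values. HTTP_UID, HTTP_GIVENNAME and HTTP_SHIBINETORG_SURNAME are the header names on the slides; HTTP_CN, HTTP_MAIL and HTTP_ENTITLEMENT are assumed names for the remaining attributes, and the exact parameter set behind each BrainIT entitlement is illustrative. The caveat a practitioner wants here is that these values must be read only from the environment the Shibboleth SP module populates on the protected location; an application must never accept them from any other source or fall back to something the user could set in the request, because then a request header would become an entitlement.

```python
"""SP-side handling of Shibboleth-delivered attributes (added example, not GLASS code).

Header names HTTP_UID, HTTP_GIVENNAME and HTTP_SHIBINETORG_SURNAME are from the
slides; HTTP_CN, HTTP_MAIL and HTTP_ENTITLEMENT are assumed.  The parameters
behind each BrainIT entitlement are illustrative, not the project's real list.
"""


class MissingAttribute(Exception):
    """Raised when the SP did not supply an attribute the application needs."""


# The five attributes Glasgow Moodle needs for a session, mapped to the
# CGI-style header under which the Shibboleth SP exposes each one.
MOODLE_ACCOUNT_HEADERS = {
    "uid": "HTTP_UID",
    "givenName": "HTTP_GIVENNAME",
    "sn": "HTTP_SHIBINETORG_SURNAME",
    "fullName": "HTTP_CN",    # assumed header name
    "mail": "HTTP_MAIL",      # assumed header name
}

ENTITLEMENT_HEADER = "HTTP_ENTITLEMENT"  # assumed header for eduPersonEntitlement

# eduPersonEntitlement value -> BrainIT query parameters that value unlocks.
# Deny-by-default: a value not listed here grants nothing.
BRAINIT_PRIVILEGES = {
    "brainIT_nurse": frozenset({"dob", "sex"}),
    "brainIT_investigator": frozenset({"dob", "sex", "postcode", "illness_specifics"}),
}


def split_values(raw):
    """Split a multi-valued attribute; the Shibboleth SP joins values with ';'."""
    return [v.strip() for v in raw.split(";") if v.strip()]


def moodle_account(environ):
    """Build the local Moodle account record from the SP-supplied headers.

    `environ` is the CGI environment as the web server presents it on the
    SP-protected location.  All five attributes are mandatory: a session is
    refused rather than created with blanks.  uid is unique across NSure, so
    the local username is derived from it.
    """
    account = {}
    for attr, header in MOODLE_ACCOUNT_HEADERS.items():
        value = environ.get(header, "").strip()
        if not value:
            raise MissingAttribute(f"SP did not release {attr} ({header})")
        account[attr] = value
    account["username"] = account["uid"].lower()
    return account


def entitlements(environ):
    """Set of eduPersonEntitlement values released for this user."""
    return set(split_values(environ.get(ENTITLEMENT_HEADER, "")))


def permitted_parameters(environ):
    """Union of the parameters unlocked by the user's recognised entitlements."""
    allowed = set()
    for value in entitlements(environ):
        allowed |= BRAINIT_PRIVILEGES.get(value, frozenset())
    return allowed


def authorise_query(environ, requested):
    """Final access control decision for a BrainIT query.

    Returns (allowed, refused): the query is allowed only if every requested
    parameter is covered by the user's entitlements; refused lists the rest,
    so the portal can say exactly which parameters were out of scope.
    """
    refused = set(requested) - permitted_parameters(environ)
    return (not refused, refused)


# Constructed samples of what the SP module would present for two users.
NURSE_ENV = {
    "HTTP_UID": "abc12n",
    "HTTP_GIVENNAME": "Anna",
    "HTTP_SHIBINETORG_SURNAME": "Nurse",
    "HTTP_CN": "Anna Nurse",
    "HTTP_MAIL": "a.nurse@example.ac.uk",
    "HTTP_ENTITLEMENT": "brainIT_nurse",
}
INVESTIGATOR_ENV = dict(
    NURSE_ENV,
    HTTP_UID="xyz34i",
    HTTP_GIVENNAME="Ian",
    HTTP_SHIBINETORG_SURNAME="Investigator",
    HTTP_CN="Ian Investigator",
    HTTP_MAIL="i.investigator@example.ac.uk",
    HTTP_ENTITLEMENT="brainIT_nurse;brainIT_investigator",  # multi-valued
)

if __name__ == "__main__":
    for name, env in (("nurse", NURSE_ENV), ("investigator", INVESTIGATOR_ENV)):
        print(name, moodle_account(env)["username"], sorted(permitted_parameters(env)))
        print("  dob+postcode query allowed:", authorise_query(env, {"dob", "postcode"})[0])
```

The decision is whole-query rather than per-field: a nurse asking for DOB and postcode is refused outright rather than handed a partial result, which keeps the high-privilege fields from leaking through a mixed request. An unknown entitlement value (a typo in a departmental directory, or an entitlement meant for another service) grants nothing, and a user with no entitlement header at all is refused everything.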

GLASS (screenshot)

Summary
The GLASS infrastructure is the basis for all Shibboleth-based projects at Glasgow, e.g. the EPSRC nanoCMOS project
- Centralised authentication from the NSure LDAP
- Departmental Attribute Authorities at the National e-Science Centre and the Department of Electronics and Electrical Engineering
  - Each department controls the attributes required for access to its own service
  - LDAP directories are linked using the unique ‘uid’ attribute
Experience gained in interfacing with new technologies (MediaWiki)
Informs new Shibboleth-based projects with other collaborators (e.g. SEE-GEO)

Demos
This afternoon…. All afternoon!