Shibboleth and IIS Integration Tips, Tricks, Alternatives

Shibboleth and IIS Integration Tips, Tricks, Alternatives
Scott Cantor, OSU / Shibboleth Consortium

Local Background
Local deployment of ~200 SPs, ~300 servers
IIS usage ~60-70%
No special software distribution
Tailored documentation and configuration: https://webauth.service.ohio-state.edu/~shibboleth/
Little use of Windows AD features/security on campus

SP Technical Design
“shibd” agent run as Windows service
DLL installed as IIS ISAPI filter and extension
Configuration external to IIS, not within GUI
Not aware of .NET application boundaries/configuration
2.5 highly recommended due to improved installer for upgrades/patches

IIS Integration Specifics
Native ISAPI modules cannot set server variables, so data is provided via custom headers
Requests to IIS sites are mapped to hostnames using <Site> elements
Applying rules/settings for content requires <RequestMap>

Mapping Examples

<ISAPI normalizeRequest="true" safeHeaderNames="true">
  <!-- id is the IIS site identifier; Alias lists additional hostnames the site answers to -->
  <Site id="1" name="www.example.com">
    <Alias>example.com</Alias>
  </Site>
  <Site id="135234524" name="alt.example.com"/>
</ISAPI>
…
<RequestMapper type="Native">
  <RequestMap>
    <!-- rules are keyed by hostname; here only /secure on www.example.com requires a session -->
    <Host name="www.example.com">
      <Path name="secure" authType="shibboleth" requireSession="true"/>
    </Host>
    <Host name="example.com"/>
    <Host name="alt.example.com"/>
  </RequestMap>
</RequestMapper>
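As an added example (not from the slides or the Shibboleth project), a small Python audit that cross-checks the two sections above the way a deployer would before trusting a mapping: every <Site> name or <Alias> should have a <Host> entry (otherwise only RequestMap defaults apply to it), every <Host> should correspond to a configured <Site> (otherwise its rules never match an IIS request), and each host should carry at least one requireSession rule. Element and attribute names are those of shibboleth2.xml; the embedded config is constructed from the slide with its unclosed <Host> elements fixed.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the slide's <ISAPI> and <RequestMapper> sections, unclosed <Host> fixed.
SAMPLE = """<SPConfig>
  <ISAPI normalizeRequest="true" safeHeaderNames="true">
    <Site id="1" name="www.example.com">
      <Alias>example.com</Alias>
    </Site>
    <Site id="135234524" name="alt.example.com"/>
  </ISAPI>
  <RequestMapper type="Native">
    <RequestMap>
      <Host name="www.example.com">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
      </Host>
      <Host name="example.com"/>
      <Host name="alt.example.com"/>
    </RequestMap>
  </RequestMapper>
</SPConfig>"""

def _local(tag):
    """A real shibboleth2.xml carries a default namespace; compare local names only."""
    return tag.rsplit("}", 1)[-1]

def site_hostnames(root):
    """Hostnames an IIS request can arrive under: each <Site name> plus its <Alias> children."""
    names = set()
    for site in (el for el in root.iter() if _local(el.tag) == "Site"):
        names.add(site.get("name", "").lower())
        names.update(a.text.strip().lower() for a in site if _local(a.tag) == "Alias" and a.text)
    return names

def requestmap_hosts(root):
    """Map each <Host name> to whether it, or a <Path> beneath it, sets requireSession="true"."""
    return {
        host.get("name", "").lower(): any(el.get("requireSession") == "true" for el in host.iter())
        for host in root.iter() if _local(host.tag) == "Host"
    }

def audit(xml_text):
    root = ET.fromstring(xml_text)
    sites, hosts = site_hostnames(root), requestmap_hosts(root)
    return {
        # Site names/aliases with no <Host> entry: only RequestMap defaults apply to them
        "unmapped_sites": sites - set(hosts),
        # <Host> entries no <Site> maps to: their rules can never match an IIS request
        "unknown_hosts": set(hosts) - sites,
        # mapped hosts with no requireSession rule anywhere beneath them
        "unprotected_hosts": {h for h, protected in hosts.items() if not protected},
    }
```

Run `audit(SAMPLE)` on the slide's own mapping and the only finding is that example.com and alt.example.com are mapped but never require a session, which is exactly what the slide configures.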

Gotchas: File Permissions
All accounts used by IIS processes need read access to most files in the Shibboleth installation
Varies widely across IIS versions
No access to private key(s) required
Write access to log directory only

Gotchas: IIS Inheritance
IIS filters: globally or per-site; extension script mappings: globally, site-level, directory/file-level
Installer tries to install filter globally, script/handler mapping at root of each site
Systems vary in overriding these settings at lower layers
GUI is buggy and does not accurately reflect when settings are overridden or missing

Gotchas: WOW64 AppPools
2.5 releases install 32-bit and 64-bit binaries, but only one can be active
IIS AppPools on 64-bit OS can be configured as 32-bit:
  Choose “Run as 32-bit” during install
  Run SetService32.bat after install and manually edit IIS filter/handler mappings
Cannot run both types of AppPool at once

Gotchas: Headers
The “safeHeaderNames” option removes punctuation from attribute names to avoid a .NET API vulnerability, but it is still advisable to avoid:
  System.Web.HttpRequest.ServerVariables
  Request("HTTP_VARIABLE_NAME")
Setting REMOTE_USER not supported; sets HTTP_REMOTEUSER header instead
Avoid unless you need the feature that picks the first value from a set of possible attributes

Gotchas: Virtualization
Client view of scheme, hostname, port not the same as server view
Example: https termination from client to load balancer, http from LB to server
IIS DOES NOT SUPPORT THIS NATIVELY
SP compensates with settings in <Site> elements to override scheme, name, ports; analogous to Apache ServerName and related directives

A bit on ADFS
ADFSv2 integration with IIS principally relies on embedded WS-Federation token support inside .NET application layer
No end-to-end SAML 2 protocol options
Application uses .NET “claims” API to access user data from token
Windows account impersonation via REMOTE_USER: I think possible using sample code for older ADFSv1 style of integration