Slide 1: Shibbolizing uPortal and a Path for Delegated Authentication with Shibboleth
Tom Barton, Scott Cantor, and Andrew Petro (The Ohio State University, University of Chicago, and Unicon, respectively)
Jasig Dallas, 03 March 2009
© Copyright the author or authors. Some rights reserved. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/us/
Slide 2: Agenda
1. Introduction
2. Use Cases
3. Shibbolizing uPortal Today
4. Delegated Shibbolized Authentication... in uPortal
5. ... in Shibboleth
6. Conclusion
Slide 3: Use Cases
Shibbolizing uPortal
Slide 4: Authentication and Single Sign On
Slide 5: Federated Authentication
Slide 6
● The provider of the identity and the provider of the service (uPortal) may not be the same institution
● Users can authenticate using identities from anywhere in the federation, to services anywhere in the federation, with a healthy policy layer.
Slide 7: Attribute release
● Just-in-time release of attributes to the portal at the time of user authentication
● Different from querying directories of attributes
  – Attributes are released only in the context of an actual user authentication
  – Attributes may belong to a federated identity; the attribute information is not necessarily available to the portal in an institutional directory
Slide 8: Delegated authentication
● User authenticates to portal
● Portal authenticates to a backing service on behalf of the user
● Data from backing service informs portal
(Diagram label: WSP. Photo: http://www.flickr.com/photos/ntr23/730371240/)
Slide 9: Code Sample
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
Callout (Code Sample): Use Courier New, 18pt black, 1.5 line spacing for code samples, with a grey bounding box as shown in the example. If the code sample is large enough, use the full-slide format (as shown in the previous slide for diagrams and screenshots). Color-coding code is fine, but try to stick to traditional color-coding colors and don't overdo it.
Slide 10: Shibbolizing uPortal Today (Authentication, Attribute Release)
Slide 11: Authenticating to uPortal with Shibboleth (Authentication)
Slide 12: Shibboleth for Authentication
● Shibboleth provides a Service Provider Apache module for authentication
● uPortal can delegate to the container for authentication
● Ta-da!
Slide 13: Shibboleth SP Authentication
(Diagram: HTTP headers)
HTTP headers set by the Shibboleth SP represent the authenticated user identifier (remote user) and user attributes.
Slide 14: Shibbolizing CAS?
● uPortal ships with a CAS server and support for using CAS for login
● CAS can be easily Shibbolized
● Shibbolize uPortal by Shibbolizing CAS?
(Photo: http://www.flickr.com/photos/javaturtle/117152990/)
Slide 15: Releasing Attributes to uPortal with Shibboleth (Attributes)
Slide 16: User Attributes in uPortal
(Diagram: JDBC, LDAP, Pluggable API, User attributes subsystem)
Slide 17: Shibboleth attribute release
(Diagram: HTTP headers)
HTTP headers set by the Shibboleth SP represent the authenticated user identifier (remote user) and user attributes.
Slide 18: User attributes at login
● User attributes in the context of user login
● Not arbitrary queries of directories
Slide 19: Capturing user attributes from SP
(Diagram: HTTP headers; HTTP header capturing filter)
HTTP headers set by the Shibboleth SP represent the authenticated user identifier (remote user) and user attributes.
Slide 20: Declare the filter in web.xml
    <filter>
        <filter-name>HttpHeaderFilter</filter-name>
        <filter-class>edu.jhu.services.persondir.support.http.HttpHeaderFilter</filter-class>
        <init-param>
            <param-name>personDirectoryDaoName</param-name>
            <param-value>httpHeaderAttributeSource</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>HttpHeaderFilter</filter-name>
        <url-pattern>/Login</url-pattern>
    </filter-mapping>
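To show what a header-capturing filter of the kind declared on this slide does, here is an added illustrative servlet filter. It is not the JHU HttpHeaderFilter the slide references and not uPortal code; the class name, the init-param name headerNames and the session key are assumptions made for this example. It snapshots the Shibboleth SP headers into the session on the login request, but only when the container reports an authenticated remote user, so that headers supplied by a client that bypassed the SP are never treated as attributes.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Illustrative header-capturing filter (example code, not the JHU/PersonDir
 * HttpHeaderFilter named on the slide). Mapped to the login URL, it copies the
 * Shibboleth SP headers into the session so a user attribute DAO can read them.
 */
public class ShibHeaderCaptureFilter implements Filter {

    /** Session key under which the captured attributes are stored (assumed name). */
    public static final String SESSION_KEY = "shibHeaderAttributes";

    /** Header names to copy, read from an init-param (assumed name "headerNames"). */
    private List<String> headerNames = Collections.emptyList();

    @Override
    public void init(FilterConfig config) {
        // Example init-param value: "eppn,affiliation,displayName"
        String raw = config.getInitParameter("headerNames");
        if (raw != null && !raw.trim().isEmpty()) {
            headerNames = Arrays.asList(raw.trim().split("\\s*,\\s*"));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // REMOTE_USER is populated by the SP in front of the container (how it
            // reaches the servlet API depends on the Apache/Tomcat connector setup,
            // which this example assumes is configured). Capture attributes only
            // when it is present: otherwise same-named headers sent directly by a
            // client would be stored as if the SP had asserted them.
            String remoteUser = http.getRemoteUser();
            if (remoteUser != null && !remoteUser.isEmpty()) {
                Map<String, String> attrs = new LinkedHashMap<String, String>();
                attrs.put("remoteUser", remoteUser);
                for (String name : headerNames) {
                    String value = http.getHeader(name);
                    if (value != null) {
                        attrs.put(name, value);
                    }
                }
                http.getSession(true).setAttribute(SESSION_KEY, attrs);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

A DAO like the one on the "User attributes from Shibboleth" slide would then read the map back from the session under SESSION_KEY. The remote-user check only helps if the container cannot be reached except through the Apache front end running the SP; a servlet port that is open to clients directly lets them set the same header names themselves.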
Slide 21: User attributes from Shibboleth
(Diagram: JDBC, LDAP, DAO bridges to filter, User attributes subsystem)
Slide 22: Declare the attribute source
Slide 23: Canonical way to do this is in flux
● Not very much in flux, but a little in flux
● In Jira: PERSONDIR-37, PERSONDIR-49
● The (a) DAO for this ships in Persondir 1.5 RC2
● For now, if you're interested, please ping me.
● apetro@unicon.net
Slide 24: Delegated Shibbolized Authentication... In uPortal
Slide 25: Portal Password Replay
(Diagram: Portal, Password-Protected Service, Channel, PW)
Slide 26: Look Ma, No Password!
● Without a password to replay, how am I going to authenticate my portal to other applications?
Slide 27: Proxy CAS
(Diagram: CAS, Web Application, Web Browser, https listener)
Slide 28: Oh, wait, this is Shibboleth
● Very similar idea.
● Portal presents SAML Assertion to Portlet
● Portlet presents SAML Assertion to IdP
● IdP issues Portlet a new SAML Assertion for the purpose of authenticating the Portlet to the backing Web Service Provider
● Portlet presents Assertion to backing Web Service Provider, authenticating its request to the backing service.
Slide 29: Delegated authentication
(Diagram: WSP, IdP)
Slide 30: Getting the SAML to the Portlet
● Solution parallel to that for conveying passwords and CAS Proxy Tickets to portlets
● Custom UserInfoService
● Portlets obtain SAML assertions (like passwords and CAS proxy tickets) via callback for a "magic" user attribute
Slide 31: SAML to authenticate to a WSP
● Portlet presents SAML to IdP to get more SAML to present to backing WSP
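The chain on slides 28 through 31 (portal holds an assertion, hands it to the portlet, the portlet exchanges it at the IdP for one scoped to the WSP, the WSP accepts only that one) is modelled below as an added example. It is not Shibboleth or uPortal code: assertions are plain objects with no XML or signatures, and the entity names and the IdP's delegation policy table are constructed for this example. What it shows is the check at each hop that makes the scheme safe: the IdP re-validates the presented assertion and consults a policy (the "policy knob") before issuing a delegated one, and the WSP rejects the portal-scoped assertion on audience mismatch.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Simplified model of delegated Shibboleth authentication (example code, not Shibboleth's). */
public final class DelegationChainModel {

    /** Minimal stand-in for a SAML assertion: issuer, subject, audience, and who obtained it. */
    public static final class Assertion {
        public final String issuer;
        public final String subject;
        public final String audience;
        public final String delegate; // entity that obtained this assertion on the subject's behalf, or null

        Assertion(String issuer, String subject, String audience, String delegate) {
            this.issuer = issuer;
            this.subject = subject;
            this.audience = audience;
            this.delegate = delegate;
        }
    }

    /** The IdP: issues the initial assertion and, on request, a delegated one. */
    public static final class IdP {
        public final String entityId;
        // Policy knob (assumed shape): which relying party may obtain assertions for which WSPs.
        private final Map<String, Set<String>> delegationPolicy = new HashMap<String, Set<String>>();

        IdP(String entityId) { this.entityId = entityId; }

        void allowDelegation(String fromSp, String toWsp) {
            Set<String> targets = delegationPolicy.get(fromSp);
            if (targets == null) {
                targets = new HashSet<String>();
                delegationPolicy.put(fromSp, targets);
            }
            targets.add(toWsp);
        }

        /** Normal SSO: the user authenticates and gets an assertion whose audience is the portal. */
        Assertion authenticate(String user, String portalSp) {
            return new Assertion(entityId, user, portalSp, null);
        }

        /** Delegated issuance: validate the presented assertion, check policy, issue a WSP-scoped one. */
        Assertion delegate(Assertion presented, String wsp) {
            if (!entityId.equals(presented.issuer)) {
                throw new SecurityException("presented assertion was not issued by this IdP");
            }
            Set<String> allowed = delegationPolicy.get(presented.audience);
            if (allowed == null || !allowed.contains(wsp)) {
                throw new SecurityException(presented.audience + " may not delegate to " + wsp);
            }
            // Same user, new audience, and the portal recorded as the delegate.
            return new Assertion(entityId, presented.subject, wsp, presented.audience);
        }
    }

    /** The backing web service provider: accepts only assertions from its IdP addressed to it. */
    public static final class Wsp {
        public final String entityId;
        private final String trustedIdp;

        Wsp(String entityId, String trustedIdp) {
            this.entityId = entityId;
            this.trustedIdp = trustedIdp;
        }

        boolean accepts(Assertion a) {
            return trustedIdp.equals(a.issuer) && entityId.equals(a.audience);
        }
    }

    /** Runs the chain end to end; true when the WSP rejects the portal's assertion but accepts the delegated one. */
    public static boolean runChain() {
        IdP idp = new IdP("https://idp.example.edu/idp");                    // constructed name
        Wsp wsp = new Wsp("https://wsp.example.edu/service", idp.entityId);  // constructed name
        String portalSp = "https://portal.example.edu/sp";                   // constructed name
        idp.allowDelegation(portalSp, wsp.entityId);

        Assertion toPortal = idp.authenticate("jdoe", portalSp);      // user logs in to the portal
        boolean wspRejectsPortalAssertion = !wsp.accepts(toPortal);   // audience is the portal, not the WSP
        Assertion toWsp = idp.delegate(toPortal, wsp.entityId);       // portlet exchanges it at the IdP
        return wspRejectsPortalAssertion && wsp.accepts(toWsp) && portalSp.equals(toWsp.delegate);
    }

    public static void main(String[] args) {
        System.out.println("delegation chain accepted: " + runChain());
    }
}
```

Removing the allowDelegation call makes the IdP throw at the exchange step, which is the behaviour a policy layer should produce for a portal that has not been granted delegation to that service; a real deployment also checks validity windows and signatures, which this model leaves out.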
Slide 32: Delegated Shibbolized Authentication... In Shibboleth
Slide 33: Changes in the IdP
● What's an IdP again?
● How is it changing?
Slide 34: Changes in the SP
● What's an SP again?
● How is it changing?
Slide 35: Policy Knobs
(Photo: http://www.flickr.com/photos/platinum/5452160/)
Slide 36: (Not) Modeling Portlets as Principals
Slide 37: (no text captured)
Slide 38: Evolution of Shibboleth
● Delegated authentication use cases are not a surprise
Slide 39: Concluding remarks
Slide 40: Where to learn more
● Internet2 Wiki Space: https://spaces.internet2.edu/x/TTM
● Tom Barton, Scott Cantor, Andrew Petro, Adam Rybicki, and Tamra Valadez at this conference
Slide 41: Questions & Answers