Slide 2: Shibboleth. Your web application. PDI, January 2017
Slide 3: Presenter: Adam Warren
- ACNS employee, previously Web Communications, previously ACNS Middleware developer
- Administers 100,000 Google accounts
- Involved in the 2007 rewrite of EID from ColdFusion to .NET
- Has been using eID WebAuth for a long time…
Slide 4: Agenda
- eID WebAuth review
- Shibboleth basics
- Protecting your pages/sites
- Shibboleth metadata
- One way to manage session: store metadata, do early timeouts, redirects (for web apps)
Slide 5: But First… Authentication (AuthN) vs. Authorization (AuthZ)
Slide 6: eID WebAuth
> eID WebAuth only does AuthN <
Setting up eID WebAuth:
- Preregistered eService: get a Token ID and set a “return” page
- Two web forms (login and login-proc)
- Two round trips to the server
- Must do something with “invalid” logins
- Must do AuthZ
Slide 7: eID WebAuth (2). Authenticating on a web app: first round trip
- App determines user must authenticate
- Login page sends a Web Request to the eID server with the eService token
- eID server answers with some HTML: a login form that posts to eID
- User logs in; form posts to eID
- eID server evaluates the login, sends user to the preregistered “result” page carrying an AuthenticationID
Slide 8: eID WebAuth (3). Authenticating: second round trip
- Login-proc re-bundles the token with the AuthenticationID and makes another Web Request
- eID server answers with a delimited set of data on the person, as well as an answer on whether the user is valid or not
Slide 9: eID WebAuth (4). Processing
- Must look at the “ValidUser” property and make decisions
- Metadata returned, if valid user: eName, PrimaryEID, EIDIRID, ISISIRID, ARIESIRID, HRIRID, AssociatesIRID, CSUID
Slide 10: eID WebAuth (5). Problems
- You have to handle invalid users
- Not much data except for IDs; requires subsequent lookups
- Round-trip (login form) spoofing
- Does not implement single sign-on
- Retiring!
Slide 11: Enter Shibboleth. Replacement for eID WebAuth
- In production in very high-traffic web apps: RAMweb, Canvas LMS, Library, Parking, others
- Timeline: eID WebAuth support ends July 1st 2017
Slide 12: What is Shibboleth? Web-based single sign-on with three components
- The Identity Provider (IdP): does user authentication
- The Service Provider (SP): protects online resources
- The Discovery Service (DS): links the SP to the user’s IdP (not always needed)
Slide 13: Shibboleth Identity Provider (IdP)
- The IdP does user authentication and provides user information to the Service Provider. It is located at the home organization, which maintains the user's account.
At CSU:
- Run by ACNS
- Redundant, load balanced
- Works just fine when Oracle is unavailable
Slide 14: Shibboleth Service Provider (SP)
- Protects online resources
- Consumes information from the Identity Provider (IdP)
- Generally installed on the same server as the resource
At CSU:
- Runs on your web server (IIS, Apache/Linux)
- Already set up on ACNS web servers
- ACNS timeout is 8 hours session / 1 hour inactivity (default)
Slide 16: Shibboleth Flow
- User requests a protected resource (your web page). If the user lacks a session, they get sent to the Service Provider.
- Service Provider issues an Authentication Request. The SP sends the user to the Identity Provider.
- User authenticated at the Identity Provider. The IdP checks if the user has an existing session. If none, the IdP validates username and password.
Slide 17: Safer
> Logins only happen on the IdP <
Slide 18: Shibboleth Flow (2)
- Identity Provider issues an Authentication Response and sends the user back to the Service Provider.
- Service Provider checks the Authentication Response. The SP validates the response, creates a session for the user, and makes metadata available to the protected resource.
- Resource returns content. Like before, the user is asking for the protected resource, but now the user has a session and the resource knows who they are. Must still do Authorization.
Slide 19: Richer Data
In addition to all the ID numbers (Aries, CSU-ID, EIDIRID, ad nauseam), Shibboleth also returns:
- displayName: Firstname Lastname
- eduPersonNickname: Firstname
- eduPersonPrincipalName: this one is a key and the preferred identifier
- mail: whatever alias the user has
- sn: Lastname
- givenName: Firstname
Slide 20: Session Timeouts for Single Sign-On
- IdP session (CSU IdP): 8 hours, 2 hour inactivity timeout
- SP session: default 8 hours
- Application session: set your own
- wsnetdev2.colostate.edu/cwis262/shibbolethpdi/session_timing.aspx
Slide 21: Implementing Shibboleth
- Decide what resource to protect
- Make use of the metadata you get from the IdP
- Manage your own session
Slide 22: Protecting Resources
- Can “protect” an entire folder or a single web form/page
- Best practice: protect one page with the Shibboleth SP
- If using ACNS servers: contact Joe Volesky with the filename
- Probably call it authorize instead of login
- Protect other pages by checking the local session
- Send users to the authorize page if the local session is expired or nonexistent
Slide 23: Shibboleth Metadata
- Resources protected by the SP return metadata in the request headers.
Slide 24: Shibboleth Metadata (2)
- Wrap this metadata into a little class and only loop over the headers once
- File: ShibUserData.cs
Slide 27: Shibboleth Metadata Class
- Your one protected page spins up one ShibUserData object
- Just pass in the headers to the constructor
- Now you have all the SAML attributes from the IdP in an object that holds them in individual, type-correct properties
Slide 28: Managing Session in your App
- Create a ShibSession class
- Holds a ShibUserData object, the AuthZ result, and a few others
- Stores one instance of itself in the ASP.NET session
- Allows access to session properties in a type-safe way, from inside a class file or on any aspx page, in the same way
- No more HttpContext.Current.Session[“MySession”]…
Slide 29: Managing Session (2). Benefits
- It saves you from a lot of type-casting
- You don't have to use hard-coded session keys throughout your application (e.g. Session["loginId"])
- You can document your session items by adding XML doc comments on the properties of MySession
- You can initialize your session variables with default values (e.g. assuring they are not null)
Slide 30: Shibboleth Session Class
Properties:
- A ShibUserData object
- Intended destination (for redirecting back)
- Login time (to implement a faster timeout)
- AuthZ
- Add more AuthZ properties for multiple types of AuthZ, e.g., AuthZnormal, AuthZsuper
Slide 32: Implementing ShibSession (1)
- On your Authorize page: set the ShibSession User and Date properties
Slide 33: Implementing ShibSession (2)
- On your Authorize page: do AuthZ
- Could be a database lookup
- Could be a simple eName check
- Could be GROUPER…
Slide 34: Implementing Shibboleth (3)
- Redirect if necessary
Slide 35: Now to “Other Pages”. Example: simple one-page web app
Three things to examine:
- Does the user have an application session?
- Is the user’s session fresh enough?
- Is the user authorized?
Slide 36: Other Page: Check for Session
Slide 37: Other Page: Check Timestamp
Slide 38: Other Page: Check Authorization
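The pattern in slides 24 through 38 (a ShibUserData wrapper over the SP headers, a ShibSession stored once in the ASP.NET session, the single SP-protected Authorize page that sets user, timestamp and AuthZ, and the "other pages" that gate on session, freshness and authorization) is shown below as one added C# example. It is not the presenter's ShibUserData.cs, ShibSession.cs or the demo's .aspx.cs files; it assumes ASP.NET Web Forms (System.Web), that the SP exposes attributes as request headers named eppn, displayName, givenName, sn, mail and csuid (header names depend on your SP's attribute-map.xml and are an assumption here), a constructed allow-list standing in for the database or Grouper lookup, and a 30-minute application timeout chosen for illustration.

```csharp
// Added example, not the presentation's own code. Assumes ASP.NET Web Forms and
// Shibboleth SP attribute headers; header names below are assumptions.
using System;
using System.Collections.Specialized;
using System.Web;
using System.Web.UI;

public sealed class ShibUserData
{
    public string EduPersonPrincipalName { get; private set; }  // the key identifier
    public string DisplayName { get; private set; }
    public string GivenName { get; private set; }
    public string Sn { get; private set; }
    public string Mail { get; private set; }
    public string CsuId { get; private set; }

    // Read the SP-provided headers once. Only construct this on the page the SP
    // protects: there the SP has set the headers itself, so they are trustworthy.
    public ShibUserData(NameValueCollection headers)
    {
        EduPersonPrincipalName = Get(headers, "eppn");
        DisplayName = Get(headers, "displayName");
        GivenName = Get(headers, "givenName");
        Sn = Get(headers, "sn");
        Mail = Get(headers, "mail");
        CsuId = Get(headers, "csuid");
        if (string.IsNullOrEmpty(EduPersonPrincipalName))
            throw new InvalidOperationException("No eppn header: page is not SP-protected or attribute release failed.");
    }

    private static string Get(NameValueCollection h, string name)
    {
        return (h[name] ?? string.Empty).Trim();
    }
}

public sealed class ShibSession
{
    private const string Key = "ShibSession";
    // Application timeout, deliberately shorter than the SP's session (assumed value).
    public static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(30);

    public ShibUserData User { get; set; }
    public DateTime LoginTime { get; set; }
    public string IntendedDestination { get; set; }   // app-relative path only
    public bool AuthZnormal { get; set; }
    public bool AuthZsuper { get; set; }

    // The single typed accessor: no more Session["MySession"] casts on every page.
    public static ShibSession Current
    {
        get
        {
            var s = HttpContext.Current.Session[Key] as ShibSession;
            if (s == null) { s = new ShibSession(); HttpContext.Current.Session[Key] = s; }
            return s;
        }
    }

    public bool HasUser { get { return User != null; } }
    public bool IsFresh { get { return HasUser && DateTime.UtcNow - LoginTime <= MaxAge; } }
}

// Authorize.aspx.cs: the one page the Shibboleth SP protects.
public partial class Authorize : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        var s = ShibSession.Current;
        s.User = new ShibUserData(Request.Headers);   // headers are trusted here only
        s.LoginTime = DateTime.UtcNow;
        // AuthZ: a simple eName check stands in for a database or Grouper lookup (constructed list).
        string[] allowed = { "example.user@colostate.edu" };
        s.AuthZnormal = Array.IndexOf(allowed, s.User.EduPersonPrincipalName) >= 0;
        // Redirect back to where the user was going; only app-relative paths are ever stored.
        string dest = string.IsNullOrEmpty(s.IntendedDestination) ? "~/Default.aspx" : s.IntendedDestination;
        s.IntendedDestination = null;
        Response.Redirect(dest);
    }
}

// Default.aspx.cs: an "other page", protected by the local session rather than the SP.
public partial class _Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        var s = ShibSession.Current;
        if (!s.HasUser || !s.IsFresh)              // checks 1 and 2: session present and fresh
        {
            s.IntendedDestination = Request.RawUrl; // server-supplied, app-relative path
            Response.Redirect("~/Authorize.aspx");
        }
        if (!s.AuthZnormal)                         // check 3: authorized
        {
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
        }
    }
}
```

Two design points follow from the slides. First, ShibUserData is only ever built on the SP-protected page, because that is the only request where the SP itself has written the attribute headers; reading the same header names on an unprotected page would mean trusting whatever the client sent. Second, the stored destination is the server's own Request.RawUrl rather than a query-string parameter, so the post-login redirect can only land on a path inside the application.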
Slide 39: Demo
- Default page is default.aspx
- Authorize page is authorize.aspx
Slide 40: Resources
- Joe Volesky, for Shibboleth-protecting a file on WSNDETDEV2/WSNET2
- Files used in this demo: ShibUserData.cs and ShibSession.cs; Authorize.aspx, Authorize.aspx.cs; Default.aspx, Default.aspx.cs
- Web sites: shibboleth.net and wiki.shibboleth.net; variables-from-any-class-in-asp-net
Slide 41: Questions?