Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shibboleth Advanced Operational Issues and Recommendations or Tomcat Ate My Brain Scott Cantor cantor.2@osu.edu Copyright Scott Cantor 2004. This work.

Published by碗鲤 奚 Modified over 5 years ago

Similar presentations

Presentation on theme: "Shibboleth Advanced Operational Issues and Recommendations or Tomcat Ate My Brain Scott Cantor cantor.2@osu.edu Copyright Scott Cantor 2004. This work."— Presentation transcript:

1 Shibboleth Advanced Operational Issues and Recommendations or Tomcat Ate My Brain
Scott Cantor Copyright Scott Cantor This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Identity Provider Considerations
Apache/Tomcat Basics Deployment/Configuration Strategy Load Balancing Performance User Authentication Attribute Authority Extensibility 4/25/2019 2

3 Apache/Tomcat Basics Why do we need Apache?
Tomcat supports SSL client authentication, but not without validation Why is Apache 2.0 a problem? Client authentication cannot be applied to a subset of the tree (patch pending) What is JK? Standard Apache/Tomcat protocol called AJP 1.3 Newest implementation available in mod_jk2 + Coyote (somewhat harder to configure than older versions) 4/25/2019 3

4 mod_jk2 Various binaries available from Configuration of module done in /usr/local/apache/conf/workers2.properties Key settings: Port for Tomcat Coyote Connector URL trees to map into Tomcat 4/25/2019 4

5 Coyote Generalized architecture supporting multiple communication channels, can be used like old TCP-based connector Configured mostly in /usr/local/tomcat/conf/jk2.properties Key Settings request.tomcatAuthentication = false 4/25/2019 5

6 Common Pitfalls Apache request pool MUST be <= Tomcat connector maxThreads or you WILL get Server Errors. Enabling SSL client authentication to AA <Location "/shibboleth/AA"> SSLVerifyClient require SSLOptions +ExportCertData +StdEnvVars </Location> SSLCACertificateFile conf/inqueue-ca-bundle.crt Apache 2.0: Run the AA in its own vhost Use mod_ssl's "engine" log to help diagnose SSL errors 4/25/2019 6

7 Deployment/Configuration Strategies
Default configuration uses relative paths for origin.xml, resolver.xml, ARP files, metadata Relative paths are resolved from within the shibboleth.war "virtual file system" By default, Tomcat expands warfiles when it deploys them, seducing you into editing files in the expanded tree. Resist its siren call! 4/25/2019 7

8 Deployment/Configuration Strategies
A modest proposal: Unpack tarball into a permanent location on disk Modify webAppConfig/origin.xml and src/conf/origin.xml to reference other files and directories using absolute file:/// URLs Maintain configuration files, ARPs, etc. in the permanent location Edit /usr/local/tomcat/conf/server.xml, search for unpackWARs, and set to false (foul beast!) To install, run ant, copy endorsed jars, copy warfile to /usr/local/tomcat/webapps, start tomcat To change settings, edit files in permanent location and restart tomcat 4/25/2019 8

9 Load Balancing Primary consideration when load balancing is shared state between Authentication Authority (HS) and Attribute Authority. For opaque NameIdentifier formats (like Shibboleth handles), the AA must recover the principal name. The CryptoHandleGenerator <NameMapping> type enables this in a stateless manner. 4/25/2019 9

10 Load Balancing 1.2 SPs can query multiple Attribute Authority endpoints, but timeouts make this relatively impractical. Redirects to the Authentication Authority must be to a single endpoint. Generally, IdP should not expose load balancing and use an invisible mechanism. 4/25/2019 10

11 Performance As recounted in previous sessions, IdP overhead is driven by authentication overhead and signing overhead Highly CPU bound Essential to limit number of active requests to Authn Authority based on throughput, number of CPUs to prevent thrashing 4/25/2019 11

12 Performance Apache xml-security 1.1 is ~3 times faster
Approximately 15 or so threads per CPU is probably a starting point, but needs study Tunable via maxHSThreads attribute in root of configuration file 4/25/2019 12

13 User Authentication Currently lacks any direct support for user authentication, just a typical secured web application Variety of mechanisms can be used via Apache or Tomcat SSO is the responsibility of the authentication mechanism 4/25/2019 13

14 User Authentication Looking ahead:
Need a clean interface to authentication providers JAAS may be an ideal candidate Need some additional flexibility to assign qualities to providers (passivity, session reuse, authentication context) 4/25/2019 14

15 Some Attribute Authority Extensibility Points
NameMapper Translates between SAML NameIdentifier and principal name ARP Engine Attribute Resolver Data Connector Attribute Definition SAML Attribute Value Handler 4/25/2019 15

16 Service Provider Considerations
Architecture Lazy Sessions Load Balancing / Web Farms Attribute Query Handling 4/25/2019 16

17 Service Provider Architecture
INTERNAL EXTERNAL ARP <Requester> Web Resources Shibboleth Application(s) <RequestMap> providerId Service Provider(s) Unit of Access Control Unit of Session Management and Configuration 4/25/2019 17

18 How To: Protect Resources <RequestMap>
Every incoming request is “decomposed” into [http(s)]://[hostname]:[port]/[path]/[path]/… Default implementation supports applying settings at the host, port, and path level: applicationId requireSession (Apache: ShibRequireSession) exportAssertion (Apache: ShibExportAssertion) <AccessControlProvider> (Apache: require) Pluggable component 4/25/2019 18

19 How To: Protect Resources
<RequestMap> in shibboleth.xml: <RequestMap applicationId="default"> <Host scheme="https" name=" <Path name="~scantor" requireSession="true"/> </Host> </RequestMap> httpd.conf / .htaccess: <Directory /home/scantor/www> AuthType shibboleth ShibRequireSession On require shibboleth (or valid-user or user or…) </Directory> 4/25/2019 19

20 How To: Protect Resources Processing Model
Incoming request must be filtered by module/filter <RequestMapProvider> parses request and returns settings, including applicationId If default, then <Applications> element settings apply. Otherwise, a combination of default <Applications> and specific <Application> settings apply. A providerId is ultimately associated with the request for the purposes of requesting attributes of the identity provider's AA. 4/25/2019 20

21 How To: Protect Resources Assertion Consumer Services (shireURL)
Applications contain (among their resources) one or more shireURL virtual endpoints implemented by Shibboleth. SP's publish their shireURL values as <AssertionConsumerService> elements in metadata. (Why? For security/privacy when persistent user identifiers used or attributes are pushed.) Basic rule: the RequestMap also processes requests to the ASC, and must map the request to the proper applicationId 4/25/2019 21

22 How To: Protect Resources Assertion Consumer Services (shireURL)
When first access is to SP and a session is required, redirect to WAYF/IdP must include "shire" parameter containing ASC endpoint. Three syntaxes supported for shireURL: /Shibboleth.shire ASC MUST be SSL-protected, or many attacks become possible. 4/25/2019 22

23 How To: Lazy Sessions Defers decision to establish session to resource. Enables stacking of multiple authentication methods (with caveats and much user confusion) With Apache, minimal content settings still required (AuthType shibboleth, require shibboleth) Simple "API" (works from any language): Issue redirect to an Assertion Consumer Service with a "target" parameter containing the resource to come back to 4/25/2019 23

24 Load Balancing / Farms SPs have a high degree of flexibility with respect to handling redirects in both Apache and IIS All aspects of the redirect (protocol, hostname, port) can be configured using httpd.conf commands or (for IIS or eventually Java) shibboleth.xml 4/25/2019 24

25 Attribute Query Handling
New with 1.2, SPs can tailor how they react to query failures: Ignore/Propagate Retry Interval Timeouts Expiration Strictness Rich combination of optional/required behavior and accuracy tolerance 4/25/2019 25

26 Auditing IdP and SP each support transaction/audit logs separate from error logs Track issuance of handles to principals, and creation of sessions against those handles for specific applications Simple cross-referencing of handles to identify attackers (though handles can be ugly) 4/25/2019 26

27 Metadata / Trust Fabric
Provider IDs Metadata vs. Trust/Revocation Bilateral Agreements Federations 4/25/2019 27

28 Provider IDs Every Identity and Service Provider MUST have a unique name (within the set of interacting providers). URIs guarantee uniqueness Implementation has moved away from applying policy based on partial name matching, and toward using metadata to aggregate providers as necessary 4/25/2019 28

29 Metadata Operational details that define the providers, the protocol endpoints, support for particular features Also used to identify (indirectly) the names of public keys used by providers to do particular things Implementation of abstract metadata API fully pluggable (LDAP, etc.) Future SAML 2.0 metadata: Allows key identification by value Supports metadata for a wider set of SAML features Allows Attribute Authorities to publish support for attributes Improves interoperability 4/25/2019 29

30 Names Endpoints Keys 4/25/2019 30
<SiteGroup Name="urn:mace:inqueue" xmlns="urn:mace:shibboleth:1.0"> <OriginSite Name="urn:mace:inqueue:example.edu"> <Alias>Example State University</Alias> <HandleService Location=" Name="wayf.internet2.edu"/> <AttributeAuthority Location=" Name="wayf.internet2.edu"/> <Domain>example.edu</Domain> </OriginSite> <DestinationSite Name="urn:mace:inqueue:example.edu"> <AssertionConsumerServiceURL Location=" <AttributeRequester Name="CN=wayf.internet2.edu, OU=TSG, O=University Corporation for Advanced Internet Development, L=Ann Arbor, ST=Michigan, C=US"/> </DestinationSite> </SiteGroup> 4/25/2019 30

31 Trust / Revocation MACEochists believe in separation of key identification from key validation Additional layer required to map from key names in metadata to certificates and/or CAs to validate a key binding In theory, replaceable by non-Shibboleth services provided by OS or other middleware Revocation supported in a basic kind of way 4/25/2019 31

32 For a key named localhost, use the embedded certificate For an identity provider in InQueue SiteGroup or the OSU IdP, use a pair of CAs <Trust xmlns="urn:mace:shibboleth:trust:1.0" xmlns:ds=" <KeyAuthority VerifyDepth="0"> <ds:KeyName>CN=localhost, O=Shibboleth Project, C=US</ds:KeyName> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>BASE64BLOB </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyAuthority> <KeyAuthority VerifyDepth="5"> <ds:KeyName>urn:mace:inqueue</ds:KeyName> <ds:KeyName>urn:mace:incommon:osu.edu</ds:KeyName> <!-- Verisign/RSA Secure Server CA --> <!-- InCommon CA --> </Trust> 4/25/2019 32

Download ppt "Shibboleth Advanced Operational Issues and Recommendations or Tomcat Ate My Brain Scott Cantor cantor.2@osu.edu Copyright Scott Cantor 2004. This work."

Similar presentations

Suchin Rengan Principal Technical Architect Salesforce.com

Suchin Rengan Principal Technical Architect Salesforce.com
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Object-Oriented Enterprise Application Development Tomcat 3.2 Configuration Last Updated: 03/30/2001.

Object-Oriented Enterprise Application Development Tomcat 3.2 Configuration Last Updated: 03/30/2001.
Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.

Edward Tsai – CS 239 – Spring 2003 Strong Security for Active Networks CS 239 – Network Security Edward Tsai Tuesday, May 13, 2003.
Shibboleth 1.0: Federations, Metadata, and Trust Scott Cantor The Ohio State University and Internet2 © Scott Cantor 2003. This work.

Shibboleth 1.0: Federations, Metadata, and Trust Scott Cantor The Ohio State University and Internet2 © Scott Cantor This work.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.

Shibboleth 2.0 : An Overview for Developers Scott Cantor The Ohio State University / Internet2 Scott Cantor The Ohio.
Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.

Shibboleth: New Functionality in Version 1 Steve Carmody July 9, 2003 Steve Carmody July 9, 2003.
Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.

Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.

BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004.

TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004.
I2Q & WMnet Pilot Presented by Jason Rousell – i2Q Jay Neale - i2Q.

I2Q & WMnet Pilot Presented by Jason Rousell – i2Q Jay Neale - i2Q.

Similar presentations

Ads by Google