Shibboleth Service Providers: Technical Requirements and Considerations, or How I Spent My Winter/Spring/Summer Vacation. Scott Cantor, cantor.2@osu.edu

1 Shibboleth Service Providers: Technical Requirements and Considerations, or How I Spent My Winter/Spring/Summer Vacation
Scott Cantor
Copyright Scott Cantor. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Getting Started
GPG-signed source and Win32 binaries at:
- Source: opensaml-1.0.tar.gz, shibboleth-1.2.tar.gz
- Binaries: win32/shibboleth-1.2-win32.exe
- Additional Windows binaries for other libraries, MySQL, and Apache 1.3 and 2.0
Read doc/INSTALL.txt in each thoroughly for build assistance, common problems and compiler notes. Verify the GPG signatures before building or installing.
5/11/2019 2

3 Current Build/Install Issues
UNIX:
- Some packages may install uncleanly on non-GNU/Linux platforms.
- "make install" will overwrite configuration files, so back them up first.
Windows:
- The installer modifies PATH; a reboot is normally required.
- The uninstaller can remove files but will leave behind environment changes and the SHAR service.
- mod_shib_13.so and mod_shib_20.so are built against the Apache packages on the web site and are unlikely to work with an arbitrary Apache install.

4 Out of the Box
- Installs in a hybrid configuration supporting the InQueue sample IdPs and a "localhost" IdP matching the default configuration of the origin.
- Uses a dummy key pair named "localhost", which allows the default install on both ends to run on a single server. Because that key pair ships with every copy of the software, it must be replaced before the SP talks to any IdP you do not control.
- The advanced deployment session will discuss PKI configuration and naming issues.

5 Service Provider Architecture
[Diagram; only its labels survive in the transcript.] Internal side: Web Resources, Shibboleth Application(s), <RequestMap>. External side: ARP, <Requester>, providerId, Service Provider(s). Annotations: "Unit of Access Control", "Unit of Session Management and Configuration".

6 What is a Service Provider?
- A collection of resources that share a common set of requirements for user attributes
- The unit of policy in attribute release by IdPs
- The entity to whom assertions are issued by IdPs
Key requirements:
- Choose a providerId, a unique (URI) name for your service. A good choice is a URL controlled by the SP's organization, since IdPs and federations key their attribute-release and trust decisions on this name.
- Publish metadata about your SP that can be used by partners or incorporated by federations for use by IdPs.

7 Service Provider Metadata
A DestinationSite entry in the 1.2 site metadata (the Contact address and the AssertionConsumerServiceURL location were not preserved in the transcript):

<SiteGroup Name="urn:mace:inqueue" xmlns="urn:mace:shibboleth:1.0">
  <DestinationSite Name="urn:mace:inqueue:example.edu">
    <Alias>Example State Service Provider</Alias>
    <Contact Type="technical" Name="InQueue Support"/>
    <AssertionConsumerServiceURL Location="..."/>
    <AttributeRequester Name="wayf.internet2.edu"/>
  </DestinationSite>
</SiteGroup>

8 Service Provider Metadata
1.2 introduces a limited set of metadata required from SPs to interact properly with 1.2 origins.
1.3 is expected to support both the older format and the SAML 2.0 metadata format, which includes the ability to publish descriptions of attribute-consuming services within an SP.
Some metadata may be general and some may be partner-specific, but the format should be consistent.

9 Attributes
- Shibboleth (the project) is involved in standardizing attributes and semantics, along with related efforts such as InCommon.
- Shibboleth (the software) knows nothing about specific attributes or semantics, except that it:
  - encourages the use of unique, single-part naming of attributes via URIs;
  - treats SAML attribute values as arbitrary XML; simplifying this requires some assumptions.

10 Attribute Types
Built-in support for Simple and Scoped attributes.
Simple:
- string-valued, atomic serialization
- filtering based solely on value
- e.g. eduPersonEntitlement, eduPersonAffiliation, sn, givenName
Scoped:
- compound serialization (value@scope)
- filtering based on value and/or scope
- e.g. eduPersonPrincipalName, eduPersonScopedAffiliation, eduPersonTargetedID

11 Attribute Examples
eduPersonPrincipalName:
- A non-privacy-preserving persistent user identifier
- Apps maintaining user lists that migrate to EPPN can be instantly Shib-aware
eduPersonTargetedID:
- Currently an attribute; a privacy-preserving persistent user identifier modeled on Liberty
- Likely becomes an alternate SAML NameIdentifier format in 2.0

12 Attribute Examples
eduPersonScopedAffiliation:
- A small set of values scoped/contextualized to a DNS-style subdomain
- Could be considered a role expression, with the roles derived from eduPersonAffiliation and the group derived from the scope (e.g. …)
eduPersonEntitlement:
- Usually represents the result of an authorization policy applied by the IdP and asserted directly to the SP
- Useful but seductive: the SP is accepting the IdP's policy decision wholesale, so it should only accept entitlement values from IdPs it has agreed may assert them.
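The value/scope filtering that slides 10 through 12 describe, worked through as an added example. This is illustrative Go written for this page, not code from the Shibboleth SP (which is C++) and not the 1.2 AAP.xml syntax; the attribute names follow the eduPerson URN convention, while the providerId, the policy contents and the sample assertion are constructed for the example. The point it makes: a scoped value is only as trustworthy as the binding between the asserting IdP and the scope, so that binding must come from the SP's configuration, never from the assertion.

```go
package main

import (
	"fmt"
	"strings"
)

// Attribute is one SAML attribute after its values have been reduced to
// strings (the slides' simplifying assumption); scoped values are value@scope.
type Attribute struct {
	Name   string   // URI-style attribute name
	Values []string // exactly as asserted by the IdP
}

// Rule is one acceptance rule; its shape is this example's own, not AAP.xml.
type Rule struct {
	Scoped        bool            // value must parse as value@scope
	AllowedValues map[string]bool // nil: any value (EPPN, targetedID, entitlement)
}

// Policy is the SP's acceptance policy plus the scopes each IdP (by providerId)
// may assert. The scope list comes from metadata/federation configuration,
// never from the assertion being filtered.
type Policy struct {
	Rules     map[string]Rule
	IdPScopes map[string][]string
}

func (p Policy) scopeAuthorized(idp, scope string) bool {
	for _, s := range p.IdPScopes[idp] {
		if strings.EqualFold(s, scope) {
			return true
		}
	}
	return false
}

// Filter returns the values the SP should trust from attributes asserted by
// idp, plus a reason for every value or attribute it dropped. Values are
// dropped individually, so one unauthorized scope does not discard the rest.
func (p Policy) Filter(idp string, attrs []Attribute) ([]Attribute, []string) {
	var kept []Attribute
	var rejected []string
	for _, a := range attrs {
		rule, known := p.Rules[a.Name]
		if !known {
			rejected = append(rejected, fmt.Sprintf("%s: no acceptance rule", a.Name))
			continue
		}
		var ok []string
		for _, v := range a.Values {
			val := v
			if rule.Scoped {
				i := strings.LastIndex(v, "@")
				if i <= 0 || i == len(v)-1 {
					rejected = append(rejected, fmt.Sprintf("%s: %q is not value@scope", a.Name, v))
					continue
				}
				val = v[:i]
				if scope := v[i+1:]; !p.scopeAuthorized(idp, scope) {
					rejected = append(rejected, fmt.Sprintf("%s: %s may not assert scope %q", a.Name, idp, scope))
					continue
				}
			}
			if rule.AllowedValues != nil && !rule.AllowedValues[strings.ToLower(val)] {
				rejected = append(rejected, fmt.Sprintf("%s: value %q not permitted", a.Name, val))
				continue
			}
			ok = append(ok, v)
		}
		if len(ok) > 0 {
			kept = append(kept, Attribute{Name: a.Name, Values: ok})
		}
	}
	return kept, rejected
}

// ExamplePolicy is constructed for this example: the assumed example.edu IdP
// may only assert the example.edu scope, and only standard affiliation values.
func ExamplePolicy() Policy {
	affiliations := map[string]bool{"member": true, "student": true, "staff": true, "faculty": true, "employee": true}
	return Policy{
		Rules: map[string]Rule{
			"urn:mace:dir:attribute-def:eduPersonScopedAffiliation": {Scoped: true, AllowedValues: affiliations},
			"urn:mace:dir:attribute-def:eduPersonPrincipalName":     {Scoped: true},
			"urn:mace:dir:attribute-def:eduPersonEntitlement":       {},
		},
		IdPScopes: map[string][]string{"urn:mace:inqueue:example.edu": {"example.edu"}},
	}
}

func main() {
	asserted := []Attribute{ // constructed sample assertion from the example.edu IdP
		{Name: "urn:mace:dir:attribute-def:eduPersonScopedAffiliation", Values: []string{"student@example.edu", "faculty@other.edu", "president@example.edu"}},
		{Name: "urn:mace:dir:attribute-def:eduPersonPrincipalName", Values: []string{"jdoe@example.edu"}},
	}
	kept, rejected := ExamplePolicy().Filter("urn:mace:inqueue:example.edu", asserted)
	fmt.Println("kept:", kept)
	fmt.Println("rejected:", rejected)
}
```

Note what the example.edu IdP cannot do here: it cannot assert faculty@other.edu, even though the value itself is a legal affiliation, because the scope is the part that carries the authority and other.edu is not one this IdP is configured to speak for.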

13 Writing Shibboleth Applications
Does Shibboleth have an API? You can:
- Programmatically request authentication
- Access the raw SAML attribute assertion
- Access the user's IdP's providerId
- Access the SAML AuthenticationMethod URI
- Access the individual SAML attributes in stringized form
Works from any language ;-)
For many applications, no Shibboleth-specific coding is necessary.

14 Writing Shibboleth Applications: What's Different?
- WAYF issues
- Reliance on authentication as authorization rapidly falls apart
- Shibboleth sessions: here to help you
- Most deployments must deal with the implications of user privacy controls: assume nothing, fail gracefully
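An application consuming what slides 13 and 14 describe, as an added example (Go written for this page, not code from the Shibboleth project). It assumes the SP exposes the session to the application as request variables named REMOTE_USER, Shib-Origin-Site, Shib-Authentication-Method, Shib-EP-Affiliation and Shib-EP-Entitlement, with multiple values joined by ";"; those names and the separator are taken as assumptions about the 1.2 default header mapping, and the requests at the bottom are constructed. It separates "no session" from "session but the IdP released nothing" from "attributes present but not sufficient", and it never treats a session by itself as authorization.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Vars models the request-scoped variables the SP exports to the application.
// They are only meaningful for a request that actually passed through the SP
// module, which is what strips any client-supplied copies before setting them.
type Vars map[string]string

type Session struct {
	Principal   string   // REMOTE_USER (EPPN in this example)
	OriginSite  string   // Shib-Origin-Site: providerId of the user's IdP
	AuthnMethod string   // Shib-Authentication-Method URI
	Affiliation []string // Shib-EP-Affiliation, scoped values
	Entitlement []string // Shib-EP-Entitlement
}

var ErrNoSession = errors.New("no Shibboleth session")

// split turns an assumed ";"-joined multi-valued variable into a slice.
func split(v string) []string {
	var out []string
	for _, s := range strings.Split(v, ";") {
		if s = strings.TrimSpace(s); s != "" {
			out = append(out, s)
		}
	}
	return out
}

// ParseSession fails rather than guessing when the SP set no origin site:
// without it none of the other variables can be attributed to an IdP.
func ParseSession(r Vars) (Session, error) {
	if r["Shib-Origin-Site"] == "" {
		return Session{}, ErrNoSession
	}
	return Session{
		Principal:   r["REMOTE_USER"],
		OriginSite:  r["Shib-Origin-Site"],
		AuthnMethod: r["Shib-Authentication-Method"],
		Affiliation: split(r["Shib-EP-Affiliation"]),
		Entitlement: split(r["Shib-EP-Entitlement"]),
	}, nil
}

type Decision struct {
	Allow  bool
	Reason string // "ok", "login-required", "attributes-withheld", "not-entitled"
}

// Authorize grants access on a matching entitlement or an allowed (scoped)
// affiliation. Being authenticated grants nothing by itself, and the case
// where the IdP released no usable attributes (user privacy controls, ARP)
// is reported separately so the application can explain it instead of a
// bare 403.
func Authorize(r Vars, entitlement string, allowedAffiliations []string) Decision {
	s, err := ParseSession(r)
	if err != nil {
		return Decision{false, "login-required"} // send the user to the SP's session initiator
	}
	if len(s.Entitlement) == 0 && len(s.Affiliation) == 0 {
		return Decision{false, "attributes-withheld"}
	}
	for _, e := range s.Entitlement {
		if e == entitlement {
			return Decision{true, "ok"}
		}
	}
	for _, a := range s.Affiliation {
		for _, allowed := range allowedAffiliations {
			if strings.EqualFold(a, allowed) {
				return Decision{true, "ok"}
			}
		}
	}
	return Decision{false, "not-entitled"}
}

func main() {
	// Constructed requests: through the SP with attributes, never through
	// the SP, and through the SP with everything withheld by the IdP.
	cases := map[string]Vars{
		"student":   {"Shib-Origin-Site": "urn:mace:inqueue:example.edu", "REMOTE_USER": "jdoe@example.edu", "Shib-EP-Affiliation": "member@example.edu;student@example.edu"},
		"anonymous": {},
		"withheld":  {"Shib-Origin-Site": "urn:mace:inqueue:example.edu", "REMOTE_USER": "jdoe@example.edu"},
	}
	for name, r := range cases {
		fmt.Printf("%-9s -> %+v\n", name, Authorize(r, "urn:mace:example.edu:library", []string{"student@example.edu"}))
	}
}
```

The affiliation comparison uses the full scoped value on purpose: the SP's attribute acceptance policy has already checked that the asserting IdP may speak for that scope, and an application that strips the scope and matches on "student" alone would be re-opening the question the SP settled.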

15 Use of PKI
Service Providers use keys for distinct purposes:
- SSL server for user interactions (out of scope here)
- SSL client authentication on attribute queries
- Digitally signing SAML requests (FUTURE)
- Receiving wrapped encryption keys to decrypt XML (FUTURE)
Different federations or IdPs MAY require that different certificates be used. SP metadata identifies (by name) the keys used by an SP so that an IdP can authenticate them.

16 Use of PKI
Service Providers must:
- Verify XML signatures created by IdPs
- Validate SSL server certificates to authenticate IdPs
Signature verification keys and CA lists MAY depend on the IdP or federation. IdP metadata identifies (by name) the keys used by an IdP so that an SP can authenticate them.
A Trust Provider is a pluggable SP (and soon IdP) component that decides how to validate signed messages and SSL certificates. Metadata says "use key Foo"; Trust says "validate key Foo with CA Bar". Both halves are needed: a certificate that chains to CA Bar but carries some other name belongs to a different entity, and a certificate named Foo that does not chain to CA Bar is an impostor, so the SP must reject both.
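The metadata/trust split from slides 15 and 16, worked through as an added example. This is Go written for this page, not the Shibboleth trust provider, and it models the "key name" as a certificate subject CN; the federation CA, the IdP key and the providerId are all generated or made up inside the block, so it runs offline. It authenticates three presented certificates: the genuine key named in metadata, another federation member's perfectly valid key, and a same-named key issued by a CA the trust provider does not know.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IdPMetadata is what metadata says: the IdP's providerId and the name of
// the key it uses (here a certificate subject CN).
type IdPMetadata struct {
	ProviderID string
	KeyName    string
}

// TrustConfig is what the trust provider says: the CAs acceptable for this
// IdP or its federation.
type TrustConfig struct {
	Roots *x509.CertPool
}

// AuthenticateIdP applies the slides' two-step rule to a certificate the IdP
// presented (its SSL server cert on an attribute query, or the cert behind a
// SAML signature): the name must be the one metadata binds to this IdP, and
// the chain must validate under the trust provider's CAs.
func AuthenticateIdP(md IdPMetadata, trust TrustConfig, cert *x509.Certificate, now time.Time) error {
	if cert.Subject.CommonName != md.KeyName {
		return fmt.Errorf("%s: presented key %q, metadata names %q", md.ProviderID, cert.Subject.CommonName, md.KeyName)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       trust.Roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return fmt.Errorf("%s: key %q does not validate: %w", md.ProviderID, md.KeyName, err)
	}
	return nil
}

// issue mints a throwaway certificate for cn; parent == nil means self-signed.
// Fixture code for the example only, not how a federation CA operates.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Outcome holds the result for the three presented certificates.
type Outcome struct{ Genuine, OtherMember, Impostor error }

// RunScenario builds the assumed federation CA ("CA Bar"), the IdP's key
// ("key Foo") and the two wrong ones, and authenticates each against the
// same metadata and trust configuration.
func RunScenario() Outcome {
	fedCA, fedKey := issue("Example Federation CA", true, nil, nil)
	rogueCA, rogueKey := issue("Rogue CA", true, nil, nil)
	genuine, _ := issue("idp.example.edu", false, fedCA, fedKey)
	other, _ := issue("idp.other.edu", false, fedCA, fedKey)
	impostor, _ := issue("idp.example.edu", false, rogueCA, rogueKey)

	md := IdPMetadata{ProviderID: "urn:mace:inqueue:example.edu", KeyName: "idp.example.edu"}
	trust := TrustConfig{Roots: x509.NewCertPool()}
	trust.Roots.AddCert(fedCA)
	now := time.Now()
	return Outcome{
		Genuine:     AuthenticateIdP(md, trust, genuine, now),
		OtherMember: AuthenticateIdP(md, trust, other, now),
		Impostor:    AuthenticateIdP(md, trust, impostor, now),
	}
}

func main() {
	o := RunScenario()
	fmt.Println("genuine:     ", o.Genuine)
	fmt.Println("other member:", o.OtherMember)
	fmt.Println("impostor:    ", o.Impostor)
}
```

The "other member" case is the one a chain-only check gets wrong: idp.other.edu's certificate is entirely valid under the federation CA, and only the name binding from metadata says it is not the key for urn:mace:inqueue:example.edu.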

17 1.2 Component Model
[Diagram; only its labels survive in the transcript.]
- Shibboleth Core: Metadata, Trust, Credentials
- OpenSAML Protocol Engine
- SP Core: Attribute Filtering, Access Control, Session Cache, and the web server modules (mod_shib, isapi_shib, etc.)
- IdP Core: Attribute Resolver, ARP Engine, NameID Resolver, Authentication Authority (HS), Attribute Authority (AA)

18 1.2 Pluggable C++ Interfaces
- Metadata
- Trust
- Revocation
- Credentials
- Attribute Acceptance Filtering
- Configuration
- SHAR Listener (remains too RPC-centric)
- Session Cache
- Request Mapping
- Access Control

