AARNet Copyright 2011
Network Operations
OpenConext Workshop Down-Under
Enabling Federated Team Management, Group-Aware SPs, and SP Shop-Fronts
Neil Witheridge, AARNet Authentication & Authorisation Services Technical Manager
25th October 2013
Session 1: Hands-On #1
Hands-On #1 Topics
Workshop Environment (description of VMs)
Recap: OpenConext Architecture
SAML Proxy Deployment Scenarios
OpenConext Installation (demo default installed components)
OpenConext Components (in detail)
OpenConext Administration (default admin user account, demo adding users)
Identity Provider Integration (hands-on with instructions)
Service Provider Integration (hands-on with instructions)
Hands-On #1 Topics Cont’d
Groups/Teams Management (hands-on: team creation & population)
API Playground (hands-on: group information requests)
OAuth, OpenSocial API and VOOT (technical detail)
Preview Session 3: Hands-On #2

Non-third-party-sourced content is under the Creative Commons “Attribution 3.0 Unported” license. This means that you are permitted to freely copy, distribute, display, present, or perform material on the wiki, and create derivative works from it, for either commercial or non-commercial purposes.
Workshop Environment
VM Setup
VM Environment
–Predetermined server names and IP addresses, certificates etc.
–ocshopnn.tnd.aarnet.edu.au, ocidpnn.tnd…, ocspnn…
Accessing VMs via “ssh -X” (you need to have an ssh client on your laptop)
Network Configuration (see notebook for detailed instructions)
–IP Addresses
–Aliases
–Configure login via ssh public key
Password for initial login: see white-board
Environment Diagram: Networking
Recap: OpenConext Architecture
OpenConext Architecture
Source: http://www.internet2.edu/products-services/trust-identity-middleware/grouper/
SAML Proxy + Group Proxy
SAML Proxy Deployment Scenarios
Fed IdPs, Conext SPs
Federation IdPs, OpenConext SPs (straightforward policy compliance)
Add Conext-Only IdPs
Becomes a little more ‘iffy’ from a policy perspective
Nat Fed + Conext SP
SP B, a National Federation SP, can access Group Information
OpenConext Installation (~10 mins)
OpenConext Installation
https://github.com/OpenConext/OpenConext-vm
–Already downloaded
Execution of installation script
Pre-requisite: Certificates
Quick examination of the installation script
–Setup
–Dependencies
–Components
–Post Installation (e.g. database)
OpenConext files installed (including source code)
What can go wrong & how to start again
What’s running?
View processes running: ps -ax
–grep httpd (ls /etc/httpd/conf.d)
–grep tomcat (ls /var/lib/tomcat6/webapps)
–grep shibd (ls /etc/shibboleth)
–grep slapd (view using Apache Directory Studio)
–grep mysqld (vi /etc/my.ini ; mysql -u root -p)
Certificates (openssl x509 -in /etc/httpd/keys/openconext.pem)
Database and LDAP structure and contents
Default admin account
–Use of Mujina to login as admin: http://ocshopnn.tnd.aarnet.edu.au
–Note: use Firefox, add developer extensions, create bookmarks, delete session shift+10 ecs
Adding Users to Mujina IdP
Mujina IdP is provided for development and initial deployment
–Default administrative user
Adding users to Mujina
–REST interface
–ocshop$ cat `which addjane`
New developments in Mujina
–Multiple users
–Persistence
Mujina SP (another handy tool)
–See ServiceRegistry list of SPs (integrated in default installation)
–https://mujina-sp.shopfront.aarnet.edu.au/
OpenConext Components
OpenConext Components
Logical Architecture
–SAML Proxy (EngineBlock; Mujina IdP and SP built in, see ServiceRegistry)
–Group Proxy (API; Grouper built in, see Manage)
Components
–Engine & Profile
–ServiceRegistry
–API & API Playground
–Manage
–Teams
–Grouper
–Mujina IdP and SP
OpenConext Components
Server components making up OpenConext
–Mix of Java servlets running under Tomcat, PHP & Zend, JavaScript …
EngineBlock
Engine (SAML Proxy)
–Based on Corto (originally developed by WAYF, Denmark): https://sites.google.com/site/cortopages/
–SAML 2.0 (WebSSO profile, saml2int.org) compliant authentication proxy
–Features (from https://wiki.surfnet.nl/pages/viewpage.action?pageId=14713446)
  Proxy SP and IdP SAML assertions
  Relies on metadata management by Service Registry
  Discovery service for proxied IdPs
  Attribute management, user consent & ACLs for privacy and authorisation
  Entity metadata generation
  Includes “Profile” service allowing for user account view & basic management
Explore
  cd /etc/httpd/conf.d ; grep -l engine *
  cat engine.conf engine-internal.conf profile.conf ssl.conf vomanage.conf
  cd /opt/www/OpenConext-engineblock ; find . | grep '\.php'
Source: https://sites.google.com/site/cortopages/
ServiceRegistry
ServiceRegistry (SAML metadata management)
–Uses “JANUS” (developed by WAYF, Denmark): http://code.google.com/p/janus-ssp/
–Web-based registry for SAML2 SP & IdP metadata, ARP, ACL information
–Features
  Protected SP (requires SAML authentication)
  Attribute Release Policies for services
  Configurable user consent for IdPs
  Attribute manipulation (PHP scripted)
  Configuration versioning and multiple entity states (test, prod)
  Extensible metadata schema to non-SAML metadata (e.g. group-related metadata)
Explore
  cd /etc/httpd/conf.d ; cat serviceregistry.conf
  cd /opt/www/OpenConext-serviceregistry ; find . | grep '\.php'
Source: https://code.google.com/p/janus-ssp/
API
OpenSocial/VOOT API (Group Proxy)
–Java (developed by SURFnet)
–Features
  Allows for the exchange of person and group info using a standardized REST API
  Implements a partial OpenSocial Container: People and Group REST API calls (extended with the VOOT protocol)
  Authorization uses OAuth v2 (preferred) and optionally OAuth v1 (deprecated, legacy)
–The API supports three calls:
  Retrieve person information, i.e. attributes of a user
  Retrieve a list of groups the user is a member of
  Retrieve the list of people that are members of a group the user is a member of
–API Playground is built in for testing purposes
Explore
  cd /etc/httpd/conf.d ; cat api.conf
  cd /opt/www/OpenConext-api ; ls -R | less ; find . | grep '\.java'
  cd /var/lib/tomcat6/webapps/api.$OCDomain ; ls -R | less
Manage
Configuration utility for API
–PHP (developed by SURFnet)
–Features:
  Configure Group Providers (internal Grouper, and external)
  Configure Virtual Organisations
  Consent & ACLs for release of group information
  OpenConext usage metrics
Explore
  cd /etc/httpd/conf.d ; cat manage.conf
  cd /opt/www/OpenConext-manage ; ls -R | less ; find . | grep '\.php'
Teams
Federated tool for management of group relationships
–Java (developed by SURFnet)
–Front end to built-in Group Provider Grouper, extensible for external GPs
–Features:
  Secure team management service (requires federated authentication)
  GUI for team creation and membership management
  Email-based workflow
  Supports public and private teams
  Supports team member roles admin, manager, member
  Allows adding groups from connected group providers into teams
Explore
  cd /etc/httpd/conf.d ; cat teams.conf
  cd /opt/www/OpenConext-teams ; find . | grep '\.java'
  cd /var/lib/tomcat6/webapps/teams.$OCDomain ; ls -R | less
Grouper
Internal Group Provider service used by Teams
–Java (developed by Internet2): http://www.internet2.edu/grouper/
–Features:
  Grouper provides comprehensive group management
  Hierarchical groups
  Delegated authentication of group administrators
–Grouper WebGUI available via SAML login
Explore
  cd /etc/httpd/conf.d ; cat grouper.conf
  cd /var/lib/tomcat6/webapps/grouper.$OCDomain ; ls -R | less
Source: http://www.internet2.edu/products-services/trust-identity-middleware/grouper/
OpenConext Administration (~5 mins)
OpenConext Administration
What’s involved in administering an OpenConext deployment?
–Identifier and namespace management
  Is this part of application configuration? If so, where are the basic app configurations (in which config files)?
User Management
–Promote users to “admin” via Service Registry
Register SAML entities
–Add & maintain IdPs and SPs via Service Registry
Register External Group Providers
–Add & maintain Group Providers via Manage
Update software when new versions are available
–Respond to security alerts
Roles and responsibilities
Who can perform admin functions in OpenConext?
–Default admin accounts
–Concept of ‘user’ in Service Registry
–Promoting the user to “admin”
Example from SURFconext: administration control
  Why/when should a user be promoted to ‘admin’?
  Best practices from SURFconext experience
Functional administrative roles
–Manage (create VOs)
–Teams (create Groups/Teams)
Identity Provider Integration (~10 mins)
Identity Provider Integration
View ServiceRegistry “Create connection” interface
Basic process:
–Provisioning IdPs to trust Engine SP
  Obtain Engine SP metadata, include it in the IdPs’ SP metadata store
  Ensure IdPs release the required attributes to Engine SP
–Registration of IdP in OpenConext via ServiceRegistry
  Create IdP SAML 2.0 connection with IdP entityID
  Import and/or configure IdP metadata (provision trust in Engine)
  Include info for OpenConext discovery service (e.g. IdP logo)
  Configure user consent and attribute manipulation
Where is Engine attribute policy and attribute mapping configured?
ServiceRegistry interface
Shibboleth IdP Integration
Create a connection on your OpenConext VM to your Shib IdP
–IdP on separate VM, preinstalled and functional (initially configured to trust your Shibboleth SP)
Shibboleth IdP installed on a separate VM
–LDAP identity source; users are sam, sid, sue, sal; password …
–/opt/shibboleth-idp/conf/relying-party.xml, attribute-resolver.xml, attribute-filter.xml
–/opt/shibboleth-idp/metadata/sp-metadata.xml
–Obtaining the Shibboleth IdP metadata
Engine SP metadata
–Obtain metadata from https://engine.ocshop01.tnd.aarnet.edu.au/idp/metadata (via ServiceRegistry)
–Add SP metadata to IdP sp-metadata.xml
IdP ‘connection’ in ServiceRegistry
–To add the IdP, create a connection in ServiceRegistry. Login as ‘jane’
–Import metadata (fill in gaps, including logo location; this will appear in the DS)
–Access “Manage” and verify that you can see the Shib IdP and log in using an identity from it.
SimpleSAMLphp IdP Integration
Create a connection on your OpenConext VM to your SSphp IdP
–IdP on separate VM, preinstalled and functional (initially configured to trust your SimpleSAMLphp SP)
SimpleSAMLphp IdP already installed on a separate VM
–LDAP identity source (same as used for Shib)
–/www/simplesamlphp/config/config.php, authsources.php
–/www/simplesamlphp/metadata/saml20-idp-hosted, saml20-sp-remote
–Obtaining the SimpleSAMLphp IdP metadata, converting to XML
Engine SP metadata
–Obtain metadata from https://engine.ocshop01.tnd.aarnet.edu.au/idp/metadata (via ServiceRegistry)
–Convert Engine SP metadata to SimpleSAMLphp format, add to IdP saml20-sp-remote
IdP ‘connection’ in ServiceRegistry
–To add the IdP, create a connection in ServiceRegistry. Login as ‘jane’
–Import XML metadata (fill in gaps, including logo location; this will appear in the DS)
–Access “Manage” and verify that you can see the Shib IdP and log in using an identity from it.
Service Provider Integration (~10 mins)
Service Provider Integration
View ServiceRegistry “Create connection” interface
Basic process:
–Provisioning SP to trust Engine IdP
  Configure SP to use Engine as sole identity provider
  Obtain Engine IdP metadata, include it in the SP’s IdP metadata store
  Ensure SP is provided the required attributes by Engine IdP
–Registration of SP in OpenConext via ServiceRegistry
  Create SP SAML 2.0 connection with SP entityID
  Import and/or configure SP metadata (provision trust in Engine)
  Select ARP (Engine attribute filter) from those defined
  Configure metadata manipulation
  Include SP icon and link on OpenConext services page
ServiceRegistry interface
Shibboleth SP Integration
Your OpenConext VMs still running, also the IdP VM
–You will have already confirmed that your SP (attribute reflector) is accessible from your IdP
–(but not now, as you’ve integrated the IdP with OpenConext, so you now have an orphan SP)
Shibboleth SP already installed on a separate VM
–Apache, mod_jk and Tomcat
–/etc/shibboleth/shibboleth2.xml, attribute-policy.xml, attribute-mapping.xml
–/etc/shibboleth/idp-metadata.xml
–Obtaining the Shibboleth SP metadata from URL https://domain.name/metadata
Engine IdP metadata
–Obtain metadata from https://engine.ocshop01.tnd.aarnet.edu.au/sp/metadata (via ServiceRegistry)
–Add IdP metadata to SP idp-metadata.xml
Create SP ‘connection’ in ServiceRegistry
–To add the SP, create a connection in ServiceRegistry. Login as ‘jane’
–Import SAML 2.0 IdP metadata (fill in gaps, including logo location; this will appear in the DS)
–Add SP logo to the OpenConext homepage
–Access OpenConext homepage and verify that you can see the Shibboleth SP and log in using an identity.
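Both directions of the integration above come down to reading Engine’s SAML metadata: the SimpleSAMLphp IdP needs Engine’s SP metadata turned into a saml20-sp-remote entry, and the Shibboleth SP needs Engine’s IdP metadata for idp-metadata.xml. The following is an added example, not OpenConext’s or SimpleSAMLphp’s own converter: it parses a constructed metadata document of either role, extracts the entityID, endpoint and signing certificate that the trust relationship rests on, rejects metadata that carries no signing certificate, and renders the SimpleSAMLphp-style array entry. The entityID, URLs and certificate text are placeholders, not values from any real deployment.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in the shape of Engine's SP metadata. entityID, endpoint and
# certificate text are placeholders, not values from a real OpenConext deployment.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://engine.example.test/authentication/sp/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC-PLACEHOLDER-BASE64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://engine.example.test/authentication/sp/consume-assertion"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Role descriptor -> (role name, the endpoint element a remote-entity entry needs)
ENDPOINT_FOR_ROLE = {"md:SPSSODescriptor": ("sp", "md:AssertionConsumerService"),
                     "md:IDPSSODescriptor": ("idp", "md:SingleSignOnService")}

def parse_entity(xml_text):
    """Return (entityID, info): role, endpoints and signing certificates.
    The signing cert is the trust anchor for the remote entity, so metadata
    without one is rejected instead of being imported silently."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor")
    entity_id = root.get("entityID")
    for desc_tag, (role, ep_tag) in ENDPOINT_FOR_ROLE.items():
        desc = root.find(desc_tag, NS)
        if desc is not None:
            break
    else:
        raise ValueError("no SP or IdP role descriptor in %s" % entity_id)
    certs = []
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # unspecified use covers signing
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))  # drop PEM line wrapping
    if not certs:
        raise ValueError("no signing certificate for %s; cannot establish trust" % entity_id)
    endpoints = [(e.get("Binding"), e.get("Location")) for e in desc.findall(ep_tag, NS)]
    return entity_id, {"role": role, "endpoints": endpoints, "certs": certs}

def to_simplesamlphp(entity_id, info):
    """Render the saml20-sp-remote (or saml20-idp-remote) array entry the
    SimpleSAMLphp IdP VM expects; first endpoint and first cert are used."""
    key = "AssertionConsumerService" if info["role"] == "sp" else "SingleSignOnService"
    return "\n".join([
        "$metadata['%s'] = array(" % entity_id,
        "    '%s' => '%s'," % (key, info["endpoints"][0][1]),
        "    'certData' => '%s'," % info["certs"][0],
        ");"])
```

Fetch the metadata over HTTPS from the Engine host you expect and compare the certificate against what ServiceRegistry shows before appending the rendered entry.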
Groups/Teams Management (~10 mins)
Create a Team
Teams service (GUI front-end to Grouper)
–Grouper “group” model: hierarchical, with ‘stems’; OpenConext constrains to flat groups
–Can add groups from other Group Providers?
–Public vs Private Teams (we’ll create public teams)
Team Creation
–Access “Teams” via icon (or https://teams.$OCDomain/)
–Who can create a team? (see ServiceRegistry “Teams” SP config)
  Configured so anyone can create a team
–Create a team (name it as you like)
  You’re the “admin” of the team. You’re recommended to add other admins.
Create a Team
Adding Members to the Team
Admin initiated (invite user)
–Admin can invite members (email address, invitation message)
  Email to user inviting them to join
–User responds via link in email
  Accepts or rejects membership
–User can visit Teams or Profile to verify membership of the team
User initiated (request membership of public team)
–View public teams in Teams and request membership
  Email to manager notifying of membership request
–Manager responds via link in email, or visits Teams directly
  Accepts or rejects user request
–Admin can verify team information updated via Teams
API Playground (~10 mins)
API Playground Architecture
Visit API Playground via home page (or https://api.$OCDomain/v1/test)
Note Teams SP metadata (view in ServiceRegistry)
Three steps (note: using OAuth 2.0 Authorization Code Grant):
–OAuth Settings (change OAuth Key to https://teams.$OCDomain/)
–OAuth Authorization (obtain authorization, involves authentication)
–OAuth Requests (explore result of API requests)
  https://api.$OCDomain/v1/social/rest/groups/@me (default)
  also try https://api.$OCDomain/v1/social/rest/people/@me
  https://api.$OCDomain/v1/social/rest/people/@me/
OAuth, OpenSocial API and VOOT (a brief protocol discussion)
OAuth 2.0 Authz Code Grant
Source: (reproduced in) http://ldapwiki.willeke.com/wiki/OAuth 2 Authorization Code Flow
OpenSocial API
(latest) OpenSocial Core API Server Specification 2.5.1
3.2 OAuth 2.0 Support
Core Gadget Servers MUST support the authorization server, resource server and client roles defined in section 1.1 of the Open Authorization 2.0 specification [draft-ietf-oauth-v2-22]. A Core Gadget Server MUST provide authorization, token issuance and resource access endpoints per the OAuth 2 specification. A Core Gadget Server MUST implement the authorization code and client credential types described in section 4 of the Open Authorization 2.0 specification. Core Gadget Servers SHOULD implement the implicit grant type. Core Gadget Servers MAY implement the refresh token pattern described in section 1.5 of the OAuth 2.0 specification.
(latest) OpenSocial Social API Server Specification 2.5.1
2.1 People
Containers MUST support the People Service. Containers MUST support retrieving information about a person.
2.2 Groups
Containers MAY support the Groups Service.
VOOT API
VOOT is a very simple protocol for cross-domain read-access to groups, focusing on HE&R requirements. Authentication of the client and the user is established using OAuth 2.0, and the group protocol. VOOT is a standalone specification that intentionally aims to be partly compatible with OpenSocial v2.0.
OpenConext
–Exchange of group and person information
  Standardized REST API based on OpenSocial 1.1 API
–Subset of OpenSocial 1.1 + {voot_membership_role} attribute
–Supported calls:
  Retrieve a list of groups the user is a member of
  Retrieve the list of people that are members of the user’s group
–Security
  OAuth 2.0 protected resource server
  OAuth 1.0a supported (for now)
OpenConext ‘API playground’ is provided for testing OAuth/VOOT calls
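The API Playground slide walks through the three OAuth 2.0 Authorization Code Grant steps and the VOOT slide describes what comes back from groups/@me. The following added example (not the playground’s or OpenConext-api’s own code) shows the client side of those steps offline: building the authorization request with a state value, accepting the callback only when state matches, building the back-channel token request, and reading the voot_membership_role attribute out of a groups/@me reply the way a group-aware SP would. The api/teams hostnames, the /oauth2/authorize path, the callback URL and the group identifiers are all assumed or constructed.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed stand-ins for the workshop's api.$OCDomain / teams.$OCDomain hosts and
# for the API's OAuth 2.0 endpoints; none of these are real deployment values.
API_BASE = "https://api.ocshop01.example.test/v1"
CLIENT_ID = "https://teams.ocshop01.example.test/"       # the "OAuth Key" set in step 1
REDIRECT_URI = API_BASE + "/test/oauth-callback"          # assumed playground callback

def new_state():
    """Per-request unguessable value; bind it to the session before redirecting."""
    return secrets.token_urlsafe(16)

def build_authorization_url(state):
    """Step 2, first leg: where the playground sends the browser. Authentication
    (the federated login via Engine) happens at this endpoint, not at the client."""
    return API_BASE + "/oauth2/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "state": state})

def code_from_callback(redirect_url, expected_state):
    """Step 2, second leg: the server redirects back with code+state. The code is
    used only if state matches what this client issued (no foreign code binding)."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization response")
    if "error" in q:
        raise ValueError("authorization refused: %s" % q["error"][0])
    return q["code"][0]

def token_request_body(code):
    """Step 2, third leg: back-channel POST to the token endpoint. The client secret
    authenticates this request (e.g. HTTP Basic); it never rides in the redirect."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID})

# Constructed groups/@me reply in the OpenSocial/VOOT shape, with the
# voot_membership_role extension attribute the slides mention.
SAMPLE_GROUPS_RESPONSE = json.dumps({
    "startIndex": 0, "totalResults": 2, "itemsPerPage": 2,
    "entry": [
        {"id": "urn:collab:group:ocshop01.example.test:workshop-team",
         "title": "Workshop team", "voot_membership_role": "admin"},
        {"id": "urn:collab:group:ocshop01.example.test:readers",
         "title": "Readers", "voot_membership_role": "member"}]})

def groups_by_role(response_text):
    """Step 3 (OAuth Requests): index the groups/@me entries by membership role."""
    out = {}
    for g in json.loads(response_text).get("entry", []):
        out.setdefault(g.get("voot_membership_role", "member"), []).append(g["id"])
    return out

def groups_with_role(response_text, required_role):
    """The check a group-aware SP makes before granting role-based access: the
    user must hold exactly this role; a missing role attribute counts as 'member'."""
    return sorted(groups_by_role(response_text).get(required_role, []))
```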
Preview Session 2: Hands-On #2 & #3 (the ‘work’ in ‘workshop’)
Simple Dev Examples
Simple “HelloWorld” example in
–Java (will show/explore Scribe OAuth library)
–PHP (will show/explore implementation by SURFnet)
Any takers for trying a Grails or Python implementation?
Links:
–http://grails.org/plugin/oauth-scribe
–https://github.com/litl/rauth
Can try to use Eclipse, however the network may be too slow
–If so, use your favourite text editor