
1 www.incommon.org Shibboleth Training: Round Two

2 Welcome
- Welcome (back) to the training and thanks (again) to our hosts
- SP (Service Provider) day
- A few slides to reinforce key concepts (flows, terminology) and dig a little deeper
- The SP's role in the wonderful world of applications

3 Why is Shared Identity Important?
- Authoritative user data (attributes), expressed to a service
- Many applications, many users, not many credentials
  – People and applications are complicated
- Regulatory compliance
  – Excellent auditability of who, what, when, and how for data release
- Cloud!
  – *aaS, NET+

4 Federated Identity
- Single Sign-On (SSO) with bells and whistles added to fit a multi-domain world
  – More evolution than innovation
- Single Log-Out (SLO)... becomes a nearly intractable problem
- Provisioning
  – Can be a mess, mostly out of scope for Shibboleth
- Federations scale trust and simplify operations
  – Distinct from federated identity, as you'll find out with some vendors

5 Terminology
- Identity Provider (IdP)
- Service Provider (SP)
- Discovery Service (DS)
- Federation
- Enhanced Client & Proxy (ECP)
- Authentication
- Authorization
- Metadata
- Attribute
- Assertion
- Subject
- entityID
- Entity attributes

6 SAML 2.0 On the Wire
- Large piles of XML that we'll help you to digest
- AuthnRequest
- SAMLResponse
- SAML 2.0 can do far more than this, but these are the fundamentals
- Browser tools like SAML Tracer and web consoles give you a great HD view of the action


8 SAML 2.0 On the Wire: Outbound AuthnRequest

```http
GET https://sp.testshib.org/Shibboleth.sso/TestShib?entityID=https%3A%2F%2Fidp.testshib.org%2Fidp%2Fshibboleth HTTP/1.1
Host: sp.testshib.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://sp.testshib.org/

HTTP/?.? 302 Found
Date: Sun, 15 Sep 2013 17:43:07 GMT
Server: Apache/2.2.15 (CentOS)
Set-Cookie: _shibstate_1379266987_5fd8=https%3A%2F%2Fsp.testshib.org%2Ftesting%2Fsample.jsp; path=/; HttpOnly
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Cache-Control: private,no-store,no-cache,max-age=0
Location: https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZJdb4IwGIX%2FCuk9lA9FaISE6cVM3CTCdrGbpWCVJtCyvmUf%2F35V3OaWzLumPe8573nSOdCu7Uk26EZs2cvAQFvvXSuAnB4SNChBJAUORNCOAdE1KbK7NfEdl%2FRKalnLFlkZAFOaS7GQAoaOqYKpV16zh%2B06QY3WPRCMoXe08YeGV45UB1yYQyVbphsHQOKjrY%2FzTVEia2l0XNCj48883%2F0xMBfY7LDnLTtPb9mOK1ZrXBQbZK2WCXp2ozCcUDbbT%2F0gjNzYo%2FvQq%2BJpEERRFE9qIwMY2EqApkInyHe9wHZj25uW3oxMAuLOnpCVn6vecLHj4nCdSzWKgNyWZW6PjR6ZglMbI0Dp%2FEiXnILVBe%2FrtvQLMkr%2FQwrfSG3o5%2FgiZYzsyb2xXS1z2fL6w8raVr4tFKOaJchDOB1Hfv%2BH9BM%3D&RelayState=cookie%3A1379266987_5fd8
Content-Length: 832
Connection: close
Content-Type: text/html; charset=iso-8859-1
```

9 SAML 2.0 On the Wire: Outbound AuthnRequest

The Location header from the redirect, by itself:

https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZJdb4IwGIX%2FCuk9lA9FaISE6cVM3CTCdrGbpWCVJtCyvmUf%2F35V3OaWzLumPe8573nSOdCu7Uk26EZs2cvAQFvvXSuAnB4SNChBJAUORNCOAdE1KbK7NfEdl%2FRKalnLFlkZAFOaS7GQAoaOqYKpV16zh%2B06QY3WPRCMoXe08YeGV45UB1yYQyVbphsHQOKjrY%2FzTVEia2l0XNCj48883%2F0xMBfY7LDnLTtPb9mOK1ZrXBQbZK2WCXp2ozCcUDbbT%2F0gjNzYo%2FvQq%2BJpEERRFE9qIwMY2EqApkInyHe9wHZj25uW3oxMAuLOnpCVn6vecLHj4nCdSzWKgNyWZW6PjR6ZglMbI0Dp%2FEiXnILVBe%2FrtvQLMkr%2FQwrfSG3o5%2FgiZYzsyb2xXS1z2fL6w8raVr4tFKOaJchDOB1Hfv%2BH9BM%3D&RelayState=cookie%3A1379266987_5fd8

10 SAML 2.0 On the Wire: Outbound AuthnRequest Decoded

```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"
    Destination="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"
    ID="_08664ae7f52368091af61b953388894c"
    IssueInstant="2013-09-15T17:43:07Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.testshib.org/shibboleth-sp</saml:Issuer>
</samlp:AuthnRequest>
```
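The encoding behind the SAMLRequest parameter on slides 8 and 9 is raw DEFLATE, then base64, then URL-encoding. Added example, not from the deck or the Shibboleth project: it builds the redirect URL for an AuthnRequest constructed to match the decoded request above and parses it back the way the IdP side would; the SSO URL, request ID and RelayState are taken from the slides.

```python
"""Encode and decode the SAML 2.0 HTTP-Redirect binding for an AuthnRequest.

Added example (not Shibboleth code).  The AuthnRequest below is constructed
to match the decoded request on slide 10.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SSO_URL = "https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"

# Constructed to match the decoded AuthnRequest on slide 10.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s"'
    ' AssertionConsumerServiceURL="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"'
    ' Destination="%s"'
    ' ID="_08664ae7f52368091af61b953388894c" IssueInstant="2013-09-15T17:43:07Z"'
    ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
    '<saml:Issuer>https://sp.testshib.org/shibboleth-sp</saml:Issuer>'
    '</samlp:AuthnRequest>' % (SAMLP, SAML, SSO_URL)
)


def encode_redirect(xml_text):
    """SP side: raw DEFLATE (no zlib header), base64, then percent-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect(param):
    """IdP side: the reverse, given the still-percent-encoded query value."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    return zlib.decompress(raw, -15).decode("utf-8")


def build_redirect_url(sso_url, xml_text, relay_state):
    return "%s?SAMLRequest=%s&RelayState=%s" % (
        sso_url, encode_redirect(xml_text), urllib.parse.quote(relay_state, safe=""))


def parse_authn_request(xml_text):
    """Pull out the fields an IdP looks at first."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("{%s}Issuer" % SAML)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
    }


def parse_redirect_url(url):
    """Split the query by hand: parse_qs would turn a literal '+' in the
    base64 into a space, so the values are handed over still encoded."""
    query = urllib.parse.urlsplit(url).query
    params = dict(part.split("=", 1) for part in query.split("&") if "=" in part)
    request = parse_authn_request(decode_redirect(params["SAMLRequest"]))
    request["relay_state"] = urllib.parse.unquote(params["RelayState"])
    return request


if __name__ == "__main__":
    url = build_redirect_url(SSO_URL, AUTHN_REQUEST, "cookie:1379266987_5fd8")
    print(url)
    print(parse_redirect_url(url))
```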

11 SAML 2.0 On the Wire: Some of the Authentication Process

```http
GET https://idp.testshib.org/idp/AuthnEngine HTTP/1.1
Host: idp.testshib.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://sp.testshib.org/
Cookie: JSESSIONID=7457D9BC57AB79F47FDC449D267C3A05; _idp_authn_lc_key=19b41e7b8030fefc158a5124fa4e8dd0ada81b7e220cad9d71dba38d4be61bf9

HTTP/?.? 302 Found
Date: Sun, 15 Sep 2013 17:43:08 GMT
Expires: 0
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Location: https://idp.testshib.org:443/idp/Authn/UserPassword
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
```

12 SAML 2.0 On the Wire: Response POST

```http
POST https://sp.testshib.org/Shibboleth.sso/SAML2/POST HTTP/1.1
Host: sp.testshib.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
Cookie: _shibstate_1379266987_5fd8=https%3A%2F%2Fsp.testshib.org%2Ftesting%2Fsample.jsp
Content-Type: application/x-www-form-urlencoded
Content-Length: 18165
```

13 SAML 2.0 On the Wire: Response Body POST

RelayState: cookie:1379266987_5fd8
SAMLResponse: [base64-encoded SAMLResponse form value; omitted here]

14 SAML 2.0 On the Wire: Response Decoded

```xml
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://sp.testshib.org/Shibboleth.sso/SAML2/POST"
    ID="_756c7ce31cf1c3c05af079ad190418e9"
    InResponseTo="_08664ae7f52368091af61b953388894c"
    IssueInstant="2013-09-15T17:48:07.312Z"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.testshib.org/idp/shibboleth</saml2:Issuer>
  <!-- Status and EncryptedAssertion follow; the slide is cut off here -->
</saml2p:Response>
```
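The decoded Response carries InResponseTo equal to the ID of the AuthnRequest on slide 10, and the SP only accepts it because it still remembers that request. Added example, not the Shibboleth SP's own code: it models that bookkeeping (the _shibstate cookie on slide 8 carries the return URL for the pending request, and slide 16 clears it once a session exists) and the correlation checks it makes possible, with the Response constructed to match slide 14. Signature verification and assertion decryption are out of scope here.

```python
"""Correlate a decoded SAML Response with the AuthnRequest it answers.

Added example (not Shibboleth code).  Pending request IDs are single-use,
so a replayed Response is rejected even though every field in it is valid.
"""
import datetime as dt
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
OUR_ACS = "https://sp.testshib.org/Shibboleth.sso/SAML2/POST"
EXPECTED_IDP = "https://idp.testshib.org/idp/shibboleth"
RETURN_URL = "https://sp.testshib.org/testing/sample.jsp"  # from the _shibstate cookie

# Constructed to match the decoded Response on slide 14 (child elements omitted).
RESPONSE_XML = (
    '<saml2p:Response xmlns:saml2p="%s" Destination="%s"'
    ' ID="_756c7ce31cf1c3c05af079ad190418e9"'
    ' InResponseTo="_08664ae7f52368091af61b953388894c"'
    ' IssueInstant="2013-09-15T17:48:07.312Z" Version="2.0">'
    '<saml2:Issuer xmlns:saml2="%s"'
    ' Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">%s</saml2:Issuer>'
    '</saml2p:Response>' % (SAMLP, OUR_ACS, SAML, EXPECTED_IDP)
)


class PendingRequests:
    """Outstanding AuthnRequest IDs, each usable exactly once."""

    def __init__(self, ttl=dt.timedelta(minutes=10)):
        self._pending = {}
        self._ttl = ttl

    def issue(self, request_id, issued_at, return_url):
        self._pending[request_id] = (issued_at, return_url)

    def consume(self, request_id, now):
        """Return the saved return URL, or None if unknown, expired or reused."""
        entry = self._pending.pop(request_id, None)
        if entry is None or now - entry[0] > self._ttl:
            return None
        return entry[1]


def parse_instant(text):
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return dt.datetime.strptime(text, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            pass
    raise ValueError("bad IssueInstant: %r" % text)


def check_response(xml_text, pending, now, max_skew=dt.timedelta(minutes=3)):
    """Return (ok, problems, return_url) for a decoded Response."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % SAMLP:
        return False, ["not a samlp:Response"], None
    if root.get("Version") != "2.0":
        problems.append("unsupported SAML version")
    if root.get("Destination") != OUR_ACS:
        problems.append("Destination is not our AssertionConsumerService")
    issuer = root.find("{%s}Issuer" % SAML)
    if issuer is None or (issuer.text or "").strip() != EXPECTED_IDP:
        problems.append("Issuer is not the IdP the request was sent to")
    try:
        if abs(now - parse_instant(root.get("IssueInstant", ""))) > max_skew:
            problems.append("IssueInstant outside the clock-skew window")
    except ValueError as exc:
        problems.append(str(exc))
    return_url = pending.consume(root.get("InResponseTo"), now)
    if return_url is None:
        problems.append("InResponseTo does not match a pending, unused request")
    return not problems, problems, return_url


def demo():
    """Walk the slides' timeline: request at 17:43:07, response just after 17:48:07."""
    pending = PendingRequests()
    pending.issue("_08664ae7f52368091af61b953388894c",
                  parse_instant("2013-09-15T17:43:07Z"), RETURN_URL)
    now = parse_instant("2013-09-15T17:48:08Z")
    first = check_response(RESPONSE_XML, pending, now)
    replay = check_response(RESPONSE_XML, pending, now)  # same Response again
    return first, replay


if __name__ == "__main__":
    print(demo())
```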

15 SAML 2.0 On the Wire: Assertion Decrypted

(Only the text content of the decrypted assertion survived; the element tags were lost. The values, in document order:)

https://idp.testshib.org/idp/shibboleth
http://www.w3.org/2000/09/xmldsig
_eeb8e86508a287a76650811310111869
https://sp.testshib.org/Shibboleth.sso/SAML2/POST
https://sp.testshib.org/shibboleth-sp
https://sp.testshib.org/shibboleth-sp
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Member

16 SAML 2.0 On the Wire: Session Created

```http
HTTP/?.? 302 Found
Date: Sun, 15 Sep 2013 17:48:07 GMT
Server: Apache/2.2.15 (CentOS)
Set-Cookie: _shibsession_64656661756c7468747470733a2f2f73702e74657374736869622e6f72672f73686962626f6c6574682d7370=_0c4133a61ce1abb3b04faa379dbb1e4a; path=/; HttpOnly
Set-Cookie: _shibstate_1379266987_5fd8=; path=/; HttpOnly; expires=Mon, 01 Jan 2001 00:00:00 GMT
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Cache-Control: private,no-store,no-cache,max-age=0
Location: https://sp.testshib.org/testing/sample.jsp
Content-Length: 308
Connection: close
Content-Type: text/html; charset=iso-8859-1
```

17 SAML 2.0 On the Wire: What does the SP finally set?

Session Expiration (barring inactivity): 459 minute(s)
Client Address: 131.252.248.198
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://idp.testshib.org/idp/shibboleth
Authentication Time: 2013-09-15T17:48:07.046Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)

Attributes
affiliation: 1 value(s)
cn: 1 value(s)
entitlement: 1 value(s)
eppn: 1 value(s)
givenName: 1 value(s)
persistent-id: 1 value(s)
sn: 1 value(s)
telephoneNumber: 1 value(s)
unscoped-affiliation: 1 value(s)

18 SAML 2.0 On the Wire: What does the application finally see?
- How the application sees and uses the information exposed by the SP depends on the application, the environment, and the language
- Here are some examples

19 Integration Example -- Java

```java
import javax.servlet.http.HttpServletRequest;

// REMOTE_USER is populated by the SP sitting in front of the servlet container;
// getRemoteUser() already returns a String, so no cast is needed.
public String getUser(HttpServletRequest req) {
    return req.getRemoteUser();
}
```

or, for an individual attribute (getAttribute returns Object, hence the cast):

```java
return (String) req.getAttribute("uid");
```

20 Integration Example -- PHP

```php
<?php
// The SP exports attributes as server variables; $_SERVER["uid"] is not a client-supplied header.
$user = $_SERVER["uid"];
// The value originates at the IdP, so escape it before echoing into HTML.
echo "User UID is: " . htmlspecialchars($user, ENT_QUOTES, "UTF-8");
```

21 Integration Example -- ASP

Classic ASP (on IIS the SP supplies attributes as request headers, hence the HTTP_ prefix):

    Request("HTTP_uid")

ASP.NET:

    Request.Headers("uid")

22 Application Integration
- Moving out of the “Science” zone and into the “Art” zone
- Two main points of integration: session management, attribute use
- Session management handled by HTTP queries
- Attributes available per above
- Rule of Thumb: applications try to handle everything internally and require “domestication”
- Every state of understanding reached with an application is unique

23 More Integration Information
- Apache can be used as a front-end for a Java servlet container; FastCGI support also exists
  – Other implementations like OIOSAML, pySAML, ruby-saml, simpleSAMLphp, etc. offer alternatives, but tend to be less fully featured
- Many fun problems for the solution-oriented individual
- The SP is written as an Apache module or IIS ISAPI filter paired with a daemon, shibd
- The SP can be integrated with applications in a thousand ways
  – Typically, attributes are received as environment variables, and some special URLs make Shibboleth things happen for the app
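Slides 17 through 23 describe what the application sees once the SP has a session: REMOTE_USER plus attributes exported as environment variables. Added example, not from the deck or the Shibboleth project: a small WSGI application that reads those variables (names as on slide 17; values constructed), splits multi-valued attributes on the SP's ';' separator, and decides authorization from them. It assumes the SP's default attribute-map names and the Shib-Identity-Provider variable the SP sets alongside them, and it deliberately ignores anything arriving as an HTTP_ header.

```python
"""What the application finally sees: a WSGI app behind the Shibboleth SP.

Added example (not Shibboleth code).  Attribute names follow slide 17; all
values here are constructed.
"""
import html

REQUIRED_ENTITLEMENT = "urn:mace:dir:entitlement:common-lib-terms"  # constructed policy


def split_multi(value):
    """Split a multi-valued SP attribute: values are joined with ';' and a
    literal ';' inside a value is escaped as '\\;'."""
    values, current, i = [], [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] == ";":
            current.append(";")
            i += 2
        elif value[i] == ";":
            values.append("".join(current))
            current = []
            i += 1
        else:
            current.append(value[i])
            i += 1
    values.append("".join(current))
    return [v for v in values if v]


def shib_identity(environ):
    """Collect the SP-provided identity from server variables only.  A client
    header named 'eppn' would appear as HTTP_EPPN and is never consulted."""
    if not environ.get("REMOTE_USER"):
        return None
    return {
        "user": environ["REMOTE_USER"],
        "eppn": environ.get("eppn", ""),
        "idp": environ.get("Shib-Identity-Provider", ""),
        "affiliations": split_multi(environ.get("affiliation", "")),
        "entitlements": split_multi(environ.get("entitlement", "")),
        "given_name": environ.get("givenName", ""),
    }


def is_authorized(identity):
    return REQUIRED_ENTITLEMENT in identity["entitlements"]


def app(environ, start_response):
    identity = shib_identity(environ)
    if identity is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"No Shibboleth session (REMOTE_USER not set)\n"]
    if not is_authorized(identity):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Missing entitlement\n"]
    # Attribute values are IdP-supplied text: escape before rendering.
    body = "<p>Hello, %s (%s) from %s</p>" % (
        html.escape(identity["given_name"]),
        html.escape(identity["eppn"]),
        html.escape(identity["idp"]),
    )
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


def run(environ):
    """Invoke the WSGI app directly and return (status, body) for inspection."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode("utf-8")


# Constructed environment resembling what the SP exports for the slide 17 session.
SAMPLE_ENVIRON = {
    "REMOTE_USER": "alice@testshib.org",
    "eppn": "alice@testshib.org",
    "affiliation": "member@testshib.org;staff@testshib.org",
    "entitlement": REQUIRED_ENTITLEMENT,
    "givenName": "Alice <script>",
    "Shib-Identity-Provider": "https://idp.testshib.org/idp/shibboleth",
    "HTTP_EPPN": "admin@testshib.org",  # client-supplied header: ignored
}

if __name__ == "__main__":
    print(run(SAMPLE_ENVIRON))
```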

24 Today's Agenda
- Us talking at you (apologies, done for now)
- A self-paced installation and configuration of the SP
- Quick tour of the SP configuration files, covering pieces you didn't need to work with
- SP productionalization discussion
- And, at any time, ask your questions, raise your hand, engage with us!

25 Thank you!
Now, the real fun begins... (these links are also in the emailed workshop information for a superior copy/paste experience)
- Linux SP: https://spaces.internet2.edu/x/LoLNAQ
- Windows SP: https://spaces.internet2.edu/x/aYH8

