Shibboleth Configuration in Tübingen

Transcription

1 Shibboleth Configuration in Tübingen Thomas Zastrow Yana Panchenko

2 The university Tübingen is member of the DFN AAI The computing center in Tübingen runs a centralized IDP for the whole university In the SfS, a Shibboleth service provider was installed: still hosts the old D-SPIN homepage 2

3 Two servers are running the main services for CLARIN D: Weblicht.sfs... Apache HTTPD + Shibboleth Proxy Tomcat WebLicht TCF Visualizer DCA Proxy amber.sfs... Tomcat Webservices Databases Resources SOAP Gateway... 3

4 Requirements for a SP Certificates from the DFN-AAI, integrated into OpenSSL BEGIN CERTIFICATE MIIFpzCCBI+gAwIBAgIED+vXfzANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJE RTEfMB0GA1UEChMWVW5pdmVyc2l0YWV0IFR1ZWJpbmdlbjEcMBoGA1UEAxMTR2xv YmFsLVVOSVRVRS1DQSAwMTEpMCcGCSqGSIb3DQEJARYadW5pdHVlLWNhQHVuaS10 dwviaw5nzw4uzguwhhcnmtawnde5mtmynja3whcnmtuwnde4mtmynja3wjcbyzel MAkGA1UEBhMCREUxHzAdBgNVBAoTFlVuaXZlcnNpdGFldCBUdWViaW5nZW4xKDAm BgNVBAsTH1NlbWluYXIgZnVlciBTcHJhY2h3aXNzZW5zY2hhZnQxDjAMBgNVBAsT BURTUElOMREwDwYDVQQLEwhXZWJMaWNodDEmMCQGA1UEAxMdd2VibGljaHQuc2Zz LnVuaS10dWViaW5nZW4uZGUxJjAkBgkqhkiG9w0BCQEWF2VoQHNmcy51bmktdHVl YmluZ2VuLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJJ+lISL licghmdtc5ekdkspkziefgf6u0i2yt+u/bx37xl4yovmmxjxrlqm4oevne67n8k8 4qe06B8xErFh3KqgC5Q5keUlQmXJu4wvABnk9AuxlwJKuGXI3PetBYdid10A7Iu 3Ki0s3j7+7yYTG6xXJt4qrE7rV/v79zBQcoKOwu1AMdfV9q8GRShEXCQ82P4IITT Q4z513p1e0mscDdBIunH6aThNCJA9rUBwEVX90HX5KHaOPSksHISylhjl/++XJFy /0wBpiZ4+7pN2S/go9J8A153NZSPhF2M5deyWgjT/K2LSudLnegIlRFTq1Kv89eE bf/zahunvakbqqidaqabo4ib5dccaeawcqydvr0tbaiwadalbgnvhq8ebamcbeaw HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQWBBRmWkIAb3Vr zkttelxvwsx4nngcudafbgnvhsmegdawgbswwbtonx/i1kgcgngv4pxbnm3dqdai BgNVHREEGzAZgRdlaEBzZnMudW5pLXR1ZWJpbmdlbi5kZTCBkwYDVR0fBIGLMIGI MEKgQKA+hjxodHRwOi8vY2RwMS5wY2EuZGZuLmRlL2NsYXNzaWMtdW5pdHVlLWNh L3B1Yi9jcmwvZ19jYWNybC5jcmwwQqBAoD6GPGh0dHA6Ly9jZHAyLnBjYS5kZm4u ZGUvY2xhc3NpYy11bml0dWUtY2EvcHViL2NybC9nX2NhY3JsLmNybDCBrAYIKwYB BQUHAQEEgZ8wgZwwTAYIKwYBBQUHMAKGQGh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUv Y2xhc3NpYy11bml0dWUtY2EvcHViL2NhY2VydC9nX2NhY2VydC5jcnQwTAYIKwYB BQUHMAKGQGh0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvY2xhc3NpYy11bml0dWUtY2Ev chvil2nhy2vydc9nx2nhy2vydc5jcnqwdqyjkozihvcnaqefbqadggebagxjyoka uuwufzvszzutqnicslwwhmrb6g63crkbgbmsngfwiyhrizcjtpytdabj1lg2pryj YpbhHR4892JIAm1IkyR4sJvAKXgnzNHtTy1ZTmlP7BjekPb6pcSRWAra84A+bOWY +Q3KRITfEcUfsFw/PWYO8qwDurTWGBK3ReWkwLJ9y89XZDXQZt4A9RQnnBvnC7RU klkamxrv27neeug8eh0tufxsthulbclnnnhaat1c8m2awjwcwshg5ctr99musjtc NGifdwt0qWax50ASplgOtT/GZAw2E7HEEgbDA+6JcKpVlh+UMnk2JN+nkkKUjgnD wn2yhswhnnmiigy= END CERTIFICATE 4

5 5

6 Tübingen Software Environment Shibboleth Version 2.x Apache 2: mod_ssl, shib2 enabled DFN tutorial: 6

7 Configuration Virtual host in Apache (SSL): <Directory /var/www/login_s/> AuthType shibboleth ShibRequireSession On Require valid-user </Directory> -> Shibboleth configuration: /etc/shibboleth/shibboleth2.xml 7

8 hfps://weblicht.sfs.uni tuebingen.de/login_s/ 8

9 Local Authentification In addition to the Shibboleth login, there is another login way which makes use of the local Apache user management Its necessary because many CLARIN users don't have an account in the CLARIN identity federation 9

10 PHP: Display all server based variables <? $ = $_SERVER["eppn"]; echo "Wer bin ich: $ "; echo '<table border="1">'; foreach($_server as $k => $v) { echo '<tr><td>'.$k.'</td><td>'.$v.'</td></tr>'; } echo '</table>';?> 10

11 SAML Tracer SAML Tracer is an addon for Firefox: addons.mozilla.org/en- US/firefox/addon/samltracer/ 11

12 Conclusion The computing center in Tübingen was very helpful Also the people from the DFN AAI join the mailing lists! 12

13 Conclusion Attributes: it is not sure which attributes a SP gets from the IDPs Next step: secure web services and delegation 13

14 Delegated Authentication with Shibboleth Delegated authentication model among SAML-enabled services since Shibboleth v2.1.3: uses SAML2.0 Enhanced Client profile (ECP) for delegation multi-tier delegation possible 14

15 Use case for WebLicht: App1, WS2, WS3, WS4 are all protected with Shibboleth within Clarin federation App1 - WebLicht web application for chaining NLP tools WS2 - tokenizer from Uni 2 WS3 - tagger from Uni 3 WS4 - resources from Uni 4 used by WS3 for tagging 15

16 User App1 WS2 WS3 WS4 recognize both the original client App1/WS3 and the subject (user) and the fact that "delegate" client is accessing it on behalf of that subject as a result know that the user is signed-in and know the user identity can control or limit access of the user based on the user (and optionally the client) identity can apply internal authorization based on the user identity 16

17 Complications: Shibboleth above v2.1.3 is required requires additional relatively complicated configuration for all the participating parties: for IdP, for SPs that can delegate, for SPs that accept delegation not possible to specify that delegation from all SPs to all SPs is allowed I.e. each web service should know and specify in advance which other web service it can access, and by which other web service it can be accessed 17

18 What is possible with Shibboleth at the moment: Other restrictions / licenses Academic Community Free 18

19 Shibboleth & Tomcat There are some third-partie libraries which allow to integrate Shibboleth directly into Tomcat But: They are not official, there could be problems with versions, security etc. Solution: use an Apache HTTPD for the Shibboleth functionality and put Tomcat behind it, accessing Tomcat via mod_proxy_ajp 19

20 Apache HTTPD runs on port 443 with SSL: Tomcat runs on localhost on port 8080 (or another one): With the proxy: 20

21 <Location "/soapgate/"> Order Allow,Deny Allow from All ProxyPassReverse soapgate </Location> ajp://amber.sfs.uni-tuebingen.de:8009/ ProxyPass /soapgate ajp://amber.sfs.uni-tuebingen.de:8009/ soapgate 21