shibboleth@nersc.gov Steve Chan sychan@lbl.gov

Similar documents
Web app AAI Integration How to integrate web applications with AAI in general?

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

Authentication Methods

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

E-LibUkr portal: Case study of Shibboleth and EZProxy in Ukraine.

Authentication and Single Sign On

SAML Federated Identity at OASIS

SAML-Based SSO Solution

Single Sign-On for the UQ Web

SD Departmental Meeting November 28 th, Ale de Vries Product Manager ScienceDirect Elsevier

SAML Security Option White Paper

Identity Federation For Authenticating and Authorizing Researchers

HP Software as a Service. Federated SSO Guide

SAML Authentication Quick Start Guide

SAML-Based SSO Solution

Shibboleth and Library Resources

A Shibboleth View of Federated Identity. Steven Carmody Brown Univ./Internet2 March 6, 2007 Giornata AA - GARR

External and Federated Identities on the Web

Federated Identity: Leveraging Shibboleth to Access On and Off Campus Resources

Identity Management. Manager, Identity Management. Academic Technology Services. Michigan State University Board of Trustees

Integrating Web Applications with Shibboleth

Perceptive Experience Single Sign-On Solutions

Integration of Shibboleth and (Web) Applications

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

Security Assertion Markup Language (SAML) Site Manager Setup

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Authentication Integration

Development and deployment of integrated attribute based access control for collaboration

U S E R D O C U M E N TA T I O N ( A L E P H I N O

Shibboleth Configuration from 100,000 Feet, in 15 Minutes or Less! Steve Thorpe Systems Programmer / Analyst MCNC

Copyright: WhosOnLocation Limited

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

Secure the Web: OpenSSO

Getting Started with AD/LDAP SSO

Web based single sign on. Caleb Racey Web development officer Webteam, customer services, ISS

Federating with Web Applications

Shibboleth : An Open Source, Federated Single Sign-On System David E. Martin martinde@northwestern.edu

Configuring EPM System for SAML2-based Federation Services SSO

The increasing popularity of mobile devices is rapidly changing how and where we

Shibboleth On-line Authentication System

Biometric Single Sign-on using SAML

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

SAML Authentication with BlackShield Cloud

Federated Identity Management

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Using Shibboleth for Single Sign- On

Single Sign On. SSO & ID Management for Web and Mobile Applications

Middleware integration in the Sympa mailing list software. Olivier Salaün - CRU

How To Use Saml 2.0 Single Sign On With Qualysguard

Integrating Multi-Factor Authentication into Your Campus Identity Management System

Federated Wikis Andreas Åkre Solberg

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

Beyond the IP Address: Shibboleth and Electronic Resources

Evaluation of different Open Source Identity management Systems

External Identity and Authentication Providers For Apache HTTP Server

Agenda. How to configure

Security As A Service Leveraged by Apache Projects. Oliver Wulff, Talend

Shibboleth User Verification Customer Implementation Guide Version 3.5

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

Federations 101. An Introduction to Federated Identity Management. Peter Gietz, Martin Haase

OpenSSO: Simplify Your Single-Sign-On Needs. Sang Shin Java Technology Architect Sun Microsystems, inc. javapassion.com

Running List: Collab Stuff Framework Services Appliance

Shibboleth Identity Provider (IdP) Sebastian Rieger

TABLE OF CONTENTS I. INTRODUCTION... 1

Flexible Identity Federation

Federated Identity Management Checklist

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

Canadian Access Federation: Trust Assertion Document (TAD)

INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

WebNow Single Sign-On Solutions

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009

Three Case Studies in Access Management

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Lets get a federated identity. Intro to Federated Identity. Feide OpenIdP. Enter your address. Do you have access to your ?

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

Federated AAA middleware and the QUT SSO environment

OpenLogin: PTA, SAML, and OAuth/OpenID

From centralized to single sign on

SCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS

Federated Identity Management

AAA for IMOS: Australian Access Federation & related components

Open Directory. Apple s standards-based directory and network authentication services architecture. Features

Getting Started with Single Sign-On

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

On Breaking SAML: Be Whoever You Want to Be

The role of authentication and eid interoperability in the access to scientific databases

Architecture of Enterprise Applications III Single Sign-On

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

Egnyte Single Sign-On (SSO) Installation for OneLogin

CA Nimsoft Service Desk

Centralized Oracle Database Authentication and Authorization in a Directory

LIGO Identity Management: Questions I Wish We Would Have Asked

Logout Support on SP and Application

managing SSO with shared credentials

Federated Identity for Cloud Computing and Cross-organization Collaboration

Transcription:

shibboleth@nersc.gov Steve Chan sychan@lbl.gov

Intro What? What is Shib? What has been Shib-Enabled? Why? What problem is solved? Why should I care? Who? Where? Who is using it?

What is Shibboleth? Gratuitous Biblical Exegesis: The Gileadites captured the fords of the Jordan leading to Ephraim, and whenever a survivor of Ephraim said, "Let me cross over," the men of Gilead asked him, "Are you an Ephraimite?" If he replied, "No,, they said, "All right, say 'Shibboleth.'" If he said, "Sibboleth," because he could not pronounce the word correctly, they seized him and killed him at the fords of the Jordan. Forty-two thousand Ephraimites were killed at that time. -Judges 12:5-6 3

What is Shibboleth? Gratuitous Biblical Exegesis: The Gileadites captured the fords of the Jordan leading to Ephraim, and whenever a survivor of Ephraim said, "Let me cross over," the men of Gilead asked him, "Are you an Ephraimite?" If he replied, "No,, they said, "All right, say 'Shibboleth.'" If he said, "Sibboleth," because he could not pronounce the word correctly, they seized him and killed him at the fords of the Jordan. Forty-two thousand Ephraimites were killed at that time. -Judges 12:5-6 Ethnic Cleansing is in violation of LBL RPM section 7.01 ES&H: A. Policy It is the policy of Lawrence Berkeley National Laboratory to perform all work safely and with full regard to the well-being of workers, guests, the public, and the environment. Keys to implementing this policy are the following core safety values: [ ] Individuals demonstrate an awareness and concern for the safety of others. Fatal Shibboleth Login failures are a STOP WORK situation! 4

What is Shibboleth? Shibboleth The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacypreserving manner. The Shibboleth software implements widely used federated identity standards, principally OASIS' Security Assertion Markup Language (SAML), to provide a federated single sign-on and attribute exchange framework. Shibboleth also provides extended privacy functionality allowing the browser user and their home site to control the attributes released to each application. Using Shibboleth-enabled access simplifies management of identity and permissions for organizations supporting users and applications. Shibboleth is developed in an open and participatory environment, is freely available, and is released under the Apache Software License. From: http://shibboleth.internet2.edu/about.html 5

What is Shibboleth? SAML Security Assertion Markup Language Standard XML schemas for exchanging security and identity information and HTTP based protocols for passing XML messages back and forth 6

What is Shibboleth? SAML Security Assertion Markup Language Standard XML schemas for exchanging security and identity information and HTTP based protocols for passing XML messages back and forth Attributes Assertions about a user(principal) such as user id, name, organizational affiliation/roles. Much of it based on common x509/ldap attributes. Attributes are encoded and transmited in SAML 7

What is Shibboleth? SAML Security Assertion Markup Language Standard XML schemas for exchanging security and identity information and HTTP based protocols for passing XML messages back and forth Attributes Assertions about a user(principal) such as user id, name, organizational affiliation/roles. Much of it based on common x509/ldap attributes. Attributes are encoded and transmitted in SAML Federation Metadata standards supporting trust relationships to enable Federated Login 8

What is Shibboleth? SAML Security Assertion Markup Language Standard XML schemas for exchanging security and identity information and HTTP based protocols for passing XML messages back and forth Attributes Assertions about a user(principal) such as user id, name, organizational affiliation/roles. Much of it based on common x509/ldap attributes. Attributes are encoded and transmited in SAML Federation Metadata standards supporting trust relationships to enable Federated Login Shibboleth/SAML Shibboleth provides conventions for attributes, standards around metadata discovery and exchange, and policy controls to support privacy and other organizational goals to support the Research and Education community. Shibboleth 2.0 and SAML 2.0 converge on metadata standards 9

What is Shibboleth? Shibboleth Web Login transaction From: http://wiki.eclipse.org/saml2_idp 10

Why Single Sign On? Pro: Reduces password fatigue from too many different passwords Sensitive/Secure information is centralized and less exposed example: the web server gets compromised and used to harvest creds Fewer locations where passwords are maintained Convenience avoids possibly insecure workarounds by users example: having the browser cache passwords Centralized audit location Con: Training User is now logged into everything, and logout is more complex Admins have to learn new technology Single point of failure 11

What is using shib at NERSC? shib.nersc.gov is the Identity Provider (IdP) 12

What is using shib at NERSC? Communicates with LDAP, handles all credentials, returns attributes 13

What is using shib at NERSC? www.nersc.gov is a Service Provider (SP) 14

What is using shib at NERSC? Service Provider is a web application dependent on IdP for authentication 15

What is using shib at NERSC? The Service Provider (www.nersc.gov) requests authentication attributes from the Identity Provider (shib.nersc.gov). Once these attributes are received, the business logic in the SP decides on authorization for the user. 16

What is using shib at NERSC? ServiceNow 17

What additional features? Single Sign On (currently disabled) JAAS Authentication handler (stackable) Radius Authentication (otp for Web SSO) Possibly useful when traveling to Cyber-Mordor (aka China) Kerberos Authentication LDAP REMOTE_USER authentication IdP looks for $REMOTE_USER for authentication Database backed attributes (JDBC) 18

Who else is using shib? Popular in R&E Communities: UC Trust: UCB,UCLA, UCSD, UCD, UCM, UCSF, LBNL, UCI, UCR, UCSC, UCOP Major Research Universities: Caltech, CMU, Columbia, Cornell, Duke, Georgetown, GA Tech, JHU, MIT, Princeton, Purdue, RPI, Stanford, U Chicago, UIUC, Penn, Yale, etc Companies with strong.edu ties and research institutions: Apple, CollegeNet, Internet2, NIH, Smithsonian, ANL, Globus, Teragrid, VOMS Software As Service Providers: Google, Microsoft, Salesforce, Oracle, ServiceNow, IBM 19

InCommon Federation InCommon.org is a large identity federation Approx. 360 members Contains all of the members in previous slide Assurance Program Certificate Service NERSC is an affiliate Provides a Discovery Service Login entry point for applications that makes available all the Identity Providers of members 20

InCommon Federation 21

InCommon Federation 22

Science Identity Federation DOE Specific Federation Led by Mike Helm M_Helm@lbl.gov Mailing List: http://groups.google.com/group/science Basic discovery service Interesting service confluence.scifed.org Several test IDPs Blanket contract for InCommon membership Training Events (Shib Install Fest) NERSC is a member 23

What/Who else is Shib-Enabled? Shibboleth Wiki is good resource: https://wiki.shibboleth.net/confluence/display/shib2/shibenabled Elsevier Science Direct JSTOR American Chemical Society UC At Your Service Online Apples itunes U Blackboard Moodle Sakai Google Apps/Gmail GridSphere GridShib Joomla MediaWiki MoinMoin Wiki SYMPA Twiki Workpress Silverstripe ServiceNow Confluence Wiki Drupal Oracle 10g/11g BEA/Websphere Apache Webserver 24

Who/What could be ShibEnabled? Web applications are easily ShibEnabled with Apache Shib Module https://wiki.shibboleth.net/confluence/display/shib2/nativesplinuxinstall Once module is configured, shibboleth login info is passed in via CGI environment variables available to PHP, CGI, etc 25

Multidomain Login Demo Demo Wordpress instance at: https://webdev1.nersc.gov/~sychan/wpdemo/ WordPress 3.3 http://wordpress.org/download/ Shib Module 1.4: http://wordpress.org/extend/plugins/shibboleth/ Apache 2.2 and Shibboleth NativeSP Customized Login Page 26

Multidomain Login Demo Apache directives for shib: <Location /~sychan/> AuthType shibboleth ShibRequireSession Off require shibboleth </Location> Significant config directives for shibd back end to apache module. Documented at: https://sites.google.com/a/lbl.gov/csd-silverstripe/ web-administrator/shibboleth-sp-configuration/apachenativesp Shibboleth uses lots and lots of XML bring XML allergy meds You are in a maze of twisty little XML stanzas, all alike 27

Multidomain Login Demo Login Domain Director Page logindemo.php: <?php echo "<center>test login from the following authentication domains:<br/><br/><br/ >"; echo '<a href="https://webdev.nersc.gov/shibboleth.sso/login?entityid=https%3a// login.lbl.gov/idp/shibboleth&'. $_SERVER['QUERY_STRING']. '"><img src="http://www.berkeleyside.com/wp-content/uploads/2011/03/berkeley-lablogo.gif" alt="berkeley Lab" height="20%" width="20%"/></a><br/><br/><br/>'; echo '<a href="https://webdev.nersc.gov/shibboleth.sso/login?entityid=https%3a// shib.nersc.gov/idp/shibboleth&'. $_SERVER['QUERY_STRING'].'"><img src="http://www.nersc.gov/themes/nersc-sass/images/logo.png" alt="nersc Shib" /></a><br/><br/><br/><br/>'; echo '<a href="https://webdev.nersc.gov/shibboleth.sso/login?entityid=https%3a// shib.nersc.gov/idpjgi/shibboleth&'. $_SERVER['QUERY_STRING'].'"><img src="https://www.llnl.gov/news/news_images/logo_jgi_new.gif" height="10%"/></ a><br/>'; echo "</center>";?> 28

Questions? Brainstorming Do we have users that want to access resources at NERSC, but don t have NIM accounts? Are there applications at other sites that NERSC users want to access without getting account at remote site? Are there applications where we want groups from multiple sites to have access too, without consolidating user db? Do we want to allow some form of NERSC authentication on hosts that we don t really trust, or on remote networks where LDAP access would be undesirable? 29

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information