Federating with Web Applications Janusz Ulawski HEAnet Ltd November 11, 2010
Agenda
1 Providing access to your WebApp
2 Federated Access: Software with SAML 2.0 support
3 Federating your WebApp: Shibboleth; Shibboleth SP - setup steps; Passing attributes; 3rd party apps; Do it yourself; Good practices
4 Summary
Providing access to your WebApp
Historical: IP based, AuthBasic
Other: local authentication; central authentication; central authentication + SSO
And federated access
Federated Access: Software with SAML 2.0 support
Shibboleth SP, simplesamlphp, OpenSSO, PingFederate, Tivoli Federated Access, Microsoft AD FS 2.0, Oracle Identity Federation, ...
Federated Access
[Flow diagram, built up across several slides: the user sends an HTTP request for protected content; the Shibboleth SP checks "shibsession valid?"; if valid, "authorized?" leads to access granted or access denied; if there is no valid session the user is redirected to the WAYF to select an IdP; the SP checks "is IdP trusted?" (error page if not); the user is redirected to the SP with the selected IdP; the SP generates and encodes/signs a SAML AuthnRequest and sends the user with a GET including the SAML message to the Identity Provider, where the authentication process takes place]
Federated Access: the AuthnRequest sent by the SP
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://sp.example.com/Shibboleth.sso/SAML2/POST"
    Destination="https://idp.uni-example.org/idp/profile/SAML2/Redirect/SSO"
    ID="86d85c2099bd5d3a8db609701a75edb5"
    IssueInstant="2010-10-29T23:02:06Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.com/shibboleth</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1"/>
</samlp:AuthnRequest>

Sent as: GET https://idp.uni-example.org/idp/profile/SAML2/Redirect/SSO?SAMLRequest=<encoded message>
[Diagram continued: after authentication the IdP sends the user back with a POST including the SAML response to the SP's assertion consuming service]
Federated Access: the Response returned by the IdP
<?xml version="1.0"?>
<samlp:Response ...>
  <!-- other information -->
  <saml2:Assertion ...>
    <!-- other information -->
    <saml2:AttributeStatement>
      <saml2:Attribute FriendlyName="cn" Name="urn:oid:2.5.4.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue xmlns:xs="..." xmlns:xsi="..." xsi:type="xs:string">joe.bloggs</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</samlp:Response>

Sent as: POST https://sp.example.com/Shibboleth.sso/SAML2/POST with SAMLResponse=<SAML>
[Diagram continued: once the assertion consuming service has processed the response, the SP generates the shibsession and the original request is re-evaluated against "shibsession valid?" and "authorized?"]
Federated Access: processing the SAMLResponse in the ACS (Assertion Consumer Service)
1 decrypting the SAMLResponse
2 verifying that the IdP EntityID is trusted
3 verifying that the SAMLResponse is the response to the SP's own AuthnRequest
4 extracting and resolving the attributes provided in the SAMLResponse
5 filtering the resolved attributes
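The ACS steps 2 to 5 above, modelled in Python over a constructed SAML Response (an added example, not code from the slides or from the Shibboleth project). It assumes step 1 (decryption, and signature checking) has already been done by the SP, uses the IdP entityID and attribute OIDs that appear on the slides, and mimics attribute-map.xml with a small dictionary.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response; InResponseTo echoes the AuthnRequest ID shown on the slides.
# The third attribute is deliberately one the SP has not mapped, so filtering drops it.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" InResponseTo="86d85c2099bd5d3a8db609701a75edb5" Version="2.0">
  <saml:Issuer>https://idp.uni-example.org/idp/shibboleth</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.uni-example.org/idp/shibboleth</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:2.5.4.3"><saml:AttributeValue>joe.bloggs</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>joe@uni-example.org</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:9.9.9"><saml:AttributeValue>unexpected</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

TRUSTED_IDPS = {"https://idp.uni-example.org/idp/shibboleth"}  # would come from idp-metadata.xml
# Stand-in for attribute-map.xml: SAML attribute name -> local id (hypothetical mapping)
ATTRIBUTE_MAP = {"urn:oid:2.5.4.3": "cn", "urn:oid:0.9.2342.19200300.100.1.3": "mail"}


def process_response(xml_text, outstanding_request_ids, trusted_idps=TRUSTED_IDPS):
    """Return the filtered attributes, or raise ValueError if a check fails (ACS steps 2-5)."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_idps:                       # step 2: is the IdP trusted?
        raise ValueError("untrusted IdP: %r" % issuer)
    for assertion in root.iterfind("saml:Assertion", NS):  # the assertion must come from the same IdP
        if assertion.findtext("saml:Issuer", namespaces=NS) != issuer:
            raise ValueError("assertion issuer does not match response issuer")
    in_response_to = root.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:   # step 3: answer to our own AuthnRequest?
        raise ValueError("response does not match an outstanding AuthnRequest")
    outstanding_request_ids.discard(in_response_to)     # a request ID is accepted only once
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):  # step 4: extract
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    # step 5: keep only attributes the SP has mapped; anything unmapped is discarded
    return {ATTRIBUTE_MAP[n]: v for n, v in attrs.items() if n in ATTRIBUTE_MAP}


if __name__ == "__main__":
    print(process_response(SAMPLE_RESPONSE, {"86d85c2099bd5d3a8db609701a75edb5"}))
```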
Federating your WebApp using Shibboleth
1 set up the Shibboleth SP
2 Apache configuration
3 exchange metadata with Identity Providers
4 web application code modification
Shibboleth SP - setup steps
Shibboleth SP: source code available at http://shibboleth.internet2.edu/downloads.html; includes an Apache module and a daemon component; each SP has a unique name called the entityID.
Shibboleth SP - setup steps: shibboleth2.xml
<SPConfig ...>
  <!-- other information -->
  <ApplicationDefaults id="default" policyId="default"
      entityID="https://sp.example.com/shibboleth"
      REMOTE_USER="mail" signing="false" encryption="false">
    <!-- other information -->
    <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
        relayState="cookie" entityID="https://idp.uni-example.org/idp/shibboleth">
      <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
      <SessionInitiator type="Shib1" acsIndex="5"/>
    </SessionInitiator>
    <SessionInitiator type="Chaining" Location="/DS" id="DS" relayState="cookie">
      <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
      <SessionInitiator type="Shib1" acsIndex="5"/>
      <SessionInitiator type="SAMLDS" URL="https://wayf.example.com/WAYF"/>
    </SessionInitiator>
    <!-- other information -->
    <MetadataProvider type="Chaining">
      <MetadataProvider type="XML" file="idp-metadata.xml"/>
      <!-- other metadata -->
    </MetadataProvider>
    <!-- other information -->
    <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
    <!-- other information -->
  </ApplicationDefaults>
  <!-- other information -->
</SPConfig>
Shibboleth SP - setup steps: attribute-map.xml
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- mapping eppn -->
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
  </Attribute>
  <!-- mapping mail -->
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
  <!-- other definitions -->
</Attributes>
Shibboleth SP - setup steps: Apache
1 enable the shib module
2 allow public access to the /Shibboleth.sso location
3 protect your content with Shibboleth
Shibboleth SP - setup steps: Apache, protecting content

Active protection (access only for authorized users; the access level can be controlled in Apache):
<Location /secure>
  AuthType shibboleth
  ShibRequireSession On
  # optional: headers
  ShibUseHeaders On
  require valid-user
</Location>

<Location /contentfordcustudents>
  AuthType shibboleth
  ShibRequireSession On
  require affiliation student@dcu.ie
</Location>

Passive protection (anonymous access allowed; the access level can be controlled only in the web application):
<Location /secure>
  AuthType shibboleth
  ShibRequireSession Off
  require shibboleth
</Location>
Passing attributes
Both environment variables and request headers are supported.
The historical REMOTE_USER is always supported.
Environment variables should be used wherever possible.
IIS, Sun/iPlanet: only request headers can be used.
Passing attributes: SP variables
Most variables are controlled by you, except the core variables built into the SP:

Environment variable            Request header
Shib-Application-ID             HTTP_SHIB_APPLICATION_ID
Shib-Session-ID                 HTTP_SHIB_SESSION_ID
Shib-Identity-Provider          HTTP_SHIB_IDENTITY_PROVIDER
Shib-Authentication-Instant     HTTP_SHIB_AUTHENTICATION_INSTANT
Shib-AuthnContext-Class         HTTP_SHIB_AUTHNCONTEXT_CLASS
Shib-Authentication-Method      HTTP_SHIB_AUTHENTICATION_METHOD
Shib-AuthnContext-Decl          HTTP_SHIB_AUTHNCONTEXT_DECL
Passing attributes: examples
Java, environment access:    request.getAttribute("Shib-Identity-Provider")
Java, header access:         request.getHeader("Shib-Identity-Provider")
PHP, environment access:     $_SERVER['Shib-Identity-Provider']
PHP, header access:          $_SERVER['HTTP_SHIB_IDENTITY_PROVIDER']
ASP, header access:          Request("HTTP_SHIB_IDENTITY_PROVIDER")
ASP.NET, header access:      Request.Headers("Shib-Identity-Provider")
Passing attributes: PHP, Ruby, etc. - changes
Zope/Plone behind Apache: only request headers can be used.
WebApps served by Tomcat behind Apache with mod_jk: export the variables explicitly, e.g.
  JkEnvVar Shib-Identity-Provider
  JkEnvVar eppn
  JkEnvVar mail
mod_proxy_ajp only passes environment variables with the AJP_ prefix: use headers instead, or add the AJP_ prefix to the environment variables by setting in the shibboleth2.xml config:
  <ApplicationDefaults id="default" ... attributePrefix="AJP_">
3rd party apps
The most popular webapps are already Shibboleth-enabled: Moodle, Drupal, WordPress, Mediawiki, DSpace, Google Apps/Email (Premier or Education Edition), ...
3rd party apps: Moodle [screenshots of the Shibboleth authentication settings in Moodle]
Do it yourself: example code in PHP
<?php
// The SP exports its core variables and the mapped attributes as environment variables.
if (!empty($_SERVER['Shib-Identity-Provider']) && !empty($_SERVER['Shib-Session-ID'])) {
    if (!empty($_SERVER['eppn']) && !empty($_SERVER['mail']) && !empty($_SERVER['givenName'])) {
        // never echo raw attribute values: escape them first
        echo 'Welcome ' . htmlspecialchars($_SERVER['givenName']) . "\n";
        echo 'Username: ' . htmlspecialchars($_SERVER['eppn'])
           . ', email: ' . htmlspecialchars($_SERVER['mail']) . "\n";
    } else {
        echo "IdP hasn't provided some required attributes\n";
    }
} else {
    // no session yet: send the user to the SP's Login handler and come back to this page
    // (SERVER_NAME and REQUEST_URI are escaped as well, since REQUEST_URI is client-controlled)
    $target = 'https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
    echo 'Session is not set. Please <a href="/Shibboleth.sso/Login?target='
       . htmlspecialchars(rawurlencode($target)) . '">login</a>';
}
?>
Good practices
Use passive (lazy) session protection: it allows anonymous access, local authn and modular extension, and is more flexible.
Allow users to set a local token/password if your webapp is used by clients other than a web browser.
Never handle raw attribute values: protect your site against XSS.
Always use the global config: it allows you to change the settings of mapped attributes, the handler name, etc. very quickly.
Summary
It isn't difficult.
Visit http://www.edugate.ie
Thank you!