Shibboleth Service Provider Workshop

Shibboleth Service Provider Workshop Bart Ophelders - Philip Brusten shib@kuleuven.be June 2010

Shibboleth Service provider workshop This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. 2

Acknowledgements What's new in Shibboleth 2 Chad La Joie [SAMLConf] http://docs.oasis-open.org/security/saml/v2.0/saml-conformance- 2.0-os.pdf Liberty interoperability testing: http://projectliberty.org/liberty/liberty_interoperable/implementations Shibboleth 2.0 InstallFest Service Provider Material Ann Arbor, MI SP Hands-on Session SWITCH https://spaces.internet2.edu/display/shib2 3

Program Introduction: What is Shibboleth? Shibboleth 2.x: What has changed? Concept of Federation Resource Registry A word on ADFS Installation Bootstrapping SP Configuration 4

Introduction: What is Shibboleth? Quote from http://shibboleth.internet2.edu: The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner. 5

Introduction: What is Shibboleth? Terminology Authentication: says who we are Authorization: says which resource we can access SP: Service Provider (Resource) IdP: Identity Provider (Home organisation) WAYF: Where Are You From DS: Discovery Service 6

Identity Provider Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Shibboleth module x User Agent/Browser Webserver Webserver Identity Provider Shibboleth service Service Provider Components: Identity Provider (IdP) Service Provider (SP) Where Are You From (WAYF) User Agent (UA) 7

Identity Provider Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Shibboleth module x User Agent/Browser Webserver Webserver Identity Provider Shibboleth service Service Provider SAML1.1 profile: Browser/Artifact Initial request from UA to document X No active Shibboleth session, UA redirected to WAYF 8

Identity Provider Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Shibboleth module x User Agent/Browser Webserver Webserver Identity Provider Shibboleth service Service Provider WAYF asks UA to choose an IdP (if not already set in cookie) Redirect UA to selected IdP 9

Identity Provider Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Shibboleth module x User Agent/Browser Webserver Webserver Identity Provider Shibboleth service Service Provider IdP prompts the UA for credentials (Username/Password, x509, digipass, etc). IdP uses backend to verify credentials (LDAP, ADDS, SQL, etc) 10

Identity Provider Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Shibboleth module x User Agent/Browser Webserver Webserver Identity Provider Shibboleth service Service Provider IdP resolves attributes for the authenticated principal and creates SAML assertion (authentication & attribute statement) Redirects UA with references to these assertions (Artifacts). 11

Identity Provider Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Shibboleth module x User Agent/Browser Webserver Webserver Identity Provider Shibboleth service Service Provider Shibboleth service or daemon dereferences the Artifacts on a secure backchannel with SSL mutual authentication. Invisible for the UA. 12

Identity Provider Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Shibboleth module x User Agent/Browser Webserver Webserver Identity Provider Shibboleth service Service Provider The Shibboleth service verifies and filters the information and gives it to the Shibboleth module (via RPC or TCP). The Shibboleth module or Webserver will authorise the principal. 13

Identity Provider Architecture Shibboleth v1.3 HTTP redirect HTTP interaction WAYF Shibboleth module x User Agent/Browser Webserver Webserver Identity Provider Shibboleth service Service Provider 2 The active sessions with every component will provide the single sign-on experience. 14

Shibboleth 2.x: What has changed? General SAML2 protocols Authentication Request Protocol (SP initiated) Force re-authentication Passive authentication Assertion Query and Request Protocol Artifact Resolution Protocol Single Logout Protocol (Not supported by the IdP yet) NameID Management Protocol NameID Mapping Protocol Encryption and signing of sensitive information Distributed configuration (pull) Federation Metadata Attribute-map Attribute-filter 16

Shibboleth 2.x: What has changed? Identity Provider Own authentication modules LDAP Kerberos IP-based PreviousSession (SSO) REMOTE_USER (cfr. CAS) No SAML2 force authentication Very flexible attribute resolving Very flexible attribute filtering (with constraints) Clean audit logs etc 17

Shibboleth 2.x: What has changed? Discovery Service Successor of WAYF SAML2 Identity Provider Discovery Profile Multi-federation support 18

Shibboleth 2.x: What has changed? Service Provider Multi-protocol support New attribute filtering policy language Support for ODBC based storage of state Significant performance improvements 19

Identity Provider Architecture Shibboleth v2.x HTTP redirect HTTP interaction DS Shibboleth module x User Agent/Browser Webserver Webserver Identity Provider Shibboleth service Service Provider SAML2.0 profile: Web browser SSO + HTTP POST binding Initial request from UA to document X No active Shibboleth session, UA redirected to DS 20

Identity Provider Architecture Shibboleth v2.x HTTP redirect HTTP interaction DS SP takes back control Shibboleth module x User Agent/Browser Webserver Webserver Identity Provider Shibboleth service Service Provider DS asks UA to choose an IdP (if not already set in cookie) Redirect UA back to SP with selected IdP as parameter. 21

Identity Provider Architecture Shibboleth v2.x HTTP redirect HTTP interaction DS Shibboleth module x User Agent/Browser Webserver Webserver Identity Provider Shibboleth service Service Provider SP sends SAML Authentication request to the IdP. IdP prompts the UA for credentials, if necessary. IdP uses backend to verify credentials (LDAP, ADDS, SQL, etc) 22

Identity Provider Architecture Shibboleth v2.x HTTP redirect HTTP interaction DS Shibboleth module x Webserver Identity Provider User Agent/Browser SAML response Authentication statement Attribute statement Webserver Shibboleth service Service Provider The IdP resolves and filters the principal s attribute information and constructs a SAML assertion. This assertion can optionally be signed and/or encrypted. Next, the IdP POSTs a response to the SP. 23

Identity Provider Architecture Shibboleth v2.x HTTP redirect HTTP interaction DS Shibboleth module x User Agent/Browser Webserver Webserver Identity Provider No callback! Shibboleth service Service Provider The Shibboleth service decrypts, verifies and filters the response and gives it to the Shibboleth module (via RPC or TCP). The Shibboleth module or Webserver will authorise the principal. 24

Identity Provider Architecture Shibboleth v2.x HTTP redirect HTTP interaction DS Shibboleth module x User Agent/Browser Webserver Webserver Identity Provider Shibboleth service Service Provider 2 Again, the active sessions with every component will provide the single sign-on experience. 25

Concept of Federation Group of entities, both IdPs and SPs. Can map on existing Associations (e.g.: BELNET, Associatie K.U.Leuven, K.U.Leuven, etc) App X K.U.Leuven Toledo App Y K.U.Leuven W&K App Z App Z Federation K.U.Leuven Federation Associatie K.U.Leuven 27

Concept of Federation Benefits Scalable Simplifies things WAYF service (IdP discovery) Metadata Describes entities (protocol support, contact information, etc) PKI management Trust Since Shibboleth v2.x = single point of trust Digitally signed http://shib.kuleuven.be/download/metadata 28

Resource Registry Metadata management tool Based on open source from SWITCH and modified by INTIENT and K.U.Leuven Adapted for K.U.Leuven Multi-federation support Identity Provider 1-many link Service Provider 1-many link 30

Resource Registry 31

Resource Registry For now only internal use In a later stage available for: Resource Registry Administrators To approve resources from a certain IdP Resource Administrators For administering SP information (self-service) Home Organisation Administrators For administering IdP information (self-service) Federation Administrators Signing metadata file Roles can be assigned independently 32

Resource Registry Currently hosting: Federation K.U.Leuven Federation Associatie K.U.Leuven Federation K.U.Leuven UZLeuven Test federation K.U.Leuven 33

A word on ADFS Active Directory Federation Services v1 Part of Microsoft Windows Server 2003 R2 WS-Federation Passive Requester Profile (WS-F PRP) Shibboleth v1.3 has implemented WS-Federation: Passive Requestor Interoperability Profile specification for both IdP & SP Two ways of working NT-Token based Claim based 35

Identity Provider A word on ADFS E.g. Implementation at K.U.Leuven ADFS Web Agents Account partners TRUST TRUST K.U.Leuven OWA Resources - OWA - EVault - Sharepoint - etc TRUST TRUST EVault Webserver IdP K.U.Leuven FS Sharepoint 36

A word on ADFS 37

A word on AD FS 2.0 Version 2.0 Officially released on 5 May 2010 Windows Server 2008 and Windows Server 2008 R2 Only claims based Compatible with ADFS v1.0 Liberty Interoperable Implementation Tables SAML2.0 operational modes: IdP lite SP lite 38

A word on AD FS 2.0 39

A word on AD FS 2.0 40

A word on AD FS 2.0 Identity Providers Windows Live ID Other 5) Use claims in token Application STS STS 4) Submit token WIF Token Internet Token 3) Authenticate user and get token for selected identity 2) Select an identity that matches those requirements Browser or Client CardSpace 2.0 User 1) Access application and learn token requirements Shamelessly copied from David Chappell s presentation at TechEd 2009 41

Environment RedHat Enterprise Linux 5.5 (Tikanga) Debian 5.0 (Lenny) Windows Server 2008 R2 Username: shib / root Passwords: P@ssw0rd Remote Access Linux: ssh Windows: Remote desktop 43

Environment RedHat Enterprise Linux 5.5 (Tikanga) 8 virtual machines DNS: worksh-rh-n.cc.kuleuven.be IP: 10.2.4.N Debian 5.0 (Lenny) 4 virtual machines DNS: worksh-db-n.cc.kuleuven.be IP: 10.2.4.2N Windows Server 2008 R2 10 virtual machines DNS: worksh-w8-n.cc.kuleuven.be IP: 10.2.4.4N + 10.2.4.50 44

Environment Shibboleth IdP DNS: worksh-idp.cc.kuleuven.be IP: 10.2.4.9 https://worksh-idp.cc.kuleuven.be/idp/status (only accessible through VMs: 10.2.4.0/24) 45

Environment Shibboleth standard base http://shib.kuleuven.be/ssb_sp.shtml $WORKSH_HOST = worksh-[rh db w8]-n.cc.kuleuven.be 46

Environment Key/Certificate generation - We ve done it for you Webserver Located at $PKI Signed by TerenaSSL CA Shibboleth SP Self-signed worksh-idp.cc.kuleuven.be: /home/shib/shibbolethspworkshop/certificates/shibboleth-sp Certificate: sp-[rh db w8]-n-cert.pem Key: sp-[rh db w8]-n-key.pem Save at $PKI Test certificates openssl x509 in $cert issuer noout 47

SSL certificates Use of self-signed certificates in backend No need for commercial certificates Longer lifetime No truststore to maintain for commercial CAs Revocation (just remove certificate) Trustbase of commercial signed certificates can become quite large Separate certificate for front- and backend 48

Environment Tools An absolute must: Syntax friendly editor RHEL: vim Debian: vim $ apt-get install vim Windows: notepad++ or SciTE HTTP client RHEL: links Debian: links Windows: local browser SCP or WinSCP Check your time now! Always work case sensitive! 49

mod_auth mod_shib mod_ssl... Installation - Overview IIS Shibboleth service Apache Shibboleth handler /Shibboleth.sso Shibboleth handler /Shibboleth.sso ISAPI filter Shibboleth RPC port 1600 Unix socket 50

RHEL webserver $ yum install httpd mod_ssl php DocumentRoot: /var/www/html ($DOCROOT) Configuration: /etc/httpd Logs: /var/log/httpd ($WEB_LOG) ServerName $ vim /etc/httpd/conf/httpd.conf Line 265: ServerName $WORKSH_HOST Start/Stop service $ service httpd start $ service httpd status httpd (pid ####) is running 51

RHEL webserver Prepare test application $ mkdir /var/www/html/secure $ vim /var/www/html/secure/index.php <?php header('location: https://'.$_server['server_name'].'/shibboleth.sso/session');?> 52

RHEL webserver - SSL $ vim /etc/httpd/conf.d/ssl.conf SSLCertificateFile /etc/pki/$worksh_host.pem SSLCertificateKeyFile /etc/pki/$worksh_host.key SSLCertificateChainFile /etc/pki/terenasslchain.crt $ service httpd configtest $ service httpd restart $ openssl s_client connect localhost:443 53

Debian webserver $ apt-get install libapache2-mod-php5 DocumentRoot: /var/www ($DOCROOT) Configuration: /etc/apache2 Logs: /var/log/apache2 ($WEB_LOG) ServerName $ vim /etc/apache2/sites-available/default $ vim /etc/apache2/sites-available/default-ssl Line 2, add: ServerName $WORKSH_HOST Start/Stop service $ apache2ctl start $ apache2ctl status 54

Debian webserver Prepare test application $ mkdir /var/www/secure $ vim /var/www/secure/index.php <?php header('location: https://'.$_server['server_name'].'/shibboleth.sso/session');?> 55

Debian webserver - SSL $ a2enmod ssl $ vim /etc/apache2/sites-available/default-ssl SSLCertificateFile /etc/pki/$worksh_host.pem SSLCertificateKeyFile /etc/pki/$worksh_host.key SSLCertificateChainFile /etc/pki/terenasslchain.crt $ a2ensite default-ssl $ apache2ctl configtest $ /etc/init.d/apache2 restart $ openssl s_client connect localhost:443 56

Windows Server 2008 - Apache Download: http://httpd.apache.org : Win32 Binary including OpenSSL 0.9.8m (MSI Installer) DocumentRoot: c:\htdocs ($DOCROOT) Configuration: c:\apache2.2 Logs: c:\apache2.2\logs ($WEB_LOG) ServerName C:\Apache2.2\conf\httpd.conf Line 171: ServerName $WORKSH_HOST Start/Stop service using the Apache monitor in the tray 57

Windows Server 2008 - Apache Prepare test application $ mkdir C:\htdocs\secure Create index.html file <html> <head> <title>redirect</title> <meta http-equiv="refresh" content="0;url=/shibboleth.sso/session"> </head> </html> 58

Windows Server 2008 Apache - SSL c:\apache2.2\conf\httpd.conf LoadModule ssl_module modules/mod_ssl.so [..] Include conf/extra/httpd-ssl.conf #Include c:/opt/shibboleth-sp/etc/shibboleth/apache22.config c:\apache2.2\conf\extra\httpd-ssl.conf SSLCertificateFile c:/pki/$worksh_host.pem SSLCertificateKeyFile c:/pki/$worksh_host.key SSLCertificateChainFile c:/pki/terenasslchain.crt Restart Apache2.2 via the tray $ openssl s_client connect localhost:443 59

Windows Server 2008 - IIS IIS Server Manager: Add Web Server (IIS) Role with ASP.NET ASP IIS 6 Management compatibility ISAPI filter ISAPI extensions IIS Management console IIS Management Scripts and Tools (Powershell) Documents: c:\inetpub\wwwroot\ ($DOCROOT) $ net start w3svc 60

Windows Server 2008 - IIS Prepare test application $ mkdir C:\inetpub\wwwroot\secure Create Default.asp file <% Response.Redirect "/Shibboleth.sso/Session" %> 61

Windows Server 2008 IIS - SSL Import certificate $ certutil p changeit importpfx c:\pki\$worksh_host.p12 $ Get-ChildItem cert:\localmachine\my Or use MMC Certificate snap-in 62

Windows Server 2008 IIS - SSL Configure IIS Right click website Edit bindings 63

Windows Server 2008 IIS - SSL Add.. Select SSL certificate Result 64

Shibboleth SP installation $ cd /etc/yum.repos.d $ wget http://download.opensuse.org/repositories/security://shibbole th/rhel_5/security:shibboleth.repo $ yum install shibboleth[.x86_64] (Accept GPG key 0x7D0A1B3D) Certificates $ cp $PKI/sp-rh-N-cert.pem $SHIB_CONF/sp-cert.pem $ cp $PKI/sp-rh-N-key.pem $SHIB_CONF/sp-key.pem $ service shibd start Done by RPM after installation /etc/httpd/conf.d/shib.conf /etc/rc.d/init.d/shibd 65

Shibboleth SP installation $ cd /etc/apt/sources.list.d/ $ vim lenny-backports.list deb http://www.backports.org/debian lenny-backports main contrib non-free $ apt-get update $ apt-get install debian-backports-keyring $ apt-get update $ apt-get -t lenny-backports install libapache2-mod-shib2 $ cp $PKI/sp-db-N-cert.pem $SHIB_CONF/sp-cert.pem $ cp $PKI/sp-db-N-key.pem $SHIB_CONF/sp-key.pem $ chown _shibd $SHIB_CONF/sp-key.pem 66

Shibboleth SP installation Configuration files provided by deb packages /etc/apache2/mods-available/shib2.load /etc/init.d/shibd Create/etc/apache2/mods-available/shib2.conf <Location /secure> AuthType shibboleth require shibboleth </Location> $ a2enmod shib2 $ /etc/init.d/shibd restart $ /etc/init.d/apache2 restart 67

Shibboleth SP installation Download MSI packet from http://shibboleth.internet2.edu/downloads/shibboleth/cppsp/latest/ Run shibboleth-sp-2.3.1-win32.msi 68

Shibboleth SP installation 69

Shibboleth SP installation After installation it is better to restart the OS Copy the self-signed keypair $ copy $PKI/sp-w8-N-cert.pem $SHIB_CONF/sp-cert.pem $ copy $PKI/sp-w8-N-key.pem $SHIB_CONF/sp-key.pem Restart Shibboleth service 75

Sanity checks Shibboleth ISAPI filter must be the first in the ordered list 76

Sanity checks Access Shibboleth handler from your browser https://$worksh_host/shibboleth.sso Access session handler from your browser https://$worksh_host/shibboleth.sso/session A valid session was not found. See how a Shibboleth error looks like https://$worksh_host/shibboleth.sso/foo 77

Bootstrapping the SP Goals: 1. Working SP against a single IdP 2. Enable debugging of session attributes 3. Avoid clock complaints 79

Bootstrapping the SP Choose your entityid https://$worksh_host Should be: Unique Locally scoped Logical representative Unchanging Seen on the wire, configuration files, metadata, log files, etc 80

Bootstrapping the SP Relax some requirements, set your entityid and default IdP entityid $SHIB_CONF/shibboleth2.xml logger="syslog.logger" clockskew="1800000"> <Host name= $WORKSH_HOST redirecttossl="443"> <ApplicationDefaults id="default" policyid="default" entityid="https://$worksh_host <SessionInitiator type="chaining" Location="/Login" isdefault="true" id="intranet" relaystate="cookie" entityid= https://worksh-idp.cc.kuleuven.be" <Handler type="session" Location="/Session" showattributevalues="true"/> 81

Bootstrapping the SP Provide metadata remotely from test IdP $SHIB_CONF/shibboleth2.xml <MetadataProvider type="chaining"> <MetadataProvider type="xml" uri="https://worksh-idp.cc.kuleuven.be/idp-metadata.xml" backingfilepath="idp-metadata.xml" reloadinterval="3600"/> Backup at $SHIB_RUN Uncomment whole <MetadataProvider> Comment <MetadataFilter> Normally: Provide your SP s metadata to IdP But, already done for you :-) Metadata self-generated by your Service Provider https://$worksh_host/shibboleth.sso/metadata 82

Bootstrapping the SP For IIS: Get site id (Run powershell as Administrator) $ Import-Module WebAdministration $ dir IIS:\Sites Set correct site ID and name <InProcess logger="native.logger"> <ISAPI normalizerequest="true" safeheadernames="true"> <Site id="1" name= $WORKSH_HOST"/> 83

Bootstrapping the SP Quick test Make sure configuration works $ shibd tc $SHIB_CONF/shibboleth2.xml WIN$ shibd check $SHIB_CONF/shibboleth2.xml Service Provider reloads shibboleth2.xml automatically when it changes Try it with a browser https://$worksh_host/secure/ /secure/ is protected by shibboleth2.xml (<RequestMap>) Login with shibn / P@ssw0rd Get session information https://$worksh_host/shibboleth.sso/session (you should see various attributes) 85

Bootstrapping SP - Logout Local logout https://$worksh_host/shibboleth.sso/logout This won t delete your session on the IdP! Close the browser in order to remove ALL your session cookies Or delete session cookies using the browser or an extension, e.g.: Firefox Web Developer extension 86

Bootstrapping SP Discovery Service Change the default SessionInitiator $SHIB_CONF/shibboleth2.xml <SessionInitiator type="chaining" Location="/Login" isdefault="false" id="intranet" relaystate="cookie" <SessionInitiator type="chaining" Location="/DS" id="ds" relaystate="cookie" isdefault="true"> [ ] <SessionInitiator type="samlds" URL="https://wayf.associatie.kuleuven.be/shibbolethwayf/WAYF"/> </SessionInitiator> Try again https://$worksh_host/secure/ 87

Configuration Basic configuration Attribute handling Session Initiation Access control Adding a separate application Service provider handlers Session Initiators/Discovery 89

Basic configuration Goals: 1. Understand purpose and structure of SP configuration files 2. Increase log level to DEBUG 3. Configure metadata and add signature verification 90

Important directories $SHIB_CONF Master and supporting configuration files Locally maintained metadata files HTML templates (customize them to adapt look&feel to your application) Logging configuration files (*.logger) Credentials (certificates and private keys) $SHIB_RUN UNIX socket Remotely fetched files (metadata, attribute-map) $SHIB_LOG shibd.log & transaction.log $WEB_LOG (written by Shibboleth module/isapi filter) native.log 91

Configuration files in $SHIB_CONF shibboleth2.xml main configuration file apache*.config Apache module loading attribute-map.xml attribute handling attribute-policy.xml attribute filtering settings *.logger logging configuration *Error.html HTML templates for error messages locallogout.html SP-only logout template globallogout.html single logout template Recommendation: Adapting *.html files to match the look & feel of the protected application improves user experience. 92

shibboleth2.xml structure Outer elements of the shibboleth2.xml configuration file <OutOfProcess> / <InProcess> <UnixListener> / <TCPListener> <StorageService> <SessionCache> <ReplayCache> <ArtifactMap> <RequestMapper> Needed for session initiation and access control <ApplicationDefaults> Contains the most important settings of your SP <SecurityPolicies> 93

ApplicationDefaults structure You are most likely to change something in here: <ApplicationDefaults> <Sessions> Defines handlers and how sessions are initiated and managed <Errors> Used to display error messages. Provide here logo, e-mail and CSS <RelyingParty> (*) To modify settings for certain IdPs/federations <MetadataProvider> Defines the metadata to be used by the SP <TrustEngine> Which mechanisms to use for signatures validation <AttributeExtractor> Attribute map file to use <AttributeResolver> Attribute resolver file to use <AttributeFilter> Attribute filter file to use <CredentialResolver> Defines certificate and private key to be use <ApplicationOverride> (*) Can override any of the above for certain applications 94

Logging First thing to do in case of problems shibd.log and transaction.log written by shibd, native.log written by Shibboleth module/filter *.logger files contain predefined settings for output location and default logging level (INFO) along with useful categories to raise to DEBUG Log time is in UTC (~GMT) 95

Logging Raise categories $ vim $SHIB_CONF/shibd.logger log4j.rootcategory=debug, shibd_log To implement *.logger changed: $ touch shibboleth2.xml $ tail f /var/log/shibboleth/shibd.log Try again https://$worksh_host/secure/ 96

Metadata features Metadata describes the other components (IdPs) that the Service Provider can communicate with Four primary methods built-in: Local file (you manage it) Remote file (periodic refresh, local backup) Dynamic resolution of entityid (=URL) "Null" source that disables security ( OpenID model) Security comes from metadata filtering, either by you or the SP: Signature verification White and blacklists 97

Signature verification The Test IdPs metadata is signed. Until now, it was loaded without checking, which is not secure and not recommended! First, increase security: $SHIB_CONF/shibboleth2.xml Uncomment MetadataFilter for signature verification: <MetadataProvider type="xml [ ] uri= https://worksh-idp.cc.kuleuven.be/idp-metadata.xml > <MetadataFilter type="signature certificate="sp-cert.pem"/> </MetadataProvider> 98

Signature verification Run $ shibd tc $SHIB_CONF/shibboleth2.xml WIN$ shibd check $SHIB_CONF\shibboleth2.xml and in the output you will see: WARN OpenSAML.MetadataFilter.Signature [3]: filtering out group at root of instance after failed signature check: ERROR OpenSAML.Metadata.Chaining [3]: failure initializing MetadataProvider: SignatureMetadataFilter unable to verify signature at root of metadata instance. Metadata could not be loaded because it was signed with a different key (we broke the setup). So, let s get the right key 99

Signature verification Get certificate from IdP: $ cd $SHIB_CONF $ wget https://worksh-idp.cc.kuleuven.be/workshidp.cc.kuleuven.be.pem Then fix it: $SHIB_CONF/shibboleth2.xml <MetadataProvider type="xml [ ] > <MetadataFilter type="signature certificate= worksh-idp.cc.kuleuven.be.pem"/> </MetadataProvider> Run again $ shibd tc $SHIB_CONF/shibboleth2.xml WIN$ shibd check $SHIB_CONF\shibboleth2.xml 100

Attribute handling Goals: 1. Understand how attributes are transported 2. Learn how attributes are mapped and filtered 3. See how attributes can be used as identifiers 4. Add an attribute mapping and filtering rule 102

SP attribute terminology Push Delivering attributes with SSO assertion via web browser Pull Querying for attributes after SSO via back-channel (SP -> IdP) Extraction Decoding SAML information into neutral data structures mapped to environment or header variables Filtering Blocking invalid, unexpected, or unauthorized values based on application or community criteria Resolution Resolving a SSO assertion into a set of additional attributes (e.g. queries) 103

Scoped attributes Common term for attributes that consist of a relation between a value and a scope, usually an organizational domain name E.g. affiliation = student@kuleuven.be Makes values globally usable or unique Lots of special treatment in Shibboleth to make them more useful and "safe" Alternatively, split value and scope into separate attributes: affiliation= student and homeorganization= kuleuven.be 104

Attribute mappings SAML attributes from any source are "extracted" using the configuration rules in /etc/shibboleth/attribute-map.xml Each element is a rule for decoding a SAML attribute and assigning it a local id which becomes its mapped variable name Attributes can have one or more id and multiple attributes can be mapped to the same id The id can also be used as header name in the webserver for this attribute 105

Dissecting an Advanced Attribute Rule <Attribute id="affiliation" aliases="aff affil" name="urn:mace:dir:attribute-def:edupersonscopedaffiliation"> <AttributeDecoder xsi:type="scopedattributedecoder" </Attribute> casesensitive="false"/> id The primary "id" to map into, also used in web server environment aliases Optional alternate names to map into name SAML attribute name or NameID format to map from AttributeDecoder xsi:type Decoder plugin to use (defaults to simple/string) casesensitive How to compare values at runtime (defaults to true) https://spaces.internet2.edu/display/shib2/nativespattributeextractor 106

Adding attribute mappings Add first and lastname SAML 2 attribute mappings: $SHIB_CONF/attribute-map.xml <Attribute name="urn:oid:2.5.4.4" id="sn aliases= surname /> <Attribute name="urn:oid:2.5.4.42" id="givenname"/> After saving, changes take effect immediately but NOT for any existing sessions Therefore, restart your browser (or delete your session cookies) and continue on next slide 107

K.U.Leuven attribute mappings Attribute-map made compatible with 1.3 naming conventions $SHIB_CONF/shibboleth2.xml <! <AttributeExtractor type="xml" validate="true" path="attributemap.xml"/> --> <AttributeExtractor type="xml" uri="https://shib.kuleuven.be/download/sp/2.x/attribute-map.xml" backingfilepath="attribute-map.xml" reloadinterval="7200"/> 108

Common identifiers Local userid/netid/uid ( intranet userid ), e.g. u1234567 Usually readable, persistent but not permanent, often reassigned, not unique email address, e.g. Foo.bar@kuleuven.be Usually readable, persistent but not permanent, often reassigned, unique edupersonprincipalname, e.g. u1234567@kuleuven.be Usually readable, persistent but not permanent, can be reassigned, unique edupersontargetedid / SAML 2.0 persistent ID Not readable, semi-permanent, not reassigned, unique 109

Common identifiers Legacy attribute placeholder for the SAML 2.0 persistent NameID format: opaque pairwise (IdP/SP) original motivation was privacy, but strongest features are lack of reassignment and immunity to name changes <saml:nameid Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://worksh-idp.cc.kuleuven.be" SPNameQualifier="https://worksh-rh-1.cc.kuleuven.be"> stringupto256chars </saml:nameid> In web server environment, persistentid= https://worksh-idp.cc.kuleuven.be! https://worksh-rh-1.cc.kuleuven.be!stringupto256chars 110

REMOTE_USER Special single-valued variable that all web applications should support for container-managed authentication of a unique user. Any attribute, once extracted/mapped, can be copied to REMOTE_USER Multiple attributes can be examined in order of preference, but only the first value will be used. IIS doesn t support to set the REMOTE_USER https://spaces.internet2.edu/display/shib2/nativespattributeaccess 111

Changing REMOTE_USER In case your application needs to have a remote user for authentication, you just could make Shibboleth put an attribute (e.g. sn ) as REMOTE_USER: $SHIB_CONF/shibboleth2.xml REMOTE_USER= sn eppn persistent-id targeted-id" If sn attribute is available, it will be put into REMOTE_USER Attribute sn has precedence over eppn in this case This allows very easy shibbolization of some web applications 112

Attribute filtering Answers the "who can say what" question on behalf of an application Service Provider can make sure that only allowed attributes and values are made available to application Some examples: constraining the possible values or value ranges of an attribute (e.g. edupersonaffiliation, telephonenumber,...) limiting the scopes/domains an IdP can speak for (e.g. university x cannot assert faculty@university-z.edu) limiting custom attributes to particular sources 113

Default filter policy As default, attributes are filtered out unless there is a rule! Shared rule for legal affiliation values Shared rule for scoped attributes Generic policy applying those rules and letting all other attributes through. Check $SHIB_LOG/shibd.log for signs of filtering in case of problems with attributes not being available. You would find something like no rule found, removing all values of attribute (#attribute name#) https://spaces.internet2.edu/display/shib2/afpattributefilterpolicy 114

Session initiation Goals: 1. Learn how to initiate a Shibboleth session 2. Understand their advantages and disadvantages 3. Know where to require a session, what to protect 116

Content protection and session initiation Before access control (will be covered later on) can occur, a Shibboleth session must be initiated Session initiation and content protection go hand in hand Requiring a session means the user has to authenticate Only authenticated users can access protected content 117

Content protection settings Protect hosts, directories, files or queries Apache.htaccess (dynamic) or httpd.conf (static) Apache / IIS / other RequestMap Requires Shibboleth to know exact hostname Very powerful and flexible thanks to boolean/regex operations Try accessing https://$worksh_host/ You should get access because the directory is not protected 118 https://spaces.internet2.edu/display/shib2/nativespaccesscontrol

Content protection with.htaccess Prepare webserver (<Directory name= $DOCROOT >) AllowOverride AuthConfig Let s protect the directory by requiring a Shibboleth session: $ mkdir $DOCROOT/secure2 $ vim $DOCROOT/secure2/.htaccess AuthType shibboleth require shibboleth ShibRequestSetting requiresession 1 Synonym for the last line (used in Shibboleth 1.3): ShibRequireSession On 119 https://spaces.internet2.edu/display/shib2/nativespaccesscontrol

Test content protection rule Clear session and then access https://$worksh_host/secure2 Authentication is enforced and access should be granted By now, all authenticated users get access Content protection with authorization will be covered later 120

Content protection with RequestMap $ vim $DOCROOT/secure2/.htaccess AuthType shibboleth require shibboleth $SHIB_CONF/shibboleth2.xml <Host name= $WORKSH_HOST redirecttossl= 443 > </Host> <Path name= secure2 authtype= shibboleth requiresession= true /> Module (mod_shib or ISAPI filter) provides request URL to shibd to process it Clearing session and then accessing /secure2/ now, one also is forced to authenticate 121

RequestMap Fragility By default, Apache "trusts" the user s web browser about what the requested hostname is and reports that value internally To illustrate the problem, try accessing this URL: https://$ip/secure2 Script can be accessed unprotected/without a session? How to fix? Make Apache use configured ServerName httpd.conf UseCanonicalName On IIS: normalizerequest https://spaces.internet2.edu/display/shib2/nativespisapi 122

Other content settings Requesting types of authentication E.g enforce X.509 user certificate authentication Redirect to SSL Custom error handling pages to use Redirection-based error handling In case of an error, redirect user to custom error web page with error message/type as GET arguments forceauthn Disable Single-Sign on and force a re-authentication ispassive Check whether a user has an SSO session and if he has, automatically create a session on SP without any user interaction Supplying a specific IdP to use for authentication 123 https://spaces.internet2.edu/display/shib2/nativespcontentsettings

Lazy Sessions The mode of operation so far prevents an application from running without a login. Two other very common cases: Public and private access to the same resources Separation of application and SP session Semantics are: if valid session exists process it as usual (attributes in environment array, REMOTE_USER, etc.) But if a session does NOT exist or is invalid, ignore it and pass on control to webserver/scripts 124

Lazy Sessions example Construct URL https://$worksh_host/shibboleth.sso/login?target=https://$worksh_host/shibboleth.sso/session Shibboleth handler: https://$worksh_host/shibboleth.sso Session Initiator: /Login Target location:?target=https://$worksh_host/shibboleth.sso/session Other options: https://spaces.internet2.edu/display/shib2/nativespsessioncreationparameters Most parameters can come from three places, in order of precedence: Query string parameter to Shibboleth handler A content setting (Webserver config or RequestMap) <SessionInitiator> element 125

Lazy Sessions example $ vim $DOCROOT/secure3/.htaccess AuthType shibboleth require shibboleth IIS: RequestMap entry for secure3 Save PHP/ASP script from worksh-idp.cc.kuleuven.be: /home/shib/shibbolethspworkshop/examples/lazy_session.[php asp] at $DOCROOT/secure3/lazy_session.[php asp] Access https://$worksh_host/secure3/lazy_session.[php asp] 126

Where to require a Shibboleth session Whole application with required Shibboleth session Easiest way to protect a set of documents No other authentication methods possible like this Whole application with lazy Shibboleth session Also allows for other authentication methods Authorization can only be done in application Only page that sets up application session Well-suited for dual login Application can control session time-out Generally the best solution 127

Access control Goals: 1. Create some simple access control rules 2. Get an overview about the three ways to authorize users 3. Understand their advantages and disadvantages 129

Access control Two implementations are provided by the SP:.htaccess "require" rule processing XML-based policy syntax attached to content via RequestMap Third option: Integrate access control into webapplication https://spaces.internet2.edu/display/shib2/nativespaccesscontrol 130

Access control 1.a httpd.conf 1.b.htaccess 2. XML AccessControl 3. Application Access Control + Easy to configure Can also protect locations or virtual files URL Regex Dynamic Easy to configure Platform independent Powerful boolean rules URL Regex Dynamic Very flexible and powerful with arbitrarily complex rules URL Regex Support - Only works for Apache Not dynamic Very limited rules Only works for Apache Only usable with real files and directories XML editing Configuration error can prevent SP from restarting You have to implement it yourself You have to maintain it yourself 131

1. Apache httpd.conf or.htaccess Work almost like known Apache require rules require affiliation staff require sn bar Special rules: shibboleth (no authorization) valid-user (require a session, but NOT identity) user (REMOTE_USER as usual) group (group files as usual) authncontextclassref, authncontextdeclref Default is boolean "OR, use ShibRequireAll for AND rule Regular expressions supported using special syntax: require mail ~ ^.*@(icts law).kuleuven.be$ 132

Side note: Aliases If in the attribute-map.xml file, there is a definition like: <Attribute name="urn:mace:dir:attribute-def:edupersonaffiliation" id="shib-ep-affiliation" aliases="affiliation aff affil"> [ ]/> This allows using rules aliases in authorization rules, e.g.: require affiliation staff #instead of require Shib-EP-Affiliation staff Aliases can also be used in RequestMap 133

1. Example.htaccess file Require a user to be staff member $DOCROOT/staff-only/.htaccess AuthType Shibboleth ShibRequestSetting requiresession 1 require unscoped-affiliation staff Access https://$worksh_host/staff-only with user staff, access should be granted Try the same with shibn user, access should be denied 134

1. Advanced.htaccess file Require a user to be a student or to have an entitlement: $ mkdir $DOCROOT/toledo $ vim $DOCROOT/toledo/.htaccess AuthType Shibboleth ShibRequestSetting requiresession 1 require unscoped-affiliation student require entitlement ~.*toledo.* Access: https://$worksh_host/toledo with user student and staff, access should be granted. Try again with shibn, access should be denied. 135

2. XML access control Can be used for access control independent from web server and operating system XML Access control rules can be embedded inside RequestMap or can also be dynamically loaded from external file. WARNING: Can bring down entire webserver Same special rules as.htaccess, adds boolean operators (AND,OR,NOT) 136

2. XML access control example Same as previous example but now with XML access control embedded in RequestMap $ vim $DOCROOT/toledo/.htaccess AuthType Shibboleth require shibboleth $ vim $SHIB_CONF/shibboleth2.xml <Host name= $WORKSH_HOST"> [..] <Path name= toledo" authtype="shibboleth" requiresession="true"> <AccessControl> <OR> <RuleRegex require="entitlement">.*toledo.*</ruleregex> <Rule require="unscoped-affiliation">student</rule> </OR> </AccessControl> </Path> </Host> 137

3. Application managed access control #PHP: Application can access and use Shibboleth attributes by reading them from the web server environment Attributes then can be used for authentication/access control/authorization if ($_SERVER[ affiliation ] == staff ) #Perl: { grantaccess() } if ($ENV{ affiliation } == staff ) { &grantaccess() } #ASP: if (Request.ServerVariables( affiliation ) == staff ){ { grantaccess() } 138 http://shib.kuleuven.be/download/sp/test_scripts/

3. Application managed access control Default is to use environment variables instead of HTTP headers (Apache) Cannot be manipulated in any way from outside Unfortunately not all webservers support a mechanism to create custom variables within webserver (IIS,Sun/iPlanet) Solution: AuthType shibboleth ShibRequestSetting requiresession 1 require shibboleth ShibUseHeaders On 139

Adding a separate (Shibboleth) application Goals: 1. Define another application 2. Protect new application 3. Know how to configure them if necessary 141

Terminology Service Provider (physical) An installation of the software on a server Service Provider/ Resource (logical) Web resources viewed externally as a unit Each entityid identifies exactly one logical SP SP Application Web resources viewed internally as a unit Each applicationid identifies exactly one logical application A user session is bound to exactly one application 142

Virtualization concepts A single physical SP can host any number of logical SPs A logical SP can then include any number of "applications" Web virtual hosting is often related but is also independent Applications can inherit or override default configuration settings on a piecemeal basis Multiple physical SPs can also act as a single logical SP Clustering for load balancing and failover 143

Adding an application Goal: Add a second application with a different entityid living in its own virtual host $SHIB_CONF/shibboleth2.xml <RequestMap applicationid="default"> <Host name= $IP applicationid="alt"/> [..] <ApplicationOverride id="alt" entityid="https://$ip"/> </ApplicationDefaults> 144

Adding an application For the additional application, canonical names should be turned off again (unless you use Vhosts) httpd.conf UseCanonicalName Off Test application: https://$ip/secure The IdP will throw an ERROR (entityid is not trusted) Error Message: SAML 2 SSO profile is not configured for relying party 'https://10.2.4.n' Check logging $SHIB_LOG/shibd.log and $WEB_LOG/native.log (DEBUG) You should see the new entityid 145

Adding an application <ApplicationOverride> Rule of thumb is that any settings you don't override inside the element will be inherited from the <ApplicationDefaults> element that surrounds the override. Limitations: You have to supply all the settings needed in the <Sessions> element because of the need to override the handlerurl. You do NOT have to redefine all of the handler child elements. The handlerurl MUST be unique for each SP and MUST map to the same applicationid Respect the XML sequence! 146 https://spaces.internet2.edu/display/shib2/nativespapplicationoverride

Clustering Configure multiple physical installations to share an entityid, and possibly credentials Configuration files often can be identical across servers that share an external hostname Session management: SP itself now clusterable via ODBC or memcached Host shibboleth service on one system 147

Service provider handlers Goals: 1. Understand the idea of a handler 2. Get an overview about the different types of handlers 3. Know how to configure them if necessary 149

SP handlers "Virtual" applications inside the SP with API access: SessionInitiator (requests) E.g. /Shibboleth.sso/Login AssertionConsumerService (incoming SAML response) E.g. /Shibboleth.sso/SAML/POST LogoutInitiator (SP signout) E.g. /Shibboleth.sso/Logout SingleLogoutService (incoming SLO) ManageNameIDService (advanced SAML) ArtifactResolutionService (advanced SAML) Generic (diagnostics, other useful features) E.g. /Shibboleth.sso/Session /Shibboleth.sso/Status /Shibboleth.sso/Metadata 150 https://spaces.internet2.edu/display/shib2/nativesphandler

SP handlers The URL of a handler = handlerurl + the Location of the handler. e.g. for a virtual host testsp.example.org with handlerurl of "/Shibboleth.sso", a handler with a Location of "/Login" will be https://testsp.example.org/shibboleth.sso/login Handlers aren t always SSL-only, but usually should be (handlerssl="true"). Metadata basically consists of entityid, keys and handlers Handlers are never "protected" by the SP But sometimes by IP address (e.g. with acl= 127.0.0.1 ) 151

Session initiators/discovery Goals: 1. Understand the concepts of discovery/session initiation 2. Chains and protocol precedence 3. Overview about various discovery mechanisms 153

Session initiators / Discovery concepts Session initiator Handler that created a SAML authn request for an IdP or uses a discovery mechanism to identify the IdP Discovery (in Shibboleth) Identifying the IdP of a particular user WAYF service Old name in Shibboleth for a particular way to do discovery Handler chain Sequence of handlers that share configuration and run consecutively until something useful happen or an error occurs 154 https://spaces.internet2.edu/display/shib2/nativespsessioninitiator

Intranet case Single IdP, multiple protocols, no discovery: <SessionInitiator type="chaining" Location="/Login" id="intranet" isdefault="true" relaystate="cookie" entityid="urn:mace:kuleuven.be:kulassoc:kuleuven.be"> <SessionInitiator type="saml2" defaultacsindex="1" template="bindingtemplate.html"/> <SessionInitiator type="shib1" defaultacsindex="5"/> </SessionInitiator> Protocol precedence controlled by order of SessionInitiators within a chain Common properties defined at the top are inherited by SessionInitiators in chain 155

Change protocol precedence Example: switch order of chain <SessionInitiator type="chaining" Location="/Login" id="intranet" isdefault="true" relaystate="cookie" entityid="urn:mace:kuleuven.be:kulassoc:kuleuven.be"> <SessionInitiator type="shib1" defaultacsindex="5"/> <SessionInitiator type="saml2" defaultacsindex="1" template="bindingtemplate.html"/> </SessionInitiator> Still allows either protocol, but if the IdP supports Shibboleth profile of SAML1, it will be preferred 156

Identity provider discovery Protocol SessionInitiators work when the IdP is known For consistency, discovery is implemented with alternate SessionInitiators that operate only when the IdP is NOT known A typical federated chain includes one or more "protocol" handlers followed by a single "discovery" handler at the end, like a safety net 157

Typical discovery methods External options: Older WAYF model, specific to Shibboleth/SAML1, SP loses control if a problem occurs Newer SAMLDS model, recently standardized, supports multiple SSO protocols and allows the SP to control the process Internal options: Implemented by an application (e.g. Toledo) Followed by a redirect with the entityid: /Shibboleth.sso/Login?entityID=urn:mace:kuleuven.be:kulassoc:kuleuven.be Advanced "Cookie", "Form", and "Transform" SessionInitiators 158

Discovery service case (default) Multiple protocols, discovery via DS: <SessionInitiator type="chaining" Location="/DS" id= DS" isdefault="true" relaystate="cookie > <SessionInitiator type="saml2" defaultacsindex="1" template="bindingtemplate.html"/> <SessionInitiator type="shib1" defaultacsindex="5"/> <SessionInitiator type="samlds" </SessionInitiator> URL="https://wayf.associatie.kuleuven.be/shibboleth-wayf/WAYF"/> Same as intranet case, but omits entityid and adds the safety net at the bottom Last SessionInitiator in chain tells the DS to return the user to this location with a lazy session redirect that will invoke an earlier handler (SAML2 or Shib1) in the chain 159

External discovery/wayf + Easy to use Choice can be cached in cookie DS displays only applicable IdPs - Loss of control, UI fidelity Impact of errors List of IdPs can become very long 160

Conclusions Introduction: What is Shibboleth? Shibboleth 2.x: What has changed? Concept of Federation Resource Registry A word on ADFS Installation Bootstrapping SP Configuration 161