Integration of Shibboleth and (Web) Applications

Similar documents
Federating with Web Applications

S P I E Information Environments Shibboleth and Its Integration into Security Architectures. EDUCAUSE & Internet 2 Security Professionals Conference

OIOSAML 2.0 Toolkits Test results May 2009

SAML Authentication within Secret Server

Shibboleth Identity Provider (IdP) Sebastian Rieger

Introducing Shibboleth

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Shibboleth Configuration in Tübingen

Federated Identity Management. Willem Elbers (MPI-TLA) EUDAT training

Federated Wikis Andreas Åkre Solberg

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

Spring Security SAML module

Single Sign-On for the UQ Web

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

XAP 10 Global HTTP Session Sharing

Authentication Methods

Moodle and Office 365 Step-by-Step Guide: Federation using Active Directory Federation Services

PHP Integration Kit. Version User Guide

U S E R D O C U M E N TA T I O N ( A L E P H I N O

Implementation Guide SAP NetWeaver Identity Management Identity Provider

It is I, SAML. Ana Mandić Development Five Minutes Ltd

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Shibboleth N-Tier Support. Chad La Joie

Automated Testing of SAML 2.0 Service Providers. Andreas Åkre Solberg UNINETT

Using Shibboleth for Single Sign- On

Security As A Service Leveraged by Apache Projects. Oliver Wulff, Talend

Middleware integration in the Sympa mailing list software. Olivier Salaün - CRU

Authentication and Single Sign On

Using SAML for Single Sign-On in the SOA Software Platform

FERMILAB CENTRAL WEB HOSTING SINGLE SIGN ON (SSO) ON CWS LINUX WITH SAML AND MOD_AUTH_MELLON

Shibboleth Configuration from 100,000 Feet, in 15 Minutes or Less! Steve Thorpe Systems Programmer / Analyst MCNC

Keycloak SAML Client Adapter Reference Guide

JOSSO 2.4. Internet Information Server (IIS) Tutorial

WebNow Single Sign-On Solutions

Perceptive Experience Single Sign-On Solutions

Identity Federation For Authenticating and Authorizing Researchers

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

Connecting Web and Kerberos Single Sign On

Logout Support on SP and Application

AA enabling a closed source legacy application

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

Struts 2 - Practical examples

1. Introduction. Authors. Abstract. Quang Vu DANG (IFI) Olivier BERGER (GET/INT) Christian BAC (GET/INT) Benoît HAMET (phpgroupware)

OSOR.eu eid/pki/esignature Community Workshop in Brussels, 13. November 2008 IT Architect Søren Peter Nielsen - spn@itst.dk

Weblogic as a Service Provider for CERN Web Applications: APEX & Java EE

Web Service Development Using CXF. - Praveen Kumar Jayaram

Arjun V. Bala Page 20

Securing a Web Service

An introduction of several development activities related to Shibboleth and Web browser-based simple PKI

Advanced OpenEdge REST/Mobile Security

Integrating IBM Cognos 8 BI with 3rd Party Auhtentication Proxies

PicketLink Federation User Guide 1.0.0

Java Servlet 3.0. Rajiv Mordani Spec Lead

Configuring. Moodle. Chapter 82

MONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY. ASR 2006/2007 Final Project. Supervisers: Maryline Maknavicius-Laurent, Guy Bernard

<Insert Picture Here> Hudson Security Architecture. Winston Prakash. Click to edit Master subtitle style

UPGRADING TO XI 3.1 SP6 AND SINGLE SIGN ON. Chad Watson Sr. Business Intelligence Developer

Crawl Proxy Installation and Configuration Guide

Unlocking the Secrets of Alfresco Authentication. Mehdi BELMEKKI,! Consultancy Team! Alfresco!

Steve Chan

SAP NetWeaver AS Java

SAML Federated Identity at OASIS

Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server

IBM Tivoli Federated Identity Manager V6.2.2 Implementation. Version: Demo. Page <<1/10>>

Creating federated authorisation

Controlling Web Application Behavior

Federated Identity & Access Mgmt for Higher Education

How to create a SP and a IDP which are visible across tenant space via Config files in IS

Get Success in Passing Your Certification Exam at first attempt!

Single Logout. TF-EMC Vienna 17 th February Kristóf Bajnok NIIF Institute

Pierce County IT Department GIS Division Xuejin Ruan Dan King

SSO Plugin. Integration for Jasper Server. J System Solutions. Version 3.6

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

Get Cloud Ready: Secure Access to Google Apps and Other SaaS Applications

How To Use Saml 2.0 Single Sign On With Qualysguard

Servlet 3.0. Alexis Moussine-Pouchkine. mercredi 13 avril 2011

UNI. UNIfied identity management. Krzysztof Benedyczak ICM, Warsaw University

SSO Plugin. Authentication service for HP, Kinetic, Jasper, SAP and CA products. J System Solutions. JSS SSO Plugin Authentication service

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

IBM WebSphere Application Server

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

Workshop for WebLogic introduces new tools in support of Java EE 5.0 standards. The support for Java EE5 includes the following technologies:

Egnyte Single Sign-On (SSO) Installation for OneLogin

Federated Identity Management

The saga of WebFTS and Federated Identity

SAML single sign-on configuration overview

Web Application Architecture (based J2EE 1.4 Tutorial)

SSO Plugin. HP Service Request Catalog. J System Solutions. Version 3.6

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

Shibboleth SP Simple Installation Guide For LINUX

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Drupal

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Trademarks: Yellowfin and the Yellowfin Logo are registered trademarks of Yellowfin International.

Agenda. How to configure

Integrating Apex into Federated Environment using SAML 2.0. Jon Tupman Portalsoft Solutions Ltd

Integrating Web Applications with Shibboleth

Lets get a federated identity. Intro to Federated Identity. Feide OpenIdP. Enter your address. Do you have access to your ?

Transcription:

workshop Integration of Shibboleth and (Web) Applications MPG-AAI Workshop Clarin Centers Prague 2009 2009-11-06

(Web) Application Protection Models Classical Application behind Shibboleth Standard Session Application with Shibboleth Lazy Session / Passive Mode like shhaa-filter Mediawiki Plugin Application as Own Service Provider like simplesamlphp OIOSAML (java) Guanxi (java) 2

Classical Standard Shibboleth Session Identity Provider Attributes Service Provider Apache httpd mod_shib Site-A Site-B Site-X Authentication Authorization no direct information about - logged-in user - or session 3

Classical Web Application Authorization Web Application User & Roles, Access Control User Local IDM Roles & Privileges Application DB Authentication e.g. - LDAP/AD - Kerberos - Database... Authorization application specific dynamic access rules 4

Shibbolized Web Application Remote IDM Web Application User & Roles, Access Control? Identity Provider Attributes Privileges Roles Local Application DB Remote Authentication & Roles? Authorization application specific dynamic access rules 5

Attributes Propagation Identity Provider PHP Web Application User & Roles, Access Control Service Provider Apache httpd Server Env. Variables mod_shib HTTP Header SAML: User-ID, Attributes J2EE Web Application User & Roles, Access Control Privileges Local DB Local DB Privileges 6

Shibboleth Lazy Session / Passive Mode Shibboleth SP (Apache Httpd) Configuration https://spaces.internet2.edu/display/shib2/nativespapacheconfig <Location /secure/passive > AuthType shibboleth ShibRequireSession Off ShibUseEnvironment On ShibUseHeaders On Require shibboleth </Location> use Shibboleth, don't enforce login set attributes to - server environment variables - http headers Shibboleth enabled, but does not block Demo 7

Shibboleth Lazy Session / Passive Mode Shibboleth is enabled as in Standard (Shib.) Session only: no Login enforced! that means: User logged-in: Attributes are retrieved and propagated as usual User not logged-in: Attributes are still propagated, but are empty / hold no values as soon as a Shib. Session (Login) exists => Attributes filled 8

MediaWiki Shibboleth Extension http://www.mediawiki.org/wiki/extension:shibboleth_authentication move code to <mediawiki_home>/extensions/shibauthplugin.php edit LocalSettings.php ### SHIBBOLETH INTEGRATION require_once('extensions/shibauthplugin.php'); $shib_wayf = "Login"; $shib_wayfstyle = "DS"; $shib_https = true; $shib_loginhint = "login via "; $shib_assertionconsumerserviceurl = "/Shibboleth2.sso"; $shib_rn = ucfirst(strtolower($_server['sn'])); $shib_email = strtolower($_server['mail']); $wghooks['shibupdateuser'][] = 'ShibUpdateTheUser'; function ShibUpdateTheUser($existing, &$user) { global $shib_email; global $shib_rn; $user->setemail($shib_email); $user->setrealname($shib_rn); return true; } $shib_un = str_replace("_","-", $_SERVER['persistentID']); Demo 9

Demo Simple Http Header AuthN/Z Demo on Language Archive Tools (MPI f. Psycholinguistics, Nijmegen) Anonymous Access SSO Login Show Session- & Attributes Information Attribute Based Authorization SSO to Modular Web Application SLO, Logout from Local SP Session API to retrieve Session- & User Information (Attributes) Integration add filter in web.xml, set config-file location, use filter for whole web app Configuration see own configuration file shhaa.xml 10

Enable SHHAA Filter in Web Application web.xml <web-app> <context-param> <param-name>shhaaconfiglocation</param-name> <param-value>/web-inf/shhaa.xml</param-value> </context-param> <!-- filter configs --> <filter> <filter-name>aaifilter</filter-name> <filter-class>de.mpg.aai.shhaa.authfilter</filter-class> </filter> <!-- filter mappings --> <filter-mapping> <filter-name>aaifilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- context listener --> <listener> <listener-class> de.mpg.aai.shhaa.config.configcontextlistener </listener-class> </listener> 11

OIOSAML Java Service Provider www.softwareborsen.dk/projekter/softwarecenter/brugerstyring/oio-saml-java Easy Initial Setup & Configuration via GUI Web Application Filter Easy to Integrate in Your Web Application API to retrieve Session- & User Information (Attributes) Compatible with Shibboleth Federation after just slight configuration modifications Provides Own Discovery Service 12

Enable OIOSAML Filter in Web Application web.xml <context-param> <param-name>oiosaml-j.home</param-name> <param-value>/opt//oiosaml/conf/</param-value> </context-param> <listener><listener-class> dk.itst.oiosaml.sp.service.session.sessiondestroylistener </listener-class></listener> <servlet> <servlet-name>samldispatcherservlet</servlet-name> <servlet-class> dk.itst.oiosaml.sp.service.dispatcherservlet </servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>samldispatcherservlet</servlet-name> <url-pattern>/saml/*</url-pattern> </servlet-mapping> <filter> <filter-name>loginfilter</filter-name> <filter-class>dk.itst.oiosaml.sp.service.spfilter</filter-class> </filter> <filter-mapping> <filter-name>loginfilter</filter-name> <url-pattern>/sp/*</url-pattern> </filter-mapping> 13

OIOSAML Configuration GUI

OIOSAML with Shibboleth Federation www.gmjjavadesigns.com/gmjd/entry/how_to_integrate_oiosaml_java access initial configuration site via production URL => URL is used for metadata generation Metadata: OIOSAML uses separate files for each IdP on import Shibboleth IdP metadata: add missing XML namespace information (some prefixes not recognized) turn off Name-ID encryption at Shibboleth IdP - in relying-party.xml change Profile config to: <ProfileConfiguration xsi:type="saml:saml2ssoprofile" encryptnameids="never"... modify OIOSAML default config - set in oiosaml-sp.properties: oiosaml-sp.assurancelevel=0 oiosaml-sp.nameid.allowcreate = false oiosaml-sp.nameid.policy = transient 15

Thanks & Discussion Questions, Discussion... - Thank You for Your Attention - 16

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information