Shibboleth Configuration in Tübingen




Thomas Zastrow, Yana Panchenko

Tübingen and the DFN-AAI
- The University of Tübingen is a member of the DFN-AAI.
- The computing center in Tübingen runs a centralized IdP for the whole university.
- In the SfS, a Shibboleth service provider was installed: https://weblicht.sfs.uni-tuebingen.de
- http://weblicht.sfs.uni-tuebingen.de still hosts the old D-SPIN homepage.

Servers
Two servers are running the main services for CLARIN-D:
- weblicht.sfs...: Apache HTTPD + Shibboleth, Proxy, Tomcat, WebLicht, TCF Visualizer, DCA Proxy
- amber.sfs...: Tomcat, Webservices, Databases, Resources, SOAP Gateway, ...

Requirements for an SP
Certificates from the DFN-AAI, integrated into OpenSSL:

    -----BEGIN CERTIFICATE-----
    MIIFpzCCBI+gAwIBAgIED+vXfzANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJE
    RTEfMB0GA1UEChMWVW5pdmVyc2l0YWV0IFR1ZWJpbmdlbjEcMBoGA1UEAxMTR2xv
    YmFsLVVOSVRVRS1DQSAwMTEpMCcGCSqGSIb3DQEJARYadW5pdHVlLWNhQHVuaS10
    dwviaw5nzw4uzguwhhcnmtawnde5mtmynja3whcnmtuwnde4mtmynja3wjcbyzel
    MAkGA1UEBhMCREUxHzAdBgNVBAoTFlVuaXZlcnNpdGFldCBUdWViaW5nZW4xKDAm
    BgNVBAsTH1NlbWluYXIgZnVlciBTcHJhY2h3aXNzZW5zY2hhZnQxDjAMBgNVBAsT
    BURTUElOMREwDwYDVQQLEwhXZWJMaWNodDEmMCQGA1UEAxMdd2VibGljaHQuc2Zz
    LnVuaS10dWViaW5nZW4uZGUxJjAkBgkqhkiG9w0BCQEWF2VoQHNmcy51bmktdHVl
    YmluZ2VuLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJJ+lISL
    licghmdtc5ekdkspkziefgf6u0i2yt+u/bx37xl4yovmmxjxrlqm4oevne67n8k8
    4qe06B8xErFh3KqgC5Q5keUlQmXJu4wvABnk9AuxlwJKuGXI3PetBYdid10A7Iu
    3Ki0s3j7+7yYTG6xXJt4qrE7rV/v79zBQcoKOwu1AMdfV9q8GRShEXCQ82P4IITT
    Q4z513p1e0mscDdBIunH6aThNCJA9rUBwEVX90HX5KHaOPSksHISylhjl/++XJFy
    /0wBpiZ4+7pN2S/go9J8A153NZSPhF2M5deyWgjT/K2LSudLnegIlRFTq1Kv89eE
    bf/zahunvakbqqidaqabo4ib5dccaeawcqydvr0tbaiwadalbgnvhq8ebamcbeaw
    HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQWBBRmWkIAb3Vr
    zkttelxvwsx4nngcudafbgnvhsmegdawgbswwbtonx/i1kgcgngv4pxbnm3dqdai
    BgNVHREEGzAZgRdlaEBzZnMudW5pLXR1ZWJpbmdlbi5kZTCBkwYDVR0fBIGLMIGI
    MEKgQKA+hjxodHRwOi8vY2RwMS5wY2EuZGZuLmRlL2NsYXNzaWMtdW5pdHVlLWNh
    L3B1Yi9jcmwvZ19jYWNybC5jcmwwQqBAoD6GPGh0dHA6Ly9jZHAyLnBjYS5kZm4u
    ZGUvY2xhc3NpYy11bml0dWUtY2EvcHViL2NybC9nX2NhY3JsLmNybDCBrAYIKwYB
    BQUHAQEEgZ8wgZwwTAYIKwYBBQUHMAKGQGh0dHA6Ly9jZHAxLnBjYS5kZm4uZGUv
    Y2xhc3NpYy11bml0dWUtY2EvcHViL2NhY2VydC9nX2NhY2VydC5jcnQwTAYIKwYB
    BQUHMAKGQGh0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvY2xhc3NpYy11bml0dWUtY2Ev
    chvil2nhy2vydc9nx2nhy2vydc5jcnqwdqyjkozihvcnaqefbqadggebagxjyoka
    uuwufzvszzutqnicslwwhmrb6g63crkbgbmsngfwiyhrizcjtpytdabj1lg2pryj
    YpbhHR4892JIAm1IkyR4sJvAKXgnzNHtTy1ZTmlP7BjekPb6pcSRWAra84A+bOWY
    +Q3KRITfEcUfsFw/PWYO8qwDurTWGBK3ReWkwLJ9y89XZDXQZt4A9RQnnBvnC7RU
    klkamxrv27neeug8eh0tufxsthulbclnnnhaat1c8m2awjwcwshg5ctr99musjtc
    NGifdwt0qWax50ASplgOtT/GZAw2E7HEEgbDA+6JcKpVlh+UMnk2JN+nkkKUjgnD
    wn2yhswhnnmiigy=
    -----END CERTIFICATE-----


Tübingen Software Environment
- Shibboleth version 2.x
- Apache 2: mod_ssl, shib2 enabled
- DFN tutorial: https://www.aai.dfn.de/dokumentation/serviceprovider/

Configuration
Virtual host in Apache (SSL):

    <Directory /var/www/login_s/>
        AuthType shibboleth
        ShibRequireSession On
        Require valid-user
    </Directory>

-> https://weblicht.sfs.uni-tuebingen.de/login_s/
Shibboleth configuration: /etc/shibboleth/shibboleth2.xml

Screenshot of the login page: https://weblicht.sfs.uni-tuebingen.de/login_s/

Local Authentication
In addition to the Shibboleth login, there is another login path which makes use of the local Apache user management. It is necessary because many CLARIN users do not have an account in the CLARIN identity federation.

PHP: Display all server-based variables

    <?php
    // The SP exports the user's attributes as server variables, e.g. eppn.
    $email = isset($_SERVER["eppn"]) ? $_SERVER["eppn"] : "";
    // Escape everything before echoing it into HTML: attribute values come from the IdP, not from us.
    echo "Wer bin ich: " . htmlspecialchars($email, ENT_QUOTES, "UTF-8");
    echo '<table border="1">';
    // Superglobal names are case-sensitive: $_SERVER, not $_server.
    foreach ($_SERVER as $k => $v) {
        echo '<tr><td>' . htmlspecialchars($k, ENT_QUOTES, "UTF-8") . '</td><td>'
           . htmlspecialchars($v, ENT_QUOTES, "UTF-8") . '</td></tr>';
    }
    echo '</table>';
    ?>

SAML Tracer
SAML Tracer is an add-on for Firefox: https://addons.mozilla.org/en-US/firefox/addon/samltracer/

Conclusion
- The computing center in Tübingen was very helpful.
- Also the people from the DFN-AAI: join the mailing lists!

Conclusion
- Attributes: it is not certain which attributes an SP will receive from the IdPs.
- Next step: secure web services and delegation.

Delegated Authentication with Shibboleth
- Delegated authentication model among SAML-enabled services, available since Shibboleth v2.1.3
- Uses the SAML 2.0 Enhanced Client or Proxy (ECP) profile for delegation
- Multi-tier delegation is possible

Use case for WebLicht
App1, WS2, WS3 and WS4 are all protected with Shibboleth within the CLARIN federation:
- App1: WebLicht web application for chaining NLP tools
- WS2: tokenizer from Uni 2
- WS3: tagger from Uni 3
- WS4: resources from Uni 4, used by WS3 for tagging

Call chain: User -> App1 -> WS2 / WS3, and WS3 -> WS4

A service that is called on behalf of the user can:
- recognize both the original client (App1 / WS3) and the subject (user), and the fact that the "delegate" client is accessing it on behalf of that subject
- as a result, know that the user is signed in and know the user identity
- control or limit access of the user based on the user (and optionally the client) identity
- apply internal authorization based on the user identity

Complications
- Shibboleth above v2.1.3 is required.
- Requires additional, relatively complicated configuration for all participating parties: for the IdP, for SPs that can delegate, and for SPs that accept delegation.
- It is not possible to specify that delegation from all SPs to all SPs is allowed, i.e. each web service has to know and specify in advance which other web services it can access, and by which other web services it can be accessed.

What is possible with Shibboleth at the moment
- Other restrictions / licenses
- Academic
- Community
- Free

Shibboleth & Tomcat
- There are some third-party libraries which allow integrating Shibboleth directly into Tomcat.
- But: they are not official; there could be problems with versions, security etc.
- Solution: use an Apache HTTPD for the Shibboleth functionality and put Tomcat behind it, accessing Tomcat via mod_proxy_ajp.

- Apache HTTPD runs on port 443 with SSL: https://myserver.de/
- Tomcat runs on localhost on port 8080 (or another one): http://localhost:8080/myapplication
- With the proxy: https://myserver.de/myapplication

Apache proxy configuration for the SOAP gateway on amber (the AJP URL wrapped onto two lines on the slide):

    ProxyPass /soapgate ajp://amber.sfs.uni-tuebingen.de:8009/soapgate
    <Location "/soapgate/">
        Order Allow,Deny
        Allow from All
        ProxyPassReverse ajp://amber.sfs.uni-tuebingen.de:8009/soapgate
    </Location>
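As an added example (not from the slides and not the WebLicht project's own configuration), the following Apache httpd virtual host puts the pieces from the configuration, local-authentication and Shibboleth & Tomcat slides together: TLS termination, the Shibboleth-protected path, the local htpasswd fallback for users without a federation account, and the AJP proxy to Tomcat with the user's attributes forwarded as AJP request attributes. The server name myserver.de, the certificate and htpasswd paths, and the Tomcat AJP port are assumed placeholder values; Apache 2.2 access-control syntax is used to match the slides.

```apache
# Added example, not from the slides. Placeholder values: myserver.de,
# /etc/ssl/myserver/*, /etc/apache2/weblicht.htpasswd, Tomcat AJP on localhost:8009.
Listen 443

# Never act as an open forward proxy; only the ProxyPass rules below are served.
ProxyRequests Off

<VirtualHost *:443>
    ServerName myserver.de
    DocumentRoot /var/www

    # TLS ends here; the browser never talks to Tomcat directly.
    SSLEngine on
    SSLCertificateFile      /etc/ssl/myserver/cert.pem
    SSLCertificateKeyFile   /etc/ssl/myserver/key.pem
    SSLCertificateChainFile /etc/ssl/myserver/chain.pem   # issuing (DFN-PKI) intermediate

    # Federated login: mod_shib enforces an SP session, the IdP does the authentication.
    <Location /login_s/>
        AuthType shibboleth
        ShibRequireSession On
        Require valid-user
    </Location>

    # Local fallback login for users without a federation account, backed by
    # Apache's own user file (maintained with htpasswd). Only reachable over TLS.
    <Location /login_local/>
        AuthType Basic
        AuthName "Local WebLicht login"
        AuthUserFile /etc/apache2/weblicht.htpasswd
        Require valid-user
    </Location>

    # Tomcat application behind the proxy. The Shibboleth session is checked
    # before the request is forwarded, so the application never sees
    # unauthenticated traffic.
    <Location /myapplication/>
        AuthType shibboleth
        ShibRequireSession On
        Require valid-user
        Order Allow,Deny
        Allow from All
        # Attributes go to Tomcat as environment variables, not as HTTP headers:
        # headers could be supplied by the client, environment variables cannot.
        # With attributePrefix="AJP_" in shibboleth2.xml, mod_proxy_ajp forwards
        # them to Tomcat as request attributes (request.getAttribute("eppn")).
        ShibUseHeaders Off
        ShibUseEnvironment On
    </Location>
    ProxyPass        /myapplication ajp://localhost:8009/myapplication
    ProxyPassReverse /myapplication ajp://localhost:8009/myapplication
</VirtualHost>
```

Two things on the Tomcat side complete this picture. The AJP connector in server.xml should bind to 127.0.0.1 only and, on current Tomcat versions, carry a shared `secret` and an `allowedRequestAttributesPattern` that admits the forwarded attribute names; otherwise the attributes are dropped, or the connector is reachable by anyone who can open a socket to it. And since the "Attributes" conclusion notes that it is not certain which attributes an SP receives, the SP's own Session handler (https://myserver.de/Shibboleth.sso/Session, present in the default shibboleth2.xml) lists the attributes of the current session and is the quickest way to check what actually arrived before debugging the application.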