Set-up an Identity Provider Dr. Marco Fargetta Marco.Fargetta@ct.infn.it Italian Institute for Nuclear Physics (INFN) Bucaramanga (Colombia), November 27, 2012
In this tutorial we refer to the Shibboleth IdP official documentation, available on-line. NOTE: these slides do not replace the official documentation.
IdPs provide user identities to external services (SPs). The IdP itself does not have to store credentials: it authenticates users against an existing credential store.
Credentials must be accessible to the IdP. How authentication information is managed can differ from one deployment to another.
The first step is to create a credentials database, or to use an existing one. We use LDAP in this tutorial.
Configure an LDAP server with several test accounts. Many OSes ship tools to create and manage an LDAP server. Many alternative management clients are available: Apache Directory Studio, GQ, JXplorer.
Download and install the latest version of the Shibboleth Identity Provider. Installation is straightforward.
Install a Java servlet container to run the IdP. Many servlet containers are supported (Tomcat 6 is the recommended one for this IdP version).
All communications run over SSL/TLS, so configure the servlet container accordingly. Deploy the IdP using a Context Deployment Fragment.
IdP context (Tomcat Context Deployment Fragment):
<Context docBase="_path/idp/war/idp.war"
         privileged="true"
         antiResourceLocking="false"
         antiJARLocking="false"
         unpackWAR="false"
         swallowOutput="true" />
Put the fragment in $CATALINA_HOME/conf/Catalina/localhost/idp.xml
Configuration
Retrieve user attributes: configure which attributes to retrieve and where they are stored. Modify the file attribute-resolver.xml.
Connect the attribute source (LDAP data connector; the IdP binds with the service account given by principal and looks up the authenticated user with the filter template):
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
                        ldapURL="ldap://directory.ct.infn.it"
                        baseDN="ou=people,dc=local"
                        principal="cn=idp,ou=people,dc=local"
                        principalCredential="******">
    <dc:FilterTemplate>
        <![CDATA[
            (cn=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
</resolver:DataConnector>
Note: this connector talks plain ldap://, so the bind password and every attribute cross the network in clear. Outside a lab, use an ldaps:// URL or set useStartTLS="true" on the connector.
Attribute example (defines the "email" attribute from the LDAP "mail" attribute and encodes it for SAML 1 and SAML 2):
<resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML1String"
                               name="urn:mace:dir:attribute-def:mail" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="urn:oid:0.9.2342.19200300.100.1.3"
                               friendlyName="mail" />
</resolver:AttributeDefinition>
Define the attributes you want to provide. The normal policy is: release as little as possible. Modify the file attribute-filter.xml.
Simple filter (releases "email" to every requester; convenient for testing, but it contradicts the release-as-little-as-possible rule, so scope it to specific SPs or federations before going to production):
<afp:AttributeFilterPolicy id="attributeToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:ANY" />
    <afp:AttributeRule attributeID="email">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
A more complex example (releases eduPersonAffiliation to one SP only, and only the values "affiliate" and "employee"):
<afp:AttributeFilterPolicy id="attributeToAnSP">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://sp.example.org" />
    <afp:AttributeRule attributeID="eduPersonAffiliation">
        <afp:PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
        </afp:PermitValueRule>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
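The two policies above sit at the extremes: release to anyone, or release to one hard-coded SP. The usual middle ground for an IdP that joins a federation is to release a small attribute set to every SP registered in that federation's metadata. The following attribute-filter.xml is an added example written for these slides, not a file from the tutorial or from the Shibboleth distribution; the group ID urn:mace:example.org:federation is a placeholder and must match the Name of the EntitiesDescriptor in the federation metadata the IdP loads.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Complete attribute-filter.xml (added example, IdP 2.x schema). -->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns:afp="urn:mace:shibboleth:2.0:afp"
        xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Fires only when the requesting SP is a descendant of the
         EntitiesDescriptor whose Name is the placeholder group ID below.
         An SP outside the federation gets nothing from this policy. -->
    <afp:AttributeFilterPolicy id="releaseToFederationMembers">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterInEntityGroup"
                                   groupID="urn:mace:example.org:federation" />

        <!-- Minimal set: an identifier and the affiliation. -->
        <afp:AttributeRule attributeID="email">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonAffiliation">
            <afp:PermitValueRule xsi:type="basic:OR">
                <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
            </afp:PermitValueRule>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <!-- One SP inside the federation additionally needs the user's name;
         the AND rule keeps this release tied to federation membership, so
         the extra attribute is not leaked if the same entityID shows up in
         metadata loaded from another source. -->
    <afp:AttributeFilterPolicy id="extraAttributesForOnePortal">
        <afp:PolicyRequirementRule xsi:type="basic:AND">
            <basic:Rule xsi:type="basic:AttributeRequesterInEntityGroup"
                        groupID="urn:mace:example.org:federation" />
            <basic:Rule xsi:type="basic:AttributeRequesterString"
                        value="https://portal.example.org/shibboleth" />
        </afp:PolicyRequirementRule>
        <afp:AttributeRule attributeID="displayName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

Every attributeID referenced here (email, eduPersonAffiliation, displayName) must be defined in attribute-resolver.xml, otherwise the rule is silently a no-op; the IdP log at DEBUG level for edu.internet2.middleware.shibboleth shows which policies fired for a given request.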
Users must be authenticated by the IdP. Several options are available: remote system, LDAP, Kerberos, etc. The authentication method to use is configured as a handler, set in handler.xml.
Authentication with username and password against LDAP is available out of the box. The authentication LDAP server can be different from the one used for attributes. Configuration is in login.config.
LDAP login configuration (login.config; the module line lives inside the ShibUserPassAuth JAAS block that the UsernamePassword handler refers to; {0} is replaced with the username typed on the login page):
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldap://directory.ct.infn.it"
        baseDn="ou=people,dc=local"
        tls="true"
        userFilter="cn={0}";
};
tls="true" makes the module start TLS on the connection before binding, so user passwords are not sent to the directory in clear; do not drop it just because the attribute connector works without it.
The IdP has to know in advance which services use it. Metadata must be exchanged with every SP or federation. An IdP can join multiple federations and/or serve multiple individual resources.
A handler that generates the IdP's own metadata is available. Both the IdP metadata and the SP (or federation) metadata sources must be configured. Modify the file relying-party.xml.
IdP metadata configuration (the IdP's own metadata, loaded from a local file):
<metadata:MetadataProvider id="IdPMD" xsi:type="metadata:ResourceBackedMetadataProvider">
    <metadata:MetadataResource xsi:type="resource:FilesystemResource"
                               file="_path_/idp-metadata.xml" />
</metadata:MetadataProvider>
Federation metadata configuration (downloaded over HTTPS and cached in a backing file):
<metadata:MetadataProvider id="myFed" xsi:type="metadata:FileBackedHTTPMetadataProvider"
                           metadataURL="https://feddomain/metadata.xml"
                           backingFile="_path/gridp.xml"
                           disregardSslCertificate="true" />
Warning: disregardSslCertificate="true" switches off certificate checking on the download, so anyone who can intercept the connection can hand the IdP a metadata file of their choosing, and with it any SP endpoint and key they like. It is acceptable only while testing against a federation whose HTTPS certificate is not yet trusted by the Java runtime; for production, remove it and verify the federation's signature on the metadata itself.
Trusted communications among IdP, SP and users: data is exchanged over SSL/TLS, and metadata is signed by its publisher (the federation operator for federation metadata, the entity itself for stand-alone metadata).
SSL/TLS is configured in the servlet container. The certificate the IdP uses for signing (and the one carried in its metadata) is defined in relying-party.xml. Whenever that certificate changes, regenerate the IdP metadata and redistribute it to the SPs and federations, otherwise they will reject the IdP's signatures.
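The federation provider on the earlier slide relies entirely on the download channel for trust, and the channel check is even disabled there. Since federation metadata is signed by its publisher, the IdP can verify that signature itself and then no longer cares how the file arrived. The relying-party.xml fragment below is an added example for these slides, not the tutorial's or the Shibboleth project's configuration: the URL, the backing-file path, the path of the federation's signing certificate and the refresh/validity intervals are placeholders to be replaced with the values published by the federation you join.

```xml
<!-- Fragment of relying-party.xml (added example, IdP 2.x schema).
     Namespace prefixes assumed as in the default file:
       xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
       xmlns:security="urn:mace:shibboleth:2.0:security"
       xmlns:resource="urn:mace:shibboleth:2.0:resource" -->

<!-- Weak setting, as used while testing: no certificate check on the
     download and no check of the metadata content at all. -->
<!--
<metadata:MetadataProvider id="myFed" xsi:type="metadata:FileBackedHTTPMetadataProvider"
                           metadataURL="https://feddomain/metadata.xml"
                           backingFile="_path/gridp.xml"
                           disregardSslCertificate="true" />
-->

<!-- Hardened setting: keep TLS verification on, refresh regularly, refuse
     metadata that lacks a validUntil or is valid for too long, and require
     a signature that verifies against the federation's signing key. -->
<metadata:MetadataProvider id="myFed" xsi:type="metadata:FileBackedHTTPMetadataProvider"
                           metadataURL="https://feddomain/metadata.xml"
                           backingFile="_path/gridp.xml"
                           maxRefreshDelay="PT8H">
    <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
        <!-- A stale or never-expiring file can keep a revoked SP alive;
             P14D is a placeholder, use the interval the federation documents. -->
        <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil"
                                 maxValidityInterval="P14D" />
        <!-- Signature must be present and must verify with the trust engine below. -->
        <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                                 trustEngineRef="shibboleth.MetadataTrustEngine"
                                 requireSignedMetadata="true" />
    </metadata:MetadataFilter>
</metadata:MetadataProvider>

<!-- Trust engine holding the federation's metadata signing certificate.
     Fetch this file out of band (federation web site, fingerprint checked),
     never from the same URL as the metadata it is supposed to verify. -->
<security:TrustEngine id="shibboleth.MetadataTrustEngine"
                      xsi:type="security:StaticExplicitKeySignature">
    <security:Credential id="FederationSigningCredential" xsi:type="security:X509Filesystem">
        <security:Certificate>_path/federation-signing.pem</security:Certificate>
    </security:Credential>
</security:TrustEngine>
```

With this in place a bad download is logged and the previous backing file keeps being served, so a failure of the federation's web server or a rotated signing key shows up in idp-process.log rather than as silently accepted metadata; a signing-key rollover by the federation therefore has to be reflected in the certificate path above before the old key stops being used.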
The logging system is very important for finding configuration problems. Log output is configurable: modify the file logging.xml.
The login page of the IdP can be customised. The code to modify is in the installation package: edit the file src/main/webapp/login.jsp in the installation directory.
Then run the installation again. Take care not to overwrite the configuration files when the installer asks.
Task for today: install an IdP to add to a federation.
1. Define your users database
2. Configure the IdP
3. Exchange metadata
4. Customise the interface