An introduction of several development activities related to Shibboleth and Web browser-based simple PKI Toyokazu Akiyama 1, Motonori Nakamura 2, Takeshi Nishimura 2, Kazutsuna Yamaji 2, Yukiko Kawai 1 1 Kyoto Sangyo University, Japan 2 National Institute of Informatics, Japan
Contents Developments related to Shibboleth omniauth-shibboleth rack-saml Developments related to Simple PKI A Testing Framework for PKI applications using Web Cryptography API
Developments related to Shibboleth
Shibboleth and its application development Shibboleth SAML2 SSO middleware Identity Provider (IdP) runs on Java Application Container (e.g. Jetty) Service Provider (SP) can be constructed using Apache module (mod_shib) User attributes are passed as environment variables Deployment Issue Difficult to support various languages and frameworks used to develop web applications (SP)
An Example: Ruby on Rails Easy to implement Web applications using Model/View/Controller pattern Easy to integrate a Rails application with Shibboleth SP (mod_shib) Handle requests by codes in respect for DRY and CoC HTTP handlers like Servlet Pass requests to Scripting Languages Terminate TCP Rails application Ruby on Rails Rack middleware add some codes for Shibboleth CGI, Web Server module (mod_php, mod_passenger) Web Server/Load Balancer (Apache, Nginx) mod_shib Ruby shibd
An Example: Ruby on Rails GitLab (Ruby on Rails application) https://about.gitlab.com/ One of the major software repository Community Edition can be downloaded for constructing private Git repository Frequent updates It s still easy to add Shibboleth related codes, but Do you want to patch GitLab every time? GitLab Ruby on Rails Rack middleware add some codes for Shibboleth CGI, Web Server module (mod_php, mod_passenger) Web Server/Load Balancer (Apache, Nginx) mod_shib Just one of the options of authentication shibd
A Solution OmniAuth Standardized Multi-Provider Authentication for Rack middleware RAILSCASTS #241 http://railscasts.com/episodes/241-simple-omniauth GitLab supports OmniAuth HTTP handlers like Servlet Rails application Ruby on Rails Rack middleware CGI, Web Server module (mod_php, mod_passenger) Web Server/Load Balancer (Apache, Nginx) OmniAuth
Brief Overview of OmniAuth OmniAuth supports multiple authentication Authentication provider: OmniAuth Strategy Multiple providers are handled by URI routing (1) Start Authenticating (2) Pass the result to Web App as a session variable Auth Hash Schema $APP_PATH/auth/:provider/ $APP_PATH/auth/:provider/callback facebook, twitter, ldap, oauth, openid { provider : twitter, uid : toyokazu, info : { name : Toyokazu Akiyama } }
omniauth-shibboleth
omniauth-shibboleth You need to do is Protect /auth/shibboleth/callback by mod_shib Add configuration file to your App Rails example % vi config/initializer/omniauth.rb Rails.application.config.middleware.use OmniAuth::Builder do provider :shibboleth end That s all omniauth-shibboleth repack the SAML attributes to Auth Hash Schema
omniauth-shibboleth Flexible attribute mapping % vi config/initializer/omniauth.rb Rails.application.config.middleware.use OmniAuth::Builder do provider :shibboleth, { :uid_field => "uid", :name_field => "displayname", :info_fields => { :email => "mail", :location => "contactaddress", :image => "photo_url", :phone => "contactphone" } } end Auth Hash Schema SAML Attributes
omniauth-shibboleth More flexible attribute mapping % vi config/initializer/omniauth.rb Rails.application.config.middleware.use OmniAuth::Builder do provider :shibboleth, { :uid_field => lambda { request_param request_param.call('eppn') request_param.call('mail') }, uid is eppn or mail :name_field => lambda { request_param "#{request_param.call('cn')} #{request_param.call('sn')} }, } end name is concatenation of cn and sn IdP administrators will be released from the complex attribute mapping at IdP
Apache configuration problem (1/2) An example Rails App hosting architecture using mod_passenger If we can configure Apache, there is NO PROBLEM. Web Browser Web Server SAML attributes are passed as environment variables Apache mod_passenger mod_shib shibd spawn ApplicationPool Passenger HelperAgent Rails App process Rails App process About detailed Passenger architecture, please refer: https://www.phusionpassenger.com/documentation/design%20and%20architecture.html
Apache configuration problem (2/2) An example Cloud hosting architecture e.g. Heroku (Rails application hosting) Web Browser Web Server (Managed by Hosting Service Provider) Application Server (Managed by Cloud User) Apache mod_proxy Unable to install mod_shib Rails on Unicorn mod_shib function is required here
rack-saml
rack-saml Pure Ruby Shibboleth SP (Rack middleware) Cooperate with omniauth-shibboleth easily SAML metadata importing tool is provided Rails application HTTP handlers like Servlet Ruby on Rails Rack middleware Rack::SAML supplement Since OmniAuth and Rack::SAML are Rack::Middleware, they can be used NOT ONLY for Rails but also for the other frameworks CGI, Web Server module (mod_php, mod_passenger) Web Server/Load Balancer (Apache, Nginx)
Developments related to Simple PKI
Recent Web technology changes WebRTC (Web Real-Time Communication) APIs for real-time communication Local device operation P2P communication Enables voice chat without Plug-ins Standardization is ongoing at W3C and IETF An example application SkyWay (NTT Communications) WebRTC platform for application developers Construct a new App without preparing servers Signaling server (PeerJS server) is required for P2P communication For Authentication & Encrypted communication DTLS-SRTP is used
An issue in DTLS-SRTP for P2P communication (1/3) The signaling server (provided by application provider) must guarantee the authentication of end-users Key exchange in DTLS-SRTP A Self-signed certificate Signaling server A B B User A Self-signed certificate User B Shared key
Issues in DTLS-SRTP for P2P communication (2/3) The signaling server (provided by application provider) must guarantee the authentication of end-users Key exchange in DTLS-SRTP Man-in-the-middle attack Signaling server A A fake certificate User A B fake certificate B User B Shared key 1 Shared key 2
Issues in DTLS-SRTP for P2P communication (3/3) Increase of application providers makes it difficult for users to judge their trustworthiness Signaling servers Trustworthy? or Not Trustworthy?
An approach to improve trustworthiness Use trusted third party certificate (PKI) Trusted third party signing server signed certificate A Signaling server signed certificate A B B User A signed certificate signed certificate User B
Issues in PKI Strict PKI requires high operation cost Online signing service can be used PKI requires users to operate Key pairs
PKI key management problem Personal certificate in Keychain Access If the user name is the same, it may be difficult for users to distinguish the certificates. Issuer Name Country Organization CN Issuer Name Country Organization CN It may also be difficult for users to choose the proper certificate for the proper application by Issuer Name.
An approach to solve PKI Key management problem Automatic key selection If PKI keys are managed in JavaScript, it is possible to choose the key automatically by Web Apps Issues in JavaScript-based Key management
Issues in JavaScript-based Key management Pure JavaScript PKI related libraries jsrsasign, PKI.js Store keys into the storage where accessible from JavaScript Example Issue: Entities stored in HTML5 Local Storage can be accessed by any remote script Secure Key Storage must be used Script A Script B JavaScript Private key
An approach to solve Key management in JavaScript Using Web Cryptography API JavaScript API for performing basic cryptographic operations in web applications The specification discusses Key management issues Issues However, key management specification itself is out of scope (will be defined as the other standard?) Standardization is ongoing Implementations are not finished
Construct Testing Framework for Applications using Web Cryptography API (1/2) Implementation of Testing Framework Separate key operations into the Key Management Server (KMS) KMS is implemented using Node.js & node-forge Web Cryptography API encrypt( key_id, ) decrypt( key_id, ) include App Script JavaScript API call is mapped to socket.io communication Key operation is done in KMS Key Management Server (KMS) Running on local PC Private keys with key_id
Construct Testing Framework for Applications using Web Cryptography API (2/2) Implement an example application Online certificate issuance application Client PC socket.io Input Password via GUI Online cert issuance App Script Key Management Server Public key Private key Public key socket.io Signed Public key socket.io Generate a key pair CA Server PKCS #12 PKCS #12 PKCS #12 Per user process Per user key management folder
Future Work Adjust interface more Web Cryptography API compatible Implement DTLS-SRTP using Testing Framework Consider design and implementation of automatic key management
Conclusion Developments related to Shibboleth omniauth-shibboleth rack-saml Developments related to Simple PKI A Testing Framework of PKI applications using Web Cryptography API