Shibboleth N-Tier Support. Chad La Joie chad.lajoie@switch.ch



Similar documents
Shibboleth Configuration in Tübingen

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Lets get a federated identity. Intro to Federated Identity. Feide OpenIdP. Enter your address. Do you have access to your ?

S P I E Information Environments Shibboleth and Its Integration into Security Architectures. EDUCAUSE & Internet 2 Security Professionals Conference

Perceptive Experience Single Sign-On Solutions

Authentication Methods

OSOR.eu eid/pki/esignature Community Workshop in Brussels, 13. November 2008 IT Architect Søren Peter Nielsen - spn@itst.dk

Secure the Web: OpenSSO

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Shibboleth Identity Provider (IdP) Sebastian Rieger

HP Software as a Service

SAML Authentication Quick Start Guide

IGI Portal architecture and interaction with a CA- online

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

Single Sign-On for the UQ Web

Biometric Single Sign-on using SAML

ClearPass A CAS Extension Enabling Credential Replay

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

Getting Started with Single Sign-On

Logout in Single Sign-on Systems

Integrating Multi-Factor Authentication into Your Campus Identity Management System

WebNow Single Sign-On Solutions

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

Egnyte Single Sign-On (SSO) Installation for OneLogin

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

Agenda. How to configure

SAML-Based SSO Solution

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Tableau Server

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

A Shibboleth View of Federated Identity. Steven Carmody Brown Univ./Internet2 March 6, 2007 Giornata AA - GARR

Logout Support on SP and Application

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

Using Shibboleth for Single Sign- On

T his feature is add-on service available to Enterprise accounts.

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

USING ESPRESSO [ESTABLISHING SUGGESTED PRACTICES REGARDING SINGLE SIGN ON] TO STREAMLINE ACCESS

External and Federated Identities on the Web

How To Use Saml 2.0 Single Sign On With Qualysguard

Federated Identity Management

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Getting Started with Single Sign-On

Integration of Shibboleth and (Web) Applications

Configuring. Moodle. Chapter 82

Biometric Single Sign-on using SAML Architecture & Design Strategies

OpenSSO: Simplify Your Single-Sign-On Needs. Sang Shin Java Technology Architect Sun Microsystems, inc. javapassion.com

Federating with Web Applications

SAP NetWeaver AS Java

ADFS Integration Guidelines

Quick Start Guide to Logging in to Online Banking

SAML Single-Sign-On (SSO)

Moodle and Office 365 Step-by-Step Guide: Federation using Active Directory Federation Services

Alex Wong Senior Manager - Product Management Bruce Ong Director - Product Management

Software Requirement Specification Web Services Security

Configuring Parature Self-Service Portal

An overview of configuring Intacct for single sign-on. To configure the Intacct application for single-sign on (an overview)

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

SP-initiated SSO for Smartsheet is automatically enabled when the SAML feature is activated.

McAfee Cloud Identity Manager

Flexible Identity Federation

Federations 101. An Introduction to Federated Identity Management. Peter Gietz, Martin Haase

Identity and Access Management for Federated Resource Sharing: Shibboleth Stories

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

Running Multiple Shibboleth IdP Instances on a Single Host

IBM Tivoli Federated Identity Manager V6.2.2 Implementation. Version: Demo. Page <<1/10>>

Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server

Connected Data. Connected Data requirements for SSO

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

Configuring EPM System for SAML2-based Federation Services SSO

Toward campus portal with shibboleth middleware

DEPLOYMENT GUIDE. SAML 2.0 Single Sign-on (SSO) Deployment Guide with Ping Identity

Enabling SAML for Dynamic Identity Federation Management

MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation

Get Success in Passing Your Certification Exam at first attempt!

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

The saga of WebFTS and Federated Identity

SAML Authentication within Secret Server

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

Hubcase for Microsoft Dynamics CRM Installation and Configuration Guide

Federated Identity Management

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

F5 BIG-IP: Configuring v11 Access Policy Manager APM

Multi-Factor Authentication, Assurance, and the Multi-Context Broker

Open Source Identity Integration with OpenSSO

SAP NetWeaver Single Sign-On. Product Management SAP NetWeaver Identity Management & Security June 2011

An introduction of several development activities related to Shibboleth and Web browser-based simple PKI

Using SAML for Single Sign-On in the SOA Software Platform

SAML v2.0 for.net Developer Guide

PingFederate. SSO Integration Overview

Transcription:

Shibboleth N-Tier Support Chad La Joie chad.lajoie@switch.ch

Agenda Use Case Terminology Shibboleth Solution Future Effort Resources 2

Use Case Current use case comes from University of Chicago University uses uportal which displays information from a set of portlets The site hosting each portlet is also a stand-alone, Shibboleth-protected site (i.e. it s an SP) Each app displays personalized information based on the user (e.g. number of unread mails, class schedule) The goals are: Allow the user to log in to the portal and the portal to log in to the portlets as the user. The SAML assertion given to the portlet should be derived from the SAML assertion given to the portal The SAML assertion given to the portlet should be targeted to the portlet (i.e. filtered identifiers and attributes) 3

Terminology Assertion - A set of statements (e.g. authentication and attributes) by the IdP about a user Delegatable Assertion - An assertion which may be used to get another assertion targeted for another service. Delegated Assertion - An assertion derived from a delegatable assertion. Delegation - The process of taking a delegatable assertion and turning it in to a delegated assertion. Web Service Provider (WSP) - non-browser based, SAML service provider Web Service Client (WSC) - client used to request content from the WSP, must offer ECP support Enhanced Client/Proxy (ECP) - a SAML binding that does not require, but does allow, the use of a browser 4

Shibboleth Solution 1. User authenticates to portal with a delegatable assertion 2. Portal attempts to contact portlet which returns an ECP authentication request 3. Portal sends ECP authn request and delegatable assertion to the IdP 4. IdP authenticates the portal via the delegatable assertion 5. IdP issues a delegated assertion within the ECP response to the portal 6. Portal sends the ECP response to the portlet 7. Portlet validates delegated assertion and returns the requested content back to the portal 5

Shibboleth Solution 6

Shibboleth Solution: Security IdP, Portal, and all Portlets must be SAML entities and registered in SAML metadata Issuing IdP added to delegatable assertion s audience list prevents the assertion from being used with any other IdP Delegated assertion uses holder-of-key subject confirmation (instead of bearer) ensures only entities with the private key can use the assertion prevents assertion hijacking (unless the key is hijacked as well) Delegated assertion contains delegation restriction condition prevents the assertion from working with SPs that do not support delegation (in theory at least) ECP Authn response may be encrypted so that the portal can not view information targeted for the portlet 7

Shibboleth Solution: IdP Setup Install N-Tier plugin in to IdP 2.1.3+ Replace existing SAML2SSO profile with version that supports delegation and configure Add ECPSSO profile and configure Configuration Options: SPs allowed to request delegatable assertion Maximum delegation chain length Lifetime of delegated assertion SPs to which an assertion may be delegated 8

Shibboleth Solution: SP/WSP Install latest version of SP 9

Future Work Needed The current solution is use case specific - by design Support for n-tier in all imaginable uses cases is hard A login handler that accepts, and validates, the user s initial credentials The current mechanism expects the whole flow to start with a browser interaction and thus it can use the existing login handlers A set of web service clients The WSC is a Java library based on Apache HTTPClient The WSC is not uportal specific But a good library (or two) for other common languages is needed 10

Resources Shib-uPortal Work Site: https://spaces.internet2.edu/display/shibuportal/home uportal WSC Code: https://www.ja-sig.org/svn/sandbox/shibbolethuportalintegration IdP Plugin Code https://svn.middleware.georgetown.edu/shib-extension/java-idp-delegation 11