Using Shibboleth for Single Sign-On
One Logon to Rule them all...
Kirk Yaros, Director, Enterprise Services, Mott Community College
Agenda
- Overview of Mott
- Overview of Shibboleth and Mott's Project
- Review each service (setup / gotchas)
- Q&A
Overview of Mott Community College
- Est. 1923
- Main Campus: Flint, MI
- 8 remote sites
- Fall Enrollment: 9,100 students
Overview of Mott Community College
SSO Project
- A single username / password, OR
- Automatic authentication to services
Shibboleth Project
- Started: 01/2013
- Rolled out: 09/2013
- Started with three services (Email, Blackboard, Portal)
- Prevalent use of Active Directory on back-end
- Ellucian recommending TMG (end of life)
- Open Source (aka "Free")
Shibboleth Project
- Total Cost: $22,500
  - $15 Licensing: 9Star for Sharepoint 2010
  - $7500 consulting: setup of Sharepoint 2013
- Players:
  - Marc (The Man): setup IDP, configured GMAIL, BB
  - Sheila (Network Analyst): Sharepoint / WebAdvisor
  - Kirk (Development): IIS SP, Custom Development Library, Datatel clean-up / PM
Services Covered
Services on Shibboleth:
- Google Apps for Education (Mail / Calendar / Apps)
- WebAdvisor
- Blackboard
- Portal (Sharepoint 2010 / 2013)
- Custom Web Development (.NET / PHP Applications)
- Omni Content Management
- Third Party Vendors (PNC Bank)
- Indirectly: Mojo / Redbooth (Google Auth)
Services NOT Covered
- Datatel (UI)
  - Currently has Oracle username
  - Only available on campus
  - Intentionally not SSO
- Other Services: Cognos, EMS (on campus only, Windows auth)
What is Shibboleth
"The Shibboleth project was started in 2000 under the MACE working group to address problems in sharing resources between organizations with often wildly different authentication and authorization infrastructures. Architectural work was performed for over a year prior to any development. After an alpha, two betas, and two point releases were distributed to testing communities, Shibboleth 1.0 was released on July 1, 2003. [1] Shibboleth 1.3 was released on August 26, 2005, with several point releases since then. Shibboleth 2.0 was released on March 19, 2008."
Source: http://en.wikipedia.org/wiki/shibboleth_(internet2)
What is Shibboleth
- Shibboleth: Open Source implementation of SAML
- Federated security: SP / IDP do not have to be in the same organization (domain)
- Leverages public / private key cryptography
- Consists of two (three) main components:
  - IDP (Identity Provider): the authentication mechanism, talks with your directory server. Can be on Linux, Windows (others)
  - SP (Service Provider): the service itself
What is Shibboleth
[Diagram: User accesses resource -> Shib SP (Service Provider) -> Shib IDP (Identity Provider) -> Directory (AD). MetaData is exchanged between SP and IDP; a second variant shows LDAP / Kerberos as the directory behind the IDP.]
General Concepts
- All requests go through the SP and IDP
- Metadata can be made central, and the public key can be embedded in the public XML metadata
- SPs can access more than one IDP
- IDPs can handle requests from multiple SPs
- Attributes released to resources can be all or some, based upon settings
What is Shibboleth
[Diagram: authentication flow. User accesses resource -> Shib SP (holds its Private Key) -> redirect to Shib IDP (holds its Private Key; Public Keys are published in the MetaData). The IDP checks "Session?": No -> IDP Login Screen (Tomcat) authenticates against the Directory (AD); Yes -> no prompt. The IDP returns an Authentication Response with User Attributes, and the SP issues a Session Token.]
Initial Concerns / Questions
- Will you spoil your usernames?
  - If No: Colleague change operators / Log IDs will no longer be trustworthy; students come back after 10 years
  - If Yes: Things much easier, but usernames get ugly after a while (JohnSmith123); directory never shrinks
Initial Concerns / Questions
- WebAdvisor (DRUS) screen needed to be set up to allow for AD authentication
  - Use of domain field (needs to be set)
- Update any password change functionality
- Student training
Demo
See me log in. (Gmail, BB, Portal, PNC)
Services: Gmail (Google Apps)
1. Access the Google Admin interface
2. Configure the IDP URL
3. Upload Key File (Certificate)
4. Configure Login Redirect URL
5. DONE!
Services: Gmail Considerations
- Need a method to sync password changes across AD and Google Apps (most likely this is already taken care of)
- Going to use GAPS to sync now: https://support.google.com/a/answer/2611859
Services: Portal (Sharepoint)
- Tried to get setup (1 month)
- Hired Sharepoint consultant: worked on it for 2-3 months, failed, said it couldn't be done
- Found 9Star: said it can be done, needs special software
- Configured / setup: 1 month
Services: Portal (Sharepoint)
- Sharepoint 2010 doesn't support claims authentication
  - Much more complicated
  - Required use of 9Star Add-on Package
  - Creates shadow groups
[Diagram: IDP -> 9Star -> ADFS -> Sharepoint]
Services: Portal (Sharepoint)
- Use of ADFS3 linking to IDP
[Diagram: IDP <-> ADFS3 <-> Sharepoint 2013 Secure Token Service]
Services: Custom Web Development
- Windows 2012, IIS 7.0
- Installed Shibboleth can configure itself. If not, in IIS Manager:
  1. Setup ISAPI Header
  2. Configure extension (*.sso)
  3. Change shibboleth2.xml for service provider settings
     1. Can include only the Web Site(s) that you want
     2. Special configuration if you want a single IIS server to leverage 2 different IDPs (can be done)
     3. Configure the principal-name attribute to come back as LOGON_USER
Services: Custom Web Development (Configuration)
opt\shibboleth-sp\etc\shibboleth\shibboleth2.xml

    <RequestMapper type="Native">
      <RequestMap applicationId="default">
        <Host scheme="https" name="appsdev.mcc.edu">
          <Path name="secure" authType="shibboleth" requireSession="true"/>
        </Host>
      </RequestMap>
    </RequestMapper>
Services: Custom Web Development
- Can use the same Server Variable LOGON_USER as you currently do for Windows Auth (no code changes)
- Allows embedding of services seamlessly (Portal / Custom)
- Timing of web parts was an issue (IdP doesn't like simultaneous requests from the same source)
- Shibboleth natively supports anti-spoofing protection, which we did not disable: it reviews request headers for injected data
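As an added example (not from the slides or the Shibboleth project), a small Python audit script that walks the RequestMapper section of shibboleth2.xml and reports which mapped URLs actually require a Shibboleth session, so only the intended sites are protected. The sample config is constructed from the slide's snippet; the "public" path and the legacy.example.edu host are made up to exercise the checks.

```python
"""Audit the RequestMapper of a Shibboleth SP shibboleth2.xml: list each mapped URL,
flag content served without a Shibboleth session or over plain http."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the slide's snippet: appsdev.mcc.edu/secure is
# from the slide; "public" and legacy.example.edu are made up for the checks.
SAMPLE_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native">
    <RequestMap applicationId="default">
      <Host scheme="https" name="appsdev.mcc.edu">
        <Path name="secure" authType="shibboleth" requireSession="true"/>
        <Path name="public" authType="shibboleth" requireSession="false"/>
      </Host>
      <Host scheme="http" name="legacy.example.edu" requireSession="true"/>
    </RequestMap>
  </RequestMapper>
</SPConfig>"""

def _local(tag):
    """Drop the XML namespace so SP 2.x and 3.x configs are handled alike."""
    return tag.rsplit("}", 1)[-1]

def _entry(url, scheme, require):
    protected = (require or "").strip().lower() == "true"
    findings = []
    if not protected:
        findings.append("requireSession not set: served without a Shibboleth session")
    if scheme == "http":
        findings.append("explicit http: session cookie travels in the clear")
    return (url, protected, findings)

def audit_request_map(xml_text):
    """Return [(url, session_required, findings), ...] in document order.
    Settings inherit downward (RequestMap -> Host -> Path)."""
    results = []
    def walk(node, scheme, base, inherited):
        tag = _local(node.tag)
        require = node.get("requireSession", inherited)  # inherit from parent
        if tag == "Host":
            scheme = node.get("scheme") or "*"  # scheme is optional in the SP config
            base = f"{scheme}://{node.get('name')}"
            results.append(_entry(base + "/", scheme, require))
        elif tag == "Path":
            base = f"{base}/{node.get('name')}"
            results.append(_entry(base, scheme, require))
        for child in node:
            walk(child, scheme, base, require)
    walk(ET.fromstring(xml_text), None, None, None)
    return results
```

Run `audit_request_map(open(path).read())` against the real file; the host root of appsdev.mcc.edu is reported as open because, as on the slide, only the "secure" path carries requireSession.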
Demo: Web Applications Integration
Seamless integration w/ internal apps
Services: Custom Development (Mobile)
- Can leverage Bootstrap as CSS for the login screen
- Leverage a mobile-first development paradigm: logon screen works on desktop / mobile
- Use of PhoneGap to make an Android App; points to the base web site
Other Applications: Bank Refunds (PNC Bank)
- Had to use what is called "Unsolicited SSO" (their requirement)
- This is a SAML 1.x thing (https://wiki.shibboleth.net/confluence/display/shib2/idpunsolicitedsso):
  "Usually in Shibboleth, the flow is assumed to be an SP requesting authentication by redirecting the client to the IdP, and then getting back a response. In the original SAML 1.0 and SAML 1.1 standards, though, SSO was described in only semi-interoperable terms as a response from the IdP to the SP, and the "request" portion was left out. This was carried over into SAML 2.0 as a mode called "IdP-initiated" or "unsolicited" SSO. While this approach lacks interoperability, it has perceived benefits for some service providers; they get to do less work and push that work onto users and IdPs. So it isn't unusual to find SPs that refuse to support the standard fully and insist on this approach."
Other Applications: Omni CMS System
- InCommon.Org offers trust services for education / research institutions (we had to work with them): http://www.incommon.org/about.html
- Yearly fees associated
How it's Working
- Working quietly behind the scenes
- Very little work to maintain (other than system maintenance)
- Load is not an issue: Red Hat (Enterprise) 6, 2 logical processors, 4 GB memory (not clustered / load balanced)
How it's Working: Future Changes
- Many use a combination of CAS / Shibboleth
- Ellucian Identity Services (now available, free)
Recommendations
- Logging out: need to close browsers (we added a message)
- SLO (Single Log Off) is difficult (not recommended)
- Sessions exist at several layers: Web Application Session, Service Provider Session, IdP Session, Authentication Method Session
Recommendations - Sessions
[Diagram: session layers and their timeouts]
- Web Application 1: web session 15 min
- Web Application 2: web session 20 min
- Shib SP (Service Provider): SP session 20 min on one SP, 1 hour on another
- Shib IDP (Identity Provider): IdP session 30 min
- LDAP auth timeout: 1 hour
Recommendations
- Start with one system (make sure it works)
- Get session timeouts uniform from the get-go
- First-time setup seems confusing: lots of configuration files (attribute resolving, attribute filter, AD configuration, etc.)
- Get your keys right!
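To make the session layering on the two slides above concrete, here is an added Python model (not the presenter's code, and a simplification of Shibboleth's real session handling, idle timeouts only) that replays a visit pattern through web-app, SP and IdP sessions and shows when a user is silently re-authenticated versus prompted. The visit times are constructed; the timeouts are the slide's 15 / 20 / 30 minutes beside a uniform 20-minute setting.

```python
"""Simulate the nested sessions behind a Shibboleth-protected web app.
A request is satisfied by the outermost layer whose session is still alive
(web app -> SP -> IdP -> login screen); an expired layer is silently re-created by
the layer beneath it. Idle timeouts only: a teaching model for these notes,
not Shibboleth's own session logic."""
from typing import List, Optional

class Session:
    """One session layer with an idle timeout, all times in minutes."""
    def __init__(self, name: str, idle_timeout: int) -> None:
        self.name = name
        self.idle_timeout = idle_timeout
        self.last_seen: Optional[int] = None

    def alive(self, now: int) -> bool:
        return self.last_seen is not None and now - self.last_seen <= self.idle_timeout

    def touch(self, now: int) -> None:
        self.last_seen = now

def access(app: Session, sp: Session, idp: Session, now: int) -> str:
    """Handle one request at minute `now`; return the layer that satisfied it."""
    if app.alive(now):
        outcome = "app"    # served from the web application's own session
    elif sp.alive(now):
        outcome = "sp"     # SP session still valid: app session re-created silently
    elif idp.alive(now):
        outcome = "idp"    # redirected to the IdP, which has a session: no prompt
        idp.touch(now)
    else:
        outcome = "login"  # every layer expired: IdP login screen
        idp.touch(now)
    # The SP filter sits in front of the app, so both are refreshed by every request;
    # the IdP only sees the browser when the SP redirects to it.
    app.touch(now)
    sp.touch(now)
    return outcome

def simulate(app_min: int, sp_min: int, idp_min: int, visits: List[int]) -> List[str]:
    """Replay visit times (minutes since first visit) through fresh sessions."""
    app, sp, idp = Session("web app", app_min), Session("SP", sp_min), Session("IdP", idp_min)
    return [access(app, sp, idp, t) for t in visits]

if __name__ == "__main__":
    visits = [0, 25, 30, 47, 85]  # constructed visit pattern
    # Timeouts from the talk's session slide: app 15 min, SP 20 min, IdP 30 min.
    print("mixed:  ", simulate(15, 20, 30, visits))  # 25 idle minutes, no prompt
    print("uniform:", simulate(20, 20, 20, visits))  # >20 idle minutes always prompts
```

With the mixed timeouts a browser left idle for 25 minutes is re-established by the IdP without a prompt, which is why closing the browser is the only reliable logout; with uniform timeouts the prompt appears whenever the idle gap exceeds the single value.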
Light Reading
- https://medium.com/@vrypan/explaining-public-key-cryptography-to-non-geeks-f0994b3c2d5
- https://shib.ncsu.edu/docs/shibworks.html
- https://shib.ncsu.edu/docs/shiblogindetails.html
- http://www.utexas.edu/its/help/shibboleth/2299
- https://wiki.brown.edu/confluence/display/cisdoc/shibboleth+and+application+logout+best+practices
Q&A
Questions?
Kirk Yaros, Kirk.yaros@mcc.edu